User manual revised 3 | Users Manual | 2.42 MiB | December 03 2008
MAX-200HW2 Series User's Guide

Chapter 22 Logs

Table 116 FSM Logs: Callee Side

LOG MESSAGE | DESCRIPTION
---|---
VoIP Call Start from SIP[SIP Port Number] | A VoIP phone call came to the ZyXEL Device from the listed SIP number.
VoIP Call Established Ph[Phone Port] <- Outgoing Call Number | A VoIP phone call was set up from the listed SIP number to the ZyXEL Device.
VoIP Call End Phone[Phone Port] | A VoIP phone call that came into the ZyXEL Device has terminated.

Table 117 Lifeline Logs

LOG MESSAGE | DESCRIPTION
---|---
PSTN Call Start | A PSTN call has been initiated.
PSTN Call End | A PSTN call has terminated.
PSTN Call Established | A PSTN call has been set up.

CHAPTER 23 Tools

Use these screens to upload new firmware, back up and restore the configuration, and restart the ZyXEL Device.

23.1 Tools Overview

23.1.1 Firmware

Contact your service provider for information on available firmware upgrades. Firmware files (usually) use the system model name with a "*.bin" extension, e.g., "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.

Only use firmware for your ZyXEL Device's specific model. Refer to the label on the back of your ZyXEL Device.

23.2 Tools Screens

23.2.1 Firmware Screen

Use this screen to upload new firmware to the ZyXEL Device. To access this screen, click Maintenance > Tools > Firmware.

Only use firmware for your ZyXEL Device's specific model. Refer to the label on the bottom of your ZyXEL Device.

Figure 160 Maintenance > Tools > Firmware

Each field is described in the following table.

Table 118 Maintenance > Tools > Firmware

LABEL | DESCRIPTION
---|---
File Path | Enter the location of the .bin file you want to upload, or click Browse... to find it. You must decompress compressed (.zip) files before you can upload them.
Browse... | Click this to find the .bin file you want to upload.
Upload | Click this to begin uploading the selected file. This may take up to two minutes. See Section 23.2.2 on page 256 for more information about this process. Note: Do not turn off the device while firmware upload is in progress!

23.2.2 Firmware Upload Screens

Do not turn off the device while firmware upload is in progress!
When the ZyXEL Device starts to upload firmware, the Firmware Upload in Process screen appears.

Figure 161 Firmware Upload In Process

The process usually takes about two minutes. The device automatically restarts in this time. This causes a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 162 Network Temporarily Disconnected

After two minutes, log in again, and check your new firmware version in the Status screen. You might have to open a new browser window to log in.

If the upload is not successful, the following screen appears.

Figure 163 Firmware Upload Error

Click Return to go back to the Firmware screen.

23.2.3 Configuration Screen

Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings. To access this screen, click Maintenance > Tools > Configuration.

Figure 164 Maintenance > Tools > Configuration

Each field is described in the following table.

Table 119 Maintenance > Tools > Configuration

LABEL | DESCRIPTION
---|---
Backup Configuration |
Backup | Click this to save the ZyXEL Device's current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration |
File Path | Enter the location of the file you want to upload, or click Browse... to find it.
Browse | Click this to find the file you want to upload.
Upload | Click this to restore the selected configuration file. See Section 23.2.4 on page 258 for more information about this. Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults |
Reset | Click this to clear all user-entered configuration information and return the ZyXEL Device to its factory defaults. There is no warning screen.

23.2.4 Restore Configuration Screens

Do not turn off the device while configuration file upload is in progress.

When the ZyXEL Device has finished restoring the selected configuration file, the following screen appears.

Figure 165 Configuration Upload Successful

The device now automatically restarts. This causes a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 166 Network Temporarily Disconnected

If the ZyXEL Device's IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See your Quick Start Guide or the appendices for details on how to set up your computer's IP address.

You might have to open a new browser to log in again.

If the upload was not successful, a Configuration Upload Error screen appears.

Figure 167 Configuration Upload Error

Click Return to go back to the Configuration screen.

23.2.5 Restart Screen

Use this screen to reboot the ZyXEL Device without turning the power off. To access this screen, click Maintenance > Tools > Restart.

Figure 168 Maintenance > Tools > Restart

This does not affect the ZyXEL Device's configuration. When you click Restart, the following screen appears.

Figure 169 Maintenance > Tools > Restart > In Progress

Wait one minute for the device to finish restarting. Then, you can log in again.

PART IV Troubleshooting and Specifications

Troubleshooting
Product Specifications

Chapter 24 Troubleshooting

24.2 ZyXEL Device Access and Login

I forgot the IP address for the ZyXEL Device.
1 The default IP address is 192.168.1.1.
2 If you changed the IP address and have forgotten it, you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the ZyXEL Device (it depends on the network), so enter this IP address in your Internet browser.
3 If this does not work, you have to reset the ZyXEL Device to its factory defaults. See Section 24.1 on page 263.

I forgot the password.

1 The default password is 1234.
2 If this does not work, you have to reset the ZyXEL Device to its factory defaults. See Section 23.2.3 on page 257.

I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address. The default IP address is 192.168.1.1. If you changed the IP address (Section 9.2.1 on page 122), use the new IP address. If you changed the IP address and have forgotten it, see the troubleshooting suggestions for "I forgot the IP address for the ZyXEL Device."
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 35.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix C on page 301.
4 If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. Your ZyXEL Device is a DHCP server by default. If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the ZyXEL Device. See Appendix D on page 309.
5 Reset the ZyXEL Device to its factory defaults, and try to access the ZyXEL Device with the default IP address. See Section 23.2.3 on page 257.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

Try to access the ZyXEL Device using another service, such as Telnet. If you can access the ZyXEL Device, check the remote management settings and firewall rules to find out why the ZyXEL Device does not respond to HTTP.

If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.

I can see the Login screen, but I cannot log in to the ZyXEL Device.

1 Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.
3 Disconnect and re-connect the power adaptor or cord to the ZyXEL Device.
4 If this does not work, you have to reset the ZyXEL Device to its factory defaults. See Section 23.2.3 on page 257.

I cannot Telnet to the ZyXEL Device.

See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator." Ignore the suggestions about your browser.

24.3 Internet Access

I cannot access the Internet.

1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 35.
2 Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3 Check your security settings. In the web configurator, go to the Status screen. Click the Details... link next to Profile in the WiMAX Information box and make sure that you are using the correct security settings for your Internet account.
4 Check your WiMAX settings. The ZyXEL Device may have been set to search the wrong frequencies for a wireless connection. In the web configurator, go to the Status screen. Click the Details... link next to Site Information in the WiMAX Information box and ensure that the values are correct. If the values are incorrect, enter the correct frequency settings in the Network > WAN > WiMAX Frequency screen. If you are unsure of the correct values, contact your service provider.
5 If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP.
6 Disconnect all the cables from your ZyXEL Device, and follow the directions in the Quick Start Guide again.
7 If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore.

1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 35.
2 Disconnect and re-connect the power adaptor to the ZyXEL Device.
3 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1 The quality of the ZyXEL Device's wireless connection to the base station may be poor. Poor signal reception may be improved by moving the ZyXEL Device away from thick walls and other obstructions, or to a higher floor in your building.
2 There may be radio interference caused by nearby electrical devices such as microwave ovens and radio transmitters. Move the ZyXEL Device away or switch the other devices off. Weather conditions may also affect signal quality.
3 As well as having an external antenna connector, the MAX-210HW2 is equipped with an internal directional antenna. If you know the location of the base station, orient the front of the ZyXEL Device (the side with the LEDs) towards the base station. If you do not know the location of the base station, experiment by moving the ZyXEL Device while observing the SIGNAL LEDs for an increase in received signal strength. The MAX-200HW2 and MAX-230HW2 do not have internal antennas.
4 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.2.1 on page 35. If the ZyXEL Device is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
5 Disconnect and re-connect the power adaptor to the ZyXEL Device.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

The Internet connection disconnects.

Check your WiMAX link and signal strength using the LINK and SIGNAL LEDs on the device. See the following section if signal strength is poor or the ZyXEL Device has no link to a base station. Contact your ISP if the problem persists.

24.4 Phone Calls and VoIP

The telephone port won't work or the telephone lacks a dial tone.

1 Check the telephone connections and telephone wire.
2 Make sure you have the VoIP SIP Settings screen properly configured.

I can access the Internet, but cannot make VoIP calls.

1 Make sure you have the VoIP SIP Settings screen properly configured.
2 The VoIP LED should come on. Make sure that your telephone is connected to the LINE port.
3 You can also check the VoIP status in the Status screen.
4 If the VoIP settings are correct, use speed dial to make peer-to-peer calls. If you cannot make a call using speed dial, there may be something wrong with the SIP server. Contact your VoIP service provider.

Problems With Multiple SIP Accounts

You can set up two SIP accounts on your ZyXEL Device. By default your ZyXEL Device uses SIP account 1 for outgoing calls, and it uses SIP accounts 1 and 2 for incoming calls. With this setting, you always use SIP account 1 for your outgoing calls and you cannot distinguish which SIP account the calls are coming in through.

If you want to control the use of different dialing plans for accounting purposes or other reasons, you need to configure your phone port in order to control which SIP account you are using when placing or receiving calls.

24.5 Reset the ZyXEL Device to Its Factory Defaults

If you reset the ZyXEL Device, you lose all of the changes you have made. The ZyXEL Device re-loads its default settings, and the password resets to 1234. You have to make all of your changes again.

You will lose all of your changes when you push the RESET button.

To reset the ZyXEL Device,

1 Make sure the PWR LED is on and not blinking.
2 Press and hold the RESET button for five to ten seconds. Release the RESET button when the PWR LED begins to blink. The default settings have been restored.

If the ZyXEL Device restarts automatically, wait for the ZyXEL Device to finish restarting, and log in to the web configurator. The password is 1234.

If the ZyXEL Device does not restart automatically, disconnect and reconnect the ZyXEL Device's power. Then, follow the directions above again.

24.5.1 Pop-up Windows, JavaScripts and Java Permissions

Please see Appendix C on page 301.

24.6 Wireless LAN Troubleshooting

I cannot access the ZyXEL Device or ping any computer from the WLAN.

1 Make sure the wireless LAN is enabled on the ZyXEL Device.
2 Make sure the wireless adapter on the wireless station is working properly.
3 Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible and supports the same wireless standard as the ZyXEL Device.
4 Make sure your computer (with a wireless adapter installed) is within the transmission range of the ZyXEL Device.
5 Check that both the ZyXEL Device and your wireless station are using the same wireless and wireless security settings.
6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyXEL Device.
7 Make sure you allow the ZyXEL Device to be remotely accessed through the WLAN interface. Check your remote management settings.

CHAPTER 25 Product Specifications

This chapter gives details about your ZyXEL Device's hardware and firmware features.

Table 120 Product Specifications

PHYSICAL AND ENVIRONMENTAL

FEATURE | SPECIFICATION
---|---
Product Name | WIMAX-200HW2/WIMAX-210HW2/WIMAX-230HW2
Ethernet Interface | Four auto-negotiating, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports
WLAN Interface | WiFi (54 Mbps) interface (801.11g, 802.16b backward compatible)
Telephony Interface | Two analog interfaces for standard telephones through RJ-11 connectors
Standards | IEEE 802.16e-2005
Antenna (MAX-210HW2) | Built-in patch antenna (WiMAX): 6dBi, 70° azimuth, 30° elevation; WiMAX SMA antenna connector, equipped by default with 2dBi omni antenna, 60; WiFi SMA antenna connector, equipped by default with 2dBi omni antenna, 60
Antenna (MAX-200HW2/MAX-230HW2) | WiFi SMA antenna connector, equipped by default with 2dBi omni antenna, 60; Panel Directional Antenna
Operating Temperature | 0 to 45
Storage Temperature | -25 to 55
Operating Humidity | 10% ~ 90% (non-condensing)
Storage Humidity | 10% to 95%
Power Supply | 18 V DC 1A
Power consumption | Worst-case-scenario 10W, peak 15W
Weight | 600g
Dimensions | 216 x 164 x 52mm

RADIO SPECIFICATIONS

FEATURE | SPECIFICATION
---|---
Media Access Protocol | IEEE 802.16e
WiMAX Bandwidth | MAX-200HW2: 2.5 - 2.7 GHz; MAX-210HW2: 3.4 ~ 3.6 GHz; MAX-230HW2: 2.3 ~ 2.4 GHz
Data Rate | Downlink: Maximum 5 Mbps; Uplink: Maximum 2 Mbps
Modulation | QPSK (uplink and downlink); 16-QAM (uplink and downlink); 64-QAM (downlink only)
Output Power | 27dBm (+/- 1dB)
Duplex mode | Time Division Duplex (TDD)

SOFTWARE SPECIFICATIONS

FEATURE | SPECIFICATION
---|---
Security | PKMv2; EAP; CCMP, 128-bit AES

Table 121 Physical Features

FEATURE | DESCRIPTION
---|---
Auto-crossover 10/100 Mbps Ethernet Interface | This interface automatically adjusts to either a crossover or straight-through Ethernet cable.
External Antenna | The MAX-210HW2 is equipped with WiFi and WiMAX omnidirectional antennas. The MAX-200HW2 and MAX-230HW2 are equipped with a WiFi omnidirectional antenna and a WiMAX panel directional antenna.
Telephone Port | Connect analog telephones to the ZyXEL Device's 2 LINE ports (RJ-11 connector) to take advantage of its Voice over IP (VoIP) features.
Reset Button | The reset button is built into the rear panel. Use this button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.

Table 122 Non-Physical Features

FEATURE | DESCRIPTION
---|---
High Speed Wireless Internet Access | The ZyXEL Device is ideal for high-speed wireless Internet browsing. WiMAX (Worldwide Interoperability for Microwave Access) is a wireless networking standard providing high-bandwidth, wide-range secured wireless service. The ZyXEL Device is a WiMAX mobile station (MS) compatible with the IEEE 802.16e standard.
WiFi Functionality | Allow the IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyXEL Device wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
Firewall | The ZyXEL Device is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyXEL Device's firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
Content Filtering | The ZyXEL Device can block access to web sites containing specified keywords. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
Auto Provisioning | Your Internet service provider can automatically update your device's configuration via an auto-provisioning server.
Echo Cancellation | Your device supports G.168, an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
QoS (Quality of Service) | Quality of Service (QoS) mechanisms help to provide better service on a per-flow basis. Your device supports Type of Service (ToS) tagging. This allows the device to tag voice frames so they can be prioritized over the network.
Packet Filters | Your device's packet filtering function allows added network security and management.

PART V Appendices and Index

WiMAX Security
Setting up Your Computer's IP Address
Pop-up Windows, JavaScripts and Java Permissions
IP Addresses and Subnetting
Wireless LANs
Common Services
Legal Information
Customer Support
Index

APPENDIX A WiMAX Security

Wireless security is vital to protect your wireless communications. Without it, information transmitted over the wireless network would be accessible to any networking device within range.

User Authentication and Data Encryption

The WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure secured communication at all times.

User authentication is the process of confirming a user's identity and level of authorization.
Data encryption is the process of encoding information so that it cannot be read by anyone who does not know the code.

WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data encryption.

WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows additional authentication methods to be deployed with no changes to the base station or the mobile or subscriber stations.

PKMv2

PKMv2 is a procedure that allows authentication of a mobile or subscriber station and negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2 uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS (EAP-TTLS) for secure communication.

In cryptography, a key is a piece of information, typically a string of random numbers and letters, that can be used to lock (encrypt) or unlock (decrypt) a message. Public key encryption uses key pairs, which consist of a public (freely available) key and a private (secret) key. The public key is used for encryption and the private key is used for decryption. You can decrypt a message only if you have the private key. Public key certificates (or digital IDs) allow users to verify each other's identity.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The base station is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

Authentication: Determines the identity of the users.
Authorization: Determines the network services available to authenticated users once they are connected to the network.
Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your base station acts as a message relay between the MS/SS and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user authentication:

Access-Request: Sent by a base station requesting authentication.
Access-Reject: Sent by a RADIUS server rejecting access.
Access-Accept: Sent by a RADIUS server allowing access.
Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The base station sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user accounting:

Accounting-Request: Sent by the base station requesting accounting.
Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Diameter

Diameter (RFC 3588) is a type of AAA server that provides several improvements over RADIUS in efficiency, security, and support for roaming.

Security Association

The set of information about user authentication and data encryption between two computers is known as a security association (SA). In a WiMAX network, the process of security association has three stages.

Authorization request and reply: The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS.
Key request and reply: The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.
Encrypted traffic: The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.

CCMP

All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm.

Counter mode refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.
Cipher Block Chaining Message Authentication (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of chained blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.

Authentication

The ZyXEL Device supports EAP-TTLS authentication.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection (with EAP-TLS digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

APPENDIX B Setting up Your Computer's IP Address

The purpose of this appendix is to show you how to configure an IP address on your computer depending on what operating system you have. It does NOT mean that your ZyXEL Device supports all these operating systems.

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.

After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.

If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device's LAN port.

Windows 95/98/Me

Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.

Figure 170 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:

1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.

If you need Client for Microsoft Networks:

1 Click Add.
2 Select Client and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.

Configuring

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
   If your IP address is dynamic, select Obtain an IP address automatically.
   If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.

Figure 171 Windows 95/98/Me: TCP/IP Properties: IP Address

3 Click the DNS Configuration tab.
   If you do not know your DNS information, select Disable DNS.
   If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).

Figure 172 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.
   If you do not know your gateway's IP address, remove previously installed gateways.
   If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyXEL Device and restart your computer when prompted.

Verifying Settings

1 Click Start and then Run.
2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.
3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.

Windows 2000/NT/XP

The following example figures use the default Windows XP GUI theme.

1 Click start (Start in Windows 2000/NT), Settings, Control Panel.
Figure 173 Windows XP: Start Menu

2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

Figure 174 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.

Figure 175 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

Figure 176 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
- If you have a dynamic IP address click Obtain an IP address automatically.
- If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
- Click Advanced.

Figure 177 Windows XP: Internet Protocol (TCP/IP) Properties

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
- In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
- Repeat the above two steps for each IP address you want to add.
- Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
- In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
- Click Add.
- Repeat the previous three steps for each default gateway you want to add.
- Click OK when finished.

Figure 178 Windows XP: Advanced TCP/IP Properties

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
- Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
- If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
- If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.

Figure 179 Windows XP: Internet Protocol (TCP/IP) Properties

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Windows Vista

This section shows screens from Windows Vista Enterprise Version 6.0.

1 Click the Start icon, Control Panel.

Figure 180 Windows Vista: Start Menu

2 In the Control Panel, double-click Network and Internet.

Figure 181 Windows Vista: Control Panel

3 Click Network and Sharing Center.

Figure 182 Windows Vista: Network And Internet

4 Click Manage network connections.

Figure 183 Windows Vista: Network and Sharing Center

5 Right-click Local Area Connection and then click Properties. During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
Figure 184 Windows Vista: Network and Sharing Center

6 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Figure 185 Windows Vista: Local Area Connection Properties

7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens (the General tab).
- If you have a dynamic IP address click Obtain an IP address automatically.
- If you have a static IP address click Use the following IP address and fill in the IP address, Subnet mask, and Default gateway fields.
- Click Advanced.

Figure 186 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties

8 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
- In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
- Repeat the above two steps for each IP address you want to add.
- Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
- In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
- Click Add.
- Repeat the previous three steps for each default gateway you want to add.
- Click OK when finished.

Figure 187 Windows Vista: Advanced TCP/IP Properties

9 In the Internet Protocol Version 4 (TCP/IPv4) Properties window (the General tab):
- Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
- If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
- If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.

Figure 188 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties

10 Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
11 Click Close to close the Local Area Connection Properties window.
12 Close the Network Connections window.
13 Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS 8/9

1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.

Figure 189 Macintosh OS 8/9: Apple Menu

2 Select Ethernet built-in from the Connect via list.

Figure 190 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
- From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your ZyXEL Device in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1 Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 191 Macintosh OS X: Apple Menu

2 Click Network in the icon bar.
- Select Automatic from the Location list.
- Select Built-in Ethernet from the Show list.
- Click the TCP/IP tab.
3 For dynamically assigned settings, select Using DHCP from the Configure list.

Figure 192 Macintosh OS X: Network

4 For statically assigned settings, do the following:
- From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your ZyXEL Device in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.

Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices

2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.

Figure 194 Red Hat 9.0: KDE: Ethernet Device: General

- If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
- If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided.

Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS

5 Click the Devices tab.
6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.
Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate

7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP address.

1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
- If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.

Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet

- If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following figure shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
TYPE=Ethernet

2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.

Figure 199 Red Hat 9.0: DNS Settings in resolv.conf

nameserver 172.23.5.1
nameserver 172.23.5.2

3 After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.

Figure 200 Red Hat 9.0: Restart Ethernet Card
[root@localhost init.d]# network restart
Shutting down interface eth0: [OK]
Shutting down loopback interface: [OK]
Setting network parameters: [OK]
Bringing up loopback interface: [OK]
Bringing up interface eth0: [OK]
Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 201 Red Hat 9.0: Checking TCP/IP Properties

[root@localhost]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
          inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
          Interrupt:10 Base address:0x1000
[root@localhost]#
APPENDIX C Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:
- Web browser pop-up windows from your device.
- JavaScripts (enabled by default).
- Java permissions (enabled by default).

Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable Pop-up Blockers

1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 202 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 203 Internet Options: Privacy

3 Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings to open the Pop-up Blocker Settings screen.

Figure 204 Internet Options: Privacy

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1.
4 Click Add to move the IP address to the list of Allowed sites.

Figure 205 Pop-up Blocker Settings

5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 206 Internet Options: Security

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

Figure 207 Security Settings - Java Scripting

Java Permissions

1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 208 Security Settings - Java

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.

Figure 209 Java (Sun)

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.

You can enable Java, Javascripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears.

Figure 210 Mozilla Firefox: Tools > Options

Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 211 Mozilla Firefox Content Security

APPENDIX D IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.
IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.

The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.

Figure 212 Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term subnet is short for sub-network.

A subnet mask has 32 bits. If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 123 IP Address Network Number and Host ID Example

| | 1ST OCTET: (192) | 2ND OCTET: (168) | 3RD OCTET: (1) | 4TH OCTET (2) |
|---|---|---|---|---|
| IP Address (Binary) | 11000000 | 10101000 | 00000001 | 00000010 |
| Subnet Mask (Binary) | 11111111 | 11111111 | 11111111 | 00000000 |
| Network Number | 11000000 | 10101000 | 00000001 | |
| Host ID | | | | 00000010 |

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a 1 value). For example, an 8-bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 124 Subnet Masks

| | BINARY 1ST OCTET | BINARY 2ND OCTET | BINARY 3RD OCTET | BINARY 4TH OCTET | DECIMAL |
|---|---|---|---|---|---|
| 8-bit mask | 11111111 | 00000000 | 00000000 | 00000000 | 255.0.0.0 |
| 16-bit mask | 11111111 | 11111111 | 00000000 | 00000000 | 255.255.0.0 |
| 24-bit mask | 11111111 | 11111111 | 11111111 | 00000000 | 255.255.255.0 |
| 29-bit mask | 11111111 | 11111111 | 11111111 | 11111000 | 255.255.255.248 |

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:
Table 125 Maximum Host Numbers

| SUBNET MASK (SIZE) | SUBNET MASK | HOST ID SIZE | CALCULATION | MAXIMUM NUMBER OF HOSTS |
|---|---|---|---|---|
| 8 bits | 255.0.0.0 | 24 bits | 2^24 - 2 | 16777214 |
| 16 bits | 255.255.0.0 | 16 bits | 2^16 - 2 | 65534 |
| 24 bits | 255.255.255.0 | 8 bits | 2^8 - 2 | 254 |
| 29 bits | 255.255.255.248 | 3 bits | 2^3 - 2 | 6 |

Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a / followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.

The following table shows some possible subnet masks using both notations.

Table 126 Alternative Subnet Mask Notation

| SUBNET MASK | ALTERNATIVE NOTATION | LAST OCTET (BINARY) | LAST OCTET (DECIMAL) |
|---|---|---|---|
| 255.255.255.0 | /24 | 0000 0000 | 0 |
| 255.255.255.128 | /25 | 1000 0000 | 128 |
| 255.255.255.192 | /26 | 1100 0000 | 192 |
| 255.255.255.224 | /27 | 1110 0000 | 224 |
| 255.255.255.240 | /28 | 1111 0000 | 240 |
| 255.255.255.248 | /29 | 1111 1000 | 248 |
| 255.255.255.252 | /30 | 1111 1100 | 252 |

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts.

The following figure shows the company network before subnetting.

Figure 213 Subnetting Example: Before Subnetting

You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets;
192.168.1.0 /25 and 192.168.1.128 /25.

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.

Figure 214 Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 127 Subnet 1

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
|---|---|---|
| IP Address (Decimal) | 192.168.1. | 0 |
| IP Address (Binary) | 11000000.10101000.00000001. | 00000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address: 192.168.1.0 | Lowest Host ID: 192.168.1.1 | |
| Broadcast Address: 192.168.1.63 | Highest Host ID: 192.168.1.62 | |

Table 128 Subnet 2

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
|---|---|---|
| IP Address | 192.168.1. | 64 |
| IP Address (Binary) | 11000000.10101000.00000001. | 01000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address: 192.168.1.64 | Lowest Host ID: 192.168.1.65 | |
| Broadcast Address: 192.168.1.127 | Highest Host ID: 192.168.1.126 | |

Table 129 Subnet 3

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
|---|---|---|
| IP Address | 192.168.1. | 128 |
| IP Address (Binary) | 11000000.10101000.00000001. | 10000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129 | |
| Broadcast Address: 192.168.1.191 | Highest Host ID: 192.168.1.190 | |

Table 130 Subnet 4

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
|---|---|---|
| IP Address | 192.168.1. | 192 |
| IP Address (Binary) | 11000000.10101000.00000001. | 11000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address: 192.168.1.192 | Lowest Host ID: 192.168.1.193 | |
| Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.254 | |

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).

The following table shows IP address last octet values for each subnet.

Table 131 Eight Subnets

| SUBNET | SUBNET ADDRESS | FIRST ADDRESS | LAST ADDRESS | BROADCAST ADDRESS |
|---|---|---|---|---|
| 1 | 0 | 1 | 30 | 31 |
| 2 | 32 | 33 | 62 | 63 |
| 3 | 64 | 65 | 94 | 95 |
| 4 | 96 | 97 | 126 | 127 |
| 5 | 128 | 129 | 158 | 159 |
| 6 | 160 | 161 | 190 | 191 |
| 7 | 192 | 193 | 222 | 223 |
| 8 | 224 | 225 | 254 | 255 |

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 132 24-bit Network Number Subnet Planning

| NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET |
|---|---|---|---|
| 1 | 255.255.255.128 (/25) | 2 | 126 |
| 2 | 255.255.255.192 (/26) | 4 | 62 |
| 3 | 255.255.255.224 (/27) | 8 | 30 |
| 4 | 255.255.255.240 (/28) | 16 | 14 |
| 5 | 255.255.255.248 (/29) | 32 | 6 |
| 6 | 255.255.255.252 (/30) | 64 | 2 |
| 7 | 255.255.255.254 (/31) | 128 | 1 |

The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 133 16-bit Network Number Subnet Planning

| NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET |
|---|---|---|---|
| 1 | 255.255.128.0 (/17) | 2 | 32766 |
| 2 | 255.255.192.0 (/18) | 4 | 16382 |
| 3 | 255.255.224.0 (/19) | 8 | 8190 |
| 4 | 255.255.240.0 (/20) | 16 | 4094 |
| 5 | 255.255.248.0 (/21) | 32 | 2046 |
| 6 | 255.255.252.0 (/22) | 64 | 1022 |
| 7 | 255.255.254.0 (/23) | 128 | 510 |
| 8 | 255.255.255.0 (/24) | 256 | 254 |
| 9 | 255.255.255.128 (/25) | 512 | 126 |
| 10 | 255.255.255.192 (/26) | 1024 | 62 |
| 11 | 255.255.255.224 (/27) | 2048 | 30 |
| 12 | 255.255.255.240 (/28) | 4096 | 14 |
| 13 | 255.255.255.248 (/29) | 8192 | 6 |
| 14 | 255.255.255.252 (/30) | 16384 | 2 |
| 15 | 255.255.255.254 (/31) | 32768 | 1 |

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the ZyXEL Device.

Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered.
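The subnet arithmetic in this appendix (the logical AND of address and mask, borrowing host ID bits, and the 2^n - 2 host count) can be reproduced with a short script. This is an added example, not part of the original guide: the function names are illustrative, and the sample input is the guide's own 192.168.1.0 network.

```python
# Added example: the appendix's subnet arithmetic, written with the bitwise
# AND the text describes. All function names are illustrative.

def to_int(dotted):
    """Convert dotted decimal notation (e.g. '192.168.1.2') to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    ):
        raise ValueError("not a dotted decimal IPv4 address: %r" % dotted)
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """Convert a 32-bit integer back to dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_bits(bits):
    """Return the mask with `bits` leading ones, e.g. 25 -> 255.255.255.128."""
    if not 0 <= bits <= 32:
        raise ValueError("mask size must be between 0 and 32 bits")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def bits_from_mask(dotted_mask):
    """Return the number of ones in a mask, rejecting non-contiguous masks."""
    host_bits = to_int(dotted_mask) ^ 0xFFFFFFFF
    # A valid mask inverts to 0...01...1, so adding 1 clears every set bit.
    if host_bits & (host_bits + 1):
        raise ValueError("mask ones are not contiguous: %s" % dotted_mask)
    return 32 - host_bits.bit_length()


def describe(address, bits):
    """Split address/bits into network number and host ID, with the usable range."""
    if not 1 <= bits <= 30:
        raise ValueError("this helper covers masks from /1 to /30")
    mask = mask_from_bits(bits)
    host_mask = mask ^ 0xFFFFFFFF
    ip = to_int(address)
    network = ip & mask              # mask bit 1 -> part of the network number
    broadcast = network | host_mask  # host ID of all ones
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "host_id": ip & host_mask,   # mask bit 0 -> part of the host ID
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "broadcast": to_dotted(broadcast),
        "max_hosts": 2 ** (32 - bits) - 2,
    }


def split(network, bits, borrowed):
    """Divide network/bits into 2**borrowed subnets by borrowing host ID bits."""
    new_bits = bits + borrowed
    base = to_int(network) & mask_from_bits(bits)
    size = 1 << (32 - new_bits)  # addresses per subnet, incl. network/broadcast
    return [
        describe(to_dotted(base + i * size), new_bits)
        for i in range(1 << borrowed)
    ]


def same_subnet(a, b, bits):
    """True when both addresses have the same network number under the mask."""
    mask = mask_from_bits(bits)
    return (to_int(a) & mask) == (to_int(b) & mask)


if __name__ == "__main__":
    # The "Four Subnets" example: borrow two host ID bits from 192.168.1.0 /24.
    for subnet in split("192.168.1.0", 24, 2):
        print("%(network)s mask %(mask)s hosts %(first_host)s-%(last_host)s "
              "broadcast %(broadcast)s (%(max_hosts)d hosts)" % subnet)
    # Two hosts that share the /24 end up in different /25 sub-networks.
    print(same_subnet("192.168.1.10", "192.168.1.200", 24))
    print(same_subnet("192.168.1.10", "192.168.1.200", 25))
```
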
You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

IP Address Conflicts

Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.

Conflicting Computer IP Addresses Example

More than one device cannot use the same IP address. In the following example computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B, which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically.

Figure 215 Conflicting Computer IP Addresses Example

Conflicting Router IP Addresses Example

Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the router's LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet.
The LAN computers cannot access the Internet because the router cannot route between networks.

Figure 216 Conflicting Computer IP Addresses Example

Conflicting Computer and Router IP Addresses Example

More than one device cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.

Figure 217 Conflicting Computer and Router IP Addresses Example

APPENDIX E Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.

Figure 218 Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
Figure 219 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.

Figure 220 Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other; that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

Figure 221 RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. The RTS/CTS value defines the largest data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS message to the AP for permission to send it. The AP then responds with a CTS message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS value directly to the AP without the RTS/CTS handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS/CTS handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS/CTS handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.

Short preamble increases performance, as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.

Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks.

Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.

Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it; otherwise the ZyXEL Device uses long preamble.

The wireless devices MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 134 IEEE 802.11g

| DATA RATE (MBPS) | MODULATION |
|---|---|
| 1 | DBPSK (Differential Binary Phase Shift Keyed) |
| 2 | DQPSK (Differential Quadrature Phase Shift Keying) |
| 5.5 / 11 | CCK (Complementary Code Keying) |
| 6/9/12/18/24/36/48/54 | OFDM (Orthogonal Frequency Division Multiplexing) |

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.

The following table shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.

Table 135 Wireless Security Levels

| SECURITY LEVEL | SECURITY TYPE |
|---|---|
| Least Secure | Unique SSID (Default) |
| | Unique SSID with Hide SSID Enabled |
| | MAC Address Filtering |
| | WEP Encryption |
| | IEEE802.1x EAP with RADIUS Server Authentication |
| | Wi-Fi Protected Access (WPA) |
| Most Secure | WPA2 |

You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
- User based identification that allows for roaming.
- Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
- Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

- Authentication: Determines the identity of the users.
- Authorization: Determines the network services available to authenticated users once they are connected to the network.
- Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

- Access-Request: Sent by an access point requesting authentication.
- Access-Reject: Sent by a RADIUS server rejecting access.
- Access-Accept: Sent by a RADIUS server allowing access.
- Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

- Accounting-Request: Sent by the access point requesting accounting.
- Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.

For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). Certificates (also called digital IDs) can be used to authenticate users, and a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. The password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
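The EAP-MD5 weaknesses listed above, as an added example that is not part of the ZyXEL manual: it computes the challenge response and shows that only a server holding the recoverable password can check it, and that a response is bound to one challenge. It assumes the CHAP-style response defined in RFC 1994 (MD5 over identifier, password and challenge); the server classes, user name and password are hypothetical, constructed values.

```python
"""EAP-MD5 challenge/response with constructed data (added example)."""
import hashlib
import hmac
import os


def eap_md5_response(identifier, password, challenge):
    """CHAP-style response (RFC 1994): MD5(identifier || password || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class PlaintextServer:
    """Hypothetical authentication server that keeps recoverable passwords."""

    def __init__(self, users):
        self._users = dict(users)

    def new_challenge(self):
        return os.urandom(16)  # must be fresh for every attempt

    def verify(self, user, identifier, challenge, response):
        password = self._users.get(user)
        if password is None:
            return False
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


class HashedServer:
    """Hypothetical server that stores only salted PBKDF2 hashes of passwords."""

    def __init__(self, users):
        self._records = {}
        for name, password in users.items():
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)
            self._records[name] = (salt, digest)

    def verify(self, user, identifier, challenge, response):
        record = self._records.get(user)
        if record is None:
            return False
        # The password itself is gone. The stored digest is the only secret
        # left, and it cannot reproduce the client's MD5 input.
        expected = eap_md5_response(identifier, record[1], challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Run one exchange against both server types and report the outcomes."""
    users = {"alice": b"constructed-sample-password"}
    plain, hashed = PlaintextServer(users), HashedServer(users)
    identifier, challenge = 1, plain.new_challenge()
    response = eap_md5_response(identifier, users["alice"], challenge)
    return {
        # Only a 16-byte digest crosses the network, never the password.
        "password_on_wire": users["alice"] in response,
        "plaintext_store_verifies": plain.verify("alice", identifier, challenge, response),
        # A server that stores passwords safely hashed cannot run EAP-MD5.
        "hashed_store_verifies": hashed.verify("alice", identifier, challenge, response),
        # A captured response is useless once the server issues a new challenge.
        "old_response_on_new_challenge": plain.verify(
            "alice", 2, plain.new_challenge(), response
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing in the exchange flows from server to client as proof of identity, which is the missing mutual authentication the section describes.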
LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.

EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 136 Comparison of EAP Authentication Types

| | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP | LEAP |
|---|---|---|---|---|---|
| Mutual Authentication | No | Yes | Yes | Yes | Yes |
| Certificate - Client | No | Yes | Optional | Optional | No |
| Certificate - Server | No | Yes | Yes | Yes | No |
| Dynamic Key Exchange | No | Yes | Yes | Yes | Yes |
| Credential Integrity | None | Strong | Strong | Strong | Moderate |
| Deployment Difficulty | Easy | Hard | Moderate | Moderate | Moderate |
| Client Identity Protection | No | No | Yes | Yes | No |

WPA and WPA2

WPA is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key), which only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi network than with WEP, and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials.
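How the WPA(2)-PSK common password becomes the PMK, as an added example that is not part of the ZyXEL manual: it enforces the PSK length rule this appendix gives in its WPA(2)-PSK application example and derives the PMK from the PSK and the SSID. The PBKDF2-HMAC-SHA1 mapping with 4096 iterations, the printable-ASCII check and the 1 to 32 byte SSID limit are assumptions taken from IEEE 802.11i, not from this page; the passphrase and SSID are that standard's published test values.

```python
"""WPA(2)-PSK: from the shared password to the 256-bit PMK (added example)."""
import hashlib
import string

PMK_BYTES = 32      # 256-bit Pairwise Master Key
ITERATIONS = 4096   # fixed by the IEEE 802.11i passphrase mapping (assumption)
SHA1_BYTES = 20     # output size of the underlying HMAC-SHA1


def classify_psk(psk):
    """Apply the length rule: 8 to 63 ASCII characters or 64 hexadecimal characters."""
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "hex"
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"
    raise ValueError("PSK must be 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(psk, ssid):
    """Return the PMK that the AP and every client compute from the PSK and SSID."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes long")
    if classify_psk(psk) == "hex":
        # 64 hex digits already are the 256-bit key; no stretching is applied.
        return bytes.fromhex(psk)
    # The SSID is the salt, so the same passphrase yields a different PMK
    # on a network with a different name.
    return hashlib.pbkdf2_hmac(
        "sha1", psk.encode("ascii"), ssid_bytes, ITERATIONS, PMK_BYTES
    )


def hmac_calls_per_guess():
    """HMAC-SHA1 evaluations needed to test one candidate passphrase."""
    blocks = -(-PMK_BYTES // SHA1_BYTES)  # ceiling division: 2 output blocks
    return blocks * ITERATIONS


def demo():
    """Derive PMKs for constructed inputs and summarize what they show."""
    ap_pmk = derive_pmk("password", "IEEE")
    client_pmk = derive_pmk("password", "IEEE")
    other_network = derive_pmk("password", "IEEE-guest")
    try:
        derive_pmk("short", "IEEE")
        short_rejected = False
    except ValueError:
        short_rejected = True
    return {
        "pmk_hex": ap_pmk.hex(),
        # Every device with the password holds the same PMK: it identifies
        # the network, not an individual user.
        "ap_and_client_agree": ap_pmk == client_pmk,
        "ssid_changes_pmk": ap_pmk != other_network,
        "short_psk_rejected": short_rejected,
        "hmac_calls_per_guess": hmac_calls_per_guess(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed work per guess is small, so resistance to password guessing rests on the length and unpredictability of the passphrase itself.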
The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 222 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2 The AP checks each wireless client's password and allows it to join the network only if the password matches.
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.

Figure 223 WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 137 Wireless Security Relational Matrix

| AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | IEEE 802.1X |
|---|---|---|---|
| Open | None | No | Disable |
| | | | Enable without Dynamic WEP Key |
| Open | WEP | No | Enable with Dynamic WEP Key |
| | | Yes | Enable without Dynamic WEP Key |
| | | Yes | Disable |
| Shared | WEP | No | Enable with Dynamic WEP Key |
| | | Yes | Enable without Dynamic WEP Key |
| | | Yes | Disable |
| WPA | TKIP/AES | No | Enable |
| WPA-PSK | TKIP/AES | Yes | Disable |
| WPA2 | TKIP/AES | No | Enable |
| WPA2-PSK | TKIP/AES | Yes | Disable |

Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Positioning the antennas properly increases the range and coverage area of a wireless LAN.
Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications.

For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1 dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.

Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

- Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
- Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
Positioning Antennas

In general, antennas should be mounted as high as practically possible and free of obstructions. In a point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.

For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.

For directional antennas, point the antenna in the direction of the desired coverage area.

APPENDIX F Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.

- Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
- Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.
- Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers. If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. If the Protocol is USER, this is the IP protocol number.
- Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 138 Commonly Used Services

| NAME | PROTOCOL | PORT(S) | DESCRIPTION |
|---|---|---|---|
| AH (IPSEC_TUNNEL) | User-Defined | 51 | The IPSEC AH (Authentication Header) tunneling protocol uses this service. |
| AIM/New-ICQ | TCP | 5190 | AOL's Internet Messenger service. It is also used as a listening port by ICQ. |
| AUTH | TCP | 113 | Authentication protocol used by some servers. |
| BGP | TCP | 179 | Border Gateway Protocol. |
| BOOTP_CLIENT | UDP | 68 | DHCP Client. |
| BOOTP_SERVER | UDP | 67 | DHCP Server. |
| CU-SEEME | TCP | 7648 | A popular videoconferencing solution from White Pines Software. |
| | UDP | 24032 | |
| DNS | TCP/UDP | 53 | Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. |
| ESP (IPSEC_TUNNEL) | User-Defined | 50 | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. |
| FINGER | TCP | 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. |
| FTP | TCP | 20 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. |
| | TCP | 21 | |
| H.323 | TCP | 1720 | NetMeeting uses this protocol. |
| HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web. |
| HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce. |
| ICMP | User-Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes. |
| ICQ | UDP | 4000 | This is a popular Internet chat program. |
| IGMP (MULTICAST) | User-Defined | 2 | Internet Group Management Protocol is used when sending packets to a specific group of hosts. |
| IKE | UDP | 500 | The Internet Key Exchange algorithm is used for key distribution and management. |
| IRC | TCP/UDP | 6667 | This is another popular Internet chat program. |
| MSN Messenger | TCP | 1863 | Microsoft Networks' messenger service uses this protocol. |
| NEW-ICQ | TCP | 5190 | An Internet chat program. |
| NEWS | TCP | 144 | A protocol for news groups. |
| NFS | UDP | 2049 | Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments. |
| NNTP | TCP | 119 | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. |
| PING | User-Defined | 1 | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. |
| POP3 | TCP | 110 | Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). |
| PPTP | TCP | 1723 | Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. |
| PPTP_TUNNEL (GRE) | User-Defined | 47 | PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. |
| RCMD | TCP | 512 | Remote Command Service. |
| REAL_AUDIO | TCP | 7070 | A streaming audio service that enables real time sound over the web. |
| REXEC | TCP | 514 | Remote Execution Daemon. |
| RLOGIN | TCP | 513 | Remote Login. |
| RTELNET | TCP | 107 | Remote Telnet. |
| RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. |
| SFTP | TCP | 115 | Simple File Transfer Protocol. |
| SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. |
| SNMP | TCP/UDP | 161 | Simple Network Management Program. |
| SNMP-TRAPS | TCP/UDP | 162 | Traps for use with the SNMP (RFC:1215). |
| SQL-NET | TCP | 1521 | Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. |
| SSH | TCP/UDP | 22 | Secure Shell Remote Login Program. |
| STRM WORKS | UDP | 1558 | Stream Works Protocol. |
| SYSLOG | UDP | 514 | Syslog allows you to send system logs to a UNIX server. |
| TACACS | UDP | 49 | Login Host Protocol used for (Terminal Access Controller Access Control System). |
| TELNET | TCP | 23 | Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. |
| TFTP | UDP | 69 | Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). |
| VDOLIVE | TCP | 7000 | Another videoconferencing solution. |

APPENDIX G Legal Information

Copyright

Copyright © 2007 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimers

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. MAX-200HW2 Series Users Guide 337 Appendix GLegal Information If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.

FCC Radiation Exposure Statement

The device complies with FCC RF radiation exposure limits set forth for an uncontrolled environment, under 47 CFR 2.1093 paragraph (d)(2). End users must follow the specific operating instructions for satisfying RF exposure compliance. To maintain compliance with FCC RF exposure compliance requirements, please follow operation instruction as documented in this manual.

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.

Notices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

Viewing Certifications

1 Go to http://www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition.
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.

APPENDIX H
Customer Support

Please have the following information ready when you contact customer support.

Required Information

Product model and serial number.
Warranty Information.
Date that you received your device.
Brief description of the problem and the steps you took to solve it.
"+" is the (prefix) number you dial to make an international telephone call.

Corporate Headquarters (Worldwide)
Support E-mail: support@zyxel.com.tw
Sales E-mail: sales@zyxel.com.tw
Telephone: +886-3-578-3942
Fax: +886-3-578-2439
Web: www.zyxel.com, www.europe.zyxel.com
FTP: ftp.zyxel.com, ftp.europe.zyxel.com
Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

Costa Rica
Support E-mail: soporte@zyxel.co.cr
Sales E-mail: sales@zyxel.co.cr
Telephone: +506-2017878
Fax: +506-2015098
Web: www.zyxel.co.cr
FTP: ftp.zyxel.co.cr
Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic
E-mail: info@cz.zyxel.com
Telephone: +420-241-091-350
Fax: +420-241-091-359
Web: www.zyxel.cz
Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

Denmark
Support E-mail: support@zyxel.dk
Sales E-mail: sales@zyxel.dk
Telephone: +45-39-55-07-00
Fax: +45-39-55-07-07
Web: www.zyxel.dk
Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland
Support E-mail: support@zyxel.fi
Sales E-mail: sales@zyxel.fi
Telephone: +358-9-4780-8411
Fax: +358-9-4780-8448
Web: www.zyxel.fi
Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

France
E-mail: info@zyxel.fr
Telephone: +33-4-72-52-97-97
Fax: +33-4-72-52-19-20
Web: www.zyxel.fr
Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

Germany
Support E-mail: support@zyxel.de
Sales E-mail: sales@zyxel.de
Telephone: +49-2405-6909-69
Fax: +49-2405-6909-99
Web: www.zyxel.de
Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany

Hungary
Support E-mail: support@zyxel.hu
Sales E-mail: info@zyxel.hu
Telephone: +36-1-3361649
Fax: +36-1-3259100
Web: www.zyxel.hu
Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

India
Support E-mail: support@zyxel.in
Sales E-mail: sales@zyxel.in
Telephone: +91-11-30888144 to +91-11-30888153
Fax: +91-11-30888149, +91-11-26810715
Web: http://www.zyxel.in
Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India

Japan
Support E-mail: support@zyxel.co.jp
Sales E-mail: zyp@zyxel.co.jp
Telephone: +81-3-6847-3700
Fax: +81-3-6847-3705
Web: www.zyxel.co.jp
Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan

Kazakhstan
Support: http://zyxel.kz/support
Sales E-mail: sales@zyxel.kz
Telephone: +7-3272-590-698
Fax: +7-3272-590-689
Web: www.zyxel.kz
Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan

Malaysia
Support E-mail: support@zyxel.com.my
Sales E-mail: sales@zyxel.com.my
Telephone: +603-8076-9933
Fax: +603-8076-9833
Web: http://www.zyxel.com.my
Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia

North America
Support E-mail: support@zyxel.com
Support Telephone: +1-800-978-7222
Sales E-mail: sales@zyxel.com
Sales Telephone: +1-714-632-0882
Fax: +1-714-632-0858
Web: www.zyxel.com
Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

Norway
Support E-mail: support@zyxel.no
Sales E-mail: sales@zyxel.no
Telephone: +47-22-80-61-80
Fax: +47-22-80-61-81
Web: www.zyxel.no
Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Poland
E-mail: info@pl.zyxel.com
Telephone: +48-22-333 8250
Fax: +48-22-333 8251
Web: www.pl.zyxel.com
Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland

Russia
Support: http://zyxel.ru/support
Sales E-mail: sales@zyxel.ru
Telephone: +7-095-542-89-29
Fax: +7-095-542-89-25
Web: www.zyxel.ru
Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia

Singapore
Support E-mail: support@zyxel.com.sg
Sales E-mail: sales@zyxel.com.sg
Telephone: +65-6899-6678
Fax: +65-6899-8887
Web: http://www.zyxel.com.sg
Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930

Spain
Support E-mail: support@zyxel.es
Sales E-mail: sales@zyxel.es
Telephone: +34-902-195-420
Fax: +34-913-005-345
Web: www.zyxel.es
Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain

Sweden
Support E-mail: support@zyxel.se
Sales E-mail: sales@zyxel.se
Telephone: +46-31-744-7700
Fax: +46-31-744-7701
Web: www.zyxel.se
Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Thailand
Support E-mail: support@zyxel.co.th
Sales E-mail: sales@zyxel.co.th
Telephone: +662-831-5315
Fax: +662-831-5395
Web: http://www.zyxel.co.th
Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand.

Ukraine
Support E-mail: support@ua.zyxel.com
Sales E-mail: sales@ua.zyxel.com
Telephone: +380-44-247-69-78
Fax: +380-44-494-49-32
Web: www.ua.zyxel.com
Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, Ukraine

United Kingdom
Support E-mail: support@zyxel.co.uk
Sales E-mail: sales@zyxel.co.uk
Telephone: +44-1344-303044, 08707-555779 (UK only)
Fax: +44-1344-303034
Web: www.zyxel.co.uk
FTP: ftp.zyxel.co.uk
Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
1 2 | User manual revised 1 | Users Manual | 3.34 MiB | December 03 2008 |
About This User's Guide

Congratulations on your purchase of the ZyXEL MAX-200HW2 Series WiMAX WiFi Router with Built-In Switch and VOIP. Your ZyXEL Device allows you to access WiMAX wireless networks, set up a WiFi network and make Voice over Internet (VoIP) phone calls. Your ZyXEL Device is easy to install and configure.

Intended Audience

This manual is designed to guide you through the configuration of your ZyXEL Device for its various applications.

Related Documentation

Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.

Supporting Disk
Refer to the included CD for support documents.

ZyXEL Web Site
Please refer to www.zyxel.com for additional support documentation and product certifications.

User's Guide Feedback

Help us help you. Send all User's Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!

The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw

Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this User's Guide.

Warnings tell you about things that could harm you or your ZyXEL Device.

Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

The ZyXEL MAX-200HW2 Series may be referred to as the "ZyXEL Device", the "device", the "system" or the "product" in this User's Guide.
Product labels, screen names, field labels and field choices are all in bold font.
A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
"Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
"e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your ZyXEL Device.

Table 1 Common Icons: ZyXEL Device, Computer, Notebook, Wireless Signal, Wireless Base Station, Internet Cloud, Router, Server, Firewall

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
Do NOT expose your device to dampness, dust or corrosive liquids.
Do NOT store things on the device.
Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
Connect ONLY suitable accessories to the device.
ONLY qualified service personnel should service or disassemble this device.
Make sure to connect the cables to the correct ports.
Place connecting cables carefully so that no one will step on them or stumble over them.
Always disconnect all cables from this device before servicing or disassembling.
Use ONLY an appropriate power adaptor or cord for your device. Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
If the power adaptor or cord is damaged, remove it from the power outlet.
Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
Use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).

This product is recyclable. Dispose of it properly.
Contents Overview

Introduction
  Getting Started
  Introducing the Web Configurator
Tutorials and Wizard
  Tutorial
  Internet Setup Wizard
  VoIP Wizard
Web Configurator
  Status Screens
  Wireless LAN
  WAN Setup
  LAN
  NAT
  VPN Transport
  SIP
  Phone
  Phone Book
  Firewall
  Certificates
  Content Filter
  Static Route
  Remote MGMT
  UPnP
  System
  Logs
  Tools
Troubleshooting and Specifications
  Troubleshooting
  Product Specifications
Appendices and Index

Table of Contents

About This User's Guide
Document Conventions
Safety Warnings
Contents Overview
Table of Contents
List of Figures
List of Tables

Part I: Introduction

Chapter 1 Getting Started
  1.1 About Your ZyXEL Device
    1.1.1 Wireless Internet Access
    1.1.2 WiFi Network
    1.1.3 Make Calls via Internet Telephony Service Provider
  1.2 ZyXEL Device Hardware
    1.2.1 LEDs
    1.2.2 Antennas
  1.3 Good Habits for Managing the ZyXEL Device

Chapter 2 Introducing the Web Configurator
  2.1 Web Configurator Overview
    2.1.1 Accessing the Web Configurator
    2.1.2 The RESET Button
  2.2 Web Configurator Main Screen
    2.2.1 Title Bar
    2.2.2 Navigation Panel
    2.2.3 Main Window
    2.2.4 Status Bar

Part II: Tutorials and Wizard

Chapter 3 Tutorial
  3.1 Connect to the Internet
    3.1.1 Configure Internet Access Settings
    3.1.2 Configure WiMAX Settings
  3.2 Set Up a WiFi Network
    3.2.1 Configuring the AP (Your ZyXEL Device)
  3.3 Connect to the WiFi Network
    3.3.1 Connecting to a Wireless LAN
  3.4 Make a Telephone Call Over the Internet
    3.4.1 Configure Your SIP Account
    3.4.2 Configure a Phone
    3.4.3 Set Up Speed Dialing and Make a Call

Chapter 4 Internet Setup Wizard
  4.1 Wizard Setup Overview
  4.2 Internet Connection Wizard Setup
  4.3 Step One: System Information
  4.4 Step Two: Wireless LAN Wizard
    4.4.1 Wireless LAN Screen
    4.4.2 Basic (WEP) Security
    4.4.3 Extend (WPA-PSK or WPA2-PSK) Security
    4.4.4 The OTIST Screen
  4.5 Step Three: Internet Configuration
    4.5.1 Connection Type Screen
    4.5.2 ISP Parameters for Internet Access Screen
    4.5.3 Antenna Selection Screen
    4.5.4 IP Address Screen
    4.5.5 WAN IP Address Assignment
    4.5.6 Wizard Complete

Chapter 5 VoIP Wizard
  5.1 Introduction
  5.2 VOIP Wizard Setup
.............................................................................................................73 Part III: Web Configurator.....................................................................77 12 MAX-200HW2 Series Users Guide Table of Contents Chapter 6 Status Screens........................................................................................................................79 6.1 Status Screen ......................................................................................................................79 6.2 Site Information ...................................................................................................................83 6.3 Profile ..................................................................................................................................84 6.4 Packet Statistics ..................................................................................................................85 6.5 DHCP Table Screen ............................................................................................................86 6.6 VoIP Statistics Window ........................................................................................................87 Chapter 7 Wireless LAN...........................................................................................................................91 7.1 Wireless Network Overview .................................................................................................91 7.2 Wireless Security Overview .................................................................................................92 7.2.1 SSID ...........................................................................................................................92 7.2.2 MAC Address Filter ....................................................................................................92 7.2.3 User Authentication 
....................................................................................................92 7.2.4 Encryption ..................................................................................................................93 7.2.5 One-Touch Intelligent Security Technology (OTIST) ..................................................94 7.3 General Wireless LAN Screen ............................................................................................94 7.3.1 No Security .................................................................................................................95 7.3.2 WEP Encryption .........................................................................................................96 7.3.3 WPA-PSK/WPA2-PSK ................................................................................................97 7.3.4 WPA/WPA2 ................................................................................................................99 7.4 OTIST ...............................................................................................................................101 7.4.1 Enabling OTIST ........................................................................................................101 7.4.2 Starting OTIST .........................................................................................................103 7.4.3 Notes on OTIST .......................................................................................................103 7.5 MAC Filter ..........................................................................................................................104 7.6 Wireless LAN Advanced Screen .......................................................................................105 Chapter 8 WAN Setup.............................................................................................................................107 8.1 WAN Overview 
.................................................................................................................107 8.2 WiMAX ...............................................................................................................................107 8.2.1 Authentication ..........................................................................................................108 8.3 Internet Access Setup ......................................................................................................108 8.4 Frequency Settings .............................................................................................................111 8.4.1 Frequency Ranges ....................................................................................................111 8.4.2 Configuring Frequency Settings ................................................................................111 8.5 Configuring Advanced WAN Settings .................................................................................114 8.6 Configuring Traffic Redirect Settings ..................................................................................115 8.6.1 Configuring The Antenna ..........................................................................................117 MAX-200HW2 Series Users Guide 13 Table of Contents Chapter 9 LAN.........................................................................................................................................119 9.1 LAN Overview .....................................................................................................................119 9.1.1 IP Address and Subnet Mask ....................................................................................119 9.1.2 DHCP Setup .............................................................................................................120 9.1.3 LAN TCP/IP 
..............................................................................................................120 9.1.4 DNS Server Address ................................................................................................120 9.1.5 RIP Setup .................................................................................................................121 9.1.6 Multicast ...................................................................................................................121 9.2 LAN Screens .....................................................................................................................122 9.2.1 LAN IP Screen .........................................................................................................122 9.2.2 LAN DHCP Setup Screen ........................................................................................122 9.2.3 LAN Static DHCP Screen .........................................................................................123 9.2.4 LAN Client List Screen .............................................................................................124 9.2.5 LAN IP Alias Screen .................................................................................................125 9.2.6 LAN Advanced Screen .............................................................................................126 Chapter 10 NAT.........................................................................................................................................129 10.1 NAT Overview ..................................................................................................................129 10.1.1 Port Forwarding: Services and Port Numbers ........................................................129 10.1.2 Trigger Port Forwarding .........................................................................................130 10.1.3 SIP ALG 
.................................................................................................................131 10.2 NAT Screens ....................................................................................................................131 10.2.1 NAT General Screen ..............................................................................................131 10.2.2 NAT Port Forwarding Screen .................................................................................132 10.2.3 NAT Port Forwarding Edit Screen ..........................................................................133 10.2.4 NAT Trigger Port Screen ........................................................................................134 10.2.5 NAT ALG Screen ....................................................................................................135 Chapter 11 VPN Transport.......................................................................................................................137 11.1 Overview ..........................................................................................................................137 11.1.1 What You Can Do in the VPN Transport Screens ..................................................138 11.1.2 What You Need to Know about VPN Transport ......................................................138 11.1.3 Before You Begin ....................................................................................................140 11.2 The General Screen .........................................................................................................140 11.3 The Customer Interface Screen .......................................................................................141 11.4 The Customer Interface Edit Screen ................................................................................142 11.5 The Ethernet Pseudowire Screen ....................................................................................143 
11.6 The Ethernet Pseudowire Edit Screen .............................................................................144 11.7 The Statistics Screen .......................................................................................................145 11.8 VPN Transport Technical Reference ................................................................................146 14 MAX-200HW2 Series Users Guide Table of Contents 11.8.1 Multi-Protocol Label Switching ...............................................................................146 11.8.2 Generic Routing Encapsulation ..............................................................................147 Chapter 12 SIP..........................................................................................................................................149 12.1 SIP Overview ...................................................................................................................149 12.1.1 Introduction to VoIP ................................................................................................149 12.1.2 Introduction to SIP ..................................................................................................149 12.1.3 SIP Identities ..........................................................................................................149 12.1.4 SIP Call Progression ..............................................................................................150 12.1.5 SIP Client Server ....................................................................................................150 12.1.6 RTP ........................................................................................................................152 12.1.7 NAT and SIP ..........................................................................................................152 12.1.8 Voice Coding 
..........................................................................................................153 12.1.9 PSTN Call Setup Signaling ....................................................................................154 12.1.10 MWI (Message Waiting Indication) .......................................................................154 12.1.11 Custom Tones (IVR) .............................................................................................155 12.1.12 Quality of Service (QoS) ......................................................................................155 12.2 SIP Screens .....................................................................................................................157 12.2.1 SIP Settings Screen ...............................................................................................157 12.2.2 Advanced SIP Setup Screen ..................................................................................158 12.2.3 SIP QoS Screen .....................................................................................................162 Chapter 13 Phone.....................................................................................................................................165 13.1 Phone Overview ..............................................................................................................165 13.1.1 Voice Activity Detection/Silence Suppression/Comfort Noise ................................165 13.1.2 Echo Cancellation ..................................................................................................165 13.1.3 Supplementary Phone Services Overview .............................................................165 13.2 Phone Screens ................................................................................................................169 13.2.1 Analog Phone Screen ............................................................................................169 13.2.2 
Advanced Analog Phone Setup Screen .................................................................170 13.2.3 Common Phone Settings Screen ...........................................................................171 13.2.4 Phone Region Screen ............................................................................................171 Chapter 14 Phone Book...........................................................................................................................173 14.1 Phone Book Overview .....................................................................................................173 14.2 Phone Book Screens .......................................................................................................173 14.2.1 Incoming Call Policy Screen ..................................................................................173 14.2.2 Speed Dial Screen .................................................................................................175 Chapter 15 Firewall...................................................................................................................................179 MAX-200HW2 Series Users Guide 15 Table of Contents 15.1 Firewall Overview ............................................................................................................179 15.1.1 Stateful Inspection Firewall. 
..................................................................................179 15.1.2 About the ZyXEL Device Firewall ...........................................................................179 15.1.3 Guidelines For Enhancing Security With Your Firewall ..........................................180 15.1.4 The Firewall, NAT and Remote Management ........................................................180 15.2 Triangle Route .................................................................................................................181 15.2.1 The Triangle Route Problem ................................................................................181 15.2.2 Solving the Triangle Route Problem ....................................................................182 15.3 Firewall Screens ..............................................................................................................183 15.3.1 General Firewall Screen .........................................................................................183 15.3.2 Firewall Services Screen ........................................................................................183 Chapter 16 Certificates............................................................................................................................187 16.1 Certificates Overview .......................................................................................................187 16.1.1 Advantages of Certificates .....................................................................................188 16.2 Self-signed Certificates ....................................................................................................188 16.3 Factory Default Certificate ...............................................................................................188 16.3.1 Certificate File Formats ..........................................................................................188 16.4 Certificate 
Configuration Screens Summary ...................................................................189 16.5 Verifying a Certificate .......................................................................................................189 16.5.1 Checking the Fingerprint of a Certificate on Your Computer ..................................189 16.6 My Certificates Screen ....................................................................................................190 16.6.1 My Certificates Create Screen .............................................................................192 16.6.2 My Certificate Details Screen ................................................................................195 16.6.3 My Certificate Import Screen .................................................................................198 16.7 Trusted CAs ...................................................................................................................199 16.8 Trusted CA Details ..........................................................................................................201 16.9 Trusted CA Import .........................................................................................................203 Chapter 17 Content Filter.........................................................................................................................205 17.1 Content Filtering Overview ..............................................................................................205 17.2 Content Filtering Screens ................................................................................................205 17.2.1 Content Filter Screen .............................................................................................205 17.2.2 Content Filter Schedule Screen .............................................................................207 Chapter 18 Static 
Route...........................................................................................................................209 18.1 Static Route Overview .....................................................................................................209 18.2 Static Route Screens .......................................................................................................209 18.2.1 IP Static Route Screen ...........................................................................................209 18.2.2 IP Static Route Edit Screen ....................................................................................210 16 MAX-200HW2 Series Users Guide Table of Contents Chapter 19 Remote MGMT.......................................................................................................................213 19.1 Remote Management Overview ......................................................................................213 19.1.1 Remote Management Limitations ..........................................................................213 19.1.2 Remote Management and NAT ..............................................................................213 19.1.3 System Timeout .....................................................................................................214 19.2 Remote Management Screens ........................................................................................214 19.2.1 WWW Screen .........................................................................................................214 19.2.2 Telnet Screen .........................................................................................................214 19.2.3 FTP Screen ............................................................................................................215 19.3 SNMP ..............................................................................................................................216 19.3.1 Supported MIBs 
.....................................................................................................217 19.3.2 SNMP Traps ...........................................................................................................217 19.3.3 Configuring SNMP .................................................................................................217 19.3.4 DNS Screen ...........................................................................................................218 19.3.5 Security Screen ......................................................................................................219 Chapter 20 UPnP......................................................................................................................................221 20.1 Introducing Universal Plug and Play ................................................................................221 20.1.1 How do I know if I'm using UPnP? .........................................................................221 20.1.2 NAT Traversal ........................................................................................................221 20.1.3 Cautions with UPnP ...............................................................................................221 20.1.4 UPnP and ZyXEL ...................................................................................................222 20.2 UPnP Examples ..............................................................................................................222 20.2.1 Installing UPnP in Windows Example ....................................................................222 20.2.2 Using UPnP in Windows XP Example ...................................................................225 20.3 UPnP Screen ...................................................................................................................231 Chapter 21 
System...................................................................................................................................233 21.1 System Features Overview .............................................................................................233 21.1.1 System Name .........................................................................................................233 21.1.2 Domain Name ........................................................................................................233 21.1.3 DNS Server Address Assignment ..........................................................................233 21.1.4 Dynamic DNS .........................................................................................................234 21.1.5 Pre-defined NTP Time Servers List ........................................................................234 21.1.6 Resetting the Time .................................................................................................235 21.2 System Screens ..............................................................................................................235 21.2.1 General System Screen .........................................................................................235 21.2.2 Dynamic DNS Screen ............................................................................................236 21.2.3 Time Setting Screen ...............................................................................................237 MAX-200HW2 Series Users Guide 17 Table of Contents Chapter 22 Logs.......................................................................................................................................241 22.1 Logs Overview .................................................................................................................241 22.1.1 Alerts ......................................................................................................................241 22.1.2 
Syslog Logs ... 241
22.2 Logs Screens ... 243
22.2.1 Log Viewer Screen ... 243
22.2.2 Log Settings Screen ... 243
22.3 Log Message Descriptions ... 245

Chapter 23 Tools ... 255
23.1 Tools Overview ... 255
23.1.1 Firmware ... 255
23.2 Tools Screens ... 255
23.2.1 Firmware Screen ... 255
23.2.2 Firmware Upload Screens ... 256
23.2.3 Configuration Screen ... 257
23.2.4 Restore Configuration Screens ... 258
23.2.5 Restart Screen ... 259

Part IV: Troubleshooting and Specifications ... 261

Chapter 24 Troubleshooting ... 263
24.1 Power, Hardware Connections, and LEDs ... 263
24.2 ZyXEL Device Access and Login ... 264
24.3 Internet Access ... 265
24.4 Phone Calls and VoIP ... 267
24.5 Reset the ZyXEL Device to Its Factory Defaults ... 267
24.5.1 Pop-up Windows, JavaScripts and Java Permissions ... 268
24.6 Wireless LAN Troubleshooting ... 268

Chapter 25 Product Specifications ... 269

Part V: Appendices and Index ... 273

Appendix A WiMAX Security ... 275
Appendix B Setting up Your Computer's IP Address ... 279
Appendix C Pop-up Windows, JavaScripts and Java Permissions ... 301
Appendix D IP Addresses and Subnetting ... 309
Appendix E Wireless LANs ... 319
Appendix F Common Services ... 333
Appendix G Legal Information ... 337
Appendix H Customer Support ... 341
Index ... 347

List of Figures

Figure 1 Mobile Station and Base Station ... 34
Figure 2 WLAN Application Example ... 34
Figure 3 ZyXEL Device's VoIP Features ... 35
Figure 4 The ZyXEL Device ... 35
Figure 5 Password Screen ... 40
Figure 6 Change Password Screen ... 40
Figure 7 Replace Certificate Screen ... 40
Figure 8 Wizard or Advanced Screen ... 41
Figure 9 Main Screen ... 42
Figure 10 Tutorial: Security ... 50
Figure 11 Tutorial: Trusted CAs Tab ... 50
Figure 12 Tutorial: Trusted CAs Screen ... 50
Figure 13 Tutorial: Network ... 51
Figure 14 Tutorial: Internet Access Settings ... 51
Figure 15 Tutorial: WiMAX Frequency Setup ... 52
Figure 16 Network > Wireless LAN > General ... 53
Figure 17 Network > Wireless LAN > Device Information ... 54
Figure 18 Network > Wireless LAN > Interface Status ... 54
Figure 19 ZyXEL Utility: Security Settings ... 56
Figure 20 ZyXEL Utility: Confirm Save ... 56
Figure 21 ZyXEL Utility: Link Info ... 56
Figure 22 Tutorial: SIP Account Setup ... 58
Figure 23 Tutorial: the Analog Phone Screen ... 59
Figure 24 Tutorial: the Speed Dial Screen ... 60
Figure 25 Tutorial: New Speed Dial Rule ... 60
Figure 26 Select a Mode ... 61
Figure 27 Connection Wizard: Introduction ... 62
Figure 28 Wizard > Step 1 > System Information ... 62
Figure 29 Wizard > Step 2 > Wireless LAN ... 63
Figure 30 Wizard > Step 2 > Basic (WEP) Security ... 64
Figure 31 Wizard > Step 2 > Extend (WPA-PSK or WPA2-PSK) Security ... 65
Figure 32 Wizard > Step 2 > OTIST ... 66
Figure 33 Wizard > Step 3 > Connection Type Screen ... 67
Figure 34 Wizard > Step 3 > ISP Parameters for Internet Access Screen ... 67
Figure 35 Wizard > Step 3 > Antenna Selection ... 69
Figure 36 Wizard > Step 3 > IP Address ... 70
Figure 37 Wizard > Step 3 > WAN IP Address Assignment ... 71
Figure 38 The Connection Wizard: Congratulations ... 72
Figure 39 Select a Mode ... 73
Figure 40 VOIP Wizard: Configuration ... 74
Figure 41 VoIP Wizard: SIP Registration Test ... 75
Figure 42 VoIP Wizard: Fail ... 75
Figure 43 VOIP Wizard: Finish ... 75
Figure 44 Status Screen ... 79
Figure 45 The Site Information Screen ... 83
Figure 46 The WiMAX Profile Screen ... 84
Figure 47 Packet Statistics ... 85
Figure 48 DHCP Table ... 86
Figure 49 VoIP Statistics ... 87
Figure 50 Example of a Wireless Network ... 91
Figure 51 Network > Wireless LAN > General ... 94
Figure 52 Network > Wireless LAN > General: No Security ... 95
Figure 53 Network > Wireless LAN > General: Static WEP ... 96
Figure 54 Network > Wireless LAN > General: WPA-PSK/WPA2-PSK ... 98
Figure 55 Network > Wireless LAN > General: WPA/WPA2 ... 99
Figure 56 Network > Wireless LAN > OTIST ... 101
Figure 57 Example Wireless Client OTIST Screen ... 102
Figure 58 Security Key ... 103
Figure 59 OTIST in Progress (AP) ... 103
Figure 60 OTIST in Progress (Client) ... 103
Figure 61 No AP with OTIST Found ... 103
Figure 62 Start OTIST? ... 104
Figure 63 Network > Wireless LAN > MAC Filter ... 105
Figure 64 Network > Wireless LAN > Advanced ... 106
Figure 65 WiMAX: Mobile Station ... 107
Figure 66 WiMAX: Multiple Mobile Stations ... 108
Figure 67 Using an AAA Server ... 108
Figure 68 Network > WAN > Internet Connection ... 109
Figure 69 Frequency Ranges ... 111
Figure 70 Network > WAN > WiMAX Frequency ... 113
Figure 71 Completing the WiMAX Frequency Screen ... 114
Figure 72 Network > WAN > Advanced ... 114
Figure 73 Network > WAN > Traffic Redirect ... 116
Figure 74 Network > WAN > Antenna Selection ... 117
Figure 75 Network > LAN > IP ... 122
Figure 76 Network > LAN > DHCP Setup ... 123
Figure 77 Network > LAN > Static DHCP ... 124
Figure 78 Network > LAN > Client List ... 125
Figure 79 Network > LAN > IP Alias ... 125
Figure 80 Network > LAN > Advanced ... 127
Figure 81 Multiple Servers Behind NAT Example ... 129
Figure 82 Trigger Port Forwarding Process: Example ... 130
Figure 83 Network > NAT > General ... 131
Figure 84 Network > NAT > Port Forwarding ... 132
Figure 85 Network > NAT > Port Forwarding > Edit ... 133
Figure 86 Network > NAT > Trigger Port ... 134
Figure 87 Network > NAT > ALG ... 135
Figure 88 VPN Transport example ... 137
Figure 89 Identifying Users ... 138
Figure 90 Ethernet Pseudowire Settings Example ... 139
Figure 91 Pseudowire Mapping ... 139
Figure 92 Network > VPN Transport > General ... 140
Figure 93 Network > VPN Transport > Customer Interface ... 141
Figure 94 Network > VPN Transport > Customer Interface Edit ... 142
Figure 95 Network > VPN Transport > Ethernet Pseudowire ... 144
Figure 96 Network > VPN Transport > Ethernet Pseudowire > Edit ... 145
Figure 97 Network > VPN Transport > Statistics ... 146
Figure 98 VPLS Tunneling ... 147
Figure 99 SIP User Agent ... 151
Figure 100 SIP Proxy Server ... 151
Figure 101 SIP Redirect Server ... 152
Figure 102 STUN ... 153
Figure 103 DiffServ: Differentiated Service Field ... 156
Figure 104 VoIP > SIP > SIP Settings ... 157
Figure 105 VoIP > SIP > SIP Settings > Advanced ... 159
Figure 106 VoIP > SIP > QoS ... 163
Figure 107 VoIP > Phone > Analog Phone ... 169
Figure 108 VoIP > Phone > Analog Phone > Advanced ... 170
Figure 109 VoIP > Phone > Common ... 171
Figure 110 VoIP > Phone > Region ... 171
Figure 111 VoIP > Phone Book > Incoming Call Policy ... 174
Figure 112 VoIP > Phone Book > Speed Dial ... 176
Figure 113 Firewall Rule Directions ... 180
Figure 114 Ideal Firewall Setup ... 181
Figure 115 Triangle Route Problem ... 182
Figure 116 IP Alias ... 182
Figure 117 Security > Firewall > General ... 183
Figure 118 Security > Firewall > Services ... 184
Figure 119 Remote Host Certificates ... 189
Figure 120 Certificate Details ... 190
Figure 121 Security > Certificates > My Certificates ... 191
Figure 122 Security > Certificates > My Certificates > Create ... 193
Figure 123 Security > Certificates > My Certificates > Details ... 196
Figure 124 Security > Certificates > My Certificates > Import ... 199
Figure 125 Security > Certificates > Trusted CAs ... 200
Figure 126 Security > Certificates > Trusted CAs > Details ... 201
Figure 127 Security > Certificates > Trusted CAs > Import ... 204
Figure 128 Security > Content Filter > Filter ... 206
Figure 129 Security > Content Filter > Schedule ... 207
Figure 130 Example of Static Routing Topology ... 209
Figure 131 Management > Static Route > IP Static Route ... 210
Figure 132 Management > Static Route > IP Static Route > Edit ... 211
Figure 133 Management > Remote MGMT > WWW ... 214
Figure 134 Management > Remote MGMT > Telnet ... 215
Figure 135 Management > Remote MGMT > FTP ... 215
Figure 136 SNMP Management Model ... 216
Figure 137 Management > Remote MGMT > SNMP ... 218
Figure 138 Management > Remote MGMT > DNS ... 219
Figure 139 Management > Remote MGMT > Security ... 219
Figure 140 Add/Remove Programs: Windows Setup: Communication ... 222
Figure 141 Add/Remove Programs: Windows Setup: Communication Components ... 223
Figure 142 Network Connections ... 223
Figure 143 Windows Optional Networking Components Wizard ... 224
Figure 144 Networking Services ... 224
Figure 145 Network Connections ... 225
Figure 146 Internet Connection Properties ... 226
Figure 147 Internet Connection Properties: Advanced Settings ... 227
Figure 148 Internet Connection Properties: Advanced Settings: Add ... 227
Figure 149 System Tray Icon ... 228
Figure 150 Internet Connection Status ... 228
Figure 151 Network Connections ... 229
Figure 152 Network Connections: My Network Places ... 230
Figure 153 Network Connections: My Network Places: Properties: Example ... 230
Figure 154 Management > UPnP ... 231
Figure 155 Maintenance > System > General ... 235
Figure 156 Maintenance > System > Dynamic DNS ... 236
Figure 157 Maintenance > System > Time Setting ... 238
Figure 158 Maintenance > Logs > View Log ... 243
Figure 159 Maintenance > Logs > Log Settings ... 244
Figure 160 Maintenance > Tools > Firmware ... 256
Figure 161 Firmware Upload In Process ... 256
Figure 162 Network Temporarily Disconnected ... 257
Figure 163 Firmware Upload Error ... 257
Figure 164 Maintenance > Tools > Configuration ... 257
Figure 165 Configuration Upload Successful ... 258
Figure 166 Network Temporarily Disconnected ... 259
Figure 167 Configuration Upload Error ... 259
Figure 168 Maintenance > Tools > Restart ... 259
Figure 169 Maintenance > Tools > Restart > In Progress ... 260
Figure 170 Windows 95/98/Me: Network: Configuration ... 280
Figure 171 Windows 95/98/Me: TCP/IP Properties: IP Address ... 281
Figure 172 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ... 282
Figure 173 Windows XP: Start Menu ... 283
Figure 174 Windows XP: Control Panel ... 283
Figure 175 Windows XP: Control Panel: Network Connections: Properties ... 284
Figure 176 Windows XP: Local Area Connection Properties ... 284
Figure 177 Windows XP: Internet Protocol (TCP/IP) Properties ... 285
Figure 178 Windows XP: Advanced TCP/IP Properties ... 286
Figure 179 Windows XP: Internet Protocol (TCP/IP) Properties ... 287
Figure 180 Windows Vista: Start Menu ... 288
Figure 181 Windows Vista: Control Panel ... 288
Figure 182 Windows Vista: Network And Internet ... 288
Figure 183 Windows Vista: Network and Sharing Center ... 288
Figure 184 Windows Vista: Network and Sharing Center ... 289
Figure 185 Windows Vista: Local Area Connection Properties ... 289
Figure 186 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties ... 290
Figure 187 Windows Vista: Advanced TCP/IP Properties ... 291
Figure 188 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties ... 292
Figure 189 Macintosh OS 8/9: Apple Menu ... 293
Figure 190 Macintosh OS 8/9: TCP/IP ... 293
Figure 191 Macintosh OS X: Apple Menu ... 294
Figure 192 Macintosh OS X: Network ... 295
Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices ... 296
Figure 194 Red Hat 9.0: KDE: Ethernet Device: General ... 296
Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS ... 297
Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate ... 297
Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 ... 298
Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 ... 298
Figure 199 Red Hat 9.0: DNS Settings in resolv.conf ... 298
Figure 200 Red Hat 9.0: Restart Ethernet Card ... 298
Figure 201 Red Hat 9.0: Checking TCP/IP Properties ... 299
Figure 202 Pop-up Blocker ... 301
Figure 203 Internet Options: Privacy ... 302
Figure 204 Internet Options: Privacy ... 303
Figure 205 Pop-up Blocker Settings ... 303
Figure 206 Internet Options: Security ... 304
Figure 207 Security Settings - Java Scripting ... 305
Figure 208 Security Settings - Java ... 305
Figure 209 Java (Sun) ... 306
Figure 210 Mozilla Firefox: Tools > Options ... 307
Figure 211 Mozilla Firefox Content Security ... 307
Figure 212 Network Number and Host ID ... 310
Figure 213 Subnetting Example: Before Subnetting ... 312
Figure 214 Subnetting Example: After Subnetting ... 313
Figure 215 Conflicting Computer IP Addresses Example ... 317
Figure 216 Conflicting Computer IP Addresses Example ... 317
Figure 217 Conflicting Computer and Router IP Addresses Example ... 318
Figure 218 Peer-to-Peer Communication in an Ad-hoc Network ... 319
Figure 219 Basic Service Set ... 320
Figure 220 Infrastructure WLAN ... 321
Figure 221 RTS/CTS ... 322
Figure 222 WPA(2) with RADIUS Application Example ... 329
Figure 223 WPA(2)-PSK Authentication ... 330

List of Tables

Table 1 Common Icons ... 5
Table 2 Models Covered ... 33
Table 3 The ZyXEL Device ... 35
Table 4 Web Configurator Icons in the Title Bar ... 43
Table 5 Navigation Panel Summary ... 43
Table 6 Example Internet Access Information ... 49
Table 7 Wizard > Step 1 > System Information ... 62
Table 8 Wizard > Step 2 > Wireless LAN ... 63
Table 9 Wizard > Step 2 > Basic (WEP) Security ... 64
Table 10 Wizard > Step 2 > Extend (WPA-PSK or WPA2-PSK) Security ... 65
Table 11 Wizard > Step 2 > OTIST ... 66
Table 12 Wizard > Step 3 > ISP Parameters for Internet Access Screen ... 67
Table 13 Wizard > Step 3 > Antenna Selection ... 69
Table 14 Wizard > Step 3 > IP Address ... 70
Table 15 Wizard > Step 3 > WAN IP Address Assignment ... 71
Table 16 VOIP Wizard Configuration ... 74
Table 17 Status Screen ... 80
Table 18 The Site Information Screen ... 84
Table 19 The WiMAX Profile Screen ... 84
Table 20 Packet Statistics ... 86
Table 21 DHCP Table ... 87
Table 22 VoIP Statistics ... 87
Table 23 Types of Encryption for Each Type of Authentication ... 93
Table 24 Network > Wireless LAN > General ... 95
Table 25 Wireless No Security ... 96
Table 26 Network > Wireless LAN > General: Static WEP ... 97
Table 27 Network > Wireless LAN > General: WPA-PSK/WPA2-PSK ... 98
Table 28 Network > Wireless LAN > General: WPA/WPA2 ... 100
Table 29 Network > Wireless LAN > OTIST ... 102
Table 30 Network > Wireless LAN > MAC Filter ... 105
Table 31 Network > Wireless LAN > Advanced ... 106
Table 32 Network > WAN > Internet Connection ... 109
Table 33 Radio Frequency Conversion ... 111
Table 34 DL Frequency Example Settings ... 112
Table 35 Network > WAN > WiMAX Frequency ... 113
Table 36 Example Supported Frequencies (GHz) ... 113
Table 37 Network > WAN > Advanced ... 115
Table 38 Network > WAN > Traffic Redirect ... 116
Table 39 Network > WAN > Antenna Selection ... 117
Table 40 Network > LAN > IP ... 122
Table 41 Network > LAN > DHCP Setup ... 123
Table 42 Network > LAN > Static DHCP ... 124
Table 43 Network > LAN > Client List ... 125
Table 44 Network > LAN > IP Alias
.....................................................................................................126 Table 45 Network > LAN > Advanced ..................................................................................................127 Table 46 Network > NAT > General .....................................................................................................131 Table 47 Network > NAT > Port Forwarding ........................................................................................133 Table 48 Network > NAT > Port Forwarding > Edit ..............................................................................134 Table 49 Network > NAT > Trigger Port ...............................................................................................135 Table 50 Network > NAT > ALG ..........................................................................................................135 Table 51 Network > VPN Transport > General ....................................................................................140 Table 52 Network > VPN Transport > Customer Interface ..................................................................141 Table 53 Network > VPN Transport > Customer Interface Edit ...........................................................142 Table 54 Network > VPN Transport > Ethernet Pseudowire ................................................................144 Table 55 Network > VPN Transport > Ethernet Pseudowire > Edit .....................................................145 Table 56 Network > VPN Transport > Statistics ...................................................................................146 Table 57 SIP Call Progression .............................................................................................................150 Table 58 Custom Tones Details ...........................................................................................................155 Table 59 VoIP > SIP > SIP Settings 
.....................................................................................................157 Table 60 VoIP > SIP > SIP Settings > Advanced ................................................................................160 Table 61 VoIP > SIP > QoS .................................................................................................................163 Table 62 European Type Flash Key Commands .................................................................................166 Table 63 USA Type Flash Key Commands .........................................................................................168 Table 64 VoIP > Phone > Analog Phone .............................................................................................169 Table 65 VoIP > Phone > Analog Phone > Advanced .........................................................................170 Table 66 VoIP > Phone > Common .....................................................................................................171 Table 67 VoIP > Phone > Region ........................................................................................................171 Table 68 VoIP > Phone Book > Incoming Call Policy ..........................................................................174 Table 69 VoIP > Phone Book > Speed Dial .........................................................................................176 Table 70 Security > Firewall > General ................................................................................................183 Table 71 Security > Firewall > Services ...............................................................................................184 Table 72 Security > Certificates > My Certificates ...............................................................................191 Table 73 Security > Certificates > My Certificates > Create ................................................................193 Table 74 Security > 
Certificates > My Certificates > Details ................................................................196 Table 75 Security > Certificates > My Certificates > Import .................................................................199 Table 76 Security > Certificates > Trusted CAs ...................................................................................200 Table 77 Security > Certificates > Trusted CAs > Details ....................................................................202 Table 78 Security > Certificates > Trusted CAs Import ........................................................................204 Table 79 Security > Content Filter > Filter ...........................................................................................206 Table 80 Security > Content Filter > Schedule ....................................................................................207 Table 81 Management > Static Route > IP Static Route ......................................................................210 28 MAX-200HW2 Series Users Guide List of Tables Table 82 Management > Static Route > IP Static Route > Edit ............................................................211 Table 83 ..............................................................................................................................................213 Table 84 Management > Remote MGMT > WWW ..............................................................................214 Table 85 Management > Remote MGMT > Telnet ...............................................................................215 Table 86 Management > Remote MGMT > FTP .................................................................................215 Table 87 SNMP Traps ..........................................................................................................................217 Table 88 Remote Management: SNMP 
...............................................................................................218 Table 89 Management > Remote MGMT > DNS .................................................................................219 Table 90 Management > Remote MGMT > Security ...........................................................................220 Table 91 Management > UPnP ............................................................................................................231 Table 92 Pre-defined NTP Time Servers .............................................................................................234 Table 93 Maintenance > System > General ........................................................................................235 Table 94 Maintenance > System > Dynamic DNS ...............................................................................237 Table 95 Maintenance > System > Time Setting .................................................................................238 Table 96 Syslog Logs ..........................................................................................................................242 Table 97 RFC-2408 ISAKMP Payload Types ......................................................................................242 Table 98 Maintenance > Logs > View Log ...........................................................................................243 Table 99 Maintenance > Logs > Log Settings .....................................................................................244 Table 100 System Error Logs ..............................................................................................................245 Table 101 System Maintenance Logs ..................................................................................................246 Table 102 Access Control Logs ...........................................................................................................246 Table 103 TCP Reset Logs 
..................................................................................................................247 Table 104 Packet Filter Logs ...............................................................................................................248 Table 105 ICMP Logs ..........................................................................................................................248 Table 106 CDR Logs ...........................................................................................................................248 Table 107 PPP Logs ............................................................................................................................248 Table 108 UPnP Logs ..........................................................................................................................249 Table 109 Content Filtering Logs .........................................................................................................249 Table 110 Attack Logs ..........................................................................................................................249 Table 111 Remote Management Logs .................................................................................................250 Table 112 ICMP Notes .........................................................................................................................251 Table 113 SIP Logs ..............................................................................................................................252 Table 114 RTP Logs ............................................................................................................................252 Table 115 FSM Logs: Caller Side ........................................................................................................252 Table 116 FSM Logs: Callee Side .......................................................................................................253 Table 
117 Lifeline Logs ........................................................................................................................253 Table 118 Maintenance > Tools > Firmware ........................................................................................256 Table 119 Maintenance > Tools > Configuration ..................................................................................258 Table 120 Product Specifications .........................................................................................................269 Table 121 Physical Features ...............................................................................................................270 Table 122 Non-Physical Features ........................................................................................................270 Table 123 IP Address Network Number and Host ID Example ...........................................................310 Table 124 Subnet Masks ......................................................................................................................311 MAX-200HW2 Series Users Guide 29 List of Tables Table 125 Maximum Host Numbers .....................................................................................................311 Table 126 Alternative Subnet Mask Notation ........................................................................................311 Table 127 Subnet 1 ..............................................................................................................................313 Table 128 Subnet 2 ..............................................................................................................................314 Table 129 Subnet 3 ..............................................................................................................................314 Table 130 Subnet 4 
Table 131 Eight Subnets
Table 132 24-bit Network Number Subnet Planning
Table 133 16-bit Network Number Subnet Planning
Table 134 IEEE 802.11g
Table 135 Wireless Security Levels
Table 136 Comparison of EAP Authentication Types
Table 137 Wireless Security Relational Matrix
Table 138 Commonly Used Services

PART I Introduction

Getting Started
Introducing the Web Configurator

CHAPTER 1 Getting Started

This chapter introduces the main features and applications of the ZyXEL Device.

1.1 About Your ZyXEL Device

The ZyXEL Device is a WiMAX WiFi router with built-in switch and VoIP. It allows you to access the Internet by connecting to a WiMAX wireless network. You can create a WiFi network using the Wireless LAN feature. You can use a traditional analog telephone to make Internet calls using the ZyXEL Device's Voice over IP (VoIP) communication capabilities. You can configure firewall and content filtering for secure Internet access, as well as a host of other features.
The web browser-based Graphical User Interface (GUI), also known as the web configurator, provides easy management. See Chapter 25 on page 269 for a complete list of features for your model. At the time of writing, this User's Guide covers the following models:
Table 2 Models Covered
MAX-200HW2 | 2.5 GHz
MAX-210HW2 | 3.5 GHz
MAX-230HW2 | 2.3 GHz

This User's Guide uses screens and example settings from the MAX-210HW2 model.

1.1.1 Wireless Internet Access

Connect your computer or network to the ZyXEL Device for wireless Internet access. See the Quick Start Guide for instructions on hardware connection.

In a wireless metropolitan area network (MAN), the ZyXEL Device connects to a base station (BS) for Internet access. The following diagram shows a notebook computer equipped with the ZyXEL Device connecting to the Internet through a base station (marked BS).

Figure 1 Mobile Station and Base Station

You can also configure firewall and content filtering on the ZyXEL Device for secure Internet access. When the firewall is on, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files.

Use content filtering to block access to web sites with URLs containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude particular computers on your network from content filtering. For example, you could block access to certain web sites for the kids.

1.1.2 WiFi Network

The ZyXEL Device Wireless LAN feature allows IEEE 802.11b or IEEE 802.11g compatible wireless clients to access the Internet or the local network as well as to communicate with each other. Wireless stations can move freely anywhere in the coverage area and use resources on the wired network.

Figure 2 WLAN Application Example

1.1.3 Make Calls via Internet Telephony Service Provider

In a home or small office environment, you can use the ZyXEL Device to make and receive the following types of VoIP telephone calls:
Peer-to-Peer calls (A) - Use the ZyXEL Device to make a call to the recipient's IP address without using a SIP proxy server.
Calls via a VoIP service provider (B) - The ZyXEL Device sends your call to a VoIP service provider's SIP server which forwards your calls to either VoIP or PSTN phones.

Figure 3 ZyXEL Device's VoIP Features

1.2 ZyXEL Device Hardware

Follow the instructions in the Quick Start Guide to make hardware connections.

1.2.1 LEDs

The following figure shows the LEDs (lights) on the ZyXEL Device.

Figure 4 The ZyXEL Device

The following table describes your ZyXEL Device's LEDs.

Table 3 The ZyXEL Device
LED | STATE | DESCRIPTION
---|---|---
PWR | OFF | The ZyXEL Device is not receiving power.
 | RED | The ZyXEL Device is receiving power but has been unable to start up correctly. See the Troubleshooting section for more information.
 | RED / ORANGE (BLINKING) | The ZyXEL Device is starting up.
 | GREEN | The ZyXEL Device is receiving power and functioning correctly.
 | GREEN (BLINKING) | The ZyXEL Device is performing a self-test.
LAN 1 to 4 | OFF | The LAN is not connected.
 | GREEN | The ZyXEL Device has a successful Local Area Network (Ethernet) connection.
 | GREEN (BLINKING) | Your device is sending/receiving data through the wireless LAN.
VoIP 1 to 2 | OFF | No SIP account is registered, or the ZyXEL Device is not receiving power.
 | GREEN | A SIP account is registered.
 | GREEN (BLINKING) | A SIP account is registered, and the phone attached to the LINE port is in use (off the hook).
 | ORANGE | A SIP account is registered and has a voice message.
 | ORANGE (BLINKING) | A SIP account is registered and has a voice message, and the phone attached to the LINE port is in use (off the hook).
LINK | OFF | The ZyXEL Device is not connected to a wireless (WiMAX) network.
 | GREEN | The ZyXEL Device is successfully connected to a wireless (WiMAX) network.
 | GREEN (BLINKING SLOWLY) | The ZyXEL Device is searching for a wireless (WiMAX) network.
 | GREEN (BLINKING QUICKLY) | The ZyXEL Device has found a wireless (WiMAX) network and is connecting.
WLAN | OFF | The wireless LAN is not ready or has failed.
 | GREEN | The wireless LAN is active.
 | GREEN (BLINKING) | The ZyXEL Device is sending/receiving data through the wireless LAN.
SIGNAL 1 ~ 5 | | The SIGNAL LEDs display the Received Signal Strength Indication (RSSI) of the wireless (WiMAX) connection.
 | NO SIGNAL LEDS ON | There is no wireless connection.
 | SIGNAL 1 ON | The signal strength is less than -80 dBm.
 | SIGNAL 2 ON | The signal strength is between -79 and -70 dBm.
 | SIGNAL 3 ON | The signal strength is between -69 and -60 dBm.
 | SIGNAL 4 ON | The signal strength is between -59 and -50 dBm.
 | SIGNAL 5 ON | The signal strength is more than -50 dBm.

1.2.2 Antennas

If you have a MAX-210HW2 you should have a 2dBi WiFi omni antenna and a 2dBi WiMAX omni antenna. Connect the WiFi antenna to the SMA connector port labelled WiFi. Connect the WiMAX antenna to the SMA connector port labelled WiMAX. Make sure you connect the correct antenna to the correct connector port.

If you have a MAX-200HW2 or MAX-210HW2 you should have a 2dBi WiFi omni antenna and a panel directional antenna. Connect the WiFi omni antenna to the connector port labelled WiFi. Connect the cable to the panel directional antenna and connector port labelled WiMAX. Make sure you position the panel directional antenna as far away from the device as possible to minimize interference. See the panel directional antenna documentation on how to set it up.

The MAX-210HW2 is also equipped with one internal 6dBi directional patch antenna for WiMAX. If your signal strength is poor (use the SIGNAL LEDs to gauge received signal strength) orient the front of the ZyXEL Device (the side with the LEDs) towards the base station. If you do not know the location of the base station, experiment with moving the ZyXEL Device while observing the SIGNAL LEDs.

1.3 Good Habits for Managing the ZyXEL Device

Do the following things regularly to make the ZyXEL Device more secure and to manage the ZyXEL Device more effectively.

Change the password. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters. Write down the password and put it in a safe place.
Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the ZyXEL Device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyXEL Device to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyXEL Device. You could simply restore your last configuration.

CHAPTER 2 Introducing the Web Configurator

This chapter describes how to access and navigate the web configurator.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

In order to use the web configurator you need to allow:
Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
JavaScripts (enabled by default).
Java permissions (enabled by default).

See the Troubleshooting chapter if you need to make sure these functions are allowed in Internet Explorer.

2.1.1 Accessing the Web Configurator

1 Make sure your ZyXEL Device hardware is properly connected (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 A password screen displays. The default password (1234) displays in non-readable characters. If you haven't changed the password yet, you can just click Login. Click Cancel to revert to the default password in the password field. If you have changed the password, enter your password and click Login.

Figure 5 Password Screen

5 The following screen displays if you have not yet changed your password. It is highly recommended you change the default password. Enter a new password, retype it to confirm and click Apply; alternatively click Ignore to proceed to the main menu if you do not want to change the password now.

Figure 6 Change Password Screen

6 Click Apply in the next screen to create a certificate using your ZyXEL Device's MAC address that will be specific to this device. This certificate is used for authentication when using a secure HTTPS connection over the Internet.

Figure 7 Replace Certificate Screen

7 A screen displays to let you choose whether to go to the wizard or the advanced screens.
Click Go to Wizard setup if you are logging in for the first time or if you want to make basic changes. The wizard selection screen appears after you click Apply. See Chapter 4 on page 61 for more information.
Click Go to Advanced setup if you want to configure features that are not available in the wizards. The main screen appears after you click Apply. See Section 2.2 on page 42 for more information.
Click Exit if you want to log out.

For security reasons, by default the ZyXEL Device automatically logs you out if you do not use the web configurator for five minutes. If this happens, log in again.

Figure 8 Wizard or Advanced Screen

2.1.2 The RESET Button

If you forget your password or cannot access the web configurator, you will need to use the RESET button to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to 1234.

2.1.2.1 Using The Reset Button

1 Make sure the POWER light is on (not blinking).
2 To set the device back to the factory default settings, press the RESET button for ten seconds or until the POWER light begins to blink and then release it. When the POWER light begins to blink, the defaults have been restored and the device restarts.
3 Reconfigure the ZyXEL Device, following the steps in your Quick Start Guide.

2.2 Web Configurator Main Screen

Figure 9 Main Screen

As illustrated above, the main screen is divided into these parts:
A - title bar
B - navigation panel
C - main window
D - status bar

2.2.1 Title Bar

The title bar provides some icons in the upper right corner. The icons have the following functions.

Table 4 Web Configurator Icons in the Title Bar
ICON | DESCRIPTION
---|---
 | Wizards: Click this icon to go to the configuration wizards. See Chapter 4 on page 61 for more information.
 | Logout: Click this icon to log out of the web configurator.

2.2.2 Navigation Panel

Use the menu items on the navigation panel to open screens to configure ZyXEL Device features. The following table describes the menu items.

Table 5 Navigation Panel Summary
LINK | TAB | FUNCTION
---|---|---
Status | | This screen contains administrative and system-related information.
Network | |
Wireless LAN | General | Use this screen to enable Wireless LAN and configure WiFi security.
 | OTIST | Use this screen to enable OTIST.
 | MAC Filter | Use this screen to configure the MAC address filtering options.
 | Advanced | Use this screen to set the 802.11 mode.
WAN | Internet Connection | Use this screen to configure ISP parameters, WAN IP address assignment and other advanced properties.
 | WiMAX Frequency | Use this screen to set the radio frequencies the ZyXEL Device searches for a WiMAX connection.
 | Advanced | Use this screen to configure DNS servers, RIP & Multicast, and Windows networking settings.
 | Traffic Redirect | Use this screen to configure your traffic redirect properties.
 | Antenna Selection | Use this screen to choose which antenna (external or internal) you want the ZyXEL Device to use.
LAN | IP | Use this screen to configure LAN TCP/IP settings.
 | DHCP Setup | Use this screen to configure LAN DHCP and DNS settings.
 | Static DHCP | Use this screen to always assign specific IP addresses to individual MAC addresses.
 | Client List | Use this screen to view current DHCP client information.
 | IP Alias | Use this screen to partition your LAN interface into subnets.
 | Advanced | Use this screen to configure RIP and Multicast setup settings.
NAT | General | Use this screen to enable NAT.
 | Port Forwarding | Use this screen to make your local servers visible to the outside world.
 | Trigger Port | Use this screen to set port triggering rules.
 | ALG | Use this screen to configure Application Level Gateway settings.
VPN Transport | General | Use the General screen to turn VPN transport on or off, and to set the VPN transport endpoint (your service provider's router).
 | Customer Interface | Use this screen to configure the VPNs used by the ZyXEL Device.
 | Ethernet Pseudowire | Use this screen to configure Ethernet pseudowires. Each Ethernet pseudowire mimics a regular wired Ethernet connection, transporting VPLS data over the WiMAX network.
 | Statistics | Use this screen to view details and performance information of each active customer interface and its associated Ethernet pseudowire.
VoIP | |
SIP | SIP Settings | Use this screen to configure your ZyXEL Device's Voice over IP settings.
 | QoS | Use this screen to configure your ZyXEL Device's Quality of Service settings for VoIP.
Phone | Analog Phone | Use this screen to set which SIP account to use for outgoing or incoming calls.
 | Common | Use this screen to configure general phone settings.
 | Region | Use this screen to select your location and call service mode.
Phone Book | Incoming Call Policy | Use this screen to configure call-forwarding.
 | Speed Dial | Use this screen to configure speed dial for SIP phone numbers that you call often.
Security | |
Firewall | General | Use this screen to activate/deactivate the firewall and the default action to take on network traffic going in specific directions.
 | Services | Use this screen to set the days and times for your device to perform service blocking.
Certificates | My Certificates | Use this screen to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates.
 | Trusted CAs | Use this screen to save CA certificates and trusted remote host certificates to the ZyXEL Device.
Content Filter | Filter | Use this screen to block sites containing certain keywords in the URL, exclude a range of users on the LAN from content filtering on your ZyXEL Device and restrict certain web features.
 | Schedule | Use this screen to set the days and times for your ZyXEL Device to perform content filtering.
Management | |
Static Route | IP Static Route | Use this screen to configure IP static routes to tell your device about networks beyond the directly connected remote nodes.
Remote MGMT | WWW | Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the ZyXEL Device.
 | Telnet | Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyXEL Device.
 | FTP | Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyXEL Device.
 | SNMP | Use this screen to configure your ZyXEL Device's settings for Simple Network Management Protocol management.
 | DNS | Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyXEL Device.
 | Security | Use this screen to set whether or not your device will respond to pings and probes for services that you have not made available.
UPnP | General | Use this screen to turn UPnP on or off.
Maintenance | |
System | General | This screen contains administrative and system-related information and also allows you to change your password.
 | Dynamic DNS | Use this screen to set up Dynamic DNS.
 | Time Setting | Use this screen to change your ZyXEL Device's time and date.
Logs | View Log | Use this screen to display your device's logs.
 | Log Settings | Use this screen to select which logs and/or immediate alerts your device is to record. You can also set it to e-mail the logs to you.
Tools | Firmware | Use this screen to upload firmware to your device.
 | Configuration | Use this screen to back up and restore your device's configuration (settings) or reset the factory default settings.
 | Restart | This screen allows you to reboot the ZyXEL Device without turning the power off.

2.2.3 Main Window

The main window displays information and configuration fields. It is discussed in the rest of this document.

Right after you log in, the Status screen is displayed. See Chapter 6 on page 79 for more information about the Status screen.

2.2.4 Status Bar

Check the status bar when you click Apply or OK to verify that the configuration has been updated.

PART II Tutorials and Wizard

Tutorial
Internet Setup Wizard
VoIP Wizard

CHAPTER 3 Tutorial

This chapter provides examples showing how to use the ZyXEL Device to access the Internet, set up a WiFi network, set up VoIP and make a telephone call over the Internet using the ZyXEL Device's speed dial feature.

3.1 Connect to the Internet

This section shows how to set up your Internet access details on the ZyXEL Device and configure your WiMAX frequency settings. See Section 8.2 on page 107 for more information on how WiMAX works.

3.1.1 Configure Internet Access Settings

To access the Internet, you need information from your Internet Service Provider (ISP) about your account and the network. In this example, your ISP has given you the following information.

Table 6 Example Internet Access Information
Username | User1234
Password | 4321
Certificate | Included on CD
Authentication Type | TTLS
TTLS Inner EAP mode | CHAP

The information provided by your ISP may be quite different from this example information.
When you enter user information, always enter the information supplied by your service provider and leave other fields at their defaults.

Your ISP has also told you that you will be assigned a dynamic IP address each time you connect to the Internet. See Section 8.3 on page 108 for more details about dynamic and static IP addresses.

Once you have connected the ZyXEL Device to your computer and accessed the Web Configurator (see the Quick Start Guide for details) follow the steps below to connect to a network.

1. First, install your security certificate. In the Web Configurator, click Security > Certificates.

Figure 10 Tutorial: Security

2. Click the Trusted CAs tab.

Figure 11 Tutorial: Trusted CAs Tab

3. The following screen displays. This is where you can choose a security certificate for the ZyXEL Device to use.

Figure 12 Tutorial: Trusted CAs Screen

4. Click Import, then click Browse in the screen that appears. Browse to the location of your certificate (on the CD from your ISP in this example) and click Open.

5. The certificate's location displays in the File Path field. Click Apply. The Trusted CAs screen displays again, showing the certificate's details in the Trusted CA Certificates section. You have successfully uploaded your certificate!
6. Next, configure your Internet access settings. In the Web Configurator, click Network > WAN in the navigation panel.

Figure 13 Tutorial: Network

7. The following screen displays. This screen is where you enter your Internet access details.

Not all fields are available in all ZyXEL Devices.

Figure 14 Tutorial: Internet Access Settings

In the ISP Parameters for Internet Access area, enter your username (User1234) in the User field, and enter your password (4321) in the Password field. Select TTLS from the Authentication list, and select CHAP from the TTLS Inner EAP list. Leave PKM at its default.

In the WAN IP Address Assignment area, make sure that Get Automatically from ISP (Default) is selected. Leave all other fields at their default values.

8. Click Apply. Your Internet access settings are saved to the ZyXEL Device, and are used automatically each time you connect to the Internet.

3.1.2 Configure WiMAX Settings

The WiMAX Frequency screen allows you to specify a set of frequencies to search for a connection to a base station. Before you start, you need information from your ISP about the supported frequencies.

In this example, your ISP has told you that the supported WiMAX frequencies are at 2.55 and 2.56 Gigahertz (GHz). See Section 8.4 on page 111 for more information on radio frequencies.

Follow the steps below to configure your frequency settings.

1. Click Network > WAN > WiMAX Frequency to open the screen shown next.

Figure 15 Tutorial: WiMAX Frequency Setup

2. Enter the frequency settings your ISP gave you in the DL Frequency fields. Note that these fields are in kilohertz (kHz). 2.55 GHz is equal to 2550000 kHz, so enter 2550000 in the DL Frequency [1] field. 2.56 GHz is equal to 2560000 kHz, so enter 2560000 in the DL Frequency [2] field.

3. Click Apply to save your settings. The ZyXEL Device scans for an available wireless connection at the DL Frequency [1] setting (2.55 GHz) and, if it does not find an available connection, searches at the DL Frequency [2] setting (2.56 GHz). When it finds an available connection, the fields in this screen will be automatically set to use that frequency.

For an example of using the WiMAX Frequency screen to configure more frequencies, see Section 8.4.2.1 on page 113.

4. Look at the LEDs on your ZyXEL Device. When the ZyXEL Device successfully connects to a base station, the LINK LED shines green steadily. The SIGNAL 1 ~ 5 LEDs indicate the signal strength, with SIGNAL 5 showing a very strong signal and SIGNAL 1 showing a very weak signal.
5. Open your Internet browser and enter http://www.zyxel.com or the URL of any other web site in the address bar. If you are able to access the web site, your wireless connection is successfully configured. If you cannot access the web site, check the Troubleshooting section of this User's Guide.

3.2 Set Up a WiFi Network

| | |
|---|---|
| SSID | SSID_Example3 |
| Channel | 6 |
| Security | WPA-PSK (Pre-Shared Key: ThisismyWPA-PSKpre-sharedkey) |
| 802.11 mode | IEEE 802.11b/g |

An access point (AP) or wireless router is referred to as an AP and a computer with a wireless network card or USB/PCI adapter is referred to as a wireless client here.

We use the M-302 utility screens as an example for the wireless client. The screens may vary for different models.

3.2.1 Configuring the AP (Your ZyXEL Device)

Follow the steps below to configure the wireless settings on your ZyXEL Device.

1. Open the Wireless LAN > General screen in the ZyXEL Device's web configurator.

Figure 16 Network > Wireless LAN > General

2. Make sure the Enable Wireless LAN check box is selected.

3. Enter SSID_Example3 as the SSID and select a channel.

4. Set security mode to WPA-PSK and enter ThisismyWPA-PSKpre-sharedkey in the Pre-Shared Key field. Click Apply.

5. Open the Status screen. Verify your wireless and wireless security settings under Device Information.

Figure 17 Network > Wireless LAN > Device Information

6. Check if the WLAN connection is up under Interface Status.

Figure 18 Network > Wireless LAN > Interface Status

3.3 Connect to the WiFi Network

This section describes how to connect the wireless client to your WiFi network.

3.3.1 Connecting to a Wireless LAN

The following sections show you how to join a wireless network using the ZyXEL utility, as in the following diagram. The wireless client is labelled C and the access point is labelled AP.

There are three ways to connect the client to an access point.

- Configure nothing and leave the wireless client to automatically scan for and connect to any available network that has no wireless security configured.
- Manually connect to a network.
- Configure a profile to have the wireless client automatically connect to a specific network or peer computer.
This example illustrates how to manually connect your wireless client to an access point (AP) which is configured for WPA-PSK security and connected to the Internet. Before you connect to the access point, you must know its Service Set IDentity (SSID) and WPA-PSK pre-shared key. In this example, the SSID is SSID_Example3 and the pre-shared key is ThisismyWPA-PSKpre-sharedkey.

After you install the ZyXEL utility and then insert the wireless client, follow the steps below to connect to a network using the Site Survey screen.

1. Open the ZyXEL utility and click the Site Survey tab to open the screen shown next.

2. The wireless client automatically searches for available wireless networks. Click Scan if you want to search again. If no entry displays in the Available Network List, that means there is no wireless network available within range. Make sure the AP or peer computer is turned on or move the wireless client closer to the AP or peer computer.

3. When you try to connect to an AP with security configured, a window will pop up prompting you to specify the security settings. Enter the pre-shared key and leave the encryption type at the default setting.

Use the Next button to move on to the next screen. You can use the Back button at any time to return to the previous screen, or the Exit button to return to the Site Survey screen.

Figure 19 ZyXEL Utility: Security Settings

4. The Confirm Save window appears. Check your settings and click Save to continue.

Figure 20 ZyXEL Utility: Confirm Save

5. The ZyXEL utility returns to the Link Info screen while it connects to the wireless network using your settings. When the wireless link is established, the ZyXEL utility icon in the system tray turns green and the Link Info screen displays details of the active connection. Check the network information in the Link Info screen to verify that you have successfully connected to the selected network. If the wireless client is not connected to a network, the fields in this screen remain blank.

Figure 21 ZyXEL Utility: Link Info

6. Open your Internet browser and enter http://www.zyxel.com or the URL of any other web site in the address bar. If you are able to access the web site, your wireless connection is successfully configured.

If you cannot access the web site, try changing the encryption type in the Security Settings screen, check the Troubleshooting section of this User's Guide or contact your network administrator.

3.4 Make a Telephone Call Over the Internet

To make a call over the Internet using the ZyXEL Device, first do the following things:

- Set up hardware connections from the ZyXEL Device to your computer, your telephone and the power supply (see the Quick Start Guide for more details on hardware connections).
- Set up your Internet access and WiMAX settings on the ZyXEL Device (see Section 3.1.1 on page 49 and Section 3.1.2 on page 52 for examples).
- Set up an account with a Voice over IP (VoIP) provider. This account (called a SIP account) allows you to make calls over the Internet. See Chapter 12 on page 149 for more information on SIP accounts.

Use the sections below to set up your SIP account and speed dialing, and place a VoIP call.

3.4.1 Configure Your SIP Account

Your ZyXEL Device needs to be configured with the details of your SIP account before you can use it to make calls over the Internet.

In this example, your SIP identity is id123@abcvoip.com, your user name is id123 and your password is zyx987. Your VoIP provider has told you that the SIP server address is sipserver-abcvoip.com. See Section 12.1.3 on page 149 for more information on SIP identities.

Once you have connected the ZyXEL Device to your computer and accessed the Web Configurator (see the Quick Start Guide for details) follow the steps below to configure your SIP settings.

1. In the Web Configurator, click VoIP > SIP in the navigation panel. The following screen displays. This screen is where you enter your SIP account details.

Figure 22 Tutorial: SIP Account Setup

2. Select SIP1 from the SIP Account list and make sure that the Active SIP Account box is selected.

3. Enter your SIP user name (id123) in the Number field.

4. Enter your VoIP provider's SIP server name (sipserver-abcvoip.com) in the SIP Server Address field. As your VoIP provider did not give you a different REGISTER Server Address, enter sipserver-abcvoip.com again. Enter your VoIP provider's domain name (abcvoip.com) in the SIP Service Domain field.

5. In the Authentication area, enter id123 in the User Name field, and zyx987 in the Password field. Leave the SIP Local Port, SIP Server Port and REGISTER Server Port fields at their default values, as your VoIP provider did not supply port details. Click Apply.

6. Click on the Status button in the navigation panel to check that your SIP account is correctly registered. Look in the VoIP Status area towards the bottom of the Status screen. If the SIP 1 account displays Registered in the Registration field, it is ready to use. If the Registration field for the SIP 1 account displays Register Fail or Inactive, click the Register button, check your settings in the VoIP > SIP screen or contact your VoIP provider to confirm that you have the correct settings and that your account is active.

3.4.2 Configure a Phone

Once you have set up your SIP account, click VoIP > Phone > Analog Phone in the navigation panel. The following screen displays.

Figure 23 Tutorial: the Analog Phone Screen

Use this screen to make sure that the phone connected to your ZyXEL Device uses the correct SIP account.

1. Select Phone1 from the drop-down list box.

2. In the Outgoing Call Use area, select SIP1.

3. In the Incoming Call apply to area, select both SIP1 and SIP2.

4. Click Apply. Your analog phone settings are saved.

3.4.3 Set Up Speed Dialing and Make a Call

In this example you want to set up speed dialling to make calls to a friend, Bob, whose SIP account number is 2345@xyzvoip.com. Your VoIP provider, abcvoip.com, has told you that to call an xyzvoip.com number you must add 555 at its start.

Different VoIP providers implement calls to other networks in different ways. Check with your provider for details.

To configure speed dialling on the ZyXEL Device, click VoIP > Phone Book > Speed Dial. The following screen displays.
Figure 24 Tutorial: the Speed Dial Screen

Use the following steps to set up a speed dial entry.

1. You can have up to ten speed dial rules. Select the rule number (1, in this example) from the Speed Dial drop-down list box.

2. In the Number field, enter 5552345 and in the Name field enter Bob. Under Type, select Use Proxy and click Add. The new speed dial rule is displayed in the Speed Dial Phone book List.

Figure 25 Tutorial: New Speed Dial Rule

Use the following steps to call a number from the speed dial list.

1. Ensure that your phone is correctly connected to the ZyXEL Device. See the Quick Start Guide for details of hardware connections.

2. Lift the phone's receiver and type the speed dial number exactly as it appears in the Speed Dial Phone Book list. In this case, Bob's phone number occupies rule #01, so dial #01 on the phone's keypad to make the call.

CHAPTER 4
Internet Setup Wizard

This chapter provides information on the wizard setup screens for Internet access.

4.1 Wizard Setup Overview

The wizard will guide you through several steps. You will need to enter some information for identification purposes, then the wizard will guide you through configuring your Internet settings.

4.2 Internet Connection Wizard Setup

1. After you enter the password to access the web configurator, select Go to Wizard setup. Otherwise, click the wizard icon in the top right corner of the web configurator to go to the wizards.

Figure 26 Select a Mode

2. Click CONNECTION WIZARD to configure the system for Internet access.

3. The following screen displays. Click Next to continue. Click Back at any time to return to the previous screen, or Exit to leave the wizard setup.

Figure 27 Connection Wizard: Introduction

4.3 Step One: System Information

In the next screen you can give your ZyXEL Device a name (optional) in the System Name field. Enter up to thirty letters (this field is case-sensitive) or numbers. The at symbol (@), dash (-), underscore (_) and period (.) are also permitted.

Enter your ISP's IP address in the Domain Name field if your ISP has instructed you to do so, or if you are having trouble accessing the Internet. Otherwise, leave this field blank. Click Next.

Figure 28 Wizard > Step 1 > System Information

The following table describes the labels in this screen.

Table 7 Wizard > Step 1 > System Information

| LABEL | DESCRIPTION |
|---|---|
| System Name | System Name is a unique name to identify the ZyXEL Device in an Ethernet network. Enter a descriptive name. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted. |
| Domain Name | Type the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. |
| Exit | Click Exit to close the wizard screen without saving. |

4.4 Step Two: Wireless LAN Wizard

Set up your wireless LAN using the following screens.

4.4.1 Wireless LAN Screen

Figure 29 Wizard > Step 2 > Wireless LAN

The following table describes the labels in this screen.

Table 8 Wizard > Step 2 > Wireless LAN

| LABEL | DESCRIPTION |
|---|---|
| Name (SSID) | Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyXEL Device, make sure all wireless stations use the same SSID in order to access the network. |
| Security | Select a Security level from the drop-down list box. Choose Auto to have the ZyXEL Device generate a pre-shared key automatically. If you choose this option go directly to Section 4.4.4 on page 65. Choose None to have no wireless LAN security configured. If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range. If you choose this option, skip directly to Section 4.4.4 on page 65. Choose Basic (WEP) security if you want to configure WEP Encryption parameters. If you choose this option, go directly to Section 4.4.2 on page 64. Choose Extend (WPA-PSK or WPA2-PSK) security to configure a Pre-Shared Key. Choose this option only if your wireless clients support WPA-PSK or WPA2-PSK respectively. If you choose this option, skip directly to Section 4.4.3 on page 65. |
| Channel Selection | The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a channel. Click the Scan button to have the ZyXEL Device automatically select a channel. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. |
| Exit | Click Exit to close the wizard screen without saving. |

The ZyXEL Device and other wireless devices must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) or WPA2-PSK (if WPA2-PSK is enabled) for wireless communication.

4.4.2 Basic (WEP) Security

Choose Basic (WEP) to set up WEP Encryption parameters.

Figure 30 Wizard > Step 2 > Basic (WEP) Security

The following table describes the labels in this screen.

Table 9 Wizard > Step 2 > Basic (WEP) Security

| LABEL | DESCRIPTION |
|---|---|
| Passphrase | Type a Passphrase (up to 32 printable characters) and click Generate. The ZyXEL Device automatically generates a WEP key. |
| WEP Encryption | Select 64-bit WEP or 128-bit WEP to allow data encryption. |
| ASCII | Select this option in order to enter ASCII characters as the WEP keys. ASCII characters include the characters available on a standard English language keyboard. |
| HEX | Select this option to enter hexadecimal characters as the WEP keys. The preceding 0x is entered automatically. |
| Key 1 to Key 4 | The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure at least one key, only one key can be activated at any one time. The default key is key 1. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. Proceed to Section 4.4.4 on page 65. |
| Exit | Click Exit to close the wizard screen without saving. |

4.4.3 Extend (WPA-PSK or WPA2-PSK) Security

Choose Extend (WPA-PSK) or Extend (WPA2-PSK) security in the Wireless LAN setup screen to set up a Pre-Shared Key.

Figure 31 Wizard > Step 2 > Extend (WPA-PSK or WPA2-PSK) Security

The following table describes the labels in this screen.
Table 10 Wizard > Step 2 > Extend (WPA-PSK or WPA2-PSK) Security

| LABEL | DESCRIPTION |
|---|---|
| Pre-Shared Key | Type from 8 to 63 case-sensitive ASCII characters. You can set up the most secure wireless connection by configuring WPA in the wireless LAN screens. You need to configure an authentication server to do this. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. Proceed to |
| Exit | Click Exit to close the wizard screen without saving. |

4.4.4 The OTIST Screen

After configuring your security settings or choosing Auto or None, the OTIST screen will display. You must enable OTIST if you have selected Auto. For the other security types you may click No if you do not plan to use OTIST.

OTIST is only compatible with certain wireless devices. Please check your other devices' documentation to see if they support OTIST. For more information on OTIST see Section 7.4 on page 101.

Note: The text in the screen below may be different depending on your chosen security settings.

Figure 32 Wizard > Step 2 > OTIST

The following table describes the labels in this screen.

Table 11 Wizard > Step 2 > OTIST

| LABEL | DESCRIPTION |
|---|---|
| Enable OTIST | Select Yes to enable OTIST. Select No to not use OTIST. |
| Setup Key | If you select Yes then type an OTIST Setup Key of exactly eight ASCII characters in length. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. Proceed to Section 4.5 on page 66. |
| Exit | Click Exit to close the wizard screen without saving. |

4.5 Step Three: Internet Configuration

Set up your Internet access using the following screens.

4.5.1 Connection Type Screen

Leave the Connection Type at the default setting WIMAX and click Next.
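The field limits given in Tables 8 to 11 of Section 4.4 can be checked before the values are entered in the wizard. The Python sketch below is an added example, not code from this guide or from ZyXEL; the dictionary keys (`ssid`, `security`, `wep_keys` and so on) are hypothetical names chosen here, and "printable ASCII" is assumed to mean code points 0x20 to 0x7E.

```python
import string

# Assumption: "printable ASCII" means code points 0x20 through 0x7E.
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}
HEX_DIGITS = set(string.hexdigits)
# Table 9: WEP size in bits -> (ASCII characters, hexadecimal characters)
WEP_LENGTHS = {64: (5, 10), 128: (13, 26)}
LEVELS = ("auto", "none", "wep", "wpa-psk", "wpa2-psk")


def printable(text):
    return all(ch in PRINTABLE for ch in text)


def check_wep_key(key, bits, fmt):
    """Return None when the key fits Table 9, otherwise a problem string."""
    if bits not in WEP_LENGTHS:
        return "WEP size must be 64 or 128 bits"
    ascii_len, hex_len = WEP_LENGTHS[bits]
    if fmt == "ascii":
        ok = len(key) == ascii_len and printable(key)
        want = f"{ascii_len} ASCII characters"
    elif fmt == "hex":
        # The screen supplies the leading 0x itself, so only digits belong here.
        ok = len(key) == hex_len and set(key) <= HEX_DIGITS
        want = f"{hex_len} hexadecimal characters"
    else:
        return f"unknown key format {fmt!r}"
    return None if ok else f"{bits}-bit WEP key must be exactly {want}"


def check_wireless(cfg):
    """Check one set of wizard values; returns {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    ssid = cfg.get("ssid", "")
    # Table 8 gives only the upper bound; rejecting an empty SSID is an assumption.
    if not 1 <= len(ssid) <= 32 or not printable(ssid):
        errors.append("SSID must be 1 to 32 printable 7-bit ASCII characters")

    level = cfg.get("security")
    if level not in LEVELS:
        errors.append(f"unknown security level {level!r}")
    elif level == "none":
        warnings.append("no wireless security: any wireless device "
                        "within range can access the network")
    elif level == "wep":
        keys = cfg.get("wep_keys", {})
        active = cfg.get("wep_active_key", 1)  # key 1 is the default key
        if active not in keys:
            errors.append(f"active WEP key {active} is not configured")
        for slot in sorted(keys):
            if slot not in (1, 2, 3, 4):
                errors.append(f"WEP key slot {slot} does not exist")
                continue
            problem = check_wep_key(keys[slot], cfg.get("wep_bits"),
                                    cfg.get("wep_format"))
            if problem:
                errors.append(f"key {slot}: {problem}")
    elif level in ("wpa-psk", "wpa2-psk"):
        psk = cfg.get("psk", "")
        if not 8 <= len(psk) <= 63 or not printable(psk):
            errors.append("pre-shared key must be 8 to 63 ASCII characters")

    otist = cfg.get("otist", False)
    if level == "auto" and not otist:
        errors.append("OTIST must be enabled when security is Auto")
    if otist:
        setup_key = cfg.get("otist_key", "")
        if len(setup_key) != 8 or not printable(setup_key):
            errors.append("OTIST setup key must be exactly 8 ASCII characters")
    return {"errors": errors, "warnings": warnings}


# Values from the tutorial in Section 3.2 of this guide.
TUTORIAL = {"ssid": "SSID_Example3", "security": "wpa-psk",
            "psk": "ThisismyWPA-PSKpre-sharedkey"}
# Constructed sample with three deliberate mistakes: a typed "0x" prefix,
# an active key slot that is empty, and a short OTIST setup key.
BROKEN = {"ssid": "office", "security": "wep", "wep_bits": 64,
          "wep_format": "hex",
          "wep_keys": {1: "0xA1B2C3D4", 2: "A1B2C3D4E5"},
          "wep_active_key": 3, "otist": True, "otist_key": "short"}

if __name__ == "__main__":
    for name, cfg in (("tutorial", TUTORIAL), ("broken", BROKEN)):
        print(name, check_wireless(cfg))
```
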
Figure 33 Wizard > Step 3 > Connection Type Screen

4.5.2 ISP Parameters for Internet Access Screen

Enter your Internet account information (username and password) exactly as provided by your ISP. Leave the fields for which you were not given information at their default settings. Click Next to continue.

Figure 34 Wizard > Step 3 > ISP Parameters for Internet Access Screen

The following table describes the labels in this screen.

Table 12 Wizard > Step 3 > ISP Parameters for Internet Access Screen

| LABEL | DESCRIPTION |
|---|---|
| ISP Parameters for Internet Access | |
| User | Use this field to enter the username associated with your Internet access account. You can enter up to 61 printable ASCII characters. |
| Password | Use this field to enter the password associated with your Internet access account. You can enter up to 47 printable ASCII characters. |
| Anonymous Identity | Enter the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption. The anonymous identity is used to route your authentication request to the correct authentication server, and does not reveal your real user name. Your real user name and password are encrypted in the TLS tunnel, and only the anonymous identity can be seen. Leave this field blank if your ISP did not give you an anonymous identity to use. |
| PKM | This field displays the Privacy Key Management version number. PKM provides security between the ZyXEL Device and the base station. At the time of writing, the ZyXEL Device supports PKMv2 only. See the WiMAX security appendix for more information. |
| Authentication | This field displays the user authentication method. Authentication is the process of confirming the identity of a mobile station (by means of a username and password, for example). Check with your service provider if you are unsure of the correct setting for your account. Choose from the following user authentication methods: TTLS (Tunnelled Transport Layer Security); TLS (Transport Layer Security). Note: Not all ZyXEL Devices support TLS authentication. Check with your service provider for details. |
| TTLS Inner EAP | This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. The ZyXEL Device supports the following inner authentication types: CHAP (Challenge Handshake Authentication Protocol); MSCHAP (Microsoft CHAP); MSCHAPV2 (Microsoft CHAP version 2); PAP (Password Authentication Protocol). |
| Auth Mode | Select the authentication mode from the drop-down list box. This field is not available in all ZyXEL Devices. Check with your service provider for details. The ZyXEL Device supports the following authentication modes: User Only; Device Only with Cert; Certs and User Authentication. |
| Certificate | This is the security certificate the ZyXEL Device uses to authenticate the AAA server. Use the Security > Certificates > Trusted CA screen to import certificates to the ZyXEL Device. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. |
| Exit | Click Exit to close the wizard screen without saving. |

4.5.3 Antenna Selection Screen

If you have the MAX-210HW2 you can choose to use the internal antenna or external antenna for WiMAX. The internal antenna is fixed, and the external antenna is removable.

In the screen that appears, you can select which antenna to use. Select Automatic Selection to have the ZyXEL Device use whichever antenna has the best reception (recommended). Alternatively, if you do not want to use the external antenna, select Use Internal Antenna, and if you do not want to use the internal antenna, select Use External Antenna. Click Next.

The MAX-200HW2 and MAX-230HW2 do not have an internal antenna.

Figure 35 Wizard > Step 3 > Antenna Selection

The following table describes the labels in this screen.

Table 13 Wizard > Step 3 > Antenna Selection

| LABEL | DESCRIPTION |
|---|---|
| Automatic Selection | Select Automatic Selection to have the ZyXEL Device choose which antenna to use. This setting is recommended as it will choose the antenna with the best signal to the base station. |
| Use Internal Antenna | Select Use Internal Antenna to have the ZyXEL Device use its internal antenna. This option is not applicable for the MAX-200HW2 and MAX-230HW2. |
| Use External Antenna | Select Use External Antenna to have the ZyXEL Device use its external antenna. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. |
| Exit | Click Exit to close the wizard screen without saving. |

4.5.4 IP Address Screen

A fixed IP address is a static IP that your ISP gives you.
An automatic (dynamic) IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.

In the following screen, select Use fixed IP address provided by your ISP if your ISP gave you an IP address to use. Otherwise, select Get automatically from your ISP.

Figure 36 Wizard > Step 3 > IP Address

The following table describes the labels in this screen.

Table 14 Wizard > Step 3 > IP Address

| LABEL | DESCRIPTION |
|---|---|
| Your IP Address | |
| Get automatically from ISP (Default) | Select this if you have a dynamic IP address. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. |
| Use Fixed IP Address provided by your ISP | A static IP address is a fixed IP that your ISP gives you. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. |
| Exit | Click Exit to close the wizard screen without saving. |

4.5.5 WAN IP Address Assignment

If you selected Get automatically from your ISP in the previous screen, skip this step.

If you selected Use fixed IP address provided by your ISP, the following screen appears. Enter your IP address, subnet mask, gateway address and DNS details exactly as they were given to you by your ISP.

Figure 37 Wizard > Step 3 > WAN IP Address Assignment

The following table describes the labels in this screen.

Table 15 Wizard > Step 3 > WAN IP Address Assignment

| LABEL | DESCRIPTION |
|---|---|
| WAN IP Address Assignment | |
| My WAN IP Address | Type your ISP assigned IP address in this field. |
| My WAN IP Subnet Mask | Enter a subnet mask in dotted decimal notation. Refer to the appendices to calculate a subnet mask if you are implementing subnetting. |
| Gateway IP Address | Specify a gateway IP address (supplied by your ISP). |
| DNS Server Address Assignment | |
| First, Second and Third DNS Server | Enter the DNS server's IP address in the field(s). Leave the IP address set to 0.0.0.0 to ignore the field. |
| Back | Click Back to display the previous screen. |
| Next | Click Next to proceed to the next screen. |
| Exit | Click Exit to close the wizard screen without saving. |

4.5.6 Wizard Complete

Click Finish to complete and save the Connection Wizard settings.

Figure 38 The Connection Wizard: Congratulations

Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning.
Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.

CHAPTER 5 VoIP Wizard

This chapter shows you how to use the wizard to set up your SIP account(s).

5.1 Introduction

The ZyXEL Device has Voice over IP (VoIP) communication capabilities that allow you to use a traditional analog telephone to make Internet calls. You can configure the ZyXEL Device to use up to two SIP based VoIP accounts.

5.2 VOIP Wizard Setup

1 After you enter the password to access the web configurator, select Go to Wizard setup. Otherwise, click the wizard icon in the top right corner of the web configurator to display the wizard main screen. Click VOIP SETUP to configure the system for Voice Over Internet connection.

Figure 39 Select a Mode

2 The following screen displays. This wizard screen allows you to configure your voice settings for SIP account 1. Fill in the fields with information from your VoIP service provider. Leave the default settings in fields for which no information was provided (except if otherwise specified). See Chapter 12 on page 149 for background information on these fields.

Figure 40 VOIP Wizard: Configuration

The following table describes the labels in this screen.

Table 16 VOIP Wizard Configuration
LABEL: DESCRIPTION
SIP Number: Enter your SIP number in this field (use the number or text that comes before the @ symbol in a SIP account like 1234@VoIP-provider.com). You can use up to 127 ASCII characters.
SIP Server Address: Type the IP address or domain name of the SIP server in this field. It doesn't matter whether the SIP server is a proxy, redirect or register server. You can use up to 95 ASCII characters.
SIP Service Domain: Enter the SIP service domain name in this field (the domain name that comes after the @ symbol in a SIP account like 1234@VoIP-provider.com). You can use up to 127 ASCII Extended set characters.
User Name: This is the user name for registering this SIP account with the SIP register server. Type the user name exactly as it was given to you. You can use up to 95 ASCII characters.
Password: Type the password associated with the user name above. You can use up to 95 ASCII Extended set characters.
Check here to set up SIP2 settings.: This screen configures SIP account 1. Select the check box if you have a second SIP account that you want to use. You will need to configure the same fields for the second SIP account.
Back: Click Back to return to the previous screen.
Apply: Click Apply to complete the wizard setup and save your configuration.
Exit: Click Exit to close the wizard without saving your settings.

3 The ZyXEL Device attempts to register your SIP account with the SIP server.

Figure 41 VoIP Wizard: SIP Registration Test

4 This screen displays if SIP account registration fails. Check your WiMAX connection using the LINK and SIGNAL LEDs on the front of the ZyXEL Device. Then wait a few seconds and click Register Again. If your Internet connection was already working, you can click Back and try re-entering your SIP account settings.

Figure 42 VoIP Wizard: Fail

5 This screen displays if your SIP account registration was successful. Click Return to Wizard Main Page if you want to use another configuration wizard. Click Go to Advanced Setup page or Finish to close the wizard and go to the main web configurator screens.
Figure 43 VOIP Wizard: Finish

PART III Web Configurator

Status Screens
Network: Wireless LAN, WAN Setup, LAN, NAT, VPN Transport
VoIP: SIP, Phone, Phone Book
Security: Firewall, Certificates, Content Filter
Management: Static Route, Remote MGMT, UPnP
Maintenance: System, Logs, Tools

CHAPTER 6 Status Screens

Use the Status screens to look at the current status of the device, system resources, interfaces (LAN, WAN and WLAN), and SIP accounts. You can also register and unregister SIP accounts. The Status screen also provides detailed information from DHCP and statistics from WiMAX, VoIP, bandwidth management, and traffic.

6.1 Status Screen

Click Status to open this screen.

Figure 44 Status Screen

Each field is described in the following table.

Table 17 Status Screen
LABEL: DESCRIPTION
Refresh Interval: Select how often you want the ZyXEL Device to update this screen.
Refresh Now: Click this to update this screen immediately.
Device Information
System Name: This field displays the ZyXEL Device system name. It is used for identification. You can change this in the Maintenance > System > General screen's System Name field.
Firmware Version: This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in Maintenance > Tools > Firmware.
WAN Information
IP Address: This field displays the current IP address of the ZyXEL Device in the WAN.
IP Subnet Mask: This field displays the current subnet mask on the WAN.
DHCP: This field displays what DHCP services the ZyXEL Device is using in the WAN. Choices are:
  Client - The ZyXEL Device is a DHCP client in the WAN. Its IP address comes from a DHCP server on the WAN.
  None - The ZyXEL Device is not using any DHCP services in the WAN. It has a static IP address.
  If you are not using Roadrunner on Ethernet, you can change this in Network > WAN. If you are using Roadrunner on Ethernet, this is controlled by Roadrunner.
LAN Information
IP Address: This field displays the current IP address of the ZyXEL Device in the LAN.
IP Subnet Mask: This field displays the current subnet mask in the LAN.
DHCP: This field displays what DHCP services the ZyXEL Device is providing to the LAN. Choices are:
  Server - The ZyXEL Device is a DHCP server in the LAN. It assigns IP addresses to other computers in the LAN.
  Relay - The ZyXEL Device is routing DHCP requests to one or more DHCP servers. The DHCP server(s) may be on another network.
  None - The ZyXEL Device is not providing any DHCP services to the LAN.
  You can change this in Network > LAN > DHCP Setup.
WLAN Information
Name (SSID): This is the descriptive name used to identify the ZyXEL Device in the wireless LAN.
Channel: This is the channel number used by the ZyXEL Device.
Security Mode: This is the WiFi security mode used by the ZyXEL Device.
WiMAX Information
Operator ID: Every WiMAX service provider has a unique Operator ID number, which is broadcast by each base station it owns. You can only connect to the Internet through base stations belonging to your service provider's network.
BSID: This field displays the identification number of the wireless base station to which the ZyXEL Device is connected. Every base station transmits a unique BSID, which identifies it across the network.
Cell ID: A base station's coverage area can be divided into multiple cells. This field shows the identification number of the cell in which the ZyXEL Device is connected.
Frequency: This field displays the radio frequency of the ZyXEL Device's wireless connection to a base station.
MAC address: This field displays the Media Access Control address of the ZyXEL Device. Every network device has a unique MAC address which identifies it across the network.
WiMAX State: This field displays the status of the ZyXEL Device's current connection.
  NA: the ZyXEL Device is starting up.
  Fail: The ZyXEL Device is unable to connect to a base station.
  Initial Synchronization: the ZyXEL Device is attempting to locate a base station.
  Initial DCD (Downlink Channel Descriptor): the ZyXEL Device has located a base station and is receiving information about a possible downlink connection.
  Initial UCD (Uplink Channel Descriptor): the ZyXEL Device is receiving information from the base station about a possible uplink connection.
  Initial Ranging and Calibration: the ZyXEL Device and the base station are transmitting and receiving information about the distance between them. Ranging allows the ZyXEL Device to use a lower transmission power level when communicating with a nearby base station, and a higher transmission power level when communicating with a distant base station.
  Initial Negotiation: the ZyXEL Device and the base station are exchanging information about their capabilities.
  Initial PKM (Privacy Key Management): the ZyXEL Device and the base station are exchanging security information.
  Initial Registration: the ZyXEL Device is registering with a RADIUS server.
  Running: the ZyXEL Device has successfully registered with the base station. Traffic can now flow between the ZyXEL Device and the base station.
  Sleep: the ZyXEL Device is in power saving mode, but periodically checks whether a base station has traffic waiting.
  Idle: the ZyXEL Device is in power saving mode, but can connect when a base station alerts it that there is traffic waiting.
  Handover: the ZyXEL Device is moving from one coverage area to another, and is connecting to the new base station.
Bandwidth: This field shows the size of the bandwidth step the ZyXEL Device uses to connect to a base station in megahertz (MHz).
CINR mean: This field shows the average Carrier to Interference plus Noise Ratio of the current connection. This value is an indication of overall radio signal quality. A higher value indicates a higher signal quality, and a lower value indicates a lower signal quality.
CINR deviation: This field shows the amount of change in the CINR level. This value is an indication of radio signal stability. A lower number indicates a more stable signal, and a higher number indicates a less stable signal.
RSSI: This field shows the Received Signal Strength Indication. This value is a measurement of overall radio signal strength. A higher RSSI level indicates a stronger signal, and a lower RSSI level indicates a weaker signal. A strong signal does not necessarily indicate a good signal: a strong signal may have a low signal-to-noise ratio (SNR).
UL Data Rate: This field shows the number of data packets uploaded from the ZyXEL Device to the base station each second.
DL Data Rate: This field shows the number of data packets downloaded to the ZyXEL Device from the base station each second.
PER: This field shows the Packet Error Rate. The PER is the percentage of data packets transmitted across the network but not successfully received.
Tx Power: This field shows the output transmission (Tx) level of the ZyXEL Device.
Firmware Version: This shows the WiMAX chipset firmware version.
Site Information: Click the Details... link to view details of the radio frequencies used by the ZyXEL Device to connect to a base station.
Profile: Click the Details... link to view details of the current wireless security settings.
System Status
System Up Time: This field displays how long the ZyXEL Device has been running since it last started up. The ZyXEL Device starts up when you plug it in, when you restart it (Maintenance > Tools > Restart), or when you reset it (see Section 2.1.2 on page 41).
Current Date/Time: This field displays the current date and time in the ZyXEL Device. You can change this in Maintenance > System > Time Setting.
CPU Usage: This field displays what percentage of the ZyXEL Device's processing ability is currently being used. The higher the CPU usage, the more likely the ZyXEL Device is to slow down. You can reduce this by disabling some services, such as DHCP, NAT, or content filtering.
Memory Usage: This field displays what percentage of the ZyXEL Device's memory is currently used. The higher the memory usage, the more likely the ZyXEL Device is to slow down. Some memory is required just to start the ZyXEL Device and to run the web configurator. You can reduce the memory usage by disabling some services (see CPU Usage); by reducing the amount of memory allocated to NAT and firewall rules (you may have to reduce the number of NAT rules or firewall rules to do so); or by deleting rules in functions such as incoming call policies, speed dial entries, and static routes.
IVR Usage: This field displays what percentage of the ZyXEL Device's IVR memory is currently used. IVR (Interactive Voice Response) refers to the customizable ring tone and on-hold music you set. See Section 12.1.11 on page 155 for more information.
Interface Status
Interface: This column displays each interface of the ZyXEL Device.
Status: This field indicates whether or not the ZyXEL Device is using the interface. For the WAN interface, this field displays Up when the ZyXEL Device is connected to a WiMAX network, and Down when the ZyXEL Device is not connected to a WiMAX network. For the LAN interface, this field displays Up when the ZyXEL Device is using the interface and Down when the ZyXEL Device is not using the interface. For the WLAN port, it displays Up when WLAN is enabled or Down when WLAN is disabled.
Rate: For the LAN ports this displays the port speed and duplex setting. For the WAN interface, it displays the downstream and upstream transmission rate or N/A if the ZyXEL Device is not connected to a base station. For the WLAN port, it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled.
Summary
Packet Statistics: Click this link to view port status and packet specific statistics.
DHCP Table: Click this link to see details of computers to which the ZyXEL Device has given an IP address.
VoIP Statistics: Click this link to view statistics about your VoIP usage.
VoIP Status
Account: This column displays each SIP account in the ZyXEL Device.
Registration: This field displays the current registration status of the SIP account. You have to register SIP accounts with a SIP server to use VoIP.
  If the SIP account is already registered with the SIP server, click Unregister to delete the SIP account's registration in the SIP server. This does not cancel your SIP account, but it deletes the mapping between your SIP identity and your IP address or domain name. The second field displays Registered.
  If the SIP account is not registered with the SIP server, click Register to have the ZyXEL Device attempt to register the SIP account with the SIP server. The second field displays the reason the account is not registered.
  Inactive - The SIP account is not active. You can activate it in VoIP > SIP > SIP Settings.
  Register Fail - The last time the ZyXEL Device tried to register the SIP account with the SIP server, the attempt failed. The ZyXEL Device automatically tries to register the SIP account when you turn on the ZyXEL Device or when you activate it.
URI: This field displays the account number and service domain of the SIP account. You can change these in VoIP > SIP > SIP Settings.

6.2 Site Information

Click Status > Site Information to view this screen. This read-only screen shows information about the ZyXEL Device's connection with a WiMAX base station. To configure these settings, go to the Network > WAN > WiMAX Frequency screen.
Figure 45 The Site Information Screen

The following table describes the labels in this screen.

Table 18 The Site Information Screen
LABEL: DESCRIPTION
Site Information
DL Frequency [0] ~ [9]: These fields show the downlink frequency settings in kilohertz (kHz). These settings determine how the ZyXEL Device searches for an available wireless connection. See Section 8.4 on page 111 for more information.

6.3 Profile

Click Status > Profile to view this screen. This read-only screen displays information about the security settings you are using. To configure these settings, go to the Network > WAN > Internet Connection screen. Not all ZyXEL Device models have all the fields shown here.

Figure 46 The WiMAX Profile Screen

The following table describes the labels in this screen.

Table 19 The WiMAX Profile Screen
LABEL: DESCRIPTION
Profile
User: This is the username for your Internet access account.
Password: This is the password for your Internet access account. The password displays as a row of asterisks.
Anonymous Identity: This is the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption.
PKM: This field displays the Privacy Key Management version number. PKM provides security between the ZyXEL Device and the base station. See the WiMAX security appendix for more information.
Authentication: This field displays the user authentication method. Authentication is the process of confirming the identity of a user (by means of a username and password, for example). EAP-TTLS allows an MS/SS and a base station to establish a secure link (or tunnel) with an AAA (Authentication, Authorization and Accounting) server in order to exchange authentication information. See the WiMAX security appendix for more details.
TTLS Inner EAP: This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. The ZyXEL Device supports the following inner authentication types:
  CHAP (Challenge Handshake Authentication Protocol)
  MSCHAP (Microsoft CHAP)
  MSCHAPV2 (Microsoft CHAP version 2)
  PAP (Password Authentication Protocol)
Auth Mode: This is the authentication mode. The ZyXEL Device supports the following authentication modes:
  User Only
  Device Only with Cert
  Certs and User Authentication
Certificate: This is the security certificate the ZyXEL Device uses to authenticate the AAA server.

6.4 Packet Statistics

To access this screen, open the Status screen (see Section 6.1 on page 79), and click (Details...) next to Packet Statistics. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.

Figure 47 Packet Statistics

The following table describes the fields in this screen.

Table 20 Packet Statistics
LABEL: DESCRIPTION
Packet Statistics
Port: This column displays each interface of the ZyXEL Device.
Status: This field indicates whether or not the ZyXEL Device is using the interface. For the WAN interface, this field displays Up when the ZyXEL Device is connected to a WiMAX network, and Down when the ZyXEL Device is not connected to a WiMAX network. For the LAN interface, this field displays Up when the ZyXEL Device is using the interface and Down when the ZyXEL Device is not using the interface. For the WLAN port, it displays Up when WLAN is enabled or Down when WLAN is disabled.
TxPkts: This field displays the number of packets transmitted on this interface.
RxPkts: This field displays the number of packets received on this interface.
Collisions: This field displays the number of collisions on this port.
Tx B/s: This field displays the number of bytes transmitted in the last second.
Rx B/s: This field displays the number of bytes received in the last second.
Up Time: This field displays the elapsed time this interface has been connected.
System up Time: This is the elapsed time the system has been on.
Poll Interval(s): Type the time interval for the browser to refresh system statistics.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval field above.
Stop: Click this button to halt the refreshing of the system statistics.

6.5 DHCP Table Screen

This screen displays information about computers that received an IP address from the ZyXEL Device. To access this screen, open the Status screen (see Section 6.1 on page 79), and click (Details...) next to DHCP Table.

Figure 48 DHCP Table

Each field is described in the following table.

Table 21 DHCP Table
LABEL: DESCRIPTION
DHCP Table
#: This field is a sequential value. It is not associated with a specific entry.
IP Address: This field displays the IP address the ZyXEL Device assigned to a computer in the network.
Host Name: This field displays the system name of the computer to which the ZyXEL Device assigned the IP address.
MAC Address: This field displays the MAC address of the computer to which the ZyXEL Device assigned the IP address.
Refresh: Click this to update this screen.

6.6 VoIP Statistics Window

This screen displays SIP registration information, status of calls and VoIP traffic statistics. To access this screen, open the Status screen (see Section 6.1 on page 79), and click (Details...) next to VoIP Statistics.

Figure 49 VoIP Statistics

Each field is described in the following table.

Table 22 VoIP Statistics
LABEL: DESCRIPTION
SIP Status
Account: This column displays each SIP account in the ZyXEL Device.
Registration: This field displays the current registration status of the SIP account. You can change this in the Status screen.
  Registered - The SIP account is registered with a SIP server.
  Register Fail - The last time the ZyXEL Device tried to register the SIP account with the SIP server, the attempt failed. The ZyXEL Device automatically tries to register the SIP account when you turn on the ZyXEL Device or when you activate it.
  Inactive - The SIP account is not active. You can activate it in VoIP > SIP > SIP Settings.
Last Registration: This field displays the last time you successfully registered the SIP account. It displays N/A if you never successfully registered this account.
URI: This field displays the account number and service domain of the SIP account. You can change these in VoIP > SIP > SIP Settings.
Protocol: This field displays the transport protocol the SIP account uses. SIP accounts always use UDP.
Message Waiting: This field indicates whether or not there are any messages waiting for the SIP account.
Last Incoming Number: This field displays the last number that called the SIP account. It displays N/A if no number has ever dialed the SIP account.
Last Outgoing Number: This field displays the last number the SIP account called. It displays N/A if the SIP account has never dialed a number.
Call Statistics
Phone: This field displays the ZyXEL Device's phone port number.
Hook: This field indicates whether the phone is on the hook or off the hook.
  On - The phone is hanging up or already hung up.
  Off - The phone is dialing, calling, or connected.
Status: This field displays the current state of the phone call.
  N/A - There are no current VoIP calls, incoming calls or outgoing calls being made.
  DIAL - The callee's phone is ringing.
  RING - The phone is ringing for an incoming VoIP call.
  Process - There is a VoIP call in progress.
  DISC - The callee's line is busy, the callee hung up or your phone was left off the hook.
Codec: This field displays what voice codec is being used for a current VoIP call through a phone port.
Peer Number: This field displays the SIP number of the party that is currently engaged in a VoIP call through a phone port.
Duration: This field displays how long the current call has lasted.
Tx Pkts: This field displays the number of packets the ZyXEL Device has transmitted in the current call.
Rx Pkts: This field displays the number of packets the ZyXEL Device has received in the current call.
Tx B/s: This field displays how quickly the ZyXEL Device has transmitted packets in the current call. The rate is the average number of bytes transmitted per second.
Rx B/s: This field displays how quickly the ZyXEL Device has received packets in the current call. The rate is the average number of bytes transmitted per second.
Poll Interval(s): Enter how often you want the ZyXEL Device to update this screen, and click Set Interval.
Set Interval: Click this to make the ZyXEL Device update the screen based on the amount of time you specified in Poll Interval.
Stop: Click this to make the ZyXEL Device stop updating the screen.

CHAPTER 7 Wireless LAN

This chapter discusses how to configure the wireless network settings in your ZyXEL Device. See the appendices for more detailed information about wireless networks.

7.1 Wireless Network Overview

The following figure provides an example of a wireless network.

Figure 50 Example of a Wireless Network

The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP.

Every wireless network must follow these basic guidelines.
  Every wireless client in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity.
  If two wireless networks overlap, they should use different channels. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.
  Every wireless client in the same wireless network must use security compatible with the AP. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.

7.2 Wireless Security Overview

The following sections introduce different types of wireless security you can set up in the wireless network.
7.2.1 SSID

Normally, the AP acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the AP does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.

This type of security is fairly weak, however, because there are ways for unauthorized devices to get the SSID. In addition, unauthorized devices can still see the information that is sent in the wireless network.

7.2.2 MAC Address Filter

Every wireless client has a unique identification number, called a MAC address [1]. A MAC address is usually written using twelve hexadecimal characters [2]; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each wireless client, see the appropriate User's Guide or other documentation.

You can use the MAC address filter to tell the AP which wireless clients are allowed or not allowed to use the wireless network. If a wireless client is allowed to use the wireless network, it still has to have the correct settings (SSID, channel, and security). If a wireless client is not allowed to use the wireless network, it does not matter if it has the correct settings.

This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized devices to get the MAC address of an authorized wireless client. Then, they can use that MAC address to use the wireless network.

7.2.3 User Authentication

You can make every user log in to the wireless network before they can use it. This is called user authentication. However, every wireless client in the wireless network has to support IEEE 802.1x to do this.

For wireless networks, there are two typical places to store the user names and passwords for each user.
  In the AP: this feature is called a local user database or a local database.
  In a RADIUS server: this is a server used in businesses more than in homes.
1.Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses. 2.Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. 92 MAX-200HW2 Users Guide Chapter 7Wireless LAN If your AP does not provide a local user database and if you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network. Local user databases also have an additional limitation that is explained in the next section. 7.2.4 Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. The types of encryption you can choose depend on the type of user authentication. (See Section 7.2.3 on page 92 for information about this.) Table 23 Types of Encryption for Each Type of Authentication RADIUS SERVER Weakest NO AUTHENTICATION No SecurityWPA Static WEP WPA-PSK Strongest WPA2-PSKWPA2 For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no encryption, Static WEP, WPA-
PSK, or WPA2-PSK. Usually, you should set up the strongest encryption that every wireless client in the wireless network supports. For example, suppose the AP does not have a local user database, and you do not have a RADIUS server. Therefore, there is no user authentication. Suppose the wireless network has two wireless clients. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network. It is recommended that wireless networks use WPA-PSK, WPA, or stronger encryption. IEEE 802.1x and WEP encryption are better than none at all, but it is still possible for unauthorized devices to figure out the original information pretty quickly. It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database. MAX-200HW2 Users Guide 93 Chapter 7Wireless LAN When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option
(WPA Compatible) to support WPA as well. In this case, if some wireless clients support WPA and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of wireless network login) and select the WPA Compatible option in the ZyXEL Device.

Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every wireless client in the wireless network must have the same key.

7.2.5 One-Touch Intelligent Security Technology (OTIST)

With ZyXEL's OTIST, you set up the SSID and WPA-PSK on the ZyXEL Device. Then, the ZyXEL Device transfers them to the devices in the wireless network. As a result, you do not have to set up the SSID and encryption on every device in the wireless network.

The devices in the wireless network have to support OTIST, and they have to be in range of the ZyXEL Device when you activate it. See Section 7.4 on page 101 for more details.

7.3 General Wireless LAN Screen

If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID, channel or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.

Click Network > Wireless LAN to open the General screen.

Figure 51 Network > Wireless LAN > General

The following table describes the general wireless LAN labels in this screen.

Table 24 Network > Wireless LAN > General

| LABEL | DESCRIPTION |
|---|---|
| Enable Wireless LAN | Click the check box to activate wireless LAN. |
| Name(SSID) | (Service Set IDentity) The SSID identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. |
| Hide SSID | Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool. |
| Channel Selection | Set the operating frequency/channel depending on your particular region. Select a channel from the drop-down list box. The options vary depending on whether you are using A or B/G frequency band and the country you are in. Refer to the Connection Wizard chapter for more information on channels. |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

See the rest of this chapter for information on the other labels in this screen.

7.3.1 No Security

Select No Security to allow wireless stations to communicate with the access points without any data encryption.

If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.

Figure 52 Network > Wireless LAN > General: No Security

The following table describes the labels in this screen.

Table 25 Wireless No Security

| LABEL | DESCRIPTION |
|---|---|
| Security Mode | Choose No Security from the drop-down list box. |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

7.3.2 WEP Encryption

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key.
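The selection rule from the encryption overview earlier in this chapter (use the strongest encryption every client supports, and WPA2 with WPA Compatible when clients are split between WPA and WPA2), worked as an added Python example that is not part of the ZyXEL manual. The function name, the client inventory format and the `held_back_by` field are assumptions made for the illustration.

```python
"""Added example: choosing a Security Mode from a client inventory.

Illustration only; the inventory format and all names are assumptions.
"""
from dataclasses import dataclass, field

FAMILIES = {"wep", "wpa", "wpa2"}  # encryption families a client may support


@dataclass
class Recommendation:
    security_mode: str            # entry to choose in the Security Mode list
    wpa_compatible: bool = False  # whether to tick the WPA Compatible option
    held_back_by: list = field(default_factory=list)  # clients blocking a stronger mode
    warnings: list = field(default_factory=list)


def recommend_mode(clients, has_radius=False):
    """Return the strongest mode that every listed client can join.

    clients    -- dict: client name -> iterable of supported families
                  (subset of FAMILIES; empty means no encryption support)
    has_radius -- True selects the WPA/WPA2 modes, False the -PSK modes
    """
    if not clients:
        raise ValueError("no wireless clients listed")
    clients = {name: set(modes) for name, modes in clients.items()}
    unknown = set().union(*clients.values()) - FAMILIES
    if unknown:
        raise ValueError("unknown encryption family: %s" % sorted(unknown))

    names = sorted(clients)
    suffix = "" if has_radius else "-PSK"
    lacks_wpa2 = [n for n in names if "wpa2" not in clients[n]]
    lacks_any_wpa = [n for n in names if not clients[n] & {"wpa", "wpa2"}]

    # Every client supports WPA2: use it alone.
    if not lacks_wpa2:
        return Recommendation("WPA2" + suffix)

    # Every client supports WPA or WPA2.
    if not lacks_any_wpa:
        if len(lacks_wpa2) < len(names):
            # Mixed WPA / WPA2 clients: WPA2 plus the WPA Compatible option.
            rec = Recommendation("WPA2" + suffix, True, lacks_wpa2)
            rec.warnings.append(
                "WPA Compatible is needed only for: " + ", ".join(lacks_wpa2))
            return rec
        # Nobody supports WPA2, everybody supports WPA.
        return Recommendation("WPA" + suffix, False, lacks_wpa2)

    # At least one client has no WPA support at all.
    # Assumption: Static WEP is reported with or without a RADIUS server;
    # 802.1x-based modes are not modelled here.
    if all("wep" in clients[n] for n in names):
        rec = Recommendation("Static WEP", False, lacks_any_wpa)
    else:
        rec = Recommendation("No Security", False, lacks_any_wpa)
    rec.warnings.append(
        rec.security_mode + " is below the WPA-PSK/WPA level the chapter "
        "recommends; clients without WPA support: " + ", ".join(lacks_any_wpa))
    return rec


if __name__ == "__main__":
    # Constructed inventory matching the chapter's example: device A is WEP-only.
    print(recommend_mode({"A": {"wep"}, "B": {"wep", "wpa"}}))
```

The `held_back_by` list names the clients to upgrade or replace before the network can move to the next stronger mode.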
Your ZyXEL Device allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time.

To configure and enable WEP encryption, click Network > Wireless LAN to display the General screen. Select Static WEP from the Security Mode list.

Figure 53 Network > Wireless LAN > General: Static WEP

The following table describes the wireless LAN security labels in this screen.

Table 26 Network > Wireless LAN > General: Static WEP

| LABEL | DESCRIPTION |
|---|---|
| Passphrase | Enter a passphrase (password phrase) of up to 32 printable characters and click Generate. The ZyXEL Device automatically generates four different WEP keys and displays them in the Key fields below. |
| WEP Encryption | Select 64-bit WEP or 128-bit WEP to enable data encryption. |
| Authentication Method | This field is activated when you select 64-bit WEP or 128-bit WEP in the WEP Encryption field. Select Auto, Open System or Shared Key from the drop-down list box. |
| ASCII | Select this option in order to enter ASCII characters as a WEP key. |
| Hex | Select this option in order to enter hexadecimal characters as a WEP key. The preceding "0x", which identifies a hexadecimal key, is entered automatically. |
| Key 1 to Key 4 | The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure at least one key; only one key can be activated at any one time. The default key is key 1. |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

7.3.3 WPA-PSK/WPA2-PSK

Click Network > Wireless LAN to display the General screen. Select WPA-PSK or WPA2-PSK from the Security Mode list.

Figure 54 Network > Wireless LAN > General: WPA-PSK/WPA2-PSK

The following table describes the labels in this screen.

Table 27 Network > Wireless LAN > General: WPA-PSK/WPA2-PSK

| LABEL | DESCRIPTION |
|---|---|
| WPA Compatible | This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2. |
| Pre-Shared Key | The encryption mechanisms used for WPA/WPA2 and WPA-PSK/WPA2-PSK are the same. The only difference between the two is that WPA-PSK/WPA2-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). |
| ReAuthentication Timer (in seconds) | Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. |
| Idle Timeout | The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). |
| Group Key Update Timer | The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA/WPA2 key management) sends a new group key out to all clients. The re-keying process is the WPA/WPA2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The default is 1800 seconds (30 minutes). |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

7.3.4 WPA/WPA2

Click Network > Wireless LAN to display the General screen. Select WPA or WPA2 from the Security Mode list.

Figure 55 Network > Wireless LAN > General: WPA/WPA2

The following table describes the labels in this screen.

Table 28 Network > Wireless LAN > General: WPA/WPA2

| LABEL | DESCRIPTION |
|---|---|
| WPA Compatible | This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2. |
| ReAuthentication Timer (in seconds) | Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. |
| Idle Timeout | The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). |
| Group Key Update Timer | The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA/WPA2 key management) sends a new group key out to all clients. The re-keying process is the WPA/WPA2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The ZyXEL Device default is 1800 seconds (30 minutes). |
| Authentication Server | |
| IP Address | Enter the IP address of the external authentication server in dotted decimal notation. |
| Port Number | Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. |
| Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network. |
| Accounting Server | |
| Active | Select the checkbox to enable user accounting through an external authentication server. |
| IP Address | Enter the IP address of the external accounting server in dotted decimal notation. |
| Port Number | Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. |
| Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL Device. The key must be the same on the external accounting server and your ZyXEL Device. The key is not sent over the network. |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

7.4 OTIST

In a wireless network, the wireless clients must have the same SSID and security settings as the access point (AP) or wireless router (we will refer to both as AP here) in order to associate with it. Traditionally this meant that you had to configure the settings on the AP and then manually configure the exact same settings on each wireless client.

OTIST (One-Touch Intelligent Security Technology) allows you to transfer your AP's SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range. You can also choose to have OTIST generate a WPA-PSK key for you if you didn't configure one manually.

OTIST replaces the pre-configured wireless settings on the wireless clients.

7.4.1 Enabling OTIST

You must enable OTIST on both the AP and wireless client before you start transferring settings.

The AP and wireless client(s) MUST use the same Setup key.

Click Network > Wireless LAN > OTIST. The following screen displays.

Figure 56 Network > Wireless LAN > OTIST

The following table describes the labels in this screen.

Table 29 Network > Wireless LAN > OTIST

| LABEL | DESCRIPTION |
|---|---|
| Setup Key | Type an OTIST Setup Key of exactly eight ASCII characters in length. The default OTIST setup key is "01234567". Note: If you change the OTIST setup key here, you must also make the same change on the wireless client(s). |
| Yes! | If you want OTIST to automatically generate a WPA-PSK, you must: Change your security to any security other than WPA-PSK in the Wireless LAN > General screen. Select the Yes! checkbox in the OTIST screen and click Start. The wireless screen displays an auto generated WPA-PSK and is now in WPA-PSK security mode. The WPA-PSK security settings are assigned to the wireless client when you start OTIST. Note: If you already have a WPA-PSK configured in the Wireless LAN > General screen, and you run OTIST with Yes! selected, OTIST will use the existing WPA-PSK. |
| Start | Click Start to encrypt the wireless security data using the setup key and have the ZyXEL Device set the wireless client to use the same wireless settings as the ZyXEL Device. You must also activate and start OTIST on the wireless client all within three minutes. |

7.4.1.1 Wireless Client

Start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP's and click Save.

Figure 57 Example Wireless Client OTIST Screen

7.4.2 Starting OTIST

Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing). You can start OTIST in the wireless clients and AP in any order but they must all be within range and have OTIST enabled.

1 In the AP, a web configurator screen pops up showing you the security settings to transfer. You can use the key in this screen to set up WPA-PSK encryption manually for non-OTIST devices in the wireless network. After reviewing the settings, click OK.

Figure 58 Security Key

2 This screen appears while OTIST settings are being transferred. It closes when the transfer is complete.

Figure 59 OTIST in Progress (AP)

Figure 60 OTIST in Progress (Client)

In the wireless client, you see this screen if it can't find an OTIST-enabled AP (with the same Setup key). Click OK to go back to the ZyXEL utility main screen.

Figure 61 No AP with OTIST Found

If there is more than one OTIST-enabled AP within range, you see a screen asking you to select one AP to get settings from.

7.4.3 Notes on OTIST

1 If you enabled OTIST in the wireless client, you see this screen each time you start the utility. Click Yes for it to search for an OTIST-enabled AP.

Figure 62 Start OTIST?
2 If an OTIST-enabled wireless client loses its wireless connection for more than ten seconds, it will search for an OTIST-enabled AP for up to one minute. (If you manually have the wireless client search for an OTIST-enabled AP, there is no timeout; click Cancel in the OTIST progress screen to stop the search.)

3 When the wireless client finds an OTIST-enabled AP, you must still click Start in the AP OTIST web configurator screen for the AP to transfer settings.

4 If you change the SSID or the keys on the AP after using OTIST, you need to run OTIST again or enter them manually in the wireless client(s).

5 If you configure OTIST to generate a WPA-PSK key, this key changes each time you run OTIST. Therefore, if a new wireless client joins your wireless network, you need to run OTIST on the AP and ALL wireless clients again.

7.5 MAC Filter

The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices (Allow) or exclude up to 32 devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen.

To change your ZyXEL Device's MAC filter settings, click Network > Wireless LAN > MAC Filter. The screen appears as shown.

Figure 63 Network > Wireless LAN > MAC Filter

The following table describes the labels in this menu.

Table 30 Network > Wireless LAN > MAC Filter

| LABEL | DESCRIPTION |
|---|---|
| Active | Select Yes from the drop down list box to enable MAC address filtering. |
| Filter Action | Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny to block access to the ZyXEL Device; MAC addresses not listed will be allowed to access the ZyXEL Device. Select Allow to permit access to the ZyXEL Device; MAC addresses not listed will be denied access to the ZyXEL Device. |
| Set | This is the index number of the MAC address. |
| MAC Address | Enter the MAC addresses of the wireless stations that are allowed or denied access to the ZyXEL Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc. |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

7.6 Wireless LAN Advanced Screen

Click Network > Wireless LAN > Advanced. The screen appears as shown.

Figure 64 Network > Wireless LAN > Advanced

The following table describes the labels in this screen.

Table 31 Network > Wireless LAN > Advanced

| LABEL | DESCRIPTION |
|---|---|
| Wireless Advanced Setup | |
| RTS/CTS Threshold | Data with its frame size larger than this value will perform the RTS (Request To Send)/CTS (Clear To Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value, then the RTS/CTS handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Enter a value between 0 and 2432. |
| Fragmentation Threshold | It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. |
| 802.11 Mode | Select 802.11b to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select 802.11b/g to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced. |
| Apply | Click Apply to save your changes back to the ZyXEL Device. |
| Reset | Click Reset to reload the previous configuration for this screen. |

CHAPTER 8 WAN Setup

This chapter describes how to configure WAN settings.

8.1 WAN Overview

A WAN (Wide Area Network) is an outside connection to another network or the Internet. Your ZyXEL Device uses the IEEE 802.16e WiMAX standard to connect wirelessly to a WiMAX base station (see Section 1.1 on page 33).

8.2 WiMAX

WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE 802.16 wireless networking standard, which provides high-bandwidth, wide-range wireless service across wireless Metropolitan Area Networks (MANs). ZyXEL is a member of the WiMAX Forum, the industry group dedicated to promoting and certifying interoperability of wireless broadband products.

In a wireless MAN, a wireless-equipped computer is known either as a mobile station (MS) or a subscriber station (SS). Mobile stations use the IEEE 802.16e standard and are able to maintain connectivity while switching their connection from one base station to another base station (handover), while subscriber stations use other standards that do not have this capability (IEEE 802.16-2004, for example). The following figure shows an MS-equipped notebook computer MS1 moving from base station BS1's coverage area and connecting to BS2.

Figure 65 WiMAX: Mobile Station

WiMAX technology uses radio signals (around 2 to 10 GHz) to connect subscriber stations and mobile stations to local base stations. Numerous subscriber stations and mobile stations connect to the network through a single base station (BS), as in the following figure.

Figure 66 WiMAX: Multiple Mobile Stations

A base station's coverage area can extend over many hundreds of meters, even under poor conditions. A base station provides network access to subscriber stations and mobile stations, and communicates with other base stations.

The radio frequency and bandwidth of the link between the ZyXEL Device and the base station are controlled by the base station. The ZyXEL Device follows the base station's configuration.

8.2.1 Authentication

When authenticating a user, the base station uses a third-party RADIUS or Diameter server known as an AAA (Authentication, Authorization and Accounting) server to authenticate the mobile or subscriber stations.

The following figure shows a base station using an AAA server to authenticate mobile station MS, allowing it to access the Internet.

Figure 67 Using an AAA Server

In this figure, the dashed arrow shows the PKM (Privacy Key Management) secured connection between the mobile station and the base station, and the solid arrow shows the EAP secured connection between the mobile station, the base station and the AAA server. See the WiMAX security appendix for more details.

8.3 Internet Access Setup

To change your ZyXEL Device's Internet access settings, click Network > WAN. The Internet Connection screen displays.

Not all ZyXEL Device models have all the fields shown here.
Figure 68 Network > WAN > Internet Connection

The following table describes the labels in this screen.

Table 32 Network > WAN > Internet Connection

| LABEL | DESCRIPTION |
|---|---|
| ISP Parameters for Internet Access | |
| User | Use this field to enter the username associated with your Internet access account. You can enter up to 61 printable ASCII characters. |
| Password | Use this field to enter the password associated with your Internet access account. You can enter up to 47 printable ASCII characters. |
| Anonymous Identity | Enter the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption. The anonymous identity is used to route your authentication request to the correct authentication server, and does not reveal your real user name. Your real user name and password are encrypted in the TLS tunnel, and only the anonymous identity can be seen. Leave this field blank if your ISP did not give you an anonymous identity to use. |
| PKM | This field displays the Privacy Key Management version number. PKM provides security between the ZyXEL Device and the base station. At the time of writing, the ZyXEL Device supports PKMv2 only. See the WiMAX security appendix for more information. |
| Authentication | This field displays the user authentication method. Authentication is the process of confirming the identity of a mobile station (by means of a username and password, for example). Check with your service provider if you are unsure of the correct setting for your account. Choose from the following user authentication methods: TTLS (Tunnelled Transport Layer Security); TLS (Transport Layer Security). Note: Not all ZyXEL Devices support TLS authentication. Check with your service provider for details. |
| TTLS Inner EAP | This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. This field is available only when TTLS is selected in the Authentication field. The ZyXEL Device supports the following inner authentication types: CHAP (Challenge Handshake Authentication Protocol); MSCHAP (Microsoft CHAP); MSCHAPV2 (Microsoft CHAP version 2); PAP (Password Authentication Protocol). |
| Auth Mode | Select the authentication mode from the drop-down list box. This field is not available in all ZyXEL Devices. Check with your service provider for details. The ZyXEL Device supports the following authentication modes: User Only; Device Only with Cert; Certs and User Authentication. |
| Certificate | This is the security certificate the ZyXEL Device uses to authenticate the AAA server. Use the Security > Certificates > Trusted CA screen to import certificates to the ZyXEL Device. |
| WAN IP Address Assignment | |
| Get automatically from ISP (Default) | Select this if you have a dynamic IP address. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. |
| Use Fixed IP Address | A static IP address is a fixed IP that your ISP gives you. Type your ISP assigned IP address in the IP Address field below. |
| IP Subnet Mask | Enter a subnet mask in dotted decimal notation. Refer to the appendices to calculate a subnet mask if you are implementing subnetting. |
| Gateway IP Address | Specify a gateway IP address (supplied by your ISP). |
| Apply | Click this button to save your settings. |
| Reset | Click this button to return all the fields in this screen to their default values. |

8.4 Frequency Settings

In a WiMAX network, a mobile or subscriber station must use a radio frequency supported by the base station to communicate. When the ZyXEL Device looks for a connection to a base station, it can search a range of frequencies.

Radio frequency is measured in Hertz (Hz).

Table 33 Radio Frequency Conversion

1 kHz = 1000 Hz
1 MHz = 1000 kHz (1000000 Hz)
1 GHz = 1000 MHz (1000000 kHz)

8.4.1 Frequency Ranges

The following figure shows the ZyXEL Device searching a range of frequencies to find a connection to a base station.

Figure 69 Frequency Ranges

In this figure, A is the WiMAX frequency range. WiMAX frequency range refers to the entire range of frequencies the ZyXEL Device is capable of using to transmit and receive (see the Product Specifications appendix for details).

In the figure, B shows the operator frequency range. This is the range of frequencies within the WiMAX frequency range supported by your operator (service provider).

The operator range is subdivided into bandwidth steps. In the figure, each C is a bandwidth step.

The arrow D shows the ZyXEL Device searching for a connection.

Have the ZyXEL Device search only certain frequencies by configuring the downlink frequencies.
Your operator can give you information on the supported frequencies.

The downlink frequencies are points of the frequency range your ZyXEL Device searches for an available connection. Use the Site Survey screen to set these bands. You can set the downlink frequencies anywhere within the WiMAX frequency range. In this example, the downlink frequencies have been set to search all of the operator range for a connection.

8.4.2 Configuring Frequency Settings

You need to set the ZyXEL Device to scan one or more specific radio frequencies to find an available connection to a WiMAX base station.

Use the WiMAX Frequency screen to define the radio frequencies to be searched for available wireless connections. See Section 8.4.2.1 on page 113 for an example of using the WiMAX Frequency screen.

It may take several minutes for the ZyXEL Device to find a connection.

The ZyXEL Device searches the DL Frequency settings in ascending numerical order, from [0] to [9].

If you enter a 0 in a DL Frequency field, the ZyXEL Device immediately moves on to the next DL Frequency field.

When the ZyXEL Device connects to a base station, the values in this screen are automatically set to the base station's frequency. The next time the ZyXEL Device searches for a connection, it searches only this frequency. If you want the ZyXEL Device to search other frequencies, enter them in the DL Frequency fields.

The following table describes some examples of DL Frequency settings.

Table 34 DL Frequency Example Settings

| | EXAMPLE 1 | EXAMPLE 2 |
|---|---|---|
| DL Frequency [0]: | 2500000 | 2500000 |
| DL Frequency [1]: | 2550000 | 2550000 |
| DL Frequency [2]: | 0 | 2600000 |
| DL Frequency [3]: | 0 | 0 |
| DL Frequency [4]: | 0 | 0 |
| | The ZyXEL Device searches at 2500000 kHz, and then searches at 2550000 kHz if it has not found a connection. | The ZyXEL Device searches at 2500000 kHz and then at 2550000 kHz if it has not found an available connection. If it still does not find an available connection, it searches at 2600000 kHz. |

Click Network > WAN > WiMAX Frequency to display the screen shown next.

Figure 70 Network > WAN > WiMAX Frequency

The following table describes the labels in this screen.

Table 35 Network > WAN > WiMAX Frequency

| LABEL | DESCRIPTION |
|---|---|
| DL Frequency [0] ~ [9] | These fields show the downlink frequency settings in kilohertz (kHz). Enter values in these fields to have the ZyXEL Device scan these frequencies for available channels in ascending numerical order. Contact your service provider for details of supported frequencies. |
| Apply | Click this button to save your settings. |
| Reset | Click this button to return all the fields in this screen to their default values. |

8.4.2.1 Using the WiMAX Frequency Screen: Example

In this example, your Internet service provider has given you a list of supported frequencies, as follows.

Table 36 Example Supported Frequencies (GHz)

2.5
2.525
2.6
2.625

Use the WiMAX Frequency screen to enter the frequencies you want the ZyXEL Device to scan for a connection to a base station.

1 In the DL Frequency [0] field, enter 2500000 (2500000 kilohertz (kHz) is equal to 2.5 gigahertz).

2 In the DL Frequency [1] field, enter 2525000.

3 In the DL Frequency [2] field, enter 2600000.

4 In the DL Frequency [3] field, enter 2625000.

Leave the rest of the DL Frequency fields at zero. The screen appears as follows.

Figure 71 Completing the WiMAX Frequency Screen

5 Click Apply. The ZyXEL Device stores your settings.

When the ZyXEL Device searches for available frequencies, it scans all frequencies from DL Frequency [0] to DL Frequency [3]. When it finds an available connection, the fields in this screen will be automatically set to use that frequency.

8.5 Configuring Advanced WAN Settings

Click Network > WAN > Advanced to display the following screen.

Figure 72 Network > WAN > Advanced

The following table describes the labels in this screen.

Table 37 Network > WAN > Advanced

| LABEL | DESCRIPTION |
|---|---|
| DNS Servers | |
| First, Second and Third DNS Server | Select Obtained from ISP if your ISP dynamically assigns DNS server information (and the ZyXEL Device's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select UserDefined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose UserDefined, but leave the IP address set to 0.0.0.0, UserDefined changes to None after you click Apply. If you set a second choice to UserDefined, and enter the same IP address, the second UserDefined changes to None after you click Apply. Select None if you do not want to configure DNS servers. You must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it. |
| RIP & Multicast Setup | |
| RIP Direction | Select the RIP direction from None, Both, In Only and Out Only. |
| RIP Version | Select the RIP version from RIP-1, RIP-2B and RIP-2M. |
| Multicast | IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it. |
| Windows Networking (NetBIOS over TCP/IP) | NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN. |
| Allow between LAN and WAN | Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN. |
| Allow Trigger Dial | Select this option to allow NetBIOS packets to initiate calls. |
| Apply | Click this button to save your settings. |
| Reset | Click this button to return all the fields in this screen to their default values. |

8.6 Configuring Traffic Redirect Settings

To change your ZyXEL Device's traffic redirect settings, click Network > WAN > Traffic Redirect. The screen appears as shown.

Figure 73 Network > WAN > Traffic Redirect

The following table describes the labels in this screen.

Table 38 Network > WAN > Traffic Redirect

| LABEL | DESCRIPTION |
|---|---|
| Traffic Redirect | |
| Active | Select this check box to have the ZyXEL Device use traffic redirect if the normal WAN connection goes down. Note: If you activate traffic redirect, you must configure the Check WAN IP Address field. |
| Backup Gateway IP Address | Type the IP address of your backup gateway in dotted decimal notation. The ZyXEL Device automatically forwards traffic to this IP address if the ZyXEL Device's Internet connection terminates. |
| Check WAN IP Address | Configure this field to test your ZyXEL Device's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address). Note: If you activate either traffic redirect or dial backup, you must configure an IP address here. When using a WAN backup connection, the ZyXEL Device periodically pings the addresses configured here and uses the other WAN backup connection (if configured) if there is no response. |
| Fail Tolerance | Type the number of times (2 recommended) that your ZyXEL Device may ping the IP addresses configured in the Check WAN IP Address field without getting a response before switching to a WAN backup connection (or a different WAN backup connection). |
| Period (sec) | The ZyXEL Device tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Check WAN IP Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic. |
| Timeout (sec) | Type the number of seconds (1 to 10) for your ZyXEL Device to wait for a response to the ping before considering the check to have failed. This setting must be less than the Period. Use a higher value in this field if your network is busy or congested. |
| Apply | Click this button to save your settings. |
| Reset | Click this button to return all the fields in this screen to their default values. |

8.6.1 Configuring The Antenna

In this screen you can select whether to use the internal or external antenna for WiMAX. Select Automatic Selection to have the ZyXEL Device use whichever antenna has the best signal reception (recommended). Alternatively, if you do not want to use the external antenna, select Use Internal Antenna, and if you do not want to use the internal antenna, select Use External Antenna.

The MAX-200HW2 and MAX-230HW2 do not have an internal antenna.
To choose which antenna to use, click Network > WAN > Antenna Selection. The screen appears as shown.

Figure 74 Network > WAN > Antenna Selection

The following table describes the labels in this screen.

Table 39 Network > WAN > Antenna Selection

| LABEL | DESCRIPTION |
|---|---|
| Automatic Selection | Select Automatic Selection to have the ZyXEL Device choose which antenna to use. This setting is recommended as it will choose the antenna with the stronger signal reception. |
| Use Internal Antenna | Select Use Internal Antenna to have the ZyXEL Device use its internal antenna. This option is not applicable for the MAX-200HW2 and MAX-230HW2. |
| Use External Antenna | Select Use External Antenna to have the ZyXEL Device use its external antenna. |
| Apply | Click this button to save your settings. |
| Reset | Click this button to return the fields in this screen to their default settings. |

CHAPTER 9 LAN

Use these screens to set up the ZyXEL Device on the LAN. You can configure its IP address and subnet mask, DHCP services, and other subnets. You can also control how the ZyXEL Device sends routing information using RIP.

9.1 LAN Overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is usually a computer network limited to the immediate area, such as the same building or floor of a building.

9.1.1 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyXEL Device. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyXEL Device, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.

9.1.2 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else each computer must be manually configured.

The ZyXEL Device is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers.

These parameters should work for the majority of installations.
If your ISP gives you explicit DNS server address(es), see Section 9.2.2 on page 122.

9.1.3 LAN TCP/IP

The ZyXEL Device has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

The LAN parameters of the ZyXEL Device are preset in the factory with the following values:

- IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
- DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.

These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), see Section 9.2.2 on page 122.

9.1.4 DNS Server Address

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup; otherwise, leave them blank.

Some ISPs choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The ZyXEL Device supports the IPCP DNS server extensions through the DNS proxy feature.

If the Primary and Secondary DNS Server fields in the LAN Setup screen are not specified, for instance, left as 0.0.0.0, the ZyXEL Device tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances.
If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the LAN Setup screen. This way, the ZyXEL Device can pass the DNS servers to the computers and the computers can query the DNS server directly without the ZyXEL Device's intervention.

9.1.5 RIP Setup

RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:

- Both - the ZyXEL Device will broadcast its routing table periodically and incorporate the RIP information that it receives.
- In Only - the ZyXEL Device will not send any RIP packets but will accept all RIP packets received.
- Out Only - the ZyXEL Device will send out RIP packets but will not accept any RIP packets received.
- None - the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received.

The Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.

9.1.6 Multicast

Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts
(including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyXEL Device queries all directly connected networks to gather group membership. After that, the ZyXEL Device periodically updates this information. IP multicasting can be enabled/disabled on the ZyXEL Device LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

9.2 LAN Screens

9.2.1 LAN IP Screen

Use this screen to set up the ZyXEL Device's IP address and subnet mask. To access this screen, click Network > LAN > IP.

Figure 75 Network > LAN > IP

Each field is described in the following table.

Table 40 Network > LAN > IP

| LABEL | DESCRIPTION |
|---|---|
| IP Address | Enter the IP address of the ZyXEL Device on the LAN. Note: This field is the IP address you use to access the ZyXEL Device on the LAN. If the web configurator is running on a computer on the LAN, you lose access to the web configurator as soon as you change this field and click Apply. You can access the web configurator again by typing the new IP address in the browser. |
| IP Subnet Mask | Enter the subnet mask of the LAN. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its default value. |

9.2.2 LAN DHCP Setup Screen

Use this screen to enable, disable, and configure the DHCP server in the ZyXEL Device. To access this screen, click Network > LAN > DHCP Setup.

Figure 76 Network > LAN > DHCP Setup

Each field is described in the following table.

Table 41 Network > LAN > DHCP Setup

| LABEL | DESCRIPTION |
|---|---|
| DHCP Setup | |
| Enable DHCP Server | Select this if you want the ZyXEL Device to be the DHCP server on the LAN. As a DHCP server, the ZyXEL Device assigns IP addresses to DHCP clients on the LAN and provides the subnet mask and DNS server information. |
| IP Pool Starting Address | Enter the IP address from which the ZyXEL Device begins allocating IP addresses, if you have not specified an IP address for this computer in Network > LAN > Static DHCP. |
| Pool Size | Enter the number of IP addresses to allocate. This number must be at least one and is limited by a subnet mask of 255.255.255.0 (regardless of the subnet the ZyXEL Device is in). For example, if the IP Pool Start Address is 10.10.10.10, the ZyXEL Device can allocate up to 10.10.10.254, or 245 IP addresses. |
| DNS Server | |
| First DNS Server, Second DNS Server, Third DNS Server | Specify the IP addresses of a maximum of three DNS servers that the network can use. The ZyXEL Device provides these IP addresses to DHCP clients. You can specify these IP addresses two ways. From ISP - provide the DNS servers provided by the ISP on the WAN port. User Defined - enter a static IP address. DNS Relay - this setting will relay DNS information from the DNS server obtained by the ZyXEL Device. None - no DNS service will be provided by the ZyXEL Device. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its default value. |

9.2.3 LAN Static DHCP Screen

This screen has no effect if the DHCP server is not enabled. You can enable it in Network > LAN > DHCP Setup.

Figure 78 Network > LAN > Client List

Each field is described in the following table.

Table 43 Network > LAN > Client List

| LABEL | DESCRIPTION |
|---|---|
| | This field is a sequential value. It is not associated with a specific entry. |
| IP Address | This field displays the IP address the ZyXEL Device assigned to the computer. |
| Host Name | This field displays the system name of the computer to which the ZyXEL Device assigned the IP address. |
| MAC Address | This field displays the MAC address of the computer to which the ZyXEL Device assigned the IP address. |
| Reserve | Select this if you want to always assign this IP address to this MAC address. Then, click Apply. The ZyXEL Device creates an entry in the LAN Static DHCP screen. See Section 9.2.2 on page 122. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its default value. |

9.2.5 LAN IP Alias Screen

Use this screen to add subnets on the LAN port. You can also control what routing information is sent and received by each subnet. To access this screen, click Network > LAN > IP Alias.

Figure 79 Network > LAN > IP Alias

Each field is described in the following table.

Table 44 Network > LAN > IP Alias

| LABEL | DESCRIPTION |
|---|---|
| IP Alias 1 | |
| IP Alias 1 | Select this to add the specified subnet to the LAN port. |
| IP Address | Enter the IP address of the ZyXEL Device on the subnet. |
| IP Subnet Mask | Enter the subnet mask of the subnet. |
| RIP Direction | Use this field to control how much routing information the ZyXEL Device sends and receives on the subnet. None - The ZyXEL Device does not send or receive routing information on the subnet. Both - The ZyXEL Device sends and receives routing information on the subnet. In Only - The ZyXEL Device only receives routing information on the subnet. Out Only - The ZyXEL Device only sends routing information on the subnet. |
| RIP Version | Select which version of RIP the ZyXEL Device uses when it sends or receives information on the subnet. RIP-1 - The ZyXEL Device uses RIPv1 to exchange routing information. RIP-2B - The ZyXEL Device broadcasts RIPv2 to exchange routing information. RIP-2M - The ZyXEL Device multicasts RIPv2 to exchange routing information. |
| IP Alias 2 | |
| IP Alias 2 | Select this to add the specified subnet to the LAN port. |
| IP Address | Enter the IP address of the ZyXEL Device on the subnet. |
| IP Subnet Mask | Enter the subnet mask of the subnet. |
| RIP Direction | Use this field to control how much routing information the ZyXEL Device sends and receives on the subnet. None - The ZyXEL Device does not send or receive routing information on the subnet. Both - The ZyXEL Device sends and receives routing information on the subnet. In Only - The ZyXEL Device only receives routing information on the subnet. Out Only - The ZyXEL Device only sends routing information on the subnet. |
| RIP Version | Select which version of RIP the ZyXEL Device uses when it sends or receives information on the subnet. RIP-1 - The ZyXEL Device uses RIPv1 to exchange routing information. RIP-2B - The ZyXEL Device broadcasts RIPv2 to exchange routing information. RIP-2M - The ZyXEL Device multicasts RIPv2 to exchange routing information. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its default value. |

9.2.6 LAN Advanced Screen

Use this screen to control what routing information is sent and received by each subnet. To access this screen, click Network > LAN > Advanced.

Figure 80 Network > LAN > Advanced

Each field is described in the following table.

Table 45 Network > LAN > Advanced

| LABEL | DESCRIPTION |
|---|---|
| RIP & Multicast Setup | |
| RIP Direction | Use this field to control how much routing information the ZyXEL Device sends and receives on the subnet. None - The ZyXEL Device does not send or receive routing information on the subnet. Both - The ZyXEL Device sends and receives routing information on the subnet. In Only - The ZyXEL Device only receives routing information on the subnet. Out Only - The ZyXEL Device only sends routing information on the subnet. |
| RIP Version | Select which version of RIP the ZyXEL Device uses when it sends or receives information on the subnet. RIP-1 - The ZyXEL Device uses RIPv1 to exchange routing information. RIP-2B - The ZyXEL Device broadcasts RIPv2 to exchange routing information. RIP-2M - The ZyXEL Device multicasts RIPv2 to exchange routing information. |
| Multicast | You do not have to enable multicasting to use RIP-2M. (See RIP Version.) Select which version of IGMP the ZyXEL Device uses to support multicasting on the LAN. Multicasting sends packets to some computers on the LAN and is an alternative to unicasting (sending packets to one computer) and broadcasting (sending packets to every computer). None - The ZyXEL Device does not support multicasting. IGMP-v1 - The ZyXEL Device supports IGMP version 1. IGMP-v2 - The ZyXEL Device supports IGMP version 2. Multicasting can improve overall network performance. However, it requires extra processing and generates more network traffic. In addition, other computers on the LAN have to support the same version of IGMP. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its default value. |

CHAPTER 10 NAT

Use these screens to configure port forwarding and trigger ports for the ZyXEL Device. You can also enable and disable SIP, FTP, and H.323 ALG.

10.1 NAT Overview

10.1.1 Port Forwarding: Services and Port Numbers

A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.

Use the NAT Port Forwarding Screen to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service;
for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.

In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.

See Appendix F on page 333 for some examples of services.

For example, let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

Figure 81 Multiple Servers Behind NAT Example

10.1.2 Trigger Port Forwarding

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyXEL Device records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the ZyXEL Device's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyXEL Device forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.

10.1.2.1 Trigger Port Forwarding Example

The following is an example of trigger port forwarding. In this example, J is Jane's computer and S is the Real Audio server.

Figure 82 Trigger Port Forwarding Process: Example

1. Jane requests a file from the Real Audio server (port 7070).
2. Port 7070 is a trigger port and causes the ZyXEL Device to record Jane's computer IP address. The ZyXEL Device associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3. The Real Audio server responds using a port number ranging between 6970-7170.
4. The ZyXEL Device forwards the traffic to Jane's computer IP address.
5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyXEL Device times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).

10.1.2.2 Two Points To Remember About Trigger Ports

1. Trigger events only happen on data that is coming from inside the ZyXEL Device and going to the outside.
2. If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN can't trigger it.

10.1.3 SIP ALG

Some applications, such as SIP, cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets' data payload. Some NAT routers may include a SIP Application Layer Gateway (ALG). An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream.

See Section 10.2.5 on page 135 for information on configuring the ZyXEL Device's ALG.

10.2 NAT Screens

10.2.1 NAT General Screen

Use this screen to enable and disable NAT and to allocate memory for NAT and firewall rules. To access this screen, click Network > NAT > General.

Figure 83 Network > NAT > General

Each field is described in the following table.

Table 46 Network > NAT > General

| LABEL | DESCRIPTION |
|---|---|
| NAT Setup | |
| Enable Network Address Translation | Select this if you want to use port forwarding, trigger ports, or any of the ALG. |
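The inbound decisions described in Sections 10.1.1 and 10.1.2 (forwarding rule, trigger-port binding, default server, discard) can be exercised with the Python model below. It is an added example, not ZyXEL code: the addresses of servers A and B and of the two LAN clients are constructed, and the rule precedence and timer restart are assumptions the manual does not state.

```python
"""Model of NAT inbound handling: port forwarding, default server, trigger ports.
Added illustration only; this is not ZyXEL firmware code."""
from dataclasses import dataclass

# Trigger-binding timeouts quoted in Section 10.1.2.1 (seconds).
TIMEOUTS = {"udp": 3 * 60, "tcp": 2 * 60 * 60}


@dataclass(frozen=True)
class ForwardRule:
    start: int
    end: int
    server: str            # LAN IP of the inside server


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger: tuple         # (start, end) outgoing ports that arm the rule
    incoming: tuple        # (start, end) ports sent back to the requester


def in_range(port, bounds):
    return bounds[0] <= port <= bounds[1]


class NatModel:
    def __init__(self, forwards=(), triggers=(), default_server=None):
        self.forwards = list(forwards)
        self.triggers = list(triggers)
        self.default_server = default_server
        self.bindings = {}  # rule name -> (LAN IP, expiry time in seconds)

    def holder(self, rule, now):
        """LAN IP currently bound to a trigger rule, or None if it is free."""
        lan_ip, expires = self.bindings.get(rule.name, (None, 0))
        if lan_ip is not None and now < expires:
            return lan_ip
        self.bindings.pop(rule.name, None)      # expired or never set
        return None

    def outbound(self, lan_ip, dst_port, proto, now):
        """LAN -> WAN packet. Returns the LAN IP holding the matching trigger
        rule after this packet, or None if no trigger rule matches."""
        for rule in self.triggers:
            if not in_range(dst_port, rule.trigger):
                continue
            current = self.holder(rule, now)
            if current in (None, lan_ip):
                # Assumption: each trigger packet from the holder restarts the timer.
                self.bindings[rule.name] = (lan_ip, now + TIMEOUTS[proto])
                return lan_ip
            return current                      # tied up by another computer
        return None

    def inbound(self, dst_port, now):
        """WAN -> LAN packet. Returns (LAN IP or None, reason).
        Assumed precedence: forwarding rule, trigger binding, default server."""
        for rule in self.forwards:
            if rule.start <= dst_port <= rule.end:
                return rule.server, "port-forward"
        for rule in self.triggers:
            if in_range(dst_port, rule.incoming):
                current = self.holder(rule, now)
                if current is not None:
                    return current, "trigger:" + rule.name
        if self.default_server is not None:
            return self.default_server, "default-server"
        return None, "discard"

    def unsolicited_ports(self):
        """Ports reachable from the WAN without any prior LAN request."""
        if self.default_server is not None:
            return set(range(1, 65536))         # every port lands on some host
        return {p for r in self.forwards for p in range(r.start, r.end + 1)}


def manual_example(default_server="192.168.1.35"):
    """Servers A, B, C from Section 10.1.1 plus the Real Audio trigger rule.
    The addresses of A and B are constructed; C's address is the manual's."""
    return NatModel(
        forwards=[ForwardRule(21, 25, "192.168.1.33"),   # A: FTP, Telnet, SMTP
                  ForwardRule(80, 80, "192.168.1.34")],  # B: web
        triggers=[TriggerRule("Real Audio", (7070, 7070), (6970, 7170))],
        default_server=default_server,                   # C
    )


if __name__ == "__main__":
    nat = manual_example()
    jane, other = "192.168.1.40", "192.168.1.41"         # constructed LAN hosts
    print(nat.inbound(7000, 0))                  # before any trigger
    nat.outbound(jane, 7070, "udp", 0)
    print(nat.inbound(7000, 10))                 # Jane holds the binding
    print(nat.outbound(other, 7070, "udp", 20))  # still Jane: rule is tied up
    print(nat.inbound(7000, 180))                # UDP binding has timed out
    print(len(manual_example(None).unsolicited_ports()))
```

With a default server defined, `unsolicited_ports()` covers the whole port range, which is the exposure to weigh before setting one; without it, only the explicitly forwarded ports answer unsolicited WAN traffic.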
Table 46 Network > NAT > General (continued)

| LABEL | DESCRIPTION |
|---|---|
| Max NAT/Firewall Session Per User | When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the ZyXEL Device. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to set every field in this screen to its last-saved value. |

10.2.2 NAT Port Forwarding Screen

Use this screen to look at the current port-forwarding rules in the ZyXEL Device, and to enable, disable, activate, and deactivate each one. You can also set up a default server to handle ports not covered by rules. To access this screen, click Network > NAT > Port Forwarding.

Figure 84 Network > NAT > Port Forwarding

Each field is described in the following table.

Table 49 Network > NAT > Trigger Port

| LABEL | DESCRIPTION |
|---|---|
| Name | Enter a name to identify this rule. You can use 1 - 15 printable ASCII characters, or you can leave this field blank. It does not have to be a unique name. |
| Incoming | |
| Start Port, End Port | Enter the incoming port number or range of port numbers you want to forward to the IP address the ZyXEL Device records. To forward one port number, enter the port number in the Start Port and End Port fields. To forward a range of ports, enter the port number at the beginning of the range in the Start Port field and enter the port number at the end of the range in the End Port field. If you want to delete this rule, enter zero in the Start Port and End Port fields. |
| Trigger | |
| Start Port, End Port | Enter the outgoing port number or range of port numbers that makes the ZyXEL Device record the source IP address and assign it to the selected incoming port number(s). To select one port number, enter the port number in the Start Port and End Port fields. To select a range of ports, enter the port number at the beginning of the range in the Start Port field and enter the port number at the end of the range in the End Port field. If you want to delete this rule, enter zero in the Start Port and End Port fields. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to discard your changes. |

10.2.5 NAT ALG Screen

Use this screen to enable and disable SIP (VoIP), FTP (file transfer), and H.323 (audio-visual) ALG in the ZyXEL Device. To access this screen, click Network > NAT > ALG.

Figure 87 Network > NAT > ALG

Each field is described in the following table.

Table 50 Network > NAT > ALG

| LABEL | DESCRIPTION |
|---|---|
| Enable SIP ALG | Select this to make sure SIP (VoIP) works correctly with port-forwarding and port-triggering rules. |
| Enable FTP ALG | Select this to make sure FTP (file transfer) works correctly with port-forwarding and port-triggering rules. |
| Enable H.323 ALG | Select this to make sure H.323 (audio-visual programs, such as NetMeeting) works correctly with port-forwarding and port-triggering rules. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to discard your most recent changes. |

CHAPTER 11 VPN Transport

11.1 Overview

This chapter describes the Network > VPN Transport screens.

The ZyXEL Device's VPN Transport feature allows traffic from multiple users to pass through the WiMAX network, to the service provider's router. Each user has his own personal connection to the service provider, even though there is only a single WiMAX connection. This allows the service provider to identify which user traffic comes from.

The following figure shows two users (A and B), connecting to the ZyXEL Device (Z) through a switch (S). Each user has his own connection over the WiMAX network to the service provider's router (R).

Figure 88 VPN Transport example

The services available may vary, depending upon the service provider.

VPN stands for Virtual Private Network. There are many types of VPN; the type used by the ZyXEL Device is known as Virtual Private LAN Service, or VPLS. Unlike some other types of VPN (such as IPSec VPNs), VPLS VPNs do not use authentication or encryption to secure the data they carry.

11.1.1 What You Can Do in the VPN Transport Screens

- Use the Network > VPN Transport > General screen (see Section 11.2 on page 140) to turn VPN transport on or off, and to set the VPN transport endpoint (your service provider's router).
- Use the Network > VPN Transport > Customer Interface screen (see Section 11.3 on page 141) to specify which users can use which WiMAX network links.
- Use the Network > VPN Transport > Ethernet Pseudowire screen (see Section 11.5 on page 143) to configure the links over the WiMAX network between the ZyXEL Device and the service provider's router.
- Use the Network > VPN Transport > Statistics screen (see Section 11.7 on page 145) to view performance information about the VPN transport connections.

11.1.2 What You Need to Know about VPN Transport

Identifying Users

For the ZyXEL Device's VPN Transport feature to work, it must be able to identify users on the LAN. It does this by examining VLAN (Virtual Local Area Network) tags. These tags must be added to the data packets by a switch on the LAN.

In the following example, two users (A and B) are connected to a switch (C). A and B are connected to different ports on the switch (port 1 and port 2). A and B send untagged packets to the switch. The switch adds tags to packets depending on the physical port on which they arrive. Packets arriving on port 1 are given a VLAN ID (VLAN IDentifier) of 1, and packets arriving on port 2 are given a VLAN ID of 2. When the packets reach the ZyXEL Device (D), their source is identified by examining their VLAN tags.

Figure 89 Identifying Users

Ethernet Pseudowires

Because VPLS mimics a simple wired Ethernet connection to your service provider's router, the connection between the ZyXEL Device and the peer device is known as an Ethernet pseudowire or PW.

The Ethernet pseudowires use MPLS (MultiProtocol Label Switching) virtual circuit labels to define the connection. In any such pseudowire, the ingress label on one device must be the same as the egress label on the peer device, as shown in the following figure. A is your ZyXEL Device and B is your service provider's router.
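Because VPLS carries no authentication or encryption, user identification rests entirely on the VLAN tag the switch applies and on correctly mirrored pseudowire labels. The Python below is an added example, not ZyXEL code, that tags frames by switch port, reads the VLAN ID back as the ZyXEL Device would, and checks the ingress/egress label rule; the sample frame, the pseudowire names and the access-port behaviour of the switch are assumptions.

```python
"""VLAN-based user identification and pseudowire label checks.
Added example, not ZyXEL code. Frame layout follows IEEE 802.1Q."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100             # EtherType value that announces a VLAN tag
PORT_TO_VLAN = {1: 1, 2: 2}     # the manual's switch: port 1 -> VLAN 1, port 2 -> VLAN 2


def vlan_id(frame):
    """Return the VLAN ID carried by an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF         # low 12 bits of the tag control field


def switch_tag(port, frame):
    """Model the LAN switch: tag a frame according to its arrival port.
    Assumption: user ports are access ports that refuse pre-tagged frames, so
    the VLAN ID seen by the ZyXEL Device always reflects the physical port."""
    if vlan_id(frame) is not None:
        raise ValueError("tagged frame received on access port %d" % port)
    tci = PORT_TO_VLAN[port]    # priority and DEI bits left at zero
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


@dataclass(frozen=True)
class Pseudowire:
    name: str                   # hypothetical identifier shared by both ends
    ingress: int
    egress: int


def label_problems(local, peer):
    """Compare pseudowire labels on the ZyXEL Device (local) with those on the
    service provider's router (peer). Returns a list of problem descriptions."""
    problems = []
    peers = {pw.name: pw for pw in peer}
    for pw in local:
        other = peers.get(pw.name)
        if other is None:
            problems.append("%s: no matching pseudowire on the peer" % pw.name)
            continue
        if pw.ingress != other.egress:
            problems.append("%s: local ingress %d != peer egress %d"
                            % (pw.name, pw.ingress, other.egress))
        if pw.egress != other.ingress:
            problems.append("%s: local egress %d != peer ingress %d"
                            % (pw.name, pw.egress, other.ingress))
        for label in (pw.ingress, pw.egress):
            # General MPLS rule (RFC 3032): labels are 20 bits, 0-15 reserved.
            if not 16 <= label <= 0xFFFFF:
                problems.append("%s: label %d outside 16..1048575"
                                % (pw.name, label))
    return problems


def sample_frame():
    """Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType, payload."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("02000000000a")
    return dst + src + struct.pack("!H", 0x0800) + b"\x45" + bytes(45)


if __name__ == "__main__":
    frame = sample_frame()
    for port in (1, 2):
        print("port", port, "-> VLAN", vlan_id(switch_tag(port, frame)))
    print(label_problems([Pseudowire("PW1", 100, 200)],
                         [Pseudowire("PW1", 200, 100)]))
```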
Figure 90 Ethernet Pseudowire Settings Example (one end of the pseudowire: INGRESS LABEL: X, EGRESS LABEL: Y; the other end: INGRESS LABEL: Y, EGRESS LABEL: X)

Customer Interface Mapping

Once the ZyXEL Device has examined a frame's VLAN tag, it is able to assign the frame to a specified path. This is done using a customer interface. The customer interface is simply a set of information that takes frames from a VLAN and puts them on an Ethernet pseudowire, and vice versa.

In the following example, the ZyXEL Device takes frames tagged with two different VLAN IDs (10 and 20) and, using the customer interfaces, assigns them to specific pseudowires (PW1 and PW2).

Figure 91 Pseudowire Mapping

The ZyXEL Device has a default customer interface configured for frames that arrive at the ZyXEL Device without VLAN tags.

11.1.3 Before You Begin

Before you start configuring your ZyXEL Device to use VPN transport, ensure that you have the following from the service provider.

The IP address or domain name of the service provider's edge router.

Virtual circuit (VC) labels for each Ethernet Pseudowire you want to create.

Also, ensure you know the VLAN IDs (Virtual LAN IDentifiers) of the VLANs on your LAN.

11.2 The General Screen

Use this screen to turn VPN transport on or off, and to set the VPN transport endpoint (your service provider's router).

Click Network > VPN Transport > General. The following screen displays.

Figure 92 Network > VPN Transport > General

The following table describes the labels in this screen.

Table 51 Network > VPN Transport > General

LABEL | DESCRIPTION
---|---
L2/L3 VPN Transport General Setup |
Transport L2/L3 VPN traffic through WiMAX network by using Ethernet pseudowire | Select this to turn the VPN transport feature on. Deselect it to turn the VPN transport feature off.
Remote GRE Tunnel End | Enter the domain name or IP address of your service provider's router.
Apply | Click this to save your settings.
Reset | Click this to return the fields in this screen to their defaults.

11.3 The Customer Interface Screen

Use this screen to configure the VPNs used by the ZyXEL Device. The customer interfaces connect data coming from your computers to Ethernet pseudowires, according to the data's VLAN (Virtual Local Area Network) information.

One customer interface is for traffic that has no tag; this is the default interface (rule 0), which cannot be deleted in the GUI. All other customer interfaces are identified by their VLAN ID.

Click Network > VPN Transport > Customer Interface. The following screen displays.

Figure 93 Network > VPN Transport > Customer Interface

The following table describes the labels in this screen.

Table 52 Network > VPN Transport > Customer Interface

LABEL | DESCRIPTION
---|---
# | This displays the interface index number. Interface 0 is the default rule for routing, and cannot be deleted.
Active | This icon is green if the associated interface is enabled. The icon is grey if the associated interface is disabled. Enable or disable an interface by clicking its Edit icon and selecting or deselecting Active and clicking Apply in the screen that displays.
Interface Type | This displays either Tagged or Untagged. A tagged interface controls traffic with a specific IEEE 802.1Q VLAN tag, whereas an untagged interface controls traffic that does not have a VLAN tag. There can be only one untagged interface.
VLAN ID | For a tagged interface, this displays the IEEE 802.1Q VLAN ID number. For the untagged interface, -1 displays.
Mode (B, R) | This displays either B (bridging) or R (routing). Only the default interface, interface 0, can be a routing interface.
Associated Ethernet Pseudowire | This displays the number of the Ethernet pseudowire that this interface uses, as well as the ingress and egress MPLS (Multi-Protocol Label Switching) VC (Virtual Circuit) label numbers.
dscp | This displays the DiffServ Code Point value you previously entered in binary (see Section 12.1.12 on page 155 for more information on DSCP). This determines the pseudowire's priority on the network. The DSCP value is displayed in binary notation and has six bits.
Interface Description | This displays the information you previously entered describing the interface. For the default interface, interface 0, the description reads "for routing / NAT".
Modify | Click the Edit icon to set up a new interface or alter the configuration of an existing interface. Click the Delete icon to remove an existing interface.

11.4 The Customer Interface Edit Screen

Customer interfaces map traffic onto specific Ethernet pseudowires for transport over the WiMAX network. There is also a default customer interface for routing traffic that does not possess a VLAN tag.

Use this screen to configure the customer interface settings. Click the Edit icon in the Network > VPN Transport > Customer Interface screen. The following screen displays.

Figure 94 Network > VPN Transport > Customer Interface Edit

The following table describes the labels in this screen.

Table 53 Network > VPN Transport > Customer Interface Edit

LABEL | DESCRIPTION
---|---
Customer Interface Type | A customer interface can be tagged (controlling traffic that has a specific VLAN ID) or untagged (controlling traffic without a specific VLAN ID). There can be only one untagged interface.
VLAN ID | Enter the Virtual Local Area Network Identifier number (1 ~ 4094) for this interface. This VLAN ID must not be used by any other customer interface. For the untagged interface, -1 displays.
Mode | This displays Bridging or Routing. A tagged interface can operate in bridging mode only.
Associated Ethernet Pseudowire | Select the Ethernet pseudowire this interface should use for communications over the WiMAX network. You should configure the pseudowire (in the Network > VPN Transport > Ethernet Pseudowire screen) before you select it.
DSCP | If you wish to prioritize an interface, enter a DiffServ Code Point value of six bits in binary notation. The higher the value, the higher the interface's priority on the ZyXEL Device's WiMAX link. See Section 12.1.12 on page 155 for more information on DSCP.
Interface Description | Enter a brief (up to 31 characters) name or description for this interface.
Apply | Click this to save your changes and return to the previous screen.
Cancel | Click this to return to the previous screen without saving your changes.

11.5 The Ethernet Pseudowire Screen

Use this screen to configure Ethernet pseudowires. Each Ethernet pseudowire mimics a regular wired Ethernet connection, transporting VPLS data over the WiMAX network between the ZyXEL Device and the peer device (the endpoint you specify in the Network > VPN Transport > General screen).

Click Network > VPN Transport > Ethernet Pseudowire. The following screen displays.

Figure 95 Network > VPN Transport > Ethernet Pseudowire

The following table describes the labels in this screen.

Table 54 Network > VPN Transport > Ethernet Pseudowire

LABEL | DESCRIPTION
---|---
# | This displays the pseudowire index number.
Active | This icon is green if the associated pseudowire is enabled. The icon is grey if the associated pseudowire is disabled. Enable or disable a pseudowire by clicking its Edit icon.
Ingress | This is the MPLS virtual circuit label number for traffic coming from the peer device.
Egress | This is the MPLS virtual circuit label number for traffic going to the peer device.
Pseudowire Description | This displays the information you previously entered describing the pseudowire.
Modify | Click the Edit icon to set up a new interface or alter the configuration of an existing pseudowire. Click the Delete icon to remove an existing pseudowire.

11.6 The Ethernet Pseudowire Edit Screen

Use this screen to set up or modify an Ethernet pseudowire's configuration. Click a pseudowire entry's Edit icon in the Network > VPN Transport > Ethernet Pseudowire screen. The following screen displays.

Figure 96 Network > VPN Transport > Ethernet Pseudowire > Edit

The following table describes the labels in this screen.

Table 55 Network > VPN Transport > Ethernet Pseudowire > Edit

LABEL | DESCRIPTION
---|---
Active | Select this to enable the pseudowire. Deselect it to disable the pseudowire.
Ingress | Enter the VC ingress label number for this pseudowire. This must be the egress label number of the peer device. This should not be the ingress label number of any other Ethernet pseudowire configured on the ZyXEL Device.
Egress | Enter the egress label number for this pseudowire. This must be the ingress label of the peer device. This should not be the egress label number of any other Ethernet pseudowire configured on the ZyXEL Device.
Pseudowire Description | Enter a brief (up to 31 characters) description for this pseudowire.
Apply | Click this to save your settings and return to the previous screen.
Reset | Click this to reset the fields in this screen to their last-saved values.
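The constraints that Tables 53 and 55 place on customer interfaces and pseudowires can be checked before the values are entered, and the VLAN-tag lookup from Section 11.1.2 can be reproduced offline. The following is an added example, not code from the manual or from ZyXEL; the class and function names, the sample labels and the frames are constructed, and it assumes that the untagged default interface needs no pseudowire.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pseudowire:
    index: int
    ingress: int               # MPLS VC label for traffic coming from the peer
    egress: int                # MPLS VC label for traffic going to the peer
    description: str = ""

@dataclass
class CustomerInterface:
    index: int
    vlan_id: int               # 1..4094 when tagged, -1 for the untagged default
    mode: str                  # "B" (bridging) or "R" (routing)
    pseudowire: Optional[int]  # index of the associated pseudowire
    dscp: str = "000000"       # six bits in binary notation
    description: str = ""

def validate(interfaces, pseudowires, peer_labels):
    """Return the rule violations found, as strings.

    peer_labels maps a pseudowire index to the (ingress, egress) labels that
    the service provider configured on its router for that pseudowire.
    """
    errors = []
    for field in ("ingress", "egress"):   # a label must not repeat per direction
        first = {}
        for pw in pseudowires:
            label = getattr(pw, field)
            if label in first:
                errors.append(f"PW{pw.index}: {field} label {label} also used by PW{first[label]}")
            first.setdefault(label, pw.index)
    for pw in pseudowires:
        if len(pw.description) > 31:
            errors.append(f"PW{pw.index}: description longer than 31 characters")
        if pw.index not in peer_labels:
            errors.append(f"PW{pw.index}: no peer labels supplied")
            continue
        peer_ingress, peer_egress = peer_labels[pw.index]
        if pw.ingress != peer_egress:     # our ingress is the peer's egress
            errors.append(f"PW{pw.index}: ingress {pw.ingress} != peer egress {peer_egress}")
        if pw.egress != peer_ingress:     # our egress is the peer's ingress
            errors.append(f"PW{pw.index}: egress {pw.egress} != peer ingress {peer_ingress}")
    known = {pw.index for pw in pseudowires}
    if sum(ci.vlan_id == -1 for ci in interfaces) != 1:
        errors.append("expected exactly one untagged interface")
    vlans = {}
    for ci in interfaces:
        if ci.vlan_id != -1:              # tagged interface
            if not 1 <= ci.vlan_id <= 4094:
                errors.append(f"IF{ci.index}: VLAN ID {ci.vlan_id} outside 1..4094")
            elif ci.vlan_id in vlans:
                errors.append(f"IF{ci.index}: VLAN ID {ci.vlan_id} also used by IF{vlans[ci.vlan_id]}")
            vlans.setdefault(ci.vlan_id, ci.index)
            if ci.mode != "B":
                errors.append(f"IF{ci.index}: a tagged interface must use bridging mode")
            if ci.pseudowire not in known:
                errors.append(f"IF{ci.index}: pseudowire {ci.pseudowire} is not configured")
        if len(ci.dscp) != 6 or set(ci.dscp) - {"0", "1"}:
            errors.append(f"IF{ci.index}: DSCP must be six binary digits")
        if len(ci.description) > 31:
            errors.append(f"IF{ci.index}: description longer than 31 characters")
    return errors

def classify(frame, interfaces):
    """Map a raw Ethernet frame to a customer interface by its 802.1Q tag.

    Returns None when no interface matches; the manual does not say what the
    device does with such frames.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan_id = -1                          # untagged unless a tag is present
    if ethertype == 0x8100:               # IEEE 802.1Q tag protocol identifier
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        vlan_id = tci & 0x0FFF            # low 12 bits carry the VLAN ID
    return next((ci for ci in interfaces if ci.vlan_id == vlan_id), None)

def make_frame(vlan_id=None):
    """Build a constructed test frame (zeroed MAC addresses, dummy payload)."""
    macs = bytes(12)
    if vlan_id is None:
        return macs + struct.pack("!H", 0x0800) + b"payload"
    return macs + struct.pack("!HHH", 0x8100, vlan_id & 0x0FFF, 0x0800) + b"payload"

# Constructed sample configuration, modelled on the VLAN 10 / VLAN 20 example.
PSEUDOWIRES = [Pseudowire(1, 100, 200, "PW1"), Pseudowire(2, 101, 201, "PW2")]
PEER_LABELS = {1: (200, 100), 2: (201, 101)}   # (peer ingress, peer egress)
INTERFACES = [
    CustomerInterface(0, -1, "R", None, "000000", "for routing / NAT"),
    CustomerInterface(1, 10, "B", 1, "101110", "user A"),
    CustomerInterface(2, 20, "B", 2, "000000", "user B"),
]
```

Because the VLAN tag is the only thing that tells one user's frames from another's, and VPLS adds no authentication of its own, the switch that applies the tags per physical port is the place where that separation is actually enforced.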
11.7 The Statistics Screen

Use this screen to view details and performance information of each active customer interface and its associated Ethernet pseudowire.

Click Network > VPN Transport > Statistics. The following screen displays.

Figure 97 Network > VPN Transport > Statistics

The following table describes the labels in this screen.

Table 56 Network > VPN Transport > Statistics

LABEL | DESCRIPTION
---|---
# | This is the index number of the customer interface.
Active | This icon is green if the associated interface is enabled. The icon is grey if the associated interface is disabled. Enable or disable an interface by clicking its Edit icon.
Total Packets | This displays the number of packets received (Receive) and sent (Transmit) on the customer interface since the interface was activated, or the Clear button pressed.
Total Bytes | This displays the number of bytes received (Receive) and sent (Transmit) on the customer interface since the interface was activated, or the Clear button pressed.
Interface Description | This is the brief name or description of the customer interface you configured in the Network > VPN Transport > Customer Interface > Edit screen.

11.8 VPN Transport Technical Reference

This section includes background information about VPN Transport.

11.8.1 Multi-Protocol Label Switching

The ZyXEL Device uses MPLS VPNs to create virtual private LANs. MPLS stands for Multi-Protocol Label Switching, and is a packet-switching technology that allows packets with different VLAN tags to be transported on different paths (known as LSPs, or Label Switched Paths). Each packet is identified by its VLAN tag and sent to a specific LSP for transport over the WiMAX network.

Each LSP has a defined start-point and end-point. Since MPLS creates mono-directional paths
(traffic flows in only one direction), each Ethernet pseudowire uses two LSPs so that traffic can flow both ways. One LSP carries upstream traffic, and the other carries downstream traffic.

11.8.2 Generic Routing Encapsulation

In order to transport the VPLS traffic over the WiMAX network, the ZyXEL Device uses the Generic Routing Encapsulation (GRE) protocol. Like MPLS, GRE is a tunneling protocol that has specified endpoints. The GRE tunnel is bi-directional, and transports both LSPs. The GRE tunnel runs across the WiMAX network between the ZyXEL Device and your service provider's router.

It is necessary to encapsulate the Ethernet pseudowire since the WiMAX connection is IP-only. MPLS information is carried in a packet's Ethernet header and, without encapsulation, would be stripped from the packet prior to the packet's transmission over the WiMAX link.

The following figure shows the VPLS connection between your ZyXEL Device (A) and your service provider's router (B), consisting of GRE-encapsulated Ethernet pseudowire traffic.

Figure 98 VPLS Tunneling

CHAPTER 12 SIP

Use these screens to set up your SIP accounts and to configure QoS settings.

12.1 SIP Overview

12.1.1 Introduction to VoIP

VoIP (Voice over IP) is the sending of voice signals over the Internet Protocol. This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit-switched telephone network. You can also use servers to run telephone service applications like PBX services and voice mail. Internet Telephony Service Provider
(ITSP) companies provide VoIP service. A company could alternatively set up an IP-PBX and provide its own VoIP service.

Circuit-switched telephone networks require 64 kilobits per second (kbps) in each direction to handle a telephone call. VoIP can use advanced voice coding techniques with compression to reduce the required bandwidth.

12.1.2 Introduction to SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.

SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.

12.1.3 SIP Identities

A SIP account uses an identity (sometimes referred to as a SIP address). A complete SIP identity is called a SIP URI (Uniform Resource Identifier). A SIP account's URI identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. The format of a SIP identity is SIP-Number@SIP-Service-Domain.

12.1.3.1 SIP Number

The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address (johndoe@your-ITSP.com for example) or numbers like a telephone number (1122334455@VoIP-provider.com for example).

12.1.3.2 SIP Service Domain

The SIP service domain of the VoIP service provider (the company that lets you make phone calls over the Internet) is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain.

12.1.4 SIP Call Progression

The following figure displays the basic steps in the setup and tear down of a SIP call. A calls B.

Table 57 SIP Call Progression

A | B
---|---
1. INVITE |
 | 2. Ringing
 | 3. OK
4. ACK |
5. Dialogue (voice traffic) | 5. Dialogue (voice traffic)
6. BYE |
 | 7. OK

1 A sends a SIP INVITE request to B. This message is an invitation for B to participate in a SIP telephone call.
2 B sends a response indicating that the telephone is ringing.
3 B sends an OK response after the call is answered.
4 A then sends an ACK message to acknowledge that B has answered the call.
5 Now A and B exchange voice media (talk).
6 After talking, A hangs up and sends a BYE request.
7 B replies with an OK response confirming receipt of the BYE request and the call is terminated.

12.1.5 SIP Client Server

SIP is a client-server protocol. A SIP client is an application program or device that sends SIP requests. A SIP server responds to the SIP requests.

When you use SIP to make a VoIP call, it originates at a client and terminates at a server. A SIP client could be a computer or a SIP phone. One device can act as both a SIP client and a SIP server.

12.1.5.1 SIP User Agent

A SIP user agent can make and receive VoIP telephone calls. This means that SIP can be used for peer-to-peer communications even though it is a client-server protocol. In the following figure, either A or B can act as a SIP user agent client to initiate a call. A and B can also both act as a SIP user agent to receive the call.

Figure 99 SIP User Agent

12.1.5.2 SIP Proxy Server

A SIP proxy server receives requests from clients and forwards them to another server. In the following example, you want to use client device A to call someone who is using client device C.

1 The client device (A in the figure) sends a call invitation to the SIP proxy server (B).
2 The SIP proxy server forwards the call invitation to C.

Figure 100 SIP Proxy Server

12.1.5.3 SIP Redirect Server

A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request.
Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server. Redirect servers do not initiate SIP requests.

In the following example, you want to use client device A to call someone who is using client device C.

1 Client device A sends a call invitation for C to the SIP redirect server (B).
2 The SIP redirect server sends the invitation back to A with C's IP address (or domain name).
3 Client device A then sends the call invitation to client device C.

Figure 101 SIP Redirect Server

12.1.5.4 SIP Register Server

A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your user name and password when you register.

12.1.6 RTP

When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.

12.1.7 NAT and SIP

The ZyXEL Device must register its public IP address with a SIP register server. If there is a NAT router between the ZyXEL Device and the SIP register server, the ZyXEL Device probably has a private IP address. The ZyXEL Device lists its IP address in the SIP message that it sends to the SIP register server. NAT does not translate this IP address in the SIP message. The SIP register server gets the ZyXEL Device's IP address from inside the SIP message and maps it to your SIP identity. If the ZyXEL Device has a private IP address listed in the SIP message, the SIP server cannot map it to your SIP identity. See Chapter 10 on page 129 for more information about NAT.

Use a SIP ALG (Application Layer Gateway), Use NAT, STUN, or outbound proxy to allow the ZyXEL Device to list its public IP address in the SIP messages.

12.1.7.1 SIP ALG

See Section 10.1.3 on page 131.
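The registration problem described in Section 12.1.7 is visible in the message itself: the Via and Contact headers carry the device's own address, which NAT leaves untouched. The following is an added example, not code from the manual; the REGISTER message is constructed, 203.0.113.7 is a documentation address standing in for the NAT router's public address, the function names are hypothetical, and only IPv4 literals and host names are handled.

```python
import ipaddress
import re

# Constructed sample: a REGISTER as sent by a device that sits behind a NAT router.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:VoIP-provider.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: <sip:1122334455@VoIP-provider.com>;tag=456248",
    "To: <sip:1122334455@VoIP-provider.com>",
    "Call-ID: 843817637684230",
    "CSeq: 1 REGISTER",
    "Contact: <sip:1122334455@192.168.1.33:5060>",
    "Expires: 3600",
    "Content-Length: 0",
    "", "",
])

# RFC 1918 private ranges: addresses a server on the Internet cannot reach.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# host[:port] as it appears after the transport in Via, and inside a Contact URI.
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?")
CONTACT_RE = re.compile(r"sips?:(?:[^@>\s]+@)?([^;:>\s]+)(?::(\d+))?")

def _pattern_for(header_name):
    """Pick the regex for a header name (compact forms v and m included)."""
    key = header_name.strip().lower()
    if key in ("via", "v"):
        return VIA_RE
    if key in ("contact", "m"):
        return CONTACT_RE
    return None

def advertised_addresses(message):
    """Return (header, host, port) for every Via and Contact header."""
    head = message.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pattern = _pattern_for(name)
        match = pattern.search(value) if pattern else None
        if match:
            found.append((name.strip(), match.group(1), int(match.group(2) or 5060)))
    return found

def unroutable(message):
    """Return the advertised entries whose host is an RFC 1918 address."""
    bad = []
    for name, host, port in advertised_addresses(message):
        try:
            address = ipaddress.ip_address(host)
        except ValueError:
            continue                              # a domain name: not judged here
        if any(address in network for network in RFC1918):
            bad.append((name, host, port))
    return bad

def rewrite(message, public_host, public_port):
    """Put a known public address and port into Via and Contact, which is the
    effect a manually configured public address has on the outgoing message."""
    lines = []
    for line in message.split("\r\n"):
        pattern = _pattern_for(line.split(":", 1)[0]) if ":" in line else None
        match = pattern.search(line) if pattern else None
        if match:
            line = line[:match.start(1)] + f"{public_host}:{public_port}" + line[match.end():]
        lines.append(line)
    return "\r\n".join(lines)
```

Running `unroutable()` over captured REGISTER traffic on the WAN side of the NAT router shows whether the chosen traversal method is actually taking effect.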
1 2 | User manual revised 2 | Users Manual | 2.17 MiB | December 03 2008 |
12.1.7.2 Use NAT

If you know the NAT router's public IP address and SIP port number, you can use the Use NAT feature to manually configure the ZyXEL Device to use them in the SIP messages. This eliminates the need for STUN or a SIP ALG.

You must also configure the NAT router to forward traffic with this port number to the ZyXEL Device.

12.1.7.3 STUN

STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the ZyXEL Device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the ZyXEL Device to find the public IP address that NAT assigned, so the ZyXEL Device can embed it in the SIP data stream. STUN does not work with symmetric NAT routers or firewalls. See RFC 3489 for details on STUN.

The following figure shows how STUN works.

1 The ZyXEL Device (A) sends SIP packets to the STUN server (B).
2 The STUN server (B) finds the public IP address and port number that the NAT router used on the ZyXEL Device's SIP packets and sends them to the ZyXEL Device.
3 The ZyXEL Device uses the public IP address and port number in the SIP packets that it sends to the SIP server (C).

Figure 102 STUN

12.1.7.4 Outbound Proxy

Your VoIP service provider may host a SIP outbound proxy server to handle all of the ZyXEL Device's VoIP traffic. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off a SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).

12.1.8 Voice Coding

A codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The ZyXEL Device supports the following codecs.

G.711 is a Pulse Code Modulation (PCM) waveform codec. PCM measures analog signal amplitudes at regular time intervals (sampling) and converts them into digital bits (quantization). Quantization reads the analog signal and then writes it to the nearest digital value. For this reason, a digital sample is usually slightly different from its analog original (this difference is known as quantization noise). G.711 provides excellent sound quality but requires 64 kbps of bandwidth.

G.723 is an Adaptive Differential Pulse Code Modulation (ADPCM) waveform codec. Differential (or Delta) PCM is similar to PCM, but encodes the audio signal based on the difference between one sample and a prediction based on previous samples, rather than encoding the sample's actual quantized value. Many thousands of samples are taken each second, and the differences between consecutive samples are usually quite small, so this saves space and reduces the bandwidth necessary. However, DPCM produces a high quality signal (high signal-to-noise ratio or SNR) for high difference signals (where the actual signal is very different from what was predicted) but a poor quality signal (low SNR) for low difference signals (where the actual signal is very similar to what was predicted). This is because the level of quantization noise is the same at all signal levels. Adaptive DPCM solves this problem by adapting the difference signal's level of quantization according to the audio signal's strength. A low difference signal is given a higher quantization level, increasing its signal-to-noise ratio. This provides a similar sound quality at all signal levels. G.723 provides high quality sound and requires 20 or 40 kbps.

G.729 is an Analysis-by-Synthesis (AbS) hybrid waveform codec. It uses a filter based on information about how the human vocal tract produces sounds. The codec analyzes the incoming voice signal and attempts to synthesize it using its list of voice elements. It tests the synthesized signal against the original and, if it is acceptable, transmits details of the voice elements it used to make the synthesis.
Because the codec at the receiving end has the same list, it can exactly recreate the synthesized audio signal. G.729 provides good sound quality and reduces the required bandwidth to 8 kbps.

12.1.9 PSTN Call Setup Signaling

PSTNs (Public Switched Telephone Networks) use DTMF or pulse dialing to set up telephone calls.

Dual-Tone Multi-Frequency (DTMF) signaling uses pairs of frequencies (one lower frequency and one higher frequency) to set up calls. It is also known as Touch Tone®. Each of the keys on a DTMF telephone corresponds to a different pair of frequencies.

Pulse dialing sends a series of clicks to the local phone office in order to dial numbers. [3]

[3] The ZyXEL Device supports DTMF at the time of writing.

12.1.10 MWI (Message Waiting Indication)

Enable Message Waiting Indication (MWI) enables your phone to give you a message-waiting (beeping) dial tone when you have one or more voice messages. Your VoIP service provider must have a messaging system that sends message-waiting-status SIP packets as defined in RFC 3842.

12.1.11 Custom Tones (IVR)

IVR (Interactive Voice Response) is a feature that allows you to use your telephone to interact with the ZyXEL Device. The ZyXEL Device allows you to record custom tones for the Caller Ringing Tone and On Hold Tone functions. The same recordings apply to both the caller ringing and on hold tones.

Table 58 Custom Tones Details

LABEL | DESCRIPTION
---|---
Total Time for All Tones | 128 seconds for all custom tones combined
Maximum Time per Individual Tone | 20 seconds
Total Number of Tones Recordable | 8. You can record up to eight different custom tones but the total time must be 128 seconds or less.

12.1.11.1 Recording Custom Tones

Use the following steps if you would like to create new tones or change your tones:
1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1101~1108 on your phone followed by the # key.
3 Play your desired music or voice recording into the receiver's mouthpiece. Press the # key.
4 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.1.11.2 Listening to Custom Tones

Do the following to listen to a custom tone:
1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1201~1208 followed by the # key to listen to the tone.
3 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.1.11.3 Deleting Custom Tones

Do the following to delete a custom tone:
1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1301~1308 followed by the # key to delete the tone of your choice. Press 14 followed by the # key if you wish to clear all your custom tones.
3 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.1.12 Quality of Service (QoS)

Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications.

12.1.12.1 Type Of Service (ToS)

Network traffic can be classified by setting the ToS (Type Of Service) values at the data source
(for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.

12.1.12.2 DiffServ

DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. [4]

[4] The ZyXEL Device does not support DiffServ at the time of writing.

12.1.12.3 DSCP and Per-Hop Behavior

DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

Figure 103 DiffServ: Differentiated Service Field

DSCP (6-bit) | Unused (2-bit)

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

12.1.12.4 VLAN

Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Only stations within the same group can communicate with each other.

Your ZyXEL Device can add IEEE 802.1Q VLAN ID tags to voice frames that it sends to the network. This allows the ZyXEL Device to communicate with a SIP server that is a member of the same VLAN group. Some ISPs use the VLAN tag to identify voice traffic and give it priority over other traffic.

12.2 SIP Screens

12.2.1 SIP Settings Screen

Use this screen to maintain basic information about each SIP account. Your VoIP service provider (the company that lets you make phone calls over the Internet) should provide this. You can also enable and disable each SIP account. To access this screen, click VoIP > SIP >
SIP Settings.

Figure 104 VoIP > SIP > SIP Settings

Each field is described in the following table.

Table 59 VoIP > SIP > SIP Settings

LABEL | DESCRIPTION
---|---
SIP Account | Select the SIP account you want to see in this screen. If you change this field, the screen automatically refreshes.
SIP Settings |
Active | Select this if you want the ZyXEL Device to use this account. Clear it if you do not want the ZyXEL Device to use this account.
SIP Account Number | Enter your SIP number. In the full SIP URI, this is the part before the @ symbol. You can use up to 127 printable ASCII characters.
SIP Local Port | Enter the ZyXEL Device's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
SIP Server Address | Enter the IP address or domain name of the SIP server provided by your VoIP service provider. You can use up to 95 printable ASCII characters. It does not matter whether the SIP server is a proxy, redirect or register server.
SIP Server Port | Enter the SIP server's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
REGISTER Server Address | Enter the IP address or domain name of the SIP register server, if your VoIP service provider gave you one. Otherwise, enter the same address you entered in the SIP Server Address field. You can use up to 95 printable ASCII characters.
REGISTER Server Port | Enter the SIP register server's listening port number, if your VoIP service provider gave you one. Otherwise, enter the same port number you entered in the SIP Server Port field.
SIP Service Domain | Enter the SIP service domain name. In the full SIP URI, this is the part after the @ symbol. You can use up to 127 printable ASCII Extended set characters.
Send Caller ID | Select this if you want to send identification when you make VoIP phone calls. Clear this if you do not want to send identification.
Authentication |
User Name | Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII characters.
Password | Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII Extended set characters.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.
Advanced Setup | Click this to edit the advanced settings for this SIP account. The Advanced SIP Setup screen appears.

12.2.2 Advanced SIP Setup Screen

Use this screen to maintain advanced settings for each SIP account. To access this screen, click Advanced Setup in VoIP > SIP > SIP Settings.

Figure 105 VoIP > SIP > SIP Settings > Advanced

Each field is described in the following table.

Table 60 VoIP > SIP > SIP Settings > Advanced

LABEL | DESCRIPTION
---|---
SIP Account | This field displays the SIP account you see in this screen.
SIP Server Settings |
URL Type | Select whether or not to include the SIP service domain name when the ZyXEL Device sends the SIP number. SIP - include the SIP service domain name. TEL - do not include the SIP service domain name.
Expiration Duration | Enter the number of seconds your SIP account is registered with the SIP register server before it is deleted. The ZyXEL Device automatically tries to re-register your SIP account when one-half of this time has passed. (The SIP register server might have a different expiration.)
Register Re-send timer | Enter the number of seconds the ZyXEL Device waits before it tries again to register the SIP account, if the first try failed or if there is no response.
Session Expires | Enter the number of seconds the conversation can last before the call is automatically disconnected. Usually, when one-half of this time has passed, the ZyXEL Device or the other party updates this timer to prevent this from happening.
Min-SE | Enter the minimum number of seconds the ZyXEL Device accepts for a session expiration time when it receives a request to start a SIP session. If the request has a shorter time, the ZyXEL Device rejects it.
RTP Port Range |
Start Port, End Port | Enter the listening port number(s) for RTP traffic, if your VoIP service provider gave you this information. Otherwise, keep the default values. To enter one port number, enter the port number in the Start Port and End Port fields. To enter a range of ports, enter the port number at the beginning of the range in the Start Port field and enter the port number at the end of the range in the End Port field.
Voice Compression | Select the type of voice coder/decoder (codec) that you want the ZyXEL Device to use. G.711 provides high voice quality but requires more bandwidth (64 kbps). G.711A is typically used in Europe. G.711u is typically used in North America and Japan. G.723 provides good voice quality, and requires 20 or 40 kbps. In contrast, G.729 requires only 8 kbps. The ZyXEL Device must use the same codec as the peer. When two SIP devices start a SIP session, they must agree on a codec.
Primary Compression Type | Select the ZyXEL Device's first choice for voice coder/decoder.
Secondary Compression Type | Select the ZyXEL Device's second choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first choice.
Third Compression Type | This field is disabled if Secondary Compression Type is None. Select the ZyXEL Device's third choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first or second choice.
DTMF Mode | Control how the ZyXEL Device handles the tones that your telephone makes when you push its buttons. You should use the same mode your VoIP service provider uses. RFC 2833 - send the DTMF tones in RTP packets. PCM - send the DTMF tones in the voice data stream. This method works best when you are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) can distort the tones. SIP INFO - send the DTMF tones in SIP messages.
STUN |
Active | Select this if all of the following conditions are satisfied. There is a NAT router between the ZyXEL Device and the SIP server. The NAT router is not a SIP ALG. Your VoIP service provider gave you an IP address or domain name for a STUN server. Otherwise, clear this field.
Server Address | Enter the IP address or domain name of the STUN server provided by your VoIP service provider.
Server Port | Enter the STUN server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
Use NAT |
Active | Select this if you want the ZyXEL Device to send SIP traffic to a specific NAT router. You must also configure the NAT router to forward traffic with the specified port to the ZyXEL Device. This eliminates the need for STUN or a SIP ALG.
Server Address | Enter the public IP address or domain name of the NAT router.
Server Port | Enter the port number that your SIP sessions use with the public IP address of the NAT router.
Outbound Proxy |
Active | Select this if your VoIP service provider has a SIP outbound server to handle voice calls. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off any SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).
Server AddressEnter the IP address or domain name of the SIP outbound proxy server. Server PortEnter the SIP outbound proxy server s listening port, if your VoIP service provider gave you one. Otherwise, keep the default value. NAT Keep Alive ActiveSelect this to stop NAT routers between the ZyXEL Device and SIP server (a SIP proxy server or outbound proxy server) from dropping the SIP session. The ZyXEL Device does this by sending SIP notify messages to the SIP server based on the specified interval. Select this if the SIP server is a SIP proxy server. Select this if the SIP server is an outbound proxy server. You must enable Outbound Proxy to use this. Enter how often (in seconds) the ZyXEL Device should send SIP notify messages to the SIP server. Keep Alive with SIP Proxy Keep Alive with Outbound Proxy Keep Alive Interval MWI (Message Waiting Indication) MAX-200HW2 Series Users Guide 161 Chapter 12SIP Table 60 VoIP > SIP > SIP Settings > Advanced LABEL EnableSelect this if you want to hear a waiting (beeping) dial tone on your phone when DESCRIPTION you have at least one voice message. Your VoIP service provider must support this feature. Expiration TimeKeep the default value, unless your VoIP service provider tells you to change it. Enter the number of seconds the SIP server should provide the message waiting service each time the ZyXEL Device subscribes to the service. Before this time passes, the ZyXEL Device automatically subscribes again. Fax OptionThis field controls how the ZyXEL Device handles fax messages. G.711 Fax Passthrough T.38 Fax RelaySelect this if the ZyXEL Device should send fax messages as UDP or TCP/IP Select this if the ZyXEL Device should use G.711 to send fax messages. The peer devices must also use G.711. packets through IP networks. This provides better quality, but it may have inter-
operability problems. The peer devices must also use T.38. Call Forward Call Forward Table Caller Ringing EnableCheck this box if you want people to hear a customized recording when they call Select which call forwarding table you want the ZyXEL Device to use for incoming calls. You set up these tables in VoIP > Phone Book > Incoming Call Policy. you. Select the tone you want people to hear when they call you. See Section 12.1.11 on page 155 for information on how to record these tones. Caller Ringing Tone On Hold EnableCheck this box if you want people to hear a customized recording when you put them on hold. On Hold ToneSelect the tone you want people to hear when you put them on hold. See 12.1.11 on page 155 for information on how to record these tones. Section
<BackClick this to return to the Apply Reset Click this to save your changes. Click this to set every field in this screen to its last-saved value. SIP Settings screen without saving your changes. 12.2.3 SIP QoS Screen Use this screen to maintain ToS and VLAN settings for the ZyXEL Device. To access this screen, click VoIP > SIP > QoS. 162 MAX-200HW2 Series Users Guide Figure 106 VoIP > SIP > QoS Chapter 12SIP Each field is described in the following table. Table 61 VoIP > SIP > QoS LABEL SIP TOS Priority Setting RTP TOS Priority Setting Voice VLAN IDSelect this if the ZyXEL Device has to be a member of a VLAN to communicate DESCRIPTION Enter the priority for SIP voice transmissions. The ZyXEL Device creates Type of Service priority tags with this priority to voice traffic that it transmits. Enter the priority for RTP voice transmissions. The ZyXEL Device creates Type of Service priority tags with this priority to RTP traffic that it transmits. with the SIP server. Ask your network administrator, if you are not sure. Enter the VLAN ID provided by your network administrator in the field on the right. Your LAN and gateway must be configured to use VLAN tags. Otherwise, clear this field. Click this to save your changes. Click this to set every field in this screen to its last-saved value. Apply Reset MAX-200HW2 Series Users Guide 163 Chapter 12SIP 164 MAX-200HW2 Series Users Guide CHAPTER 13 Phone Use these screens to configure the phone you use to make phone calls with the ZyXEL Device. 13.1 Phone Overview You can configure the volume, echo cancellation, VAD settings and custom tones for the phone port on the ZyXEL Device. You can also select which SIP account to use for making outgoing calls. 13.1.1 Voice Activity Detection/Silence Suppression/Comfort Noise Voice Activity Detection (VAD) detects whether or not speech is present. This lets the ZyXEL Device reduce the bandwidth that a call uses by not transmitting silent packets when you are not speaking. 
When using VAD, the ZyXEL Device generates comfort noise when the other party is not speaking. The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection.

13.1.2 Echo Cancellation

G.168 is an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.

13.1.3 Supplementary Phone Services Overview

Supplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The ZyXEL Device supports the following services:
- Call Hold
- Call Waiting
- Making a Second Call
- Call Transfer
- Call Forwarding
- Three-Way Conference
- Internal Calls
- Caller ID
- CLIP (Calling Line Identification Presentation)
- CLIR (Calling Line Identification Restriction)

To take full advantage of the supplementary phone services available through the ZyXEL Device's phone port, you may need to subscribe to the services from your VoIP service provider.

13.1.3.1 The Flash Key

Flashing means to press the hook for a short period of time (a few hundred milliseconds) before releasing it. On newer telephones, there should be a "flash" key (button) that generates the signal electronically. If the flash key is not available, you can tap (press and immediately release) the hook by hand to achieve the same effect. However, using the flash key is preferred since the timing is much more precise. The ZyXEL Device may interpret manual tapping as hanging up if the duration is too long.

You can invoke all the supplementary services by using the flash key.

13.1.3.2 Europe Type Supplementary Phone Services

This section describes how to use supplementary phone services with the Europe Type Call Service Mode. Commands for supplementary services are listed in the table below.

After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.

Table 62 European Type Flash Key Commands

| COMMAND | SUB-COMMAND | DESCRIPTION |
|---|---|---|
| Flash | | Put a current call on hold to place a second call. Switch back to the call (if there is no second call). |
| Flash | 0 | Drop the call presently on hold or reject an incoming call which is waiting for answer. |
| Flash | 1 | Disconnect the current phone connection and answer the incoming call or resume with caller presently on hold. |
| Flash | 2 | 1. Switch back and forth between two calls. 2. Put a current call on hold to answer an incoming call. 3. Separate the current three-way conference call into two individual calls (one is on-line, the other is on hold). |
| Flash | 3 | Create three-way conference connection. |
| Flash | *98# | Transfer the call to another phone. |

13.1.3.2.1 European Call Hold

Call hold allows you to put a call (A) on hold by pressing the flash key. If you have another call, press the flash key and then 2 to switch back and forth between caller A and B by putting either one on hold.

Press the flash key and then 0 to disconnect the call presently on hold and keep the current call on line.

Press the flash key and then 1 to disconnect the current call and resume the call on hold.

If you hang up the phone but a caller is still on hold, there will be a remind ring.

13.1.3.2.2 European Call Waiting

This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number. If there is a second call to a telephone number, you will hear a call waiting tone. Take one of the following actions.

- Reject the second call. Press the flash key and then press 0.
- Disconnect the first call and answer the second call. Either press the flash key and press 1, or just hang up the phone and then answer the phone after it rings.
- Put the first call on hold and answer the second call. Press the flash key and then 2.
13.1.3.2.3 European Call Transfer

Do the following to transfer an incoming call (that you have answered) to another phone.

1 Press the flash key to put the caller on hold.
2 When you hear the dial tone, dial *98# followed by the number to which you want to transfer the call. to operate the Intercom.
3 After you hear the ring signal or the second party answers it, hang up the phone.

13.1.3.2.4 European Three-Way Conference

Use the following steps to make three-way conference calls.

1 When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2 Dial a phone number directly to make another call.
3 When the second call is answered, press the flash key and press 3 to create a three-way conversation.
4 Hang up the phone to drop the connection.
5 If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key and press 2.

13.1.3.3 USA Type Supplementary Services

This section describes how to use supplementary phone services with the USA Type Call Service Mode. Commands for supplementary services are listed in the table below.

After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.

Table 63 USA Type Flash Key Commands

| COMMAND | SUB-COMMAND | DESCRIPTION |
|---|---|---|
| Flash | | Put a current call on hold to place a second call. After the second call is successful, press the flash key again to have a three-way conference call. Put a current call on hold to answer an incoming call. |
| Flash | *98# | Transfer the call to another phone. |

13.1.3.3.1 USA Call Hold

Call hold allows you to put a call (A) on hold by pressing the flash key. If you have another call, press the flash key to switch back and forth between caller A and B by putting either one on hold.

If you hang up the phone but a caller is still on hold, there will be a remind ring.

13.1.3.3.2 USA Call Waiting

This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number. If there is a second call to your telephone number, you will hear a call waiting tone. Press the flash key to put the first call on hold and answer the second call.

13.1.3.3.3 USA Call Transfer

Do the following to transfer an incoming call (that you have answered) to another phone.

1 Press the flash key to put the caller on hold.
2 When you hear the dial tone, dial *98# followed by the number to which you want to transfer the call. to operate the Intercom.
3 After you hear the ring signal or the second party answers it, hang up the phone.

13.1.3.3.4 USA Three-Way Conference

Use the following steps to make three-way conference calls.

1 When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2 Dial a phone number directly to make another call.
3 When the second call is answered, press the flash key, wait for the sub-command tone and press 3 to create a three-way conversation.
4 Hang up the phone to drop the connection.
5 If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key, wait for the sub-command tone and press 2.

13.2 Phone Screens

13.2.1 Analog Phone Screen

Use this screen to control which SIP accounts and PSTN line each phone uses. To access this screen, click VoIP > Phone > Analog Phone.

Figure 107 VoIP > Phone > Analog Phone

Each field is described in the following table.

Table 64 VoIP > Phone > Analog Phone

| LABEL | DESCRIPTION |
|---|---|
| Phone Port Settings | Select the phone port you want to see in this screen. If you change this field, the screen automatically refreshes. |
| Outgoing Call Use | |
| SIP1 | Select this if you want this phone port to use the SIP1 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first. |
| SIP2 | Select this if you want this phone port to use the SIP2 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first. |
| Incoming Call apply to | |
| SIP1 | Select this if you want to receive phone calls for the SIP1 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls. |
| SIP2 | Select this if you want to receive phone calls for the SIP2 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its last-saved value. |
| Advanced Setup | Click this to edit the advanced settings for this phone port. The Advanced Analog Phone Setup screen appears. |

13.2.2 Advanced Analog Phone Setup Screen

Use this screen to edit advanced settings for each phone port. To access this screen, click Advanced Setup in VoIP > Phone > Analog Phone.

Figure 108 VoIP > Phone > Analog Phone > Advanced

Each field is described in the following table.
Table 65 VoIP > Phone > Analog Phone > Advanced

| LABEL | DESCRIPTION |
|---|---|
| Analog Phone | This field displays the phone port you see in this screen. |
| Voice Volume Control | |
| Speaking Volume | Enter the loudness that the ZyXEL Device uses for speech that it sends to the peer device. -1 is the quietest, and 1 is the loudest. |
| Listening Volume | Enter the loudness that the ZyXEL Device uses for speech that it receives from the peer device. -1 is the quietest, and 1 is the loudest. |
| Echo Cancellation | |
| G.168 Active | Select this if you want to eliminate the echo caused by the sound of your voice reverberating in the telephone receiver while you talk. |
| Dialing Interval Select | |
| Dialing Interval Select | Enter the number of seconds the ZyXEL Device should wait after you stop dialing numbers before it makes the phone call. The value depends on how quickly you dial phone numbers. If you select Active Immediate Dial in VoIP > Phone > Common, you can press the pound key (#) to tell the ZyXEL Device to make the phone call immediately, regardless of this setting. |
| VAD Support | Select this if the ZyXEL Device should stop transmitting when you are not speaking. This reduces the bandwidth the ZyXEL Device uses. |
| <Back | Click this to return to the Analog Phone screen without saving your changes. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its last-saved value. |

13.2.3 Common Phone Settings Screen

Use this screen to activate and deactivate immediate dialing. To access this screen, click VoIP > Phone > Common.

Figure 109 VoIP > Phone > Common

Each field is described in the following table.

Table 66 VoIP > Phone > Common

| LABEL | DESCRIPTION |
|---|---|
| Active Immediate Dial | Select this if you want to use the pound key (#) to tell the ZyXEL Device to make the phone call immediately, instead of waiting the number of seconds you selected in the Dialing Interval Select in VoIP > Phone > Analog Phone. If you select this, dial the phone number, and then press the pound key if you do not want to wait. The ZyXEL Device makes the call immediately. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its last-saved value. |

13.2.4 Phone Region Screen

Use this screen to maintain settings that often depend on which region of the world the ZyXEL Device is in. To access this screen, click VoIP > Phone > Region.

Figure 110 VoIP > Phone > Region

Each field is described in the following table.

Table 67 VoIP > Phone > Region

| LABEL | DESCRIPTION |
|---|---|
| Region Settings | Select the place in which the ZyXEL Device is located. Do not select Default. |
| Call Service Mode | Select the mode for supplementary phone services (call hold, call waiting, call transfer and three-way conference calls) that your VoIP service provider supports. Europe Type - use supplementary phone services in European mode. USA Type - use supplementary phone services in American mode. You might have to subscribe to these services to use them. Contact your VoIP service provider. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its last-saved value. |

CHAPTER 14 Phone Book

Use these screens to maintain call-forwarding rules and speed-dial settings.

14.1 Phone Book Overview

Speed dial provides shortcuts for dialing frequently used (VoIP) phone numbers.
It is also required if you want to make peer-to-peer calls. In peer-to-peer calls, you call another VoIP device directly without going through a SIP server. In the ZyXEL Device, you must set up a speed dial entry in the phone book in order to do this. Select Non-Proxy (Use IP or URL) in the Type column and enter the callee's IP address or domain name. The ZyXEL Device sends SIP INVITE requests to the peer VoIP device when you use the speed dial entry.

You do not need to configure a SIP account in order to make a peer-to-peer VoIP call.

14.2 Phone Book Screens

14.2.1 Incoming Call Policy Screen

Use this screen to maintain rules for handling incoming calls. You can block, redirect, or accept them. To access this screen, click VoIP > Phone Book > Incoming Call Policy.

Figure 111 VoIP > Phone Book > Incoming Call Policy

You can create two sets of call-forwarding rules. Each one is stored in a call-forwarding table. Each field is described in the following table.

Table 68 VoIP > Phone Book > Incoming Call Policy

| LABEL | DESCRIPTION |
|---|---|
| Table Number | Select the call-forwarding table you want to see in this screen. If you change this field, the screen automatically refreshes. |
| Forward to Number Setup | The ZyXEL Device checks these rules, in the order in which they appear, after it checks the rules in the Advanced Setup section. |
| Unconditional Forward to Number | Select this if you want the ZyXEL Device to forward all incoming calls to the specified phone number, regardless of other rules in the Forward to Number section. Specify the phone number in the field on the right. |
| Busy Forward to Number | Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the phone port is busy. Specify the phone number in the field on the right. If you have call waiting, the incoming call is forwarded to the specified phone number if you reject or ignore the second incoming call. |
| No Answer Forward to Number | Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the call is unanswered. (See No Answer Waiting Time.) Specify the phone number in the field on the right. |
| No Answer Waiting Time | This field is used by the No Answer Forward to Number feature and No Answer conditions below. Enter the number of seconds the ZyXEL Device should wait for you to answer an incoming call before it considers the call is unanswered. |
| Advanced Setup | The ZyXEL Device checks these rules before it checks the rules in the Forward to Number section. |
| # | This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it only follows the first one that applies. |
| Activate | Select this to enable this rule. Clear this to disable this rule. |
| Incoming Call Number | Enter the phone number to which this rule applies. |
| Forward to Number | Enter the phone number to which you want to forward incoming calls from the Incoming Call Number. You may leave this field blank, depending on the Condition. |
| Condition | Select the situations in which you want to forward incoming calls from the Incoming Call Number, or select an alternative action. Unconditional - The ZyXEL Device immediately forwards any calls from the Incoming Call Number to the Forward to Number. Busy - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when your SIP account already has a call connected. No Answer - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when the call is unanswered. (See No Answer Waiting Time.) Block - The ZyXEL Device rejects calls from the Incoming Call Number. Accept - The ZyXEL Device allows calls from the Incoming Call Number. You might create a rule with this condition if you do not want incoming calls from someone to be forwarded by rules in the Forward to Number section. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its last-saved value. |

14.2.2 Speed Dial Screen

You have to create speed-dial entries if you want to make peer-to-peer calls or call SIP numbers that use letters. You can also create speed-dial entries for frequently-used SIP phone numbers. Use this screen to add, edit, or remove speed-dial entries. To access this screen, click VoIP > Phone Book > Speed Dial.
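The two-stage rule order that section 14.2.1 describes for the Incoming Call Policy screen (Advanced Setup rules first, first applicable rule wins, then the Forward to Number section) can be modelled as below. This is an added example, not ZyXEL's code: the class and function names, the three call states and the phone numbers are constructed, and it assumes a Busy or No Answer rule "applies" only when the call is in that state.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AdvancedRule:
    active: bool                      # the Activate check box
    incoming_number: str              # Incoming Call Number
    condition: str                    # Unconditional, Busy, No Answer, Block, Accept
    forward_to: Optional[str] = None  # Forward to Number (may be blank)


@dataclass
class ForwardTable:
    unconditional: Optional[str] = None   # Unconditional Forward to Number
    busy: Optional[str] = None            # Busy Forward to Number
    no_answer: Optional[str] = None       # No Answer Forward to Number
    advanced: List[AdvancedRule] = field(default_factory=list)


def decide(table: ForwardTable, caller: str, call_state: str) -> Tuple[str, Optional[str]]:
    """Return (action, target) for one incoming call.

    call_state is "idle", "busy" or "no_answer" (hypothetical labels).
    action is "block", "forward" or "accept".
    """
    # Stage 1: Advanced Setup rules, in listed order; follow only the first that applies.
    for rule in table.advanced:
        if not rule.active or rule.incoming_number != caller:
            continue
        if rule.condition == "Block":
            return ("block", None)
        if rule.condition == "Accept":
            # Accept ends evaluation, so the Forward to Number section never sees the call.
            return ("accept", None)
        if (rule.condition == "Unconditional"
                or (rule.condition == "Busy" and call_state == "busy")
                or (rule.condition == "No Answer" and call_state == "no_answer")):
            return ("forward", rule.forward_to)
    # Stage 2: Forward to Number section; Unconditional overrides the other two entries.
    if table.unconditional:
        return ("forward", table.unconditional)
    if call_state == "busy" and table.busy:
        return ("forward", table.busy)
    if call_state == "no_answer" and table.no_answer:
        return ("forward", table.no_answer)
    return ("accept", None)


def shadowed_rules(table: ForwardTable) -> List[int]:
    """1-based positions of active rules that can never be followed, because an
    earlier active rule for the same number applies in every call state."""
    always = {"Unconditional", "Block", "Accept"}
    decided = set()
    dead = []
    for pos, rule in enumerate(table.advanced, start=1):
        if not rule.active:
            continue
        if rule.incoming_number in decided:
            dead.append(pos)
        elif rule.condition in always:
            decided.add(rule.incoming_number)
    return dead


# Constructed sample table: rule 4 is a Block that sits behind an Accept for the same caller.
SAMPLE_TABLE = ForwardTable(
    unconditional="5550199",
    advanced=[
        AdvancedRule(True, "5550101", "Busy", "5550150"),
        AdvancedRule(True, "5550101", "Block"),
        AdvancedRule(True, "5550102", "Accept"),
        AdvancedRule(True, "5550102", "Block"),
        AdvancedRule(False, "5550103", "Block"),
    ],
)

if __name__ == "__main__":
    for caller, state in [("5550101", "busy"), ("5550101", "idle"),
                          ("5550102", "idle"), ("5550103", "idle")]:
        print(caller, state, decide(SAMPLE_TABLE, caller, state))
    print("never followed:", shadowed_rules(SAMPLE_TABLE))
```

Reviewing a saved table with `shadowed_rules` catches a Block entry that was added below an Accept or Unconditional entry for the same number and therefore has no effect.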
Figure 112 VoIP > Phone Book > Speed Dial

Each field is described in the following table.

Table 69 VoIP > Phone Book > Speed Dial

| LABEL | DESCRIPTION |
|---|---|
| Speed Dial | Use this section to create or edit speed-dial entries. |
| Speed Dial | Select the speed-dial number you want to use for this phone number. |
| Number | Enter the SIP number you want the ZyXEL Device to call when you dial the speed-dial number. |
| Name | Enter a name to identify the party you call when you dial the speed-dial number. You can use up to 127 printable ASCII characters. |
| Type | Select Use Proxy if you want to use one of your SIP accounts to call this phone number. Select Non-Proxy (Use IP or URL) if you want to use a different SIP server or if you want to make a peer-to-peer call. In this case, enter the IP address or domain name of the SIP server or the other party in the field below. |
| Add | Click this to use the information in the Speed Dial section to update the Speed Dial Phone Book section. |
| Speed Dial Phone Book | Use this section to look at all the speed-dial entries and to erase them. |
| Speed Dial | This field displays the speed-dial number you should dial to use this entry. You should dial the numbers the way they appear in the screen. |
| Number | This field displays the SIP number the ZyXEL Device calls when you dial the speed-dial number. |
| Name | This field displays the name of the party you call when you dial the speed-dial number. |
| Destination | This field is blank, if the speed-dial entry uses one of your SIP accounts. Otherwise, this field shows the IP address or domain name of the SIP server or other party. (This field corresponds with the Type field in the Speed Dial section.) |
| Modify | Use this field to edit or erase the speed-dial entry. Click the Edit icon to copy the information for this speed-dial entry into the Speed Dial section, where you can change it. Click the Remove icon to erase this speed-dial entry. |
| Clear | Click this to erase all the speed-dial entries. |
| Reset | Click this to set every field in this screen to its last-saved value. |

CHAPTER 15 Firewall

Use these screens to enable, configure and disable the firewall that protects your ZyXEL Device and your LAN from unwanted or malicious traffic.
15.1 Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.

15.1.1 Stateful Inspection Firewall.

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

15.1.2 About the ZyXEL Device Firewall

The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.

The ZyXEL Device is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The ZyXEL Device has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, inbound access is not allowed (by default) unless the remote host is authorized to use a specific service.

15.1.3 Guidelines For Enhancing Security With Your Firewall

1 Change the default password via web configurator.
2 Think about access control before you connect to the network in any way.
3 Limit who can access your router.
4 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. 6 Protect against IP spoofing by making sure the firewall is active. 7 Keep the firewall in a secured (locked) room. 15.1.4 The Firewall, NAT and Remote Management Figure 113 Firewall Rule Directions 15.1.4.1 LAN-to-WAN rules LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet. You can block certain LAN-to-WAN traffic in the Services screen (click the Services tab). All services displayed in the Blocked Services list box are LAN-to-WAN firewall rules that block those services originating from the LAN. Blocked LAN-to-WAN packets are considered alerts. Alerts are higher priority logs that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen. 180 MAX-200HW2 Series Users Guide Chapter 15Firewall LAN-to-LAN/ZyXEL Device means the LAN to the ZyXEL Device LAN interface. This is always allowed, as this is how you manage the ZyXEL Device from your local computer. 15.1.4.2 WAN-to-LAN rules WAN-to-LAN rules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network. How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by:
- Configuring NAT port forwarding rules.
- Configuring One-to-One and Many-One-to-One NAT mapping rules in the SMT NAT menus.
- Configuring WAN or LAN & WAN access for services in the Remote Management screens or SMT menus.

When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/ZyXEL Device firewall rules. WAN-to-WAN/ZyXEL Device firewall rules are Internet to the ZyXEL Device WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/ZyXEL Device packets to log.

Forwarded WAN-to-LAN packets are not considered alerts.

15.2 Triangle Route

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

Figure 114 Ideal Firewall Setup

15.2.1 The Triangle Route Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device's LAN IP address), the triangle route (also called asymmetrical route) problem may occur. The steps below describe the triangle route problem.

1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device.

As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.
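The three steps above can be reproduced with a small model, added here as an illustration (it is not code from the manual or from ZyXEL). `same_subnet_gateways` flags an alternate gateway that shares the device's LAN subnet, and `handshake_verdicts` shows why a stateful firewall that never sees the reply resets the connection; all names and addresses are constructed assumptions.

```python
# Added example: a simplified model of the triangle route problem (15.2.1).
# Addresses are constructed sample values. The state machine is a teaching
# model of stateful inspection, not the ZyXEL Device's firmware logic.
import ipaddress


def same_subnet_gateways(device_lan_interface, gateways):
    """Return the gateways whose IP address is in the device's LAN subnet.

    A gateway in this list can hand WAN replies straight to LAN hosts,
    which is the precondition for a triangle (asymmetrical) route.
    """
    lan = ipaddress.ip_interface(device_lan_interface).network
    return [g for g in gateways if ipaddress.ip_address(g) in lan]


class StatefulInspection:
    """Tracks the TCP three-way handshake per (client, server) pair."""

    def __init__(self):
        self.sessions = {}  # (client, server) -> handshake state

    def observe(self, src, dst, flags):
        """Return 'forward' or 'reset' for one packet the firewall sees."""
        if flags == "SYN":
            self.sessions[(src, dst)] = "SYN_SEEN"
            return "forward"
        if flags == "SYN-ACK" and self.sessions.get((dst, src)) == "SYN_SEEN":
            self.sessions[(dst, src)] = "ACKNOWLEDGED"
            return "forward"
        if flags == "ACK" and self.sessions.get((src, dst)) == "ACKNOWLEDGED":
            return "forward"
        # The packet does not fit a handshake the firewall has watched from
        # the start, so the session is discarded and the connection reset.
        self.sessions.pop((src, dst), None)
        self.sessions.pop((dst, src), None)
        return "reset"


def handshake_verdicts(reply_passes_device):
    """Replay one handshake and return the firewall's verdict per packet.

    reply_passes_device=False models step 3: the SYN-ACK reaches the LAN
    computer through the alternate gateway and the firewall never sees it.
    """
    firewall = StatefulInspection()
    host, server = "192.168.1.33", "203.0.113.10"  # constructed addresses
    verdicts = [firewall.observe(host, server, "SYN")]
    if reply_passes_device:
        verdicts.append(firewall.observe(server, host, "SYN-ACK"))
    # The LAN computer completes the handshake through its default gateway,
    # which is the firewall in both cases.
    verdicts.append(firewall.observe(host, server, "ACK"))
    return verdicts


if __name__ == "__main__":
    # Constructed topology: device LAN interface plus two candidate gateways.
    print(same_subnet_gateways("192.168.1.1/24",
                               ["192.168.1.254", "192.168.2.254"]))
    print("reply bypasses device:", handshake_verdicts(False))
    print("reply passes device:  ", handshake_verdicts(True))
```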
Figure 115 Triangle Route Problem

15.2.2 Solving the Triangle Route Problem

If you have the ZyXEL Device allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network.

It's like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyXEL Device.
4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.

Figure 116 IP Alias

15.3 Firewall Screens

15.3.1 General Firewall Screen

Use this screen to configure the basic settings for your firewall. To access this screen, click Security > Firewall > General.

Figure 117 Security > Firewall > General

Each field is described in the following table.

Table 70 Security > Firewall > General
LABEL - DESCRIPTION
Enable Firewall - Select this to activate the firewall. The ZyXEL Device controls access and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route - Select this if you want to let some traffic from the WAN go directly to a computer in the LAN without passing through the ZyXEL Device. See the appendices for more information about triangle route topology.
Max NAT/Firewall Session Per User - Select the maximum number of NAT rules and firewall rules the ZyXEL Device enforces at one time. The ZyXEL Device automatically allocates memory for the maximum number of rules, regardless of whether or not there is a rule to enforce. This is the same number you enter in Network > NAT > General.
Packet Direction - This field displays each direction that packets pass through the ZyXEL Device.
Log - Select the situations in which you want to create log entries for firewall events.
  No Log - do not create any log entries
  Log Blocked - (LAN to WAN only) create log entries when packets are blocked
  Log Forwarded - (WAN to LAN only) create log entries when packets are forwarded
  Log All - create log entries for every packet
Apply - Click this to save your changes.
Reset - Click this to set every field in this screen to its last-saved value.

15.3.2 Firewall Services Screen

Use this screen to enable service blocking, to set up the date and time service blocking is effective, and to maintain the list of services you want to block. To access this screen, click Security > Firewall > Services.

Figure 118 Security > Firewall > Services

Each field is described in the following table.

Table 71 Security > Firewall > Services
LABEL - DESCRIPTION
Service Setup
Enable Services Blocking - Select this to activate service blocking. The Schedule to Block section controls what days and what times service blocking is actually effective, however.
Available Services - This is a list of pre-defined services (destination ports) you may prohibit your LAN computers from using. Select the port you want to block, and click Add to add the port to the Blocked Services field. A custom port is a service that is not available in the pre-defined Available Services list. You must define it using the Type and Port Number fields. See Appendix F on page 333 for some examples of services.
Blocked Services - This is a list of services (ports) that are inaccessible to computers on your LAN when service blocking is effective. To remove a service from this list, select the service, and click Delete.
Type - Select TCP or UDP, based on which one the custom port uses.
Port Number - Enter the range of port numbers that defines the service. For example, suppose you want to define the Gnutella service. Select TCP type and enter a port range of 6345-6349.
Add - Click this to add the selected service in Available Services to the Blocked Services list.
Delete - Select a service in the Blocked Services, and click this to remove the service from the list.
Clear All - Click this to remove all the services in the Blocked Services list.
Schedule to Block
Day to Block - Select which days of the week you want the service blocking to be effective.
Time of Day to Block - Select what time each day you want service blocking to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply - Click this to save your changes.
Reset - Click this to set every field in this screen to its last-saved value.

CHAPTER 16 Certificates

This chapter gives background information about public-key certificates and explains how to use the Certificates screens.

16.1 Certificates Overview

The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities.
You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as digital signatures). Only you can write your signature exactly as it ought to look. When people know what your signature ought to look like, they can verify whether something was signed by you, or by someone else. In the same way, your private key writes your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.

1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and she knows that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.
The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

16.1.1 Advantages of Certificates

Certificates offer the following benefits.

- The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

16.2 Self-signed Certificates

You can have the ZyXEL Device act as a certification authority and sign its own certificates.

16.3 Factory Default Certificate

The ZyXEL Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
16.3.1 Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS#7 file is used to transfer a public key certificate. The private key is not included. The ZyXEL Device currently allows the importation of a PKCS#7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

16.4 Certificate Configuration Screens Summary

This section summarizes how to manage certificates on the ZyXEL Device.

- Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates.
- Use the Trusted CAs screens to save CA certificates and trusted remote host certificates to the ZyXEL Device. The ZyXEL Device will trust any valid certificate that you have imported as a trusted certificate. It will also trust any valid certificate signed by any of the certificates that you have imported as a trusted certificate.

16.5 Verifying a Certificate

Before you import a certificate into the ZyXEL Device, you should verify that you have the correct certificate. This is especially true of trusted certificates since the ZyXEL Device also trusts any valid certificate signed by any of the imported trusted certificates.
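One way to carry out this verification on a management computer before importing a file, shown as an added example (it is not part of the manual; the function names and sample bytes are assumptions). It accepts the binary and PEM X.509 formats from section 16.3.1, rejects a binary file whose size no longer matches its DER header (the symptom of a text-mode transfer), and compares the file's MD5 or SHA1 message digest with the value obtained from the certificate owner.

```python
# Added example: check a certificate file's message digest before import.
# Handles binary and PEM (Base-64) X.509 only; PKCS#7 files are not parsed.
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def load_der(file_bytes):
    """Return the binary (DER) certificate from PEM or binary file content."""
    match = PEM_BLOCK.search(file_bytes)
    if match:
        body = b"".join(match.group(1).split())  # drop line breaks
        return base64.b64decode(body, validate=True)
    return file_bytes


def der_declared_length(der):
    """Total size (header plus content) stated by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong format or damaged file")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    count = first & 0x7F                  # long form: next `count` bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def fingerprints(der):
    """MD5 and SHA1 digests of the binary certificate, as lowercase hex.

    These are the two algorithms the manual names. Both are weak against
    collision attacks today, so compare the SHA1 value when you can.
    """
    return {"MD5": hashlib.md5(der).hexdigest(),
            "SHA1": hashlib.sha1(der).hexdigest()}


def normalize_thumbprint(text):
    """Strip the spaces or colons that certificate viewers insert."""
    return re.sub(r"[\s:]", "", text).lower()


def verify_before_import(file_bytes, algorithm, expected_thumbprint):
    """True if the file's digest equals the value the owner supplied."""
    der = load_der(file_bytes)
    if der_declared_length(der) != len(der):
        raise ValueError("size does not match DER header: the file may have "
                         "been converted to text during transfer")
    actual = fingerprints(der)[algorithm.upper().replace("-", "")]
    return actual == normalize_thumbprint(expected_thumbprint)


# Constructed stand-in: a valid outer DER header followed by filler bytes.
# It is not a real certificate; the digest is computed the same way for one.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    owner_value = fingerprints(SAMPLE_DER)["SHA1"]  # stands in for the owner's value
    print(verify_before_import(SAMPLE_PEM, "SHA1", owner_value))
    try:
        verify_before_import(SAMPLE_DER.replace(b"\n", b"\r\n"), "SHA1", owner_value)
    except ValueError as err:
        print("rejected:", err)
```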
16.5.1 Checking the Fingerprint of a Certificate on Your Computer

A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a .cer or .crt file name extension.

Figure 119 Remote Host Certificates

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 120 Certificate Details

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

16.6 My Certificates Screen

Click Security > Certificates > My Certificates to open the My Certificates screen. This is the ZyXEL Device's summary list of certificates and certification requests.

Figure 121 Security > Certificates > My Certificates

The following table describes the labels in this screen.

Table 72 Security > Certificates > My Certificates
LABEL - DESCRIPTION
PKI Storage Space in Use - This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
# - This field displays the certificate index number. The certificates are listed in alphabetical order.
Name - This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type - This field displays what kind of certificate this is.
  REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  SELF represents a self-signed certificate.
  *SELF represents the default self-signed certificate which signs the imported remote host certificates.
  CERT represents a certificate issued by a certification authority.
Subject - This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer - This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From - This field displays the date that the certificate becomes applicable.
Valid To - This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Modify - Click the Details icon to open a screen with an in-depth list of information about the certificate. Click the Export icon to save a copy of the certificate without its private key. Browse to the location you want to use and click Save. Click the Remove icon to delete a certificate. A window displays asking you to confirm that you want to delete the certificate. Subsequent certificates move up by one when you take this action. The ZyXEL Device keeps all of your certificates unless you specifically delete them. Uploading new firmware or default configuration file does not delete your certificates. You cannot delete certificates that any of the ZyXEL Device's features are configured to use.
Import - Click Import to open a screen where you can save a certificate to the ZyXEL Device.
Create - Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request.
Refresh - Click Refresh to display the current validity status of the certificates.

16.6.1 My Certificates Create Screen

Click Security > Certificates > My Certificates and then the Create icon to open the My Certificates Create screen.
Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 122 Security > Certificates > My Certificates > Create

The following table describes the labels in this screen.

Table 73 Security > Certificates > My Certificates > Create
LABEL - DESCRIPTION
Certificate Name - Type a name to identify this certificate. You can use up to 31 alphanumeric and ;~!@#$%^&()_+[]{},.=- characters.
Subject Information - Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Common Name - Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string. A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods. An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Organizational Unit - Identify the organizational unit or department to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.
Organization - Identify the company or group to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country - Identify the state in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Key Length - Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
Enrollment Options - These radio buttons deal with how and when the certificate is to be generated.
  Create a self-signed certificate - Select Create a self-signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
  Create a certification request and save it locally for later manual enrollment - Select Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen (see Section 16.6.2 on page 195) and then send it to the certification authority.
  Create a certification request and enroll for a certificate immediately online - Select Create a certification request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them.
Enrollment Protocol - This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
CA Server Address - This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server. For a URL, you can use up to 511 of the following characters. a-zA-Z0-9'()+,/
CA Certificate - This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.
Request Authentication - When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-
Apply - Click Apply to begin certificate or certification request generation.
Cancel - Click Cancel to quit and return to the My Certificates screen.

If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online.

16.6.2 My Certificate Details Screen

Click Security > Certificates > My Certificates and then the Details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate's name.

Figure 123 Security > Certificates > My Certificates > Details

The following table describes the labels in this screen.

Table 74 Security > Certificates > My Certificates > Details
LABEL - DESCRIPTION
Name - This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;~!@#$%^&()_+[]{},.=- characters.
Property - Select Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the Security > Certificates > Trusted CAs screen.
Certification Path - This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself).
If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked.
Refresh - Click Refresh to display the certification path.
Certificate Information - These read-only fields display detailed information about the certificate.
Type - This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version - This field displays the X.509 version number.
Serial Number - This field displays the certificate's identification number given by the certification authority or generated by the ZyXEL Device.
Subject - This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer - This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. none displays for a certification request.
Signature Algorithm - This field displays the type of algorithm that was used to sign the certificate. The ZyXEL Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From - This field displays the date that the certificate becomes applicable. none displays for a certification request.
Valid To - This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. none displays for a certification request.
Key Algorithm - This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name - This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage - This field displays for what functions the certificate's key can be used. For example, DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text.
Basic Constraint - This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and Path Length Constraint=1 means that there can only be one certification authority in the certificate's path. This field does not display for a certification request.
MD5 Fingerprint - This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm.
SHA1 Fingerprint - This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format - This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply - Click Apply to save your changes back to the ZyXEL Device. You can only change the name.
Cancel - Click Cancel to quit and return to the My Certificates screen.

16.6.3 My Certificate Import Screen

Click Security > Certificates > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to upload an existing certificate to the ZyXEL Device.

You can import a certificate that matches a corresponding certification request that was generated by the ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen.

You must remove any spaces from the certificate's filename before you can import it.

Figure 124 Security > Certificates > My Certificates > Import

The following table describes the labels in this screen.

Table 75 Security > Certificates > My Certificates > Import
LABEL - DESCRIPTION
File Path - Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyXEL Device.
Browse - Click Browse to find the certificate file you want to upload.
Apply - Click Apply to save the certificate on the ZyXEL Device.
Cancel - Click Cancel to quit and return to the My Certificates screen.

16.7 Trusted CAs

Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.

Figure 125 Security > Certificates > Trusted CAs

The following table describes the labels in this screen.

Table 76 Security > Certificates > Trusted CAs
LABEL - DESCRIPTION
PKI Storage Space in Use - This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
# - This field displays the certificate index number. The certificates are listed in alphabetical order.
Name - This field displays the name used to identify this certificate.
Subject - This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer - This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From - This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To - This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
CRL Issuer - This field displays Yes if the certification authority issues CRL (Certificate Revocation Lists) for the certificates that it has issued and you have selected the Check incoming certificates issued by this CA against a CRL check box in the certificate's details screen to have the ZyXEL Device check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No.
Modify - Click the Details icon to open a screen with an in-depth list of information about the certificate. Use the Export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Click the Remove icon to delete the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Table 76 Security > Certificates > Trusted CAs (continued)

| LABEL | DESCRIPTION |
|---|---|
| Import | Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyXEL Device. |
| Refresh | Click this button to display the current validity status of the certificates. |

16.8 Trusted CA Details

Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyXEL Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.

Figure 126 Security > Certificates > Trusted CAs > Details

The following table describes the labels in this screen.

Table 77 Security > Certificates > Trusted CAs > Details

| LABEL | DESCRIPTION |
|---|---|
| Name | This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces). |
| Property | |
| Check incoming certificates issued by this CA against a CRL | Select this check box to have the ZyXEL Device check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). |
| Certification Path | Click the Refresh button to have this read-only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity's own certificate). The ZyXEL Device does not trust the end entity's certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked. |
| Refresh | Click Refresh to display the certification path. |
| Certificate Information | These read-only fields display detailed information about the certificate. |
| Type | This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. |
| Version | This field displays the X.509 version number. |
| Serial Number | This field displays the certificate's identification number given by the certification authority. |
| Subject | This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). |
| Issuer | This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field. |
| Signature Algorithm | This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). |
| Valid From | This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. |
| Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. |
| Key Algorithm | This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example). |
| MD5 Fingerprint | This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. |
| SHA1 Fingerprint | This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. |
| Certificate in PEM (Base-64) Encoded Format | This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example). |
| Apply | Click Apply to save your changes back to the ZyXEL Device. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority. |
| Cancel | Click Cancel to quit and return to the Trusted CAs screen. |

16.9 Trusted CA Import

Click Security > Certificates > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority's certificate from a computer to the ZyXEL Device. The ZyXEL Device trusts any valid certificate signed by any of the imported trusted CA certificates.

You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 127 Security > Certificates > Trusted CAs > Import

The following table describes the labels in this screen.

Table 78 Security > Certificates > Trusted CAs Import

| LABEL | DESCRIPTION |
|---|---|
| File Path | Type in the location of the file you want to upload in this field or click Browse to find it. |
| Choose... | Click Choose... to find the certificate file you want to upload. |
| Apply | Click Apply to save the certificate on the ZyXEL Device. |
| Cancel | Click Cancel to quit and return to the Trusted CAs screen. |

CHAPTER 17 Content Filter

Use these screens to create and enforce policies that restrict access to the Internet based on content.

17.1 Content Filtering Overview

Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords. The ZyXEL Device can block web features such as ActiveX controls, Java applets and cookies, and can disable web proxies. The ZyXEL Device also allows you to define time periods and days during which the ZyXEL Device performs content filtering.

17.2 Content Filtering Screens

17.2.1 Content Filter Screen

Use this screen to set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective. To access this screen, click Security > Content Filter > Filter.

Figure 128 Security > Content Filter > Filter

Each field is described in the following table.

Table 79 Security > Content Filter > Filter

| LABEL | DESCRIPTION |
|---|---|
| Trusted IP Setup | |
| Trusted Computer IP Address | You can allow a specific computer to access all Internet resources without the restrictions you set in these screens. Enter the IP address of the trusted computer. |
| Restrict Web Features | Select the web features you want to disable. If a user downloads a page with a restricted feature, that part of the web page appears blank or grayed out. ActiveX - This is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java - This is used to build downloadable Web components or Internet and intranet business applications of all kinds. Cookies - This is used by Web servers to track usage and to provide service based on ID. Web Proxy - This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to avoid content filtering restrictions. |
| Keyword Blocking | |
| Enable URL Keyword Blocking | Select this if you want the ZyXEL Device to block Web sites based on words in the web site address. For example, if you block the keyword bad, http://www.website.com/bad.html is blocked. |
| Keyword | Type a keyword you want to block in this field. You can use up to 64 printable ASCII characters. There is no wildcard character, however. |
| Add | Click this to add the specified Keyword to the Keyword List. You can enter up to 64 keywords. |
| Keyword List | This field displays the keywords that are blocked when Enable URL Keyword Blocking is selected. To delete a keyword, select it, click Delete, and click Apply. |
| Delete | Click Delete to remove the selected keyword in the Keyword List. The keyword disappears after you click Apply. |
| Clear All | Click this button to remove all of the keywords in the Keyword List. |
| Denied Access Message | Enter the message that is displayed when the ZyXEL Device's content filter feature blocks access to a web site. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to set every field in this screen to its last-saved value. |

17.2.2 Content Filter Schedule Screen

Use this screen to set up the schedule when content filtering is effective. To access this screen, click Security > Content Filter > Schedule.

Figure 129 Security > Content Filter > Schedule

Each field is described in the following table.

Table 80 Security > Content Filter > Schedule

| LABEL | DESCRIPTION |
|---|---|
| Day to Block | Select which days of the week you want content filtering to be effective. |
| Time of Day to Block | Select what time each day you want content filtering to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its last-saved value. |

CHAPTER 18 Static Route

Use these screens to configure static routes on the ZyXEL Device.
18.1 Static Route Overview

Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.

Figure 130 Example of Static Routing Topology

18.2 Static Route Screens

18.2.1 IP Static Route Screen

Use this screen to look at static routes in the ZyXEL Device. To access this screen, click Management > Static Route > IP Static Route.

The first static route is the default route and cannot be modified or deleted.

Figure 131 Management > Static Route > IP Static Route

Each field is described in the following table.

Table 81 Management > Static Route > IP Static Route

| LABEL | DESCRIPTION |
|---|---|
| # | This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it follows only the first one that applies. |
| Name | This field displays the name that describes the static route. |
| Active | This field shows whether this static route is active (Yes) or not (No). |
| Destination | This field displays the destination IP address(es) that this static route affects. |
| Gateway | This field displays the IP address of the gateway to which the ZyXEL Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. |
| Modify | Use this field to edit or erase the static route. Click the Edit icon to open the IP Static Route Edit screen for this static route. Click the Remove icon to erase this static route. |

18.2.2 IP Static Route Edit Screen

Use this screen to edit a static route in the ZyXEL Device. To access this screen, click an Edit icon in Management > Static Route > IP Static Route.

Figure 132 Management > Static Route > IP Static Route > Edit

Each field is described in the following table.

Table 82 Management > Static Route > IP Static Route > Edit

| LABEL | DESCRIPTION |
|---|---|
| Route Name | Enter the name of the static route. |
| Active | Select this if you want the static route to be used. Clear this if you do not want the static route to be used. |
| Private | Select this if you do not want the ZyXEL Device to tell other routers about this static route. For example, you might select this if the static route is in your LAN. Clear this if you want the ZyXEL Device to tell other routers about this static route. |
| Destination IP Address | Enter one of the destination IP addresses that this static route affects. |
| IP Subnet Mask | Enter the subnet mask that defines the range of destination IP addresses that this static route affects. If this static route affects only one IP address, enter 255.255.255.255. |
| Gateway IP Address | Enter the IP address of the gateway to which the ZyXEL Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. |
| Metric | Usually, you should keep the default value. This field is related to RIP. See Chapter 9 on page 119 for more information. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the metric, the lower the "cost". RIP uses hop count as the measurement of cost, where 1 is for a directly-connected network. The metric must be 1-15; if you use a value higher than 15, the routers assume the link is down. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to return to the previous screen without saving your changes. |

CHAPTER 19 Remote MGMT

Use these screens to control which computers can use which services to access the ZyXEL Device on each interface.

19.1 Remote Management Overview

Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.

You may manage your ZyXEL Device from a remote location via:
Table 83

- Internet (WAN only)
- ALL (LAN and WAN)
- LAN only
- Neither (Disable)

To disable remote management of a service, select Disable in the corresponding Server Access field.

You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.

1 Telnet
2 HTTP

19.1.1 Remote Management Limitations

Remote management over LAN or WAN will not work when:

1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.

19.1.2 Remote Management and NAT

When NAT is enabled:
- Use the ZyXEL Device's WAN IP address when configuring from the WAN.
- Use the ZyXEL Device's LAN IP address when configuring from the LAN.

19.1.3 System Timeout

There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the Maintenance > System > General screen.

19.2 Remote Management Screens

19.2.1 WWW Screen

Use this screen to control HTTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > WWW.

Figure 133 Management > Remote MGMT > WWW

Each field is described in the following table.

Table 84 Management > Remote MGMT > WWW

| LABEL | DESCRIPTION |
|---|---|
| Server Port | Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its default value. |

19.2.2 Telnet Screen

Use this screen to control Telnet access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > Telnet.

Figure 134 Management > Remote MGMT > Telnet

Each field is described in the following table.

Table 85 Management > Remote MGMT > Telnet

| LABEL | DESCRIPTION |
|---|---|
| Server Port | Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its default value. |

19.2.3 FTP Screen

Use this screen to control FTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > FTP.

Figure 135 Management > Remote MGMT > FTP

Each field is described in the following table.

Table 86 Management > Remote MGMT > FTP

| LABEL | DESCRIPTION |
|---|---|
| Server Port | Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its default value. |

19.3 SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

SNMP is only available if TCP/IP is configured.
Figure 136 SNMP Management Model

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

- Get - Allows the manager to retrieve an object variable from the agent.
- GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
- Set - Allows the manager to set values for object variables within an agent.
- Trap - Used by the agent to inform the manager of some events.

19.3.1 Supported MIBs

The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

19.3.2 SNMP Traps

The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs:
Table 87 SNMP Traps

| TRAP # | TRAP NAME | DESCRIPTION |
|---|---|---|
| 0 | coldStart (defined in RFC-1215) | A trap is sent after booting (power on). |
| 1 | warmStart (defined in RFC-1215) | A trap is sent after booting (software reboot). |
| 4 | authenticationFailure (defined in RFC-1215) | A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). |
| 6 | whyReboot (defined in ZYXEL-MIB) | A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start). |
| 6a | For intentional reboot: | A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", etc.). |
| 6b | For fatal error: | A trap is sent with the message of the fatal code if the system reboots because of fatal errors. |
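The following added example (not from the manual and not ZyXEL code) shows manager-side triage of the traps in Table 87: repeated authenticationFailure traps from one agent are flagged as community-string guessing, and a reboot trap arriving shortly afterwards is correlated with them. The log line layout, the thresholds and the 192.0.2.x addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Trap numbers and names as listed in Table 87.
TRAPS = {0: "coldStart", 1: "warmStart", 4: "authenticationFailure", 6: "whyReboot"}

# Constructed sample input. The layout (ISO timestamp, agent address, trap
# number, free text) is an assumption, not a ZyXEL or trap-receiver format.
SAMPLE_LOG = """\
2008-12-03T10:00:00 192.0.2.1 0 power on
2008-12-03T10:05:10 192.0.2.1 4 wrong community
2008-12-03T10:05:12 192.0.2.1 4 wrong community
2008-12-03T10:05:15 192.0.2.1 4 wrong community
2008-12-03T10:05:40 192.0.2.1 4 wrong community
2008-12-03T10:06:00 192.0.2.1 6 System reboot by user!
2008-12-03T10:07:30 192.0.2.1 1 software reboot
2008-12-03T11:00:00 192.0.2.7 4 wrong community
not a trap line
2008-12-03T11:30:00 192.0.2.7 9 unknown
"""


def parse(log_text):
    """Return (events, rejected): time-ordered trap tuples and unparsable lines."""
    events, rejected = [], []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        try:
            ts = datetime.fromisoformat(parts[0])
            agent, number = parts[1], int(parts[2])
        except (IndexError, ValueError):
            rejected.append(line)  # keep malformed input visible to the operator
            continue
        text = parts[3] if len(parts) > 3 else ""
        events.append((ts, agent, number, text))
    events.sort(key=lambda e: e[0])
    return events, rejected


def triage(events, threshold=3, window=timedelta(seconds=60),
           followup=timedelta(minutes=5)):
    """Return alerts as (timestamp, agent, kind, detail) tuples.

    threshold, window and followup are example values, not vendor defaults.
    """
    recent = defaultdict(deque)  # agent -> timestamps of recent failures
    last_burst = {}              # agent -> time of the latest burst alert
    alerts = []
    for ts, agent, number, text in events:
        name = TRAPS.get(number)
        if name is None:
            # A trap number that Table 87 does not list deserves a look.
            alerts.append((ts, agent, "unlisted-trap", str(number)))
        elif name == "authenticationFailure":
            q = recent[agent]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((ts, agent, "community-guessing",
                               f"{len(q)} failures in {window}"))
                last_burst[agent] = ts
                q.clear()              # one alert per burst
        else:
            # coldStart, warmStart or whyReboot soon after a burst of failures
            burst = last_burst.get(agent)
            if burst is not None and ts - burst <= followup:
                alerts.append((ts, agent, "reboot-after-failures",
                               f"{name}: {text}"))
    return alerts


if __name__ == "__main__":
    parsed, bad = parse(SAMPLE_LOG)
    for alert in triage(parsed):
        print(*alert)
    print("rejected lines:", bad)
```

On the sample, the whyReboot trap sent before the restart and the warmStart trap sent after it both fall inside the follow-up window, so a single reboot produces two correlated alerts.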
19.3.3 Configuring SNMP

To change your ZyXEL Device's SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown.

Use this screen to control FTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > SNMP.

Figure 137 Management > Remote MGMT > SNMP

The following table describes the labels in this screen.

Table 88 Remote Management: SNMP

| LABEL | DESCRIPTION |
|---|---|
| SNMP Configuration | |
| Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. |
| Set Community | Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests. |
| Trap Community | Enter the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. |
| Trap Destination | Enter the IP address of the station to send your SNMP traps to. |
| SNMP Port | You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. |
| Access Status | Select the interface(s) through which a computer may access the ZyXEL Device using this service. |
| Secured Client IP | A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service. |
| Apply | Click this button to save your customized settings and exit this screen. |
| Reset | Click this button to set each field in this screen to its default value. |

19.3.4 DNS Screen

Use this screen to control DNS access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > DNS.
Figure 138 Management > Remote MGMT > DNS

Each field is described in the following table.

Table 89 Management > Remote MGMT > DNS

| LABEL | DESCRIPTION |
|---|---|
| Server Port | This field is read-only. This field displays the port number this service uses to access the ZyXEL Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service. |
| Apply | Click this to save your changes. |
| Reset | Click this to set every field in this screen to its last-saved value. |

19.3.5 Security Screen

Use this screen to control how your ZyXEL Device responds to other types of requests. To access this screen, click Management > Remote MGMT > Security.

Figure 139 Management > Remote MGMT > Security

Each field is described in the following table.

Table 90 Management > Remote MGMT > Security

| LABEL | DESCRIPTION |
|---|---|
| Respond to Ping on | Select the interface(s) on which the ZyXEL Device should respond to incoming ping requests. Disable - the ZyXEL Device does not respond to any ping requests. LAN - the ZyXEL Device only responds to ping requests received from the LAN. WAN - the ZyXEL Device only responds to ping requests received from the WAN. LAN & WAN - the ZyXEL Device responds to ping requests received from the LAN or the WAN. |
| Do not respond to requests for unauthorized services | Select this to prevent outsiders from discovering your ZyXEL Device by sending requests to unsupported port numbers. If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed. If you clear this, your ZyXEL Device replies with an ICMP Port Unreachable packet for a port probe on unused UDP ports and with a TCP Reset packet for a port probe on unused TCP ports. |
| Apply | Click this to save your changes. |
| Cancel | Click this to set every field in this screen to its default value. |

CHAPTER 20 UPnP

Use this screen to set up UPnP.

20.1 Introducing Universal Plug and Play

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

20.1.1 How do I know if I'm using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

20.1.2 NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

- Dynamic port mapping
- Learning public IP addresses
- Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See Chapter 10 on page 129 for further information about NAT.

20.1.3 Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

20.1.4 UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementors Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.

The ZyXEL Device only sends UPnP multicasts to the LAN.

See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows.

20.2 UPnP Examples

20.2.1 Installing UPnP in Windows Example

This section shows how to install UPnP in Windows Me and Windows XP.

20.2.1.1 Installing UPnP in Windows Me

Follow the steps below to install the UPnP in Windows Me.

1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.

Figure 140 Add/Remove Programs: Windows Setup: Communication

3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.

Figure 141 Add/Remove Programs: Windows Setup: Communication Components

4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.

20.2.1.2 Installing UPnP in Windows XP

Follow the steps below to install the UPnP in Windows XP.

1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components.

Figure 142 Network Connections

4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.

Figure 143 Windows Optional Networking Components Wizard

5 In the Networking Services window, select the Universal Plug and Play check box.

Figure 144 Networking Services

6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

20.2.2 Using UPnP in Windows XP Example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.

Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.

20.2.2.1 Auto-discover Your UPnP-enabled Network Device

1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
Figure 145 Network Connections
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Figure 146 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 147 Internet Connection Properties: Advanced Settings
Figure 148 Internet Connection Properties: Advanced Settings: Add
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Figure 149 System Tray Icon
7 Double-click on the icon to display your current Internet connection status.
Figure 150 Internet Connection Status

20.2.2.2 Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This becomes helpful if you do not know the IP address of the ZyXEL Device.

Follow the steps below to access the web configurator.

1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
Figure 151 Network Connections
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
Figure 152 Network Connections: My Network Places
6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.
Figure 153 Network Connections: My Network Places: Properties: Example

20.3 UPnP Screen

Use this screen to set up UPnP in your ZyXEL Device. To access this screen, click Management > UPnP.

Figure 154 Management > UPnP

Each field is described in the following table.

Table 91 Management > UPnP

| LABEL | DESCRIPTION |
|---|---|
| Device Name | This field identifies your device in UPnP applications. |
| Enable the Universal Plug and Play (UPnP) Feature | Select this to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address. You still have to enter the password, however. |
| Allow users to make configuration changes through UPnP | Select this to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device. For example, using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. |
| Allow UPnP to pass through Firewall | Select this to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this if you want the firewall to check UPnP application packets (for example, MSN packets). |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to set every field in this screen to its default value. |

CHAPTER 21 System

Use this screen to set up general system settings, change the system mode, change the password, configure the DDNS server settings, and set the current date and time.

21.1 System Features Overview

21.1.1 System Name

System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.

In Windows 2000, click Start, Settings and Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.

In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name.

21.1.2 Domain Name

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the ZyXEL Device via DHCP.

21.1.3 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

The ZyXEL Device can get the DNS server addresses in the following ways.

1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up.
If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the SYSTEM General screen.
2 If the ISP did not give you DNS server information, leave the DNS Server fields in the SYSTEM General screen set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.

21.1.4 Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

If you have a private WAN IP address, then you cannot use Dynamic DNS.

21.1.5 Pre-defined NTP Time Servers List

The ZyXEL Device uses the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. The ZyXEL Device can use this pre-defined list of time servers regardless of the Time Protocol you select.

When the ZyXEL Device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the ZyXEL Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

Table 92 Pre-defined NTP Time Servers

ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

21.1.6 Resetting the Time

The ZyXEL Device resets the time in the following instances:
- When the ZyXEL Device starts up.
- When you click Apply in the Time Setting Screen.
- 24-hour intervals after starting.

21.2 System Screens

21.2.1 General System Screen

Use this screen to change the ZyXEL Device's mode, set up the ZyXEL Device's system name, domain name, idle timeout, and administrator password. To access this screen, click Maintenance > System > General.

Figure 155 Maintenance > System > General

Each field is described in the following table.

Table 93 Maintenance > System > General

| LABEL | DESCRIPTION |
|---|---|
| System Setup | |
| System Name | Enter your computer's "Computer Name". This is for identification purposes, but some ISPs also check this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted. |
| Domain Name | Enter the domain name entry that is propagated to DHCP clients on the LAN. If you leave this blank, the domain name obtained from the ISP is used. Use up to 38 alphanumeric characters. Spaces are not allowed, but dashes "-" and periods "." are accepted. |
| Administrator Inactivity Timer | Enter the number of minutes a management session can be left idle before the session times out. After it times out, you have to log in again. A value of "0" means a management session never times out, no matter how long it has been left idle. This is not recommended. Long idle timeouts may have security risks. The default is five minutes. |
| Password Setup | |
| Old Password | Enter the current password you use to access the ZyXEL Device. |
| New Password | Enter the new password for the ZyXEL Device. You can use up to 30 characters. As you type the password, the screen displays an asterisk (*) for each character you type. |
| Retype to Confirm | Enter the new password again. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its default value. |

21.2.2 Dynamic DNS Screen

Use this screen to set up the ZyXEL Device as a dynamic DNS client. To access this screen, click Maintenance > System > Dynamic DNS.

Figure 156 Maintenance > System > Dynamic DNS

Each field is described in the following table.

Table 94 Maintenance > System > Dynamic DNS

| LABEL | DESCRIPTION |
|---|---|
| Dynamic DNS Setup | |
| Enable Dynamic DNS | Select this to use dynamic DNS. |
| Service Provider | Select the name of your Dynamic DNS service provider. |
| Dynamic DNS Type | Select the type of service that you are registered for from your Dynamic DNS service provider. |
| Host Name | Enter the host name. You can specify up to two host names, separated by a comma (","). |
| User Name | Enter your user name. |
| Password | Enter the password assigned to you. |
| Enable Wildcard Option | Select this to enable the DynDNS Wildcard feature. |
| Enable offline option | This field is available when CustomDNS is selected in the DDNS Type field. Select this if your Dynamic DNS service provider redirects traffic to a URL that you can specify while you are off line. Check with your Dynamic DNS service provider. |
| IP Address Update Policy | |
| Use WAN IP Address | Select this if you want the ZyXEL Device to update the domain name with the WAN port's IP address. |
| Dynamic DNS server auto detect IP address | Select this if you want the DDNS server to update the IP address of the host name(s) automatically. Select this option when there are one or more NAT routers between the ZyXEL Device and the DDNS server. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server. |
| Use specified IP address | Select this if you want to use the specified IP address with the host name(s). Then, specify the IP address. Use this option if you have a static IP address. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its default value. |

21.2.3 Time Setting Screen

Use this screen to set the date, time, and time zone in the ZyXEL Device. To access this screen, click Maintenance > System > Time Setting.

Figure 157 Maintenance > System > Time Setting

Each field is described in the following table.

Table 95 Maintenance > System > Time Setting

| LABEL | DESCRIPTION |
|---|---|
| Current Time and Date | This section displays the current date and time. |
| Time and Date Setup | |
| Manual | Select this if you want to specify the current date and time in the fields below. |
| New Time | Enter the new time in this field, and click Apply. |
| New Date | Enter the new date in this field, and click Apply. |
| Get from Time Server | Select this if you want to use a time server to update the current date and time in the ZyXEL Device. |
| Time Protocol | Select the time service protocol that your time server uses. Check with your ISP or network administrator, or use trial-and-error to find a protocol that works. Daytime (RFC 867) - This format is day/month/year/time zone. Time (RFC 868) - This format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305) - This format is similar to Time (RFC 868). |
| Time Server Address | Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information. |
| Time Zone Setup | |
| Time Zone | Select the time zone at your location. |
| Daylight Savings | Select this if your location uses daylight savings time. Daylight savings is a period from late spring to early fall when many places set their clocks ahead of normal local time by one hour to give more daytime light in the evening. |
| Start Date | Enter which hour on which day of which week of which month daylight-savings time starts. |
| End Date | Enter which hour on which day of which week of which month daylight-savings time ends. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Reset | Click this to set every field in this screen to its last-saved value. |

CHAPTER 22 Logs

Use these screens to look at log entries and alerts and to configure the ZyXEL Device's log and alert settings.

22.1 Logs Overview

For a list of log messages, see Section 22.3 on page 245.

22.1.1 Alerts

An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts.

22.1.2 Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.
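
A small parser for event and traffic log lines in the Table 96 format, doing the kind of job the external log analyzer mentioned above does: it decodes the priority into facility and severity, totals traffic per direction, and counts failed management logins per source. This is an added example, not code from ZyXEL or from this manual; the sample lines are constructed, and it assumes the angle-bracket items in Table 96 are placeholders that do not appear literally and that failed logins carry the message strings listed in Table 101.

```python
import re
from collections import Counter, defaultdict

# Header per Table 96: <Facility*8 + Severity>Mon dd hr:mm:ss hostname fields...
HEADER = re.compile(r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
# Fields are key="quoted value" (event data) or key=bare (traffic counters).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Failed-login messages as listed in Table 101 (System Maintenance Logs).
FAILED_LOGIN = {"WEB login failed", "TELNET Login Fail", "FTP login failed"}

# Constructed sample lines (addresses, devID and categories are made up).
SAMPLE = """\
<141>Dec 03 10:15:02 RAS src="192.168.1.33:1061" dst="192.168.1.1:80" msg="WEB login failed" note="" devID="001349000001" cat="System Maintenance"
<141>Dec 03 10:15:09 RAS src="192.168.1.33:1063" dst="192.168.1.1:23" msg="TELNET Login Fail" note="" devID="001349000001" cat="System Maintenance"
<142>Dec 03 10:15:30 RAS src="192.168.1.20:1100" dst="192.168.1.1:80" msg="Successful WEB login" note="" devID="001349000001" cat="System Maintenance"
<142>Dec 03 10:16:40 RAS src="192.168.1.20:1101" dst="192.0.2.10:443" msg="Traffic Log" note="Traffic Log" devID="001349000001" cat="Traffic Log" duration=35 sent=1800 rcvd=52000 dir="LAN:WAN" protoID=6 proto="https" trans="Normal"
<142>Dec 03 10:17:05 RAS src="192.168.1.33:1070" dst="192.0.2.10:80" msg="Traffic Log" note="Traffic Log" devID="001349000001" cat="Traffic Log" duration=4 sent=200 rcvd=3000 dir="LAN:WAN" protoID=6 proto="http" trans="Normal"
this line is not syslog and is skipped
"""


def split_endpoint(value):
    """Split 'ip:port' into (ip, port); port is None when it is missing."""
    ip, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return value, None


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri, stamp, host, rest = m.groups()
    rec = {"facility": int(pri) // 8, "severity": int(pri) % 8,
           "time": stamp, "host": host}
    for key, quoted, bare in FIELD.findall(rest):
        rec[key] = bare if bare else quoted
    for side in ("src", "dst"):
        if side in rec:
            rec[side + "_ip"], rec[side + "_port"] = split_endpoint(rec[side])
    # Traffic logs always carry cat="Traffic Log" and add numeric counters.
    rec["is_traffic"] = rec.get("cat") == "Traffic Log"
    if rec["is_traffic"]:
        for key in ("duration", "sent", "rcvd", "protoID"):
            if str(rec.get(key, "")).isdigit():
                rec[key] = int(rec[key])
    return rec


def parse_all(text):
    """Parse every matching line of a log capture, skipping the rest."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def traffic_by_direction(records):
    """Total (sent, rcvd) bytes per dir value such as 'LAN:WAN'."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if (r["is_traffic"] and isinstance(r.get("sent"), int)
                and isinstance(r.get("rcvd"), int)):
            totals[r.get("dir", "?")][0] += r["sent"]
            totals[r.get("dir", "?")][1] += r["rcvd"]
    return {d: tuple(v) for d, v in totals.items()}


def failed_logins(records):
    """Count failed web, telnet and FTP logins per source IP."""
    return Counter(r.get("src_ip", "?") for r in records
                   if not r["is_traffic"] and r.get("msg") in FAILED_LOGIN)


if __name__ == "__main__":
    recs = parse_all(SAMPLE)
    print("traffic:", traffic_by_direction(recs))
    print("failed logins:", dict(failed_logins(recs)))
```
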

Table 96 Syslog Logs

LOG MESSAGE: Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
DESCRIPTION: This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The devID is the MAC address of the router's LAN port. The cat is the same as the category in the router's logs.

LOG MESSAGE: Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"
DESCRIPTION: This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 97 RFC-2408 ISAKMP Payload Types

| LOG DISPLAY | PAYLOAD TYPE |
|---|---|
| SA | Security Association |
| PROP | Proposal |
| TRANS | Transform |
| KE | Key Exchange |
| ID | Identification |
| CER | Certificate |
| CER_REQ | Certificate Request |
| HASH | Hash |
| SIG | Signature |
| NONCE | Nonce |
| NOTFY | Notification |
| DEL | Delete |
| VID | Vendor ID |

22.2 Logs Screens

22.2.1 Log Viewer Screen

Use this screen to look at log entries and alerts. Alerts are written in red. To access this screen, click Maintenance > Logs > View Log.

Figure 158 Maintenance > Logs > View Log

Click a column header to sort log entries in descending (later-to-earlier) order. Click again to sort in ascending order. The small triangle next to a column header indicates how the table is currently sorted (pointing downward is descending; pointing upward is ascending).

Each field is described in the following table.

Table 98 Maintenance > Logs > View Log

| LABEL | DESCRIPTION |
|---|---|
| Display | Select a category whose log entries you want to view. To view all logs, select All Logs. The list of categories depends on what log categories are selected in the Log Settings page. |
| Email Log Now | Click this to send the log screen to the e-mail address specified in the Log Settings page. |
| Refresh | Click Refresh to renew the log screen. |
| Clear Log | Click Clear Log to clear all the log entries, regardless of what is shown on the log screen. |
| | This field is a sequential value, and it is not associated with a specific log entry. |
| Time | This field displays the time the log entry was recorded. |
| Message | This field displays the reason for the log entry. See Section 22.3 on page 245. |
| Source | This field displays the source IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available. |
| Destination | This field lists the destination IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available. |
| Note | This field displays additional information about the log entry. |

22.2.2 Log Settings Screen

Use this screen to configure where the ZyXEL Device sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded. To access this screen, click Maintenance > Logs > Log Settings.

Figure 159 Maintenance > Logs > Log Settings

Each field is described in the following table.

Table 99 Maintenance > Logs > Log Settings

| LABEL | DESCRIPTION |
|---|---|
| E-mail Log Settings | |
| Mail Server | Enter the server name or the IP address of the mail server the ZyXEL Device should use to e-mail logs and alerts. Leave this field blank if you do not want to send logs or alerts by e-mail. |
| Mail Subject | Enter the subject line used in e-mail messages the ZyXEL Device sends. |
| Send Log to | Enter the e-mail address to which log entries are sent by e-mail. Leave this field blank if you do not want to send logs by e-mail. |
| Send Alerts to | Enter the e-mail address to which alerts are sent by e-mail. Leave this field blank if you do not want to send alerts by e-mail. |
| Log Schedule | Select the frequency with which the ZyXEL Device should send log messages by e-mail: Daily, Weekly, Hourly, When Log is Full, None. If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent. |
| Day for Sending Log | This field is only available when you select Weekly in the Log Schedule field. Select which day of the week to send the logs. |
| Time for Sending Log | This field is only available when you select Daily or Weekly in the Log Schedule field. Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. |
| Clear log after sending mail | Select this to clear all logs and alert messages after logs are sent by e-mail. |
| Syslog Logging | Syslog logging sends a log to an external syslog server used to store logs. |
| Active | Select this to enable syslog logging. |
| Syslog Server IP Address | Enter the server name or IP address of the syslog server that logs the selected categories of logs. |
| Log Facility | Select a location. The log facility allows you to log the messages in different files in the syslog server. See the documentation of your syslog for more details. |
| Active Log and Alert | |
| Log | Select the categories of logs that you want to record. |
| Send immediate alert | Select the categories of alerts that you want the ZyXEL Device to send immediately. |
| Apply | Click this to save your changes and to apply them to the ZyXEL Device. |
| Cancel | Click this to set every field in this screen to its last-saved value. |

22.3 Log Message Descriptions

The following tables provide descriptions of example log messages.

Table 100 System Error Logs

LOG MESSAGE: WAN connection is down.
DESCRIPTION: The WAN connection is down. You cannot access the network through this interface.

LOG MESSAGE: %s exceeds the max. number of session per host!
DESCRIPTION: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Table 101 System Maintenance Logs

LOG MESSAGE: Time calibration is successful
DESCRIPTION: The device has adjusted its time based on information from the time server.

LOG MESSAGE: Time calibration failed
DESCRIPTION: The device failed to get information from the time server.

LOG MESSAGE: WAN interface gets IP: %s
DESCRIPTION: The WAN interface got a new IP address from the DHCP or PPPoE server.

LOG MESSAGE: DHCP client gets %s
DESCRIPTION: A DHCP client got a new IP address from the DHCP server.

LOG MESSAGE: DHCP client IP expired
DESCRIPTION: A DHCP client's IP address has expired.

LOG MESSAGE: DHCP server assigns %s
DESCRIPTION: The DHCP server assigned an IP address to a client.

LOG MESSAGE: Successful WEB login
DESCRIPTION: Someone has logged on to the device's web configurator interface.

LOG MESSAGE: WEB login failed
DESCRIPTION: Someone has failed to log on to the device's web configurator interface.

LOG MESSAGE: TELNET Login Successfully
DESCRIPTION: Someone has logged on to the router via telnet.

LOG MESSAGE: TELNET Login Fail
DESCRIPTION: Someone has failed to log on to the router via telnet.

LOG MESSAGE: Successful FTP login
DESCRIPTION: Someone has logged on to the device via ftp.

LOG MESSAGE: FTP login failed
DESCRIPTION: Someone has failed to log on to the device via ftp.

LOG MESSAGE: NAT Session Table is Full!
DESCRIPTION: The maximum number of NAT session table entries has been exceeded and the table is full.

LOG MESSAGE: Time initialized by Daytime Server
DESCRIPTION: The device got the time and date from the Daytime server.

LOG MESSAGE: Time initialized by Time server
DESCRIPTION: The device got the time and date from the time server.

LOG MESSAGE: Time initialized by NTP server
DESCRIPTION: The device got the time and date from the NTP server.

LOG MESSAGE: Connect to Daytime server fail
DESCRIPTION: The device was not able to connect to the Daytime server.

LOG MESSAGE: Connect to Time server fail
DESCRIPTION: The device was not able to connect to the Time server.

LOG MESSAGE: Connect to NTP server fail
DESCRIPTION: The device was not able to connect to the NTP server.

LOG MESSAGE: Too large ICMP packet has been dropped
DESCRIPTION: The device dropped an ICMP packet that was too large.

LOG MESSAGE: Configuration Change: PC = 0x%x, Task ID = 0x%x
DESCRIPTION: The device is saving configuration changes.

Table 102 Access Control Logs

LOG MESSAGE: Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>
DESCRIPTION: Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting.

LOG MESSAGE: Firewall rule [NOT] match:[ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>
DESCRIPTION: Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.

LOG MESSAGE: Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
DESCRIPTION: The firewall allowed a triangle route session to pass through.

LOG MESSAGE: Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
DESCRIPTION: The router blocked a packet that didn't have a corresponding NAT table entry.

LOG MESSAGE: Router sent blocked web site message: TCP
DESCRIPTION: The router sent a message to notify a user that the router blocked access to a web site that the user requested.

LOG MESSAGE: Exceed maximum sessions per host (%d).
DESCRIPTION: The device blocked a session because the host's connections exceeded the maximum sessions per host.

LOG MESSAGE: Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]
DESCRIPTION: A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.

Table 103 TCP Reset Logs

LOG MESSAGE: Under SYN flood attack, sent TCP RST
DESCRIPTION: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)

LOG MESSAGE: Exceed TCP MAX incomplete, sent TCP RST
DESCRIPTION: The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.)

LOG MESSAGE: Peer TCP state out of order, sent TCP RST
DESCRIPTION: The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC793 Figure 6 to check the TCP state.

LOG MESSAGE: Firewall session time out, sent TCP RST
DESCRIPTION: The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows:
- ICMP idle timeout: 3 minutes
- UDP idle timeout: 3 minutes
- TCP connection (three way handshaking) timeout: 270 seconds
- TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).
- TCP idle (established) timeout (s): 150 minutes
- TCP reset timeout: 10 seconds

LOG MESSAGE: Exceed MAX incomplete, sent TCP RST
DESCRIPTION: The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.) Note: When the number of incomplete connections (TCP + UDP) > Maximum Incomplete High, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < Maximum Incomplete Low.

LOG MESSAGE: Access block, sent TCP RST
DESCRIPTION: The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: sys firewall tcprst).

Table 104 Packet Filter Logs

LOG MESSAGE: [ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d)
DESCRIPTION: Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.

For type and code details, see Table 112 on page 251.

Table 105 ICMP Logs

LOG MESSAGE: Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>
DESCRIPTION: ICMP access matched the default policy and was blocked or forwarded according to the user's setting.

LOG MESSAGE: Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
DESCRIPTION: ICMP access matched (or didn't match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.

LOG MESSAGE: Triangle route packet forwarded: ICMP
DESCRIPTION: The firewall allowed a triangle route session to pass through.

LOG MESSAGE: Packet without a NAT table entry blocked: ICMP
DESCRIPTION: The router blocked a packet that didn't have a corresponding NAT table entry.

LOG MESSAGE: Unsupported/out-of-order ICMP: ICMP
DESCRIPTION: The firewall does not support this kind of ICMP packets or the ICMP packets are out of order.

LOG MESSAGE: Router reply ICMP packet: ICMP
DESCRIPTION: The router sent an ICMP reply packet to the sender.

Table 106 CDR Logs

LOG MESSAGE: board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s
DESCRIPTION: The router received the setup requirements for a call. call is the reference (count) number of the call. dev is the device type (3 is for dial-up, 6 is for PPPoE). "channel" or ch is the call channel ID. For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0" means the router has dialed to the PPPoE server 3 times.

LOG MESSAGE: board %d line %d channel %d, call %d, %s C02 OutCall Connected %d %s
DESCRIPTION: The PPPoE or dial-up call is connected.

LOG MESSAGE: board %d line %d channel %d, call %d, %s C02 Call Terminated
DESCRIPTION: The PPPoE or dial-up call was disconnected.

Table 107 PPP Logs

LOG MESSAGE: ppp:LCP Starting
DESCRIPTION: The PPP connection's Link Control Protocol stage has started.

LOG MESSAGE: ppp:LCP Opening
DESCRIPTION: The PPP connection's Link Control Protocol stage is opening.

LOG MESSAGE: ppp:CHAP Opening
DESCRIPTION: The PPP connection's Challenge Handshake Authentication Protocol stage is opening.

LOG MESSAGE: ppp:IPCP Starting
DESCRIPTION: The PPP connection's Internet Protocol Control Protocol stage is starting.

LOG MESSAGE: ppp:IPCP Opening
DESCRIPTION: The PPP connection's Internet Protocol Control Protocol stage is opening.

LOG MESSAGE: ppp:LCP Closing
DESCRIPTION: The PPP connection's Link Control Protocol stage is closing.

LOG MESSAGE: ppp:IPCP Closing
DESCRIPTION: The PPP connection's Internet Protocol Control Protocol stage is closing.

Table 108 UPnP Logs

LOG MESSAGE: UPnP pass through Firewall
DESCRIPTION: UPnP packets can pass through the firewall.

Table 109 Content Filtering Logs

LOG MESSAGE: %s: Keyword blocking
DESCRIPTION: The content of a requested web page matched a user defined keyword.

LOG MESSAGE: %s: Not in trusted web list
DESCRIPTION: The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.

LOG MESSAGE: %s: Forbidden Web site
DESCRIPTION: The web site is in the forbidden web site list.

LOG MESSAGE: %s: Contains ActiveX
DESCRIPTION: The web site contains ActiveX.

LOG MESSAGE: %s: Contains Java applet
DESCRIPTION: The web site contains a Java applet.

LOG MESSAGE: %s: Contains cookie
DESCRIPTION: The web site contains a cookie.

LOG MESSAGE: %s: Proxy mode detected
DESCRIPTION: The router detected proxy mode in the packet.

LOG MESSAGE: %s: Trusted Web site
DESCRIPTION: The web site is in a trusted domain.

LOG MESSAGE: %s
DESCRIPTION: When the content filter is not on according to the time schedule.

LOG MESSAGE: Waiting content filter server timeout
DESCRIPTION: The external content filtering server did not respond within the timeout period.

LOG MESSAGE: DNS resolving failed
DESCRIPTION: The ZyXEL Device cannot get the IP address of the external content filtering via DNS query.

LOG MESSAGE: Creating socket failed
DESCRIPTION: The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port:port number.

LOG MESSAGE: Connecting to content filter server fail
DESCRIPTION: The connection to the external content filtering server failed.

LOG MESSAGE: License key is invalid
DESCRIPTION: The external content filtering license key is invalid.

For type and code details, see Table 112 on page 251.

Table 110 Attack Logs

LOG MESSAGE: attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
DESCRIPTION: The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.

LOG MESSAGE: attack ICMP (type:%d, code:%d)
DESCRIPTION: The firewall detected an ICMP attack.

LOG MESSAGE: land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
DESCRIPTION: The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.

The firewall detected an IP spoofing attack on the WAN port. The firewall detected an ICMP IP spoofing attack on the WAN port. The firewall detected an ICMP echo attack. DESCRIPTION The firewall detected an ICMP land attack. The firewall detected a TCP syn flood attack. The firewall detected a TCP port scan attack. The firewall detected a TCP teardrop attack. The firewall detected an UDP teardrop attack. The firewall detected an ICMP teardrop attack. Table 110 Attack Logs (continued) LOG MESSAGE land ICMP (type:%d, code:%d) ip spoofing - WAN [ TCP |
UDP | IGMP | ESP | GRE |
OSPF ]
ip spoofing - WAN ICMP
(type:%d, code:%d) icmp echo : ICMP
(type:%d, code:%d) syn flood TCP ports scan TCP teardrop TCP teardrop UDP teardrop ICMP (type:%d, code:%d) illegal command TCP NetBIOS TCP ip spoofing - no routing entry [ TCP | UDP | IGMP
| ESP | GRE | OSPF ]
ip spoofing - no routing entry ICMP (type:%d, code:%d) vulnerability ICMP
(type:%d, code:%d) traceroute ICMP (type:%d, code:%d) ports scan UDPThe firewall detected a UDP port scan attack. Firewall sent TCP packet in response to DoS attack TCP ICMP Source Quench ICMPThe firewall detected an ICMP Source Quench attack. ICMP Time Exceed ICMPThe firewall detected an ICMP Time Exceed attack. ICMP Destination Unreachable ICMP ping of death. ICMPThe firewall detected an ICMP ping of death attack. smurf ICMPThe firewall detected an ICMP smurf attack. The firewall detected an ICMP traceroute attack. The firewall detected an ICMP vulnerability attack. The firewall detected a TCP illegal command attack. The firewall detected a TCP NetBIOS attack. The firewall classified a packet with no source routing entry as an IP spoofing attack. The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack. The firewall detected an ICMP Destination Unreachable attack. The firewall sent TCP packet in response to a DoS attack Table 111 Remote Management Logs LOG MESSAGE Remote Management: FTP deniedAttempted use of FTP service was blocked according to DESCRIPTION remote management settings. Remote Management: TELNET deniedAttempted use of TELNET service was blocked according to remote management settings. 250 MAX-200HW2 Series Users Guide Chapter 22Logs Table 111 Remote Management Logs LOG MESSAGE Remote Management: HTTP or UPnP denied Remote Management: WWW deniedAttempted use of WWW service was blocked according to DESCRIPTION Attempted use of HTTP or UPnP service was blocked according to remote management settings. remote management settings. Remote Management: HTTPS deniedAttempted use of HTTPS service was blocked according to remote management settings. Remote Management: SSH deniedAttempted use of SSH service was blocked according to Remote Management: ICMP Ping response denied Remote Management: DNS deniedAttempted use of DNS service was blocked according to remote management settings. 
Attempted use of ICMP service was blocked according to remote management settings. remote management settings. Table 112 ICMP Notes TYPE 0 CODE 3 4 5 8 11 12 0 0 1 2 3 4 5 0 0 1 2 3 0 0 1 0 DESCRIPTION Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) Source route failed Source Quench A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. Redirect Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem Pointer indicates the error MAX-200HW2 Series Users Guide 251 Chapter 22Logs 0 14 CODE Table 112 ICMP Notes (continued) TYPE DESCRIPTION 13 Timestamp Timestamp request message Timestamp Reply Timestamp reply message Information Request Information request message Information Reply Information reply message 15 16 0 0 0 Table 113 SIP Logs LOG MESSAGE SIP Registration Success by SIP:SIP Phone Number SIP Registration Fail by SIP:SIP Phone Number SIP UnRegistration Success by SIP:SIP Phone Number SIP UnRegistration Fail by SIP:SIP Phone Number Table 114 RTP Logs LOG MESSAGE Error, RTP init fail Error, Call fail: RTP connect fail Error, RTP connection cannot close DESCRIPTION The listed SIP account was successfully registered with a SIP register server. An attempt to register the listed SIP account with a SIP register server was not successful. The listed SIP accounts registration was deleted from the SIP register server. An attempt to delete the listed SIP accounts registration from the SIP register server failed. 
DESCRIPTION The initialization of an RTP session failed. A VoIP phone call failed because the RTP session could not be established. The termination of an RTP session failed. Table 115 FSM Logs: Caller Side LOG MESSAGE VoIP Call Start Ph[Phone Port Number] <- Outgoing Call Number VoIP Call Established Ph[Phone Port] ->
Outgoing Call Number VoIP Call End Phone[Phone Port]
DESCRIPTION Someone used a phone connected to the listed phone port to initiate a VoIP call to the listed destination. Someone used a phone connected to the listed phone port to make a VoIP call to the listed destination. A VoIP phone call made from a phone connected to the listed phone port has terminated. 252 MAX-200HW2 Series Users Guide
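One way to triage the attack messages of Table 110 and decode their ICMP type and code with Table 112, as an added example that is not part of the ZyXEL manual. It assumes each input string is the log's message field alone (timestamp and address columns are not shown on this page); the names `parse_attack`, `summarize` and `SAMPLE` are hypothetical.

```python
import re
from collections import Counter

# Attack names from Table 110, lower-cased, trailing " :" or "." dropped.
ATTACKS = {"attack", "land", "ip spoofing - wan", "ip spoofing - no routing entry",
           "icmp echo", "syn flood", "ports scan", "teardrop", "illegal command",
           "netbios", "vulnerability", "traceroute", "icmp source quench",
           "icmp time exceed", "icmp destination unreachable", "ping of death",
           "smurf", "firewall sent tcp packet in response to dos attack"}
# Table 112, abridged: ICMP type -> (type name, code meanings indexed by code).
ICMP = {
    0: ("Echo Reply", ["Echo reply message"]),
    3: ("Destination Unreachable", ["Net unreachable", "Host unreachable",
        "Protocol unreachable", "Port unreachable",
        "Fragmentation needed but DF set", "Source route failed"]),
    4: ("Source Quench", ["Gateway out of buffer space"]),
    5: ("Redirect", ["Network", "Host", "ToS and Network", "ToS and Host"]),
    8: ("Echo", ["Echo message"]),
    11: ("Time Exceeded", ["Time to live exceeded in transit", "Reassembly time exceeded"]),
    12: ("Parameter Problem", ["Pointer indicates the error"]),
    13: ("Timestamp", ["Timestamp request message"]),
    14: ("Timestamp Reply", ["Timestamp reply message"]),
    15: ("Information Request", ["Information request message"]),
    16: ("Information Reply", ["Information reply message"]),
}
MSG = re.compile(r"^(?P<name>.+?)\s+(?P<proto>TCP|UDP|IGMP|ESP|GRE|OSPF|ICMP)"
                 r"(?:\s*\(type:(?P<type>\d+),\s*code:(?P<code>\d+)\))?$")

def parse_attack(message):
    """Return a dict for a Table 110 attack message, or None for any other log."""
    m = MSG.match(message.strip())
    name = m["name"].lower().rstrip(" :.") if m else None
    if name not in ATTACKS:
        return None
    event = {"attack": name, "proto": m["proto"], "icmp": None}
    if m["type"] is not None:
        t, c = int(m["type"]), int(m["code"])
        tname, codes = ICMP.get(t, ("type not in Table 112", []))
        event["icmp"] = (tname, codes[c] if c < len(codes) else "code not listed")
    return event

def summarize(messages):
    """Count events per (attack, protocol); non-attack lines are skipped."""
    return Counter((e["attack"], e["proto"]) for e in map(parse_attack, messages) if e)

# Constructed sample: message field only, without timestamp or address columns.
SAMPLE = ["syn flood TCP", "syn flood TCP", "attack ICMP (type:3, code:3)",
          "icmp echo : ICMP (type:8, code:0)", "teardrop ICMP (type:40, code:0)",
          "ip spoofing - WAN UDP", "ppp:LCP Starting", "Remote Management: TELNET denied"]
print(summarize(SAMPLE).most_common())
```

An ICMP type or code that Table 112 does not list is reported as such rather than dropped, so unexpected values stay visible during review.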
app s | | frequency | equipment class | purpose |
---|---|---|---|---|
1 | 2008-03-17 | 2412 ~ 2462 | DTS - Digital Transmission System | Original Equipment |
2 | | 2501 ~ 2685 | TNB - Licensed Non-Broadcast Station Transmitter | |
app s | Applicant Information | |||||
---|---|---|---|---|---|---|
1 2 | Effective | 2008-03-17 | ||||
1 2 | Applicant's complete, legal business name | ZyXEL Communications Corporation | ||||
1 2 | FCC Registration Number (FRN) | 0021059092 | ||||
1 2 | Physical Address | No.2, Industry East Road IX, Science Park | ||||
1 2 | | Hsinchu, N/A | ||||
1 2 | | Taiwan | ||||
app s | TCB Information | |||||
1 2 | TCB Application Email Address | c******@curtis-straus.com | ||||
1 2 | TCB Scope | A4: UNII devices & low power transmitters using spread spectrum techniques | ||||
1 2 | | B1: Commercial mobile radio services equipment in the following 47 CFR Parts 20, 22 (cellular), 24,25 (below 3 GHz) & 27 | ||||
app s | FCC ID | |||||
1 2 | Grantee Code | I88 | ||||
1 2 | Equipment Product Code | MAX200HW2 | ||||
app s | Person at the applicant's address to receive grant or for contact | |||||
1 2 | Name | E****** B****** | ||||
1 2 | Title | Section Manager | ||||
1 2 | Telephone Number | 886 3******** Extension: | ||||
1 2 | Fax Number | 886 3******** | ||||
1 2 | | E******@zyxel.com.tw | ||||
app s | Technical Contact | |||||
1 2 | Firm Name | Advance Data Technology Corporation (Hsin Chu) | ||||
1 2 | Name | E****** L**** | ||||
1 2 | Physical Address | 81-1 Luliaoken, 9th Lin, Wulung Tsuen Chiunglin | ||||
1 2 | | Hsinchu, 307 | ||||
1 2 | | Taiwan | ||||
1 2 | Telephone Number | 886-3******** Extension: | ||||
1 2 | Fax Number | 886-3******** | ||||
1 2 | | e******@adt.com.tw | ||||
app s | Non Technical Contact | |||||
1 2 | Firm Name | Advance Data Technology Corporation | ||||
1 2 | Name | E******** L****** | ||||
1 2 | Physical Address | 81-1 Luliaoken, 9th Lin, Wulung Tsuen Chiunglin | ||||
1 2 | | Hsinchu, 307 | ||||
1 2 | | Taiwan | ||||
1 2 | Telephone Number | 886-3******** Extension: | ||||
1 2 | Fax Number | 886-3******** | ||||
1 2 | | e******@adt.com.tw | ||||
app s | Confidentiality (long or short term) | |||||
1 2 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes | ||||
1 2 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
1 2 | If so, specify the short-term confidentiality release date (MM/DD/YYYY format) | 09/13/2008 | ||||
if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
1 2 | Is this application for software defined/cognitive radio authorization? | No | ||||
1 2 | Equipment Class | DTS - Digital Transmission System | ||||
1 2 | TNB - Licensed Non-Broadcast Station Transmitter | |||||
1 2 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | WiMAX Router | ||||
1 2 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No | ||||
1 2 | Modular Equipment Type | Does not apply | ||||
1 2 | Purpose / Application is for | Original Equipment | ||||
1 2 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | Yes | ||||
1 2 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
1 2 | Grant Comments | Output power listed is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the specific WiMAX / WLAN co-location which has been evaluated in this filing. End -users and installers must be provided with antenna installation and transmitter operating conditions for satisfying RF exposure compliance. | ||||
1 2 | Output power listed is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the specific WiMAX / WLAN co-location which has been evaluated in this filing. End -users and installers must be provided with antenna installation and transmitter operating conditions for satisfying RF exposure compliance. RF exposure compliance may need to be addressed at the time of licensing, as required by the responsible FCC Bureau(s), including antenna co-location requirements of 1.1307(b)(3). | |||||
1 2 | Is there an equipment authorization waiver associated with this application? | No | ||||
1 2 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
app s | Test Firm Name and Contact Information | |||||
1 2 | Firm Name | Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch | ||||
1 2 | Name | R****** C**** | ||||
1 2 | Telephone Number | 886-2******** | ||||
1 2 | Fax Number | 886-2******** | ||||
1 2 | | r******@tw.bureauveritas.com | ||||
Equipment Specifications
app s | Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number |
---|---|---|---|---|---|---|---|---|---|
1 | 1 | 15C | CC | 2412.00000000 | 2462.00000000 | 0.1120000 | | | |
2 | 1 | 27 | CC | 2498.5 | 2687.5 | 0.259 | 3.94 ppm | 4M47G9W | |
2 | 2 | 27 | CC | 2501 | 2685 | 0.256 | 3.02 ppm | 9M08G9W | |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details