Zyxel Prestige 660H Series Manual
External, Firewall protection, DHCP support, ARP support, auto-uplink (auto MDI/MDI-X), Stateful Packet Inspection (SPI), DoS attack prevention, content…
ZyXEL P-660H series is an all-in-one affordable router, compatible with high-speed ADSL, ADSL2 and ADSL2+ interfaces over existing copper lines. With speed up to 12Mbps (ADSL2) or 24Mbps (ADSL2+), the P-660H series offers higher data transfer rates and better bandwidth than traditional ADSL gateways. It also supports RE ADSL (Reach-Extended ADSL) for higher speed and longer distance. With excellent performance and upward compatibility, the P-660H series is great as the bridge between today's...
User reviews and opinions
iaw4, 9:54am on Tuesday, July 13th, 2010
Disappointed & happy. Disappointed that the product I received does not work. Happy that the seller has offered to replace the P-660 router. Works great; low latency I use this modem with the ISP Speakeasy, at regular DSL speeds of 3.0/768. The modem does what a modem is supposed to do.
zurik, 11:34am on Sunday, May 9th, 2010
Wrong item shipped The wrong item was received. I Ordered the ZyXEL P-600R-ELNK; they shipped a different #.
mcd7, 3:38am on Monday, April 26th, 2010
Great Product I already had a wired ZyXEL that came free from my ISP, so picked this for that reason. Easy to set up, now have Laptops, Wii.
paperjam, 1:26pm on Wednesday, April 7th, 2010
SNOW JOB SELLER DID NOT SHIP ITEM I PURCHASED. SHIPPED ONE OF LESSER VALUE WHICH WAS NOT COMPATIBLE WITH MY SYSTEM.
Comments posted on www.ps2netdrivers.net are solely the views and opinions of the people posting them and do not necessarily reflect the views or opinions of us.
Prestige 660H/HW Series
802.11g Wireless ADSL 2+ 4-port Gateway
Prestige 660H ADSL 2+ 4 Port Gateway over POTS Prestige 660H ADSL 2+ 4 Port Gateway over
Prestige 660HW 802.11g Wireless ADSL Port Gateway over POTS
Gateway over ISDN/U-R2

ZyXEL's Prestige 660H/HW series is an all-in-one ADSL gateway for Home and SOHO applications. The ADSL gateway integrates a high-speed ADSL2+ port, a 4-port 10/100Mbps auto MDI/MDIX Ethernet switch and 54Mbps IEEE 802.11g wireless connectivity (Prestige 660HW only). The Prestige 660H/HW series provides SPI (Stateful Packet Inspection) and many Firewall security features to protect against network intrusion. Additional features such as Zero Configuration, Traffic Redirect, and MBM (Media Bandwidth Management) maximize performance while minimizing operation and maintenance costs. Management is further simplified with Web-based configuration and administrator wizards. High-performing, secure and easy to use, ZyXEL's Prestige 660H/HW is the best choice for Home and SOHO needs.

Benefits

Higher-speed Internet Access
The Prestige 660H/HW series is capable of supporting high-speed ADSL, ADSL2 and ADSL2+ over existing copper lines. With speeds of up to 12Mbps (ADSL2) or 24Mbps (ADSL2+), the Prestige 660H/HW series offers higher data transfer rates and better bandwidth than traditional ADSL enabled gateways. The Prestige 660H/HW series also supports RE ADSL (Reach Extended ADSL) for better performance at greater distance. The Prestige 660H/HW series offers the key link between today's communications services and tomorrow's converged services.

Higher-speed and Wider-range Wireless LAN Connectivity (Prestige 660HW only)
Compliance with the 802.11g wireless standard allows for data transmission speeds of up to 54Mbps. With 802.11g+ wireless technology, the Prestige 660HW series delivers wireless transmission rates of up to 100 Mbps when used with ZyXEL's ZyAIR G-160 Wireless PC Card. The Prestige 660HW series easily extends a wired network for mobility and flexibility.

Robust, State-of-the-Art Firewall Security
The ICSA certified ZyNOS operating system ensures state-of-the-art Firewall performance and robust security from the Prestige 660H/HW series. Based on Stateful Packet Inspection, DoS (Denial of Service) and DDoS, it provides the first line of defense against hackers, network intruders, and other hazardous threats.

Media Bandwidth Management (MBM)
The Prestige 660H/HW series enables network administrators to allocate network resources while guaranteeing Quality of Service (QoS). The MBM (Media Bandwidth Management) function prioritizes media services, increasing productivity and efficiency in daily operation by tailoring a system to specific demands such as VoIP, video streaming, videoconferencing and MP3 applications.

Zero Configuration
The Prestige 660H/HW's Zero Configuration technology allows users to hook up a DSL connection without hassle. The user-friendly design, which is embedded in the gateway, is OS independent and supports all kinds of operating systems in the host PC.
Features

ADSL Compliant: RADSL (ANSI T1.413 Issue 2); G.dmt ADSL over POTS (G.992.1 Annex A); G.dmt ADSL over ISDN (G.992.1 Annex B and U-R2); G.lite (G.992.2); ADSL2 G.dmt.bis (G.992.3)*; ADSL2 G.lite.bis (G.992.4)*; ADSL2+ (G.992.5)*; Reach Extended ADSL (RE ADSL)*

ATM Support: 8 PVCs Support; RFC 1483/2684 Multiple Protocol over AAL5; RFC 2364 PPP over AAL5; RFC 2516 PPP over Ethernet; VC and LLC Multiplexing; Traffic Shaping UBR, CBR, VBR-nrt; ATM Forum UNI 3.1/4.0 PVC; I.610 OAM F4/F5 loop-back, AIS, and RDI OAM cells; TR-37, TR-62 DSL Auto Configuration*

Firewall Security: Stateful Packet Inspection; Prevent DoS, DDoS Attack; Policy based Access Control; Content Filtering; IP & Generic Packet Filtering; Real-time Attack Alert and Logs

Wireless (Prestige 660HW only): 802.11g Compliance; 802.11g+ 100Mbps Accelerator*; Comply with 802.11b+ 22Mbps; 64/128/256 bits WEP Encryption; Dynamic WEP Key; MAC Address Filtering; WPA, WPA-PSK/TKIP; 802.1X Authentication with RADIUS Client

Routing Support: IEEE 802.1d Transparent Bridging; IP Routing: TCP, UDP, ICMP, ARP; RIPv1 and RIPv2; IP Multicast IGMP v1/v2; IP Policy Route

IP Management: SUA/Multi-NAT Internet Sharing; Multimedia Support; VPN (IPSec, PPTP, L2TP) Pass-through; DHCP Server/Relay/Client; DNS Proxy; Dynamic DNS; UPnP Support

Network Management: Web based Configuration; Command-line Interpreter (CLI); Telnet Remote Management; SNMP Support; FTP/TFTP firmware upgrade and configuration backup/restore; Built-in Diagnostic Tool

Application: Traffic Redirect; MBM (Media Bandwidth Management) QoS; Zero Configuration; Call Scheduling; Budget Management

* For future release
Specifications

Hardware Specification
ADSL: One RJ-11 or RJ-45 Port
LAN: 4-Port Switch, 10/100M Auto MDI/MDIX
Antenna: 2dbi
Reset Button
Status LEDs Indicator
Power: 12V DC

Physical Specification
Dimensions: 180(L) x 128(D) x 36(H) mm
Weight: 350g

Operating Environment
Temperature: 0 ~ 40C
Humidity: 20 ~ 85% (non-condensing)
Application Diagram

[Diagram: Internet Security/WLAN Applications - Content Filtering, Firewall, World Wide Web; ZyAIR 11g PC Card, ZyAIR 11g USB Adapter, ZyAIR 11g PCI Card]
[Diagram: Media Bandwidth Management - VoD Server and IP-based Set-top box (VoD 1000K), Online Gaming (Gaming 70K), VoIP Phone (VoIP 100K)]
This product is designed for the 2.4 GHz WLAN network throughout the EC region
Copyright 2004 ZyXEL Communications Corporation. All rights reserved. ZyXEL, the ZyXEL logo are registered trademarks of ZyXEL Communications Corp. Other trademarks and service names referenced are properties of their respective holders. All specifications are subject to change without notice.
sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.

13. Is it possible to access a server running behind SUA from the outside Internet? If possible, how?
Yes, it is possible because the P-660 delivers the packet to the local server by looking it up in a SUA server table. Therefore, to make a local server accessible to outside users, the port number and the inside IP address of the server must be configured in Menu 15.2.1 - NAT Server Setup.

14. When do I need Multi-NAT?

Make local server accessible from outside Internet
When NAT is enabled the local computers are not accessible from outside. You can use Multi-NAT to make an internal server accessible from outside.

Support Non-NAT Friendly Applications
Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.

15. What IP/Port mapping does Multi-NAT support?
NAT supports five types of IP/port mapping. They are: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA).

1. One to One
In One-to-One mode, the P-660 maps one ILA to one IGA.

2. Many to One
In Many-to-One mode, the P-660 maps multiple ILAs to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).

3. Many to Many Overload
In Many-to-Many Overload mode, the P-660 maps multiple ILAs to shared IGAs.

4. Many One-to-One
In Many One-to-One mode, the P-660 maps each ILA to a unique IGA.

5. Server
In Server mode, the P-660 maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note that if you want to map each server to one unique IGA, please use the One-to-One mode.

The following table summarizes these types.

NAT Type                 IP Mapping
One-to-One               ILA1<--->IGA1
Many-to-One (SUA/PAT)    ILA1<--->IGA1
                         ILA2<--->IGA1
                         ...
Many-to-Many Overload    ILA1<--->IGA1
                         ILA2<--->IGA2
                         ILA3<--->IGA1
                         ILA4<--->IGA2
                         ...
Many One-to-One          ILA1<--->IGA1
                         ILA2<--->IGA2
                         ILA3<--->IGA3
                         ILA4<--->IGA4
                         ...
Server                   Server 1 IP<--->IGA1
                         Server 2 IP<--->IGA1
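The mapping table above, modelled as a small translator. This is an added example, not ZyNOS code: it shows which (address, port) pair each mapping type puts on the wire, and that unsolicited inbound traffic reaches an inside host only through a server-table entry. The class name, the 203.0.113.x global addresses, the port pool starting at 10000 and the choice to leave ports unchanged in the one-to-one types are assumptions of this sketch.

```python
# Added illustration, not ZyNOS code. Global addresses are constructed samples.
MAPPING_TYPES = ("One-to-One", "Many-to-One", "Many-to-Many Overload",
                 "Many One-to-One", "Server")


class MultiNat:
    def __init__(self, nat_type, ilas=(), igas=(), servers=None, max_sessions=1024):
        if nat_type not in MAPPING_TYPES:
            raise ValueError(f"unknown mapping type: {nat_type}")
        self.nat_type = nat_type
        self.ilas, self.igas = list(ilas), list(igas)
        self.servers = dict(servers or {})   # {port or "Default": inside server IP}
        self.max_sessions = max_sessions     # the page quotes 1024/2048 sessions
        self.sessions = {}                   # (ILA, src port) -> (IGA, translated port)
        self._next_port = {iga: 10000 for iga in self.igas}  # assumed pool start

    def _iga_for(self, ila):
        idx = self.ilas.index(ila)
        if self.nat_type in ("One-to-One", "Many One-to-One"):
            return self.igas[idx]                    # ILAn <---> IGAn
        if self.nat_type == "Many-to-One":
            return self.igas[0]                      # every ILA <---> IGA1
        if self.nat_type == "Many-to-Many Overload":
            return self.igas[idx % len(self.igas)]   # ILA3 wraps to IGA1, as in the table
        raise ValueError("Server sets only translate inbound traffic")

    def outbound(self, ila, sport):
        """Translate an outgoing flow; returns (IGA, port) or None if the table is full."""
        key = (ila, sport)
        if key in self.sessions:
            return self.sessions[key]
        if len(self.sessions) >= self.max_sessions:
            return None                              # limit is on sessions, not users
        iga = self._iga_for(ila)
        if self.nat_type in ("One-to-One", "Many One-to-One"):
            port = sport                             # assumption: port left unchanged
        else:
            port = self._next_port[iga]              # shared IGA: rewrite the source port
            self._next_port[iga] += 1
        self.sessions[key] = (iga, port)
        return iga, port

    def inbound(self, iga, dport):
        """Translate an incoming packet; None means no inside host is reachable."""
        for inside, outside in self.sessions.items():
            if outside == (iga, dport):
                return inside                        # reply to an existing session
        target = self.servers.get(dport, self.servers.get("Default"))
        return (target, dport) if target else None


if __name__ == "__main__":
    lan = ["192.168.1.33", "192.168.1.34", "192.168.1.35", "192.168.1.36"]
    sua = MultiNat("Many-to-One", lan, ["203.0.113.1"], servers={80: "192.168.1.33"})
    print(sua.outbound(lan[0], 5000), sua.outbound(lan[1], 5000))
    print(sua.inbound("203.0.113.1", 80), sua.inbound("203.0.113.1", 23))
```
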
16. How many network users can the SUA/NAT support?
The Prestige does not limit the number of users but the number of sessions. The P-660 supports 1024/2048 sessions; you can use the 'ip nat iface wanif0 st' command in menu 24.8 to view the current active sessions.
10. What is DDNS wildcard? Does the P-660 support DDNS wildcard?
Some DDNS servers support the wildcard feature, which allows the hostname *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use names such as www.yourhost.dyndns.org and still reach your hostname. Yes, the P-660 supports the DDNS wildcard that http://www.dyndns.org/ supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1 Configure Dynamic DNS.

11. Can the P-660's SUA handle IPSec packets sent by the IPSec gateway?
Yes, the P-660's SUA can handle IPSec ESP Tunneling mode. When packets go through SUA, SUA changes the source IP address and source port for the host. To pass IPSec packets, SUA must understand the ESP packet with protocol number 50 and replace the source IP address of the IPSec gateway with the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key management. Because the remote gateway checks this source port during connections, the port is not allowed to be changed.

12. How do I setup my P-660 for routing IPSec packets over SUA?
For outgoing IPSec tunnels, no extra setting is required. For forwarding the inbound IPSec ESP tunnel, a 'Default' server set in menu 15.2.1 is required. This is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. So, to make an internal server available for outside access, we must specify the service port and the LAN IP of this server in Menu 15. SUA is then able to forward the incoming packets to the requested service behind SUA, and the outside users access the server using the P-660's WAN IP address. So, we have to configure the internal IPsec gateway as a default server (unspecified service port) in menu 15.2.1 when it acts as a server gateway.

13. What is Traffic Shaping?
Traffic Shaping is a feature in the P-660. It allocates the bandwidth to WAN dynamically and aims at boosting the efficiency of the bandwidth. If there are several VCs in the P-660 but only one VC is activated at one time, the P-660 allocates all the bandwidth to that VC and the VC gets full bandwidth. If other VCs are activated later, the bandwidth is yielded to the other VCs afterward.

14. What do the parameters (PCR, SCR, MBS) mean?
Traffic shaping parameters (PCR, SCR, MBS) can be set in Menu 4 and Menu 11.6 and are valid for both incoming and outgoing direction since G.shdsl is symmetric.

Peak Cell Rate (PCR): The maximum bandwidth allocated to this connection. The VC connection throughput is limited by PCR.
Sustainable Cell Rate (SCR): The least guaranteed bandwidth of a VC. When there are multiple VCs on the same line, the VC throughput is guaranteed by SCR.
Maximum Burst Size (MBS): The amount of cells transmitted through this VC at the Peak Cell Rate before yielding to other VCs. The total bandwidth of the line is dedicated to a single VC if there is only one VC on the line. However, when other VCs ask for bandwidth, the MBS defines the maximum number of cells transmitted via this VC at the Peak Cell Rate before yielding to other VCs.

The P-660 holds the parameters for shaping the traffic among its virtual channels. If you do not need traffic shaping, please set SCR = 0, MBS = 0 and PCR to the maximum value according to the line rate (for example, a 2.3 Mbps line rate results in a PCR of 5424 cell/sec.)

15. Why do we perform traffic shaping in the P-660?
The P-660 must manage traffic fairly and provide bandwidth allocation for different sorts of applications, such as voice, video, and data. All applications have their own natural bit rate. Large data transactions have a fluctuating natural bit rate. The P-660 is able to support variable traffic among different virtual connections. Certain traffic may be discarded if the virtual connection experiences congestion. Traffic shaping defines a set of actions taken by the P-660 to avoid congestion; traffic shaping takes measures to adapt to unpredictable fluctuations in traffic flows and other problems among virtual connections.
Set up your P-660

The following procedure shows you how to configure your P-660 in Router mode for routing traffic. We will use the SMT menu to guide you through the related menus. You can use the console or Telnet to finish these configurations.

1. Configure the P-660 in router mode in Menu 1 General Setup.

Menu 1 General Setup
  System Name= P-660
  Location=
  Contact Person's Name=
  Domain Name=
  Edit Dynamic DNS= No
  Route IP= Yes
  Bridge= No

2. Configure a LAN IP for the P-660 and the DHCP settings in Menu 3.2-TCP/IP Ethernet Setup. The settings shown below, except for the DNS addresses, are the pre-configured defaults.

Menu 3.2 - TCP/IP and DHCP Setup
  DHCP Setup
    DHCP= Server
    Client IP Pool Starting Address= 192.168.1.33
    Size of Client IP Pool= 6
    Primary DNS Server= 220.127.116.11
    Secondary DNS Server= 18.104.22.168
    Remote DHCP Server= N/A
  TCP/IP Setup:
    IP Address= 192.168.1.1
    IP Subnet Mask= 255.255.255.0
    RIP Direction= Both
    Version= RIP-1
    Multicast= None
    IP Policies=
    Edit IP Alias= No

3. Configure for Internet setup in Menu 4-Internet Access Setup.

Menu 4 - Internet Access Setup
  ISP's Name= CHT
  Encapsulation= PPPoE
  Multiplexing= LLC-based
  VPI #= 0
  VCI #= 33
  ATM QoS Type= CBR
  Peak Cell Rate (PCR)= 0
  Sustain Cell Rate (SCR)= 0
  Maximum Burst Size (MBS)= 0
  My Login= firstname.lastname@example.org
  My Password= ********
  Idle Timeout (sec)= 0
  IP Address Assignment= Dynamic
  IP Address= N/A
  Network Address Translation= SUA Only
  Address Mapping Set= N/A
  Press ENTER to Confirm or ESC to Cancel:

Encapsulation: Select the correct Encapsulation type that your ISP supports. For example, RFC 1483.
Multiplexing: Select the correct Multiplexing type that your ISP supports. For example, LLC.
VPI & VCI number: Specify a VPI (Virtual Path Identifier) and a VCI (Virtual Channel Identifier) given to you by your ISP.
Single User Account: Set to Yes if you only have a single IP account for sharing with local computers.
IP Address Assignment: Set to Dynamic if the ISP provides the IP for the P-660 dynamically. Otherwise, set to Static and enter the IP in the following IP Address field.
IP Address: This field can not be configured if the ISP provides the IP for the P-660 dynamically. Otherwise, enter the IP that the ISP gives to you.
The following table explains the fields in this screen. Please note that the fields in this menu are read-only.

Set Name: This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create. Example: SUA
Idx: This is the index or rule number. Example: 1
Local Start IP: This is the starting local IP address (ILA). Example: 0.0.0.0 for the Many-to-One type.
Local End IP: This is the starting local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255. Example: 255.255.255.255
Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Example: 0.0.0.0
Global End IP: This is the ending global IP address (IGA). Example: N/A
Type: This is the NAT mapping types. Example: Many-to-One and Server

Please note that the fields in this menu are read-only. However, the settings of the server set 1 can be modified in menu 15.2.1.
Now let's look at Option 1 in Menu 15.1. Enter 1 to bring up this menu.
Menu 15.1.1 - Address Mapping Rules
  Set Name= ?
  Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
  ---  ---------------  ---------------  ---------------  ---------------  ------
  1.
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  9.
  10.
  Action= Edit , Select Rule= 0
  Press ENTER to Confirm or ESC to Cancel:

We will just look at the differences from the previous menu. Note that this screen is not read-only, so we have extra Action and Select Rule fields. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The description of the other fields is as described above. The Type, Local and Global Start/End IPs are configured in Menu 15.1.1 (described later) and the values are displayed here.

Set Name: Enter a name for this set of rules. This is a required field. Please note that if this field is left blank, the entire set will be deleted.
Action: There are 4 actions. The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a new rule before the rule selected. The rule after the selected rule will then be moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action the Select Rule item will be disabled). Options: Edit, Insert Before, Delete, Save Set
Select Rule: When you choose Edit, Insert Before or Save Set in the previous Select Rule field the cursor jumps to this field to allow you to select the rule to apply the action in question.
Menu 15.2.1 - NAT Server Setup (Used for SUA Only)
  Rule  Start Port No.  End Port No.  IP Address
  ---------------------------------------------------
  1.    Default         Default       0.0.0.0
  2.                                  192.168.1.33
  3.                                  192.168.1.36
  4.
  5.
  6.
  7.
  8.
  9.
  10.
  11.
  12.
  Press ENTER to Confirm or ESC to Cancel:

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.

Service                                    Port Number
FTP
Telnet
SMTP
DNS (Domain Name Server)
www-http (Web)                             80
PPTP (Point-to-Point Tunneling Protocol)   1723

Examples

Internet Access Only
Internet Access with an Internal Server
Using Multiple Global IP addresses for clients and servers
Support Non NAT Friendly Applications
1. Internet Access Only In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. See the following figure.
Menu 4 - Internet Access Setup
  ISP's Name= CHT
  Encapsulation= PPPoE
  Multiplexing= LLC-based
  VPI #= 0
  VCI #= 33
  ATM QoS Type= CBR
  Peak Cell Rate (PCR)= 0
  Sustain Cell Rate (SCR)= 0
  Maximum Burst Size (MBS)= 0
  My Login= email@example.com
  My Password= ********
  Idle Timeout (sec)= 0
  IP Address Assignment= Dynamic
  IP Address= N/A
  Network Address Translation= SUA Only
  Address Mapping Set= N/A
  Press ENTER to Confirm or ESC to Cancel :
From Menu 4 shown above simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA read only option from the NAT field in menu 4 and 11.3 is specifically pre-configured to handle this case.
2. Internet Access with an Internal Server
In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1-NAT Server Setup (Used for SUA Only) to specify the Internet Server behind the NAT as shown below.

  Rule  Start Port No.  End Port No.  IP Address
  ---------------------------------------------------
  1.    Default         Default       0.0.0.0
  2.                                  192.168.1.33
  3.                                  0.0.0.0
  4.                                  0.0.0.0
  5.                                  0.0.0.0
  6.                                  0.0.0.0
  7.                                  0.0.0.0
  8.                                  0.0.0.0
  9.                                  0.0.0.0
  10.                                 0.0.0.0
  11.                                 0.0.0.0
  12.                                 0.0.0.0
  Press ENTER to Confirm or ESC to Cancel:
3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used)
The packets that need to be blocked are as follows. Please configure two filter sets with 4 and 2 rules respectively based on the following packets in SMT menu 21.

Filter Set 1:
Rule 1-Destination port number 137 with protocol number 6 (TCP)
Rule 2-Destination port number 137 with protocol number 17 (UDP)
Rule 3-Destination port number 138 with protocol number 6 (TCP)
Rule 4-Destination port number 138 with protocol number 17 (UDP)
Rule 5-Destination port number 139 with protocol number 6 (TCP)
Rule 6-Destination port number 139 with protocol number 17 (UDP)

Filter Set 2:
Rule 1-Source port number 137, Destination port number 53 with protocol number 6 (TCP)
Rule 2-Source port number 137, Destination port number 53 with protocol number 17 (UDP)

Before starting to set the filter rules, please enter a name for each filter set in the 'Comments' field first.

Menu 21 - Filter Set Configuration
  Filter                    Filter
  Set #  Comments           Set #  Comments
  -----  ---------------    -----  ---------------
  1      NetBIOS_WAN        7      _______________
  2      NetBIOS_LAN        8      _______________
  3      _______________    9      _______________
  4      _______________    10     _______________
  5      _______________    11     _______________
  6      _______________    12     _______________
  Enter Filter Set Number to Configure= 1
  Edit Comments=
  Press ENTER to Confirm or ESC to Cancel:
Configure the first filter set 'NetBIOS_WAN' by selecting the Filter Set number 1.
Rule 1-Destination port number 137 with protocol number 6 (TCP)
Menu 21.1.1 - TCP/IP Filter Rule
  Filter #: 1,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6
  IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 0
               Port # Comp= None
  TCP Estab= No
  More= No
  Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule
Rule 2-Destination port number 137 with protocol number 17 (UDP)
Menu 21.1.2 - TCP/IP Filter Rule
  Filter #: 1,2
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 17
  IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 0
               Port # Comp= None
  TCP Estab= N/A
  More= No
  Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule
  Press ENTER to Confirm or ESC to Cancel:
Configure the second filter set 'NetBIOS_LAN' by selecting the Filter Set number 2.
Rule 1-Source port number 137, Destination port number 53 with protocol number 6 (TCP)
Menu 21.2.1 - TCP/IP Filter Rule
  Filter #: 2,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6
  IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 53
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
  TCP Estab= No
  More= No
  Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule
  Press ENTER to Confirm or ESC to Cancel:
1. Rule 2-Source port number 137, Destination port number 53 with protocol number 17 (UDP)
Menu 21.2.2 - TCP/IP Filter Rule
  Filter #: 2,2
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 17
  IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 53
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
  TCP Estab= N/A
  More= No
  Log= None
  Action Matched= Drop
  Action Not Matched= Forward
  Press ENTER to Confirm or ESC to Cancel:
2. After the first filter set is finished, you will get the complete rules summary as below.
Menu 21.2 - Filter Rules Summary
  # A Type Filter Rules                                     M m n
  - - ---- ------------------------------------------------ - - -
  1 Y IP   Pr=6, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53      N D N
  2 Y IP   Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53     N D F
3. Apply the filter set 'NetBIOS_LAN' in the 'Input protocol filters=' in the Menu 3 for blocking the packets from LAN
Menu 3.1 - General Ethernet Setup
  Input Filter Sets:
    protocol filters= 2
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
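The two NetBIOS filter sets above, expressed as data and walked rule by rule. This is an added example, not ZyNOS code: it shows how 'Action Matched' and 'Action Not Matched' chain, and why the last rule of a set needs a terminal action. Field names mirror the Menu 21.x.x screens; setting 'Forward' as the not-matched action of rule 6 in NetBIOS_WAN, and ignoring the 'More' field (it is No in every rule shown), are assumptions.

```python
# Added illustration, not ZyNOS code.
from dataclasses import dataclass

DROP, FORWARD, NEXT = "Drop", "Forward", "Check Next Rule"
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Rule:
    protocol: int                 # IP Protocol=
    dst_port: int = 0             # Destination Port #=
    dst_comp: str = "None"        # Destination Port # Comp= (Equal or None)
    src_port: int = 0             # Source Port #=
    src_comp: str = "None"        # Source Port # Comp=
    matched: str = DROP           # Action Matched=
    not_matched: str = NEXT       # Action Not Matched=

    def matches(self, proto, sport, dport):
        if proto != self.protocol:
            return False
        if self.dst_comp == "Equal" and dport != self.dst_port:
            return False
        if self.src_comp == "Equal" and sport != self.src_port:
            return False
        return True               # IP Addr/Mask are 0.0.0.0 in every rule: any address


def evaluate(rules, proto, sport, dport):
    """Return (action, rule number), or (None, None) if the set never decides."""
    for idx, rule in enumerate(rules, start=1):
        action = rule.matched if rule.matches(proto, sport, dport) else rule.not_matched
        if action != NEXT:
            return action, idx
    return None, None


def netbios_wan_set():
    """Filter Set 1: destination ports 137-139, TCP then UDP for each port."""
    combos = [(port, proto) for port in (137, 138, 139) for proto in (TCP, UDP)]
    rules = []
    for n, (port, proto) in enumerate(combos, start=1):
        last = n == len(combos)   # assumption: the final rule forwards what is left
        rules.append(Rule(proto, dst_port=port, dst_comp="Equal",
                          not_matched=FORWARD if last else NEXT))
    return rules


def netbios_lan_set():
    """Filter Set 2, exactly as Menus 21.2.1 and 21.2.2 show it."""
    common = dict(dst_port=53, dst_comp="Equal", src_port=137, src_comp="Equal")
    return [Rule(TCP, not_matched=NEXT, **common),
            Rule(UDP, not_matched=FORWARD, **common)]


def ends_undecided(rules):
    """True when the last rule can fall through without a Drop or Forward."""
    return bool(rules) and NEXT in (rules[-1].matched, rules[-1].not_matched)


if __name__ == "__main__":
    for pkt in [(UDP, 137, 53), (TCP, 137, 53), (UDP, 1025, 53)]:
        print("LAN set", pkt, "->", evaluate(netbios_lan_set(), *pkt))
    print("WAN rules 1-2 only undecided:", ends_undecided(netbios_wan_set()[:2]))
```
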
7. Using the Dynamic DNS (DDNS)

What is DDNS?

The DDNS service, an IP Registry, provides a public central database where information such as email addresses, hostnames, IPs etc. can be stored and retrieved. This solves the problems if your DNS server uses an IP associated with dynamic IPs.

Without DDNS, we always tell the users to use the WAN IP of the P-660 to access the internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-660, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the P-660. When the ISP assigns the P-660 a new IP, the P-660 must inform the DDNS server of the change of this IP so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable. The DDNS server stores password-protected email addresses with IPs and hostnames and accepts queries based on email addresses. So, there must be an email entry in the P-660 menu 1. The DDNS server the P-660 currently supports is WWW.DYNDNS.ORG, where you apply for the DNS name and update the WAN IP.
1. CDR log (call messages)
Format:
  sdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
  String = board xx line xx channel xx, call xx, str
  board = the hardware board ID
  line = the WAN ID in a board
  channel = channel ID within the WAN
  call = the call reference number which starts from 1 and increments by 1 for each new call
  str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.)
        C01 Incoming Call xxxxBps xxxxx (L2TP,xxxxx means Remote Call ID)
        C01 Incoming Call xxxx (means connected speed) xxxxx (means Remote Call ID)
        L02 Tunnel Connected(L2TP)
        C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote Call ID)
        C02 CLID call refused
        L02 Call Terminated
        C02 Call Terminated
Example:
  Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call OK
  Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated

2. Packet triggered log
Format:
  sdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String );
  String = Packet trigger: Protocol=xx Data=xxxxxxxxxx
  Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
  Data: We will send forty-eight Hex characters to the server
Example:
  Jul 19 11:28:39 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374
  Jul 19 11:28:56 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1,

3. Filter log
This message is available when the 'Log' is enabled in the filter rule setting. The message consists of the packet header and the log of the filter rules.
Format:
  sdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
  String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx]S04>R01mD
  IP[.] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  Src: Source Address
  Dst: Destination Address
  prot: Protocol (TCP,UDP,ICMP)
  spo: Source port
  dpo: Destination port
Example:
  Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=22.214.171.124 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF
  Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=126.96.36.199 ICMP]}S03>R01mF
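A parser for the filter log format described above, so a syslog collector can count hits per filter set and rule. This is an added example, not vendor code, and the sample lines are constructed with documentation addresses. It assumes that spo/dpo are four hexadecimal digits (the page's sample value 05d4 cannot be decimal), that the '}' after ']' seen in the examples is optional, and that the codes 'n', 'F' and 'N' carry the meanings of the M/m/n columns in the Filter Rules Summary.

```python
# Added illustration, not vendor code.
import re
from collections import Counter

# Constructed sample lines in the page's format; the last one is a CDR message.
SAMPLE_LOG = """\
Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=198.51.100.7 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF
Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=198.51.100.7 ICMP]}S03>R01mF
Jul 19 14:45:02 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.40 Dst=203.0.113.9 UDP spo=0089 dpo=0035]}S02>R02mD
Jul 19 14:45:03 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated
"""

FILTER_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<device>\S+) .*?: "
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>[A-Z]+)"
    r"(?: spo=(?P<spo>[0-9a-fA-F]{4}) dpo=(?P<dpo>[0-9a-fA-F]{4}))?\]\}?"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[DFN])\s*$"
)
ACTIONS = {"D": "drop", "F": "forward", "N": "check next rule"}


def parse_filter_log(line):
    """Return a dict for a filter log line, or None for any other message."""
    m = FILTER_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("spo", "dpo"):                 # ICMP lines carry no ports
        rec[key] = int(rec[key], 16) if rec[key] else None
    rec["set"], rec["rule"] = int(rec["set"]), int(rec["rule"])
    rec["matched"] = rec.pop("match") == "m"
    rec["action"] = ACTIONS[rec["action"]]
    return rec


def summarize(lines):
    """Count log entries per (filter set, rule, action)."""
    hits = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec:
            hits[(rec["set"], rec["rule"], rec["action"])] += 1
    return hits


def dropped_netbios_dns(lines):
    """LAN hosts whose port 137 to port 53 lookups were dropped (the NetBIOS_LAN case)."""
    records = (parse_filter_log(line) for line in lines)
    return sorted({r["src"] for r in records
                   if r and r["action"] == "drop" and r["spo"] == 137 and r["dpo"] == 53})


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for key, count in sorted(summarize(log_lines).items()):
        print(key, count)
    print("hosts with dropped NetBIOS-over-DNS lookups:", dropped_netbios_dns(log_lines))
```

The NetBIOS rules shown earlier have Log= None, so they produce these entries only after 'Log' is enabled in the rule.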
Check the box to enable BWM on the interface. Note that if you would like to manage traffic from WAN to LAN, you should apply BWM on the LAN interface. If you would like to manage traffic from WAN to DMZ, please apply BWM on the DMZ interface.

Speed: Enter the total speed to manage on this interface. This value is the budget of the class tree's root.
Scheduler: Choose the principle to allocate bandwidth on this interface. Priority-Based allocates bandwidth via priority. Fairness-Based allocates bandwidth by ratio.
Maximize Bandwidth Usage: Check this box if you would like to give residuary bandwidth from the interface to the classes that need more bandwidth than the configured amount. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class or you want to limit the bandwidth of each class at the configured value. (Please note that to meet the second condition, you should also disable bandwidth borrowing on the class.)

Go to ADVANCED->BW MGMT->Class Setup and select the interface on which you would like to set up the Class tree. Click the radio button beside the Root Class, then press 'Add Sub-Class'.

Class Name: Give this class a name, for example, 'App'.
Bandwidth Budget: Configure the speed you would like to allocate to this class.
Priority: Enter a number between 0 and 7 to set the priority of this class. The higher the number, the higher the priority. The default setting is 3.
Check this box if you would like to let this class borrow bandwidth from its parents when the required bandwidth is higher than the configured amount. Do not check this if you want to limit the bandwidth of this class at the configured value. (Please note that you should also disable Maximize Bandwidth Usage on the interface to meet the condition.)
Enable Bandwidth Filter: Check this to specify the traffic types via IP addresses/Port numbers.
Destination IP Address: Enter the IP address of the destination that meets this class.
Destination Subnet Mask: Enter the destination subnet mask.
Destination Port: Enter the destination port number of the traffic.
Source IP Address: Enter the IP address of the source that meets this class. Note that for traffic from 'LAN to WAN', since BWM is before NAT, you should use the IP address before NAT processing.
Source Subnet Mask: Enter the destination subnet mask.
Source Port: Enter the source port number of the traffic.
Protocol ID: Enter the protocol number for the traffic. 1 for ICMP, 6 for TCP or 17 for UDP.

After configuring BWM, you can check the current bandwidth of the configured traffic in ADVANCED->BWM MGMT->Monitor. The values in the Current usage (kbps) column display the actual number.

15. Using Zero-Configuration
Zero-Configuration and VC auto-hunting
Menu 3.5 - Wireless LAN Setup

    ESSID= Wireless
    Hide ESSID= No
    Channel ID= CH01 2412MHz
    RTS Threshold= 0
    Frag. Threshold= 2432
    WEP= Disable
    Default Key= N/A
    Key1= N/A
    Key2= N/A
    Key3= N/A
    Key4= N/A
    Edit MAC Address Filter= No

    Press ENTER to Confirm or ESC to Cancel:

3. Configure ESSID, Channel ID, WEP, Default Key and Keys as you desire.

Configure Wireless Access Point to Infrastructure mode using Web configurator
To configure Infrastructure mode of your P660HW-T1 wireless AP, please follow the steps below.
1. From the web configurator main menu, click Advanced -> Wireless LAN to display Wireless LAN.
2. Configure the desired configuration on P660HW-T1.
3. Finished.

Configure Wireless Station to Infrastructure mode
To configure Infrastructure mode on your ZyAIR B-100/B-200/B-300 wireless NIC card, please follow these steps.
1. Double-click the utility icon in your Windows task bar; the utility will pop up on your Windows screen.
2. Select the Configuration tab.
3. Select Infrastructure from the operation mode pull-down menu, fill in an SSID or leave it as any if you wish to connect to any AP, then press Apply Change for the setting to take effect.
4. Click the Site Survey tab and press Search; all the available APs will be listed.
5. Double-click the AP you want to associate with.
6. After the client has associated with the selected AP, the linked AP's channel, current linkup rate, SSID, link quality, and signal strength will show on the Link Info page. You have now successfully associated with the selected AP in Infrastructure mode.
3. MAC Filter
MAC Filter Overview
ZyXEL MAC Filter Implementation
Configure the WLAN MAC Filter
MAC Filter Overview
Users can use MAC Filter as a method to restrict unauthorized stations from accessing the APs. ZyXEL's APs provide the capability for checking the MAC address of the station before allowing it to connect to the network. This provides an additional layer of control in that only stations with registered MAC addresses can connect. This approach requires that the list of MAC addresses be configured.
ZyXEL MAC Filter Implementation
ZyXEL's MAC Filter Implementation allows users to define a list to allow or block association from STAs. The filter set allows users to input 12 entries in the list. If Allow Association is selected, all other STAs which are not on the list will be denied. Otherwise, if Deny Association is selected, all other STAs which are not on the list will be allowed for association. Users can choose either way to configure their filter rule.
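The allow/deny rule described above, as an added Python example that is not part of the ZyXEL support notes. It models the decision for a 12-entry list; the accepted address notations, the duplicate handling and the sample addresses are assumptions made for illustration.

```python
# Added example: models the allow/deny rule and the 12-entry limit described above.
import re

MAX_ENTRIES = 12  # list size stated in the support notes


def normalize_mac(mac):
    """Accept 00:A0:C5:01:23:45, 00-a0-c5-01-23-45 or 00a0.c501.2345 (assumed notations)."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError("not a MAC address: %r" % mac)
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


class MacFilter:
    """action is 'allow' (listed STAs only) or 'deny' (everyone except listed STAs)."""

    def __init__(self, action, entries=()):
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.action = action
        self.entries = []
        for mac in entries:
            self.add(mac)

    def add(self, mac):
        mac = normalize_mac(mac)
        if mac in self.entries:
            return  # same station in another notation: no second slot used
        if len(self.entries) >= MAX_ENTRIES:
            raise OverflowError("filter list holds at most %d entries" % MAX_ENTRIES)
        self.entries.append(mac)

    def permits(self, station_mac):
        listed = normalize_mac(station_mac) in self.entries
        return listed if self.action == "allow" else not listed


# Constructed sample addresses, for illustration only.
ALLOW_LIST = MacFilter("allow", ["00:A0:C5:01:23:45", "00-a0-c5-01-23-46"])
DENY_LIST = MacFilter("deny", ["00:A0:C5:01:23:45"])
EMPTY_ALLOW = MacFilter("allow")  # Allow Association selected with nothing listed

if __name__ == "__main__":
    for sta in ("00a0.c501.2345", "00:A0:C5:AA:BB:CC"):
        print(sta, ALLOW_LIST.permits(sta), DENY_LIST.permits(sta), EMPTY_ALLOW.permits(sta))
```

Under the stated rule, selecting Allow Association with an empty list denies every station, so the list should be filled in before the action is switched to allow.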
Configure the WLAN MAC Filter
The MAC Filter related settings in ZyXEL APs are configured in menu 3.5.1, WLAN MAC Address Filter Configuration. Before you configure the MAC filter, you need to know the MAC address of the client first. If not knowing what your MAC address is,
NOTE: Please check your Prestige's release notes. If your current firmware version doesn't support Mega Bytes as SA lifetime, you have to set the Mega Bytes setting in SA lifetime to zero. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties/Advanced Tab/Settings.
2. Setup Prestige VPN
Using a web browser, log in to the Prestige by entering the LAN IP address of the Prestige in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
Go to Advanced -> VPN.
Select Negotiation Mode to Main, as we configured in Sentinel.
Local IP: Address Type is Subnet, Address Start is 0.0.0.0, End/Subnet Mask is 0.0.0.0.
Remote IP: leave the field as default.
My IP Addr is the LAN IP of Prestige.
Secure Gateway IP Addr is 0.0.0.0.
Select Encapsulation Mode to Tunnel.
Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in Sentinel.
Enter the key string 12345678 in the Preshared Key text box, and click Apply.
Press the Advanced button to set IKE phase 1 and phase 2 parameters.
Telnet or console connect to Prestige SMT menu 24.8, and then issue this command: "ipsec route lan on". Please note that if you simply issue this command in Menu 24.8, the setting will be lost after rebooting. To make it take effect every time, save this command into the Prestige with the following CI commands in Menu 24.8:
a. type "sys edit autoexec.net"
b. press "i", then type "ipsec route lan on"
c. press "x" to save the configuration.
See the VPN rule screen shot
Set IKE Phase 1 and Phase 2 parameters.
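As an added example (not part of the ZyXEL support notes), the following Python check audits the rule values used in the setup steps above next to a constructed hardened variant. The dictionary field names, the 20-character key threshold and the hardened values are assumptions made for illustration.

```python
# Added example: audits the VPN rule values from the steps above.
# Field names and the PSK length threshold are assumptions for illustration.
WEAK_ENCRYPTION = {"DES"}        # 56-bit key
WEAK_AUTHENTICATION = {"MD5"}    # legacy hash
DEFAULT_ADMIN_PASSWORD = "1234"  # default stated in the support notes
MIN_PSK_LENGTH = 20              # assumed policy threshold


def audit_vpn_rule(rule):
    """Return a list of (field, finding) tuples for a rule dictionary."""
    findings = []
    if rule.get("encryption", "").upper() in WEAK_ENCRYPTION:
        findings.append(("encryption",
                         "56-bit DES; pick the strongest cipher the firmware offers"))
    if rule.get("authentication", "").upper() in WEAK_AUTHENTICATION:
        findings.append(("authentication",
                         "MD5; pick a SHA-based algorithm if the firmware offers one"))
    psk = rule.get("preshared_key", "")
    if len(psk) < MIN_PSK_LENGTH or psk.isdigit():
        findings.append(("preshared_key", "short or digits-only key is easy to guess"))
    if rule.get("secure_gateway") == "0.0.0.0":
        findings.append(("secure_gateway",
                         "peer address not pinned; the key is the only check on the peer"))
    if rule.get("admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append(("admin_password", "factory default password still set"))
    return findings


def flagged_fields(rule):
    """Sorted names of the fields that produced a finding."""
    return sorted(field for field, _ in audit_vpn_rule(rule))


# Values exactly as given in the setup steps.
RULE_FROM_NOTES = {
    "negotiation_mode": "Main", "encapsulation": "Tunnel", "protocol": "ESP",
    "encryption": "DES", "authentication": "MD5", "preshared_key": "12345678",
    "secure_gateway": "0.0.0.0", "admin_password": "1234",
}
# Constructed hardened variant; assumes the firmware offers these algorithms.
HARDENED_RULE = dict(
    RULE_FROM_NOTES, encryption="AES", authentication="SHA1",
    preshared_key="constructed-example-key-7Qm2vX9LpR4t",
    secure_gateway="203.0.113.10", admin_password="constructed-admin-passphrase",
)

if __name__ == "__main__":
    for name, rule in (("notes", RULE_FROM_NOTES), ("hardened", HARDENED_RULE)):
        print(name, audit_vpn_rule(rule) or "no findings")
```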
7. Configure 802.1x and WPA
What is the WPA Functionality?
Configuration for Access Point
Configuration for your PC

What is WPA Functionality?
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption. WPA applies IEEE 802.1x Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. You cannot use the 662's local user database for WPA authentication purposes, since the local user database uses MD5 EAP, which cannot generate keys. WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check and IEEE 802.1x. Temporal Key Integrity Protocol uses 128-bit keys that are dynamically generated and distributed by the authentication
P-660 series Support Notes

                                                            reset flag and mask
                                                            display feature bit
                                                            display function id list
                                                            display ISDN firmware type
[hostname]                                                  display system hostname
status
logs
  category
    access [0:none/1:log]                                   record the access control logs
    attack [0:none/1:log/2:alert/3:both]                    record and alert the firewall attack logs
    display                                                 display the category setting
    error [0:none/1:log/2:alert/3:both]                     record and alert the system error logs
    ipsec [0:none/1:log]                                    record the access control logs
    mten [0:none/1:log]                                     record the system maintenance logs
    upnp [0:none/1:log]                                     record upnp logs
    urlblocked [0:none/1:log/2:alert/3:both]                record and alert the web blocked logs
    urlforward [0:none/1:log]                               record web forward logs
  clear                                                     clear log
  display                                                   display all logs
  errlog
    clear                                                   clear log error
    disp                                                    display log error
    online                                                  turn on/off error log online display
  load                                                      load the log setting buffer
  mail
    alertAddr [mail address]                                send alerts to this mail address
    display                                                 display mail setting
    logAddr [mail address]                                  send logs to this mail address
    schedule display                                        display mail schedule
    schedule hour [0-23]                                    hour time to send the logs
    schedule minute [0-59]                                  minute time to send the logs
    schedule policy [0:full/1:hourly/2:daily/3:weekly/4:none]   mail schedule policy
    schedule week [0:sun/1:mon/2:tue/3:wed/4:thu/5:fri/6:sat]   weekly time to send the logs
    server [domainName/IP]                                  mail server to send the logs
    subject [mail subject]                                  mail subject
  save                                                      save the log setting buffer
  syslog
    active [0:no/1:yes]                                     active to enable unix syslog
    display                                                 display syslog setting
    facility [Local ID(1-7)]                                log the messages to different files
    server [domainName/IP]                                  syslog server to send the logs
mbuf
  cnt
    disp                                                    display system mbuf count
    clear                                                   clear system mbuf count
  link link                                                 list system mbuf link
  pool <id> [type]                                          list system mbuf pool
  status                                                    display system mbuf status
  disp <address>                                            display mbuf status
  debug [on|off]
memory <address> <length>                                   display memory content
memwrite <address> <len> [data list.]                       write some data to memory at <address>
memwl <address>                                             write long word to memory at <address>
memrl <address>                                             read long word at <address>
memutil
  usage                                                     display memory allocate and heap status
  mqueue <address> <len>                                    display memory queues
  mcell mid [f|u]                                           display memory cells by given ID
memutil
  msecs [a|f|u]                                             display memory sections
  mtstart <n-mcell>                                         start memory test
  mtstop                                                    stop memory test
  mtalloc <size> [n-mcell]                                  allocate memory for testing
  mtfree <start-idx> [end-idx]                              free the test memory
model                                                       display server model name
proc
  display                                                   display all process information
  stack                                                     display process's stack by a given TAG
  pstatus                                                   display process's status by a given TAG
queue
  display [a|f|u] [start#] [end#]                           display queue by given status and range numbers
                                                            display a queue by a given number
quit                                                        quit CI command mode
reboot [code]                                               reboot system; code = 0 cold boot, = 1 immediately boot, = 2 bootModule debug mode
                                                            display resources trace
  clear                                                     clear resources trace
stdio [second]                                              change terminal timeout value
time [hour [min [sec]]]                                     display/set system time
timer
  disp                                                      display timer cell
  trace [on|off]                                            set/display timer information online
  start [tmValue]                                           start a timer
  stop <ID>                                                 stop a timer
trcdisp                                                     monitor packets
trclog
  switch [on|off]                                           set system trace log
  online [on|off]                                           set on/off trace log online
  level [level]                                             set trace level of trace log #:1-10
  type <bitmap>                                             set trace type of trace log
  disp                                                      display trace log
  clear                                                     clear trace
  call                                                      display call event
  encapmask                                                 set/display tracelog encapsulation mask
trcpacket
  create <entry> <size>                                     create packet trace buffer
  destroy                                                   packet trace related commands
  channel <name> [none|incoming|outgoing|bothway]           <channel name>=enet0,sdsl00, fr0; set packet trace direction for a given channel
  string                                                    enable smt trace log
  switch [on|off]                                           turn on/off the packet trace
  disp                                                      display packet trace
  udp                                                       send packet trace to other system
    switch [on|off]                                         set tracepacket udp switch
    addr <addr>                                             send trace packet to remote udp address
    port <port>                                             set tracepacket udp port
  parse [[start_idx], end_idx]                              parse packet content
  brief                                                     display packet content briefly
version                                                     display RAS code and driver version
view <filename>                                             view a text file
wdog
  switch
  cnt
romreset
server
  access
  load
  disp
  port
  save
  secureip
spt
  dump
  root
  rn
  user
  slot
  save
  size
  clear
cmgr
  trace
    disp <ch-name>                                          show the connection trace of this channel
    clear <ch-name>                                         clear the connection trace of this channel
  cnt <ch-name>                                             show channel connection related counter
socket
filter
  clear                                                     clear filter statistic counter
  disp                                                      display filter statistic counters
  sw [on|off]                                               set filter status switch
  set <set>                                                 display filter rule
The ZyXEL P-660H series is an all-in-one affordable router, compatible with high-speed ADSL, ADSL2 and ADSL2+ interfaces over existing copper lines. With speeds up to 12Mbps (ADSL2) or 24Mbps (ADSL2+), the P-660H series offers higher data transfer rates and better bandwidth than traditional ADSL gateways. It also supports RE ADSL (Reach-Extended ADSL) for higher speed and longer distance. With excellent performance and upward compatibility, the P-660H series is great as the bridge between today's communications needs and tomorrow's converged services. The ICSA-certified ZyNOS operating system ensures state-of-the-art firewall performance and robust security from the P-660H series. Based on Stateful Packet Inspection, DoS (Denial of Service) and DDoS features, it provides the first line of defense against hackers, network intruders, and other harmful threats. The P-660H series enables network administrators to allocate network resources and to guarantee Quality of Service (QoS). The MBM (Media Bandwidth Management) function prioritizes media services, and increases productivity and efficiency in daily operations by tailoring a system to specific demands such as VoIP, video streaming, video-conferencing or MP3 applications.
|Device Type||Router - 4-port switch (integrated)|
|Data Link Protocol||Ethernet, Fast Ethernet|
|Network / Transport Protocol||TCP/IP, PPTP, UDP/IP, L2TP, ICMP/IP, IPSec, PPPoE, PPPoA|
|Routing Protocol||RIP-1, RIP-2, IGMPv2, IGMP|
|Remote Management Protocol||SNMP, Telnet, HTTP|
|Features||Firewall protection, DHCP support, ARP support, auto-uplink (auto MDI/MDI-X), Stateful Packet Inspection (SPI), DoS attack prevention, content filtering, packet filtering, dynamic DNS server, VPN passthrough, firmware upgradable, DDos attack prevention, Media Bandwidth Management (MBM), Zero Configuration Technology, Multimedia Auto Provisioner (MAP)|
|Compliant Standards||IEEE 802.1D, UPnP|
|Framing Format||ANSI T1.413|
|Digital Signaling Protocol||ADSL Lite, ADSL, ADSL2, ADSL2+, READSL|
|Protocols & Specifications||ITU G.992.1 (G.DMT), ITU G.992.2 (G.Lite), ITU G.994.1 (G.hs), ITU G.992.3 (G.DMT.bis), ITU G.992.4 (G.lite.bis), ITU G.992.5|
|Max Transfer Rate||24 Mbps|
|Expansion / Connectivity|
|Interfaces||WAN : 1 x ADSL LAN : 4 x 10Base-T/100Base-TX - RJ-45|
|Power Device||Power adapter - external|
|Compliant Standards||CE, FCC|
|Min Operating Temperature||32 °F|
|Max Operating Temperature||122 °F|
|Humidity Range Operating||20 - 95%|
|Universal Product Identifiers|
|Part Numbers||91-004-582009B, 91-004-582012B|