Chapter 9 Interfaces

Configuration > Network > Interface > Ethernet > Edit (OPT)
This screen’s fields are described in the table below.

Table 94 Configuration > Network > Interface > Ethernet > Edit
  IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  Port: This is the name of the Ethernet interface’s physical port.
  Zone: Select the zone to which this interface is to belong. You use zones to apply security settings such as security policy, IDP, remote management, anti-malware, and application patrol. Make sure to select the correct zone, as otherwise traffic may be blocked by a security policy.
  MAC Address: This field is read-only.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  Link-Local Address: This displays the IPv6 link-local address and the network prefix that the Zyxel Device generates itself for the interface.
  IPv6 Address/Prefix Length: Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  DUID as MAC: Select this if you want the DUID to be generated from the interface’s default MAC address.
  Customized DUID: If you want to use a customized DUID, enter it here for the interface.
  Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  MTU: The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device discards the packet and sends an error message to the sender to inform it.
  Hop Limit: Enter the maximum number of network segments that a packet can cross before reaching the destination.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  Connectivity Check: These fields appear when Interface Properties is External or General. The interface can regularly check the connection to the gateway you specified to make sure it is still available.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  IP Pool Start Address: Enter the IP address from which the Zyxel Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table. If this field is blank, the Pool Size must also be blank.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  PXE Server: PXE (Preboot eXecution Environment) allows a client computer to use the network to boot up and install an operating system via a PXE-capable Network Interface Card (NIC). PXE is available for computers on internal interfaces to allow them to boot up using boot software on a PXE server.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  Passive Interface: Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.
  Authentication: Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use.

Table 94 Configuration > Network > Interface > Ethernet > Edit (continued)
  Configure PPPoE/PPTP: Click PPPoE/PPTP if this interface’s Internet connection uses PPPoE, PPTP or L2TP.
  Configure VLAN: Click VLAN if you want to configure a VLAN interface for this Ethernet interface.
  Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can set this interface to be part of a WAN trunk for load balancing.

To allow the Zyxel Device to answer external interface ARP requests on behalf of a device on a supported interface, select the interface, click Add or Edit, then click Add in the Proxy ARP section of the screen.

Figure 181 Interface > Edit > Add Proxy ARP
The following table describes labels that can appear in this screen.

Figure 182 Configuration > Network > Interface > Create Virtual Interface
Each field is described in the table below.

Table 96 Configuration > Network > Interface > Create Virtual Interface
  Interface Properties
  Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
  Description: Enter a description of this interface.

Figure 183 References
The following table describes labels that can appear in this screen.

Table 97 References
  Name: This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
  #: This field is a sequential value, and it is not associated with any entry.
  Service: This is the type of setting that references the selected object.

9.4.6 Add/Edit DHCP Extended Options
When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options, which have the Zyxel Device add more information to the DHCP packets. The available fields vary depending on the DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click Add or Edit in the Extended Options table.

Table 98 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options
  OK: Click this to close this screen and update the settings in the previous Edit screen.
  Cancel: Click Cancel to close the screen.
The following table lists the available DHCP extended options (defined in RFCs) on the Zyxel Device. See the RFCs for more information.

Figure 186 Example: PPPoE/PPTP/L2TP Interfaces
PPPoE/PPTP/L2TP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP/L2TP interfaces and other interfaces.
• You must also configure an ISP account object for the PPPoE/PPTP/L2TP interface to use.

Each field is described in the table below.
Table 100 Configuration > Network > Interface > PPP
  User Configuration / System Default: The Zyxel Device comes with the (non-removable) System Default PPP interfaces preconfigured. You can create (and delete) User Configuration PPP interfaces. System Default PPP interfaces vary by model.
  Add: Click this to create a new user-configured PPP interface.

Figure 188 Configuration > Network > Interface > PPP > Add
ZyWALL ATP Series User’s Guide 246

Each field is explained in the following table.
Table 101 Configuration > Network > Interface > PPP > Add
  IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.

Table 101 Configuration > Network > Interface > PPP > Add (continued)
  Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  Metric: Enter the priority of the gateway (the ISP) on this interface.
  IPv6 Address Assignment

Table 101 Configuration > Network > Interface > PPP > Add (continued)
  DUID as MAC: Select this if you want the DUID to be generated from the interface’s default MAC address.
  Customized DUID: If you want to use a customized DUID, enter it here for the interface.
  Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.

Table 101 Configuration > Network > Interface > PPP > Add (continued)
  Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
  Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

See the following table for a comparison between 2G, 2.5G, 2.75G, 3G and 4G wireless technologies.
Table 102 2G, 2.5G, 2.75G, 3G, 3.5G and 4G Wireless Technologies
  NAME: 2G
  TYPE: Circuit-switched
  MOBILE PHONE AND DATA STANDARDS, GSM-BASED: GSM (Global System for Mobile Communications), Personal Handyphone System (PHS), etc.
  MOBILE PHONE AND DATA STANDARDS, CDMA-BASED: Interim Standard 95 (IS-95), the first CDMA-based digital cellular standard, pioneered by Qualcomm. The brand name for IS-95 is cdmaOne.

Figure 189 Configuration > Network > Interface > Cellular
The following table describes the labels in this screen.
Table 103 Configuration > Network > Interface > Cellular
  Add: Click this to create a new cellular interface.
  Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Table 103 Configuration > Network > Interface > Cellular (continued)
  Latest Version: This displays the latest supported mobile broadband dongle list version number.
  Current Version: This displays the mobile broadband dongle list version number currently supported by the Zyxel Device.

Figure 190 Configuration > Network > Interface > Cellular > Add / Edit

The following table describes the labels in this screen.
Table 104 Configuration > Network > Interface > Cellular > Add / Edit
  Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
  General Settings
  Enable Interface: Select this option to turn on this interface.
  Interface Properties
  Interface Name: Select a name for the interface.

Table 104 Configuration > Network > Interface > Cellular > Add / Edit (continued)
  User Name: This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you. You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters.

Table 104 Configuration > Network > Interface > Cellular > Add / Edit (continued)
  Check Fail Tolerance: Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.
  Check Default Gateway: Select this to use the default gateway for the connectivity check.
  Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Table 104 Configuration > Network > Interface > Cellular > Add / Edit (continued)
  Network Selection: Home network is the network to which you are originally subscribed. Select Home to have the mobile broadband device connect only to the home network. If the home network is down, the Zyxel Device’s mobile broadband Internet connection is also unavailable.

Table 104 Configuration > Network > Interface > Cellular > Add / Edit (continued)
  Log: Select None to not create a log when the Zyxel Device takes this action, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the Zyxel Device send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.

IPv6-in-IPv4 Tunneling
Use this mode on the WAN of the Zyxel Device if
• your Zyxel Device has a public IPv4 IP address given by your ISP, and
• you want to transmit your IPv6 packets to one and only one remote site whose LAN network is also an IPv6 network.
With this mode, the Zyxel Device encapsulates IPv6 packets within IPv4 packets across the Internet. You must know the WAN IP address of the remote gateway device.

Figure 194 6to4 Tunnel

9.7.1 Configuring a Tunnel
This screen lists the Zyxel Device’s configured tunnel interfaces. To access this screen, click Network > Interface > Tunnel.
Figure 195 Network > Interface > Tunnel
Each field is explained in the following table.
Table 105 Network > Interface > Tunnel
  Add: Click this to create a new GRE tunnel interface.

Table 105 Network > Interface > Tunnel (continued)
  IP Address: This is the IP address of the interface. If the interface is active (and connected), the Zyxel Device tunnels local traffic sent to this IP address to the Remote Gateway Address.
  Tunnel Mode: This is the tunnel mode of the interface (GRE, IPv6-in-IPv4 or 6to4). This field also displays the interface’s IPv4 IP address and subnet mask if it is a GRE tunnel.

Figure 196 Network > Interface > Tunnel > Add/Edit
Each field is explained in the following table.
Table 106 Network > Interface > Tunnel > Add/Edit
  Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
  General Settings
  Enable: Select this to enable this interface. Clear this to disable this interface.

Table 106 Network > Interface > Tunnel > Add/Edit (continued)
  Interface Name: This field is read-only if you are editing an existing tunnel interface. Enter the name of the tunnel interface. The format is tunnelx, where x is 0 - 3. For example, tunnel0.
  Zone: Use this field to select the zone to which this interface belongs. This controls what security settings the Zyxel Device applies to this interface.

Table 106 Network > Interface > Tunnel > Add/Edit (continued)
  Remote Gateway Address: Enter the IP address or domain name of the remote gateway to which this interface tunnels traffic. Automatic displays in this field if you are configuring a 6to4 tunnel. It means the 6to4 tunnel forwards packets to the corresponding remote gateway automatically by looking at the packet’s destination address.

9.8 VLAN Interfaces
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.
Figure 197 Example: Before VLAN
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.

• Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.
In this example, the new switch handles the following types of traffic:
• Inside VLAN 2.

Each field is explained in the following table.
Table 107 Configuration > Network > Interface > VLAN
  Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields, as described below.

Figure 200 Configuration > Network > Interface > VLAN > Add /Edit

Each field is explained in the following table.
Table 108 Configuration > Network > Interface > VLAN > Add / Edit
  IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  Priority Code: This is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. “0” is the lowest priority level and “7” is the highest. See Table 179 on page 451. The setting configured in Configuration > BWM overwrites the priority setting here.
  Description: Enter a description of this interface.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  IPv6 Address/Prefix Length: Enter the IPv6 address and the prefix length for this interface if you want to configure a static IP address for this interface. This field is optional. The prefix length indicates how many of the left-most bits of the IP address are the same for all computers in the network, that is, the network address.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  Customized DUID: If you want to use a customized DUID, enter it here for the interface.
  Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  MTU: The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments.
  Hop Limit: Enter the maximum number of network segments that a packet can cross before reaching the destination.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  Connectivity Check: The Zyxel Device can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often to check the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and the IP Pool Start Address is 10.10.10.10, the Zyxel Device can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address must also be blank.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  Add: Click this to create a new entry.
  Edit: Select an entry and click this to be able to modify it.
  Remove: Select an entry and click this to delete it.
  #: This field is a sequential value, and it is not associated with a specific entry.
  IP Address: Enter the IP address to assign to a device with this entry’s MAC address.

Table 108 Configuration > Network > Interface > VLAN > Add / Edit (continued)
  MAC Address Setting: This section appears when Interface Properties is External or General. Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer.
  Use Default MAC Address: Select this option to have the interface use the factory assigned default MAC address.

Bridge Overview
A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port.
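The learning and forwarding behaviour just described, as an added illustration in Python (not Zyxel code and not from this guide). The port names, the MAC addresses and the frame sequence are constructed; flooding a frame whose destination has not been learned yet is assumed standard bridge behaviour, since the guide's sentence stops at the known-destination case.

```python
"""Learning bridge: a MAC-address table that maps each source MAC to the port
it was last seen on, consulted to decide where a frame goes (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"  # assumed broadcast destination


@dataclass
class LearningBridge:
    ports: Tuple[str, ...]
    # MAC table: source MAC -> port the bridge last received it on
    mac_table: Dict[str, str] = field(default_factory=dict)

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Handle one frame and return the ports it is forwarded out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        # Learning step: record the source MAC and the ingress port. A later
        # frame from the same MAC on another port simply overwrites the entry,
        # which is how a moved station is tracked.
        self.mac_table[src_mac] = in_port
        others = [p for p in self.ports if p != in_port]
        if dst_mac == BROADCAST:
            return others
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:
            # Destination not learned yet: flood to every other port (assumed).
            return others
        if out_port == in_port:
            # Destination sits on the ingress segment; nothing to forward.
            return []
        return [out_port]


def demo() -> Tuple[List[List[str]], Dict[str, str]]:
    """Constructed frame sequence on bridge X with four segments p1..p4."""
    bridge = LearningBridge(("p1", "p2", "p3", "p4"))
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    decisions = [
        bridge.receive("p1", a, b),          # B unknown: flooded to p2, p3, p4
        bridge.receive("p2", b, a),          # A learned on p1: sent to p1 only
        bridge.receive("p1", a, b),          # B now learned on p2
        bridge.receive("p3", a, BROADCAST),  # A moved to p3: entry overwritten
    ]
    return decisions, dict(bridge.mac_table)


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```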
Chapter 9 Interfaces A bridge interface may consist of the following members: • Zero or one VLAN interfaces (and any associated virtual VLAN interfaces) • Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces) When you create a bridge interface, the Zyxel Device removes the members’ entries from the routing table and adds the bridge interface’s entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.
Chapter 9 Interfaces Each field is described in the following table. Table 112 Configuration > Network > Interface > Bridge LABEL DESCRIPTION Configuration / IPv6 Configuration Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below. Add Click this to create a new entry.
Chapter 9 Interfaces Figure 202 Configuration > Network > Interface > Bridge > Add / Edit ZyWALL ATP Series User’s Guide 283
Chapter 9 Interfaces ZyWALL ATP Series User’s Guide 284
Chapter 9 Interfaces Each field is described in the table below. Table 113 Configuration > Network > Interface > Bridge > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL Available DESCRIPTION This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface. An interface is not available in the following situations: • • There is a virtual interface on top of it It is already used in a different bridge interface Select one, and click the >> arrow to add it to the bridge interface.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL IPv6 Address/ Prefix Length DESCRIPTION Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional. The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Customized DUID If you want to use a customized DUID, enter it here for the interface. Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL Router Preference DESCRIPTION Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the Zyxel Device. This helps hosts to choose their default router especially when there are multiple IPv6 router in the network.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL Ingress Bandwidth MTU DESCRIPTION This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576. Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL Lease time DESCRIPTION Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP addresses are valid. Extended Options Add This table is available if you selected DHCP server.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway.
Chapter 9 Interfaces Table 113 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Related Setting Configure WAN TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing. Configure Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this bridge interface. OK Click OK to save your changes back to the Zyxel Device.
Chapter 9 Interfaces 9.10.2 VTI Screen To access this screen, click Configuration > Network > Interface > VTI. Figure 204 Configuration > Network > Interface > VTI The following table describes the fields in this screen. Table 114 Configuration > Network > Interface > VTI LABEL DESCRIPTION Configuration Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Chapter 9 Interfaces Figure 205 Configuration > Network > Interface > VTI > Add Each field is described in the table below. Table 115 Configuration > Network > Interface > VTI > Add LABEL DESCRIPTION General Settings Enable Select this to enable VTI. Clear this to disable it. Interface Properties Interface Name This field is read-only if you are editing an existing VPN tunnel interface.
Chapter 9 Interfaces Table 115 Configuration > Network > Interface > VTI > Add (continued) LABEL DESCRIPTION Zone Select a zone. Make sure that the zone you select does not have traffic blocked by a security feature such as a security policy. vpn-rule You should have created a VPN tunnel first for a VPN Tunnel Interface scenario. Select one of the VPN Tunnel Interface scenario rules that you created. IP Address Assignment IP Address Enter the IP address for this interface.
Chapter 9 Interfaces Table 115 Configuration > Network > Interface > VTI > Add (continued) LABEL DESCRIPTION Enable RIP Select this to enable RIP in this interface. Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information. Send Version This field is effective when RIP is enabled.
Chapter 9 Interfaces 9.11 Trunk Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
Chapter 9 Interfaces If link sticking had been configured, the Zyxel Device would have still used wan1 to send LAN user A’s request to the server and server would have given the user A access. Load Balancing Algorithms The following sections describe the load balancing algorithms the Zyxel Device can use to decide which interface the traffic (from the LAN) should use for a session. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic.
Chapter 9 Interfaces traffic on that interface. This queue then moves to the back of the list. The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty. The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different.
Chapter 9 Interfaces 9.12 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. The Trunk Summary screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 209 Configuration > Network > Interface > Trunk The following table describes the items in this screen.
Chapter 9 Interfaces Table 117 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION User Configuration / System Default The Zyxel Device automatically adds all external interfaces into the pre-configured system default SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it. You can create your own User Configuration trunks and customize the algorithm, member interfaces and the active/passive mode. Add Click this to create a new user-configured trunk.
Chapter 9 Interfaces Each field is described in the table below. Table 118 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 9 Interfaces Table 118 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Ingress Bandwidth This is reserved for future use. This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to allow to come in through the interface per second. Note: You can configure the bandwidth of an interface in the corresponding interface edit screen.
Chapter 9 Interfaces Each field is described in the table below. Table 119 Configuration > Network > Interface > Trunk > Edit (System Default) LABEL DESCRIPTION Name This field displays the name of the selected system default trunk. Load Balancing Algorithm Select the load balancing method to use for the trunk. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
IP Address Assignment
Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table.
Figure 212 Example: Entry in the Routing Table Derived from Interfaces
Table 120 Example: Routing Table Entries for Interfaces
IP ADDRESS(ES)      DESTINATION
100.100.1.1/16      lan1
200.200.200.1/24    wan1
For example, if the Zyxel Device gets a packet with a destination address of 100.100.25.25, it routes the packet to interface lan1.
If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any.
Interface Parameters
The Zyxel Device restricts the amount of traffic into and out of the Zyxel Device through each interface.
• Egress bandwidth sets the amount of traffic the Zyxel Device sends out through the interface to the network.
• Ingress bandwidth sets the amount of traffic the Zyxel Device allows in through the interface from the network.
• IP address - If the DHCP client’s MAC address is in the Zyxel Device’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
Table 122 Example: Assigning IP Addresses from a Pool
START IP ADDRESS    POOL SIZE    RANGE OF ASSIGNED IP ADDRESS
50.50.50.33         5            50.50.50.33 - 50.50.50.37
75.75.75.1          200          75.75.75.1 - 75.75.75.200
99.99.1.1           1023         99.99.1.
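The assignment order described above (static DHCP table first, then the pool defined by start address and size) as an added illustration in Python; this is not the Zyxel Device's code, and the static table contents and MAC addresses are constructed for the example.

```python
import ipaddress


def pool_range(start, size):
    """Range of addresses a pool covers, as in Table 122: `size` consecutive
    addresses beginning at `start` (size 5 from 50.50.50.33 ends at .37)."""
    if size < 1:
        raise ValueError("pool size must be at least 1")
    first = ipaddress.IPv4Address(start)
    last = first + (size - 1)          # IPv4Address supports integer offsets
    return first, last


class InterfaceDhcp:
    """DHCP address assignment for one interface: static table first, pool second."""

    def __init__(self, start, size, static_table=None):
        self.first, self.last = pool_range(start, size)
        # MAC -> IP entries of the interface's static DHCP table (constructed input)
        self.static = {mac.lower(): ipaddress.IPv4Address(ip)
                       for mac, ip in (static_table or {}).items()}
        self.leases = {}                # MAC -> address handed out from the pool

    def assign(self, mac):
        mac = mac.lower()
        if mac in self.static:          # a static entry always wins over the pool
            return self.static[mac]
        if mac in self.leases:          # a known client keeps its lease
            return self.leases[mac]
        in_use = set(self.leases.values())
        addr = self.first
        while addr <= self.last:        # first free address in the pool
            if addr not in in_use:
                self.leases[mac] = addr
                return addr
            addr += 1
        return None                     # pool exhausted: no address for this client
```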
PPTP is used to set up virtual private networks (VPN) in unsecured TCP/IP environments. It sets up two sessions.
1 The first one runs on TCP port 1723. It is used to start and manage the second one.
2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.
PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
Chapter 10 Routing
10.1 Policy and Static Routes Overview
Use policy routes and static routes to override the Zyxel Device’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the Zyxel Device’s LAN interface. The Zyxel Device routes most traffic from A to the Internet through the Zyxel Device’s default gateway (R1).
10.1.2 What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
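The evaluation order just described (policy routes checked per incoming interface before normal destination-based routing), using the interface-derived routing table entries of Table 120, as an added Python illustration; it is not the Zyxel Device's implementation, and the policy-route criteria, next-hop names and the default gateway label are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    """One policy route, matched only for packets arriving on `incoming`."""
    incoming: str           # incoming interface the route applies to
    source: str             # source criterion as CIDR ("0.0.0.0/0" = any)
    destination: str        # destination criterion as CIDR
    next_hop: str           # interface or VPN tunnel to forward through
    enabled: bool = True


def routes_from_interfaces(interfaces):
    """Derive routing-table entries from each interface's IP/mask, as in Table 120."""
    return [(ipaddress.ip_interface(cidr).network, name)
            for name, cidr in interfaces.items()]


def forward(packet_src, packet_dst, incoming, policy_routes, routing_table,
            default_gateway=None):
    """Return the interface, tunnel or gateway a packet is sent to."""
    src = ipaddress.ip_address(packet_src)
    dst = ipaddress.ip_address(packet_dst)
    # 1. Policy routes come first, per incoming interface; the first enabled
    #    matching route decides, regardless of the normal routing table.
    for pr in policy_routes:
        if (pr.enabled and pr.incoming == incoming
                and src in ipaddress.ip_network(pr.source)
                and dst in ipaddress.ip_network(pr.destination)):
            return pr.next_hop
    # 2. Normal routing: destination address only, longest matching prefix wins.
    best = None
    for net, iface in routing_table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is not None:
        return best[1]
    # 3. No entry matched: hand the packet to the default gateway.
    return default_gateway
```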
traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired.
Figure 214 Configuration > Network > Routing > Policy Route
The following table describes the labels in this screen.
Table 123 Configuration > Network > Routing > Policy Route
Show Filter / Hide Filter: Click this button to display a greater or lesser number of configuration fields.
IPv4 Configuration / IPv6 Configuration: Use the IPv4 Configuration section for IPv4 network settings.
Table 123 Configuration > Network > Routing > Policy Route (continued)
#: This is the number of an individual policy route.
Status: This icon is lit when the entry is active, red when the next hop’s connection is down, and dimmed when the entry is inactive.
User: This is the name of the user (group) object from which the packets are sent. any means all users.
Schedule: This is the name of the schedule object. none means the route is active at all times if enabled.
Figure 215 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
ZyWALL ATP Series User’s Guide 315
Figure 216 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration)
The following table describes the labels in this screen.
Table 124 Configuration > Network > Routing > Policy Route > Add/Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Table 124 Configuration > Network > Routing > Policy Route > Add/Edit (continued)
DSCP Code: Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority, with the exception of 0, which is usually given only best-effort treatment. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0.
Table 124 Configuration > Network > Routing > Policy Route > Add/Edit (continued)
DSCP Marking: Set how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
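How the "af" names, the any/default selectors and User Define values relate to the 6-bit DSCP field, as an added Python illustration (not Zyxel's code); the class/drop-precedence formula is the one defined in RFC 2597, and the `user-define(N)` display string is an assumption for the example.

```python
def af_to_dscp(name):
    """Map an Assured Forwarding name such as 'af41' to its DSCP value.
    The two digits give the class (1-4) and the drop precedence (1-3);
    per RFC 2597 the code point is 8*class + 2*drop, so af41 -> 34."""
    n = name.lower()
    if len(n) != 4 or not n.startswith("af") or not n[2:].isdigit():
        raise ValueError(f"not an AF code point name: {name!r}")
    cls, drop = int(n[2]), int(n[3])
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError(f"AF class must be 1-4 and drop precedence 1-3: {name!r}")
    return 8 * cls + 2 * drop


def dscp_to_name(value):
    """Inverse mapping for display: 0 -> 'default', AF values -> 'afXY',
    anything else -> 'user-define(N)' (an assumed label for User Define)."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    if value == 0:
        return "default"
    cls, rem = divmod(value, 8)
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"af{cls}{rem // 2}"
    return f"user-define({value})"


def dscp_code_matches(selected, packet_dscp):
    """Evaluate the DSCP Code criterion of a policy route against a packet.
    'any' matches every packet (an unmarked packet carries DSCP 0), 'default'
    matches only 0, an int is a User Define value and 'afXY' is an AF name."""
    if selected == "any":
        return True
    if selected == "default":
        return packet_dscp == 0
    if isinstance(selected, int):
        return packet_dscp == selected
    return packet_dscp == af_to_dscp(selected)
```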
10.3 IP Static Route Screen
Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure static routes used for your IPv6 networks on this screen.
Figure 218 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration)
Figure 219 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration)
The following table describes the labels in this screen.
Table 126 Configuration > Network > Routing > Static Route > Add
Destination IP: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
10.4 Policy Routing Technical Reference
Here is more detailed information about some of the features you can configure in policy routing.
NAT and SNAT
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.
Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises.
• Use the RIP screen (see Section 10.6 on page 322) to configure the Zyxel Device to use RIP to receive and/or send routing information.
• Use the OSPF screen (see Section 10.7 on page 324) to configure general OSPF settings and manage OSPF areas.
• Use the OSPF Area Add/Edit screen (see Section 10.7.2 on page 328) to create or edit an OSPF area.
Figure 220 Configuration > Network > Routing > RIP
The following table describes the labels in this screen.
Table 129 Configuration > Network > Routing Protocol > RIP
Authentication: The transmitting and receiving routers must have the same key. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces.
Authentication: Select the authentication method used in the RIP network.
10.7 The OSPF Screen
OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over distance-vector routing protocols like RIP.
• OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.
Figure 221 OSPF: Types of Areas
This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y. Area 3 is an NSSA.
Figure 222 OSPF: Types of Routers
In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used.
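The DR/BDR selection rule above (priority first, highest router ID on a tie) and the resulting reduction in router-to-router exchanges, as an added Python illustration rather than the Zyxel Device's code. It assumes, from RFC 2328 and not from this page, that a router with priority 0 is never elected, and it performs a fresh election with no incumbent DR; the router IDs and priorities are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfRouter:
    router_id: str    # 32-bit router ID written in dotted-quad form
    priority: int     # 0-255; 0 means never DR or BDR (RFC 2328, not this page)


def _election_key(router):
    # Higher priority first; on a tie the numerically higher router ID wins,
    # so the ID is compared as a 32-bit integer, not as a string.
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))


def elect_dr_bdr(routers):
    """Pick the DR and BDR for one multi-access segment.
    Simplified: a fresh election with no incumbents (the full RFC 2328
    procedure keeps an existing DR even if a better candidate appears)."""
    eligible = sorted((r for r in routers if r.priority > 0),
                      key=_election_key, reverse=True)
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    return dr, bdr


def adjacencies(routers):
    """Pairs that exchange routing information once a DR and BDR exist: every
    router with the DR and with the BDR, plus the DR-BDR pair. For n routers
    that is 2n-3 adjacencies instead of the n(n-1)/2 of a full mesh."""
    dr, bdr = elect_dr_bdr(routers)
    pairs = set()
    for r in routers:
        for leader in (dr, bdr):
            if leader is not None and r != leader:
                pairs.add(frozenset((r.router_id, leader.router_id)))
    return pairs
```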
1 Enable OSPF.
2 Set up the OSPF areas.
3 Configure the appropriate interfaces. See Section 9.4.1 on page 222.
4 Set up virtual links, as needed.
10.7.1 Configuring the OSPF Screen
Use the first OSPF screen to specify the OSPF router the Zyxel Device uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them.
Table 131 Configuration > Network > Routing Protocol > OSPF (continued)
Metric: Type the external cost for routes provided by RIP. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214.
Area: This section displays information about OSPF areas in the Zyxel Device.
Add: Click this to create a new OSPF area.
The following table describes the labels in this screen.
Table 132 Configuration > Network > Routing > OSPF > Add
Area ID: Type the unique, 32-bit identifier for the area in IP address format.
Type: Select the type of OSPF area. Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS. Stub - This area is a stub area.
Table 132 Configuration > Network > Routing > OSPF > Add (continued)
Authentication: This is the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area.
The following table describes the labels in this screen.
Table 133 Configuration > Network > Routing > OSPF > Add > Add
Peer Router ID: Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link.
Authentication: Select the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area.
10.8.1 Allow BGP Packets to Enter the Zyxel Device
You must first allow BGP packets to enter the Zyxel Device from the WAN.
1 Go to Configuration > Object > Service > Service Group.
2 Select the Default_Allow_WAN_To_ZyWALL rule and click Edit.
3 Move BGP from Available to Member.
4 Click OK.
Figure 228 Allow BGP to the Zyxel Device
10.8.2 Configuring the BGP Screen
Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers.
Figure 229 Configuration > Network > Routing > BGP
The following table describes the labels in this screen.
Table 134 Configuration > Network > Routing Protocol > BGP
AS Number: Type a number from 1 to 4294967295 in this field.
Note: The Zyxel Device can only belong to one AS at a time.
Router ID: Type the IP address of the interface on the Zyxel Device. This field is optional.
Table 134 Configuration > Network > Routing Protocol > BGP (continued)
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This field is a sequential value, and it is not associated with a specific area.
Network: This displays the IP address and the number of subnet mask bits for the peer BGP route.
Apply: Click this button to save your changes to the Zyxel Device.
Table 135 Configuration > Network > Routing Protocol > BGP (continued)
Update Source: Use this to allow BGP sessions to use the selected interface for TCP connections.
• Choose Gateway and then enter the gateway IP address.
• Choose Interface and then select a Zyxel Device interface.
• Choose None to use the closest interface.
MD5 authentication key: Type the default password for MD5 authentication of communication between the Zyxel Device and the peer BGP router.
Figure 231 Scenario 1: CE Router - to - MPLS
10.8.4.2 CE - PE Configuration Process
The process for configuring BGP in this scenario is:
1 Configure the AS number for BGP on the Zyxel Device (CE) in Configuration > Network > Routing > BGP.
Note: The Zyxel Device can only belong to one AS at a time.
2 Configure the AS number and BGP criteria of the peer BGP routers (PE) in the neighboring AS in Configuration > Network > Routing > BGP > Add Neighbors.
Chapter 11 DDNS
11.1 DDNS Overview
Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.
11.1.1 What You Can Do in this Chapter
• Use the DDNS screen (see Section 11.2 on page 338) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 11.2.1 on page 339) to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name.
11.1.
11.2 The DDNS Screen
The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.
Figure 232 Configuration > Network > DDNS
The following table describes the labels in this screen.
Table 137 Configuration > Network > DDNS (continued)
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.
11.2.1 The Dynamic DNS Add/Edit Screen
The DDNS Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.
Figure 234 Configuration > Network > DDNS > Add - Custom
The following table describes the labels in this screen.
Table 138 Configuration > Network > DDNS > Add
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Enable DDNS Profile: Select this check box to use this DDNS entry.
Profile Name: When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the Zyxel Device.
Table 138 Configuration > Network > DDNS > Add (continued)
Password: Type the password provided by the DDNS provider. You can use up to 64 alphanumeric characters and the underscore. Spaces are not allowed.
Retype to Confirm: Type the password again to confirm it.
DDNS Settings
Domain name: Type the domain name you registered. You can use up to 255 characters.
Table 138 Configuration > Network > DDNS > Add (continued)
Mail Exchanger: This option is only available with a DynDNS account. DynDNS can route email for your domain name to a mail server (called a mail exchanger). For example, DynDNS routes email for john-doe@yourhost.dyndns.org to the host record specified as the mail exchanger. If you are using this service, type the host record of your mail server here. Otherwise leave the field blank. See www.dyndns.
Chapter 12 NAT
12.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the Zyxel Device available outside the private network.
• Well-known ports range from 0 to 1023.
• Registered ports range from 1024 to 49151.
• Dynamic ports (also called private ports) range from 49152 to 65535.
login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
Figure 236 Configuration > Network > NAT
The following table describes the labels in this screen.
Table 140 Configuration > Network > NAT (continued)
Internal IP: This field displays the new destination IP address for the packet.
Protocol: This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services.
External Port: This field displays the original destination port(s) of packets for the NAT entry. This field is blank if there is no restriction on the original destination port.
Table 141 Configuration > Network > NAT > Add (continued)
Classification: Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the Zyxel Device available to a public network outside the Zyxel Device (like the Internet).
Table 141 Configuration > Network > NAT > Add (continued)
Port Mapping Type: Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (Original IP). Choices are:
Any - this NAT rule supports all the destination ports.
Port - this NAT rule supports one destination port.
Ports - this NAT rule supports a range of destination ports.
12.3 NAT Technical Reference
Here is more detailed information about NAT on the Zyxel Device.
NAT Loopback
Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP email server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server. For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.
Figure 239 LAN to LAN Traffic
The LAN SMTP server replies to the Zyxel Device’s LAN IP address and the Zyxel Device changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1).
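The loopback translation described in this section, carried through both directions in Python as an added illustration (not the Zyxel Device's implementation). It assumes the page's addresses (LAN user 192.168.1.89, SMTP server 192.168.1.21, device LAN IP 192.168.1.1, original IP 1.1.1.1), keeps the client's source port unchanged when rewriting the source to the device's LAN IP, and uses a simplified session table.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatLoopback:
    """NAT 1:1 with loopback: LAN clients can reach the server through the rule's
    original (public) IP. Simplified: one session table keyed by addresses and
    ports, and the loopback SNAT reuses the client's source port (a real device
    would allocate a distinct port to avoid collisions between clients)."""

    def __init__(self, lan_ip, lan_net, rules):
        self.lan_ip = lan_ip                       # Zyxel Device LAN IP
        self.lan_net = ipaddress.ip_network(lan_net)
        self.rules = rules                         # original (public) IP -> mapped (private) IP
        self.sessions = {}                         # translated forward tuple -> (client, public IP)

    def forward(self, pkt):
        """Translate a packet addressed to a rule's original IP."""
        if pkt.dst not in self.rules:
            return pkt                             # not a NAT 1:1 destination: untouched here
        server = self.rules[pkt.dst]
        on_lan = ipaddress.ip_address(pkt.src) in self.lan_net
        # Loopback case: the client is on the same LAN as the server, so the source
        # is rewritten to the device's LAN IP; otherwise the server would answer the
        # client directly and the reply would never be translated back.
        new_src = self.lan_ip if on_lan else pkt.src
        self.sessions[(new_src, pkt.sport, server, pkt.dport)] = (pkt.src, pkt.dst)
        return replace(pkt, src=new_src, dst=server)

    def reply(self, pkt):
        """Translate the server's reply back towards the client: the source becomes
        the original IP again, so it matches the address the client sent to."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return pkt
        client, public_ip = self.sessions[key]
        return replace(pkt, src=public_ip, dst=client)
```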
Chapter 13 Redirect Service
13.1 Overview
Redirect Service redirects HTTP and SMTP traffic.
13.1.1 HTTP Redirect
HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the Zyxel Device) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first.
Figure 242 SMTP Redirect Example
13.1.3 What You Can Do in this Chapter
Use the Redirect Service screens (see Section 13.2 on page 354) to display and edit the HTTP and SMTP redirect rules.
13.1.4 What You Need to Know
Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
Even if you set a policy route to the same incoming interface and service as an HTTP redirect rule, the Zyxel Device checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no security policy blocking the HTTP requests from the client to the proxy server. You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet.
For SMTP traffic between lan1 and lan2:
• a from LAN1 to LAN2 firewall rule to allow SMTP messages from lan1 to lan2. Responses to this request are allowed automatically.
• an SMTP redirect rule to forward SMTP traffic from lan1 to SMTP server A.
For SMTP traffic between lan2 and wan1:
• a from LAN2 to WAN firewall rule (default) to allow SMTP messages from lan2 to wan1. Responses to these requests are allowed automatically.
Table 142 Configuration > Network > Redirect Service (continued)
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Service: This is the name of the service: HTTP or SMTP.
Name: This is the descriptive name of a rule.
User/Group: This is the user account or user group name to which this rule is applied.
Interface: This is the interface on which the request must be received.
The following table describes the labels in this screen.
Table 143 Network > Redirect Service > Edit
Enable: Use this option to turn the Redirect Service rule on or off.
Service: Select the service to be redirected: HTTP Redirect or SMTP redirect.
Name: Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 14 ALG
14.1 ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the Zyxel Device’s NAT.
• SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet.
• H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
• FTP - File Transfer Protocol - an Internet file transfer service.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN. Bandwidth management can be applied to FTP ALG traffic.
H.323 ALG
• The H.323 ALG supports peer-to-peer H.323 calls.
• The H.323 ALG handles H.323 calls that go through NAT or that the Zyxel Device routes. You can also make other H.
• You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the Zyxel Device when you enable the SIP ALG.
• Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 26 on page 515) to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic.
policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.
Figure 248 VoIP with Multiple WAN IP Addresses
14.1.2 Before You Begin
You must also configure the security policy and enable NAT in the Zyxel Device to allow sessions initiated from the WAN.
14.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen.
Figure 249 Configuration > Network > ALG
The following table describes the labels in this screen.
Table 144 Configuration > Network > ALG
Enable SIP ALG: Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the Zyxel Device’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Chapter 26 on page 515).
Table 144 Configuration > Network > ALG (continued)
SIP Signaling Inactivity Timeout: Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the Zyxel Device.
ALG
Some applications cannot operate through NAT (are NAT unfriendly) because they embed IP addresses and port numbers in their packets’ data payload. The Zyxel Device examines and uses IP address and port number information embedded in the VoIP traffic’s data stream. When a device behind the Zyxel Device uses an application for which the Zyxel Device has VoIP pass through enabled, the Zyxel Device translates the device’s private IP address inside the data stream to a public IP address.
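What "translating the private IP address inside the data stream" means for SIP, as an added Python illustration that is not the Zyxel Device's ALG: the private address embedded in the Via and Contact headers and in the SDP body of an outgoing INVITE is rewritten to the public address, and Content-Length is recomputed because the body size changes. The INVITE, the LAN address 192.168.1.50 and the public address 203.0.113.7 are constructed; a real ALG also tracks the RTP ports announced in the SDP to open the matching NAT sessions.

```python
import re


def _build_invite(ip):
    # Constructed sample: a minimal SIP INVITE with an SDP body from a phone at `ip`.
    body = ("v=0\r\n"
            f"o=alice 1 1 IN IP4 {ip}\r\n"
            "s=-\r\n"
            f"c=IN IP4 {ip}\r\n"
            "t=0 0\r\n"
            "m=audio 49170 RTP/AVP 0\r\n")
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776\r\n"
            "From: <sip:alice@example.net>;tag=1928\r\n"
            "To: <sip:bob@example.net>\r\n"
            f"Contact: <sip:alice@{ip}:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body.encode())}\r\n"
            "\r\n" + body)


SAMPLE_INVITE = _build_invite("192.168.1.50")


def sip_alg_rewrite(message, private_ip, public_ip):
    """Rewrite the private address embedded in the signaling payload of a
    message leaving the LAN: the Via and Contact headers, and the o= and c=
    lines of the SDP body. Content-Length is recomputed afterwards because
    the rewritten body may be a different size."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("not a SIP message: missing blank line after headers")
    # Match the address only as a whole token, not inside a longer address.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])")
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = ip_re.sub(public_ip, line)
        headers.append(line)
    new_body = "\r\n".join(
        ip_re.sub(public_ip, line) if line.startswith(("o=", "c=")) else line
        for line in body.split("\r\n"))
    headers = [f"Content-Length: {len(new_body.encode())}"
               if h.lower().startswith("content-length:") else h
               for h in headers]
    return "\r\n".join(headers) + sep + new_body
```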
Chapter 15 UPnP
15.1 UPnP and NAT-PMP Overview
The Zyxel Device supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
15.2.2 Cautions with UPnP and NAT-PMP
The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast message. For security reasons, the Zyxel Device allows multicast messages on the LAN only.
The following table describes the fields in this screen.
Table 145 Configuration > Network > UPnP
Enable UPnP: Select this check box to activate UPnP on the Zyxel Device. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Zyxel Device's IP address (although you must still enter the password to access the web configurator).
2 Click Change Advanced Sharing Settings.
3 Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
15.4.1.1 Auto-discover Your UPnP-enabled Network Device
Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer. Make sure your computer is connected to a LAN port of the Zyxel Device.
1 Open the Windows Explorer and click Network.
2 Right-click the device icon and select Properties.
Figure 251 Network Connections
3 In the Internet Connection Properties window, click Settings to see port mappings.
Figure 252 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 254 Internet Connection Properties: Advanced Settings: Add
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
5 Click OK. Check the network icon on the system tray to see your Internet connection status.
Figure 255 System Tray Icon
6 To see more details about your current Internet connection status, right-click on the network icon in the system tray and click Open Network and Sharing Center.
2 Click Network and Sharing Center.
3 Click Change advanced sharing settings.
4 Under Domain, select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
15.4.3 Auto-discover Your UPnP-enabled Network Device
Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer.
Make sure your computer is connected to the LAN port of the Zyxel Device.
1 Open File Explorer and click Network.
2 Right-click the Zyxel Device icon and select Properties.
Figure 257 Network Connections
3 In the Internet Connection Properties window, click Settings to see port mappings.
Figure 258 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 259 Internet Connection Properties: Advanced Settings
Figure 260 Internet Connection Properties: Advanced Settings: Add
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
5 Click OK. Check the network icon on the system tray to see your Internet connection status.
Figure 262 Internet Connection Status
15.4.4 Web Configurator Easy Access in Windows 7
With UPnP, you can access the web-based configurator on the Zyxel Device without finding out the IP address of the Zyxel Device first. This is helpful if you do not know the IP address of the Zyxel Device. Follow the steps below to access the web configurator.
1 Open Windows Explorer.
2 Click Network.
Figure 263 Network Connections
3 An icon with the description for each UPnP-enabled device displays under Network Infrastructure.
4 Right-click on the icon for your Zyxel Device and select View device webpage. The web configurator login screen displays.
Figure 264 Network Connections: My Network Places
5 Right-click on the icon for your Zyxel Device and select Properties. Click the Network Device tab. A window displays with information about the Zyxel Device.
Figure 265 Network Connections: My Network Places: Properties: Example
15.4.5 Web Configurator Easy Access in Windows 10
Follow the steps below to access the Web Configurator.
1 Open File Explorer.
2 Click Network.
3 An icon with the description for each UPnP-enabled device displays under Network Infrastructure.
4 Right-click the icon for your Zyxel Device and select View device webpage. The Web Configurator login screen displays.
Figure 267 Network Connections: Network Infrastructure
5 Right-click the icon for your Zyxel Device and select Properties. Click the Network Device tab. A window displays information about the Zyxel Device.
Chapter 16 IP/MAC Binding
16.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The Zyxel Device uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address. The Zyxel Device then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the Zyxel Device.
Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen.
16.2 IP/MAC Binding Summary
Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen.
Table 146 Configuration > Network > IP/MAC Binding > Summary (continued)
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
16.2.1 IP/MAC Binding Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface’s IP to MAC address binding settings.
Table 147 Configuration > Network > IP/MAC Binding > Edit (continued)
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This is the index number of the static DHCP entry.
IP Address: This is the IP address that the Zyxel Device assigns to a device with the entry’s MAC address.
MAC Address: This is the MAC address of the device to which the Zyxel Device assigns the entry’s IP address.
16.3 IP/MAC Binding Exempt List
Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding.
Figure 273 Configuration > Network > IP/MAC Binding > Exempt List
The following table describes the labels in this screen.
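The enforcement logic that Sections 16.1 to 16.3 describe, as an added example (this is illustrative code, not Zyxel's implementation): a per-interface table of the IP/MAC pairs the DHCP server handed out, a check of each incoming packet against it, exempt ranges that skip the check, and the optional logging. Treating an IP address the DHCP server never assigned as blocked is this model's reading of "a user cannot manually assign another IP"; the interface name, addresses and MACs are constructed.

```python
"""Model of IP/MAC binding enforcement as the manual describes it.

Added example, not Zyxel code.  Assumptions: an IP never assigned by DHCP
is blocked, MAC comparison is case-insensitive, and the exempt list is a
set of inclusive IPv4 ranges.  All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BindingTable:
    """IP/MAC binding state for one interface (bindings are grouped by interface)."""
    interface: str
    logging: bool = True
    bindings: dict = field(default_factory=dict)    # IPv4Address -> mac (lowercase)
    exempt: list = field(default_factory=list)      # (start, end) IPv4Address pairs
    log: list = field(default_factory=list)

    def record_lease(self, ip: str, mac: str) -> None:
        """Record the MAC the DHCP server assigned an IP address to."""
        self.bindings[ipaddress.ip_address(ip)] = mac.lower()

    def add_exempt_range(self, start: str, end: str) -> None:
        """Exempt List entry: addresses in this range are not checked."""
        self.exempt.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))

    def _log(self, msg: str) -> None:
        if self.logging:
            self.log.append(f"{self.interface}: {msg}")

    def check(self, ip: str, mac: str) -> str:
        """Classify an incoming packet as 'allow', 'allow-exempt' or 'block'."""
        addr = ipaddress.ip_address(ip)
        mac = mac.lower()
        if any(lo <= addr <= hi for lo, hi in self.exempt):
            return "allow-exempt"
        bound = self.bindings.get(addr)
        if bound is None:
            self._log(f"block {ip} from {mac}: address not assigned by DHCP")
            return "block"
        if bound != mac:
            self._log(f"block {ip} from {mac}: address is bound to {bound}")
            return "block"
        return "allow"


def demo():
    """Constructed lan1 table: one lease, one exempt range, four packets."""
    t = BindingTable("lan1")
    t.record_lease("192.168.1.10", "00:11:22:33:44:55")
    t.add_exempt_range("192.168.1.200", "192.168.1.250")
    results = [
        t.check("192.168.1.10", "00:11:22:33:44:55"),   # legitimate DHCP client
        t.check("192.168.1.10", "AA:BB:CC:DD:EE:FF"),   # another host using that IP
        t.check("192.168.1.20", "AA:BB:CC:DD:EE:FF"),   # manually configured IP
        t.check("192.168.1.210", "AA:BB:CC:DD:EE:FF"),  # inside the exempt range
    ]
    return results, t.log


if __name__ == "__main__":
    print(demo())
```

The two blocked packets produce log lines; the exempt-range packet produces none, which is worth remembering when you size an exempt range: anything inside it is invisible to this check.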
CHAPTER 17 Layer 2 Isolation
17.1 Overview
Layer-2 isolation is used to prevent connected devices from communicating with each other in the Zyxel Device’s local network(s), except for the devices in the white list, when layer-2 isolation is enabled on the Zyxel Device and the local interface(s).
Note: The security policy control must be enabled before you can use layer-2 isolation.
In the following example, layer-2 isolation is enabled on the Zyxel Device’s interface Vlan1.
Figure 275 Configuration > Network > Layer 2 Isolation
The following table describes the labels in this screen.
Table 150 Configuration > Network > Layer 2 Isolation
Enable Layer2 Isolation: Select this option to turn on the layer-2 isolation feature on the Zyxel Device.
Note: You can enable this feature only when the security policy is enabled.
Figure 276 Configuration > Network > Layer 2 Isolation > White List
The following table describes the labels in this screen.
Table 151 Configuration > Network > Layer 2 Isolation > White List
Enable White List: Select this option to turn on the white list on the Zyxel Device.
Note: You can enable this feature only when the security policy is enabled.
Add: Click this to add a new rule.
Edit: Click this to edit the selected rule.
Figure 277 Configuration > Network > Layer 2 Isolation > White List > Add/Edit
The following table describes the labels in this screen.
Table 152 Configuration > Network > Layer 2 Isolation > White List > Add/Edit
Enable: Select this option to turn on the rule.
Host IP Address: Enter an IPv4 address associated with this rule.
Description: Specify a description for the IP address associated with this rule.
CHAPTER 18 DNS Inbound LB
18.1 DNS Inbound Load Balancing Overview
Inbound load balancing enables the Zyxel Device to respond to a DNS query message with a different IP address for DNS name resolution. The Zyxel Device checks which member interface has the least load and responds to the DNS query message with the interface’s IP address. In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in order to resolve a domain name of www.example.com.
18.2 The DNS Inbound LB Screen
The Inbound LB screen provides a summary of all DNS load balancing rules and their details. You can also use this screen to add, edit, or remove the rules. Click Configuration > Network > Inbound LB to open the following screen.
Note: After you finish the inbound load balancing settings, go to the security policy and NAT screens to configure the corresponding rule and virtual server to allow Internet users to access your internal servers.
Table 153 Configuration > Network > DNS Inbound LB (continued)
Query From Address: This field displays the source IP address of the DNS query messages to which the Zyxel Device applies the DNS load balancing rule.
Query From Zone: The Zyxel Device applies the DNS load balancing rule to the query messages received from this zone.
Load Balancing Member: This field displays the member interfaces which the Zyxel Device manages for load balancing.
Figure 280 Configuration > Network > DNS Inbound LB > Add
The following table describes the labels in this screen.
Table 154 Configuration > Network > DNS Inbound LB > Add/Edit
Create New Object: Use this to configure any new setting objects that you need to use in this screen.
General Settings
Enable: Select this to enable this DNS load balancing rule.
Table 154 Configuration > Network > DNS Inbound LB > Add/Edit (continued)
Zone: Select the zone of DNS query messages upon which to apply this rule.
Load Balancing Member
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
Figure 281 Configuration > Network > DNS Inbound LB > Add/Edit > Add
The following table describes the labels in this screen.
Table 155 Configuration > Network > DNS Inbound LB > Add/Edit > Add/Edit
Member: The Zyxel Device checks each member interface’s loading in the order displayed here.
Monitor Interface: Select an interface to associate it with the DNS load balancing rule.
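How a DNS inbound load balancing rule picks the address it answers with, as an added example that is not Zyxel code: the Query From Zone and Query From Address match from Table 153, the least-load selection described in Section 18.1 (ties resolve in the member order, as Table 155 states), and the Weighted Round Robin method named in Table 154. The smooth-WRR variant, the member names, weights and load figures are this example's own choices, not details the manual gives.

```python
"""Member selection for DNS inbound load balancing.

Added example, not Zyxel code.  Assumptions: the rule's query-source
fields are a zone name and an IPv4 network; WRR is the smooth variant;
load is a constructed kbps figure.  Interface names and addresses are
constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Member:
    name: str        # member interface, e.g. "wan1"
    ip: str          # address returned in the DNS answer
    weight: int      # weight used by Weighted Round Robin
    load_kbps: int   # current load, used by the least-load check


def least_load(members):
    """Member with the lowest load.  min() keeps the first of equal values,
    so ties go to the member listed first, i.e. the order displayed."""
    return min(members, key=lambda m: m.load_kbps)


class WeightedRoundRobin:
    """Smooth weighted round robin: with weights 3 and 1 the first member
    answers three of every four queries, spread out rather than in a burst."""

    def __init__(self, members):
        self.members = list(members)
        self.current = {m.name: 0 for m in self.members}

    def pick(self, _members=None):
        total = sum(m.weight for m in self.members)
        for m in self.members:
            self.current[m.name] += m.weight
        best = max(self.members, key=lambda m: self.current[m.name])
        self.current[best.name] -= total
        return best


def answer_query(rule, members, picker, query_zone, query_src_ip):
    """IP to put in the DNS answer, or None when the rule does not match and
    the query should receive the normal DNS answer.  `rule` is a constructed
    dict holding the Query From Zone and Query From Address fields."""
    if query_zone != rule["query_from_zone"]:
        return None
    if ipaddress.ip_address(query_src_ip) not in ipaddress.ip_network(rule["query_from_address"]):
        return None
    return picker(members).ip


# Constructed sample configuration: two WAN members, one rule for the WAN zone.
MEMBERS = [
    Member("wan1", "203.0.113.10", weight=3, load_kbps=500),
    Member("wan2", "198.51.100.10", weight=1, load_kbps=200),
]
RULE = {"query_from_zone": "WAN", "query_from_address": "0.0.0.0/0"}


def demo():
    """Eight queries under WRR, one under least load, one that misses the rule."""
    wrr = WeightedRoundRobin(MEMBERS)
    wrr_answers = [answer_query(RULE, MEMBERS, wrr.pick, "WAN", "192.0.2.7") for _ in range(8)]
    ll_answer = answer_query(RULE, MEMBERS, least_load, "WAN", "192.0.2.7")
    not_matched = answer_query(RULE, MEMBERS, least_load, "LAN1", "192.168.1.5")
    return wrr_answers, ll_answer, not_matched


if __name__ == "__main__":
    print(demo())
```

The note in Section 18.2 still applies to the answer this returns: a client that receives the wan2 address only reaches the server if the security policy and the virtual server (NAT) rule for that interface exist.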
CHAPTER 19 IPnP
19.1 IPnP Overview
IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the Zyxel Device are not in the same subnet.
19.2 IPnP Screen
This screen allows you to enable IPnP on the Zyxel Device and specific internal interface(s). To access this screen click Configuration > Network > IPnP.
Figure 283 Configuration > Network > IPnP
The following table describes the labels in this screen.
Table 156 Configuration > Network > IPnP
Enable IPnP: Select this option to turn on the IPnP feature on the Zyxel Device.
Note: You can enable this feature only when the security policy is enabled.
CHAPTER 20 IPSec VPN
20.1 Virtual Private Networks (VPN) Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not.
During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate Security Associations for IPSec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound). Phase 2 uses Quick Mode (only).
L2TP VPN
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software. For example, configure sales representatives’ laptops, tablets, or smartphones to securely connect to the Zyxel Device’s network. See Chapter 22 on page 438 for more on L2TP over IPSec.
Figure 286 L2TP VPN
20.
Figure 287 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
Application Scenarios
The Zyxel Device’s application scenarios make it easier to configure your VPN connection settings.
Table 157 IPSec VPN Application Scenarios
SITE-TO-SITE: Choose this if the remote IPSec router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this Zyxel Device has a static IP address or a domain name.
20.1.3 Before You Begin
This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.
• In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
Figure 288 Configuration > VPN > IPSec VPN > VPN Connection
Each field is discussed in the following table.
Table 158 Configuration > VPN > IPSec VPN > VPN Connection
Global Setting: The following two fields are for all IPSec VPN policies. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website.
Table 158 Configuration > VPN > IPSec VPN > VPN Connection (continued)
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 240 for an example.
#: This field is a sequential value, and it is not associated with a specific connection.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Figure 289 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
ZyWALL ATP Series User’s Guide 404
Each field is described in the following table.
Table 159 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
General Settings
Enable: Select this check box to activate this VPN connection.
Table 159 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)
Application Scenario: Select the scenario that best describes your intended VPN connection.
Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
Table 159 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)
First DNS Server (optional): The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN. Enter a DNS server's IP address.
Second DNS Server (Optional): Enter a secondary DNS server's IP address that is checked if the first one is unavailable.
Table 159 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)
Encryption: This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA.
Table 159 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)
Check Port: This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
Check Period: Enter the number of seconds between connection check attempts.
Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.
Table 159 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)
Move: To change an entry’s position in the numbered list, select it and click Move to display a field. Type the number of the position where you want to put that entry and press [ENTER] to move the entry there.
#: This field is a sequential value, and it is not associated with a specific NAT record.
Each field is discussed in the following table. See Section 20.3.1 on page 411 for more information.
Table 160 Configuration > VPN > IPSec VPN > VPN Gateway
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Figure 291 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
Each field is described in the following table.
Table 161 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create New Object: Use this to configure any new settings objects that you need to use in this screen.
General Settings
Enable: Select this to activate the VPN Gateway policy.
Table 161 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
Pre-Shared Key: Select this to have the Zyxel Device and remote IPSec router use a pre-shared key (password) of up to 128 characters to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be:
• alphanumeric characters or ,;.|`~!@#$%^&*()_+\{}':./<>=-"
• pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.
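A format check for the Pre-Shared Key field above, as an added example that is not Zyxel code: it applies the two rules Table 161 states (up to 128 characters; either the listed alphanumeric and punctuation characters, or "0x" followed by pairs of 0-9/A-F) and generates a random key in the hexadecimal form so that both ends can be given a key that is long and is not a dictionary word. The manual does not say whether lowercase hex digits are also accepted, so this check follows its wording; that strictness, and the function names, are this example's own.

```python
"""Pre-shared key format check and generator for the IKE gateway.

Added example, not Zyxel code.  Assumptions: a key beginning with "0x" is
always meant as the hexadecimal form, hex digits must be uppercase A-F as
the manual writes them, and the 128-character limit counts the "0x".
"""
import re
import secrets
import string

PSK_MAX_LEN = 128
# The punctuation the manual lists as allowed in a text-form key.
ALLOWED_PUNCT = set(r''',;.|`~!@#$%^&*()_+\{}':./<>=-"''')
ALLOWED_TEXT = set(string.ascii_letters + string.digits) | ALLOWED_PUNCT
# "0x" followed by one or more byte pairs, so an odd digit count is rejected.
HEX_FORM = re.compile(r"^0x(?:[0-9A-F]{2})+$")


def validate_psk(psk: str):
    """Return (ok, reason) for a key as typed into the field."""
    if not psk:
        return False, "empty key"
    if len(psk) > PSK_MAX_LEN:
        return False, f"longer than {PSK_MAX_LEN} characters"
    if psk.startswith("0x"):
        if HEX_FORM.match(psk):
            return True, "hexadecimal form"
        return False, "hexadecimal form must be 0x followed by pairs of 0-9/A-F"
    bad = sorted({c for c in psk if c not in ALLOWED_TEXT})
    if bad:
        return False, "disallowed characters: " + "".join(bad)
    return True, "text form"


def generate_psk(nbytes: int = 32) -> str:
    """Random key in the hexadecimal form: 2 + 2*nbytes characters, so the
    default 32 bytes (256 bits from the OS CSPRNG) fits well inside 128."""
    return "0x" + secrets.token_bytes(nbytes).hex().upper()


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3!", "has space", "0xDEADBEEF", "0xDEADBEE", generate_psk()):
        print(candidate, validate_psk(candidate))
```

Both routers must hold the byte-for-byte same key, so when a generated hexadecimal key is pasted into the remote router, check that the remote side also interprets the "0x" prefix as hex rather than as six literal text characters.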
Table 161 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
Peer ID Type: Select which type of identification is used to identify the remote IPSec router during authentication.
Table 161 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
Encryption: Select which key size and encryption algorithm to use in the IKE SA.
Table 161 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
X-Auth: This displays when using IKEv1. When different users use the same VPN tunnel to connect to the Zyxel Device (telecommuters sharing a tunnel, for example), use X-Auth to enforce a user name and password check. This way, even though the telecommuters all know the VPN tunnel’s security settings, each still has to provide a unique user name and password.
20.4 VPN Concentrator
A VPN concentrator combines several IPSec VPN connections into one secure network.
Figure 292 VPN Topologies (Fully Meshed and Hub and Spoke)
In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers. In a hub-and-spoke VPN topology (2 in the figure), there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator.
20.4.2 VPN Concentrator Screen
The VPN Concentrator summary screen displays the VPN concentrators in the Zyxel Device. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator.
Figure 293 Configuration > VPN > IPSec VPN > Concentrator
Each field is discussed in the following table. See Section 20.4.3 on page 419 for more information.
Figure 294 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit
Each field is described in the following table.
Table 163 VPN > IPSec VPN > Concentrator > Add/Edit
Name: Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member: Select the concentrator’s IPSec VPN connection policies.
• A subnet or range remote policy
The following VPN Gateway rules configured on the Zyxel Device cannot be provisioned to the IPSec VPN Client:
• IPv4 rules with IKEv2 version
• IPv4 rules with User-based PSK authentication
Note: You must enable IPv6 in System > IPv6 to activate IPv6 VPN tunneling rules.
In the Zyxel Device Quick Setup wizard, you can use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that will not violate these restrictions.
Table 164 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued)
Add: Click Add to bind a configured VPN rule to a user or group. Only that user or group may then retrieve the specified VPN rule settings. If you click Add without selecting an entry in advance, the new entry appears as the first entry. Entry order is important, as the Zyxel Device searches entries in the order listed here to find a match.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode. Main mode is used in various examples in the rest of this section. The Zyxel Device supports IKEv1 and IKEv2. See Section 20.1 on page 396 for more information.
IP Addresses of the Zyxel Device and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the Zyxel Device and remote IPSec router.
• Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
• Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES. Some Zyxel Devices also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data.
Figure 298 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)
[Figure: step 5 (X to Y): Zyxel Device identity, consisting of ID type and content, authenticated with the pre-shared key; step 6 (Y to X): remote IPSec router identity, consisting of ID type and content, authenticated with the pre-shared key.]
You have to create (and distribute) a pre-shared key. The Zyxel Device and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.
Table 166 VPN Example: Mismatching ID Type and Content
                   ZYXEL DEVICE           REMOTE IPSEC ROUTER
Local ID type:     E-mail                 IP
Local ID content:  tom@yourcompany.com    1.1.1.2
Peer ID type:      IP                     E-mail
Peer ID content:   1.1.1.20               tom@yourcompany.com
It is also possible to configure the Zyxel Device to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any.
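The matching rule behind Table 166, as an added example (illustrative code, not Zyxel's): the tunnel authenticates only if each router's Peer ID (type and content) equals what the other router presents as its Local ID, and a Peer ID type of Any skips that comparison on that side. It takes the table's values, shows the one direction that fails (1.1.1.20 versus 1.1.1.2), and the two ways to clear it. Exact, case-sensitive content comparison and the class and function names are this example's assumptions.

```python
"""Local/peer IKE identity cross-check for two gateways.

Added example, not Zyxel code.  Assumption: ID content is compared as an
exact string; "Any" is only meaningful as a Peer ID type.  The sample
values come from Table 166.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeId:
    id_type: str   # "IP", "DNS", "E-mail", or "Any" (peer side only)
    content: str


@dataclass
class GatewayIds:
    local: IkeId   # what this router presents during authentication
    peer: IkeId    # what this router expects the other router to present


def peer_accepts(expected: IkeId, presented: IkeId) -> bool:
    """One router's Peer ID setting against the identity the other sends.
    A Peer ID type of Any ignores the remote identity, as the manual says."""
    if expected.id_type == "Any":
        return True
    return (expected.id_type, expected.content) == (presented.id_type, presented.content)


def id_mismatches(zyxel: GatewayIds, remote: GatewayIds) -> list:
    """Describe each direction whose IDs do not line up.  An empty list means
    both routers will accept each other's identity in IKE steps 5 and 6."""
    problems = []
    if not peer_accepts(zyxel.peer, remote.local):
        problems.append(
            f"Zyxel Device expects peer {zyxel.peer.id_type} '{zyxel.peer.content}' "
            f"but remote presents {remote.local.id_type} '{remote.local.content}'")
    if not peer_accepts(remote.peer, zyxel.local):
        problems.append(
            f"remote expects peer {remote.peer.id_type} '{remote.peer.content}' "
            f"but Zyxel Device presents {zyxel.local.id_type} '{zyxel.local.content}'")
    return problems


# Values from Table 166: the Zyxel Device's Peer ID content does not match
# the remote router's Local ID content.
ZYXEL = GatewayIds(local=IkeId("E-mail", "tom@yourcompany.com"), peer=IkeId("IP", "1.1.1.20"))
REMOTE = GatewayIds(local=IkeId("IP", "1.1.1.2"), peer=IkeId("E-mail", "tom@yourcompany.com"))


def demo():
    """The table as given, the corrected Peer ID, and Peer ID type Any."""
    broken = id_mismatches(ZYXEL, REMOTE)
    fixed = id_mismatches(GatewayIds(ZYXEL.local, IkeId("IP", "1.1.1.2")), REMOTE)
    ignored = id_mismatches(GatewayIds(ZYXEL.local, IkeId("Any", "")), REMOTE)
    return broken, fixed, ignored


if __name__ == "__main__":
    for label, result in zip(("table 166", "corrected", "peer type Any"), demo()):
        print(label, "->", result or "IDs match")
```

Of the two fixes, correcting the Peer ID content keeps the check; setting the type to Any removes it, which is why the manual presents Any as the exception rather than the default.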
Figure 299 VPN/NAT Example
[Figure: router X and router Y with router A in the path between them.]
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately.
Certificates
It is possible for the Zyxel Device and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead.
• Instead of using the pre-shared key, the Zyxel Device and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match.
Figure 300 VPN: Transport and Tunnel Mode Encapsulation
Transport mode packet:  IP Header | AH/ESP Header | TCP Header | Data
Tunnel mode packet:     IP Header | AH/ESP Header | IP Header | TCP Header | Data
In tunnel mode, the Zyxel Device uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the Zyxel Device or remote IPSec router, whichever is the destination.
NAT for Inbound and Outbound Traffic
The Zyxel Device can translate the following types of network addresses in an IPSec SA.
• Source address in outbound packets - this translation is necessary if you want the Zyxel Device to route packets from computers outside the local network through the IPSec SA.
• Source address in inbound packets - this translation hides the source address of computers in the remote network.
• Source - the original source address; the remote network (B).
• Destination - the original destination address; the local network (A).
• SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address.
Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)
You can set up this translation if you want the Zyxel Device to forward some packets from the remote network to a specific computer in the local network.
CHAPTER 21 SSL VPN
21.1 Overview
Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software.
21.1.1 What You Can Do in this Chapter
• Use the VPN > SSL VPN > Access Privilege screens (see Section 21.2 on page 433) to configure SSL access policies.
• Use the VPN > SSL VPN > Global Setting screen (see Section 21.
SSL Access Policy Objects
The SSL access policies reference the following objects. If you update this information in response to changes, the Zyxel Device automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed.
Table 167 Objects
OBJECT: User Accounts
SCREEN: User Account/User Group
DESCRIPTION: Configure a user account or user group to which you want to apply this SSL access policy.
The following table describes the labels in this screen.
Table 168 VPN > SSL VPN > Access Privilege
Access Policy Summary: This screen shows a summary of the SSL VPN policies created.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove.
Figure 305 VPN > SSL VPN > Add/Edit
The following table describes the labels in this screen.
Table 169 VPN > SSL VPN > Access Privilege > Add/Edit
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Configuration
Enable Policy: Select this option to activate this SSL access policy.
Name: Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed.
Table 169 VPN > SSL VPN > Access Privilege > Add/Edit (continued)
User/Group: The Selectable User/Group Objects list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet. To associate a user or user group to this SSL access policy, select a user account or user group and click the right arrow button to add to the Selected User/Group Objects list. You can select more than one name.
Figure 306 VPN > SSL VPN > Global Setting
The following table describes the labels in this screen.
Table 170 VPN > SSL VPN > Global Setting
Global Setting
Network Extension Local IP: Specify the IP address of the Zyxel Device (or a gateway device) for full tunnel mode SSL VPN access. Leave this field at the default setting unless it conflicts with another interface.
Apply: Click Apply to save the changes and/or start the logo file upload process.
CHAPTER 22 L2TP VPN
22.1 Overview
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software.
IPSec Configuration Required for L2TP VPN
You must configure an IPSec VPN connection prior to proper L2TP VPN usage (see Chapter 22 on page 438 for details). The IPSec VPN connection must:
• Be enabled.
• Use transport mode.
• Use Pre-Shared Key authentication.
• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
Figure 309 Configuration > VPN > L2TP VPN
The following table describes the fields in this screen.
Table 171 Configuration > VPN > L2TP VPN
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Table 171 Configuration > VPN > L2TP VPN (continued)
Authentication Server Certificate: Select the certificate to use to identify the Zyxel Device for L2TP VPN connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.
Allowed User: The remote user must log into the Zyxel Device to use the L2TP VPN tunnel.
2 Go to Configuration > VPN > IPSec VPN > VPN Connection and click Add for IPv4 Configuration to create a new VPN connection.
3 Select Remote Access (Server Role) as the VPN scenario for the remote client.
4 Select the NAT router WAN IP address object as the Local Policy.
5 Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
CHAPTER 23 BWM (Bandwidth Management)
23.1 Overview
Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
23.1.1 What You Can Do in this Chapter
Use the BWM screens (see Section 23.
In the following example, you configure a Per user bandwidth management rule for radius-users to limit outgoing traffic to 300 kbps. Then each of the radius-users (A, B and C) can send 300 kbps of traffic.
Figure 311 Bandwidth Management Per User Type
DiffServ and DSCP Marking
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority.
Figure 312 LAN1 to WAN Connection and Packet Directions
Outbound and Inbound Bandwidth Limits
You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limit to outbound or inbound traffic, each member of the out-going zone can send up to the limit.
Maximize Bandwidth Usage
Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow” any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the Zyxel Device uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled. Unused bandwidth is divided equally.
Priority Effect
Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B.
Table 173 Priority Effect
POLICY    CONFIGURED RATE    MAX. B. U.
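The two allocation rules just described, Maximize Bandwidth Usage and Priority Effect, as an added example that models them in code (this is not Zyxel's scheduler): configured rates are served in priority order until the out-going interface is full, then whatever is unused is divided equally among the policies that want more and have maximize bandwidth usage enabled. The 1000 kbps link that makes server A's 800 kbps leave 200 kbps for server B, server B's own rate, the demand figures and the priority numbering (lower number wins) are this example's assumptions, since Table 173 is cut off on the page.

```python
"""Model of BWM rate allocation: priority effect, then borrowing.

Added example, not Zyxel code.  Assumptions: lower priority number wins,
link capacity and per-policy demand are constructed, and the fairness
scheduler is modelled as repeated equal division capped by demand.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    priority: int        # lower number = higher priority in this model
    rate_kbps: int       # configured rate
    demand_kbps: int     # what the matching traffic currently wants (constructed)
    max_bw_usage: bool   # Maximize Bandwidth Usage enabled


def allocate(policies, link_kbps):
    """Return ({policy name: kbps granted}, kbps left unused)."""
    alloc = {p.name: 0 for p in policies}
    remaining = link_kbps
    # Step 1, priority effect: each policy gets its configured rate, capped by
    # its demand and by whatever the higher-priority policies left over.
    for p in sorted(policies, key=lambda p: p.priority):
        share = min(p.rate_kbps, p.demand_kbps, remaining)
        alloc[p.name] = share
        remaining -= share
    # Step 2, maximize bandwidth usage: divide what is still unused equally
    # among policies that want more, repeating so nobody exceeds its demand.
    while remaining > 0:
        hungry = [p for p in policies if p.max_bw_usage and alloc[p.name] < p.demand_kbps]
        if not hungry:
            break
        slice_kbps = remaining // len(hungry)
        if slice_kbps == 0:
            break
        for p in hungry:
            extra = min(slice_kbps, p.demand_kbps - alloc[p.name])
            alloc[p.name] += extra
            remaining -= extra
    return alloc, remaining


def priority_effect_example():
    """Table 173 scenario on an assumed 1000 kbps link: A (higher priority,
    800 kbps) is served first, so only 200 kbps is left for B."""
    policies = [
        Policy("server A", priority=1, rate_kbps=800, demand_kbps=800, max_bw_usage=False),
        Policy("server B", priority=2, rate_kbps=800, demand_kbps=800, max_bw_usage=False),
    ]
    return allocate(policies, 1000)


def borrowing_example():
    """A 2000 kbps link: both rates are satisfied and the 400 kbps left over is
    lent to the one policy that wants more and has maximize bandwidth usage on."""
    policies = [
        Policy("server A", priority=1, rate_kbps=800, demand_kbps=1500, max_bw_usage=True),
        Policy("server B", priority=2, rate_kbps=800, demand_kbps=800, max_bw_usage=False),
    ]
    return allocate(policies, 2000)


def shared_borrowing_example():
    """Both policies borrow: the first round's equal share exceeds what A can
    still use, so the remainder goes to B in a second round."""
    policies = [
        Policy("server A", priority=1, rate_kbps=500, demand_kbps=900, max_bw_usage=True),
        Policy("server B", priority=2, rate_kbps=500, demand_kbps=2000, max_bw_usage=True),
    ]
    return allocate(policies, 2000)


if __name__ == "__main__":
    print(priority_effect_example())
    print(borrowing_example())
    print(shared_borrowing_example())
```

The model makes the security consequence of the Priority Effect visible: a high-priority policy whose configured rate is close to the link capacity can starve every lower-priority policy, so management or VPN traffic that must keep flowing needs either a higher priority or a guaranteed rate of its own.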
The default bandwidth management policy is the one with the priority of “default”. It is the last policy the Zyxel Device checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.
Figure 315 Configuration > Bandwidth Management
The following table describes the labels in this screen. See Section 23.2.1 on page 451 for more information as well.
Table 176 Configuration > Bandwidth Management
User: This is the type of user account to which the policy applies. If any displays, the policy applies to all user accounts.
Schedule: This is the schedule that defines when the policy applies. none means the policy always applies.
Incoming Interface: This is the source interface of the traffic to which this policy applies.
Table 176 Configuration > Bandwidth Management
DSCP Marking: This is how the Zyxel Device handles the DSCP value of the incoming and outgoing packets that match this policy.
In - Inbound, the traffic the Zyxel Device sends to a connection’s initiator.
Out - Outbound, the traffic the Zyxel Device sends out from a connection’s initiator.
If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route’s outgoing packets.
Table 179 Priority Code and Types of Traffic
PRIORITY     TRAFFIC TYPES
6            Internetwork Control
7 (highest)  Network Control
To access this screen, go to the Configuration > Bandwidth Management screen (see Section 23.2 on page 448), and click either the Add icon or an Edit icon.
Figure 317 Configuration > Bandwidth Management > Add/Edit
The following table describes the labels in this screen.
Table 180 Configuration > Bandwidth Management > Add/Edit
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Configuration
Enable: Select this check box to turn on this policy.
Description: Enter a description of this policy. It is not used elsewhere.
Table 180 Configuration > Bandwidth Management > Add/Edit
User: Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account. Select any to apply the policy to every user.
Schedule: Select a schedule that defines when the policy applies, or select Create Object to configure a new one. Otherwise, select none to make the policy always effective.
Table 180 Configuration > Bandwidth Management > Add/Edit
Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the Zyxel Device sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management to the matching traffic that the Zyxel Device sends to the initiator.
23.2.1.1 Adding Objects for the BWM Policy
Objects are the parameters on which the policy rules are built. There are three kinds of objects you can add or edit for the BWM policy: User, Schedule and Address objects. Click Configuration > BWM > Add > Create New Object > Add User to see the following screen.
Figure 318 Configuration > BWM > Create New Object > Add User
The following table describes the fields in the above screen.
Table 181 Configuration > BWM > Create New Object > Add User
Password: Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long.
Retype: Retype the password to confirm.
Description: Enter a description for this user object. It is not used elsewhere.
Figure 319 Configuration > BWM > Create New Object > Add Schedule
The following table describes the fields in the above screen.
Table 182 Configuration > BWM > Create New Object > Add Schedule
Name: Enter a name for the schedule object of the rule.
Type: Select an option from the drop-down menu for the schedule object. It shows One Time or Recurring.
Figure 320 Configuration > BWM > Create New Object > Add Address
The following table describes the fields in the above screen.
Table 183 Configuration > BWM > Create New Object > Add Address
Name: Enter a name for the Address object of the rule.
Address Type: Select an Address Type from the drop-down menu on the right. The Address Types are Host, Range, Subnet, Interface IP, Interface Subnet, and Interface Gateway.
Chapter 24 Web Authentication
24.1 Web Auth Overview
Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions. Once authentication is successful, they can then connect to the rest of the network or Internet.
24.1.2 What You Need to Know
Single Sign-On
An SSO (Single Sign-On) agent integrates the Domain Controller and Zyxel Device authentication mechanisms, so that users need to log in only once to get access to permitted resources.
Figure 322 Configuration > Web Authentication > General
The following table gives an overview of the objects you can configure.
Table 184 Configuration > Web Authentication > General
Global Setting
Enable Web Authentication: Select the check box to turn on the web authentication feature. Otherwise, clear the check box to turn it off.
Table 184 Configuration > Web Authentication > General (continued)
Exceptional Services: Use this table to list services that users can access without logging in. Click Add to change the list’s membership. A screen appears. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button to add them. The member services are on the right.
Table 184 Configuration > Web Authentication > General (continued)
Authentication: This field displays the authentication requirement for users when their traffic matches this policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated. They must manually go to the login screen or user agreement page. The Zyxel Device will not redirect them to the login screen.
force - Users need to be authenticated.
Creating/Editing an Authentication Policy
Open the Configuration > Web Authentication > General screen, then click the Add icon or select an entry and click the Edit icon in the Web Authentication Policy Summary section to open the Auth. Policy Add/Edit screen. Use this screen to configure an authentication policy.
Figure 325 Configuration > Web Authentication > General > Add Authentication Policy
The following table gives an overview of the objects you can configure.
Table 185 Configuration > Web Authentication > General > Add Authentication Policy (continued)
Authentication: Select the authentication requirement for users when their traffic matches this policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated. If Force User Authentication is selected, all HTTP traffic from unauthenticated users is redirected to a default or user-defined login page.
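As an added illustration (not Zyxel firmware code), the following Python models how a single request is handled under the unnecessary / required / Force User Authentication settings together with the Exceptional Services list described above. The source-address match criterion, top-down policy evaluation and the outcome when no policy matches are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AuthPolicy:
    name: str
    authentication: str            # "unnecessary" or "required"
    force_user_auth: bool = False  # the Force User Authentication check box
    source: Optional[str] = None   # assumed match criterion: source CIDR, None = any


def first_match(policies, src_ip: str) -> Optional[AuthPolicy]:
    """Assumed order: policies are evaluated top-down, first match wins."""
    addr = ip_address(src_ip)
    for policy in policies:
        if policy.source is None or addr in ip_network(policy.source):
            return policy
    return None


def decide(policies, src_ip, authenticated, service, is_http, exceptional=frozenset()):
    """Outcome for one request:
    'allow'    - traffic is routed
    'redirect' - unauthenticated HTTP is sent to the login page
                 (required + Force User Authentication)
    'block'    - unauthenticated, no redirect: the user must open the
                 login page manually (required without the force option)
    """
    if service in exceptional:          # Exceptional Services need no login
        return "allow"
    policy = first_match(policies, src_ip)
    if policy is None:                  # assumption: no matching policy = no requirement
        return "allow"
    if policy.authentication == "unnecessary" or authenticated:
        return "allow"
    if policy.force_user_auth and is_http:
        return "redirect"
    return "block"


# Constructed sample: the "default_policy" from the RADIUS walkthrough
# (required + Force User Authentication) with DNS as an exceptional service.
DEFAULT_POLICIES = [AuthPolicy("default_policy", "required", force_user_auth=True)]
EXCEPTIONAL = frozenset({"DNS"})

if __name__ == "__main__":
    print(decide(DEFAULT_POLICIES, "192.0.2.10", False, "HTTP", True, EXCEPTIONAL))
```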
Figure 326 Configuration > Object > User/Group > User > Add
3 Repeat this process to set up the remaining user accounts.
24.2.1.2 Set Up User Groups
Set up the user groups and assign the users to the user groups.
1 Click Configuration > Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group. In this example, it is “Finance”. Then, select Object/Leo and click the right arrow to move him to the Member list.
24.2.1.3 Set Up User Authentication Using the RADIUS Server
This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the Zyxel Device to use the authentication method. Finally, force users to log into the Zyxel Device before it routes traffic for them.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry.
Figure 330 Configuration > Web Authentication
4 In the Web Authentication Policy Summary section, click the Add icon to set up a default policy that has priority over other policies and forces every user to log into the Zyxel Device before the Zyxel Device routes traffic for them.
5 Select Enable Policy. Enter a descriptive name, “default_policy” for example. Set the Authentication field to required, and make sure Force User Authentication is selected.
Figure 331 Configuration > Web Authentication: General: Add
When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server.
24.2.1.4 User Group Authentication Using the RADIUS Server
The previous example showed how to have a RADIUS server authenticate individual user accounts.
Figure 332 Configuration > Object > AAA Server > RADIUS > Add
2 Now add ext-group-user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user.
Figure 333 Configuration > Object > User/Group > User > Add
3 Repeat this process to set up the remaining groups of user accounts.
24.2.2 Authentication Type Screen
Use this screen to view, create and manage the authentication type profiles on the Zyxel Device. An authentication type profile decides which type of web authentication page is used for user authentication.
Table 186 Configuration > Web Authentication > Authentication Type (continued)
#: This field is a sequential value, and it is not associated with a specific entry.
Name: This field displays the name of the profile. default-web-portal: the default login page built into the Zyxel Device.
Note: You can also customize the default login page built into the Zyxel Device in the System > WWW > Login Page screen.
Figure 336 Configuration > Web Authentication > Authentication Type: Add/Edit (User Agreement)
The following table describes the labels in this screen.
Table 187 Configuration > Web Authentication > Authentication Type: Add/Edit
Type: Select the type of the web authentication page through which users authenticate their connections.
Table 187 Configuration > Web Authentication > Authentication Type: Add/Edit (continued)
External Web Portal: Select this to use a custom login page from an external web portal instead of the one uploaded to the Zyxel Device. You can configure the look and feel of the web portal page.
Login URL: Specify the login page’s URL; for example, http://IIS server IP Address/login.html.
Table 187 Configuration > Web Authentication > Authentication Type: Add/Edit (continued)
Welcome URL: Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html. The Internet Information Server (IIS) is the web server on which the user agreement files are installed. If you leave this field blank, the Zyxel Device uses the welcome page of the internal user agreement file.
Figure 338 Configuration > Web Authentication > Custom User Agreement File
The following table describes the labels in this screen.
Table 188 Configuration > Web Authentication > Custom Web Portal / User Agreement File
Remove: Click a file’s row to select it and click Remove to delete it from the Zyxel Device.
Download: Click a file’s row to select it and click Download to save the zipped file to your computer.
Note: The Zyxel Device, the DC, the SSO agent and the AD server must all be in the same domain and be able to communicate with each other.
SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with a Windows AD (Active Directory) authentication database. You must enable Web Authentication in the Configuration > Web Authentication screen.
24.4 SSO - Zyxel Device Configuration
This section shows what you have to do on the Zyxel Device in order to use SSO.
Figure 340 Configuration > Web Authentication > SSO
The following table gives an overview of the objects you can configure.
Table 190 Configuration > Web Authentication > SSO
Listen Port: The default agent listening port is 2158. If you change it on the Zyxel Device, then change it to the same number in the Gateway Port field on the SSO agent too. Type a number ranging from 1025 to 65535.