Product FAQ


General FAQ


What is firewall bridge mode?

In bridge mode, the ZyWALL processes an Ethernet frame traversing between its interfaces without modifying the source or destination addresses in the frame's header. All bridging ports behave as though they are located on the same network segment. A firewall in bridge mode acts much like a layer 2 switch or bridge. Because there is no routing or network address translation, the IP addresses on the protected network must be valid routable addresses.

What's the difference between routing mode and bridge mode?

When the ZyWALL is in routing mode, the WAN, LAN and DMZ interfaces are on different network segments. When the ZyWALL is in bridge mode, the WAN, LAN and DMZ interfaces are all on the same network segment.

What is the benefit of firewall bridge mode?

Changing an existing network topology is one of the biggest headaches for network administrators. A firewall in bridge mode lets administrators deploy security protection for the networks they want to protect without changing the existing topology.

What is STP (Spanning Tree Protocol)?

Spanning Tree Protocol (STP) is a Layer 2 protocol designed to run on bridges and switches. The specification for STP is defined in IEEE 802.1D. The main purpose of STP is to ensure that you do not run into a loop situation when you have redundant paths in your network. STP detects/disables network loops and provides backup links between switches or bridges. It allows the device to interact with other STP compliant devices in your network to ensure that only one path exists between any two stations on the network.

What is RSTP (Rapid Spanning Tree Protocol)?

Rapid Spanning Tree Protocol (RSTP) is an evolution of the Spanning Tree Protocol (802.1D standard) and provides for faster spanning tree convergence after a topology change.

What is the impact of STP/RSTP on the ZyWALL's firewall?

We strongly suggest that customers avoid loop topologies as far as possible and leave RSTP turned off if they want to use the firewall function. The firewall function is directional: by default, traffic from WAN to LAN is blocked but traffic from LAN to WAN is forwarded. STP/RSTP cuts a loop topology down to a tree structure, and that tree structure depends on the priority and path cost parameters. The tree structure chosen by STP/RSTP may therefore guide traffic in a blocked direction.

What functions are supported in bridge mode?

Firewall, Content Filter, Wireless LAN, Authentication Server (for WLAN authentication), System Statistics, Certificates (for HTTPS management), Remote Management, Bandwidth Management, Centralized Logs, Maintenance. Please note that the VPN, DHCP, Routing, SUA/NAT, Static Route, Policy Route and UPnP functions are not supported in bridge mode.

What is the ZyWALL Internet Access Sharing Router?

The ZyWALL series fulfills a range of application environments, from small and medium businesses, SOHO, or Telecommuters, to home user or education applications. The ZyWALL series provides a robust Firewall to protect your network, and the IPSec VPN function allows you to create a secure connection for e-business. ZyWALL's design helps users to save expenses, minimize maintenance, and simultaneously provide a high quality networking environment.

The ZyWALL series is a robust solution complete with everything needed for providing Internet access to multiple workstations through your cable or ADSL modem. The router is equipped with 2 auto-MDI/MDIX 10/100Mbps Ethernet WAN port, 1 auto-MDI/MDIX 10/100Mbps Ethernet LAN port, 4 auto-MDI/MDIX 10/100Mbps DMZ port and 802.11b wireless capability. It is the simplest and most affordable solution for a multiple-user, instant broadband Internet access router with 802.11 wireless support.

Virtually all popular Internet applications, such as Web, E-Mail, FTP, Telnet and Gopher, are supported. ZyWALL is designed for SOHO, branch offices, workgroups, and educational users.

Will the ZyWALL work with my Internet connection?

The ZyWALL is designed to be compatible with cable and ADSL modems. Most external cable and ADSL modems use an Ethernet port to connect to your computer, so the ZyWALL is placed in the line between the computer and the external modem. As long as your Internet access device has an Ethernet port, you can use the ZyWALL. If your ISP uses PPPoE you can also use the ZyWALL, because the ZyWALL supports PPPoE.

What do I need to use the ZyWALL?

You need an ADSL modem or cable modem with an Ethernet port to use the ZyWALL. The ZyWALL has two Ethernet ports: LAN port and WAN port. You should connect the computer to the LAN port and connect the external modem to the WAN port. If the ISP uses PPPoE or RoadRunner authentication, you need the user account details to enter in the ZyWALL.

What is PPPoE?

PPPoE stands for Point-to-Point Protocol over Ethernet. It is an IETF draft standard specifying how a computer interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.) to achieve access to high-speed data networks via a familiar PPP dialer such as the 'Dial-Up Networking' user interface. PPPoE supports a broad range of existing applications and services including authentication, accounting, secure access and configuration management. Some service providers are running PPPoE today. Before configuring PPPoE in the ZyWALL, please make sure your ISP supports PPPoE.

Does the ZyWALL support PPPoE?

Yes. The ZyWALL has supported PPPoE since ZyNOS 2.50.

How do I know I am using PPPoE?

PPPoE requires a user account to log in to the provider's server. If you need to configure a user name and password on your computer to connect to the ISP, you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check with your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the ZyWALL if the ISP uses PPPoE.

Why does my provider use PPPoE?

PPPoE emulates a familiar dial-up connection. It allows your ISP to provide services using their existing network configuration over broadband connections. PPPoE also supports a broad range of existing applications and services including authentication, accounting, secure access and configuration management.

Which Internet Applications can I use with the ZyWALL?

The most common applications include mIRC, PPTP, ICQ, CU-SeeMe, NetMeeting, IP/TV, RealPlayer, VDOLive, Quake, Quake II, Quake III, StarCraft, and QuickTime.

How can I configure the ZyWALL?

What network interface does the ZyWALL support?

The ZyWALL supports 10/100M Ethernet to connect to the computer and 10M Ethernet to connect to the external cable or ADSL modem.

What can we do with ZyWALL?

Browse the World Wide Web (WWW), send and receive individual e-mail, and download software. These are just a few of many benefits you can enjoy when you put the whole office on-line with the ZyWALL Internet Access Sharing Router.

Does ZyWALL support dynamic IP addressing?

The ZyWALL supports either a static or dynamic IP address from ISP.

What is the difference between the internal IP and the real IP from my ISP?

Internal IPs are sometimes referred to as virtual IPs. They are a group of up to 255 IPs that are used and recognized internally on the local area network. They are not intended to be recognized on the Internet. The real IP from ISP, instead, can be recognized or pinged by another real IP. The ZyWALL Internet Access Sharing Router works like an intelligent router that routes between the virtual IP and the real IP.

How does e-mail work through the ZyWALL?

It depends on what kind of IP you have: Static or Dynamic. If your company has a domain name, it means that you have a static IP address. Suppose your company's e-mail address is xxx@mycompany.com. Joe and Debbie will be able to send e-mail through ZyWALL Internet Access Sharing Router using jane@mycompany.com and debbie@mycompany.com respectively as their e-mail addresses. They will be able to retrieve their individual private and secure e-mail, if they have been assigned the proper access right.

If your company does not have a domain name, it means that your ISP provides you with a dynamic IP address.

Suppose your company's e-mail address is mycompany@ispname.com. Jane and John will be able to send e-mail through ZyWALL Internet Access Sharing Router using "jane"<mycompany@ispname.com> and "john"<mycompany@ispname.com> respectively as their e-mail addresses. Again, they will be able to retrieve their individual private and secured e-mail, if they have been assigned the proper access right.

What is the main difference between WinGate and the ZyWALL?

  1. WinGate is a software only solution that needs to be installed in a dedicated Windows 95 PC based server. The total cost and complexity are many times over ATI’s product. The ZyWALL Internet Access Sharing Router is a plug-n-play internet appliance.
  2. WinGate requires all TCP/IP applications such as Netscape Navigator to be reconfigured to have the dedicated server as a proxy. The ZyWALL Internet Access Sharing Router does not require users to reconfigure any software at all.
  3. The ZyWALL Internet Access Sharing Router uses a Network Address Translation (NAT) scheme, which supports all TCP/UDP ports. WinGate only supports a limited number of ports, such as http(80), ftp(21), telnet(23), and pop3(110).
  4. WinGate works as a proxy, while the ZyWALL Internet Access Sharing Router works as a gateway. The gateway approach is more efficient than the proxy during the processing of TCP/IP commands. As a result, the ZyWALL Internet Access Sharing Router achieves 10% to 20% higher performance than that of software solutions such as WinGate.
  5. The ZyWALL Internet Access Sharing Router uses Solid State Disk technology. There are no moving parts in the product. It is much more reliable than any hard disk based system, such as the one for WinGate.

What is the difference between the 'Standard' and 'RoadRunner' service? 

The US Road Runner service requires the user to "log in" to the service before it can send any packets to the outside network. This is apparently implemented in the TAS (Toshiba Authentication System) with a packet filtering firewall in the upstream direction. Before login, one can send ICMP packets (e.g., ping) to the outside Internet, but nearly all other upstream TCP and UDP packets are blocked. The user can only speak to the local DNS/login server. Downstream packets do not appear to be filtered or blocked at any time. 

Standard service, by contrast, means cable services that have no login requirement. ZyWALL supports both Road Runner and Standard services in menu 4 for connecting to cable ISPs.
 

Is it possible to access a server running behind SUA from the outside Internet? If possible, how?

Yes, it is possible because the ZyWALL delivers the packet to the local server by looking it up in a SUA server table. Therefore, to make a local server accessible to outside users, the port number and the inside IP address of the server must be configured in Menu 15 - SUA Server Setup.

What DHCP capability does the ZyWALL support?

The ZyWALL supports DHCP client on the WAN port and DHCP server on the LAN port. The ZyWALL's DHCP client allows it to get the Internet IP address from ISP automatically. The ZyWALL's DHCP server allows it to automatically assign IP and DNS addresses to the clients on the local LAN.   

What are the capabilities of, and differences between, the wireless features of the ZyWALL and the P316?

Wireless in the ZyWALL series supports embedded 802.1x MD5/CHAP authentication for 32 clients, whereas the P316 does not.

What is the coverage range of Wireless in ZyWALL?

The coverage range is typically 50m~80m indoors and 150m~300m outdoors. The actual range may vary depending on the environment, such as obstacles and walls, RF interference, etc.

How do I use the reset button, and which parameters are reset by the reset button?

Insert a sharp pointed object into the small reset hole beside the power connector. Press the reset button and hold it down for approximately 10 seconds, and the unit will be reset. When the reset button is pressed, all of the device's parameters are reset to the factory defaults, including ESSID, password and IP address.

The default IP address is 192.168.1.1, the password is 1234 and the ESSID is Wireless.


Advanced FAQ

How does the ZyWALL support TFTP?

In addition to the direct console port connection, the ZyWALL supports uploading and downloading the firmware and configuration file using TFTP (Trivial File Transfer Protocol) over LAN.

Can the ZyWALL support TFTP over WAN? 

Although TFTP should work over WAN as well, it is not recommended because of the potential data corruption problems.

How can I upload data to outside Internet over the one-way cable? 

A workaround is to use an alternate path for your upstream path, such as a dialup connection to an Internet service provider. So, if you can find another way to get your upstream packets to the Internet you will still be able to receive downstream packets via ZyWALL.

How fast can the data go? 

ZyWALL supports 100 baseT. So the max speed is 100 Mbps. However, Internet Access speed of DSL/Cable Modem limits max available speed. In other words, if you get 2Mbps/512kbps down stream and up stream for Internet Access, then the max available speed is 2Mbps/512 kbps, even if you get 100 Mbps in local LAN.

My ZyWALL can not get an IP address from the ISP to connect to the Internet, what can I do?

Currently, there are various ways that ISPs control their users. That is, the WAN IP is provided only when the user is checked as an authorized user. The ISPs currently use three ways:

  1. Check if the 'MAC address' is valid

  2. Check if the 'Host Name' is valid, e.g., @home

  3. Check if the 'User ID' is valid, e.g., RR-Toshiba Authentication Service, RR-Manager Authentication Service

If you are not able to get the Internet IP from the ISP, check which authentication method your ISP uses and troubleshoot the problem as described below.

1. Your ISP checks the 'MAC address'

Some ISPs only provide an IP address to the user with an authorized MAC address. This authorized MAC can be the PC's MAC which is used by the ISP for the authentication. So, if a new network card is used or the ZyWALL is attached to the cable modem directly, the ISP will reject the DHCP discovery from this MAC, thus no IP is assigned by the ISP.

The ZyWALL can clone the MAC of the first PC the ISP installed and use it as its WAN MAC. To clone the MAC from the PC, you need to enter that PC's IP in menu 2. Once the MAC is received by the ZyWALL, the WAN MAC in menu 24.1 will be updated and used for the ISP's authentication.


Menu 2 - WAN Setup

Link Mode= Half Duplex

MAC Address:
Assigned By= IP address attached on LAN
IP Address= 192.168.1.33

 

Key settings:

2. Your ISP checks the 'Host Name'

Some ISPs take advantage of the 'host name' message in a DHCP packet such as @home to do the authentication. When first installing, the ISP's tech people configure the host name as the 'Computer Name' of the PC in the 'Networking' settings. When the ZyWALL is attached to the cable modem to connect to the ISP, we should configure this host name in the ZyWALL's system (menu 1).

 

Menu 1 - General Setup

System Name= zyxel

Key Setting:

3. Your ISP checks 'User ID'

This authentication type is used by the RoadRunner ISP, which currently uses RR-TAS (Toshiba Authentication Service) and RR-Manager authentication. You must configure the correct 'Service Type', username and password for your ISP in menu 4.

 

Menu 4 - Internet Access Setup

ISP's Name= ChangeMe
Service Type= RR-Toshiba Authentication Service
Server IP= 0.0.0.0
My Login=
My Password= ********

IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
RIP Direction= None
Version= N/A
Single User Account= Yes
Edit Filter Set= No


Press ENTER to Confirm or ESC to Cancel:

Key settings:

How do I make VPN client x work through my ZyWALL?

The only VPN known for certain to work through the ZyWALL is Microsoft PPTP.

What is Multi-NAT?

NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such a case, all incoming connections to your network will be filtered out by the ZyWALL, thus preventing intruders from probing your network.

The SUA feature that the ZyWALL previously supported operates by mapping the private IP addresses to a global IP address. It is only one subset of NAT. The ZyWALL with ZyNOS V3.00 supports most of the features of NAT based on RFC 1631, and we call this feature 'Multi-NAT'. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).

When do I need Multi-NAT?

When NAT is enabled the local computers are not accessible from outside. You can use Multi-NAT to make an internal server accessible from outside.

Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.

What IP/Port mapping does Multi-NAT support?

NAT supports five types of IP/port mapping. They are: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA).

  1. One to One

In One-to-One mode, the ZyWALL maps one ILA to one IGA.

  2. Many to One

In Many-to-One mode, the ZyWALL maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).

  3. Many to Many Overload

In Many-to-Many Overload mode, the ZyWALL maps the multiple ILA to shared IGA.

  4. Many to Many No Overload

In Many-to-Many No Overload mode, the ZyWALL maps each ILA to unique IGA.

  5. Server

In Server mode, the ZyWALL maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note, if you want to map each server to one unique IGA please use the One-to-One mode.

The following table summarizes these types. 

NAT Type                    IP Mapping
--------------------------  --------------------
One-to-One                  ILA1<--->IGA1

Many-to-One (SUA/PAT)       ILA1<--->IGA1
                            ILA2<--->IGA1
                            ...

Many-to-Many Overload       ILA1<--->IGA1
                            ILA2<--->IGA2
                            ILA3<--->IGA1
                            ILA4<--->IGA2
                            ...

Many-to-Many No Overload    ILA1<--->IGA1
                            ILA2<--->IGA2
                            ILA3<--->IGA3
                            ILA4<--->IGA4
                            ...

Server                      Server 1 IP<--->IGA1
                            Server 2 IP<--->IGA1
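
The five mapping types above, modelled as an added Python example (not ZyNOS code or ZyXEL's implementation). The addresses are constructed, and the starting port, the round-robin pool order and leaving the source port unchanged for exclusive mappings are assumptions of this model.

```python
# Added illustration: a toy model of the five Multi-NAT mapping types.
# Addresses are constructed for the example; FIRST_PORT and the order in
# which pool addresses are handed out are assumptions, not ZyNOS behaviour.

EXCLUSIVE = ("one-to-one", "many-to-many-no-overload")   # one ILA per IGA
SHARED = ("many-to-one", "many-to-many-overload")        # several ILAs per IGA
FIRST_PORT = 10000


class NatRule:
    def __init__(self, kind, igas, servers=None):
        if kind not in EXCLUSIVE + SHARED + ("server",):
            raise ValueError(f"unknown mapping type: {kind}")
        if kind in ("one-to-one", "many-to-one", "server") and len(igas) != 1:
            raise ValueError(f"{kind} takes exactly one IGA")
        self.kind = kind
        self.igas = list(igas)
        self.servers = dict(servers or {})   # Server type: service port -> inside IP
        self.bindings = {}                   # ILA -> IGA, stable once assigned
        self.sessions = {}                   # (ILA, source port) -> (IGA, new port)
        self.next_port = {iga: FIRST_PORT for iga in self.igas}

    def _bind(self, ila):
        """Choose the IGA for an inside host, or None when none is available."""
        if ila in self.bindings:
            return self.bindings[ila]
        if self.kind in EXCLUSIVE:
            free = [g for g in self.igas if g not in self.bindings.values()]
            if not free:
                return None                  # every IGA is owned by another ILA
            iga = free[0]
        elif self.kind in SHARED:
            # Round-robin over the pool; with a single IGA this is SUA/PAT.
            iga = self.igas[len(self.bindings) % len(self.igas)]
        else:
            return None                      # Server rules only handle inbound
        self.bindings[ila] = iga
        return iga

    def outbound(self, ila, sport):
        """Return the (IGA, source port) seen outside, or None if refused."""
        iga = self._bind(ila)
        if iga is None:
            return None
        if self.kind in EXCLUSIVE:
            return (iga, sport)              # address-only translation
        key = (ila, sport)
        if key not in self.sessions:         # shared IGA: ports keep flows apart
            self.sessions[key] = (iga, self.next_port[iga])
            self.next_port[iga] += 1
        return self.sessions[key]

    def inbound(self, iga, dport):
        """Server type: map a connection to IGA:dport onto an inside server."""
        if self.kind != "server" or iga not in self.igas:
            return None
        return self.servers.get(dport)


def mapping_table(kind, igas, ilas):
    """Reproduce one row group of the summary table as {ILA: IGA or None}."""
    rule = NatRule(kind, igas)
    table = {}
    for ila in ilas:
        result = rule.outbound(ila, 5000)
        table[ila] = result[0] if result else None
    return table
```
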

What is the difference between SUA and Multi-NAT?

SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server. The ZyWALL now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions that supported SUA, 'visible' servers had to be of different types. The ZyWALL supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The ZyWALL supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.

What is BOOTP/DHCP?

BOOTP stands for Bootstrap Protocol. DHCP stands for Dynamic Host Configuration Protocol. Both are mechanisms to dynamically assign an IP address for a TCP/IP client by the server. In this case, the ZyWALL Internet Access Sharing Router is a BOOTP/DHCP server. Win95 and WinNT clients use DHCP to request an internal IP address, while WFW and WinSock clients use BOOTP. TCP/IP clients may specify their own IP or utilize BOOTP/DHCP to request an IP address.


What is DDNS?

The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessed from various locations on the Internet. To use the service, you must first apply for an account from one of several free Web servers such as WWW.DYNDNS.ORG.

Without DDNS, we always tell the users to use the WAN IP of the 312 to reach our internal server. This is inconvenient for the users if the IP is dynamic. With DDNS supported by the ZyWALL, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. Outside users can then always access the web server using www.zyxel.com.tw regardless of the WAN IP of the 312.

When the ISP assigns the ZyWALL a new IP, the ZyWALL updates this IP to DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable.

When do I need DDNS service?

You can use the DDNS service when you want your internal server to be accessed by DNS name rather than by its dynamic IP address. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the ZyWALL sends this IP to the DDNS server so it can update its records.

What DDNS servers does the ZyWALL support?

The DDNS server the ZyWALL currently supports is WWW.DYNDNS.ORG, which is where you apply for the DNS name and where the WAN IP is updated.

What is DDNS wildcard?

Some DDNS servers support the wildcard feature which allows the hostname, *.yourhost.dyndns.org, to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use things such as www.yourhost.dyndns.org and still reach your hostname.

Does the ZyWALL support DDNS wildcard?

Yes, the ZyWALL supports the DDNS wildcard feature that WWW.DynDNS.ORG supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1.

Can the ZyWALL SUA handle IPsec packets sent by the IPsec gateway?

Yes, the ZyWALL's SUA can handle IPsec ESP Tunneling mode. When packets go through SUA, SUA changes the source IP address and source port for the host. To pass IPsec packets, SUA must understand the ESP packet with protocol number 50 and replace the source IP address of the IPsec gateway with the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key management. Because the remote gateway checks this source port during connections, the port must not be changed.

How do I setup my ZyWALL for routing IPsec packets over SUA?

For outgoing IPsec tunnels, no extra setting is required. For forwarding the inbound IPsec ESP tunnel, a 'Default' server set in menu 15 is required. This is because SUA makes your LAN appear as a single machine to the outside world, so LAN users are invisible to outside users. To make an internal server available for outside access, we must specify the service port and the LAN IP of this server in Menu 15. SUA is then able to forward the incoming packets to the requested service behind SUA, and the outside users access the server using the ZyWALL's WAN IP address. So, we have to configure the internal IPsec gateway as a default server (unspecified service port) in menu 15 when it acts as a server gateway.
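
The SUA handling of IPsec described in the two answers above, as an added Python model (not ZyNOS code): ESP gets address-only translation, key-management UDP keeps its source port, and unsolicited inbound traffic reaches a LAN host only through a configured server or the default server. Addresses are constructed; the translated-port numbering, UDP port 500 as the key-management port and learning the remote peer from outbound traffic are not from the page.

```python
# Added illustration of SUA's per-protocol handling; not ZyNOS code.
# All addresses are constructed; FIRST_PORT and peer learning are assumptions.

ESP, TCP, UDP = 50, 6, 17      # IP protocol numbers
IKE_PORT = 500                 # UDP port used for IPsec key management (IKE)
FIRST_PORT = 10000


class Sua:
    def __init__(self, wan_ip, servers=None, default_server=None):
        self.wan_ip = wan_ip
        self.servers = dict(servers or {})     # menu 15 style: port -> LAN IP
        self.default_server = default_server   # receives anything unmatched
        self.ports = {}                        # (proto, LAN IP, sport) -> WAN port
        self.reverse = {}                      # (proto, WAN port) -> (LAN IP, sport)
        self.esp_peers = {}                    # remote gateway -> LAN IPsec gateway
        self.next_port = FIRST_PORT

    def outbound(self, proto, src, sport, dst, dport):
        """Return the (source IP, source port) the packet leaves the WAN with."""
        if proto == ESP:
            # ESP has no ports: only the source address is rewritten.
            self.esp_peers[dst] = src
            return (self.wan_ip, None)
        if proto == UDP and sport == IKE_PORT and dport == IKE_PORT:
            # The remote gateway checks this source port, so it is preserved.
            self.esp_peers[dst] = src
            self.reverse[(UDP, IKE_PORT)] = (src, IKE_PORT)
            return (self.wan_ip, IKE_PORT)
        key = (proto, src, sport)
        if key not in self.ports:              # ordinary flow: rewrite IP and port
            self.ports[key] = self.next_port
            self.reverse[(proto, self.next_port)] = (src, sport)
            self.next_port += 1
        return (self.wan_ip, self.ports[key])

    def inbound(self, proto, src, dport=None):
        """Return the LAN (IP, port) an arriving packet is delivered to, or None."""
        if proto == ESP:
            if src in self.esp_peers:          # tunnel that was opened from the LAN
                return (self.esp_peers[src], None)
            return (self.default_server, None) if self.default_server else None
        if (proto, dport) in self.reverse:     # reply to an outbound flow
            return self.reverse[(proto, dport)]
        if dport in self.servers:              # configured service port
            return (self.servers[dport], dport)
        if self.default_server:                # unspecified service port
            return (self.default_server, dport)
        return None                            # no mapping: packet is dropped
```
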

What is the default antenna type and gain on wireless in new ZyWALL series?

Wireless in the new ZyWALL series is equipped with an internal patch antenna in its wireless module.

How can I access internal server via public IP address assigned on WAN?

You should be able to access your internal server via its internal IP address when SUA is on. To access your internal server via the public IP address assigned on WAN, you can enter the CI command "ip nat loopback on" in SMT Menu 24.8. To make the configuration permanent, you need to add this command to the system boot file (autoexec.net). You can refer to the Product Support Note section on www.zyxel.com for configuration details.

What is the RF power output of wireless in ZyWALL?

The output of wireless in ZyWALL is 19dBm or 79mW from the RF module.

What wireless security mechanisms are supported by ZyWALL?

Wireless in ZyWALL supports the security mechanisms below.

  1. MAC address filtering.
  2. 64bit/128bit WEP (Wired Equivalent Privacy).
  3. 802.1x authentication support.

What is the Open System and Shared Key Authentication?

Open System:
The default authentication service that simply announces the desire to associate with another station or access point. A station can authenticate with any other station or access point using open system authentication if the receiving station designates open system authentication.
Shared Key:
The optional authentication that involves a more rigorous exchange of frames, ensuring that the requesting station is authentic. For a station to use shared key authentication, it must implement WEP.

What Authentication Type does ZyWALL support?

Wireless in ZyWALL supports null authentication when WEP is disabled, as specified by the IEEE 802.11b standard. When WEP is enabled, it uses shared key authentication and data are encrypted at the same time.

I have a problem associating with the ZyWALL using a Symbol wireless PCMCIA card when WEP is enabled. Why?

This is because wireless in the ZyWALL authenticates using shared key authentication when WEP is enabled, and the Symbol PCMCIA client does not support shared key authentication. You can make it work by typing the CI command "wlan authen 3" in SMT Menu 24.8. To make the configuration permanent, you need to add this command to the system boot file (autoexec.net). You can refer to the Product Support Note section on www.zyxel.com for configuration details.

What are the 802.1x authentication types, and which authentication type does the ZyWALL's embedded 802.1x server support?

802.1x specifies the following authentication types, and the ZyWALL's embedded 802.1x server only supports MD5/CHAP authentication.

  1. MD5/CHAP
  2. One time password
  3. Generic Token Card
  4. TLS

Why can't I use video conferencing with MSN 4.6?

This is because MSN 4.6 requires UPnP (Universal Plug and Play) support. To be able to use MSN through the ZyWALL, you have to enable the UPnP feature under Advanced -> UPNP: check the enable UPnP check box and press the "Apply" button to make it active.


All contents copyright © 2003 ZyXEL Communications Corporation.