ZyXEL Router Prestige 334 User Manual
Prestige 334 User’s Guide
Chapter 25 Network Address Translation (NAT)

Figure 128 Example 3: Menu 15.2

    Menu 15.2 - NAT Server Setup

    Rule   Start Port No.   End Port No.   IP Address
    ---------------------------------------------------
     1.    Default          Default        0.0.0.0
     2.    80               80             192.168.1.21
     3.    25               25             192.168.1.20
     4.    0                0              0.0.0.0
     5.    0                0              0.0.0.0
     6.    0                0              0.0.0.0
     7.    0                0              0.0.0.0
     8.    0                0              0.0.0.0
     9.    0                0              0.0.0.0
    10.    0                0              0.0.0.0
    11.    0                0              0.0.0.0
    12.    0                0              0.0.0.0

    Press ENTER to Confirm or ESC to Cancel:

    HTTP:80  FTP:21  Telnet:23  SMTP:25  POP3:110  PPTP:1723

25.5.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping, as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types. The following figure illustrates this.
Figure 129 NAT Example 4

Note: Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload mapping types.

Follow the steps outlined in example 3 to configure these two menus as follows.

Figure 130 Example 4: Menu 15.1.1.1 Address Mapping Rule

    Menu 15.1.1.1 Address Mapping Rule

    Type= Many-One-to-One

    Local IP:
      Start= 192.168.1.10
      End  = 192.168.1.12

    Global IP:
      Start= 10.132.50.1
      End  = 10.132.50.3

    Press ENTER to Confirm or ESC to Cancel:

After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
Figure 131 Example 4: Menu 15.1.1 Address Mapping Rules

    Menu 15.1.1 - Address Mapping Rules

    Set Name= Example4

    Idx  Local Start IP  Local End IP    Global Start IP  Global End IP    Type
    ---  --------------  --------------  ---------------  ---------------  ------
     1.  192.168.1.10    192.168.1.12    10.132.50.1      10.132.50.3      M:M NO OV
     2.
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.

    Action= Edit        Select Rule=

    Press ENTER to Confirm or ESC to Cancel:

25.6 Configuring Trigger Port Forwarding

Note: Only one LAN computer can use a trigger port (range) at a time.

Enter 3 in menu 15 to display Menu 15.3 - Trigger Port Setup, shown next.
Figure 132 Menu 15.3 Trigger Port Setup

    Menu 15.3 - Trigger Port Setup

                            Incoming                Trigger
    Rule  Name              Start Port  End Port    Start Port  End Port
    ----------------------------------------------------------------------
     1.   Real Audio        6970        7170        7070        7070
     2.                     0           0           0           0
     3.                     0           0           0           0
     4.                     0           0           0           0
     5.                     0           0           0           0
     6.                     0           0           0           0
     7.                     0           0           0           0
     8.                     0           0           0           0
     9.                     0           0           0           0
    10.                     0           0           0           0
    11.                     0           0           0           0
    12.                     0           0           0           0

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 84 Menu 15.3 Trigger Port Setup

FIELD          DESCRIPTION
Rule           This is the rule index number.
Name           Enter a unique name for identification purposes. You may enter
               up to 15 characters in this field. All characters are
               permitted - including spaces.
Incoming       Incoming is a port (or a range of ports) that a server on the
               WAN uses when it sends out a particular service. The Prestige
               forwards the traffic with this port (or range of ports) to the
               client computer on the LAN that requested the service.
  Start Port   Enter a port number or the starting port number in a range of
               port numbers.
  End Port     Enter a port number or the ending port number in a range of
               port numbers.
Trigger        The trigger port is a port (or a range of ports) that causes
               (or triggers) the Prestige to record the IP address of the LAN
               computer that sent the traffic to a server on the WAN.
  Start Port   Enter a port number or the starting port number in a range of
               port numbers.
  End Port     Enter a port number or the ending port number in a range of
               port numbers.

Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
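The trigger and incoming fields described in Table 84 can be modeled as a small state table. The following is an added example, not ZyXEL firmware code: the class and method names and the LAN addresses are constructed, and the release() step is an assumption, since this page does not say when the recorded address is cleared.

```python
# Added illustration of trigger port forwarding (Table 84); not ZyXEL code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class TriggerRule:
    name: str
    incoming: range               # ports the WAN server sends the service on
    trigger: range                # outbound ports that arm the rule
    owner: Optional[str] = None   # LAN IP recorded when the rule is triggered

class TriggerPortTable:
    def __init__(self, rules):
        self.rules = list(rules)

    def outbound(self, lan_ip, dst_port):
        """LAN host sends to the WAN. True if it now holds the rule, False if
        another host already holds it, None if dst_port is not a trigger port."""
        for rule in self.rules:
            if dst_port in rule.trigger:
                if rule.owner is None:
                    rule.owner = lan_ip   # record the requesting LAN computer
                return rule.owner == lan_ip
        return None

    def inbound(self, dst_port):
        """LAN IP that WAN traffic to dst_port is forwarded to, else None."""
        for rule in self.rules:
            if dst_port in rule.incoming and rule.owner is not None:
                return rule.owner
        return None

    def release(self, lan_ip):
        """Assumed step: clear the recorded address when the session ends."""
        for rule in self.rules:
            if rule.owner == lan_ip:
                rule.owner = None

def demo():
    # Rule 1 from Menu 15.3: incoming 6970-7170, trigger 7070.
    table = TriggerPortTable(
        [TriggerRule("Real Audio", range(6970, 7171), range(7070, 7071))])
    steps = [table.inbound(6970)]                      # nothing triggered yet
    steps.append(table.outbound("192.168.1.10", 7070))  # first host arms rule
    steps.append(table.inbound(7000))                  # forwarded to that host
    steps.append(table.outbound("192.168.1.11", 7070))  # second host refused
    steps.append(table.inbound(7170))                  # still the first host
    table.release("192.168.1.10")
    steps.append(table.inbound(7000))                  # closed again
    return steps
```

The incoming range is forwarded only while a LAN address is recorded, which is why a second computer cannot use the same range until the first one is done.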
CHAPTER 26 Enabling the Firewall

This chapter shows you how to get started with the Prestige firewall.

26.1 Remote Management and the Firewall

When SMT menu 24.11 is configured to allow management (see the Remote Management chapter) and the firewall is enabled:

• The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
• The firewall allows remote management from the LAN.

26.2 Access Methods

The web configurator is, by far, the most comprehensive firewall configuration tool your Prestige has to offer. For this reason, it is recommended that you configure your firewall using the web configurator; see the following chapters for instructions. SMT screens allow you to activate the firewall and view firewall logs.

26.3 Enabling the Firewall

From the main menu enter 21 to go to Menu 21 - Filter and Firewall Setup to display the screen shown next.

Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Additional rules may be configured using the web configurator.
Figure 133 Menu 21.2 Firewall Setup

    Menu 21.2 - Firewall Setup

    The firewall protects against Denial of Service (DoS) attacks when
    it is active. Your network is vulnerable to attacks when the
    firewall is turned off.

    Refer to the Users Guide for details about the firewall default
    policies.

    You may define additional Policy rules or modify existing ones but
    please exercise extreme caution in doing so.

    Active: No

    You can use the Web Configurator to configure the firewall.

    Press ENTER to Confirm or ESC to Cancel:

Note: Use the web configurator or the command interpreter to configure the firewall rules.
CHAPTER 27 Filter Configuration

This chapter shows you how to create and apply filters.

27.1 Introduction to Filters

Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.

Data filtering screens the data to determine if the packet should be allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the LAN side. Call filtering is used to determine if a packet should be allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data filtering before they encounter call filtering as shown in the following figure.

Figure 134 Outgoing Packet Filtering Process

For incoming packets, your Prestige applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
27.1.1 The Filter Structure of the Prestige

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnet sessions. A summary of their filter rules is shown in the figures that follow.

The following figure illustrates the logic flow when executing a filter rule. See also Figure 139 for the logic flow when executing an IP filter.
Figure 135 Filter Rule Process

27.2 Configuring a Filter Set

The Prestige includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.
Figure 136 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup

    1. Filter Setup
    2. Firewall Setup

    Enter Menu Selection Number:

2 Enter 1 to bring up the following menu.

Figure 137 Menu 21.1: Filter Set Configuration

    Menu 21.1 - Filter Set Configuration

    Filter                        Filter
    Set #     Comments            Set #     Comments
    ------  -----------------     ------  -----------------
      1     _______________         7     _______________
      2     _______________         8     _______________
      3     _______________         9     _______________
      4     _______________        10     _______________
      5     _______________        11     _______________
      6     _______________        12     _______________

    Enter Filter Set Number to Configure= 0
    Edit Comments= N/A

    Press ENTER to Confirm or ESC to Cancel:

3 Select the filter set you wish to configure (1-12) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.

This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.

Table 85 Abbreviations Used in the Filter Rules Summary Menu

FIELD          DESCRIPTION
#              The filter rule number: 1 to 6.
A              Active: “Y” means the rule is active. “N” means the rule is
               inactive.
Type           The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
Filter Rules   These parameters are displayed here.
M              More. “Y” means there are more rules to check which form a
               rule chain with the present rule. An action cannot be taken
               until the rule chain is complete. “N” means there are no more
               rules to check. You can specify an action to be taken i.e.,
               forward the packet, drop the packet or check the next rule.
               For the latter, the next rule is independent of the rule just
               checked.
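The limits in section 27.1.1 and the M (More) flag in Table 85 lend themselves to an offline check of a planned filter layout before it is typed into the SMT menus. This is an added example, not ZyXEL code: the dictionary layout, function names and sample configuration are constructed, and flagging a set that ends on M="Y" is an added check based on the statement that no action can be taken until a chain is complete.

```python
# Added illustration, not ZyXEL code. Limits come from section 27.1.1; the
# field names (#, Type, M) come from Table 85. The sample data is constructed.
MAX_SETS, MAX_RULES_PER_SET, MAX_SETS_PER_PORT = 12, 6, 4

def rule_chains(rules):
    """Split a set's rules into chains; M='Y' links a rule to the next one.

    Returns (complete_chains, dangling). dangling lists the rule numbers of a
    trailing chain whose last rule still has M='Y', so it never completes.
    """
    complete, current = [], []
    for rule in rules:
        current.append(rule["#"])
        if rule["M"] == "N":
            complete.append(current)
            current = []
    return complete, current

def audit(filter_sets, port_bindings):
    """Return findings as strings; an empty list means every limit is met."""
    findings = []
    if len(filter_sets) > MAX_SETS:
        findings.append(f"{len(filter_sets)} filter sets, limit is {MAX_SETS}")
    for num, rules in sorted(filter_sets.items()):
        if len(rules) > MAX_RULES_PER_SET:
            findings.append(
                f"set {num}: {len(rules)} rules, limit is {MAX_RULES_PER_SET}")
        # Assumption: GEN rules are the device filters, IP rules the protocol
        # filters, so one set must not contain both types.
        types = sorted({rule["Type"] for rule in rules})
        if len(types) > 1:
            findings.append(f"set {num}: mixes rule types {types}")
        _, dangling = rule_chains(rules)
        if dangling:
            findings.append(f"set {num}: chain {dangling} never completes")
    for port, sets in sorted(port_bindings.items()):
        if len(sets) > MAX_SETS_PER_PORT:
            findings.append(
                f"port {port}: {len(sets)} sets, limit is {MAX_SETS_PER_PORT}")
    return findings

# Constructed sample: set 1 is well formed; set 2 mixes types, ends on M='Y'.
SAMPLE_SETS = {
    1: [{"#": 1, "Type": "IP", "M": "Y"}, {"#": 2, "Type": "IP", "M": "N"},
        {"#": 3, "Type": "IP", "M": "N"}],
    2: [{"#": 1, "Type": "GEN", "M": "N"}, {"#": 2, "Type": "IP", "M": "Y"}],
}
SAMPLE_PORTS = {"LAN": [1], "WAN": [1, 2]}
```

Calling audit(SAMPLE_SETS, SAMPLE_PORTS) reports both problems in set 2 and nothing for set 1 or the port bindings.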