ZyXEL Router Prestige 334 User Manual
Have a look at the manual ZyXEL Router Prestige 334 User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 3 ZyXEL manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Prestige 334 User’s Guide Chapter 6 WAN Screens80 Network Address TranslationNetwork Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to- Many Overload, Many- One-to-One and Server. When you select Full Feature you must configure at least one address mapping set! For more information about NAT refer to the NAT chapter in this Users Guide. Metric (PPPoE and PPTP only)This field sets this routes priority among the routes the Prestige uses. The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be between 1 and 15; a number greater than 15 means the link is down. The smaller the number, the lower the cost. Private (PPPoE and PPTP only)This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts. RIP DirectionRIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the Prestige will broadcast its routing table periodically. When set to Both or In Only, the Prestige will incorporate RIP information that it receives. When set to None, the Prestige will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both. RIP VersionThe RIP Version field controls the format and the broadcasting method of the RIP packets that the Prestige sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, the RIP Version field is set to RIP-1. Table 19 WAN: IP LABELDESCRIPTION
Prestige 334 User’s Guide 81Chapter 6 WAN Screens 6.6 Configuring WAN MAC To change your Prestige’s WAN MAC settings, click WA N, then the WAN MAC tab. The screen appears as shown. Figure 23 MAC Setup The MAC address screen allows users to configure the WAN ports MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC Address. MulticastChoose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN. Allow between WAN and LANSelect this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN. Allow Trigger DialSelect this option to allow NetBIOS packets to initiate calls. ApplyClick Apply to save your changes back to the Prestige. ResetClick Reset to begin configuring this screen afresh. Table 19 WAN: IP LABELDESCRIPTION
Prestige 334 User’s Guide Chapter 6 WAN Screens82 Otherwise, click Spoof this computers MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file. It is recommended that you clone the MAC address prior to hooking up the WAN Port. 6.7 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the Prestige still provides firewall protection. Figure 24 Traffic Redirect WAN Setup The following network topology allows you to avoid triangle route security issues (see the Appendices) when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/Prestige firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).
Prestige 334 User’s Guide 83Chapter 6 WAN Screens Figure 25 Traffic Redirect LAN Setup 6.8 Configuring Traffic Redirect To change your Prestige’s Traffic Redirect settings, click WA N, then the Traffic Redirect tab. The screen appears as shown. Figure 26 WAN: Traffic Redirect The following table describes the labels in this screen. Table 20 Traffic Redirect LABELDESCRIPTION ActiveSelect this check box to have the Prestige use traffic redirect if the normal WAN connection goes down. Backup Gateway IP AddressType the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestiges Internet connection terminates.
Prestige 334 User’s Guide Chapter 6 WAN Screens84 MetricThis field sets this routes priority among the routes the Prestige uses. The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be between 1 and 15; a number greater than 15 means the link is down. The smaller the number, the lower the cost. Check WAN IP AddressConfiguration of this field is optional. If you do not enter an IP address here, the Prestige will use the default gateway IP address. Configure this field to test your Prestiges WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISPs DNS server address). If you are using PPTP or PPPoE Encapsulation, type 0.0.0.0 to configure the Prestige to check the PVC (Permanent Virtual Circuit) or PPTP tunnel. Fail ToleranceType the number of times your Prestige may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway. Period (seconds)Type the number of seconds for the Prestige to wait between checks to see if it can connect to the WAN IP address (Check WAN IP Address field) or default gateway. Allow more time if your destination IP address handles lots of traffic. Timeout (seconds)Type the number of seconds for your Prestige to wait for a ping response from the IP Address in the Check WAN IP Address field before it times out. The WAN connection is considered down after the Prestige times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested. ApplyClick Apply to save your changes back to the Prestige. ResetClick Reset to begin configuring this screen afresh. Table 20 Traffic Redirect LABELDESCRIPTION
Prestige 334 User’s Guide Chapter 7 Network Address Translation (NAT) Screens 86 CHAPTER7 Network Address Translation (NAT) Screens This chapter discusses how to configure NAT on the Prestige. 7.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. 7.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the Prestige. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts. Global/local denotes the IP address of a host in a packet as the packet traverses a router. For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information. Table 21 NAT Definitions TE R MDESCRIPTION InsideThis refers to the host on the LAN. OutsideThis refers to the host on the WAN. LocalThis refers to the packet address (source or destination) as the packet travels on the LAN. GlobalThis refers to the packet address (source or destination) as the packet travels on the WAN.
Prestige 334 User’s Guide 87 Chapter 7 Network Address Translation (NAT) Screens 7.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example a web server and a telnet server) on your local network and make them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your Prestige filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). 7.1.3 How NAT Works Each packet has two addresses – a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Prestige keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this. Note: NAT never changes the IP address (either local or global) of an outside host.
Prestige 334 User’s Guide Chapter 7 Network Address Translation (NAT) Screens 88 Figure 27 How NAT Works 7.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
Prestige 334 User’s Guide 89 Chapter 7 Network Address Translation (NAT) Screens Figure 28 NAT Application With IP Alias 7.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: •One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address. •Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA Only option). •Many-to-Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple local IP addresses to shared global IP addresses. •Many One-to-One: In Many-One-to-One mode, the Prestige maps each local IP address to a unique global IP address. •Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Note: Port numbers do not change for One-to-One and Many One-to-One NAT mapping types.