Zyxel USG1100 User Manual

Displayed below is the user manual for USG1100 by Zyxel which is a product in the Hardware Firewalls category. This manual has pages.

Related Manuals

Zyxel P-871M Manual

Zyxel GS-105B Manual

Zyxel 793H Manual

Zyxel USG-20 Manual

Zyxel ES1100-8P Manual

Zyxel XGS4700-48F Manual

Zyxel NWA3550-N Manual

Quick Start Guide

www.zyxel.com

ZyWALL 110/310/1100 Series

VPN Firewall

Ve rsion 3.10

Edition 4, 01/2014

User’s Guide

Default Login Details

LAN Port IP Address https://192.168.1.1

User Name admin

Password 1234

ZyWALL 110/310/1100 Series User’s Guide2

IMPORTANT!

READ CAREFULLY BEFORE USE.

KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a User’s Guide for a series of products. Not all products support all firmware features.

Screenshots and graphics in this book may differ slightly from your product due to differences in

your product firmware or your computer operating system. Every effort has been made to ensure

that the information in this manual is accurate.

Screen Identification Syntax Convention

The > symbol is used to identify a mouse click in a path to access a screen in the web configurator.

For example, Configuration > Network > Interface > Ethernet means first you click the

Configuration icon in the navigation panel, then click the Network menu item, then the

Interface submenu and finally the Ethernet tab in order to access the Ethernet interface screen.

Related Documentation

•Quick Start Guide

The Quick Start Guide shows how to connect the ZyWALL and access the Web Configurator

wizards. (See the wizard real time help for information on configuring each screen.) It also

contains a connection diagram and package contents list.

• CLI Reference Guide

The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the

ZyWALL.

Note: It is recommended you use the Web Configurator to configure the ZyWALL.

• Web Configurator Online Help

Click the help icon in any screen for help in configuring that screen and supplementary

information.

ZyWALL 110/310/1100 Series User’s Guide 3

Part I: User’s Guide .........................................................................................16

Chapter 1

Introduction.........................................................................................................................................18

1.1 Overview ................ ... ................ ... .... ... ................ ... ... .... ................ ... ... ... .... .......................................18

1.2 Management Overview ................ .... ... ... ... ... .... ................ ... ... .... ... ... ... ... ................. ... ... ... .................20

1.3 Web Configurator ................ ... ................ ... ... ................. ... ... ... ................ .... ... ....................................21

1.3.1 Web Configurator Access ........................................................................................................21

1.3.2 Web Configurator Screens Overview ......................................................................................22

1.3.3 Navigation Panel ................ .... ... ... ... ... .... .................................................................................26

1.3.4 Tables and Lists .................. .... ... ... ... ... .... ................ ... ... ................ .... ... ... ................ .................29

Chapter 2

Installation Setup Wizard...................................................................................................................33

2.1 Installation Setup Wizard Screens ...................................................................................................33

2.1.1 Internet Access Setup - WAN Interface ..................................................................................33

2.1.2 Internet Access: Ethernet ............... ... .....................................................................................34

2.1.3 Internet Access: PPPoE ......... ... ... ... ... .... ................ ... ... .... ... ... ................ ... .... ... ... ....................34

2.1.4 Internet Access: PPTP ...... .... ................ ... ... ... .... ... ................ ... ... .... ... ... ................ ... .... ..........35

2.1.5 ISP Parameters ............ ... ... .... ... ... ................ ... .... ... ................ ... ... ................. ... ... ... .................35

2.1.6 Internet Access - Finish ..........................................................................................................36

Chapter 3

Hardware Introduction .......................................................................................................................37

3.1 Default Zones, Interfaces, and Ports ................... ... ... .... ... ... ... .... ... ... ... ... ................. ... ... ... ... ..............37

3.2 Stopping the ZyWALL .......................................................................................................................38

3.3 Rack-mounting ................ .... ... ... ................ ... .... ... ... ... ................. ... ... ... ... .... ................ .......................38

3.4 Wall-mounting ........... ... ... .... ... ... ... ................ .... ... ... ................ .... ... ... ................ ... .... ..........................39

3.5 Front Panel LEDs ............ .... ... ... ... .... ................ ... ... ... .... ... ................ ... ... .... ... ... .................................39

3.5.1 Rear Panels ............... ... ... ................ ... .... ................ ... ... .... ................ ... ... ... .............. ................41

Chapter 4

Quick Setup Wizards..........................................................................................................................42

4.1 Quick Setup Overview .. ................ .... ... ... ... ... ................. ... ... ... .... ... ................ ... ... .... ... ... ....................42

4.2 WAN Interface Quick Setup ..............................................................................................................42

4.2.1 Choose an Ethernet Interface .... ................ ... ... .... ... ... ... .... ... ... ... ... ................. ... ... ... ... .... ... .......43

4.2.2 Select WAN Type ....... ... ... ... .... ... ... ... ................ .... ... ................ ... ... .... ................ ... ... ... ..............43

4.2.3 Configure WAN Settings ..........................................................................................................44

4.2.4 WAN and ISP Connection Settings .........................................................................................44

4.2.5 Quick Setup Interface Wizard: Summary ..... ...........................................................................46

4.3 VPN Setup Wizard ............................................................................................................................47

4.3.1 Welcome ................ ................. ... ... ... ................ .... ... ... ................ ... .... ................ ... ....................47

4.3.2 VPN Setup Wizard: Wizard Type .............................................................................................48

ZyWALL 110/310/1100 Series User’s Guide4

4.3.3 VPN Express Wizard - Scenario .............................................................................................49

4.3.4 VPN Express Wizard - Configuration .... ... ................ ... .... ... ................ ... ... .... ................ ... ... ... .50

4.3.5 VPN Express Wizard - Summary ................ ................ .... ... ................ ... ... ................ .... ... .......50

4.3.6 VPN Express Wizard - Finish .................................................................................................51

4.3.7 VPN Advanced Wizard - Scenario .........................................................................................52

4.3.8 VPN Advanced Wizard - Phase 1 Settings .............................................................................53

4.3.9 VPN Advanced Wizard - Phase 2 ...........................................................................................55

4.3.10 VPN Advanced Wizard - Summary ......................................................................................56

4.3.11 VPN Advanced Wizard - Finish .................. ... .... ................ ... ... ... .... ... ... ... .... ................ ... ... ....56

4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type .... ... .... ... ... ... ................ .... ... ... ... .57

4.4.1 Configuration Provisioning Express Wizard - VPN Settings ...................................................58

4.4.2 Configuration Provisioning VPN Express Wizard - Configuration ..........................................59

4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary .............................60

4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish ...................................61

4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario ...........................62

4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings ..............63

4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 ............................64

4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary ..........................65

4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard- Finish .................................65

Chapter 5

Dashboard...........................................................................................................................................67

5.1 Overview ................ ... ................ ... .... ... ................ ... ... .... ................ ... ... ... .... .......................................67

5.1.1 What You Can Do in this Chapter ............................................................................................67

5.2 The Dashboard Screen .....................................................................................................................67

5.2.1 The CPU Usage Screen ..........................................................................................................72

5.2.2 The Memory Usage Screen ...... ... ... ... .... ... ... ... .... ... ................ ... ... .... ... ... ... .... ................ ... .......73

5.2.3 The Active Sessions Screen ....................................................................................................73

5.2.4 The VPN Status Screen ............. ... ... ... .... ... ... ... .... ................ ... ... ... .... ... ................ ... ... .... ..........74

5.2.5 The DHCP Table Screen .........................................................................................................75

5.2.6 The Number of Login Users Screen .......................................................................................76

Part II: Technical Reference............................................................................77

Chapter 6

Monitor.................................................................................................................................................79

6.1 Overview ................ ... ................ ... .... ... ................ ... ... .... ................ ... ... ... .... .......................................79

6.1.1 What You Can Do in this Chapter ............................................................................................79

6.2 The Port Statistics Screen ................................................................................................................80

6.2.1 The Port Statistics Graph S creen .......... ... ... ................ .... ... ... ... ... .... ... ... ................ ... .... ... .......81

6.3 Interface Status Screen .....................................................................................................................82

ZyWALL 110/310/1100 Series User’s Guide 5

6.4 The Traffic Statistics Screen ..............................................................................................................86

6.5 The Session Monitor Screen . ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ................ ... ... ... .... ... ... ... ... ..............89

6.6 The DDNS Status Screen .................................................................................................................91

6.7 IP/MAC Binding Monitor ......... ... ... ................ .... ... ... ... .... ................ ... ... ... .... ... ................ ... .................91

6.8 The Login Users Screen ..................................................................................................................92

6.9 Cellular Status Screen .. ... ................. ... ... ... ................ .... ... ................ ... ... .... ................ ... . ...................93

6.9.1 More Information .......... ... ................ ... .... ... ... ... ................. ... ... ... ... .... ................ ... ... ... ..............95

6.10 USB Storage Screen .......................................................................................................................96

6.11 The IPSec Monitor Screen ..............................................................................................................97

6.11.1 Regular Expressions in Searching IPSec SAs .......................................................................98

6.12 The SSL Connection Monitor Screen ......... ....... ...... ....... ...... ....... ...... ....... ...... ... ....... ...... ....... ..........99

6.13 The L2TP over IPSec Session Monitor Screen ...............................................................................99

6.14 Log Screen ....................................................................................................................................100

Chapter 7

Interfaces...........................................................................................................................................103

7.1 Interface Overview ................. ... ... .... ... ... ... ... ................. ... ... ... .... ... ... ... ................ .... ... .....................103

7.1.1 What You Can Do in this Chapter ..........................................................................................103

7.1.2 What You Need to Know .. ... .... ... ................ ... ... .... ... ... ................ ... .... ... ... ... ................ .... ........103

7.1.3 What You Need to Do First ........... ... ... .... ... ... ... .... ... ... ... .... ... ................ ... ... .... ... ... ... ... ............108

7.2 Port Role Screen .............................................................................................................................108

7.3 Ethernet Summary Screen ........ ... .... ... ... ... ... .... ................ ... ... .... ... ... ... ... ................. ... ... ... ... ............109

7.3.1 Ethernet Edit ............. ... ... ................ ... .... ... ... ................ .... ... ... ................ ... .... ... .....................110

7.3.2 Object References ..... ... ... ... ................ .... ... ... ... ................. ... ... ... ................ .... ... ... ..................122

7.3.3 Add/Edit DHCPv6 Reques t/R elease Options ................... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .....123

7.3.4 Add/Edit DHCP Extended Options ............ ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..124

7.4 PPP Interfaces ................................................................................................................................125

7.4.1 PPP Interface Summary ..... ...................................................................................................126

7.4.2 PPP Interface Add or Edit .....................................................................................................127

7.5 Cellular Configuration Screen (3G) .. ... ... .........................................................................................132

7.5.1 Cellular Add/Edit Screen .......................................................................................................134

7.6 Tunnel Interfaces ......... ................ .... ... ... ... ................ .... ... ... ................ ... .... ... ..................................140

7.6.1 Configuring a Tunnel ................. ... ... ... .... ... ... ... .... ................ ... ... ... .... ... ................ ... ... ............142

7.6.2 Tunnel Add or Edit Screen .....................................................................................................143

7.7 VLAN Interfaces .............................................................................................................................147

7.7.1 VLAN Summary Screen ........................................................................................................148

7.7.2 VLAN Add/Edit ......................................................................................................................150

7.8 Bridge Interfaces ............................................................................................................................159

7.8.1 Bridge Summary .............. ... .... ... ... ................ ... .... ... ... ... ................ .... ... ... ... .... ........................160

7.8.2 Bridge Add/Edit .....................................................................................................................162

7.9 Virtual Interfaces ............................................................................................................................170

7.9.1 Virtual Interfaces Add/Edit ............... ... .... ... ... ................ .... ... ... ................ ... .... ... .....................171

7.10 Interface Technical Reference .......................................................................................................172

ZyWALL 110/310/1100 Series User’s Guide6

Chapter 8

Trunk..................................................................................................................................................176

8.1 Overview ................ ... ................ ... .... ... ................ ... ... .... ................ ... ... ... .... .....................................176

8.1.1 What You Can Do in this Chapter ..........................................................................................176

8.1.2 What You Need to Know .. ... .... ... ................ ... ... .... ... ... ................ ... .... ... ... ... ................ .... ........176

8.2 The Trunk Summary Screen ...........................................................................................................179

8.2.1 Configuring a User-Defined Trunk .......... ...............................................................................180

8.2.2 Configuring the Syst em Default Trunk ..................................................................................182

Chapter 9

Policy and Static Routes..................................................................................................................185

9.1 Policy and Static Routes Overview .................................................................................................185

9.1.1 What You Can Do in this Chapter ..........................................................................................185

9.1.2 What You Need to Know .... .... ... ... ... ................ .... ... ... ... ................ .... ... ... ... .... ................ ........186

9.2 Policy Route Screen ........................................................................................................................187

9.2.1 Policy Route Edit Screen .......................................................................................................189

9.3 IP Static Route Screen ....................................................................................................................193

9.3.1 Static Route Add/Edit Screen ................................................................................................194

9.4 Policy Routing Technical Reference ................. ... ... ... .... ................ ... ... ... .... ... ... ... .... ... ... ... ...............195

Chapter 10

Routing Protocols.............................................................................................................................197

10.1 Routing Protocols Overview ..........................................................................................................197

10.1.1 What You Can Do in this Chapter ........................................................................................197

10.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........197

10.2 The RIP Screen ................. ... ... ... .... ................ ... ... ... .... ... ... ... .... ................ ... ... ... .... ... .....................197

10.3 The OSPF Screen ................ ... ... .... ... ... ... ... .... ................ ... ... .... ... ... ... ... ................. ... ... ..................199

10.3.1 Configuring the OSPF Screen .............................................................................................202

10.3.2 OSPF Area Add/Edit Screen ..............................................................................................204

10.3.3 Virtual Link Add/Edit Screen ...............................................................................................206

10.4 Routing Protocol Technical Reference ..........................................................................................206

Chapter 11

Zones .................................................................................................................................................208

11.1 Zones Overview ............................................................................................................................208

11.1.1 What You Can Do in this Chapter .. ................ .... ... ... ................ ... .... ... ................ ... ... .... ........208

11.1.2 What You Need to Know ......................................................................................................208

11.2 The Zone Screen ...........................................................................................................................209

11.3 Zone Edit .......................................................................................................................................210

Chapter 12

DDNS..................................................................................................................................................212

12.1 DDNS Overview ............................................................................................................................212

ZyWALL 110/310/1100 Series User’s Guide 7

12.1.1 What You Can Do in this Chapter ........................................................................................212

12.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........212

12.2 The DDNS Screen ........................................................................................................................213

12.2.1 The Dynamic DNS Add/Edit Screen ....................................................................................214

Chapter 13

NAT.....................................................................................................................................................217

13.1 NAT Overview ...............................................................................................................................217

13.1.1 What You Can Do in this Chapter ........................................................................................217

13.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........217

13.2 The NAT Screen ......... ... ................. ... ... ... ... .... ................ ... ... .... ... ... ................ ... .... ... ... ..................218

13.2.1 The NAT Add/Edit Screen ........ ... ... ... ...................................................................................219

13.3 NAT Technical Reference ..............................................................................................................221

Chapter 14

HTTP Redirect...................................................................................................................................224

14.1 Overview .......................................................................................................................................224

14.1.1 What You Can Do in this Chapter ........................................................................................224

14.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........224

14.2 The HTTP Redirect Screen ...........................................................................................................225

14.2.1 The HTTP Redirect Edit Screen ..........................................................................................226

Chapter 15

ALG ....................................................................................................................................................228

15.1 ALG Overview ...............................................................................................................................228

15.1.1 What You Can Do in this Chapter ........................................................................................228

15.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........228

15.1.3 Before You Begin .................................................................................................................231

15.2 The ALG Screen ...........................................................................................................................231

15.3 ALG Technical Reference .............................................................................................................233

Chapter 16

IP/MAC Binding.................................................................................................................................235

16.1 IP/MAC Binding Overview .............................................................................................................235

16.1.1 What You Can Do in this Chapter ........................................................................................235

16.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........235

16.2 IP/MAC Binding Summary ............................................................................................................236

16.2.1 IP/MAC Binding Edit ............................................................................................................236

16.2.2 Static DHCP Edit .................................................................................................................237

16.3 IP/MAC Binding Exempt List .........................................................................................................238

Chapter 17

Inbound Load Balancing..................................................................................................................240

ZyWALL 110/310/1100 Series User’s Guide8

17.1 Inbound Load Balancing Overview ...............................................................................................240

17.1.1 What You Can Do in this Chapter ........................................................................................240

17.2 The Inbound LB Screen ................................................................................................................241

17.2.1 The Inbound LB Add/Edit Screen ........................................................................................242

17.2.2 The Inbound LB Member Add/Edit Screen ..........................................................................244

Chapter 18

Authentication Policy........................................... ........... .......... ........... ............................................246

18.1 Overview .......................................................................................................................................246

18.1.1 What You Can Do in this Chapter ........................................................................................246

18.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........246

18.2 Authentication Policy Screen ........................................................................................................247

18.2.1 Creating/Editing an Authentication Policy ............................................................................249

18.3 User-aware Access Control Example ......................... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ................ .....251

18.3.1 Set Up User Accounts ... ... .... ... ... ... ... .... ...............................................................................251

18.3.2 Set Up User Groups ... .........................................................................................................252

18.3.3 Set Up User Authentication Using the RADIUS Server .......................................................252

18.3.4 User Group Authentication Using the RADIUS Server ........................................................254

Chapter 19

Firewall ..............................................................................................................................................256

19.1 Overview .......................................................................................................................................256

19.1.1 What You Can Do in this Chapter ........................................................................................256

19.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........256

19.2 The Firewall Screen ... ... .... ... ... ... .... ... ... ... ................ .... ... ... ... .... ... ... ... ................ .... ... ... ..................259

19.2.1 Configuring the Firewall Screen ..........................................................................................259

19.2.2 The Firewall Add/Edit Screen .. ... ...... ...................................................................................263

19.3 The Session Limit Screen .............................................................................................................264

19.3.1 The Session Limit Add/Edit Screen .....................................................................................266

19.4 Firewall Rule Configuration Example ............................................................................................267

19.5 Firewall Rule Example Applications ..............................................................................................269

Chapter 20

IPSec VPN.............................................................. ........... .................................................................272

20.1 Virtual Private Networks (VPN) Overview .....................................................................................272

20.1.1 What You Can Do in this Chapter ........................................................................................273

20.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........274

20.1.3 Before You Begin .................................................................................................................275

20.2 The VPN Connection Screen ........................................................................................................276

20.2.1 The VPN Connection Add/Edit (IKE) Screen .......................................................................277

20.2.2 The VPN Connection Add/Edit Manual Key Screen ............................................................283

20.3 The VPN Gateway Screen ............................................................................................................285

20.3.1 The VPN Gateway Add/Edit Screen ....................................................................................286

ZyWALL 110/310/1100 Series User’s Guide 9

20.4 VPN Concentrator ........................................................................................................................292

20.4.1 VPN Concentrator Requirements and Suggestions ............................................................293

20.4.2 VPN Concentrator Screen ...................................................................................................293

20.4.3 The VPN Concentrator Add/Edit Screen ....... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ................ ..293

20.5 ZyWALL IPSec VPN Client Configuration Provisioning ....... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .....294

20.6 IPSec VPN Background Information .............................................................................................296

Chapter 21

SSL VPN ............................................................................................................................................308

21.1 Overview .......................................................................................................................................308

21.1.1 What You Can Do in this Chapter ........................................................................................308

21.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........308

21.2 The SSL Access Privilege Screen ................................................................................................309

21.2.1 The SSL Access Policy Add/Edit Screen ...........................................................................310

21.3 The SSL Global Setting Screen ........ ... ... ... ...................................................................................313

21.3.1 How to Upload a Custom Logo ......... ....................... ....................... ...................... ............... 314

21.4 SSL VPN Example ........................................................................................................................315

Chapter 22

SSL User Screens.............................................................................................................................318

22.1 Overview .......................................................................................................................................318

22.1.1 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........318

22.2 Remote SSL User Login ...............................................................................................................319

22.3 The SSL VPN User Screens ...... .... ... ................ ... ... .... ... ... ... .... ... ................ ... ... .... ... ... ... ... .... ........322

22.4 Bookmarking the ZyWALL ............................................................................................................323

22.5 Logging Out of the SSL VPN User Screens ..................................................................................324

22.6 SSL User Application Screen ........................................................................................................324

22.7 SSL User File Sharing ...................................................................................................................325

22.7.1 The Main File Sharing Screen .............................................................................................325

22.7.2 Opening a File or Folder ......................................................................................................326

22.7.3 Downloading a File ..............................................................................................................327

22.7.4 Saving a File ........................................................................................................................327

22.7.5 Creating a New Folder .........................................................................................................328

22.7.6 Renaming a File or Folder ...................................................................................................328

22.7.7 Deleting a File or Folder ......................................................................................................329

22.7.8 Uploading a File .......... ...................... ....................... ....................... ...................... ...............329

Chapter 23

ZyWALL SecuExtender ....................................................................................................................331

23.1 The ZyWALL SecuExtender Icon ..................................................................................................331

23.2 Status ............................................................................................................................................331

23.3 View Log .......................................................................................................................................332

23.4 Suspend and Resume the Connection .........................................................................................333

ZyWALL 110/310/1100 Series User’s Guide10

23.5 Stop the Connection ......................................................................................................................333

23.6 Uninstalling the ZyWALL SecuExtender .......................................................................................333

Chapter 24

L2TP VPN...........................................................................................................................................335

24.1 Overview .......................................................................................................................................335

24.1.1 What You Can Do in this Chapter ........................................................................................335

24.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........335

24.2 L2TP VPN Screen ................ ... ... .... ... ... ... ... .... ................ ... ... .... ... ... ... ... ................. ... ... ..................337

Chapter 25

Bandwidth Management.................................................................................................................339

25.1 Overview .......................................................................................................................................339

25.1.1 What You Can Do in this Chapter ........................................................................................339

25.1.2 What You Need to Know .....................................................................................................339

25.2 The Bandwidth Management Screen ............................................................................................343

25.2.1 The Bandwidth Management Add/Edit Screen ........... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..345

Chapter 26

Device HA..........................................................................................................................................349

26.1 Overview .......................................................................................................................................349

26.1.1 What You Can Do in this Chapter ........................................................................................349

26.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........349

26.1.3 Before You Begin .................................................................................................................350

26.2 Device HA General .......................................................................................................................350

26.3 The Active-Passive Mode Screen .................................................................................................351

26.3.1 Configuring Active-Passive Mode Device HA ......................................................................353

26.4 Configuring an Active-Passive Mode Monitored Interface ............................................................355

26.5 Device HA Technical Reference ....................................................................................................356

Chapter 27

User/Group........................................................................................................................................361

27.1 Overview .......................................................................................................................................361

27.1.1 What You Can Do in this Chapter ........................................................................................361

27.1.2 What You Need To Know .....................................................................................................361

27.2 User Summary Screen ..................................................................................................................363

27.2.1 User Add/Edit Screen ..........................................................................................................364

27.3 User Group Summary Screen .......................................................................................................366

27.3.1 Group Add/Edit Screen ........................................................................................................367

27.4 The User/Group Setting Screen ................ .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ........368

27.4.1 Default User Authentication Timeout Settings Edit Screens ................................................370

27.4.2 User Aware Login Example .................................................................................................371

27.5 User /Group Technical Reference .................................................................................................372

ZyWALL 110/310/1100 Series User’s Guide 11

Chapter 28

Addresses .........................................................................................................................................374

28.1 Overview .......................................................................................................................................374

28.1.1 What You Can Do in this Chapter ........................................................................................374

28.1.2 What You Need To Know .....................................................................................................374

28.2 Address Summary Screen ...... ... .... ... ... ... ... .... ... ... ... .... ... ... ................ ... .... ... ... ... .... ... ... ... ... ............374

28.2.1 IPv4 Address Add/Edit Screen ............................................................................................376

28.2.2 IPv6 Address Add/Edit Screen ............................................................................................377

28.3 Address Group Summary Screen .................................................................................................378

28.3.1 Address Group Add/Edit Screen .......... ... ... ... .... ... ... ... .... ... ... ................ ... .... ... ... ... ...............379

Chapter 29

Services.............................................................................................................................................380

29.1 Overview .......................................................................................................................................380

29.1.1 What You Can Do in this Chapter ........................................................................................380

29.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........380

29.2 The Service Summary Screen ......................................................................................................381

29.2.1 The Service Add/Edit Screen ..............................................................................................382

29.3 The Service Group Summary Screen ........... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ................ .....383

29.3.1 The Service Group Add/Edit Screen ...................................................................................384

Chapter 30

Schedules..........................................................................................................................................386

30.1 Overview .......................................................................................................................................386

30.1.1 What You Can Do in this Chapter ........................................................................................386

30.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........386

30.2 The Schedule Summary Screen ...................................................................................................387

30.2.1 The One-Time Schedule Add/Edit Screen ...........................................................................388

30.2.2 The Recurring Schedule Add/Edit Screen ..... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ...............389

Chapter 31

AAA Server........................................................................................................................................390

31.1 Overview .......................................................................................................................................390

31.1.1 Directory Service (AD/LDAP) ..............................................................................................390

31.1.2 RADIUS Server ...................................................................................................................390

31.1.3 ASAS ...................................................................................................................................391

31.1.4 What You Can Do in this Chapter ........................................................................................391

31.1.5 What You Need To Know .....................................................................................................391

31.2 Active Directory or LDAP Server Summary ..................................................................................393

31.2.1 Adding an Active Directory or LDAP Server ........................................................................393

31.3 RADIUS Server Summary .............................................................................................................396

31.3.1 Adding a RADIUS Server ...................................................................................................396

ZyWALL 110/310/1100 Series User’s Guide12

Chapter 32

Authentication Method......................................................................................................... ............399

32.1 Overview .......................................................................................................................................399

32.1.1 What You Can Do in this Chapter ........................................................................................399

32.1.2 Before You Begin .................................................................................................................399

32.1.3 Example: Selecting a VPN Authentication Method ..............................................................399

32.2 Authentication Method Objects .....................................................................................................400

32.2.1 Creating an Authentication Method Ob jec t .... .... ... ... ... .... ... ... ... ... .... ................ ... ... ... .... ... ... ..400

Chapter 33

Certificates ........................................................................................................................................403

33.1 Overview .......................................................................................................................................403

33.1.1 What You Can Do in this Chapter ........................................................................................403

33.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........403

33.1.3 Verifying a Certificate ...........................................................................................................405

33.2 The My Certificates Screen ...........................................................................................................406

33.2.1 The My Certificates Add Screen ..........................................................................................407

33.2.2 The My Certificates Edit Screen . ... ... ................. ... ... ... ................ .... ... ... ................ ... .... ... .....409

33.2.3 The My Certificates Import Screen .....................................................................................412

33.3 The Trusted Certificates Screen ..................................................................................................413

33.3.1 The Trusted Certificates Edit Screen ..................................................................................414

33.3.2 The Trusted Certificates Import Screen ..............................................................................417

33.4 Certificates Technical Reference ...................................................................................................418

Chapter 34

ISP Accounts.....................................................................................................................................419

34.1 Overview .......................................................................................................................................419

34.1.1 What You Can Do in this Chapter ........................................................................................419

34.2 ISP Account Summary ..................................................................................................................419

34.2.1 ISP Account Edit .................................................................................................................420

Chapter 35

SSL Application ................................................................................................................................422

35.1 Overview .......................................................................................................................................422

35.1.1 What You Can Do in this Chapter ........................................................................................422

35.1.2 What You Need to Know ....... ............ ............. .......... ............. ............. ............. ............. ........422

35.1.3 Example: Specifying a Web Site for Access ........................................................................423

35.2 The SSL Application Screen ................ ... ... ................. ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... ............424

35.2.1 Creating/Editing an SSL Application Object ........................................................................425

Chapter 36

DHCPv6..............................................................................................................................................428

36.1 Overview .......................................................................................................................................428

ZyWALL 110/310/1100 Series User’s Guide 13

36.1.1 What You Can Do in this Chapter ........................................................................................428

36.2 The DHCPv6 Request Screen ................ ... .... ... ... ... .... ... ... ... ................ .... ... ... ... .... ... ... ..................428

36.2.1 DHCPv6 Request Add/Edit Screen .....................................................................................429

36.3 The DHCPv6 Lease Screen . ... ... .... ... ................ ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... ............429

36.3.1 DHCPv6 Lease Add/Edit Screen .........................................................................................430

Chapter 37

System...............................................................................................................................................432

37.1 Overview .......................................................................................................................................432

37.1.1 What You Can Do in this Chapter ........................................................................................432

37.2 Host Name ....................................................................................................................................433

37.3 USB Storage .................................................................................................................................433

37.4 Date and Time ...............................................................................................................................434

37.4.1 Pre-defined NTP Time Servers List ...... ... ... ... .... ................ ... ... ... ................. ... ... ... ...............437

37.4.2 Time Server Synchronization ... ................ ................ ................ ................ ................ ............437

37.5 Console Port Speed ......................................................................................................................438

37.6 DNS Overview ...............................................................................................................................439

37.6.1 DNS Server Address Assignment .......................................................................................439

37.6.2 Configuring the DNS Screen ...............................................................................................439

37.6.3 Address Record ...................... ... ... ......................................................................................441

37.6.4 PTR Record .........................................................................................................................441

37.6.5 Adding an Address/PTR Record .........................................................................................442

37.6.6 Domain Zone Forwarder ............... ... .... ................ ... ... ................ .... ... ................ ... ... ............442

37.6.7 Adding a Domain Zone Forwarder ......................................................................................442

37.6.8 MX Record ..........................................................................................................................443

37.6.9 Adding a MX Record ...........................................................................................................443

37.6.10 Adding a DNS Service Control Rule ...................... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..444

37.7 WWW Overview ............................................................................................................................445

37.7.1 Service Access Limitations ..................................................................................................445

37.7.2 System T imeout ...................................................................................................................445

37.7.3 HTTPS .................................................................................................................................445

37.7.4 Configuring WWW Service Control .....................................................................................446

37.7.5 Service Control Rules ..........................................................................................................449

37.7.6 Customizing the WWW Login Page ....................................................................................450

37.7.7 HTTPS Example ..................................................................................................................454

37.8 SSH ............................................................................................................................................461

37.8.1 How SSH Works ............... .... ... ................ ... ... .... ... ... ................ ... .... ... ... ................ ... ............462

37.8.2 SSH Implementation on the ZyWALL ..................................................................................463

37.8.3 Requirements for Using SSH ............ .... ... ... ... .... ................ ... ... ... ................. ... ... ... ...............463

37.8.4 Configuring SSH ..................................................................................................................463

37.8.5 Secure Telnet Using SSH Examples ...................................................................................464

37.9 Telnet ............................................................................................................................................465

37.9.1 Configuring Telnet ................................................................................................................465

ZyWALL 110/310/1100 Series User’s Guide14

37.10 FTP ............................................................................................................................................467

37.10.1 Configuring FTP ................................................................................................................467

37.11 SNMP ... ... ... ... .... ................ ... ... .... ................ ... ... ... .... ................ ... ... ... ................. ........................468

37.11. 1 Supported MIBs ........... ... .... ... ... ... ................ .... ... ... ... .... ................ ... ... ... .... ... .....................469

37.11. 2 SNMP Traps ... ... .... ... ... ... .... ... ... ... ................ .... ... ... ... .... ................ ... ... ... .... ... .....................470

37.11. 3 Configuring SNMP ....... ... .... ... ... ................ ... .... ... ... ... ................ .... ... ... ... .... ................ ........470

37.12 Language Screen ........................................................................................................................472

37.13 IPv6 Screen .............. ... .... ... ... ... .... ... ................ ... ... .... ... ... ... .... ................ ... ... ... .... ... .....................472

Chapter 38

Log and Report .................................................................................................................................474

38.1 Overview .......................................................................................................................................474

38.1.1 What You Can Do In this Chapter ........................................................................................474

38.2 Email Daily Report ........................................................................................................................474

38.3 Log Setting Screens .....................................................................................................................476

38.3.1 Log Setting Summary ..........................................................................................................476

38.3.2 Edit System Log Settings ...................................................................................................478

38.3.3 Edit Log on USB Storage Setting ........ ... ... ... .... ... ... ... .... ................ ... ... ... ................ .... ... ... ..480

38.3.4 Edit Remote Server Log Settings .......................................................................................482

38.3.5 Log Category Settings Screen .............................................................................................484

Chapter 39

File Manager......................................................................................................................................488

39.1 Overview .......................................................................................................................................488

39.1.1 What You Can Do in this Chapter ........................................................................................488

39.1.2 What you Need to Know ......................................................................................................488

39.2 The Configuration File Screen ......................................................................................................490

39.3 The Firmware Package Screen ....................................................................................................494

39.4 The Shell Script Screen ...............................................................................................................496

Chapter 40

Diagnostics ......................................................................................................................................499

40.1 Overview .......................................................................................................................................499

40.1.1 What You Can Do in this Chapter ........................................................................................499

40.2 The Diagnostic Screen ............ ... .... ... ... ... ... .... ................ ... ... .... ... ... ... ... ................. ... ... ... ...............499

40.2.1 The Diagnostics Files Screen .................. ............................................................................500

40.3 The Packet Capture Screen ..........................................................................................................501

40.3.1 The Packet Capture Files Screen ........................................................................................503

40.4 Core Dump Screen .......................................................................................................................504

40.4.1 Core Dump Files Screen .....................................................................................................505

40.5 The System Log Screen ................................................................................................................505

Chapter 41

Packet Flow Explore.........................................................................................................................507

ZyWALL 110/310/1100 Series User’s Guide 15

41.1 Overview .......................................................................................................................................507

41.1.1 What You Can Do in this Chapter ........................................................................................507

41.2 The Routing Status Screen ...........................................................................................................507

41.3 The SNAT Status Screen ..............................................................................................................511

Chapter 42

Reboot ...............................................................................................................................................514

42.1 Overview .......................................................................................................................................514

42.1.1 What You Need To Know .....................................................................................................514

42.2 The Reboot Screen .......................................................................................................................514

Chapter 43

Shutdown...........................................................................................................................................515

43.1 Overview .......................................................................................................................................515

43.1.1 What You Need To Know .....................................................................................................515

43.2 The Shutdown Screen ...................................................................................................................515

Chapter 44

Troubleshooting................................................................................................................................516

44.1 Resetting the ZyWALL ..................................................................................................................524

44.2 Getting More Troubleshooting Help ..............................................................................................525

Appendix A Legal Information..........................................................................................................526

Index ..................................................................................................................................................529

PART I

User’s Guide

ZyWALL 110/310/1100 Series User’s Guide 18

CHAPTER 1

Introduction

1.1 Overview

Note: This help covers the following ZyWALL models and refers to them all as “ZyWALL”.

Featur es and interface names vary by model. K e y fe ature di ffe re nces be tw ee n ZyWALL models are

as follows. Other features are common to all models although features may vary slightly by model.

See the specific product’s datasheet for detailed specifications.

Here are some ZyWALL application scenarios.

IPv6 Routing

The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6

policy routes and IPv6 objects. The ZyWALL can also route IPv6 packets through IPv4 networks

using different tunneling methods.

Figure 1 Applications: IPv6 Routing

VPN Connectivity

Set up VPN tunnels with other companies, branch offices, telecommuters, and business tr avelers to

provide secure access to your network. You can also purchase the ZyWALL OTPv2 One-Time

Password S ystem for strong two-factor authentication for Web Configurator, Web access, SSL VPN,

and ZyXEL IPSec VPN client user logins.

Table 1 Model-Specific Features

FEATURE ZYWALL

Rack-mounting 110, 310, 1100

Wall-mounting 110

Port Role (s ee Section 7.2 on page 108) 110

Compact Flash Card Slot (not supported at the time of writing) 110

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 19

Figure 2 Applications: VPN Connectivity

SSL VPN Network Access

SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just

browses to the ZyWALL’s web address and enters his user name and password to securely connect

to the Z y WALL’s network. Here full tunnel mode creates a virtual connection for a remote user and

gives him a private IP address in the same subnet as the local network so he can access network

resources in the same way as if he were part of the internal network.

Figure 3 SSL VPN With Full Tunnel Mode

User-Aware Access Control

Set up security policies to restrict access to sensitive information and shared resources based on

the user who is trying to access it. In the following figure user A can access both the Internet and

an internal file server. User B has a lower level of access and can only access the Internet. User C is

not even logged in and cannot access either.

O T P PIN

SafeWord 2008

Authentication Server

File Email Web-based

Server Server Application

*****

Web Mail File Share

Web-based Application

https://

Application Server

Non-Web

LAN (192.168.1.X)

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

Figure 4 Applications: User-Aware Access Control

Load Balancing

Set up multiple connections to the Internet on the same port, or different ports, including cellular

interfaces. In either case, you can balance the tr affic loads between them.

Figure 5 Applications: Multiple WAN Interfaces

1.2 Management Overview

You can manage the ZyWALL in the following ways.

Web Configurator

The Web Configurator allows easy Z yWALL setup and management using an Internet browser. This

User’s Guide provides information about the Web Configurator.

Figure 6 Managing the ZyWALL: Web Configurator

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 21

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the ZyWALL. Access it using remote

management (for example, SSH or Telnet) or via the physical or Web Configurator console port.

See the Command Reference Guide for CLI details. The default settings for the console port are:

1.3 Web Configurator

In order to use the Web Configurator, you must:

• Use one of the followin g web browser versions or later: Internet Explorer 7, Firefo x 3.5, Chr ome

9.0

• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)

• Enable JavaScripts, Java permissions, and cookies

The recommended screen resolution is 1024 x 768 pixels.

1.3.1 Web Configurator Access

1Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.

2In your browser go to http://192.168.1.1. By default, the ZyW ALL automatically routes this request

to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.

3Type the user name (default: “admin”) and password (default: “1234”).

If you have a OTP (One-Time Password) token generate a number and enter it in the One-Time

Password field. The number is only good for one login. You must use the token to gener ate a n ew

number the next time you log in.

Table 2 Console Port Default Settings

SETTING VALUE

Speed 115200 bps

Data Bits 8

Parity None

Stop Bit 1

Flow Control Off

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

4Click Login. If you logged in using the default user name and password, the Update Admin Info

screen appears. Otherwise, the dashboard appears.

5Follow the directions in the Update Admin Info screen. If you change the default password, the

opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.

1.3.2 Web Configurator Screens Overview

The Web Configurator screen is divided into these parts (as illustrated on page 22):

•A - title bar

•B - navigation panel

•C - main window

Ti tle Bar

Figure 7 Title Bar

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 23

The title bar icons in the upper right corner provide the following functions.

About

Click About to display basic information about the ZyWALL.

Figure 8 About

Site Map

Click Site MAP to see an overview of links to the W eb Configur ator screens. Click a screen’s link to

go to that screen.

Table 3 Title Bar: Web Configurator Icons

LABEL DESCRIPTION

Logout Click this to log out of the Web Configurator.

Help Click this to open the help page for the current screen.

About Click this to display basic information about the ZyWALL.

Site Map Click this to see an overview of links to the Web Configurator screens.

Object Reference Click this to check which configuration items reference an object.

Console Click this to open a Java-b ased console window from which you can run comma nd line

interface (CLI) commands. You will be prompted to enter your user name and password.

See the Command Reference Guide for information about the commands.

CLI Click this to open a popup window that displays the CLI commands sent by the Web

Configurator to the ZyWALL.

Table 4 About

LABEL DESCRIPTION

Boot Module This shows the version number of the software that handles the booting process of the

ZyWALL.

Current Version This shows the firmware version of the ZyWALL.

Released Date This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.

OK Click this to close the screen.

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

Figure 9 Site Map

Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the

individual object and click Refresh to show which configuration settings reference the object.

Figure 10 Object Reference

The fields vary with the type of object. This table describes labels that can appear in this screen.

Table 5 Object References

LABEL DESCRIPTION

Object Name This i dentifies the object f or which the configur ation settings that us e it are display ed. Click the

object’s name to display the object’s configuration screen in the main window.

# This field is a sequential value, and it is not associated with any entry.

Service This is the type of setting that references the selected object. Click a service’s name to display

the service’s configuration screen in the main window.

Priority If it is applicabl e, this field lists the refer e ncing configuration item’s position in its list,

otherwise N/A displays.

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 25

Console

Click Console to open a Java-based console window from which you can run CLI commands. You

will be prompted to enter your user name and password. See the Command Reference Guide for

information about the commands.

Figure 11 Console Window

CLI Messages

Click CLI to look at the CLI commands sen t by the W e b Configurator. Open the pop-up window and

then click some menus in the web configurator to dislay the corresponding commands.

Figure 12 CLI Messages

Name This field identifies the configuration item that references the object.

Description If the referencing configuration item has a description configured, it displays here.

Refresh Click this to update the information in this screen.

Cancel Click Cancel to close the screen.

Table 5 Object References (continued)

LABEL DESCRIPTION

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

1.3.3 Navigation Panel

Use the navigation panel menu items to open status and configuration screens. Click the arrow in

the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The

following sections introduce the ZyWALL’s navigation panel menus and their screens.

Figure 13 Navigation Panel

Dashboard

The dashboard displays gene ral device information, system status, system resource usage,, and

interface status in widgets that y ou can re- arr ange to suit your needs. See the W eb Help for details

on the dashboard.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 6 Monitor Menu Screens Summary

FOLDER OR LINK TAB FUNCTION

System Status

Port S tatistics Displays packet statistics for each physical port.

Interface

Status Displays general interface information and packet statistics.

Traffic

Statistics Collect and display traffic statistics.

Session

Monitor Displays the status of all current ses sions.

DDNS Status Displays the status of the ZyWALL’s DDNS domain names.

IP/MAC Binding Lists the devices that have received an IP address from ZyWALL interfaces

using IP/MAC binding.

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 27

Configuration Menu

Use the configuration menu screens to configure the ZyWALL’s features.

Cellular Status Disp lays details about the ZyWALL’s 3G connection st atus.

USB Storage Displays details about USB device connected to the ZyWALL.

VPN Monitor

IPSec Displays and manages the active IPSec SAs.

SSL Lists users currently logged into the VPN SSL client portal. You can also log

out individual users and delete related s ession information.

L2TP over

IPSec Displays details about current L2 TP sessions.

Log Lists log entrie s.

Table 7 Configuration Menu Screens Summary

FOLDER OR LINK TAB FUNCTION

Quick Setup Quickly configure WAN interfaces or VPN connections.

Network

Interface Port Role Use this screen to set t h e ZyWALL’s flexible ports as LAN1, WLAN,

or DMZ.

Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces.

PPP Create and manage PPPoE and PPTP interfaces.

Cellular Configure a cellul ar Internet connection for an installed 3G card.

Tunnel Configur e tunneling between IPv4 and IPv6 networks.

VLAN Create and manage VLAN interfaces and virtual VLAN interfaces.

Bridge Create and manage bridges and virtual bridge interfaces.

Trunk Create and manage trunks (groups of interfaces) for load

balancing.

Routing Policy Ro ute Create and manage routing policies.

Static Route Create and manage IP static routing information.

RIP Configure device-level RIP settings.

OSPF Configure device -level OSPF settings, including areas and virtual

links.

Zone Configure zones used to define various policies.

DDNS DDNS Define and manage the ZyWALL’s DDNS domain names.

NAT Set up and manage port forwarding rules.

HTTP Redirect Set up and manage HTTP redirection rules.

ALG Configure SIP, H.323, and FTP pass-through settin gs.

IP/MAC

Binding Summary Configure IP to MAC address bindings for devices connected to

each supported interface.

Exempt List Configure ranges of IP addresses to which the ZyWALL does not

apply IP/MAC binding.

DNS Inbound

LB DNS Load

Balancing Configure DNS Load Balancing.

Auth. Policy Define rules to force user authentication.

Table 6 Monitor Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

Firewall Firewall Create and manage level-3 traffic rules.

Session Control Limit the number of concurrent client NAT/firewall sessions.

VPN

IPSec VPN VPN Connection Configure IPSec tunnels.

VPN Gateway Configure IKE tunnels.

Concentrator Combine IPSec VPN connections into a single secure network

Configuration

Provisioning Set who can retrieve VPN rule settings from the ZyWA LL using the

ZyWALL IPSec VPN Client.

SSL VPN Access Privilege Configure SSL VPN access rights for users and groups.

Global Setting Configure the ZyWALL’s SSL VPN settings that apply to all

connections.

L2TP VPN L2TP VPN Configure L2TP over IPSec tunnels.

BWM BWM Enable and configure bandwidth management rules.

Device HA General Configure device HA global settings, and see the status of each

interface monitored by device HA.

Active-Passive

Mode Configure active-passive mode device HA.

Object

User/Group User Create and manage users.

Group Create and manage groups of users.

Setting Manage default settings for all users, general settings for user

sessions, and rules to force user authentication.

Address Address Create and manage host, range, and network (subnet) addresses.

Address Group Create and manage groups of addresses.

Service Service Create and manage TCP and UDP services.

Service Group Create and manage groups of services.

Schedule Schedule Create one-time and recurring schedules.

AAA Server Active Directory Configure the Active Directory settings.

LDAP Configure the LDAP set ti ngs.

RADIUS Configure the RADIUS settings.

Auth. Method Authentication

Method Create and manage ways of authenticating users.

Certificate My Certificates Create and manage the ZyWALL’s certificates.

Trusted Certificates Import and manage certificates from trusted sources.

ISP Account ISP Account Create and manage ISP account information for PPPoE/PPTP

interfaces.

SSL Application Create SSL web application objects.

DHCPv6 Request Configure IPv6 DHCP requ est ty pe and interface information.

Lease Configure IPv6 DHCP lease type and interface information.

System

Host Name Configure the system and domain name for the ZyWALL.

USB Storage Settings Configure the settings for the connected USB devices.

Date/Time Configure the current date, time, and time zone in the ZyWALL.

Table 7 Configuration Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 29

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics,

and reboot or shut down the Zy WALL.

1.3.4 Tables and Lists

Web Configurator tables and lists are flexible with several options for how to display their entries.

Click a column heading to sort the table’s entries according to that column’s criteria.

Console Speed Set the console speed.

DNS Configure the DNS server and address records for the ZyWALL.

WWW Service Control Configure HTTP, HTTPS, and general authentication.

SSH Configure SSH se rver and SSH service settings.

TELNET Configure telnet server settings for the ZyWALL.

FTP Configure FTP server settings .

SNMP Configure SNMP communities and services.

Language Select the Web Configurator language.

IPv6 Enable IPv6 globally on the ZyWALL here.

Log & Report

Email Daily

Report Configure where and how to send daily reports and what reports to

send.

Log Settings Configure the system log, e-mail logs, and remote syslog servers.

Table 8 Maintenance Menu Screens Summary

FOLDER

OR LINK TAB FUNCTION

File

Manager Configuration File Manage and upload conf iguration files for the ZyWALL.

Firmware Package View the current firmware version and to upload firmware.

Shell Script Manage and run shell script files for the ZyWALL.

Diagnostics Diagnostic Collect diagnostic information.

Packet Capture Capture packets for analysis.

Core Dump Connect a USB device to the ZyWALL and save the ZyWAL L operating

system kernel to it here.

System Log Connect a USB device to the ZyWALL and archive the ZyWALL system logs

to it here.

Packet

Flow

Explore

Routing Status Check how the ZyWALL determines where to route a packet.

SNAT Status View a clear picture on how the ZyWALL converts a packet’s source IP

address and check the related settings.

Reboot Restart the ZyWALL.

Shutdown Turn off the ZyWALL.

Table 7 Configuration Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

Figure 14 Sorting Table Entries by a Column’s Criteria

Click the down arrow next to a column heading for more options about how to display the entries.

The options available vary depending on the type of fields in the column. Here are some examples

of what you can do:

• Sort in ascending or descending (reverse) alphabetical order

• Select which columns to display

• Group entries by field

• Show entries in groups

• Filter by mathematical operators (<, >, or =) or searching for text

Figure 15 Common Table Column Options

Select a column heading cell’s right border and drag to re-size the column.

Figure 16 Resizing a Table Column

Select a column heading and drag and drop it to change the column order. A green check mark

displays next to the column’s title when you drag the column to a valid new location.

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide 31

Figure 17 Moving Columns

Use the icons and fields at the bottom of the table to navigate to different pages of entries and

control how many entries display at a time.

Figure 18 Navigating Pages of Table Entries

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to

select multiple entries to remove, activate, or deactivate.

Figure 19 Common Table Icons

Here are descriptions for the most common table icons.

Table 9 Common Table Icons

LABEL DESCRIPTION

Add Click this to create a new entry. For features where the entry’s position in the numbered list is

important (features where the ZyWALL applies the table’s entries in order like the firewall for

example), you can select an entry and c li ck Add to create a new entry after the selected entry.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

entry’s settings. In some tables you can just click a table entry and ed it it directly in the table.

For those t ypes of tables small re d triangles display for table entries with changes that you have

not yet applied.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it

before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an entry, select it an d click Connect.

Disconnect To disconnect an entry, select it and click Disconnect.

Object

References Select an entry and click Object References to check which settings use the entry.

Move To change an entry’s position in a numbered list, se lect it and click Move to display a field to

type a number for where you want to put that entry and press [ENTER] to move the entry to the

number that you typed. For example, if you type 6, the entry you are moving becomes number 6

and the previous entry 6 (if there is one) gets pushed up (or down) one.

Chapter 1 Introduction

ZyWALL 110/310/1100 Series User’s Guide

Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-

click an entry to move it from one list to the other. In some lists you can also use the [Shift] or

[Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

ZyWALL 110/310/1100 Series User’s Guide 33

CHAPTER 2

Installation Setup Wizard

2.1 Installation Setup Wizard Screens

When you log into the Web Configurator for the first time or when you reset the ZyWALL to its

default configuration, the Installation Setup Wizard screen displays. This wizard helps you

configure Internet connection settings and activate subscription services. This chapter provides

information on configuring the W eb Configurator's installation setup wizard. See th e feature-specific

chapters in this User’s Guide for background information.

Figure 20 Installation Setup Wizard

• Click the double arrow in the upper right corner to display or hide the help.

• Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for

Internet access.

2.1.1 Internet Access Setup - WAN Interface

Use this screen to configure the WAN interface’s type of encapsulation and method of IP address

assignment.

The screens vary depending on the encapsulation type. Refer to information provided by your ISP

to know what to enter in each field. Leave a field blank if you don’t have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

•Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet.

Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from

your ISP.

Chapter 2 Installation Setup Wizard

ZyWALL 110/310/1100 Series User’s Guide

•WAN Interface: This is the interface you are configuring for Internet access.

•Zone: This is the security zone to which this interface and Intern et connection belong.

•IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address.

Select Static if the ISP assigned a fixed IP address.

2.1.2 Internet Access: Ethernet

This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto.

Use this screen to configure your IP address settings.

Note: Enter the Internet access information exactly as given to you by your ISP.

•Encapsulation: This displays the type of Internet connection you are configuring.

•First WAN Interface: This is the number of the interface that will connect with your ISP.

•Zone: This is the security zone to which this interface and Internet connec tion will belong.

•IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP

Address Assignment in the previous screen.

The following fields display if you selected static IP address assignment.

•IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.

•Gateway IP Address: Enter the IP address of the router through which this WAN connection

will send traffic (the default gateway).

•First / Second DNS Serve r: These fields display if you selected static IP address assignment.

The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a

DNS server's IP address(es). The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyW ALL uses these (in the

order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the

field as 0.0.0.0 if you do not want to configure DNS servers.

2.1.3 Internet Access: PPPoE

Note: Enter the Internet access information exactly as given to you by your ISP.

2.1.3.1 ISP Parameters

• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify

and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up

to 64 characters long.

•Authentication Type - Select an authentication protocol for outgoing connection requests.

Options are:

•CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.

•CHAP - Your ZyWALL accepts CHAP only.

•PAP - Your ZyWALL accepts PAP only.

•MSCHAP - Your ZyWALL accepts MSCHAP only.

•MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V 2 only.

•Type the User Name given to you by your ISP. Y ou can use alphanumeric and -_@$./ characters,

and it can be up to 31 characters long.

Chapter 2 Installation Setup Wizard

ZyWALL 110/310/1100 Series User’s Guide 35

•Type the Password associated with the user name. Use up to 64 ASCII characters except the []

and ?. This field can be blank.

•Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle

Timeout in seconds that elapses before the router automatically disconnects from the PPPoE

server.

2.1.3.2 WAN IP Address Assignments

•WAN Interface: This is the name of the interface that will connect with your ISP.

•Zone: This is the security zone to which this interface and Internet connec tion will belong.

•IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP

Address Assignment in the previous screen.

•First / Second DNS Serve r: These fields display if you selected static IP address assignment.

The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a

DNS server's IP address(es). The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyW ALL uses these (in the

order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the

field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server,

you must know the IP address of a machine in order to access it.

2.1.4 Internet Access: PPTP

Note: Enter the Internet access information exactly as given to you by your ISP.

2.1.5 ISP Parameters

•Authentication Type - Select an authentication protocol for outgoing calls. Options are:

•CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.

•CHAP - Your ZyWALL accepts CHAP only.

•PAP - Your ZyWALL accepts PAP only.

•MSCHAP - Your ZyWALL accepts MSCHAP only.

•MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V 2 only.

•Type the User Name given to you by your ISP. Y ou can use alphanumeric and -_@$./ characters,

and it can be up to 31 characters long.

•Type the Password associated with the user name. Use up to 64 ASCII characters except the []

and ?. This field can be blank. Re-type your password in the next field to confirm it.

•Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle

Timeout in seconds that elapses before the router automatically disconnects from the PPTP

server.

2.1.5.1 PPTP Configuration

•Base Interface: This identifies the Ethernet interface you configure to connect with a modem or

router.

•Type a Base IP Address (static) assigned to you by your ISP.

• Type the IP Subnet Mask assigned to you by your ISP (if given).

•Server IP: Type the IP address of the PPTP server.

Chapter 2 Installation Setup Wizard

ZyWALL 110/310/1100 Series User’s Guide

•Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For

example, C:12 or N:My ISP. This field is optional and depends on the requirements of your

broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to

31 characters long.

2.1.5.2 WAN IP Address Assignments

•First WAN Interface: This is the connection type on the interface you are configuring to

connect with your ISP.

•Zone This is the security zone to which this interface and Internet connection will belong.

•IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP

Address Assignment in the previous screen.

•First / Second DNS Serve r: These fields display if you selected static IP address assignment.

The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a

DNS server's IP address(es). The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyW ALL uses these (in the

order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the

field as 0.0.0.0 if you do not want to configure DNS servers.

2.1.6 Internet Access - Finish

You have set up your ZyWALL to access the Internet. A screen displays with your settings. If they

are not correct, click Back.

ZyWALL 110/310/1100 Series User’s Guide 37

CHAPTER 3

Hardware Introduction

3.1 Default Zones, Interfaces, and Ports

The default configurations for zones, interfaces, and ports are as follows. References to interfaces

may be generic r ather than the specific name used in y our model. F or example, this guide may use

“the WAN interface” rather than “wan1” or “wan2”, “ge2” or” ge3”.

An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ

port.

Physical Ports

Interfaces

Zones

ext-wlan

110

LAN1

lan1 LAN2

lan2

WAN

wan1 wan2

P1 P2 P3 P4 P5 P6

WLAN DMZ

dmz

opt

None

Physical Ports

Interfaces

P1 P2 P3 P4 P5 P6

ge1ge2 ge3

ge6

WLAN

ge4ge5

310

Zones WAN

DMZ

LAN

P7 P8

ge8

None

ge7

Physical Ports

Interfaces

P1 P2 P3 P4 P5 P6

ge1ge2 ge3

ge6

ge4ge5

1100

Zones WAN

DMZ

LAN

P7 P8

ge8

None

ge7

Chapter 3 Hardware Introduction

ZyWALL 110/310/1100 Series User’s Guide

Note: Use an 8-wire Ethernet cable to run your Gigab it Ethernet at 1000 Mbps. Using a 4-

wire Ethernet cable limits your connection to 100 Mbps. Note that the connection

speed also depends on what the Ethernet device at the other end can support.

3.2 Stopping the ZyWALL

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn

off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.

3.3 Rack-mounting

See Chapter 1 on page 18 for the ZyWALL models that can be rack mounted. Use the following

steps to mount the ZyWALL on an EIA standard size, 19-inch rack or in a wiring closet with other

equipment using a rack -mounting kit. Mak e sure the rack will safely support the combined weight of

all the equipment it contains and that the position of the ZyWALL does not make the rack unstable

or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit.

Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.

Use a #2 Phillips screwdriver to install the screws.

Note: Failure to use the proper screws may damage the unit.

1Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket

screws (smaller than the rack-mounting screws).

2Attach the other bracke t in a similar fashion.

3After attaching both mounting brackets, position the ZyWALL in the ra ck and up the bracket holes

with the rack holes. Secure the ZyWALL to the rack with the rack-mounting screws.

Chapter 3 Hardware Introduction

ZyWALL 110/310/1100 Series User’s Guide 39

3.4 Wall-mounting

See Chapter 1 on page 18 for the ZyWALL models that can be wall-mounted. Do the following to

attach your ZyWALL to a wall.

1Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see

the figure in step 2). Do not screw the screws all the w a y in to the w all; leave a small gap between

the head of the screw and the wall.

The gap must be big enough for the screw heads to slide into the screw slots and the connection

cables to run down the back of the ZyWALL.

Note: Make sure the screws are securely fixed to the wall and strong enough to hold the

weight of the ZyWALL with the connection cables.

2Use the holes on the bottom of the ZyWALL to hang the ZyWALL on the screws.

3.5 Front Panel LEDs

This section introduces the ZyWALL’s front panel LEDs.

Chapter 3 Hardware Introduction

ZyWALL 110/310/1100 Series User’s Guide

Figure 21 ZyWALL Front P an el

The following tables describe the LEDs.

Ta ble 10 Front Panel LEDs

LED COLOR STATUS DESCRIPTION

PWR Off The ZyWALL is turned off.

Green On The ZyWALL is turned on.

Red On There is a hardware component fail ure. Shut down the device, w ait for a few

minutes and then restart the device (see Section 3.2 on page 38). If the LED

turns red again, then please contact your vendor.

SYS Green Off The ZyWALL is not ready or has failed.

On The ZyWALL is ready and running.

Blinking The ZyWALL is booting.

Red On The ZyWALL xd an error or has failed.

USB Green Off No device is connected to the ZyWALL’s USB port or the connected device is

not supported by the ZyWALL.

On A 3G USB card or USB storage device is conne cted to the USB port.

Orange On Connected to a 3G network through the connected 3G USB card.

P1, P2... Green Off There is no traffic on this port.

Blinking The ZyWALL is sending or receiving packets on this port.

Orange Off There is no connection on this port.

On This port has a successful link.

110

310

1100

Chapter 3 Hardware Introduction

ZyWALL 110/310/1100 Series User’s Guide 41

3.5.1 Rear Panels

The following graphic shows the rear panel of the ZyWALL.

Table 11 Rear Panel

LABEL DESCRIPTION

Console You can use the console port to manage the ZyWALL using CLI commands. You will be

prompted to enter your user name and password. See the Command Reference Guide for

more information about the CLI.

When configuring using the console port, you need a computer equipped with

communications software configured to the following parameters:

• Speed 115200 bps

•Data Bits 8

• Parity None

•Stop Bit 1

• Flow Control Off

CF Card Slot This feature is not supported at the time of writing.

Power Use the included power cord to connect the power socket to a power outlet. Turn the power

switch on if your ZyWALL has a power switch.

Lock Attach a lock-and-cable from the Kensington lock (the small, metal-reinforced, oval hole)

to a permanent object, such as a pole, to secure the Zy WALL in place.

F an The fans are for cooling the ZyW ALL. Make su re they are not obst ructed to allow maxi mum

ventilation.

110

310

1100

ZyWALL 110/310/1100 Series User’s Guide 42

CHAPTER 4

Quick Setup Wizards

4.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection

settings. This chapter provides information on configuring the quick setup screens in the Web

Configurator. See the feature-specific chapters in this User’s Guide for background information.

In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup

screen.

Figure 22 Quick Setup

•WAN Interface

Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates

matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 4.2 on page

42.

•VPN SETUP

Use VPN Setup to configure a VPN (Virtual Private Network) rule for a secure connection to

another computer or network. Use VPN Settings for Configuration Provisioning to set up a

VPN rule that can be retrieved with the ZyWALL IPSec VPN Client. You only need to enter a user

name, password and the IP address of the Z yWALL in the Z yW ALL IPSec VPN Client to get all VPN

settings automatically from the ZyWALL. See Section 4.3 on page 47.

4.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup

Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet.

Click Next.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 43

Figure 23 WAN Interface Quick Setup Wizard

4.2.1 Choose an Ethernet Interface

Select the Ethernet interface that you want to configure for a WAN connection and click Next.

Figure 24 Choose an Ethernet Interface

4.2.2 Select WAN Type

WAN Type Selection: Select the type of encapsulation this connection is to use. Ch oose Ethernet

when the WAN port is used as a regular Ethernet.

Otherwise, choose PPPoE or PPTP for a dial-up connection according to the inf ormation from y our

ISP.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

Figure 25 WAN Interface Setup: Step 2

The screens vary depending on what encapsulation type you use. Refer to information provided by

your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

4.2.3 Configure WAN Settings

Use this screen to select whether the interface should use a fixed or dynamic IP address.

Figure 26 WAN Interface Setup: Step 2

•WAN Interface: This is the interface you are configuring for Internet access.

•Zone: This is the security zone to which this interface and Intern et connection belong.

•IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address.

Select Static if you have a fixed IP address.

4.2.4 WAN and ISP Connection Settings

Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set

the IP Address Assignment to Static.

Note: Enter the Internet access information exactly as your ISP gave it to you.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 45

Figure 27 WAN and ISP Connection Settings: (PPTP Shown)

The following table describes the labels in this screen.

Ta ble 12 WAN and ISP Connection Settings

LABEL DESCRIPTION

ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection.

Encapsulation This displays the type of Internet connection you are con figuring.

Authentication

Type Use the drop-down list box to select an authentication protocol for outgoing calls.

Options are:

CHAP/PAP - Your ZyWALL ac c epts either CHAP or PAP when requested by this remote

node.

CHAP - Your ZyWALL accepts CHAP only.

PAP - Your ZyWALL accepts PAP only.

MSCHAP - Yo ur ZyWALL accepts MSCHAP only.

MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.

User Name Type the use r name given to you by your ISP. You can use alphanumeric and -_@$./

characters, and it can be up to 31 characters long.

Password Type the password associated with the user name above. Use up to 64 ASCII char acters

except the [] and ?. This field can be blank.

Retype to

Confirm Type your password again for confirmation.

Nailed-Up Select Nailed-Up if you do not want the connection to time out.

Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from

the PPPoE server. 0 means no timeout.

PPTP Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection.

Base Interface This displays the identity of the Ethernet interface you configure to connect with a

modem or router.

Base IP Address Type the (static) IP address assigned to you by your ISP.

IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

4.2.5 Quick Setup Interface Wizard: Summary

This screen displays the WAN interface’s settings.

Figure 28 Interface Wizard: Summary WAN (PPTP Shown)

Server IP Type the IP address of the PPTP server.

Connection ID Enter the connection ID or connection name in this field. It must follow the "c:id" and

"n:name" format. For example, C:12 or N:My ISP.

This field is optional and depends on the requirements of your DSL modem.

You can use alphanumeric and -_: characters, and it can be up to 31 characters long.

WAN Interface

Setup

WAN Interface This displays the identity of the interface you configure to connect with your ISP.

Zone This field displays to which security zone this interface and Internet connection will

belong.

IP Address This field is read-only when the WAN interface uses a d y na m i c IP address. If your WAN

interface uses a static IP address, enter it in this field.

First DNS

Server

Second DNS

Server

These fields only display for an interface with a static IP address. Enter th e DNS server

IP address(es) in the field(s) to the right.

Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not

configure a DNS server, you must know the IP address of a machine in order to access

it.

DNS (Domain Name System) is for mapping a domain name to its corresponding IP

address and vice versa. The DNS server is extremely important becaus e with out it, y ou

must know the IP address of a computer before you can access it. The ZyWALL uses a

system DNS server (in the order you spe cify here) to resolve domain names for VPN,

DDNS and the time server.

Back Click Back to return to the previous screen.

Next Click Next to continue.

Ta ble 12 WAN and ISP Connection Settings (continued)

LABEL DESCRIPTION

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 47

The following table describes the labels in this screen.

4.3 VPN Setup Wizard

Click VPN Setup in the main Quick Se tup screen to open the VPN Setup Wizard Welcome screen.

Figure 29 VPN Setup Wizard

4.3.1 Welcome

Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, th e Phase

1 rule settings appear in the VPN > IPSec VPN > VPN Gateway scree n and the Phase 2 rule

settings appear in the VPN > IPSec VPN > VPN Connection screen.

Ta ble 13 Interface Wizard: Summary WAN

LABEL DESCRIPTION

Encapsulation This displays what encapsulation this interface uses to connect to the Internet.

Service Name This field only appears for a PPPoE interface. It displays the PPPoE service name specified

in the ISP account.

Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server.

User Name This is the user name given to you by your ISP.

Nailed-Up If No displays the connection will not time out. Yes means the ZyWALL uses the idle

timeout.

Idle Timeout This is how many seconds the connection can be idle before the router automatically

disconnects from the PPPoE server. 0 means n o timeout.

Connection ID If you specified a connection ID, it displays here.

WAN Interface This identifies the interface you configure to connect with your ISP.

Zone This field displays to which security zone this interface and Internet connection will belong.

IP Address

Assignment This field displays whether the WAN IP address is static or dynamic (Auto).

First DNS Server

Second DNS

Server

If the IP Address Assignment is Static, these fields display the DNS server IP

address(es).

Close Click Close to exit the wizard.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

•VPN Setup configures a VPN tunnel for a secure connection to another computer or network.

•VPN Settings for Configuration Provisioning sets up a VPN rule the ZyWALL IPSec VPN Client

can retrieve. Just enter a user name, password and the IP address of th e ZyWALL in the ZyWALL

IPSec VPN Client to get the VPN settings automatically from the ZyWALL.

Figure 30 VPN Wizard Welcome

4.3.2 VPN Setup Wizard: Wizard Type

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to

another ZLD-based ZyWALL using a pre-shared key.

Choose Advanced to change the default settings and/or use certificates instead of a pre-shared

key to create a VPN rule to connect to another IPSec device.

Figure 31 VPN Setup Wizard: Wizard Type

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 49

4.3.3 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 31 on page 48 to display the following screen.

Figure 32 VPN Express Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection. The figure on the left of the

screen changes to match the scenario you select.

•Site-to-site - The remote IPSec device has a static IP address or a domain name. This ZyWALL

can initiate the VPN tunnel.

•Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the

remote IPSec device can initiate the VPN tunnel.

•Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The

clients have dynamic IP addresses and are also known as dial-in users. Only the clients can

initiate the VPN tunnel.

•Remote Access (Client Role) - Connect to an IPSec server. This ZyWA LL is the client (dial-in

user) and can initiate the VPN tunnel.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

4.3.4 VPN Express Wizard - Configuration

Figure 33 VPN Express Wizard: Configuration

•Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario.

Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure

gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if

the remote IPSec router has a dynamic WAN IP address.

•Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password.

Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”)

characters. Proceed a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload

malformed) packet if the same pre-shared key is not used on both ends.

•Local Policy (IP/Mask): Type the IP address of a computer on your network that can use the

tunnel. You can also specify a subnet. This must match the remote IP address configured on the

remote IPSec device.

•Remote Policy (IP/Mask): Any displays in this field if it is not configurable for the chosen

scenario. Otherwise, type the IP address of a com puter behind the rem ote IPSec device. You can

also specify a subnet. This must match the local IP address configured on the remote IPSec

device.

4.3.5 VPN Express Wizard - Summary

This screen provides a read-only summary of the VPN tunnel’s configuration and commands that

you can copy and paste into another ZLD-based ZyWALL’s command line interf a ce to configur e it.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 51

Figure 34 VPN Express Wizard: Summary

•Rule Name: Identifies the VPN gateway policy.

•Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays

Any, only the remote IPSec device can initiate the VPN connection.

•Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1

IKE negotiation.

•Local Policy: IP address and subnet mask of the computers on the network behind your ZyW ALL

that can use the tunnel.

•Remote Policy: IP address and subnet mask of the computers on the network behind the

remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec

device can initiate the VPN connection.

• Copy and paste the Configuration for Secure Gateway commands into another ZLD-based

Z yWALL’ s command line interface to configure it to serve as the other end of this VPN tunnel. You

can also use a text editor to save these commands as a shell script file with a “.zysh” filename

extension. Use the file manager to run the script in order to configure the VPN connection. See

the commands reference guide for details on the commands displayed in this list.

4.3.6 VPN Express Wizard - Finish

Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec

VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >

VPN Connection screen.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

Figure 35 VPN Express Wizard: Finish

Click Close to exit the wizard.

4.3.7 VPN Advanced Wizard - Scenario

Click the Advanced radio button as shown in Figure 31 on page 48 to display the following screen.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 53

Figure 36 VPN Advanced Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection. The figure on the left of the

screen changes to match the scenario you select.

•Site-to-site - The remote IPSec device has a static IP address or a domain name. This ZyWALL

can initiate the VPN tunnel.

•Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the

remote IPSec device can initiate the VPN tunnel.

•Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The

clients have dynamic IP addresses and are also known as dial-in users. Only the clients can

initiate the VPN tunnel.

•Remote Access (Client Role) - Connect to an IPSec server. This ZyWA LL is the client (dial-in

user) and can initiate the VPN tunnel.

4.3.8 VPN Advanced Wizard - Phase 1 Settings

There are two phases to every IKE (Internet Ke y E xchange) negotiation – ph ase 1 (Authentication)

and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

Figure 37 VPN Advanced Wizard: Phase 1 Settings

•Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario.

Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure

gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if

the remote IPSec device has a dynamic WAN IP address.

•My Address (interface): Select an interface from the drop-down list box to use on your

ZyWALL.

•Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more

incoming connections from dynamic IP addresses to use separate passwords.

Note: Multiple S As connecting through a secure gateway mus t have the same negotiation

mode.

•Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the

security (this may affect throughput). Both sender and receiver must use the same secret key,

which can be used to encrypt and decrypt the message or to generate and verify a message

authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a

variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

requires more processing power, resulting in increased latency and decreased throughput.

AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key, and AES256

uses a 256-bit key.

•Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest

security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to

authenticate packet data. The stronger the algorithm the slower it is.

•Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1

(default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit

rand om number.

•SA Life Time: Set how often the Z yWALL renegotiates th e IKE SA. A short SA life time increases

security, but renegotiation tempor arily disconnects the VPN tunnel.

•NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router

between the IPSec devices).

Note: The remote IPSec device mus t also have NA T tr aversal enabled. See the help in the

main IPSec VPN screens for more information.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 55

•Dead Peer Detection (DPD) has the ZyWALL make sure the remote IPSec device is there

before transmitting data through the IKE S A. If th ere has been no tr affic for at least 15 seconds,

the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL transmits

the data. If it does not respond, the ZyWALL shuts down the IKE SA.

•Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one

of the ZyWALL’s certificates.

4.3.9 VPN Advanced Wizard - Phase 2

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 38 VPN Advanced Wizard: Step 4

•Active Protocol: ESP is compatible with NAT, AH is not.

•Encapsulation: Tunnel is compatible with NAT, Transport is not.

•Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the

security (this may affect throughput). Null uses no encryption.

•Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest

security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to

authenticate packet data. The stronger the algorithm the slower it is.

•SA Life Time: Set how often the Z yWALL renegotiates th e IKE SA. A short SA life time increases

security, but renegotiation tempor arily disconnects the VPN tunnel.

•Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure.

Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may

affect throughput). DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to

Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a

1536 bit random number (more secure, yet slower).

•Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also

specify a subnet. This must match the remote IP address configured on the remote IPSec device.

•Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device.

You can also specify a subnet. This must match the local IP address configured on the remote

IPSec device.

•Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this

to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

4.3.10 VPN Advanced Wizard - Summary

This is a read-only summary of the VPN tunnel settings.

Figure 39 VPN Advanced Wizard: Step 5

•Rule Name: Identifies the VPN connection (and the VPN gateway).

•Secure Gateway: IP address or domain name of the remote IPSec device.

•Pre-Shared Key: VPN tunnel password.

•Certificate: The certificate the ZyWA LL uses to identify itself when setting up the VPN tunnel.

•Local Policy: IP address and subnet mask of the computers on the network behind your ZyW ALL

that can use the tunnel.

•Remote Policy: IP address and subnet mask of the computers on the network behind the

remote IPSec device that can use the tunnel.

• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based

ZyWALL’s command line interface.

• Click Save to save the VPN rule.

4.3.11 VPN Advanced Wizard - Finish

Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec

VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >

VPN Connection screen.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 57

Figure 40 VPN Wizard: Finish

Click Close to exit the wizard.

4.4 VPN Settings for Configuration Provisioning Wizard:

Wizard Type

Use VPN Setti n gs for Configura tion Provision ing to set up a VPN rule that can be retrieved

with the ZyWALL IPSec VPN Client.

VPN rules for the ZyW A LL IPSec VPN Client have certain restrictions. They must not contain the

following settings:

•AH active protocol

•NULL encryption

•SHA512 authentication

• A subnet or range remote policy

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a

pre-shared key.

Choose Advanced to change the default settings and/or use certificates instead of a pre-shared

key in the V PN r ule.

Figure 41 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type

4.4.1 Configuration Provisioning Express Wizar d - VPN Settings

Click the Express radio button as shown in the previous screen to display the following screen.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 59

Figure 42 VPN for Configuration Provisioning Express Wizard: Settings Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Application Scenario: Only the Remote Access (Server R ole) is allowed in this wizard. It

allows incoming connections from the ZyWALL IPSec VPN Client.

4.4.2 Configuration Provisioning VPN Express Wizard - Configuration

Click Next to continue the wizard.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

Figure 43 VPN for Configuration Provisioning Express Wizard: Configuration

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows

incoming connections from the ZyWALL IPSec VPN Client.

•Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password.

Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”)

characters. Proceed a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload

malformed) packet if the same pre-shared key is not used on both ends.

•Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also

specify a subnet. This must match the remote IP address configured on the remote IPSec device.

•Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this

wizard.

4.4.3 VPN Settings for Configuration Provisioning Express Wizard -

Summary

This screen has a read-only summary of the VPN tunnel’s configuration and commands you can

copy and paste into another ZLD-based ZyWALL’s command line interface to configure it.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 61

Figure 44 VPN for Configuration Provisioning Express Wizard: Save

•Rule Name: Identifies the VPN gateway policy.

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows

incoming connections from the ZyWALL IPSec VPN Client.

•Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1

IKE negotiation.

•Local P olicy : (Static) IP address and subnet mask of the computers on the network behind your

ZyWALL that can be accessed using the tunnel.

•Remote Policy: Any displays in this field because it is not configurable in this wizard.

•The Con figuration for Secure Gateway displays the configur ation that the ZyWALL IPSec VPN

Client will get from the ZyWALL.

4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish

Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec

VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >

VPN Connection screen. Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to

get all these VPN settings automatically from the ZyWALL.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

Figure 45 VPN for Configuration Provisioning Express Wizard: Finish

Click Close to exit the wizard.

4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard -

Scenario

Click the Advanced radio button as shown in the screen shown in Figure 41 on page 58 to displ ay

the following screen.

Figure 46 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 63

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Application Scenario: Only the Remote Access (Server R ole) is allowed in this wizard. It

allows incoming connections from the ZyWALL IPSec VPN Client.

Click Next to continue the wizard.

4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase

1 Settings

There are two phases to every IKE (Internet Ke y E xchange) negotiation – ph ase 1 (Authentication)

and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Figure 47 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows

incoming connections from the ZyWALL IPSec VPN Client.

•My Address (interface): Select an interface from the drop-down list box to use on your

ZyWALL.

•Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more

incoming connections from dynamic IP addresses to use separate passwords.

Note: Multiple S As connecting through a secure gateway mus t have the same negotiation

mode.

•Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the

security (this may affect through put). Both sender and receiver must know the same secret key,

which can be used to encrypt and decrypt the message or to generate and verify a message

authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a

variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

requires more processing power, resulting in increased latency and decreased throughput.

AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses

a 256-bit key.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

•Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are

hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives

higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it

is.

•Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1

(default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit

rand om number.

•SA Life Time: Set how often the Z yWALL renegotiates th e IKE SA. A short SA life time increases

security, but renegotiation tempor arily disconnects the VPN tunnel.

•Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one

of the ZyWALL’s certificates.

4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 48 VPN for Configuration Provisioning Advanced Wizard: Phase 2

•Active Protocol: ESP is compatible with NAT. AH is not available in this wizard.

•Encapsulation: Tunnel is compatible with NAT, Transport is not.

•Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the

security (this may affect throughput). Null uses no encryption.

•Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are

hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives

higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it

is.

•SA Life Time: Set how often the Z yWALL renegotiates th e IKE SA. A short SA life time increases

security, but renegotiation tempor arily disconnects the VPN tunnel.

•Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure.

Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may

affect throughput). DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to

Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a

1536 bit random number (more secure, yet slower).

•Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also

specify a subnet. This must match the remote IP address configured on the remote IPSec device.

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide 65

•Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this

wizard.

•Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this

to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.

4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard -

Summary

This is a read-only summary of the VPN tunnel settings.

Figure 49 VPN for Configuration Provisioning Advanced Wizard: Summary

•Rule Name: Identifies the VPN connection (and the VPN gateway).

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It

allows incoming connections from the ZyWALL IPSec VPN Client.

•Pre-Shared Key: VPN tunnel password.

•Certificate: The certificate the ZyWA LL uses to identify itself when setting up the VPN tunnel.

•Local Policy: IP address and subnet mask of the computers on the network behind your ZyW ALL

that can use the tunnel.

•Remote Policy: Any displays in this field because it is not configurable in this wizard.

•The Con figuration for Secure Gateway displays the configur ation that the ZyWALL IPSec VPN

Client will get from the ZyWALL.

• Click Save to save the VPN rule.

4.4.9 VPN Settings for Configuration Provisioning Advanced Wizar d- Finish

Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec

VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >

Chapter 4 Quick Setup Wizards

ZyWALL 110/310/1100 Series User’s Guide

VPN Connection screen. Enter the IP address of the Z yWALL in the ZyWALL IPSec VPN Client to

get all these VPN settings automatically from the ZyWALL.

Figure 50 VPN for Configuration Provisioning Advanced Wizard: Finish

Click Close to exit the wizard.

ZyWALL 110/310/1100 Series User’s Guide 67

CHAPTER 5

Dashboard

5.1 Overview

Use the Dashboard screens to check status information about the ZyWALL.

5.1.1 What You Can Do in this Chapter

Use the Dashboard screens for the following.

•Use the main Dashboard screen (see Section 5.2 on page 67) to see the ZyWALL’s general

device information, system status, system resource usage, licensed service status, and interface

status. You can also display other status screens for more information.

•Use the VPN status screen (see Section 5.2.4 on page 74) to look at the VPN tunnels that are

currently established.

•Use the DHCP Table screen (see Section 5. 2.5 on page 7 5) to look at the IP addresses currently

assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.

•Use the Current Users screen (see Section 5.2.6 on page 76) to look at a list of the users

currently logged into the ZyWALL.

5.2 The Dashboard Screen

The Dashboard screen displays when you log into the ZyWALL or click Dashboard in the

navigation panel. The dashboard displays general device information, system status, system

resource usage, licensed service status, and interface status in widgets that you can re-arrange to

suit your needs. You can also collapse, refresh, and close individual widgets.

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide

Figure 51 Dashboard

The following table describes the labels in this screen.

Ta ble 14 Dashboard

LABEL DESCRIPTION

Widget Setting

(A) Use this link to open or close widgets by selecting/clearing the associate d checkbox.

Up Arrow (B) Cl ick this to coll apse a widget. It then becomes a down arrow . Click it again to enlarge the

widget again.

Refresh Time

Setting (C) Set the interval for refreshing the information displayed in the widget.

Refresh Now (D) Click this to update the widget’s information immediately.

Close Widget (E) Click this to close the widget. Use Widget Setting to re-open it.

Virtual Device

Rear Panel Click this to view details about the ZyWALL’s rear panel. Hover your cursor over a

connected interface or slot to displ ay status details.

Front Panel Click this to view details abo u t the status of th e ZyWALL’s front panel LEDs and

connections. See Section 3.5 on page 39 for LED descriptions. An unc onnected inte rface or

slot appears grayed out.

The following front and rear panel labels display when you hover your cursor over a

connected interface or slot.

Name This field displays the name of each interface.

Slot This field displays the name of each extension slot.

CDE

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide 69

Device This field displays the name of the device connected to the USB port if one is connected.

Status This field displays the current status of each interface or device installed in a slot. The

possible values depend on what type of interface it is.

Inactive - The Ethernet interface is disabl ed.

Down - The Ethe rnet interface is e nabled but not connected.

Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the

port speed and duplex setting (Full or Half).

For cellular (3G) interfaces, see Section 7.5 on page 132 the Web Help for the status that

can appear.

Zone This field displays the zone to which the interface is currently assigned.

IP Address/

Mask This field displays the current IP address and subnet mask assigned to the interface. If the

interface is a member of an active virtual router, this field displays the IP address it is

currently using. This is either the static IP address of th e interface (if it is the master) or

the management IP address (if it is a back up).

Device

Information This identifies a device installed in one of the ZyWALL’s extension slots or USB ports.

System

Name This field displays the name used to identify the ZyWALL on any network. Click the icon to

open the screen where you can change it.

Model Name This field displays the model name of this ZyWALL.

Serial

Number This field displays the serial number of this ZyWALL. The serial number is used for device

tracking and control.

MAC Address

Range This field displays the MAC addresses used by the ZyWALL. Each physical port has one

MAC address. The first MAC address is assigned to physical port 1, the second MAC

address is assigned to physical port 2, and so on.

Firmware

Version This field displays the version number and date of the firmware the ZyWALL is currently

running. Click the icon to open the screen where you can upload firmware.

System Status

System

Uptime This field displays how long the ZyWALL has been running since it la st restarted or was

turned on.

Current

Date/Time This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd

hh:mm:ss.

VPN Status Click this to look at the VPN tunnels that are currently established. See Section 5.2.1 on

page 72.

DHCP Table Click this to look at the IP addresses currently assigned to the ZyWALL’s DHCP clients and

the IP addresses reserved for speci f ic MAC addresses. See Section 5.2.5 on page 75.

Current Login

User This field displays the user name used to log in to the current session, the amount of

reauthentication time remaining, and the amount of lease time remaining.

Number of

pop-open a list of the users who are currently logged in to the ZyWALL.

Ta ble 14 Dashboard (continue d)

LABEL DESCRIPTION

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide

Boot Status This field displays details about the ZyWALL’s startup state.

OK - The ZyWALL started up successfully.

Firmware update OK - A firmware update was successful.

Problematic configuration after firmware update - The application of the

configuration failed after a firmware upgrade.

System default configuration - The ZyWALL successfully applied the system default

configuration. This occurs when the ZyWALL starts for the first time or you intentionally

reset the ZyWALL to the system default settings.

Fallback to lastgood configuration - The ZyWALL was unable to apply the startup-

config.conf configuration file and fell back to the lastgood.conf configu ration file.

Fallback to system default configuration - The ZyWALL was unable to apply the

lastgood.conf configuration file an d fell back to the system default co nfiguration file

(system-default.conf).

Booting in progress - The ZyWALL is still applying the system configuration.

System

Resources

CPU Usage This field displays what percentage of the ZyW ALL’s processi ng capability is currently being

used. Hover your cursor over this field to display the Show CPU Usage icon that takes

you to a chart of the ZyWALL’s recent CPU usage.

Memory

Usage This field displays what percentage of the ZyWALL’s RAM is currently being used. Hover

your cursor over this field to display the Show Memory Usage icon that takes you to a

chart of the ZyWALL’s recent memory usage.

Flash Usage This field displays what percentage of the ZyWALL’s onboard flash memory is currently

being used.

USB Storage

Usage This field shows how much storage in the USB device connected to the ZyWALL is in use.

Active

Sessions This field shows how many sessions, established and non-established, that pass through/

from/to/within the ZyWALL. Hover your cursor over this field to di splay icons. Click the

Detail icon to go to the Session Monitor screen to se e details about the ac ti ve sessions.

Click the Show Active Sessions icon to display a chart of Z yWA LL’ s recent se ssion usage.

Extension Slot This section of the screen displays the status of the extension card slot the USB ports.

Extension

Slot This field displays the name of each extension slot.

Device This field displays the name of the device connected to the extension slot (or none if no

device is detected).

USB Flash Drive - Indicates a connected USB storage device and the drive’s storage

capacity.

Status For cellular (3G) interfaces, see Section 6.10 on page 96 the Web Help for the status that

can appear.

Ready - A USB storage device connected to the ZyWALL is ready for the ZyWALL to use.

Unused - The ZyWALL is unable to mount a USB storage device connected to the ZyWALL.

Interface Status

Summary If an Ethernet interface does not have any physical ports associated with i t, its entry is

displayed in light gray text. Click the Detail icon to go to a (more detailed) summary

screen of interface statistics.

# This shows how many interfaces there are.

Name This field displays the name of each interface.

Ta ble 14 Dashboard (continue d)

LABEL DESCRIPTION

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide 71

Status This field displays the current stat us of each interface. The possible v alues depend on what

type of interface it is.

For Ethernet interfaces:

Inactive - The Ethernet interface is disabl ed.

Down - The Ethe rnet interface does not have any physical ports associated with it or the

Ethernet interface is enabled but not connected.

Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the

port speed and duplex setting (Full or Half).

For PPP interfaces:

Connected - The PPP interface is connected.

Disconnected - The PPP interface is not connected.

If the PPP interface is disabled, it does not appear in the list.

Zone This field displays the zone to which the interface is currently assigned.

IP Addr/

Netmask This field displays the current IP address and subnet mask assigned to the interface. If the

IP address is 0.0.0.0/0. 0.0.0, the interface is disabled or did not rece ive an IP address and

subnet mask via DHCP.

If this interface is a membe r of an ac ti v e virtual router, this field displa ys t he IP address it

is currently using. This is either the static IP address of the interface (if it is the mas ter) or

the management IP address (if it is a back up).

Action Use this field to get or to update the IP address for the interface.

Click Renew to send a new DHCP request to a DHCP server.

Click the Connect icon to have the ZyWALL try to connect a PPPoE/PPTP interfa ce. If the

interface cannot use one of t hese ways to get or to update its IP address, this field displays

n/a.

Click the Disconnect icon to stop a PPPoE/PPTP connection.

Top 5 Firewall

Rules that

blocked IPv4

(IPv6) Traffic

This section displ ays the most triggered fiv e firewall rules that cau sed the Z yWALL to block

# This is the entry’s rank in the list of the most commonly triggered firewall rules.

Priority This is the position of the triggered firewall rule in the global rule list. The ordering of

firewall rules is important as rules are applied in sequence.

From This shows the zone packets came from that the triggered firewall rule.

To This shows the zone packets went to that the triggered firewall rule.

Description This field displays the descriptive name (if any) of the triggered firewall rule.

Hits This field displays how many times the firewall rule was triggered.

Schedule This field displays the schedule object of the triggered firewall rule.

User This is the user name or user group name of the triggered firewall rule.

IPv4 (IPv6)

Source This displays the source IPv4 (IPv6) address object of the triggered firewall rule.

IPv4 (IPv6)

Destination This displays the destination IPv4 (IPv6) address object of the triggered firewall rule.

Service This displays the service object of the triggered firewall rule.

Access This field displays whether the triggered firewall rul e denied (silently discarded) or rejected

the passage of packets of the triggered firewall rule.

Ta ble 14 Dashboard (continue d)

LABEL DESCRIPTION

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide

5.2.1 The CPU Usage Screen

Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click

CPU Usage in the dashboard.

Figure 52 Dashboard > CPU Usage

The following table describes the labels in this screen.

Logs This field displays whether a log (and alert) was created for the triggered firewall rule.

The Latest Alert

Logs These fields display recent logs generated by the ZyWALL.

# This is the entry’s rank in the list of alert logs.

Time This field displays the date and time the log was created.

Priority This field displays the severity of the log.

Category This field displays the type of log generated.

Message This field displays the actual log message.

Source This field displays the source address (if any) in the packet that generated the log.

Destination This field displays the destination address (if any) in the packet that generated the log.

Protocol This field displays the service protocol in the packet that generated the log.

Note This field displays descriptive information (if any) of the log.

Ta ble 14 Dashboard (continue d)

LABEL DESCRIPTION

Ta ble 15 Dashboard > CPU Usage

LABEL DESCRIPTION

The y-axis represents the percentage of CPU usage.

The x-axis shows the time period over which the CPU usage occurred

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Click this to update the information in the window right away.

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide 73

5.2.2 The Memory Usage Screen

Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this

screen, click Memory Usage in the dashboard.

Figure 53 Dashboard > Memory Usage

The following table describes the labels in this screen.

5.2.3 The Active Sessions Screen

Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this

screen, click Session Usage in the dashboard.

Ta ble 16 Dashboard > Memory Usage

LABEL DESCRIPTION

The y-axis represents the percentage of RAM usage.

The x-axis shows the time period over which the R A M usage occurred

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Click this to update the information in the window right away.

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide

Figure 54 Dashboard > Session Usage

The following table describes the labels in this screen.

5.2.4 The VPN Status Screen

Use this screen to look at the VPN tu nnels that are currently established. To access this screen, click

VPN Status in System Status in the dashboard.

Figure 55 Dashboard > System Status > VPN Status

Ta ble 17 Dashboard > Session Usage

LABEL DESCRIPTION

Sessions The y-axis represents the number of session.

The x-axis shows the time period over which the session usage occurred

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Click this to update the information in the window right away.

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide 75

The following table describes the labels in this screen.

5.2.5 The DHCP Table Screen

Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses

reserved for specific MAC addresses. To access this screen, click DHCP Table in System Status in

the dashboard.

Figure 56 Dashboard > System Status >DHCP Table

The following table describes the labels in this screen.

Ta ble 18 Dashboard > V PN Status

LABEL DESCRIPTION

# This field is a sequential value, and it is not associated with a specific SA.

Name This field displays the name of the IPSec SA.

Encapsulation Th is field displays how the IPS ec SA is encapsulated.

Algorithm This field displays the encryption and authentication algorithms used in the SA.

Refresh Interval Select how often you want this window to be updated automatically.

Refresh Click this to update the information in the window right away.

Ta ble 19 Dashboard > D HCP Table

LABEL DESCRIPTION

# This field is a sequential value, and it is not associated with a specific entry.

Interface This field identifies the interface that assigned an IP address to a DHCP client.

IP Address This field displays the IP address currently assigned to a DHCP client or reserved for a specific

MAC address. Click the column’s heading cell to sort the table entries by IP address. Click the

heading cell again to reverse the sort order.

Host Name This field displays the name used to identify this device on the network (the computer name).

The ZyWALL learns these from the DHCP client requests. “None” shows here for a static DHCP

entry.

MAC Address This field displays the MAC address to which the IP address is currently assigned or for which

the IP address is reserved. Click the column’s heading cell to sort the table entries by MAC

address. Click the headin g cell again to reverse th e sort order.

Description F or a static DHCP entry , the host name or the description you configured shows here. This field

is blank for dynamic DHCP entries.

Reserve If this field is selected, this entry is a static DHCP entry. The IP address is reserved for the MAC

address.

If this field is clear, this entry is a dynamic DHCP entry. The IP address is assigned to a DHCP

client.

To create a static DHCP entry using an existing dynamic DHCP entry, select this field, and then

click Apply.

To remove a static DHCP entry, clear this field, and then click Apply.

Chapter 5 Dashboard

ZyWALL 110/310/1100 Series User’s Guide

5.2.6 The Number of Login Users Screen

Use this screen to look at a list of the users currently logged into the Zy WALL. Users wh o close their

browsers without logging out are still shown as logged in here. To access this screen, click Number

of Login Users in System Status in the dashboard or Monitor > Login User.

Figure 57 Dashboard > System Status > Number of Login Users

The following table describes the labels in this screen.

Ta ble 20 Dashboard > Number of Login Use rs

LABEL DESCRIPTION

# This field is a sequential value and is not associated with any entry.

User ID This field displays the user name of each user who is currently logged in to the ZyWALL.

Reauth Lease T. This field displays the amount of reauthentication time remaining and the amount of lease

time remaining for each user. See Chapter 27 on page 361 for more information.

Type This field displays the way the user logged in to the ZyWALL.

IP address This field displays the IP address of the computer used to log in to the ZyWALL.

User Info This field displays the types of user accounts the ZyW ALL uses. If the user type is ext-user

(external us er), this field will show its external-group information when you move your

mouse over it.

If the external user matches two external-group objects, both external-group object

names will be shown.

Force Logout Click this icon to end a user’s session.

PART II

Technical Reference

ZyWALL 110/310/1100 Series User’s Guide 79

CHAPTER 6

Monitor

6.1 Overview

Use the Monitor screens to check status and statistics information.

6.1.1 What You Can Do in this Chapter

Use the Monitor screens for the following.

•Use the System Status > Port Statistics screen (see Section 6.2 on page 80) to look at packet

statistics for each physical port.

•Use the System Status > Port Statistics > Graph View screen (see Section 6.2 on page 80)

to look at a line graph of packet statistics for each physical port.

•Use the System Status > Interface Status screen (Section 6.3 on page 82) to see all of the

ZyWALL’s interfaces and their packet statistics.

•Use the System Status > Traffic Statistics screen (see Section 6.4 on page 86) to start or

stop data collection and view statistics.

•Use the System Status > Session Monitor screen (see Section 6.5 on page 89) to view

sessions by user or service.

•Use the System Status > DDNS St atus screen (see Section 6.6 on page 91) to view the status

of the ZyWALL’s DDNS domain names.

•Use the System Status > IP/MAC Binding screen (Section 6.7 on page 91) to view a list of

devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.

•Use the System Status > Login Users screen (Section 6.8 on page 92) to look at a list of the

users currently logged into the ZyWALL.

•Use the System Status > Cellular Status screen (Section 6.9 on page 93) to check your 3G

connection status.

•Use the System Status > USB Storage screen (Section 6.10 on page 96) to view information

about a connected USB storage device.

•Use the VPN Monitor > IPSec screen (Section 6.11 on page 97) to display and manage active

IPSec SAs.

•Use the VPN Monitor > SSL screen (see Se ction 6.12 on page 99) to list the users currently

logged into the VPN SSL client portal. You can also log out individual users and delete related

session information.

•Use the VPN Monitor > L2TP over IPSec screen (see Section 6.13 on page 99) to display

and manage the ZyWALL’s connected L2TP VPN sessions.

•Use the Log (Section 6.14 on page 100) screen to view the Z yW ALL’s current log messages. You

can change the way the log is displayed, you can e-mail the log, and you can also clear the log in

this screen.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

6.2 The Port Statistics Screen

Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen,

click Monitor > System Status > Port Statistics.

Figure 58 Monitor > System Status > Port Statistics

The following table describes the labels in this screen.

Ta ble 21 Monitor > System Status > Port Statistics

LABEL DESCRIPTION

Poll Interval Enter how often you want this window to be updated automatically, and click Set

Interval.

Set Interval Click this to set th e Poll Interval the screen uses.

Stop Click th is to stop the wi ndow from updati ng autom atically. You can start it again by sett ing

the Poll Interval and clicking Set Interval .

Switch to

Graphic View Click this to display the port statistics as a line graph.

# This field displays the port’s number in the list.

Port This field displays the physical port number.

Status This field displays the current status of the physical port.

Down - The physical port is not connected.

Speed / Duplex - The physical port is connected. This field displays the port speed and

duplex setting (Full or Half).

TxPkts This field displays the number of packets transmitted from the ZyWALL on the physical

port since it was last connected.

RxPkts This field displays the number of packets received by the ZyWALL on the physical port

since it was last connected.

Collisions This field displays the number of collisions on the phys ical port since it was last connect ed.

Tx B/s This field displays the transmission speed, in bytes per se con d, on th e physical port in the

one-second interval before the screen updated.

Rx B/s This field displays the reception speed, in bytes per second, on the physical port in the

one-second interval before the screen updated.

Up Time This field displays how long the physical port has been connected.

System Up Time This field displays how long the ZyWALL has been runnin g since it last restarted or was

turned on.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 81

6.2.1 The Port Statistics Graph Screen

Use this screen to look at a line graph of packet statistics for each physical port. To access this

screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button.

Figure 59 Monitor > System Status > Port Statistics > Switch to Graphic View

The following table describes the labels in this screen.

Ta ble 22 Monitor > System Status > Port Statistics > Switch to Graphic View

LABEL DESCRIPTION

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Now Click this to update the information in the window right away.

Port Selection Select the number of the physical port for which you want to display graphics.

Switch to Grid

View Click this to display the port statistics as a table.

bps The y-axis represents the speed of transmission or reception.

time The x-axis shows the time period over which the transmis sion or reception occurred

TX This line represents traffic transmitted from the ZyWALL on the physical port since it was

last connected.

RX This line re presents the tr affic received by the ZyW ALL on the ph ysical port since it w as last

connected.

Last Update This field displays the date and time the information in the window was last updated.

System Up Time This field displays how long the ZyWALL has been runnin g since it last restarted or was

turned on.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

6.3 Interface Status Screen

This screen lists all of the ZyW ALL’s interfaces and gives packet statistics for them. Click Monitor >

System Status > Interface Status to access this screen.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 83

Figure 60 Monitor > System Status > Interface Status

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

Each field is described in the following table.

Ta ble 23 Monitor > System Status > Interface Status

LABEL DESCRIPTION

Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is

displayed in light gray text.

Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the

Ethernet interfaces.

Name This field displays the name of each interface. If there is an Expand icon (plus-sign) next

to the name, click this to look at the status of virtual interfaces on top of this interface.

Port This field displays the physical port number.

Status This field displays the current status of each interface. The possible values depend on what

type of interface it is.

For Ethernet interfaces:

Inactive - The Ethernet interface is disabl ed.

Down - The Ethe rnet interface is e nabled but not connected.

Speed / Du plex - The Ethernet interface is enabled and connected. This field displays the

port speed and duplex setting (Full or Half).

For cellular (3G) interfaces, see Section 6.10 on page 96 the Web Help for the status that

can appear.

For virtual interfaces, this field always displays Up. If the virtual interface is disabled, it

does not appear in the list.

For VLAN and bridge interfaces, this field alwa ys displays Up. If the VLAN or bridge

interface is disabled, it does not appear in the list.

For PPP interfaces:

Connected - The PPP interface is connected.

Disconnected - The PPP interface is not connected.

If the PPP interface is disabled, it does not appear in the list.

Zone This field displays the zone to which the interface is assigned.

IP Addr/Netmask This field displays the current IP address and subnet mask assign ed to the interfac e. If the

IP address and subnet mask are 0.0.0.0, the interface is disabled or did not receive an IP

address and subnet mask via DHCP.

If this interface is a member of an active virtual router, this field displays the IP address it

is currently using. This is either the static IP address of the interface (if it is the master) or

the management IP address (if it is a back up).

IP Assignment This field displays how the interface gets its IP address.

Static - This interface has a static IP address.

DHCP Client - This interface gets its IP address from a DHCP server.

Services This field lists which services the interface provides to the network. Examples include

DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface

does not provide any services to the network.

Action Use this field to get or to update the IP address for the interface. Click Renew to send a

new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP

interface. If the interface cannot use one of these ways to get or to update its IP address,

this field displays n/a.

Tunnel Interface

Status This displays the details of the ZyWALL’s configured tunnel interfaces.

Name This field displays the name of the interface.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 85

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is

inactive.

Zone This field displays the zone to which the interface is assigned.

IP Address This is the IP address of the interface. If the interface is active (and connected), the

ZyWALL tunnels local traffic sent to this IP address to the Remote Gateway Address.

My Address This is the interface or IP address uses to identify itself to the remote gateway. The

ZyWALL uses this as the source for the packets it tunnels to the remote gateway.

Remote Gateway

Address This is the IP address or domain name of the remote gateway to which this inte rface

tunnels traffic.

Mode This field displays the tunnel mode that you are using.

Action This field lis ts whic h servic es t he interface pro vides to the network. This field displays n/a

if the interface does not provide any services to the network.

IPv6 Interface

Status This section displays the status of the IPv6 interface. If an Ethernet interface does not

have any physical ports associated with it, its entry is displayed in light gray text.

Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the

Ethernet interfaces.

Name This field displays the name of each interface. If there is an Expand icon (plus-sign) next

to the name, click this to look at the status of virtual interfaces on top of this interface.

Port This field displays the physical port number.

Status This field displays the current status of each interface. The possible values depend on what

type of interface it is.

For Ethernet interfaces:

Inactive - The Ethernet interface is disabl ed.

Down - The Ethe rnet interface is e nabled but not connected.

Speed / Du plex - The Ethernet interface is enabled and connected. This field displays the

port speed and duplex setting (Full or Half).

For cellular (3G) interfaces, see Section 6.9 on page 93 the Web Help for the status that

can appear.

For virtual interfaces, this field always displays Up. If the virtual interface is disabled, it

does not appear in the list.

For VLAN and bridge interfaces, this field alwa ys displays Up. If the VLAN or bridge

interface is disabled, it does not appear in the list.

For PPP interfaces:

Connected - The PPP interface is connected.

Disconnected - The PPP interface is not connected.

If the PPP interface is disabled, it does not appear in the list.

HA Status This field displays the status of the interface in the virtual router.

Active - This interface is the master interface in the virtual router.

Stand-By - This interface is a backup interface in the virtual router.

Fault - This VRRP group is not functioning in the virtual router right now. For example, this

might happen if the interface is down.

n/a - Device HA is not active on the interface.

Zone This field displays the zone to which the interface is assigned.

Ta ble 23 Monitor > System Status > Interface Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

6.4 The Traffic Statistics Screen

Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This

screen provides basic information about the following for example:

• Most-visited Web sites and the number of times each one was visited. This count may not be

accurate in some cases because the ZyWALL counts HTTP GET packets. Please see Table 24 on

page 87 for more information.

• Most-used protocols or service ports and the amount of traffic on each one

IP Address This field displays the current IPv6 address assigned to the interface. If the IPv6 address is

not displayed, the interface is disabled or did not receive an IPv6 address via DHCP.

If this interface is a member of an active virtual router, this field displays the IP address it

is currently using. This is either the static IP address of the interface (if it is the master) or

the management IP address (if it is a back up).

IP Assignment This field displays how the interface gets its IP address.

Static - This interface has a static IP address.

DHCP Client - This interface gets its IP address from a DHCP server.

Services This field lists which services the interface provides to the network. Examples include

DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface

does not provide any services to the network.

Action Use this field to get or to update the IP address for the interface. Click Renew to send a

new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP

interface. If the interface cannot use one of these ways to get or to update its IP address,

this field displays n/a.

Interface

Statistics This table provides packet statistics for each interface.

Refresh Click this button to update the information in the screen.

Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the

Ethernet interfaces.

Name This field displays the name of each interface. If there is a Expand icon (plus-sign) next to

the name, click this to look at the statistics for virtual interfaces on top of this interface.

Status This field displays the current status of the interface.

Down - The interface is not connected.

Speed / Duplex - The interface is connected. This field displays the port speed and

duplex setting (Full or Half).

This field displays Connected and the accumulated connection time (hh:mm:ss) when the

PPP interface is connected.

TxPkts This field displays the number of packets transmitted from the ZyWALL on the interface

since it was last connected.

RxPkts This field displays the number of packets received by the ZyWALL on the interface since it

was last connected.

Tx B/s This field dis play s the tr ansm ission speed, in bytes per second, on the interface in the one-

second interval before the screen updated.

Rx B/s This field displays the reception speed, in bytes per second, on the interface in the one-

second interval before the screen updated.

Ta ble 23 Monitor > System Status > Interface Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 87

• LAN IP with heaviest traffic and how much traffic has been sent to and from each one

You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting

information for these reports. You cannot schedule data collection; you have to start and stop it

manually in the Traffic Statistics screen.

Figure 61 Monitor > System Status > Traffic Statistics

There is a limit on the number of records shown in the report. Please see Table 25 on page 89 for

more information. The following table describes the labels in this screen.

Ta ble 24 Monitor > System Status > Traffic Statistics

LABEL DESCRIPTION

Data Collection

Collect Statistics Select this to have the ZyW ALL collect data for the report. If the ZyW ALL has already been

collecting data, the collection period displays to the right. The progress is not tracked here

real-time, but you can click the Refresh butt o n to update it.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Statistics

Interface Select the interface from which to collect information. You c a n collect information from

Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

Traffic Type Select the type of report to display. Choices are:

Host IP Address/User - display s the IP addresse s or users with the most tr affic and how

much traffic has been sent to and from each one.

Service/Port - displays the most-used protocols or service ports and the amount of

traffic for each one.

Web Site Hits - displays the most-visited Web sites an d ho w many times each one has

been visited.

Each type of report has different information in the report (below).

Refresh Click this button to update the report display.

Flush Data Click this butto n to discard all of the screen’s statistics and update the report display.

These fields are available when the Traffic Type is Host IP Address/User.

# This field is the rank of each record. The IP addresses and users are sorted by the amount

of traffic.

IP Address/User This field displays the IP address or user in this record. The maximum number of IP

addresses or users in this report is indicated in Table 25 on page 89.

Direction This field indicates whet her the IP address or user is sending or receiving traffic.

Ingress- traffic is coming from the IP address or user to the ZyWALL.

Egress - traffic is going from the ZyWALL to the IP address or user.

Amount This field displays how much traffic was sent or received from the indicated IP address or

user. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a

blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes or Gbytes, depending

on the amount of traffic for the particular IP address or user. The count starts over at zero

if the number of bytes passes the byte count limit. See Table 25 on page 89.

These fields are available when the Traffic Type is Service/Port.

# This field is the rank of each record. The protocols and service ports are sorted by the

amount of traffic.

Service/Port This field displays the service and port in this record. The maximum number of services

and service ports in this report is indicated in Table 25 on page 89.

Protocol This field indicates what protocol the service was using.

Direction This field indicates whet her the indicated protocol or service port is sending or receiving

traffic.

Ingress - traffic is coming into the router through the interface

Egress - traffic is going out from the router through the interface

Amount This field displa ys how muc h tr affi c w as sent or received from the indicated service / port.

If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar

is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending

on the amount of traffic for the part icular protocol or service port. The count starts ov er at

zero if the number of bytes passes the byte count limit. See Table 25 on page 89.

These fields are available when the Traffic Type is Web Site Hits.

# This field is the rank of each record. The domain names are sorted by the number of hits.

Web Site This field displays the domain names most often visit ed. The ZyWALL counts each page

viewed on a Web site as another hit. The maximum number of domain names in this report

is indicated in Ta ble 25 on page 89.

Hits This field displays how many hits the Web site received. The ZyWALL counts hits by

counting HTTP GET packets. Many W eb sites have HT TP GET references to other W eb sites,

and the ZyWALL counts these as hits too. The count starts over at zero if the number of

hits passes the hit count limit. See Table 25 on page 89.

Ta ble 24 Monitor > System Status > Traffic Statistics (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 89

The following table displays the maximum number of records shown in the report, the byte count

limit, and the hit count limit.

6.5 The Session Monitor Screen

The Session Monitor screen displays all established sessions that pass through the ZyWALL for

debugging or statistical analysis. It is not possible to manage sessions in this screen. The following

information is displayed.

• User who started the session

• Protocol or service port used

• Source address

• Destination address

• Number of bytes received (so far)

• Number of bytes transmitted (so far)

• Duration (so far)

You can look at all established sessions that passed through the Z yW ALL by user, service, source IP

address, or destination IP address. You can also filter the information by user, protocol / service or

service group, source address, and/or destination address and view it by user.

Click Monitor > System Status > Session Monitor to display the following screen.

Figure 62 Monitor > System Status > Session Monitor

Ta ble 25 Maximum Values for Reports

LABEL DESCRIPTION

Maximum Number of Records 20

Byte Count Limit 264 bytes; this is just less than 17 million terabytes.

Hit Count Limit 264 hits; this is over 1.8 x 1019 hits.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

The following table describes the labels in this screen.

Ta ble 26 Monitor > System Status > Session Monitor

LABEL DESCRIPTION

View Select how you want the established sessions that passed through the ZyWALL to be

displayed. Choices are:

sessions by users - display all active sessions grouped by user

sessions by services - display all active sessions grouped by service or protocol

sessions by source IP - display all active sessions grouped by source IP address

sessions by destination IP - display all active sessions grouped by destination IP

address

all sessions - filter the active sessions by the User, Service, Source Address, and

Destination Address, and display each session individually (sorted by user).

Refresh Click this button to update the information on the screen. The screen also refreshes

automatically when you open and close the screen.

The User, Service, Source Address, and Destination Address fields display if you view

all sessions. Select your desired filter criteria and click the Search button to filter the list

of sessions.

User This field displays when View is set to all sessions. Type the user whose sessions you

want to view. It is not possible to type part of the user name or use wildcards in this field;

you must enter the whole user name.

Service This field displays when View is set to all sessions. Select the service or service group

whose sessions you want to view. The Zy WALL identifies the service by comparing the

protocol and destination port of each packet to the protocol an d port of each services that

is defined. (See Chapter 29 on page 380 for more information about services.)

Source This field displays when View is set to all sessions. Type the source IP address whose

sessions you want to view. You cannot include the source port.

Destination This field di splays when View is set to all sessions. Type the destination IP address

whose sessions you want to view. You cannot include the destination port.

Search This button displays when View is set to all sessions. Click this button to update the

information on the screen using the filter criteria in the User, Service, Source Address,

and Destination Address fields.

User This field displays the user in each active session.

If you are looking at the sessions by users (or all sessions) report, click + or - to

display or hide details about a user’s sessions.

Service This field displays the protocol used in each active se ssion.

If you are looking at the sessions by services report, click + or - to display or hide

details about a protocol’s sessions.

Source This field di splays the source IP address and port in each active session.

If you are looking at the sessions by source IP report, click + or - to display or hide

details about a source IP address’s sessions.

Destination This field displays the destination IP address and port in each active session.

If you are looking at the sessions by destination IP report, click + or - to display or

hide details about a desti nation IP address’s sessions.

Rx This field displays the amount of information received by the source in the active session.

Tx This field displays the amount of information transmitted by the source in the active

session.

Duration This fie ld displays the length of the active session in seconds.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 91

6.6 The DDNS Status Screen

The DDNS Status screen shows the status of the ZyW ALL’ s DDNS domain names. Click Monitor >

System Status > DDNS Status to open the following screen.

Figure 63 Monitor > System Status > DDNS Status

The following table describes the labels in this screen.

6.7 IP/MAC Binding Monitor

Click Monitor > Sy st em St atus > IP/MAC Binding to open the IP/MAC Binding Monitor

screen. This screen lists the devices that have received an IP address from Z yWALL interfaces with

IP/MAC binding enabled and have ever established a session with the ZyWALL. Devices that have

never established a session with the ZyWALL do not display in the list.

Figure 64 Monitor > System Status > IP/MAC Binding

Ta ble 27 Monitor > System Status > DDNS Status

LABEL DESCRIPTION

Update Click this to have the ZyWALL update the profile to the DDN S server. The ZyWALL

attempts to resolve the IP address for the domain name.

Profile Name This field displays the descriptive profile name for this entry.

Domain Name This field displays each domain name the ZyWALL can route.

Effective IP This is the (resolved) IP address of the domain name.

Last Update Status This shows whether the last attempt to resolve the IP address for the domain name

was successful or not. Updating means the ZyWALL is currently attempting to

resolve the IP address for the domain name.

Last Update Time This shows when the last attempt to resolve the IP address for the domain name

occurred (in year-month-day hour:minute:second format).

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

The following table describes the labels in this screen.

6.8 The Login Users Screen

Use this screen to look at a list of the users currently logged into the ZyW ALL. To access this screen,

click Monitor > System St atus > Login Users.

Figure 65 Monitor > System Status > Login Users

The following table describes the labels in this screen.

Ta ble 28 Monitor > System Status > IP/MAC Binding

LABEL DESCRIPTION

Interface Select a ZyW ALL interface that has IP/MAC binding enabled to show to which devices

it has assigned an IP address.

#This is the index number of an IP/MAC binding entry.

IP Address This is the IP address that the ZyWALL assigned to a device.

Host Name This field displays the name used to identify this device on the network (the computer

name). The ZyWALL learns these from the DHCP client requests.

MAC Address This field displays the MAC address to which the IP address is currently assigned.

Last Access This is when the device last established a session with the ZyWALL through this

interface.

Refresh Click this button to update the information in the screen.

Ta ble 29 Monitor > System Status > Login Users

LABEL DESCRIPTION

# This field is a sequential value and is not associated with any entry.

User ID This field displays the user name of each user who is currently logged in to the

ZyWALL.

Reauth Lease T. This field displays the amount of reauthentication time remaining and the amount of

lease time remaining for each user. See Chapter 27 on page 361.

Type This field displays the way the user logged in to the ZyWALL.

IP Address This field displays the IP address of the computer used to log in to the ZyWALL.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 93

6.9 Cellular Status Screen

This screen displays your 3G connection status. Click Monitor > System Status > Cellular

Status to display this screen.

Figure 66 Monitor > System Status > Cellular Status

The following table describes the labels in this screen.

User Info This field displays the types of user accounts the ZyWALL uses. If the user type is

ext-user (external user), this field will show its external-group information when y ou

move your mouse over it.

If the external user matches two external-group objects, both external-group object

names will be sh own.

Force Logout Select a user ID and click this icon to end a user’s session.

Refresh Click thi s button to update the information in the screen.

Ta ble 29 Monitor > System Status > Login Users (continued)

LABEL DESCRIPTION

Ta ble 30 Monitor > System Status > Cellular Status

LABEL DESCRIPTION

Refresh Click this button to update the information in the screen.

More Information Click this to display more information on your 3G, such as the signal strength,

IMEA/ESN and IMSI. This is only available when the 3G device attached and

activated on your ZyWALL. Refer to Section 6.9.1 on page 95.

# This field is a sequential value, and it is not associated with any interface.

Extension Slot This field displays where the entry’s cellular card is located.

Connected Device This field displays the model name of the cellular card.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

Status No device - no 3G device is connected to the ZyWALL.

No Service - no 3G network is available in the area; you cannot connect to the

Internet.

Limited Service - returned by the service provid er in cases where the SIM card is

expired, the user failed to pay for the service and so on; you cannot connect to the

Internet.

Device detected - displays when you connect a 3G device.

Device error - a 3G device is connected but there is an error.

Probe device fail - the ZyWALL’s test of the 3G device failed.

Probe device ok - the ZyWALL’s test of the 3G device succeeded.

Init device fail - the ZyWALL was not able to initialize the 3G device.

Init device ok - the ZyWALL initialized the 3G card.

Check lock fa il - the ZyWALL’s check of whether or not the 3G device is locked

failed.

Device locked - the 3G device is locked.

SIM error - there is a SIM card error on the 3G device.

SIM locked-PUK - the PUK is locked on the 3G device’s SIM card.

SIM locked-PIN - the PIN is locked on the 3G device’s SIM card.

Unlock PUK fail - Your attempt to unlock a WCDMA 3G device’s PUK failed

because you entered an incorrect PUK.

Unlock PIN fail - Your attempt to unlock a WCDMA 3G device’s PIN failed

because you entered an incorrect PIN.

Unlock device fail - Your attempt to unlock a CDMA2000 3G device failed

because you entered an incorrect device code.

Device unlocked - You entered the correct device code and unlocked a

CDMA2000 3G device.

Get dev-info fail - The ZyWALL cannot get cellular device information.

Get dev-info ok - The ZyWALL succeeded in retrieving 3G device information.

Searching network - The 3G device is searching for a network.

Get signal fail - The 3G device cannot get a signal from a network.

Network found - The 3G device found a network.

Apply conf ig - The ZyWALL is applying your configuration to the 3G device.

Inactive - The 3G interface is disabled.

Active - The 3G interface is enabled.

Incorrect device - The connected 3 G device is not compatible with the ZyWALL.

Correct device - The ZyWALL detected a compatible 3G device.

Set band fail - Applying your band selection was not successful.

Set band ok - The ZyWALL successfully applied your band selection.

Set profile fail - Applying your ISP settings was not successful.

Set profile ok - The ZyWALL successfully applied your ISP settings.

PPP fail - The ZyWALL failed to create a PPP connection for the cellular interface.

Need auth-password - You need to enter the password for the 3G card in the

cellular edit screen.

Device re ady - The ZyWALL succes sfully applied al l of your configur ation and y ou

can use the 3G connection.

Service Provider This displays the name of your network ser vice provider. This shows Limited

Service if the service provider has stopped service to the 3G SIM card. For

example if the bill has not been paid or the account has expired.

Cellular System This field displays what type of cellular network the 3G connection is using. The

network type varies depending on the 3G card you inserted and could be UMTS,

UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO

Rev.0 or EVDO Rev.A when you insert a CDMA 3G card.

Signal Quality This displays the strength of the signal. The signal strength mainly depends on the

antenna output power and the distance between your ZyWALL and the service

provider’s base station.

Ta ble 30 Monitor > System Status > Cellular Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 95

6.9.1 More Information

This screen displays more information on your 3G, such as the signal strength, IMEA/ESN and IMSI

that helps identify your 3G device and SIM card. Click Monitor > System Status > More

Information to display this screen.

Note: This screen is only available when the 3G devi ce is attached to and activated on t he

ZyWALL.

Figure 67 Monitor > System Status > More Information

The following table describes the labels in this screen.

Ta ble 31 Monitor > System Status > More Information

LABEL DESCRIPTION

Extension Slot This field displays where the entry’s cellular card is locate d.

Service Provider This displays the name of your network service provider. This shows Limited

Service if the service provider has stopped service to the 3G SIM card. For example

if the bill has not been paid or the account has expired.

Cellular System This field displays what type of cel l u l ar network the 3G connecti o n is usin g . Th e

network type varies depending on the 3G card you inserted and could be UMTS,

UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO

Rev.0 or EVDO Rev.A when you insert a CDMA 3G card.

Signal Strength This is the Signal Quality measured in dBm.

Signal Quality This displays the strength of the signal. The signal strength mainly depends on the

antenna output power and the distance between your ZyWALL and the service

provider’s base station.

Device Manufacturer This shows the name of the company that produced the 3G device .

Device Model This field di splays the model name of the cell ular card.

Device Firmware This shows the software version of the 3G device.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

6.10 USB Storage Screen

This screen displays information about a connected USB storage device. Click Monitor > System

Status > USB Storage to display this screen.

Figure 68 Monitor > System Status > USB Storage

The following table describes the labels in this screen.

Device IMEI/ESN IMEI (International Mobile Equ ipm ent Identity) is a 15-digit code in decimal format

that identifies the 3G device.

ESN (Electronic Serial Number) is an 8-digit code in hexadecimal format that

identifies the 3G device.

SIM Card IMSI IMSI (International Mobile Subscriber Identity) is a 15-digit code that identifies the

SIM card.

Ta ble 31 Monitor > System Status > More Information (continued)

LABEL DESCRIPTION

Ta ble 32 Monitor > System Status > USB Storage

LABEL DESCRIPTION

Device description This is a basic description of the type of USB devi ce.

Usage This field displays how much of the USB storage device’ s capacity is currently being

used out of its total capacity and what percentage that makes.

Filesystem This field displays what file system the USB storage device is formatted with. This

field displays Unknown if the file system of the USB storage device is not

supported by the ZyWALL, such as NTFS.

Speed This field displays the connection speed the USB storage device supports.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 97

6.11 The IPSec Monitor Screen

You can use the IPSec Monitor screen to display and to manage active IPSec To access this

screen, click Monitor > VPN Monitor > IPSec. The following screen appears. SAs. Click a

column’ s heading cell to sort the table entries by that column’ s criteria. Click the heading cell again

to reverse the sort order.

Figure 69 Monitor > VPN Monitor > IPSec

Status Ready - you can have the ZyWALL use the U S B storage device.

Click Remove Now to stop the ZyWALL from using the USB st or age device so y o u

can remove it.

Unused - the connected USB storage device was manually unmounted by using

the Remove Now button or for some reason the ZyWALL cannot mo unt it.

Click Use It to have the ZyWALL mount a connect ed USB storage device. This

button is grayed out if the file system is not supported (unknown) by the ZyWALL.

none - no USB storage device is connected.

Detail This field displays any other information the ZyWALL retrieves from the USB

storage device.

Deactivated - the use of a USB storage device is disabled (turned off) on the

ZyWALL.

OutofSpace - the available disk space is less than the disk space full threshold

(see Section 37.2 on page 433 for how to configure this threshold).

Mounting - the ZyWALL is mounting th e USB storage device.

Removing - the ZyWALL is unmounting the USB storage device.

none - the USB dev ice is operating normally or not connected.

Ta ble 32 Monitor > System Status > USB Storage (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

Each field is described in the following table.

6.11.1 Regular Expressions in Searching IPSec SAs

A question mark (?) lets a single character in the VPN connection or policy name v ary. For example,

use “a?c” (without the quotation marks) to specify abc, acc and so on.

Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use

“*abc” (without the quotation marks) to specify any VPN connection or policy name that ends with

“abc”. A VPN connection named “testabc” would match. There could be any number (of any type) of

characters in front of the “abc” at the end and the VPN connection or policy name would still match.

A VPN connection or policy name named “testacc” for example would not match.

A * in the middle of a VPN connection or policy name has the Z yW ALL check the beginning and end

and ignore the middle. For example, with “abc*123”, any VPN connection or policy name starting

with “abc” and ending in “123” matches, no matter how many characters are in between.

Ta ble 33 Monitor > VPN Monitor > IPSec

LABEL DESCRIPTION

Name Enter the name of a IPSe c SA here and clic k Search to find it (if it is associ ated).

You can use a keyword or regular expression. Use up to 30 alphanumeric and

_+-.()!$*^:?|{}[]<>/ characters. See Section 6.11.1 on page 98 for more

details.

Policy Enter the IP address(es) or names of the local and remote policies for an IPSec

SA and click Search to find it. You can use a keyword or regular expression. Use

up to 30 alphanumeric and _+-.()!$*^:?|{}[] <>/ characters. See Section

6.11.1 on page 98 for more details.

Search Click this button to search for an IPSec SA that matches the i nformation you

specified above.

Disconnect Select an IPSec SA and c lick this button to disconnect it.

Total Connection This field displays the total number of associated IPSec SAs.

connection per page Select how many entries you want to display on each page.

Page x of x This is the number of the page of entries currently displayed and the total

number of pages of entries. Type a page number to go to or use the arrows to

navigate the pages of entries.

# This field is a sequential value, and it is not associated with a specific SA.

Name This field displays the name of the IPSec SA.

Encapsulation This field displays how the IPSec SA is encapsulated.

Policy This field displays the content of the local and remot e policies for this IPSec SA.

The IP addresses, not the address objects, are displayed.

Algorithm This field displays the encryption and authentication algorithms used in the SA.

Up Time This field displays how many seconds the IPSec SA has been active. This field

displays N/A if the IPSec SA uses manual keys.

Timeout This field displays how many seconds remain in the SA life time, before the

ZyWALL automatically disconnects the IPSec SA. This field displays N/A if the

IPSec SA uses manual keys.

Inbound (Bytes) This field displays the amount of traffic that has gone through the IPSec SA from

the remote IPSec router to the ZyWALL since the IPSec SA was established.

Outbound (Bytes) This field displays the amount of traffic that has gone through the IPSec SA from

the ZyWALL to the remo te IPSec router since the IPSec SA was esta blished.

Refresh Click Refresh to update the information in the display.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 99

The whole VPN connection or policy name has to match if you do not use a question mark or

asterisk.

6.12 The SSL Connection Monitor Screen

The ZyWALL keeps track of the users who are currently logged into the VPN SSL client Click

Monitor > VPN Monitor > SSL to display the user list.

portal. Use this screen to do the following:

• View a list of active SSL VPN connections.

• Log out individual users and delete related session information.

Once a user logs out, the corresponding entry is removed from the Connection Monitor screen.

Figure 70 Monitor > VPN Monitor > SSL

The following table describes the labels in this screen.

6.13 The L2TP over IPSec Session Monitor Screen

Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen

to display and manage the ZyWALL’s connec ted L2TP VPN sessions.

Ta ble 34 Monitor > VPN Monitor > SSL

LABEL DESCRIPTION

Disconnect Select a connection and click this button to terminate the user’s connection and

delete corresponding session information from the ZyWALL.

# This field displays the index number.

User This field displays the account user name used to establish this SSL VPN connection.

Access This field displays the name of the SSL VPN application the user is accessing.

Connected Time This field displays the time this connection was established.

Inbound (Bytes) This field displays the number of bytes received by the ZyWALL on this connection.

Outbound (Bytes) This field displays the number of bytes transmitted by the ZyWALL on this

connection.

Refresh Click Refresh to update this screen.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

100

Figure 71 Monitor > VPN Monitor > L2TP over IPSec

The following table describes the fields in this screen.

6.14 Log Screen

Log messages are stored in two separate logs, one for regular log messages and one for debugging

messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can

select a specific category of log messages (for example, firewall or user). You can also look at the

debugging log by selecting Debug Log. All debugging messages have the same priority.

To access this screen, click Monitor > Log. The log is displayed in the following screen.

Note: When a log reaches the maximum number of log messages, new log messages

automatically overwrite existing log messages, starting with the oldest existing log

message first.

• The maximum possible number of log messages in the ZyW AL L varies by model.

Events that generate an alert (as well as a log message) display in red. Re gular logs display in

black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the

heading cell again to reverse the sort order.

Ta ble 35 Monitor > VPN Monitor > L2TP over IPSec

LABEL DESCRIPTION

Disconnect Select a co nnection and click this button to disconnect i t.

# This is the index number of a current L2TP VPN session.

User Name This field displays the remote user’s user name.

Hostname This field displays the name of the computer that has this L2TP VPN connection

with the ZyWALL.

Assigned IP This field displays the IP address that the ZyWALL assigned for the remote user’s

computer to use within the L2TP VPN tunnel.

Public IP This field displays the public IP address that the remote user is using to conn ect to

the Internet.

Refresh Click Refresh to update this screen.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide 101

Figure 72 Monitor > Log

The following table describes the labels in this screen.

Ta ble 36 Monitor > Log

LABEL DESCRIPTION

Show Filt er / Hide Filter Click this button to show or hide the filter settings.

If the filter settings are hidden, the Display, Email Log Now , Refresh, and Clear

Log fields are available.

If the filter settings are shown, the Display, Priority, Source Address,

Destination Address, Service, Keyword, and Search fields are available.

Display Select the category of log message(s) you want to view . You can also view All Logs

at one time, or you can view the Debug Log.

Priority This displays when you show the filter. Select the priority of log messages to

display. The log displays the log messages with this pri o rity or higher. Choices are:

any, emerg, alert, crit, error, warn, notice, and info, from highest priority to

lowest priority. This field is read-only if the Category is Debug Log.

Source Address This displays when you show the fi lter. Type the source IP address of the incoming

packet that generated the log message. Do not include the port in this filter.

Destination Address This displays when you show the filter. Type the IP address of the destination of the

incoming packet when the log message was generated. Do not include the port in

this filter.

Source Interface This displays when you show the filter. Select the source interface of the packet that

generated the log message.

Destination Interface This displays when you show the filter. Select the destination inte rface of the packet

that generated the log message.

Service This displays when you show the filt er. Select the service whose log messages you

would like to see. The Web Configurator uses the protocol and destination port

number(s) of the servi ce to select which log messages you see.

Keyword This displays when you show the filter. Type a keyword to look for in the Message,

Source, Destination and Note fields. If a match is found in any field, the log

message is displayed. You can use up to 63 alphanumeric characters and the

underscore, as well as punctuation marks ()’ ,:;?! +-*/= #$% @ ; the period,

double quotes, and brackets are not allowed.

Protocol This displays when you show the filter. Select a service protocol whose log

messages you would like to see.

Search This displays when you show the filter. Click this button to update the log using the

current filter settings.

Chapter 6 Monitor

ZyWALL 110/310/1100 Series User’s Guide

102

The Web Configurator saves the filter settings if you leave the View Log screen and return to it

later.

Email Log Now Clic k this button to se nd lo g message( s) t o th e Active e-mail address(es) specified

in the Send Log To field on the Log Settings page (see Section 38.3.2 on page

478).

Clear Log Click this button to clear the whole log, regardless of what is currently displayed on

the screen.

#This field is a sequential value, and it is not associated with a specific log messag e.

Time This field displays the time the log message was recorded.

Priority This field displays the priority of the log message. It has the same range of values

as the Priority field above.

Category This field displays the log that generated the log mess age. It is the same v alue used

in the Display and (other) Category fields.

Message This field displa ys the reason the log message was generated. The text “[count=x]”,

where x is a number, appears at the end of the Message field if log consolidation is

turned on (see Log Consolidation in Table 196 on page 479). and multiple entries

were aggregated to generate into this one.

Source This field displays the source IP address and the port number in the event that

generated the log message.

Destination This field displays the destination IP address and the port number of the event that

generated the log message.

Note This field displays any additional information about the log message.

Ta ble 36 Monitor > Log (continued)

LABEL DESCRIPTION

ZyWALL 110/310/1100 Series User’s Guide 103

CHAPTER 7

Interfaces

7.1 Interface Overview

Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on

top of other interfaces.

•Ports are the physical ports to which you connect cables.

•Interfaces are used within the system operationally. You use them in configuring various

features. An interface also describes a network that is directly connected to the ZyWALL. For

example, You connect the LAN network to the LAN interface.

•Zones are groups of interfaces used to ease security policy configurati on.

7.1.1 What You Can Do in this Chapter

•Use the Port Role screen (Section 7.2 on page 108) to create port groups and to assign ph ysical

ports and port groups to Ethernet interfaces.

•Use the Ethernet screens (Section 7.3 on page 109) to configure the Ethernet interfaces.

Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and

OSPF are also configured in these interfaces.

•Use the PPP screens (Section 7.4 on page 125) for PPPoE or PPTP Internet connections.

•Use the Cellular screens (Section 7.5 on page 132) to configure settings for interfaces for

Internet connections through an installed 3G card.

•Use the Tunnel screens (Section 7.6 on page 14 0) to configure tunnel interfaces to be used in

Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels.

•Use the VLAN screens (Section 7.7 on page 147) to divide the physical network into multiple

logical networks. VLAN interfaces receive and send tagged frames. The ZyWALL automatically

adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet

interface.

•Use the Bridge screens (Section 7.8 on page 159) to combine two or more network segments

into a single network.

•Use the Virtual Interface screen (Section 7.9.1 on page 171) to create virtual interfaces on top

of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet

interfaces, virtual VLAN interfaces, and virtual bridge interfaces.

•Use the Trunk screens (Chapter 8 on page 176) to configure load balancing.

7.1.2 What You Need to Know

Interface Characteristics

Interfaces generally have the following characteristics (although not all characteristics apply to each

type of interface ).

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

104

• An interface is a logical entity through which (layer-3) packets pass.

• An interface is bound to a physical port or another interface.

• Many interfaces can share the same physical port.

• An interface belongs to at most one zone.

• Many interfaces can belong to the same zone.

• Layer-3 virtualization (IP alias, for example) is a kind of interface.

Types of Interfaces

You can create several types of interfaces in the ZyWALL.

• Setting interfaces to the same port role forms a port group. Port groups create a hardware

connection between ph ysical ports at the layer-2 (data link, MAC address) level. Port groups are

created when you use the Interface > Port Roles screen to set multiple physical ports to be

part of the same interface.

•Ethernet interfaces are the foundation for defining other interfaces and network po licies . RIP

and OSPF are also configured in these interfaces.

•Tunnel interfaces send IPv4 or IPv6 packets from one network to a specific network through

the Internet or a public network.

•VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes

the tags as needed. Each VLAN can only be associated with one Ethernet interface.

•Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the

layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage

of some security features in the Zy WALL. You can also assign an IP address and subnet mask to

the bridge.

•PPP interfaces support Point-to-P oint Protocols (PPP). ISP accounts are required for PPPoE/PPTP

interfaces.

•Cellular interfaces are for 3G WAN connections via a connected 3G device.

•Virtual interfaces provide additional routing information in the Z yW ALL. There are three types:

virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.

•Trunk interfaces manage load balancing between interfaces.

Port groups and trunks have a lot of characteristics that are specific to each type of interface. The

other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and virtual--have a lot of similar

characteristics. These characteristics are listed in the following table and discussed in more detail

below.

Ta ble 37 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics

CHARACTERISTICS ETHERNET ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUAL

Name* wan1 lan1, lan2,

dmz pppxcellularx vlanxbrx**

Configurable Zone No No Yes Yes Yes Yes No

IP Address Assignment

Static IP address Yes Yes Yes Yes Yes Yes Yes

DHCP client Yes No Yes Yes Yes Yes No

Routing metric Yes Yes Yes Yes Yes Yes Yes

Interface Parameters

Bandwidth

restrictions Yes Yes Yes Yes Yes Yes Yes

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 105

- * The format of interface names other than the Ethernet and ppp interface names is strict. Each nam e consists of 2-4

letters (interface type), followed by a number ( x). For most interfaces, x is limited by the maximum number of the

type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example,

Ethernet interface names are wan1, wan2, lan1, lan2, dmz; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.

** - The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual

interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on

VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the

Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up

a virtual interface.

Relationships Between Interfaces

In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces

are created directly on top of the physical ports or port groups. The relationships between

interfaces are explained in the following table.

Packet size (MTU) Yes Yes Yes Yes Yes Yes No

DHCP

DHCP server No Yes No No Yes Yes No

DHCP relay No Yes No No Yes Yes No

Connectivity Check Yes No Yes Yes Yes Yes No

Ta ble 38 Relationships Between Different Types of Interfaces

INTERFACE REQUIRED PORT / INTERFACE

port group physical port

Ethernet interface physical port

port group

VLAN interface Ethernet interface

bridge interface Ethernet interface*

VLAN interface*

PPP interface Ethernet interface*

VLAN interface*

bridge interface

WAN1, WAN2, OPT*

virtual interface

(virtual Ethernet interface)

(virtual VLAN interface)

(virtual bridge interface)

Ethernet interface*

VLAN interface*

bridge interface

trunk Ethernet interface

Cellular inte rface

VLAN interface

bridge interface

PPP interface

Ta ble 37 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics (continued)

CHARACTERISTICS ETHERNET ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUAL

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

106

* - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a

member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member

interface has a virtual interface or PPP interface on top of it.

IPv6 Overview

IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The

increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP

addresses.

IPv6 Addressing

The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This

is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv6 addresses can be abbreviated in two ways:

• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can

be written as 2001:db8:1a2b:15:0:0:1a2f:0.

• Any number of consecutiv e blocks of zeros can be replaced by a double colon. A double colon can

only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be

written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015,

2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.

Prefix and Prefix Length

Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An

IPv6 prefix length specifies how many most significant bits (start from the left) in the address

compose the network address. The prefix length is written as “/x” where x is a number. For

example,

2001:db8:1a2b:15::1a2f:0/32

means that the first 32 bits (2001:db8) from the left is the network prefix.

Link-local Address

A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a

“private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a

device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast

address format is as follows.

Ta ble 39 Link-local Unicast Address Format

Subnet Masking

Both an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided

into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each

character (1 ~ 10, A ~ F). Each block’s 16 bits are then represented by four hexadecimal

characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0 000:0000:0000.

1111 1110 10 0 Interface ID

10 bits 54 bits 64 bits

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 107

Stateless Autoconfiguration

With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated.

Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful

autoconfiguration, the owner and status of addresses don’t need to be maintained by a DHCP

server. Every IPv6 device is able to generate its own and unique IP address automatically when

IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own

Ethernet MAC address) to form a complete IPv6 address.

When IPv6 is enabled on a device, its interface automatically generates a link-local address

(beginning with fe80).

When the ZyWALL’s WAN interface is connected to an ISP with a router and the ZyWALL is set to

automatically obtain an IPv6 network prefix from the router for the interface, it generates 1another

address which combines its interface ID and global and subnet information advertised from the

router. This is a routable global IP address.

Prefix Delegation

Prefix delegation enables an IPv6 router (the ZyWALL) to use the IPv6 prefix (network address)

received from the ISP (or a connected uplink router) for its LAN. The ZyWALL uses the received

IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router

Advertisements (RAs) regularly by multicast, the router passes the IPv6 prefix information to its

LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.

IPv6 Router Advertisement

An IPv6 router sends router advertisement messages periodically to advertise its presence and

other parameters to the hosts in the same network.

DHCPv6

The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol

that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other

configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages

using UDP.

Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for

identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC

address, time, vendor assigned ID and/or the vendor's private enterprise number registered with

the IANA. It should not change over time even after you reboot the device.

Finding Out More

•See Section 7.10 on page 172 for background information on interfaces.

•See Chapter 8 on page 176 to configure load balancing using trunks.

1. In IPv6, all network interfaces can be associated with several addresses.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

108

7.1.3 What You Need to Do First

For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the

ZyWALL first.

7.2 Port Role Screen

To access this screen, click Configuration > Network > Interface > Port Role. Use the Port

Role screen to set the ZyWALL’s flexible ports as part of the lan1, lan2, ext-wlan or dmz

interfaces. This creates a hardware connection between the physical ports at the la yer-2 (data link,

MAC address) level. This provides wire-speed throughput but no security.

See Section 1.1 on page 18 to see which ZyWALL models support port role.

Note the following if you are configuring from a computer connected to a lan1, lan2, ext-wlan or

dmz port and change the port's role:

• A port's IP address varies as its role changes, make sure your computer's IP address is in the

same subnet as the ZyWALL's lan1, lan2, ext-wlan or dmz IP address.

• Use the appropriate lan1, lan2, ext-wlan or dmz IP address to access the ZyWALL.

Figure 73 Configuration > Network > Interface > Port Role (ZyWALL 110)

The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown

at the bottom of the screen. Use the radio buttons to select for which interface (network) you w ant

to use each physical port. For example, select a port’s LAN radio button to use the port as part of

the LAN interface. The port will use the ZyWALL’s LAN IP address and MAC address.

When you assign more than one physical port to a network, you create a port group. Port groups

have the following characteristics:

• There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-

speed throughput but no security.

• It can increase the bandwidth betw ee n the port grou p and othe r interfaces .

• The port group uses a single MAC address.

Physical Ports

Interfaces

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 109

Click Apply to save your changes and apply them to the ZyWALL.

Click Reset to change the port groups to their current configuration (last-saved values).

7.3 Ethernet Summary Screen

This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces.

If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure

Ethernet interfaces used for your IPv6 networks on this screen. To access this screen, click

Configuration > Network > Interface > Ethernet.

Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any

of them. If an Ethernet interface does not have any physical ports assigned to it, the Ethernet

interface is effectively removed from the ZyWALL, but you can still configure it.

Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address,

subnet mask, and gateway used to make routing decisions. They restrict the amount of bandwidth

and packet size. They can provide DHCP services, and they can verify the gateway is available.

Use Ethernet interfaces to control which physical ports exchange routing information with other

routers and how much information is exchanged thr ough each one. The more routing information is

exchanged, the more efficient the routers should be. However, the routers also generate more

network traffic, and some routing protocols require a significant amount of configuration and

management. The Z yWALL supports two routing protocols, RIP and OSPF. See Chapter 10 on page

197 for background information about these routing protocols.

Figure 74 Configuration > Network > Interface > Ethernet

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

110

Each field is described in the following table.

7.3.1 Ethernet Edit

The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP

settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access

this screen, click an Edit icon in the Ethernet Summary screen. (See Section 7.3 on page 109.)

Note: If you create IP address objects based on an interface’s IP address, subnet, or

gateway, the ZyWALL automatically updates every rule or setting that uses the

object whenever the interface’s IP address settings change. For example, if you

change the LAN’ s IP address, the Zy WALL aut omatically updates the corresponding

interface-based, LAN subnet address object.

With RIP, you can use Ethernet interfaces to do the following things.

• Enable and disable RIP in the underlying physical port or port group.

Ta ble 40 Configuration > Network > Interf ace > Ethernet

LABEL DESCRIPTION

Configur ation / IPv6

Configuration Use the Configuration section for IPv4 network settings. Use the IPv6

Configuration section for IPv6 network settings if you connect your ZyWALL to an

IPv6 network. Both sections have similar fields as described below.

Edit Double-click an entry or select it and click Edit to open a screen where y ou can modify

the entry’s settings.

Remove To remove a virtual interface, select it and click Remove. The ZyWALL confirms you

want to remove it before doing so.

Activate To turn on an interface, select it and click Activate.

Inactivate To turn off an interface, select it and click Inactivate.

Create Virtual

Interface To open the screen where you can create a virtual Ethernet interface, select an

Ethernet interface and click Create Virtual Interface.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. Se e Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status This icon is lit when the entry is active and dimmed when the entry is inactive.

Name This field displays the name of the interface.

IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in

the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP

address yet.

In the IPv4 network, this screen also shows whether the IP address is a static IP

address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in

virtual interfaces.

In the IPv6 network, this screen also shows whether the IP address is a static IP

address (STATIC), link-local IP address (LINK LOCAL), dynamically assigned

(DHCP), or an IPv6 StateLess Address AutoConfiguration IP address (SLAAC). See

Section 7.1.2 on page 103 for more information about IPv6.

Mask This field displays the interface’s subnet mask in dot decimal notation.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 111

• Select which direction(s) routing information is exchanged - The ZyWALL can receive routing

information, send routing information, or do both.

• Select which version of RIP to support in each direction - The Z yW ALL supports RIP-1, RIP-2, and

both versions.

• Select the broadcasting method used by RIP-2 packets - The ZyWALL can use subnet

broadcasting or multicasting.

With OSPF, you can use Ethernet interfaces to do the following things.

• Enable and disable OSPF in the underlying physical port or port group.

• Select the area to which the interface belongs.

• Override the default link cost and authentication method for the selected area.

• Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing

information, send routing information, or do both.

• Set the priority used to identify the DR or BDR if one does not exist.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

112

Figure 75 Configuration > Network > Interface > Ethernet > Edit (External Type)

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 113

Figure 76 Configuration > Network > Interface > Ethernet > Edit (Internal Type)

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

114

Figure 77 Configuration > Network > Interface > Ethernet > Edit (OPT)

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 115

This screen’s fields are described in the table below.

Ta ble 41 Configuration > Network > Interface > Ethernet > Edit

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use

for the DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to enable this interface. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type This field is configurable for the OPT interface only. Select to which type of network

you will connect t h is interface. When you select internal or external the rest of the

screen’s options automatically adjust to correspond. The ZyWALL automatically adds

default route and SNAT settings for traffic it routes from internal interfaces to external

interfaces; for example LAN to WAN traffic.

internal is fo r connecting to a local n e twork. Other corresponding configuration

options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT

settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The ZyWALL

automatically adds this interface to the default WAN trunk.

For general, the rest of the screen’s options do not automatically adjust and you must

manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name Specify a name for the interface. It can use alphanumeric characters, hyphens, and

underscores, and it can be up to 11 characters long.

Port This is the name of the Ethernet interface’s physical port.

Zone Select the zon e to which this interface is to belong. You use zones to apply security

settings such as firewall, remote management.

MAC Address This field is read-only. This is the MAC address that the Ethernet interface uses.

Description Enter a description of this interface. It is not used elsewhere. You can use

alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 char acters

long.

IP Address

Assignment These IP address fields config ure an IPv4 IP address on the interface itself. If you

change this IP address on the interface, you may also need to change a related

address object for th e network con nected to the in terface. F or e xample, if you use this

screen to change the IP addres s of your LAN interface, you should also change the

corresponding LAN subnet address object.

Get

Automatically This option appears when Interface Type is external or general. Select this to make

the interface a DHCP client and automatically get the IP address, subnet mask, and

gateway address from a DHCP server.

You should not select this if the interface is assigned to a VRRP group. See Chapter 26

on page 349.

Use Fixed IP

Address This option appears when Interface Type is external or general. Select this if you

want to specify the IP address, subnet mask, and gateway manually.

IP Address Enter the IP address for this interface.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

116

Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Gateway This option appears when Interface Type is external or general. Enter the IP

address of the gateway. The ZyWALL sends packets to the gateway when it does not

know how to route the packet to its destination. The gateway should be on the same

network as the i nterface.

Metric This option appears when Interface Type is external or general. Enter the priority

of the gateway (if any) on this interface. The ZyWALL decides which gateway to use

based on this priority. The lower the number, the higher the priority. If two or more

gateways have the same priority, the ZyWALL uses the one that was configured first.

IPv6 Address

Assignment These IP address fields confi gure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generat e an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Link-Local

address This displays the IPv6 link-local address and the network prefix that the ZyWALL

generates itself for the interface.

IPv6 Address/

Prefix Length Enter th e IPv6 address and the prefix length for this interface if you want to use a

static IP address. This field is optional.

The prefix length indicates wh at the left -mos t part of the IP address is the same for all

computers in the network, that is, the network address.

Gateway Enter the IPv6 address of the default outgoin g gateway using colon (:) hexadecimal

notation.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to h ave the ZyWALL obtain an IPv6 prefix from the ISP or a connected

uplink router for an internal network, such as the LAN or DMZ. Y ou have to also enter a

suffix address which is appended to the delegated prefix to form an address for this

interface. See Prefix Delegation on page 107 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), a nd the prefix length. The

ZyWALL will append it to the delegated prefix.

For e xample, you got a delegated prefix of 2003:1234:5 678/48. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 117

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

DHCPv6 Setting

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 107 for more information.

DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Information

Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information

retrieved from DHCPv6.

Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an

IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP

address information through DHCPv6.

DHCPv6 Request

Options /

DHCPv6 Lease

Options

If this interface is a DHCPv6 client, use this section to configure DHCPv6 request

settings that determine what additional information to get from the DHCPv6 server. If

the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings

that determine what additional information to offer to the DHCPv6 clients.

Add Cli ck this to create an entry in this table. See Section 7.3.3 on page 123 for more

information.

Remove Select an entry and click this to delete it from this table.

Object

Reference Select an entry and click Object Reference to open a screen that shows which

settings use the entry. Se e Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request or lease object.

Type This field displays the type of the ob ject.

Value This field displays the IPv6 prefix that the ZyWALL obtained from an uplink router

(Server is selected) or will advertise to its clients (Client is selected).

Interface When Relay is se lected, select this check box and an inte rface from the drop-down list

if you want to use it as the relay server.

Relay Server When Relay is selected, select thi s check box and enter the IP address of a DHCPv6

server as the relay server.

IPv6 Router

Setting

Enable Router

Advertisement Select this to enable this interface to send route r advertisement messages periodically.

See IPv6 Router Advertisement on page 107 for more information.

Advertised Hosts

Get Network

Configuration

From DHCPv6

Select this to have t he ZyWALL indicate to hosts to obtain network settings (such as

prefix and DNS settings) through DHCPv6.

Clear this to have the ZyWALL indicate to hosts that DHCPv6 is not available and they

should use the prefix in the router advertisement message.

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

118

Advertised Hosts

Get Other

Configuration

From DHCPv6

Select this to have t he ZyWALL indicate to hosts to obtain DNS information through

DHCPv6.

Clear this to have the ZyW ALL indicate to hosts that DNS information is not av ailable i n

this network.

Router

Preference Select the router preferenc e (Low, Medium or High) for the interface. The interface

sends this preference in the router advertisements t o tell hosts what preference they

should use for the ZyWALL. This helps hosts to choose their default router especially

when there are multiple IPv6 router in the network.

Note: Make sure the hosts also support router preference to make this function work.

MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in

bytes, that can move through this interface. If a larger packet arrives, the ZyWALL

discards the packet and sends an error message to the sender to inform this.

Hop Limit Enter the maximum number of network segments that a packet can cross before

reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to

decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised

Prefix Table Configure this table only if you want the ZyWALL to advertise a fixed prefix to the

network.

Add Click this to create an IPv6 prefix address.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

IPv6

Address/

Prefix Length

Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates wh at the left -mos t part of the IP address is the same for all

computers in the network, that is, the network address.

Advertised

Prefix from

DHCPv6 Prefix

Delegation

This table is available when the Interface Type is internal. Use this table to

configure the network prefix if you want to use a delegated prefix as the beginning part

of the network prefix.

Add Cli ck this to create an entry in this table.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use for generating the network prefix for the

network.

Suffix

Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix

length. The ZyWALL will append it to the selected delegated prefix. The combined

address is the network prefix for the network.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it

into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for

another interface. You can use ::1111/64 and ::2222/64 for the suffix address

respectively. But if you do not want to divide the delegated prefix into subnetworks,

enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Address This is the final network prefix combined by the delegated prefix and the suffix.

Note: This field displays the combined address after you click OK and reopen this

screen.

Interface

Parameters

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 119

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send

through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zy WALL can receive

from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Uni t. Type the m a ximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL divides it

into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.

Connectivity Check These fields appear when Interface Properties is External or General.

The interface can regularly check the connection to the gateway you specified to make

sure it is still available. You specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL stops routing to the gateway. The ZyWALL

resumes routing to the gateway the first time the gateway passes the connectivity

check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure

it is still available.

Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway

you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter t he n umber o f con sec utive failure s before the ZyWALL stops routing through the

gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

DHCP Setting This section appears when Interface Type is internal or general.

DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are:

None - the ZyWALL does not provide any DHCP services. There is already a DHCP

server on the network.

DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you

specify. The D HCP server(s) may be on another network.

DHCP Server - the ZyW ALL assigns IP addresses and provides subnet mask, gateway,

and DNS server information to the network. The ZyWALL is the DHCP server for the

network.

These fields appear if th e ZyWALL is a DHCP Relay.

Relay Server 1 Enter the IP address of a DHCP server for the network.

Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if th e ZyWALL is a DHCP Server.

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

120

IP Pool Start

Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you

want to assign a static IP address to a specific computer, use the Static DHCP Table.

If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can

assign every IP address allowed by the interface’s IP address and subnet mask, except

for the first address (network address), last address (broadcast address) and the

interface’s IP address.

Poo l Size Enter the number of IP addresses to allocate. This numbe r must be at least one and is

limited by the interface’s Subnet Mask. For example, if the Subnet Mask is

255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate

10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the

ZyWALL can assign every IP address allowed by the interface’s IP address and subnet

mask, except for the first address (network address), last address (broadcast address)

and the interface’s IP address.

First DNS

Server, Second

DNS Server,

Third DNS

Server

Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one

of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that another interface received from its DHCP

server.

ZyWALL - the DHCP clients use the IP address of this interface and the ZyW ALL works

as a DNS relay.

First WINS

Server, Second

WINS Server

Type the IP address of the WINS (Windows Internet Naming Service) server that you

want to send to the DHCP clients. The WINS server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP

address or another IP address as th e default router. This default router will become the

DHCP clients’ default gateway.

To use another IP address as the default router, select Custom Defined and enter the

IP address.

Lease time Spec ify how long each computer can use the information (especially the IP address )

before it has to request the information again. Choices are:

infinite - se lect this if IP addresse s never expire.

days, hours, and minutes - select this to enter how long IP addresses are valid.

Extended

Options This table is available if you selected DHCP server.

Configure this table if you want to send more information to DHCP clients through

DHCP packets.

Add Cli ck this to create an entry in this table. See Section 7.3.4 on page 124.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Name This is the name of the DHCP option.

Code This is the code number of the DHCP option.

Type Thi s is the type of the set value for the DHCP option.

Value This is the value set for the DHCP option.

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 121

Enable IP/MAC

Binding Select this option to have this interface enforce links between specific IP addresses and

specific MAC addresses. This stops anyone else from manually using a bound IP

address on another device connected to this inte rface. Use this to make use only the

intended users get to use specific IP addresses.

Enable Logs for

IP/MAC Binding

Violation

Select this option to have the ZyWALL generate a log if a device connected to this

interface attempts to use an IP address that is bound to another device’s MAC address.

Static DHCP

Table Configure a list of static IP addresses the ZyWALL assigns to computers connected to

the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the

interface’s IP Pool Start Address and Pool Size.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific entry.

IP Address Enter the IP address to assign to a device with this entry’s MAC address.

MAC Enter the MAC address to which to assign this entry’s IP address.

Description Enter a description to help identify this static DHCP entry. You can use alphanume ric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

RIP Setting See Section 10.2 on page 197 for more information about RIP.

Enable RIP Select this to enable RIP in this interface.

Direction This field is effective when RIP is enable d. Select th e RIP direction from the drop-down

list box.

BiDir - This interface sends and receives routing information.

In-Only - This interface receives routing information.

Out-Only - This interface sends routing information.

Send Version This field is effective when RIP is enabled. Select the RIP version(s) used for sending

RIP packets. Choices are 1, 2, and 1 and 2.

Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving

RIP packets. Choices are 1, 2, and 1 and 2.

V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using

subnet broadcasting; otherwise, the ZyWALL uses multicasting.

OSPF Setting See Section 10.3 on page 199 for more information about OSPF.

Area Select the area in which this interfac e belongs. Select None to disable OSPF in this

interface.

Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a

Designated Router (DR) or Backup Designated Router (BDR). The highest-priority

interface identifies the DR, and the second-highest-priority interface identifies the

BDR. Set the priority to zero if the interface can not be the DR or BDR.

Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface.

Passive

Interface Select this to stop forw arding OSPF routing information from the sele cted interface. As

a result, t h is interface only receives routing information.

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

122

7.3.2 Object References

When a configuration screen includes an Object Reference icon, select a configuration object and

click Object Reference to open the Object References screen. This screen displays which

configuration settings reference the selected object. The fields shown vary with the type of object.

Authentication Select an authentication method, or disable authentication. To exchange OSPF routing

information with peer border routers, you must use the same authentication method

that they use. Choices are:

Same-as-Area - use the default au thentication method in the area

None - disable authentication

Text - authenticate OSPF routing information using a plain-text password

MD5 - authenticate OSPF routing information using MD5 encryption

Text

Authentication

Key

This field is available if the Authentication is Text. Type the password for text

authentication. The key can consist of a lphanumeric characters and the undersc ore,

and it can be up to 16 characters long.

MD5

Authentication

This field is available if the Authentication is MD5. Type the ID for MD5

authentication. The ID can be between 1 and 255.

MD5

Authentication

Key

This field is available if the Authentication is MD5. Type the password for MD5

authentication. The password can consist of alphanumeric characters and the

underscore, and it can be up to 16 characters long.

MAC Address

Setting This section appears when Interface Properties is External or General. Have the

interface use either the factory assigned default MAC address, a manually specified

MAC address, or clone the MAC address of another device or computer.

Use Default MAC

Address Select this o ption to have the interface use the factory assigned default MAC address.

By default, the ZyWALL uses the factory assigned MAC address to identify itself.

Overwrite

Default MAC

Address

Select this o ption to have the interface use a different MAC address. Either enter the

MAC address in the fields or click Clone by host and enter the IP address of the device

or computer whose MAC you are cloning. Once it is successfully configured, the

address will be copied to the configuration file. It will not change unless you change the

setting or upload a different configuration file.

Related Setting

Configure

PPPoE/PPTP Click PPPoE/PPTP if this interface’s Internet connection uses PPPoE or PPTP.

Configure VLAN Click VLAN if you want to configure a VLAN interface for this Ethernet interface.

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can set this interface to be part of a

WAN trunk for load balancing.

Configure Policy

Route Click Policy Route to go to the policy route summary screen where you can manually

associate traffic with this interface.

You must manually configure a policy route to add routing and SNAT settin gs for an

interface with the Interface Type set to general. Yo u can also configure a policy

route to override the default routing and SNAT behavior for an interface with an

Interface Type of internal or external.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this scre en without saving.

Ta ble 41 Configuration > Netwo rk > Interface > Ethernet > Edit (con tinued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 123

Figure 78 Object References

The following table describes labels that can appear in this screen.

7.3.3 Add/Edit DHCPv6 Request/Release Options

When you configure an interface as a DHCPv6 server or client, you can additionally add DHCPv6

request or lease options which have the ZyWALL to add more information in the DHCPv6 packets.

To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select

DHCPv6 Server or DHCPv6 Client in the DHCPv6 Setting section, and then click Add in the

DHCPv6 Request Options or DHCPv6 Lease Options table.

Figure 79 Configuration > Network > Interface > Ether net > Edit > Add DHCPv6 Request/Lease

Options

Ta ble 42 Object References

LABEL DESCRIPTION

Object Nam e This identifies the object for which the configuration settings that use it are displayed.

Click the object’s name to display the object’s configuration screen in the main window.

# This field is a sequential value, and it is not associated with any entry.

Service This is the type of setting that references the selected object. Click a service’s name to

display the service’s configuration screen in the main window.

Priority If it is applicable, this field lists the referencing configuration item’s position in its list,

otherwise N/A displays.

Name This field identifies the configuration item that references the object.

Description If the referencing configuration item has a description configured, it displays here.

Refresh Click this to update the information in this screen.

Cancel Click Cancel to close the screen.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

124

Select a DHCPv6 request or lease object in the Select one object field and click OK to save it.

Click Cancel to exit without saving the setting.

7.3.4 Add/Edit DHCP Extended Options

When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended

options which have the ZyWALL to add more information in the DHCP packets. The available fields

vary depending on the DHCP option you select in this screen. To ope n the screen, click

Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP

Setting section, and then click Add or Edit in the Extended Options table.

Figure 80 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

The following table describes labels that can appear in this screen.

Ta ble 43 Conf iguration > Network > Interface > Ethernet > Edit > A dd/Edit Extended Options

LABEL DESCRIPTION

Option Select which DHCP option that you want to add in the DHCP packets sent through the

interface. See Table 44 for more information.

Name This field displays the name of the selected DHCP option. If you selected User Defined in

the Option field, enter a descriptive name to identify the DHCP option. You can enter up

to 16 characters (“a-z”, “A-Z, “0-9”, “-”, and “_”) with no spaces allowed. The first

character must be alphabetical (a-z, A-Z).

Code This field displays the code number of the selected DHCP option. If you selected User

Defined in the Option field, enter a number for the option. This field is mandatory.

Type This is the type of the selected DHCP option. If you selected User Defined in the Option

field, select an appropriate type for the value that you will enter in the next field. Only

advanced users should configure User Defined. Misconfigura tion could result in interfac e

lockout.

Value Enter the value for the selected DHCP option. For example, if you sele cted TFTP Server

Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This

field is mandatory.

First IP Address,

Second IP

Address, Third IP

Address

If you selected Time Server (4), NTP Server (41), SIP Server (120), CAPWAP AC

(138), or TFTP Server (150), you have to enter at least one IP address of the

corresponding servers in these fields. The servers should be listed in order of your

preference.

First Enterprise

ID, Second

Enterprise ID

If you selected VIVC (124) or VIVS (125), you have to enter at least one vendor’s 32-

bit enterprise number in these fields. An enterprise number is a unique number that

identifies a company.

First Class,

Second Class If you selected VIVC (124), enter th e details of the hardw are configur ation of the hos t on

which the client is running, or of industry consortium compliance.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 125

The following table lists the available DHCP extended options (defined in RFCs) on the ZyW ALL. See

RFCs for more information.

7.4 PPP Interfaces

Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage

PPPoE/PPTP software on each computer in the network.

First

Information,

Second

Information

If you select ed VIVS (125) , enter additional information for the corresponding enterprise

number in these fields.

OK Click this to close this screen and update the settings to the previous Edit screen.

Cancel Click Cancel to close the screen.

Ta ble 44 DHCP Extended Options

OPTION NAME CODE DESCRIPTION

Time Offset 2 This option specifies the offset of the client's subnet in seconds from

Coordinated Universal Time (UTC).

Time Server 4 This option specifies a list of Time servers available to the client.

NTP Server 4 2 This option specifies a list of the NTP servers available to the client by IP

address.

TFTP Server Name 66 This option is used to identify a TFTP server when the “sname” field in the

DHCP header has been used for DHCP options. The minimum lengt h of the

valu e is 1.

Bootfile 67 This option is used to identify a bootfile when the “file” field in the DHCP

header has been used for DHCP options. The minimum length of the value is

SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used

by the SIP client to locate a SIP server.

VIVC 124 Vendor-Identifying Vendor Class option

A DHCP client may use this option to unambiguousl y identify the vendor that

manufactured the hardware on which the client is running, the software in

use, or an industry consortium to which the vendo r belongs.

VIVS 125 Vendor-Identifying Vendor-Specific option

DHCP clients and servers may use this option to exchange vendor-specific

information.

CAPWAP AC 138 CAPWAP Access Controller addresses option

The Control And Provisioning of Wireless Access Points Protoco l allows a

Wireless Termination Point (WTP) to use DHCP to discover the Access

Controllers to which it is to connec t. This option carries a list of IPv4

addresses indicating one or more CAPWAP ACs available to the WTP.

TFTP Server 150 The option contains one or more IPv4 addresses that the client may use. The

current use of this option is for downloading configuration from a VoIP server

via TFTP; however, the option may be used for purposes other than

contacting a VoIP configuration server.

Ta ble 43 Conf iguration > Network > Interface > Ethernet > Edit > A dd/Edit Extended Options

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

126

Figure 81 Example: PPPoE/PPTP Interfaces

PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address,

subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet

size; and they can verify the gateway is available. There are two main differences between PPPoE/

PPTP interfaces and other interfaces.

• You must also configure an ISP account object for the PPPoE/PPTP interface to use.

Each ISP account specifies the protocol (PPPoE or PPTP), as well as your ISP account information.

If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP

interface. You should not have to change any network policies.

• You do not set up the subnet mask or gateway.

PPPoE/PPTP interfaces are interfaces between the ZyW ALL and only o ne computer. Therefore, the

subnet mask is always 255.255.255.255. In addition, the ZyWALL always treats the ISP as a

gateway.

7.4.1 PPP Interface Summary

This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration >

Network > Interface > PPP.

Figure 82 Configuration > Network > Interface > PPP

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 127

Each field is described in the table below.

7.4.2 PPP Interface Add or Edit

Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.

This screen lets you configure a PPP oE or PPTP interface. If you enabled IPv6 in the Configuration

> System > IPv6 screen, you can also configure PPP interfaces used for your IPv6 networks on

this screen. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.

Ta ble 45 Configuration > Netwo rk > Interface > PPP

LABEL DESCRIPTION

User Configuration /

System Default The ZyWALL comes with the (non-removable) System Default PPP interfaces pre-

configured. You can create (and delete) User Configuration PPP interfaces .

Add Cli ck this to create a new user-configured PPP interface.

Edit Doubl e-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove a user-configured PPP interface, select it and click Remove. The ZyWALL

confirms you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an interface, select it and click Connect. You might use this in testing the

interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP

interface.

Disconnect To disconnect an interface, se lect it and clic k Disconnect. Y ou might use this in testing

the interface.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. Se e Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry

is inactive.

The connect icon is lit when the interface is connected and dimmed when it is

disconnected.

Name This field displays the name of the interface.

Base Interface This field displays the interface on the top of which the PPPoE/PPTP interface is.

Account Profile This field displays the ISP account used by this PPPoE/PPTP interface.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

128

Figure 83 Configuration > Network > Interface > PPP > Add

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 129

Each field is explained in the following table.

Ta ble 46 Configuration > Netwo rk > Interface > PPP > Add

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click th is button to creat e an ISP Account or a DHCPv6 request object that you may

use for the ISP or DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to enable this interface. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Name Specify a name for the interface. It can use alphanumeric characters, hyphens, and

underscores, and it can be up to 11 characters long.

Base Interface Select the interface upon which this PPP interfac e is built.

Note: Multiple PPP interfaces can use the same base interface.

Zone Select the zone to which this PP P interface belongs. The zone determines the security

settings the ZyWALL uses for the interface.

Description Enter a description of this interface. It is not used elsewhere. Y ou can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Connectivity

Nailed-Up Select this if the PPPoE/PPTP connection sho uld always be up. Clear this to have the

ZyWALL establish the PPPoE/PPTP connection only when there is traffic. You might use

this option if a lot of traffic needs to go through the interface or it does not cost extra to

keep the connection u p all the time.

Dial-on-Demand Select this to hav e the Z yW ALL establi sh the PPP oE/PPTP co nnection only when there is

traffic. You might use this opt io n if there is little traffic through the interface or if it

costs money to keep the c onnection available.

ISP Setting

Account Profile Select the ISP account that this PPPoE/PPTP interface uses. The drop-down box lists

ISP accounts by name. Use Create new Object if you need to configure a new ISP

account (see Chapter 34 on page 419 for details).

Protocol This field is read-only. It displays the protocol specified in the ISP account.

User Name This field is read-only. It displays the user name for the ISP account.

Service Name This field is read-only. It displays the PPP oE s erv ic e name spe ci fie d in t he ISP ac count.

This field is blank if the ISP account uses PPTP.

IP Address

Assignment Click Show Advanced Settin gs to display more settings. Click Hide Advanced

Settings to display fewer settings.

Get

Automatically Selec t this if this interface is a DHCP client. In this case, the DHCP server co nfigures

the IP address autom a tically. The subnet mask and gateway are always defined

automatically in PPPoE/PPTP interfaces.

Use Fixed IP

Address Select this if you want to specify the IP address manually.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

130

IP Address This field is enabled if you select Use Fixed IP Address.

Enter the IP address for this interface.

Metric Enter the priority of th e gateway (the ISP) on this interface. The Z yWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

IPv6 Address

Assignment These IP address fields confi gure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to h ave the ZyWALL obtain an IPv6 prefix from the ISP or a connected

uplink router for an internal network, such as the LAN or DMZ. Y ou have to also ente r a

suffix address which is appended to the delegated prefix to form an address for this

interface. See Prefix Delegation on page 107 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), a nd the prefix length. The

ZyWALL will append it to the delegated prefix.

For e xample, you got a dele gated prefi x of 2003: 1234:5678/4 8. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

DHCPv6 Setting

DHCPv6 Select Client to obtain an IP address and DNS information from the service provider

for the interface. Otherwise, select N/A to diable the function.

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 107 for more information.

DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Ta ble 46 Co nfiguration > Net work > Interface > PP P > Add (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 131

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Request Address Select this to get an IPv6 IP address for this interface from the DHCP s erver. Clear this

to not get any IP address information through DHCPv6.

DHCPv6 Request

Options Use this section to configure DHCPv6 request settings that determine what additional

information to get from the DHCPv6 server.

Add Cli ck this to create an entry in this table. See Section 7.3.4 on page 124 for more

information.

Remove Select an entry and click this to delete it from this table.

Object

Reference Select an entry and click Object Reference to open a screen that shows which

settings use the entry. Se e Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request object.

Type This field displays the type of the ob ject.

Value This field displays the IPv6 prefix that the ZyWALL will advertise to its clients.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send

through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zy WALL can receive

from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Uni t. Type the m a ximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL divides it

into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.

Connectivity Check The interface can regularly check the connection to the gateway you specified to make

sure it is still available. Y ou specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL stops routing to the gateway. The ZyWALL

resumes routing to the gateway the first time the gateway passes the connectivity

check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the Z yWALL r egularly ping the gatewa y you specify to make sure it

is still available.

Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway

you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL stops routing through the

gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Ta ble 46 Co nfiguration > Net work > Interface > PP P > Add (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

132

7.5 Cellular Configuration Screen (3G)

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is

optimized as multiple users share the same channel and bandwidth is only allocated to users when

they send data. It allows fast transfer of voice and non- voice data and provides broadband Internet

access to mobile devices.

Note: The actual data ra te you obtain varies depending on the 3G device you use, the

signal strength to the service provider’s base station, and so on.

You can configure how the ZyWALL’s 3G device connects to a network (refer to Section 7.5.1 on

page 134):

• You can set the 3G device to connect only to the home network, which is the network to which

you are originally subscribed.

• You can set the 3G device to connect to other networks if the signal strength of the home

network is too low or it is unavailable.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

Related Setting

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a

WAN trunk for load balancing.

Policy Route Click Policy Route to go to the screen where you can manually configure a policy

route to associate traffic with this interface.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this scre en without saving.

Ta ble 46 Co nfiguration > Net work > Interface > PP P > Add (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 133

Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G

network automatically. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G

of wireless technologies.

To change your 3G WAN settings, click Configuration > Network > Interface > Cellular.

Note: Install (or connect) a compatible 3G USB device to use a cellular connection.

Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on

different subnets.

Table 47 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies

NAME TYPE MOBILE PHONE AND DATA STANDARDS DAT A

SPEED

GSM-BASED CDMA-BASED

2G Circuit-

switched GSM (Global System for Mobile

Communications), Personal Handy-

phone System (PHS), etc.

Interim Standard 95 (IS-95), the first CDMA-

based digital cellular standard pioneered by

Qualcomm. The brand name for IS-95 is

cdmaOne. IS-95 is also known as TIA-EIA-95.

Slow

Fast

2.5G Packet-

switched GPRS (General P a cke t R adio Servi ces),

High-Speed Circuit-Switched Data

(HSCSD), etc.

CDMA2000 is a hybrid 2.5G / 3G protocol of

mobile telecommunications standards that use

CDMA, a multiple access scheme for digital radio.

CDMA2000 1xRTT (1 times Radio Transmission

Technology) is the core CDMA2000 wireless air

interface standard. It is also known as 1x, 1xR TT,

or IS-2000 and consi dered t o be a 2.5G or 2 .75G

technology.

2.75G Packet-

switched Enhanced Data rates for GSM Evolution

(EDGE), Enh anced GPRS (EGPR S), etc.

3G Packet-

switched UMTS (Universal Mobile

Telecommunications System), a third-

generation (3G) wireless standard

defined in ITUA specification, is

sometimes marketed as 3GSM. The

UMTS uses GSM infrastructures and W-

CDMA (Wideband Code Division

Multiple Acce ss) as the air interface.

CDMA2000 EV-DO (Evolution-Data Optimized,

originally 1x Evolution-Data Only), also referred

to as EV-DO, EVDO, or just EV, is an evolution of

CDMA2000 1xRTT and enables high-speed

wireless connectivity. It is also denoted as IS-856

or High Data Rate (HDR).

3.5G Packet-

switched HSDPA (High-Speed Downlink Packet

Access) is a mobile telephony protoc ol,

used for UMTS-based 3G networks and

allows for higher data transfer speeds.

A. The International Telecommunication Union (ITU) is an international organization within which governments and the private se ctor

coordinate global telecom networks and services.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

134

Figure 84 Configuration > Network > Interface > Cellular

The following table describes the labels in this screen.

7.5.1 Cellular Add/Edit Screen

To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or

Edit). In the pop-up window that displays, select the slot that contains the 3G device, then the

following screen displays.

Ta ble 48 Co nfiguration > Netwo rk > Interface > Cellular

LABEL DESCRIPTION

Add Click this to create a new cellular interface.

Edit Double-click an entry or sele ct it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an entry, select it and click Remove. The Zy WALL confirms you want to

remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an interface, select it and click Connect. You might use this in testing the

interface or to ma nually establish the connecti on.

Disconnect To disconnect an interface, sele ct it and click Disconnect. You might use this in testing

the interface.

Object

References Select an entry and click Object Reference to open a screen that shows which settings

use the entry. See Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is

inactive.

The connect icon is lit when the interface is connected and dimmed when it is

disconnected.

Name This field displays the name of the interface.

Extension Slot This field displays where the entry’s cellular card is located.

Connected

Device This field displays the name of the cellular card.

ISP Settings This field displays the profile of ISP settings that this cellular interface is set to use.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 135

Figure 85 Configuration > Network > Interface > Cellular > Add

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

136

The following table describes the labels in this screen.

Ta ble 49 Co nfiguration > Net work > Interface > Cellular > Add

LABEL DESCRIPTION

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Interface Select this option to turn on this interface.

Interface Properties

Interface Name Select a name for the interface.

Zone Select the zone to which you want the cellular interface to belong. The zone

determines the security settings the ZyWALL uses for the interface.

Extension Slot This is the USB slot that you are configuring for use with a 3G card.

Connected

Device This displays the manufacturer and model name of your 3G card if you inserted one in

the ZyWALL. Othe rwise, it displays none.

Description Enter a desc ription of this interface. It is not used elsewhere. You can use

alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 char acters

long.

Connectivity

Nailed-Up Select this if the connection should always be up. Clear this to have the ZyWALL to

establish the connection only when there is traffic. You might not nail up the

connection if there is little traffic through the interface or if it costs money to keep the

connection available.

Idle timeout This value specifies the time in seconds (0~36 0) that elapses before the ZyWALL

automatically disconnects from the ISP’s server. Zero disables the idl e timeout.

ISP Settings

Profile Selec tion Select Device to use one of the 3G device’s profiles of device settings. Then select the

profile (use Profile 1 unless your ISP instructed you to do otherwise).

Select Custom to configure your device settings yourself.

APN This field is read-only if you se lected Device in the profile selection. Select Custom in

the profile selection to be able to manually input the APN (Access Point Name)

provided by your service provider. This field applies with a GSM or HSDPA 3G card.

Enter the APN from your service provider. Connections with different APNs may provide

different services (such as Internet access or MMS (Multi-Media Messaging Service))

and charge method.

You can enter up to 63 ASCII printable characters. Spaces are allowed.

Dial String Enter the dial string if your ISP provides a string, which would include the APN, to

initialize th e 3G card.

You can enter up to 63 ASCII printable characters. Spaces are allowed.

This field is available only when you insert a GSM 3G card.

Authentication

Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge

Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is

readily available on more platforms.

Use the drop-down list box to select an authentication protocol for outgoing calls.

Options are:

None: No authentication for outgoing calls.

CHAP - Your ZyWALL accepts CHAP requests only.

PAP - Your ZyWALL accepts PAP requests only.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 137

User Name This field displays when you select an authentication type other than None. This field

is read-only if you selected Device in the profile selection. If this field is configurable,

enter the user name for this 3G card exactly as the service provider gave it to you.

You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters. The first character must

be alphanumeric or -_@$./. Spaces are not allowed.

Password This field displays when you select an authentication type other than None. This field

is read-only if you selected Device in the profile selection and the password is included

in the 3G card’s profile. If this field is configurable, enter the password for this SIM

card exactly as the service provider gave it to you.

You can use 0 ~ 63 alphanumeric and `~!@#$%^&*()_-+={}|;:'<,>./ characters.

Spaces are not allowed .

Retype to

Confirm This field displays when you select an authenticatio n ty pe o ther than None. This field

is read-only if you selected Device in the profile selection and the password is included

in the 3G card’s profile. If this field is configurable, re-enter the password for this SIM

card exactly as the service provider gave it to you.

SIM Card Setting

PIN Code This field displays with a GSM or HSDPA 3G card. A PIN (Personal Identification

Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G

card.

Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the

PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the

account to access the Internet.

If your ISP disabled PIN code authentication, enter an arbitrary number.

Retype to

Confirm Type the PIN code again to confirm it.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send

through the interface to the network. Allowed values are 0 - 1048576. This setting is

used in WAN load balancing and bandwidth management.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive

from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL divides it

into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.

Connectivity Check The interface can regularly check the connection t o the gatewa y you spe cified to mak e

sure it is still available. Y ou specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL stops routing to the gateway. The ZyWALL

resumes routing to the gateway the first time the gateway passes the connectivity

check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL regularly ping the gatewa y y ou spe ci fy to make sure

it is stil l available.

Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway

you specify to make sure it is still available.

Ta ble 49 Co nfiguration > Net work > Inter face > Cellular > Add (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

138

Check Period Enter the number of seconds between connection chec k attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the n umber of cons ecuti ve failu res before the ZyWALL stops routing through the

gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this t o specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity che ck.

Related Setting

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of

a WAN trunk for load balancing.

Configure Policy

Route Click Policy Route to go to the policy route summary screen where you can configure

a policy route to override the default routing and SNAT behavior for the interface.

IP Address

Assignment

Get

Automatically Select this option If your ISP did not assign you a fixed IP address. This is the default

selection.

Use Fixed IP

Address Select this option If the ISP assigned a fixed IP address.

IP Address

Assignment Enter the cellular interface’s WAN IP address in this field if you selected Use Fixed IP

Address.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, the ZyWALL uses the one that was

configured first.

Device Settings

Network

Selection This field appears if you selected a 3G device that allows you to select the type of

network to use. Select the type of 3G service for your 3G connection. If you are unsure

what to select, check with your 3G service provider to find the 3G service available to

you in your region.

Select auto to have the card conn ect to an availa ble network. Choose this option if you

do not know what networks are available.

You may want to manually specify the type of network to use if you are charged

differently for different types of network or you only have one type of network

available to you.

Select GPRS / EDGE (GSM) only to have this interface only use a 2.5G or 2.75G

network (respectively). If you only have a GSM network available to you, you may

want to select this so the ZyWALL does not spend time looking for a WCDMA network.

Select UMTS / HSDPA (WCDMA) only to have this interface only use a 3G or 3. 5G

network (respectively). You may want to do this if you want to make sure the interface

does not use the GSM network.

Ta ble 49 Co nfiguration > Net work > Inter face > Cellular > Add (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 139

Network

Selection Home network is the network to which you are originally subscribed.

Select Home to have the 3G device connect only to the home network. If the home

network is down, the ZyWALL’s 3G Internet connection is also unavailable.

Select Auto (Default) to all ow the 3G device to connect t o a networ k to whic h y ou are

not subscribed when necessary, for ex ample when the home network is down or

another 3G base station's signal is stronger. This is recommended if you need

continuo us Inte rnet co nnecti vity. If you select th is, y ou ma y be ch arge d usin g the r at e

of a different network.

Budget Setup

Enable Budget

Control Select this to se t a mon thl y lim it for the use r accoun t of t he i nstalle d 3G card. You can

set a limit on th e total traffic and/or call time. The ZyWALL takes the actions you

specified when a li mit is exceeded during the m onth.

Time Budget Select this and specify the amount of time (in hours) that the 3G connection can be

used within one month. If you change the value after you configure and enable budget

control, the ZyWALL resets the statistics.

Data Budget Select this and specify how much downstream and/or upstream data (in Mega bytes)

can be transmitted via the 3G connection within one mo nth.

Select Download to set a limit on t he downstream traffic (from the ISP to the

ZyWALL).

Select Upload to set a limit on the upstream traffic (from the ZyWALL to the ISP).

Select Download/Upload to set a limit on the total traffic in both directions.

If you change the value after you configure and enable budget control, the ZyWALL

resets the statistics.

Reset time and

data budget

counters on

Select the date on which the ZyWALL resets the budget every month. If the date you

selected is not available in a month, such as 30th or 31st, the ZyWALL resets the

budget on the last day of the month.

Reset time and

data budget

counters

This button is available only when you enable budget control in this screen.

Click this button to reset the time and data budgets immediately. The count starts over

with the 3G connection’s full configured monthly time and data budgets. This does not

affect the normal monthly budget restart; so if you configured the time and data

budget counters to reset on the second day of the month and you use this button on

the first, the time and data budget counters will still reset on the second.

Actions when

over budget Specify the actions the ZyWALL takes when the time or data limit is exceeded.

Log Select None to not create a log, Log to create a log, or Log-alert to create an alert

log. If you select Log or Log-alert you can also select recurr ing every to have the

ZyWALL send a log or alert for thi s event periodically. Specify how often (from 1 to

65535 minutes) to send the log or alert.

New 3G

connection Select Allow to permit new 3G connections or Disallow to drop/block new 3G

connections.

Current 3G

connection Select Keep to maintain an existing 3G connection or Drop to disconnect it. You

cannot set New 3G connection to Allow and Current 3G connection to Drop at

the same time.

If you set New 3G connection to Disallow and Current 3G connection to Keep,

the ZyWALL allows you to transmit data using the current connection, but you cannot

build a new connection if the existing connection is discon nected.

Actions when over

% of time budget or

% of data budget

Specify the action s the Z yW ALL tak es when the sp ecified perc entage of time budge t or

data limit is exceeded. Enter a number from 1 to 99 in the percentage fields. If you

change the value after you configure and enable budget control, the ZyWALL resets

the statistics.

Ta ble 49 Co nfiguration > Net work > Inter face > Cellular > Add (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

140

7.6 Tunnel Interfaces

The Z yWALL uses tunnel interfaces in Generic Rou ting Encapsulation (GRE), IPv6 in IPv4, and 6to4

tunnels.

GRE Tunneling

GRE tunnels encapsulate a wide variety of network layer protocol packet types inside IP tunnels. A

GRE tunnel serves as a virtual point-to-point link between the ZyWALL and another router over an

IPv4 network. At the time of writing, the ZyWALL only supports GRE tunneling in IPv4 networks.

Figure 86 GRE Tunnel Example

IPv6 Over IPv4 Tunnels

To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to

be used.

Figure 87 IPv6 over IPv4 Network

On the ZyWALL, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel.

The following describes each method:

IPv6-in-IPv4 Tunneling

Use this mode on the WAN of the ZyWALL if

Log Select None to not create a log when the ZyWALL takes this action, Log to create a

log, or Log-alert to create an alert log. If you select Log or Log-alert you can also

select recurring every to have the ZyWALL send a log or alert for this event

periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving.

Ta ble 49 Co nfiguration > Net work > Inter face > Cellular > Add (continued)

LABEL DESCRIPTION

Internet

IPv4

IPv6 IPv6

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 141

• your ZyWALL has a public IPv4 IP address given from your ISP,

and

• you want to transmit your IPv6 packets to one and only one remote site whose LAN network is

also an IPv6 network.

With this mode, the Zy WALL encapsulates IPv6 packets within IPv4 packets across the Internet.

You must know the WAN IP address of the remote gateway device. This mode is normally used for

a site-to-site application such as two branch offices.

Figure 88 IPv6-in-IPv4 Tunnel

In the Z yW ALL, you must also manu ally configure a policy route for an IPv6-in-IPv 4 tunnel to make

the tunnel work.

6to4 Tunneling

This mode also enables IPv6 packets to cross IPv4 networks. Unlik e IPv6-in-IPv4 tunn eling, you do

not need to configure a policy route for a 6to4 tunnel. Through your properly pre-configuring the

destination router’s IP address in the IP address assignments to hosts, the ZyWALL can

automatically forward 6to4 packets to the destination they want to go. A 6to4 relay router is

required to route 6to4 packets to a native IPv6 network if the packet’s destination do not match

your specified criteria.

In this mode, the ZyWALL should get a pu blic IPv4 address for the WAN. The ZyWALL adds an IPv4

IP header to an IPv6 packet when transmitting the packet to the Internet. In reverse, the ZyWALL

removes the IPv4 header from an IPv6 packet when receiving it from the Internet.

An IPv6 address using the 6to4 mode consists of an IPv4 address, the format is as the following:

2002:[a public IPv4 address in hexadecimal]::/48

For example,

A public IPv4 address is 202.156.30.41. The converted hexadecimal IP string is ca.9c.1E.29. The

IPv6 address prefix becomes 2002:ca9c:1e29::/48.

IPv6

IPv4

IPv6

Internet

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

142

Figure 89 6to4 Tunnel

7.6.1 Configuring a Tunnel

This screen lists the Z yW A LL’ s configured tunn el interfaces. To access this screen, click Network >

Interface > Tunnel.

Figure 90 Network > Interface > Tunnel

Each field is explained in the following table.

Internet

IPv6

IPv4

IPv6

Ta ble 50 Network > Interface > Tunnel

LABEL DESCRIPTION

Add Click this to create a new GRE tunnel interface.

Edit Double- click an entry or selec t it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to

remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. Se e Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any interface.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 143

7.6.2 Tunnel Add or Edit Screen

This screen lets you configure a tunnel interface. Click Configuration > Network > Interface >

Tunnel > Add (or Edit) to open the following screen.

Status The activate (light bu lb) icon is lit wh en the en try is ac tive an d dimmed when the entry

is inactive.

Name This field displays the name of the interface.

IP Address This is the IP address of the interface. If the interface is active (and connected), the

Z yW ALL tu nnels loc al tr affic se nt to this IP address to the Remote Gateway Address.

Tunn el Mode This is the tunnel mode of the interface (GRE, IPv6-in-IPv4 or 6to4). This field also

displays the interface’s IPv4 IP address and subnet mask if it is a GRE tunnel.

Otherwise, it displays the interface’s IPv6 IP address and prefix length.

My Address This is the in terface or IP address uses to identify itself to the remote gateway. The

ZyWALL uses this as the source for the packets it tunnels to the remote gateway.

Remote Gateway

Address This is the IP address or domain name of the remote gateway to which this inte rface

tunnels traffic.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to beg in configuring this screen afresh.

Ta ble 50 Network > Interface > Tunnel (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

144

Figure 91 Network > Interface > Tunnel > Add/Edit

Each field is explained in the following table.

Ta ble 51 Network > Interface > Tunnel > Add/Edit

LABEL DESCRIPTION

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Select this to enable this interface. Clear this to disable this interface.

Interface Properties

Interface Name This field is read-only if you are editing an existing tunnel interface. Enter the name of

the tunnel interface. The format is tunnelx, where x is 0 - 3. For example, tunnel0.

Zone Use this field to select the zone to which this interface belongs. This controls what

security settings the ZyWALL applies to this interface.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 145

Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See

Section 7.6 on page 140 for more information.

IP Address

Assignment This section is available if you are configuring a GRE tunnel.

IP Address Enter the IP address for this interface.

Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

IPv6 Address

Assignment This section is available if you are configuring an IPv6-in-IPv4 or a 6to4 tunnel.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix le ngth for this interface if y ou want to use a static

IP address. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

6to4 Tunnel

Parameter This section is available if y ou are configuring a 6to4 tunnel which encapsulates IPv6 to

IPv4 packets.

6to4 Prefix Enter the IPv6 prefix of a destination network. The ZyWALL forwards IPv6 packets to

the hosts in the matched network.

If you enter a prefix starting with 2002, the ZyWALL will forward the matched packets

to the IPv4 IP address converted from the packets’ destination address. The IPv4 IP

address can be converted from the next 32 bits after the prefix you specified in this

field. See 6to4 Tunneling on page 141 for an example. The ZyWALL forwards the

unmatched packets to the specified Relay Router.

Relay Ro uter Enter the IP v4 add ress of a 6to4 relay router which helps forward packets between

6to4 networks and native IPv6 networks.

Remote

Gateway Prefix Enter the IPv4 network address and network bits of a remote 6to4 gateway, for

example, 14.15.0.0/16.

This field works if you enter a 6to4 Prefix not starting with 2002 (2003 for example).

The ZyWALL forwards the matched packets to a remote gateway with the network

address you specify here, and the bits converted after the 6to4 Prefix in the packets.

For example, you configure the 6to4 prefix to 2003:A0B::/32 and the remote gateway

prefix to 14.15.0.0/16. If a packet’s destination is 2003:A0B:1011:5::8, the ZyWALL

forwards the packet to 14.15.16.17, where the network address is 14.15.0.0 and the

host address is the remain bits converted from 1011 after the packet’s 6to4 prefix

(2003:A0B).

Gateway Settings

My Address Specify the interface or IP address to use as the source address for the packets this

interface tunnels to the remote gateway. The remote gateway sends traffic to this

interface or IP address.

Remote

Gateway

Address

Enter the IP address or domain name of the remote gateway to which this interface

tunnels traffic.

Automatic displays in this field if you are configuring a 6to4 tunnel. It means the 6to4

tunnel w ill help forw ard pack ets to the co rresponding remote gateway automatically by

looking at the packet’s destination address.

Ta ble 51 Network > Interface > Tunnel > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

146

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send

through the interface to the network. Allowed values are 0 - 1048576. This setting is

used in WAN load balancing and bandwidth management.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zy WALL can receive

from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Uni t. Type the m a ximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL divides it

into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.

Connectivity Check This section is available if you are con figuring a GRE tunnel .

The interface can regularly check the connection to the gateway you specified to make

sure it is still available. Y ou specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL stops routing to the gateway. The ZyWALL

resumes routing to the gateway the first time the gateway passes the connectivity

check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the Z yWALL r egularly ping the gatewa y you specify to make sure it

is still available.

Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway

you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL stops routing through the

gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field displays when you set the Check Method to tcp. Specify the port number to

use for a TCP connectivity check.

Related Setting

WAN TRUNK Click this link to go to a screen where you can configure WAN trunk load balancing.

Policy Route Click this link to go to the screen where you can manually configure a policy route to

associate traffic with this interface.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this scre en without saving.

Ta ble 51 Network > Interface > Tunnel > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 147

7.7 VLAN Interfaces

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The

standard is defined in IEEE 802.1q.

Figure 92 Example: Before VLAN

In this example, there are two physical networks and three departments A, B, and C. The physical

networks are connected to hubs, and the hubs are connected to the router.

Alternatively, you can divide the physical networks into three VLANs.

Figure 93 Example: After VLAN

Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each

VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the

MAC header. The VLANs are connected to switches, and the switches are connected to the router.

(If one switch has enough connections for the entire network, the network does not need switches

A and B.)

• Traffic inside each VLAN is layer -2 communication (data link lay er, MAC addresses). It is handled

by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is

only broadcast inside each VLAN, not each physical network.

• Traffic between VLANs (or between a VLAN and another type of network) is layer-3

communication (network layer, IP addresses). It is handled by the router.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

148

This approach provides a few advantages.

• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales

department faster than the router does. In addition, broadcasts are limited to smaller, more

logical groups of users.

• Higher security - If each computer has a separate physical connection to the switch, then

broadcast traffic in each VLAN is never sent to computers in another VLAN.

• Better manageability - You can align network policies more appropriately for users. For example,

you can set different bandwidth limits for each VLAN. These rules are also independent of the

physical network, so you can change the physical network without changing policies.

In this example, the new switch handles the following types of traffic:

•Inside VLAN 2.

• Between the router and VLAN 1.

• Between the router and VLAN 2.

• Between the router and VLAN 3.

VLAN Interfaces Overview

In the ZyWALL, each VLAN is called a VLAN interface. As a router, the ZyWALL routes traffic

between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each

VLAN interface can go through only one Ethernet interface, though each Ethernet interface can

have one or more VLAN interfaces.

Note: Each VLAN interface is created on top of only one Ethernet interface.

Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address,

subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet

size. They can provide DHCP services, and they can verify the gateway is available.

7.7.1 VLAN Summary Screen

This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. If you

enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN

interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration >

Network > Interface > VLAN.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 149

Figure 94 Configuration > Network > Interface > VLAN

Each field is explained in the following table.

Ta ble 52 Co nfiguration > Netwo rk > Interface > VLAN

LABEL DESCRIPTION

Configuratio

n / IPv6

Configuratio

Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration

section for IPv6 network settings if you connect your ZyWALL to an IPv6 network. Both

sections have similar fields as described below.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWA LL confirms you want to remove it

before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Create

Virtual

Interface

To open the screen where you can create a virtual interf ace, select an interface and click

Create Virtual Interface.

Object

References Select an entry and click Object Reference to open a screen that shows which settings use

the entry. See Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status This ico n is lit when the entry is active and dimmed when the entry is inactive.

Name This field displays the name of the interface.

Port/VID For VLAN interfaces, this field displays

• the Ethernet interface on which the VLAN interface is created

• the VLAN ID

For virtual interfaces, this field is blank.

IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the

interface does not have an IP address yet.

This screen also shows whether the I P address is a static IP address (STATIC) or dynamically

assigned (DHCP). IP addresses are always static in virtual interfaces.

Mask This field displays the interface’s subnet mask in dot decimal notation.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

150

7.7.2 VLAN Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP

settings, and connectivity check for each VLAN interface. To access this screen, click the Create

Virtual Interface icon in the VLAN Summary screen. The following screen appears.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 52 Configuration > Netwo rk > Interface > VLAN (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 151

Figure 95 Configuration > Network > Interface > VLAN > Create Virtual Interface

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

152

Each field is explained in the following table.

Ta ble 53 Configuration > Netwo rk > Interface > VLAN > Create Virtual Interface

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to c reate a DHCPv6 lease or DHCPv6 request object that you may use

for the DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to turn this interface on. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type Select one of the following option depending on the type of network to which the

ZyWALL is connected or if you want to additionally manually configure some related

settings.

internal is fo r connecting to a local n e twork. Other corresponding configuration

options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT

settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The ZyWALL

automatically adds this interface to the default WAN trunk.

For general, the rest of th e screen’s options do not automatical ly adjust an d you must

manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name This field is read-only if you are editing an existing VLAN interfac e. Enter the number of

the VLAN interface. You can use a number from 0~4094. For example, vlan0, vlan8,

and so on. The total number of VLANs you can configure on the ZyWALL depends on

the model.

Zone Select the zone to which the VLAN interface belongs.

Base Port Select the Ethernet interface on which the VLAN interface runs.

VLAN ID Enter the VLA N ID. This 12-bit number uniquely identifies each VLAN. Allowed values

are 1 - 4094. (0 and 4095 are reserved.)

Description Enter a description of this interface. It is not used elsewhere. Y ou can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

IP Address

Assignment

Get

Automatically Selec t this if this interface is a DHCP client. In this case, the DHCP server co nfigures

the IP address, subnet mask, and gateway automatically.

You should not select this if the interface is assigned to a VRRP group.

Use Fixed IP

Address Select this if you want to specify the IP address, subnet mask, and gateway ma nually.

IP Address This field is enabled if you select Use Fixed IP Address.

Enter the IP address for this interface.

Subnet Mask This field is enabled if yo u select Use Fixed IP Address.

Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 153

Gateway This field is enabled if you select Use Fixe d IP Address.

Enter the IP address of the gateway . The Z yWALL sends packets to the gateway when it

does not know how to route the packet to its destination. The gateway should be on the

same network as the interface.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

IPv6 Address

Assignment These IP address fields confi gure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Link-Local

address This displays the IPv6 link-local address and the network prefix that the ZyWALL

generates itself for the interface.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to configure a

static IP address for this interface. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Gateway Enter the IPv6 address of the default outgoin g gateway using colon (:) hexadecimal

notation.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to h ave the ZyWALL obtain an IPv6 prefix from the ISP or a connected

uplink router for an internal network, such as the LAN or DMZ. Y ou have to also ente r a

suffix address which is appended to the delegated prefix to form an address for this

interface. See Prefix Delegation on page 107 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), a nd the prefix length. The

ZyWALL will append it to the delegated prefix.

For e xample, you got a dele gated prefi x of 2003: 1234:5678/4 8. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

154

DHCPv6 Setting

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 107 for more information.

DUID as MAC Select this to have the DUID generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Information

Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information

retrieved from DHCPv6.

Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an

IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP

address information through DHCPv6.

DHCPv6 Request

Options /

DHCPv6 Lease

Options

If this interface is a DHCPv6 client, use this section to configure DHCPv6 request

settings that determine what additional information to get from the DHCPv6 server.

If this interface is a DHCP v6 server, use this section to configure DHCPv6 lease settings

that determine what to offer to the DHCPv6 clients.

Add Click this to create an entry in this table. See Section 7.3.3 on page 123 for more

information.

Remove Select an entry and click this to change the settings.

Object

Reference Select an entry and cl ick this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request or lease object.

Type This field displays the type of the ob ject.

Value This field displays the IPv6 prefix that the ZyWALL obtained from an uplink router

(Server is selected) or will advertise to its clients (Client is selected).

Interface When Relay is selected, select this check box and an interface from the drop-down list

if you want to use it as the relay server.

Relay Server When Relay is selected, select thi s check box and enter the IP address of a DHCPv6

server as the relay server.

IPv6 Router

Setting

Enable Router

Advertisement Select this to enable this interface to send router advertisement messages periodically.

See IPv6 Router Advertisement on page 107 for more information.

Advertised Hosts

Get Network

Configuration

From DHCPv6

Select this to have t he ZyWALL indicate to hosts to obtain network settings (such as

prefix and DNS settings) through DHCPv6.

Clear this to have the ZyWALL indicate to hosts that DHCPv6 is not available and they

should use the prefix in the router advertisement message.

Advertised Hosts

Get Other

Configuration

From DHCPv6

Select this to have t he ZyWALL indicate to hosts to obtain DNS information through

DHCPv6.

Clear this to h ave th e Z yW ALL indicate to hosts that DN S information i s not a vail able in

this network.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 155

Router

Preference Select the router preferenc e (Low, Medium or High) for the interface. The interface

sends this preference in the router advertisements t o tell hosts what preference they

should use for the ZyWALL. This helps hosts to choose their default router especially

when there are multiple IPv6 router in the network.

Note: Make sure the hosts also support router preference to make this function work.

MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in

bytes, that can move through this interface. If a larger packet arrives, the ZyWALL

divides it into smaller fragments.

Hop Limit Enter the maximum number of network segments that a packet can cross before

reaching the destinati on. When forw arding an IPv6 p acket, IPv6 r outers are req uired to

decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised

Prefix Table Configure this table only if you want the ZyWALL to advertise a fixed prefix to the

network.

Add Click this to create an IPv6 prefix address.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

IPv6

Address/

Prefix Length

Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Advertised

Prefix from

DHCPv6 Prefix

Delegation

Use this table to c onfigure the network prefix if you want to use a delegated prefix as

the beginning part of the network prefix.

Add Cli ck this to create an entry in this table.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use for generating the network prefix for the

network.

Suffix

Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix

length. The ZyWALL will append it to the selected delegated prefix. The combined

address is the network prefix for the network.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it

into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for

another interface. You can use ::1111/64 and ::2222/64 for the suffix address

respectively. But if you do not want to divide the delegated prefix into subnetworks,

enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Address This is the final network prefix combined by the delegated prefix and the suffix.

Note: This field displays the combined address after you click OK and reopen this

screen.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send

through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zy WALL can receive

from the network through the interface. Allowed values are 0 - 1048576.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

156

MTU Maximum Transmission Uni t. Type the m a ximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL divides it

into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.

Connectivity Check The ZyWALL can regularly check the connection to the gateway you specified to make

sure it is still available. Y ou specify how often to check the connection, how long to wait

for a response before the attempt is a failure, and how many consecutive failures are

required before the ZyW ALL stops routing to the gateway. The ZyW ALL resumes routing

to the gateway the first time the gateway passes the connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the Z yWALL r egularly ping the gatewa y you specify to make sure it

is still available.

Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway

you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL stops routing through the

gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces.

DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are:

None - the ZyWALL does not provide any DHCP services. There is already a DHCP

server on the network.

DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you

specify. The D HCP server(s) may be on another network.

DHCP Server - the ZyWALL assigns IP addresses and provides subnet mask, gateway,

and DNS server information to the network. The ZyWALL is the DHCP server for the

network.

These fields appear if th e ZyWALL is a DHCP Relay.

Relay Server 1 Enter the IP address of a DHCP server for the network.

Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if th e ZyWALL is a DHCP Server.

IP Pool Start

Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you

want to assign a static IP address to a specific computer, click Add Static DHCP.

If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can

assign every IP address allowed by the interface’ s IP address and subnet mask , ex cept

for the first address (network address), last address (broadcast address) and the

interface’s IP address.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 157

Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is

limited by the interface’s Subnet Mask. For example, if the Subnet Mask is

255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate

10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the

ZyWALL can assign every IP address allowed by the interface’s IP address and subnet

mask, except for the first address (network address), last address (broadcast address)

and the interface’s IP address.

First DNS Server

Second DNS

Server

Third DNS

Server

Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one

of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that anoth er interface received from its DHCP server.

ZyWALL - the DHCP clients use the IP address of this interface and the Z yW ALL works

as a DNS relay.

First WINS

Server, Second

WINS Server

Type the IP address of the WINS (Windows Internet Naming Service) server that you

want to send to the DHCP clients. The WINS server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP

address or another IP address as the default router. This default router will become the

DHCP clients’ default gateway.

To use another IP address as the default router, select Custom Defined and enter the

IP address.

Lease time Spec ify how long each computer can use the information (especially the IP address )

before it has to request the information again. Choices are:

infinite - se lect this if IP addresses never expire

days, hours, and minutes - select this to enter how long IP addresses are valid.

Extended

Options This table is available if you selected DHCP server.

Configure this table if you want to send more information to DHCP clients through

DHCP packets.

Add Cli ck this to create an entry in this table. See Section 7.3.4 on page 124.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Name This is the option’s name.

Code This is the option’s code number.

Type Thi s is the option’s type.

Value This is the opti on’s value.

Enable IP/MAC

Binding Select this option to have the ZyWALL enforce links between specific IP addresses and

specific MAC addresses for this VLAN. This stops anyone else from manually using a

bound IP address on another device connected to this interface. Use this to make us e

only the intended users get to use specifi c IP addresses.

Enable Logs for

IP/MAC Binding

Violation

Select this option to have the ZyWALL generate a log if a device connected to this VLAN

attempts to use an IP address that is bound to another device’s MAC address.

Static DHCP

Table Configure a list of static IP addresses the ZyWALL assigns to computers connected to

the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the

interface’s IP Pool Start Address and Pool Size.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

158

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific entry.

IP Address Enter the IP address to assign to a device with this entry’s MAC address.

MAC Address Enter the MAC address to which to assign this entry’s IP address.

Description Enter a description to help identify this static DHCP entry. You can use alphanume ric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

RIP Setting See Section 10.2 on page 197 for more information about RIP.

Enable RIP Select this to enable RIP on this int erface.

Direction This field is effectiv e whe n RIP is enable d. Sel ect the R IP direct ion from t he drop-down

list box.

BiDir - This interface sends and receives routing information.

In-Only - This interface receives routing information.

Out-Only - This interface sends routing information.

Send Version This field is effective when RIP is enabled. Select the RIP version(s) used for sending

RIP packets. Choices are 1, 2, and 1 and 2.

Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving

RIP packets. Choices are 1, 2, and 1 and 2.

V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using

subnet broadcasting; otherwise, the ZyWALL uses multicasting.

OSPF Setting See Section 10.3 on page 199 for more information about OSPF.

Area Select the area in which this interfac e belongs. Select None to disable OSPF in this

interface.

Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a

Designated Router (DR) or Backup Designated Router (BDR). The highest-priority

interface identifies the DR, and the second-highest-priority interface i dentifies the BDR.

Set the priority to zero if the interface can not be the DR or BDR.

Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface.

Passive

Interface Select this to stop forwarding OSPF routing information from the selected interface. As

a result, t h is interface only receives routing information.

Authentication Select an authentication method, or disable authentication. To exchange OSPF routing

information with peer border routers, you must use the same authentication method

that they use. Choices are:

Same-as-Area - use the default au thentication method in the area

None - disable authentication

Text - authenticate OSPF routing information using a plain-text password

MD5 - authenticate OSPF routing information using MD5 encryption

Text

Authentication

Key

This field is available if the Authentication is Text. Type the password for text

authentication. The key can consist of a lphanumeric characters and the undersc ore,

and it can be up to 16 characters long.

MD5

Authentication

This field is available if the Authentication is MD5. Type the ID for MD5

authentication. The ID can be between 1 and 255.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 159

7.8 Bridge Interfaces

This section introduces bridges and bridge interfaces and then explains the screens for bridge

interfaces.

Bridge Overview

A bridge creates a connection between two or more network segments at the layer-2 (MAC

address) level. In the follow in g ex ample, bridge X connects four network segments.

When the bridge receives a packet, the bridge records the source MAC address and the port on

which it was received in a table. It also looks up the destination MAC address in the table. If the

bridge knows on which port the destination MAC address is located, it sends the packet to that port.

If the destination MAC address is not in the table, the bridge broadcasts the packet on every port

(except the one on which it was received).

In the example abo ve, computer A se nd s a packet to computer B. Bridge X records the source

address 0A:0A:0A:0A:0A:0 A and port 2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the

table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4.

MD5

Authentication

Key

This field is available if the Authentication is MD5. Type the password for MD5

authentication. The password can consist of alphanumeric characters and the

underscore, and it can be up to 16 characters long.

Related Setting

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can set this VLAN to be part of a WAN

trunk for load balancing.

Configure Policy

Route Click Policy Route to go to the screen where you can manually configure a policy

route to associate traffic with this VLAN.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this scre en without saving.

Ta ble 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)

LABEL DESCRIPTION

Ta ble 54 Example: Brid ge Table After Computer A Sends a Packet to Computer B

MAC ADDRESS PORT

0A:0A:0A:0A:0A:0A 2

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

160

If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B

and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to

port 2 accordingly.

Bridge Interface Overview

A bridge interface creates a software bridge between the members of the bridge interface. It also

becomes the ZyWALL’s interface for the resulting network.

Unlike the device-wide bridge mode in ZyNOS-based ZyWALLs, this ZyWALL can bridge traffic

between some interfaces while it routes traffic for other interfaces. The bridge interfaces also

support more functions, like interface bandwidth parameters, DHCP settings, and connectivity

check. To use the whole ZyWALL as a transparent bridge, add all of the ZyWALL’s interfaces to a

bridge interface.

A bridge interface may consist of the following members:

• Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)

• Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)

When you create a bridge interface, the ZyWALL removes the members’ entries from the routing

table and adds the bridge interface’ s entries to th e routing table. For example, this table shows the

routing table before and after you create bridge interface br0 (250.250.250.0/23) between lan1

and vlan1.

In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1

is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface

when the underlying interface is added or removed.

7.8.1 Bridge Summary

This screen lists every bridge interface and virtual interface created on top of bridge interfaces. If

you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure bridge

interfaces used for your IPv6 network on this screen. To access this screen, click Configuration >

Network > Interface > Bridge.

Ta ble 55 Example: Bridge Table After Computer B Responds to Computer A

MAC ADDRESS PORT

0A:0A:0A:0A:0A:0A 2

0B:0B:0B:0B:0B:0B 4

Ta ble 56 Example: Routing Table Before and After Bridge Interface br0 Is Created

IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION

210.210.210.0/24 lan1 221.221.221.0/24 vlan0

210.211.1.0/24 lan1:1 230.230.230.192/26 wan

221.221.221.0/24 vlan0 241.241.241.241/32 dmz

222.222.222.0/24 vlan1 242.242.242.242/32 dmz

230.230.230.192/26 wan 250.250.250.0/23 br0

241.241.241.241/32 dmz

242.242.242.242/32 dmz

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 161

Figure 96 Configuration > Network > Interface > Bridge

Each field is described in the following table.

Ta ble 57 Configuration > Network > Interf ace > Bridge

LABEL DESCRIPTION

Configur ation / IPv6

Configuration Use the Configuration section for IPv4 network settings. Use the IPv6

Configuration section for IPv6 network settings if you connect your ZyWALL to an

IPv6 network. Both sections have similar fields as described below.

Add Click this to create a new entry.

Edit Double- click an entry or selec t it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to

remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Create Virtual

Interface To open the screen where you can create a virtual interface, select an interface and

click Create Virtual Interface.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. Se e Section 7.3.2 on page 122 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status This icon is lit when the entry is active and dimmed when the entry is inactive.

Name This field displays the name of the interface.

IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0,

the interface does not have an IP address yet.

This screen also shows whether the IP address is a static IP address (STATIC) or

dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.

Member This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface.

It is blank for virtual interfaces.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

162

7.8.2 Bridge Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP

settings, and connectivity check for each bridge interface. To access this screen, click the Create

Virtual Interface icon in the Bridge Summary screen. The following screen appears.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 163

Figure 97 Configuration > Network > Interface > Bridge > Create Virtual Interface

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

164

Each field is described in the table below.

Ta ble 58 Co nfiguration > Netwo rk > Interface > Bridge > Create Virtual Interface

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to c reate a DHCPv6 lease or DHCPv6 request object that you may use

for the DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to enable this interface. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type Select one of the following option depending on the type of network to which the

ZyWALL is connected or if you want to additionally manually configure some related

settings.

internal is fo r connecting to a local n e twork. Other corresponding configuration

options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT

settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The ZyWALL

automatically adds this interface to the default WAN trunk.

For general, the rest of th e screen’s options do not automatical ly adjust an d you must

manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name This field is read-only if you are editing the interface. Enter the name of the bridge

interface. The format is brx, where x is 0 - 11. For example, br0, br3, and so on.

Zone Select the zon e to which the interface is to belong. You use zones to apply security

settings such as firewall, remote management.

Description Enter a description of this interface. It is not used elsewhere. Y ou can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Member

Configuration

Av ailable This field displays Ethernet interfaces and VLAN interfaces that can become part of the

bridge interface. An interface is not available in the following situations:

• There is a virtual interface on top of it

• It is already used in a different bridge interface

Select one, and click the >> arrow to add it to the bridge interface. Each bridge

interface can only have one VLAN interface.

Member This field displays the interfaces that are part of the bridge interface. Select one, and

click the << arrow to remove it from the bridge interface.

IP Address

Assignment

Get

Automatically Selec t this if this interface is a DHCP client. In this case, the DHCP server co nfigures

the IP address, subnet mask, and gateway automatically.

Use Fixed IP

Address Select this if you want to specify the IP address, subnet mask, and gateway ma nually.

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 165

IP Address This field is enabled if you select Use Fixed IP Address.

Enter the IP address for this interface.

Subnet Mask This field is enabled if yo u select Use Fixed IP Address.

Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Gateway This field is enabled if you select Use Fixe d IP Address.

Enter the IP address of the gateway . The Z yWALL sends packets to the gateway when it

does not know how to route the packet to its destination. The gateway should be on the

same network as the interface.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

IPv6 Address

Assignment These IP address fields confi gure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Link-Local

address This displays the IPv6 link-local address and the network prefix that the ZyWALL

generates itself for the interface.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix le ngth for this interface if y ou want to use a static

IP address. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Gateway Enter the IPv6 address of the default outgoin g gateway using colon (:) hexadecimal

notation.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which

gateway to use based on this priority. The lower the number, the higher the priority. If

two or more gateways have the same priority, t he ZyWALL uses the one that was

configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to h ave the ZyWALL obtain an IPv6 prefix from the ISP or a connected

uplink router for an internal network, such as the LAN or DMZ. Y ou have to also ente r a

suffix address which is appended to the delegated prefix to form an address for this

interface. See Prefix Delegation on page 107 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Ta ble 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

166

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), a nd the prefix length. The

ZyWALL will append it to the delegated prefix.

For e xample, you got a dele gated prefi x of 2003: 1234:5678/4 8. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

DHCPv6 Setting

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 107 for more information.

DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Information

Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information

retrieved from DHCPv6.

Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an

IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP

address information through DHCPv6.

DHCPv6 Request

Options /

DHCPv6 Lease

Options

If this interface is a DHCPv6 client, use this section to configure DHCPv6 request

settings that determine what additional information to get from the DHCPv6 server.

If the interface is a DHCPv6 serve r, use this section to configu re DHCPv6 l ease sett ings

that determine what to offer to the DHCPv6 clients.

Add Cli ck this to create an entry in this table. See Section 7.3.3 on page 123 for more

information.

Remove Select an entry and click this to change the settings.

Object

Reference Select an entry and cl ick this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request or lease object.

Type This field displays the type of the ob ject.

Value This field displays the IPv6 prefix that the ZyWALL obtained from an uplink router

(Server is selected) or will advertise to its clients (Client is selected).

Interface When Relay is selected, select this check box and an interface from the drop-down list

if you want to use it as the relay server.

Relay Server When Relay is selected, select thi s check box and enter the IP address of a DHCPv6

server as the relay server.

IPv6 Router

Setting

Enable Router

Advertisement Select this to enable this interface to send router advertisement messages periodically.

See IPv6 Router Advertisement on page 107 for more information.

Ta ble 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 167

Advertised Hosts

Get Network

Configuration

From DHCPv6

Select this to have t he ZyWALL indicate to hosts to obtain network settings (such as

prefix and DNS settings) through DHCPv6.

Clear this to have the ZyWALL indicate to hosts that DHCPv6 is not available and they

should use the prefix in the router advertisement message.

Advertised Hosts

Get Other

Configuration

From DHCPv6

Select this to have t he ZyWALL indicate to hosts to obtain DNS information through

DHCPv6.

Clear this to h ave th e Z yW ALL indicate to hosts that DN S information i s not a vail able in

this network.

Router

Preference Select the router preferenc e (Low, Medium or High) for the interface. The interface

sends this preference in the router advertisements t o tell hosts what preference they

should use for the ZyWALL. This helps hosts to choose their default router especially

when there are multiple IPv6 router in the network.

Note: Make sure the hosts also support router preference to make this function work.

MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in

bytes, that can move through this interface. If a larger packet arrives, the ZyWALL

divides it into smaller fragments.

Hop Limit Enter the maximum number of network segments that a packet can cross before

reaching the destinati on. When forw arding an IPv6 p acket, IPv6 r outers are req uired to

decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised

Prefix Table Configure this table only if you want the ZyWALL to advertise a fixed prefix to the

network.

Add Click this to create an IPv6 prefix address.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

IPv6

Address/

Prefix Length

Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Advertised

Prefix from

DHCPv6 Prefix

Delegation

Use this table to c onfigure the network prefix if you want to use a delegated prefix as

the beginning part of the network prefix.

Add Cli ck this to create an entry in this table.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use for generating the network prefix for the

network.

Suffix

Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix

length. The ZyWALL will append it to the selected delegated prefix. The combined

address is the network prefix for the network.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it

into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for

another interface. You can use ::1111/64 and ::2222/64 for the suffix address

respectively. But if you do not want to divide the delegated prefix into subnetworks,

enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Ta ble 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide

168

Address This is the final network prefix combined by the selecte d delegated prefix and the

suffix.

Note: This field displays the combined address after you click OK and reopen this

screen.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send

through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zy WALL can receive

from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Uni t. Type the m a ximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL divides it

into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.

DHCP Setting

DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are:

None - the ZyWALL does not provide any DHCP services. There is already a DHCP

server on the network.

DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you

specify. The D HCP server(s) may be on another network.

DHCP Server - the ZyWALL assigns IP addresses and provides subnet mask, gateway,

and DNS server information to the network. The ZyWALL is the DHCP server for the

network.

These fields appear if th e ZyWALL is a DHCP Relay.

Relay Server 1 Enter the IP address of a DHCP server for the network.

Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if th e ZyWALL is a DHCP Server.

IP Pool Start

Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you

want to assign a static IP address to a specific computer, click Add Static DHCP.

If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can

assign every IP address allowed by the interface’ s IP address and subnet mask , ex cept

for the first address (network address), last address (broadcast address) and the

interface’s IP address.

Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is

limited by the interface’s Subnet Mask. For example, if the Subnet Mask is

255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate

10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the

ZyWALL can assign every IP address allowed by the interface’s IP address and subnet

mask, except for the first address (network address), last address (broadcast address)

and the interface’s IP address.

First DNS Server

Second DNS

Server

Third DNS

Server

Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one

of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that anoth er interface received from its DHCP server.

ZyWALL - the DHCP clients use the IP address of this interface and the Z yW ALL works

as a DNS relay.

Ta ble 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)

LABEL DESCRIPTION

Chapter 7 Interfaces

ZyWALL 110/310/1100 Series User’s Guide 169

First WINS

Server, Second

WINS Server

Type the IP address of the WINS (Windows Internet Naming Service) server that you

want to send to the DHCP clients. The WINS server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP

address or another IP address as the default router. This default router will become the

DHCP clients’ default gateway.

To use another IP address as the default router, select Custom Defined and enter the

IP address.

Lease time Spec ify how long each computer can use the information (especially the IP address )

before it has to request the information again. Choices are:

infinite - se lect this if IP addresses never expire

days, hours, and minutes - select this to enter how long IP addresses are valid.

Extended

Options This table is available if you selected DHCP server.

Configure this table if you want to send more information to DHCP clients through

DHCP packets.

Add Cli ck this to create an entry in this table. See Section 7.3.4 on page 124.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Name This is the option’s name.

Code This is the option’s code number.

Type Thi s is the option’s type.

Value This is the opti on’s value.

Enable IP/MAC

Binding Select this option to have this interface enforce links between specific IP addresses and

specific MAC addresses. This stops anyone else from manually using a bound IP

address on another device connected to this inte rface. Use this to make use only the

intended users get to use specific IP addresses.

Enable Logs for

IP/MAC Binding

Violation

Select this option to have the ZyWALL generate a log if a device connected to this

interface attem pts to use an IP addres s th at is bound to another device’s MAC address.