User Guide
Page 3
Contents Overview Contents Overview User's Guide ...13 Introduction ...15 The WPS Button ...21 ZyXEL NetUSB Share Center Utility ...23 Introducing the Web Configurator ...29 Monitor and Summary ...33 NBG5715 Modes ...39 Easy Mode ...41 Router Mode ...51 Tutorials ...57 Technical Reference ...65 WAN ...67 Wireless LAN ...75 LAN ...91 DHCP Server ...95 NAT ...99 Dynamic DNS ...109 Static Route ...111 Firewall ...115 IPSec VPN ...121 Bandwidth Management ...143 Remote Management ...149 Universal Plug-and-Play (UPnP) ...153 Maintenance ...159 Troubleshooting ...167 NBG5715 User's Guide 3
Contents Overview Contents Overview User's Guide ...13 Introduction ...15 The WPS Button ...21 ZyXEL NetUSB Share Center Utility ...23 Introducing the Web Configurator ...29 Monitor and Summary ...33 NBG5715 Modes ...39 Easy Mode ...41 Router Mode ...51 Tutorials ...57 Technical Reference ...65 WAN ...67 Wireless LAN ...75 LAN ...91 DHCP Server ...95 NAT ...99 Dynamic DNS ...109 Static Route ...111 Firewall ...115 IPSec VPN ...121 Bandwidth Management ...143 Remote Management ...149 Universal Plug-and-Play (UPnP) ...153 Maintenance ...159 Troubleshooting ...167 NBG5715 User's Guide 3
User Guide
Page 6
... You Can Do in this Chapter ...33 5.3 The Log Screen ...33 5.3.1 View Log ...34 5.4 DHCP Table ...34 5.5 Packet Statistics ...35 5.6 VPN Monitor ...36 5.7 WLAN_2.4G/5G Station Status ...37 Chapter 6 NBG5715 Modes ...39 6.1 Overview ...39 6.1.1 Web Configurator Modes ...39 Chapter 7 Easy Mode ...41 7.1 Overview ...41 7.2 What You Can Do in this Chapter... 7.5.7 WPS ...48 7.6 Status Screen in Easy Mode ...49 Chapter 8 Router Mode...51 8.1 Overview ...51 8.2 Router Mode Status Screen ...51 8.2.1 Navigation Panel ...54 Chapter 9 Tutorials ...57 6 NBG5715 User's Guide
... You Can Do in this Chapter ...33 5.3 The Log Screen ...33 5.3.1 View Log ...34 5.4 DHCP Table ...34 5.5 Packet Statistics ...35 5.6 VPN Monitor ...36 5.7 WLAN_2.4G/5G Station Status ...37 Chapter 6 NBG5715 Modes ...39 6.1 Overview ...39 6.1.1 Web Configurator Modes ...39 Chapter 7 Easy Mode ...41 7.1 Overview ...41 7.2 What You Can Do in this Chapter... 7.5.7 WPS ...48 7.6 Status Screen in Easy Mode ...49 Chapter 8 Router Mode...51 8.1 Overview ...51 8.2 Router Mode Status Screen ...51 8.2.1 Navigation Panel ...54 Chapter 9 Tutorials ...57 6 NBG5715 User's Guide
User Guide
Page 9
...(IKE Phase 1) Overview 122 18.3.2 IPSec SA (IKE Phase 2) Overview 123 18.4 The General Screen ...123 18.5 Edit VPN Rule ...124 18.5.1 IKEKey Setup ...125 18.5.2 Manual Key Setup ...130 18.5.3 Configuring Manual Key ...131 18.6 The SA......136 18.7.2 Encapsulation ...136 18.7.3 IKE Phases ...137 18.7.4 Negotiation Mode ...138 18.7.5 IPSec and NAT ...139 18.7.6 VPN, NAT, and NAT Traversal 139 18.7.7 ID Type and Content ...140 18.7.8 Pre-Shared Key ...141 18.7.9 Diffie-Hellman ....5 Advance Screen ...144 19.5.1 Rule Configuration: User Defined Service Rule Configuration 146 NBG5715 User's Guide 9
...(IKE Phase 1) Overview 122 18.3.2 IPSec SA (IKE Phase 2) Overview 123 18.4 The General Screen ...123 18.5 Edit VPN Rule ...124 18.5.1 IKEKey Setup ...125 18.5.2 Manual Key Setup ...130 18.5.3 Configuring Manual Key ...131 18.6 The SA......136 18.7.2 Encapsulation ...136 18.7.3 IKE Phases ...137 18.7.4 Negotiation Mode ...138 18.7.5 IPSec and NAT ...139 18.7.6 VPN, NAT, and NAT Traversal 139 18.7.7 ID Type and Content ...140 18.7.8 Pre-Shared Key ...141 18.7.9 Diffie-Hellman ....5 Advance Screen ...144 19.5.1 Rule Configuration: User Defined Service Rule Configuration 146 NBG5715 User's Guide 9
User Guide
Page 33
... the Summary table of the Status screen to view the bandwidth consumed, packets sent/received as well as the status of clients connected to the NBG5715. 5.2 What You Can Do in this Chapter • Use the Log screens to see the logs for the activity on the... view the active VPN connections (Section 5.6 on page 36). • Use the WLAN_2.4G/5G Station Status screen to view the 2.4G wireless stations that are currently associated to the NBG5715 (Section 5.7 on page 37). 5.3 The Log Screen The Web Configurator allows you to look at all of the NBG5715. NBG5715 User's Guide 33...
... the Summary table of the Status screen to view the bandwidth consumed, packets sent/received as well as the status of clients connected to the NBG5715. 5.2 What You Can Do in this Chapter • Use the Log screens to see the logs for the activity on the... view the active VPN connections (Section 5.6 on page 36). • Use the WLAN_2.4G/5G Station Status screen to view the 2.4G wireless stations that are currently associated to the NBG5715 (Section 5.7 on page 37). 5.3 The Log Screen The Web Configurator allows you to look at all of the NBG5715. NBG5715 User's Guide 33...
User Guide
Page 36
... per second on this port. This is the group of transmitted packets on . A Security Association (SA) is the total time the NBG5715 has been on this port. Chapter 5 Monitor and Summary The following table describes the labels in the Status screen. This displays the transmission...or PPTP encapsulation. Click Stop to update the screen. Figure 17 Summary: Security Associations 36 NBG5715 User's Guide This is disabled. This screen displays read-only information about the active VPN connections. This field displays Down when the line is the number of received packets on this ...
... per second on this port. This is the group of transmitted packets on . A Security Association (SA) is the total time the NBG5715 has been on this port. Chapter 5 Monitor and Summary The following table describes the labels in the Status screen. This displays the transmission...or PPTP encapsulation. Click Stop to update the screen. Figure 17 Summary: Security Associations 36 NBG5715 User's Guide This is disabled. This screen displays read-only information about the active VPN connections. This field displays Down when the line is the number of received packets on this ...
User Guide
Page 37
... the Association List. Connection Name Remote Gateway This field displays the identification name for example, your network or computer with the NBG5715's WLAN network. Figure 18 Summary: Wireless Association List The following table describes the labels in this button to the AP ...static WAN IP address or URL of an associated wireless station. Table 12 Summary: Security Associations LABEL Status DESCRIPTION This field displays whether the VPN connection is up (a yellow bulb) or down (a gray bulb). Refresh Click this screen. Association Time This field displays the time a ...
... the Association List. Connection Name Remote Gateway This field displays the identification name for example, your network or computer with the NBG5715's WLAN network. Figure 18 Summary: Wireless Association List The following table describes the labels in this button to the AP ...static WAN IP address or URL of an associated wireless station. Table 12 Summary: Security Associations LABEL Status DESCRIPTION This field displays whether the VPN connection is up (a yellow bulb) or down (a gray bulb). Refresh Click this screen. Association Time This field displays the time a ...
User Guide
Page 54
... disconnected. Figure 34 Navigation Panel: Router Mode 54 NBG5715 User's Guide Click Details... Click Details... Use this screen to the Monitor > WLAN_5G Station Status screen (Section 5.7 on page 35). Click Details... to go to the Monitor > VPN Monitor screen (Section 5.4 on page 37). This ...Station Status screen (Section 5.7 on page 34). Use this screen to view the active VPN connections. 8.2.1 Navigation Panel Use the sub-menus on the navigation panel to the NBG5715. For the LAN ports, this screen to view the wireless stations that are currently associated...
... disconnected. Figure 34 Navigation Panel: Router Mode 54 NBG5715 User's Guide Click Details... Click Details... Use this screen to the Monitor > WLAN_5G Station Status screen (Section 5.7 on page 35). Click Details... to go to the Monitor > VPN Monitor screen (Section 5.4 on page 37). This ...Station Status screen (Section 5.7 on page 34). Use this screen to view the active VPN connections. 8.2.1 Navigation Panel Use the sub-menus on the navigation panel to the NBG5715. For the LAN ports, this screen to view the wireless stations that are currently associated...
User Guide
Page 55
... Alias Use this screen to create LAN subnets. Packet Statistics Use this screen to have the NBG5715 apply IP alias to view port status and packet specific statistics. VPN Monitor Use this screen to view the active VPN connections. CONFIGURATION Network WAN Broadband This screen allows you to prioritize wireless traffic according to...
... Alias Use this screen to create LAN subnets. Packet Statistics Use this screen to have the NBG5715 apply IP alias to view port status and packet specific statistics. VPN Monitor Use this screen to view the active VPN connections. CONFIGURATION Network WAN Broadband This screen allows you to prioritize wireless traffic according to...
User Guide
Page 56
...MGMT General Advance Use this screen to display and manage active VPN connections. Language Language This screen allows you to select the language you to the server(s) on the NBG5715. IPSec VPN General Use this screen to activate/deactivate the firewall. Firmware ...Upgrade Firmware Upgrade Use this screen to upload firmware to manage the NBG5715. Security Firewall General Use this screen to display and manage the NBG5715's VPN rules (tunnels). Telnet Use this screen to configure through which interface(s) and from which...
...MGMT General Advance Use this screen to display and manage active VPN connections. Language Language This screen allows you to select the language you to the server(s) on the NBG5715. IPSec VPN General Use this screen to activate/deactivate the firewall. Firmware ...Upgrade Firmware Upgrade Use this screen to upload firmware to manage the NBG5715. Security Firewall General Use this screen to display and manage the NBG5715's VPN rules (tunnels). Telnet Use this screen to configure through which interface(s) and from which...
User Guide
Page 121
... a number of tunneling, encryption, authentication, access control and auditing. Figure 76 IPSec VPN: Overview VPN Tunnel X Y The VPN tunnel connects the NBG5715 (X) and the remote IPSec router (Y). IPSec is a standards-based VPN that uses TCP/IP for secure data communications across a public network like the Internet.....2 What You Can Do in this Chapter • Use the General screen to display and manage the NBG5715's VPN rules (tunnels) (Section 18.4 on page 135). NBG5715 User's Guide 121 The following figure provides one perspective of leased site-to display and manage active...
... a number of tunneling, encryption, authentication, access control and auditing. Figure 76 IPSec VPN: Overview VPN Tunnel X Y The VPN tunnel connects the NBG5715 (X) and the remote IPSec router (Y). IPSec is a standards-based VPN that uses TCP/IP for secure data communications across a public network like the Internet.....2 What You Can Do in this Chapter • Use the General screen to display and manage the NBG5715's VPN rules (tunnels) (Section 18.4 on page 135). NBG5715 User's Guide 121 The following figure provides one perspective of leased site-to display and manage active...
User Guide
Page 122
...Both routers must use . The first phase establishes an Internet Key Exchange (IKE) SA between the NBG5715 and remote IPSec router. The second phase uses the IKE SA to establish an IKE SA. Figure 77 VPN: IKE SA and IPSec SA IPSec SA X Y IKE SA In this . Inside networks A ...established first. 18.3.1 IKE SA (IKE Phase 1) Overview The IKE SA provides a secure connection between the NBG5715 and remote IPSec router. Chapter 18 IPSec VPN 18.3 What You Need To Know A VPN tunnel is faster. You can send data between computers on page 138. It takes several steps to securely establish...
...Both routers must use . The first phase establishes an Internet Key Exchange (IKE) SA between the NBG5715 and remote IPSec router. The second phase uses the IKE SA to establish an IKE SA. Figure 77 VPN: IKE SA and IPSec SA IPSec SA X Y IKE SA In this . Inside networks A ...established first. 18.3.1 IKE SA (IKE Phase 1) Overview The IKE SA provides a secure connection between the NBG5715 and remote IPSec router. Chapter 18 IPSec VPN 18.3 What You Need To Know A VPN tunnel is faster. You can send data between computers on page 138. It takes several steps to securely establish...
User Guide
Page 123
... IPSec router and may be static. In this case, you can no longer manage the NBG5715. 18.4 The General Screen The following figure helps explain the main fields in the web configurator. Edit a VPN rule by clicking the Edit icon. Sometimes, you might not know the IP address of ... forward all access attempts (to the local network, the Internet or even the NBG5715) to display the Summary screen. Figure 78 IPSec Fields Summary Local Network Remote Network Remote IPSec Router Local IP Address VPN Tunnel Remote IP Address Local and remote IP addresses must be called the remote ...
... IPSec router and may be static. In this case, you can no longer manage the NBG5715. 18.4 The General Screen The following figure helps explain the main fields in the web configurator. Edit a VPN rule by clicking the Edit icon. Sometimes, you might not know the IP address of ... forward all access attempts (to the local network, the Internet or even the NBG5715) to display the Summary screen. Figure 78 IPSec Fields Summary Local Network Remote Network Remote IPSec Router Local IP Address VPN Tunnel Remote IP Address Local and remote IP addresses must be called the remote ...
User Guide
Page 124
... or a (static) IP address and a subnet mask of computer(s) on a policy's Edit icon in the IPSec VPN > General screen to the NBG5715. This field displays 0.0.0.0 when you can initiate the VPN. Select this screen afresh. 18.5 Edit VPN Rule Click on your local network behind the remote IPSec router. This is the default selection...
... or a (static) IP address and a subnet mask of computer(s) on a policy's Edit icon in the IPSec VPN > General screen to the NBG5715. This field displays 0.0.0.0 when you can initiate the VPN. Select this screen afresh. 18.5 Edit VPN Rule Click on your local network behind the remote IPSec router. This is the default selection...
User Guide
Page 125
You only configure VPN manual key when you select IKE in the IPSec Keying Mode field on the IPSec VPN > General > Edit screen. Figure 80 Security > IPSec VPN > General > Edit: IKE NBG5715 User's Guide 125 Chapter 18 IPSec VPN Note: The NBG5715 uses the system default gateway interface¡¦s WAN IP address as its WAN IP address to set up a VPN tunnel. 18.5.1 IKEKey Setup IKEprovides more protection so it is generally recommended.
You only configure VPN manual key when you select IKE in the IPSec Keying Mode field on the IPSec VPN > General > Edit screen. Figure 80 Security > IPSec VPN > General > Edit: IKE NBG5715 User's Guide 125 Chapter 18 IPSec VPN Note: The NBG5715 uses the system default gateway interface¡¦s WAN IP address as its WAN IP address to set up a VPN tunnel. 18.5.1 IKEKey Setup IKEprovides more protection so it is generally recommended.
User Guide
Page 126
...the Secure Gateway Address field set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind your NBG5715. Table 55 Security > IPSec VPN > General > Edit: IKE LABEL Property Propert Keep Alive NAT Traversal DESCRIPTION Select Enable to activate this feature to work..., enter the end (static) IP address, in a range of local addresses. Select this screen. The NBG5715 assigns this additional DNS server to the NBG5715's DHCP clients that services the VPN, type its IP address here. Two active SAs can configure multiple SAs between the two IPSec routers. Local...
...the Secure Gateway Address field set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind your NBG5715. Table 55 Security > IPSec VPN > General > Edit: IKE LABEL Property Propert Keep Alive NAT Traversal DESCRIPTION Select Enable to activate this feature to work..., enter the end (static) IP address, in a range of local addresses. Select this screen. The NBG5715 assigns this additional DNS server to the NBG5715's DHCP clients that services the VPN, type its IP address here. Two active SAs can configure multiple SAs between the two IPSec routers. Local...
User Guide
Page 127
...IP addresses on the network behind the remote IPSec router. When the remote IP address is configured to identify this NBG5715 by a domain name. Otherwise, you can initiate the VPN. For a single IP address, enter a (static) IP address on a network by its current WAN IP address... dynamic domain name's IP address. Authentication Method My IP Address Enter the NBG5715's static WAN IP address (if it a second time here. In this field as 0.0.0.0. Chapter 18 IPSec VPN Table 55 Security > IPSec VPN > General > Edit: IKE (continued) LABEL Remote Policy DESCRIPTION Remote IP...
...IP addresses on the network behind the remote IPSec router. When the remote IP address is configured to identify this NBG5715 by a domain name. Otherwise, you can initiate the VPN. For a single IP address, enter a (static) IP address on a network by its current WAN IP address... dynamic domain name's IP address. Authentication Method My IP Address Enter the NBG5715's static WAN IP address (if it a second time here. In this field as 0.0.0.0. Chapter 18 IPSec VPN Table 55 Security > IPSec VPN > General > Edit: IKE (continued) LABEL Remote Policy DESCRIPTION Remote IP...
User Guide
Page 128
...IP address (the IPSec Keying Mode field must be able to distinguish between VPN connection requests that you 're making the VPN connection. Set this NBG5715 in the Local Content field. Chapter 18 IPSec VPN Table 55 Security > IPSec VPN > General > Edit: IKE (continued) LABEL Local Content DESCRIPTION When you... secure gateway has a dynamic WAN IP address and is recommended that come in from IPSec routers with dynamic WAN IP addresses. The NBG5715 automatically uses the IP address in the Local Content field. When there is for identification purposes only and can also enter a remote ...
...IP address (the IPSec Keying Mode field must be able to distinguish between VPN connection requests that you 're making the VPN connection. Set this NBG5715 in the Local Content field. Chapter 18 IPSec VPN Table 55 Security > IPSec VPN > General > Edit: IKE (continued) LABEL Local Content DESCRIPTION When you... secure gateway has a dynamic WAN IP address and is recommended that come in from IPSec routers with dynamic WAN IP addresses. The NBG5715 automatically uses the IP address in the Local Content field. When there is for identification purposes only and can also enter a remote ...
User Guide
Page 129
... in this field. Define the length of time before you type an IP address other than MD5, but it blank, the NBG5715 will use the same pre-shared key. Select Main or Aggressive from remote IPSec routers with which hash algorithm to use the same... every time the VPN tunnel renegotiates, all users accessing remote resources are truncated. Type from 8 to 31 case-sensitive ASCII characters or from 1 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with the DES encryption algorithm Authentication Algorithm SA Life Time The NBG5715 and the remote...
... in this field. Define the length of time before you type an IP address other than MD5, but it blank, the NBG5715 will use the same pre-shared key. Select Main or Aggressive from remote IPSec routers with which hash algorithm to use the same... every time the VPN tunnel renegotiates, all users accessing remote resources are truncated. Type from 8 to 31 case-sensitive ASCII characters or from 1 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with the DES encryption algorithm Authentication Algorithm SA Life Time The NBG5715 and the remote...
User Guide
Page 130
DH2 refers to the NBG5715. Encryption Algorithm If you select ESP here, you have problems with the SPI to distinguish different SAs terminating at the same destination and using the same IPSec protocol. However, every time the VPN tunnel renegotiates, all users accessing remote... remote IPSec router must choose a key group for data communications. DH1 refers to the local VPN gateway. Select the security protocols used to establish the tunnel. 130 NBG5715 User's Guide Both AH and ESP increase processing requirements and communications latency (delay). Choices are ...
DH2 refers to the NBG5715. Encryption Algorithm If you select ESP here, you have problems with the SPI to distinguish different SAs terminating at the same destination and using the same IPSec protocol. However, every time the VPN tunnel renegotiates, all users accessing remote... remote IPSec router must choose a key group for data communications. DH1 refers to the local VPN gateway. Select the security protocols used to establish the tunnel. 130 NBG5715 User's Guide Both AH and ESP increase processing requirements and communications latency (delay). Choices are ...
User Guide
Page 131
... only establish an IPSec SA. Chapter 18 IPSec VPN Current ZyXEL implementation assumes identical outgoing and incoming SPIs. 18.5.2.2 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you have to establish a VPN tunnel quickly, for example, for troubleshooting. There ...so you want to provide the encryption key and the authentication key the NBG5715 and remote IPSec router use the same encryption key and authentication key. 18.5.3 Configuring Manual Key You only configure VPN manual key when you can only specify one encryption algorithm and one ...
... only establish an IPSec SA. Chapter 18 IPSec VPN Current ZyXEL implementation assumes identical outgoing and incoming SPIs. 18.5.2.2 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you have to establish a VPN tunnel quickly, for example, for troubleshooting. There ...so you want to provide the encryption key and the authentication key the NBG5715 and remote IPSec router use the same encryption key and authentication key. 18.5.3 Configuring Manual Key You only configure VPN manual key when you can only specify one encryption algorithm and one ...