ARRIS 224742 User Manual

Working with IP Filters and Filter Sets
To work with filters and filter sets, begin by accessing the filter set pages.
NOTE:
Make sure you understand how filters work before attempting to use them. Read the section “Packet Filter” on page 163.
The procedure for creating and maintaining filter sets is as follows:
1. Add a new filter set.
2. Create the filters for the new filter set.
See “Adding filters to a filter set” on page 172.
3. Associate the filter set with either the LAN or WAN interface.
See “Associating a Filter Set with an Interface” on page 176.
The sections below explain how to execute these steps.
Adding a filter set
You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. There can be a maximum of 32 filter rules in the system.
To add a new filter set, click the Add button in the Filter Sets page. The Add Filter Set page appears.
Enter a new name for the filter set, for example Filter Set 1.
To save the filter set, click the Submit button. The saved filter set is empty (contains no filters), but you can return to it later to add filters (see “Adding filters to a filter set”).
NOTE:
As you begin to build a filter set, and as you add filters, after your first entry, the Alert icon will appear in the upper right corner of the web page. It will remain until all of your changes are entered and validated. You need not immediately restart the Gateway until your filter set is complete. See “Associating a Filter Set with an Interface” on page 176.
Administrator’s Handbook
Adding filters to a filter set
There are two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Internet, destined for your network. Output filters check packets transmitted from your network to the Internet.
[Figure: The Motorola Netopia® Router between the WAN and the LAN, with packets passing through the input filter and the output filter.]
Packets in Netopia Embedded Software Version 7.7.4 pass through an input filter if they originate from the WAN and through an output filter if they’re being sent out to the WAN.
The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination. From the perspective of an input filter, your local network is the destination of the packets it checks, and the remote network is their source. From the perspective of an output filter, your local network is the source of the packets, and the remote network is their destination.
Type of filter | Source means | Destination means
Input filter | The remote network | The local network
Output filter | The local network | The remote network
To add a filter, select the Filter Set Name to which you will add a filter, and click the Edit button.
The Filter Set page appears.
Note:
There are two Add buttons in this page, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind.
1. To add a filter, click the Add button under Input Rules.
The Input Rule Entry page appears.
2. If you want the filter to forward packets that match its criteria to the destination IP address, check the Forward checkbox.
If Forward is unchecked, packets matching the filter’s criteria will be discarded.
3. Enter the Source IP address this filter will match on.
You can enter a subnet or a host address.
4. Enter the Source Mask for the source IP address.
This allows you to further modify the way the filter will match on the source address. Enter 0.0.0.0 to force the filter to match on all source IP addresses, or enter 255.255.255.255 to match the source IP address exclusively.
5. Enter the Destination IP Address this filter will match on.
You can enter a subnet or a host address.
6. Enter the Destination Mask for the destination IP address.
This allows you to further modify the way the filter will match on the destination address. Enter 0.0.0.0 to force the filter to match on all destination IP addresses.
7. If desired, you can enter a TOS and TOS Mask value.
See “Policy-based Routing using Filtersets” on page 177 for more information.
8. Select Protocol from the pull-down menu: ICMP, TCP, UDP, Any, or the number of another IP transport protocol (see the table on page 167).
If Protocol Type is set to TCP or UDP, the settings for port comparison will appear. These settings only take effect if the Protocol Type is TCP or UDP.
9. From the Source Port Compare pull-down menu, choose a comparison method for the filter to use on a packet’s source port number.
Then select Source Port and enter the actual source port number to match on (see the table on page 166).
10. From the Destination Port Compare pull-down menu, choose a comparison method for the filter to use on a packet’s destination port number.
Then select Destination Port and enter the actual destination port number to match on (see the table on page 166).
11. When you are finished configuring the filter, click the Submit button to save the filter in the filter set.
Viewing filters
To display the table of input or output filters, select the Filter Set Name in the Filter Set page and click the Add or Edit button.
The table of filters in the filtersets appears.
Modifying filters
To modify a filter, select a filter from the table and click the Edit button. The Rule Entry page appears. The parameters in this page are set in the same way as the ones in the original Rule Entry page (see “Adding filters to a filter set” on page 172).
Deleting filters
To delete a filter, select a filter from the table and click the Delete button.
Moving filters
To reorganize the filters in a filter set, select a filter from the table and click the Move Up or Move Down button to place the filter in the desired priority position.
Deleting a filter set
If you delete a filter set, all of the filters it contains are deleted as well. To reuse any of these filters in another set, before deleting the current filter set you’ll have to note their configuration and then recreate them.
To delete a filter set, select the filter set from the Filter Sets list and click the Delete button.
Associating a Filter Set with an Interface
Once you have created a filter set, you must associate it with an interface in order for it to be effective. Depending on its application, you can associate it with either the WAN (usually the Internet) interface or the LAN.
To associate a filter set with the LAN, return to the Filter Sets page.
Click the Ethernet 100BT link.
The Ethernet 100BT page appears.
From the pull-down menu, select the filter set to associate with this interface.
Click the Submit button. The Alert icon will appear in the upper right corner of the page.
Click the Alert icon to go to the validation page, where you can save your configuration.
You can repeat this process for both the WAN and LAN interfaces, to associate your filter sets.
When you return to the Filter Sets page, it will display your interface associations.
Policy-based Routing using Filtersets
Netopia Embedded Software Version 7.7.4 offers the ability to route IP packets using criteria other than the destination IP address. This is called policy-based routing.
You specify the routing criteria and routing information by using IP filtersets to determine the forwarding action of a particular filter.
You specify a gateway IP address, and each packet matching the filter is routed according to that gateway address, rather than by means of the global routing table.
In addition, the classifier list in a filter includes the TOS field. This allows you to filter on TOS field settings in the IP packet, if you want.
To use the policy-based routing feature, you create a filter that forwards the traffic.
Check the Forward checkbox. This will display the Force Routing options.
Check the Force Route checkbox.
Enter the Gateway IP address in standard dotted-quad notation to which the traffic should be forwarded.
You can enter Source and Destination IP Address(es) and Mask(s), Protocol Type, and Source and Destination Port ID(s) for the filter, if desired.
TOS field matching
Netopia Embedded Software Version 7.7.4 includes two parameters for an IP filter: TOS and TOS Mask. Both fields accept values in the range 0 – 255.
Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network. A delay-sensitive packet is one that has the low-latency bit set in the TOS field of the IP header. This means that if such packets are not received rapidly, the quality of service degrades. If you expect to route significant amounts of such traffic you can configure your router to route this type of traffic to a gateway other than your normal gateway using this feature.
The TOS field matching check is consistent with source and destination address matching.
If you check the Idle Reset checkbox, a match on this rule will keep the WAN connection alive by resetting the idle-timeout status.
The Idle Reset setting is used to determine if a packet which matches the filter will cause an “instant-on” link to connect, if it is down; or reset its idle timer, if it is already up. For example, if you wanted ping traffic not to keep the link up, you would create a filter which forwards a ping, but with the Idle Reset checkbox unchecked.
Example: You want packets with the TOS low latency bit to go through VC 2 (via gateway 127.0.0.3 – the Motorola Netopia® Gateway will use 127.0.0.x, where x is the WAN port + 1) instead of your normal gateway.
You would set up the filter as shown here.
NOTE:
Default Forwarding Filter
If you create one or more filters that have a matching action of forward, then the action on a packet matching none of the filters is to block any traffic.
Therefore, if the behavior you want is to force the routing of a certain type of packet and pass all others through the normal routing mechanism, you must configure one filter to match the first type of packet and apply Force Routing. A subsequent filter is required to match and forward all other packets.
Management IP traffic
If the Force Routing filter is applied to source IP addresses, it may inadvertently block communication with the router itself. You can avoid this by preceding the Force Routing filter with a filter that matches the destination IP address of the Gateway itself.
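The matching rules in this section (address and TOS matching under a mask, filter priority order, the Default Forwarding Filter note and the Management IP traffic note), modelled as an added Python example that is not part of the manual or the Gateway firmware. It assumes the first matching filter in priority order decides the packet, that a set with no forward filters passes unmatched packets, that the low-latency TOS bit is 0x10 (RFC 791), and a constructed Gateway address of 192.168.1.254; the class, field and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOW_DELAY = 0x10            # RFC 791 low-delay TOS bit (value not given in the manual)
ROUTER = "192.168.1.254"    # constructed address for the Gateway itself


def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Filter:                       # hypothetical model of one Rule Entry page
    forward: bool                   # Forward checkbox; unchecked means discard
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"       # 0.0.0.0 matches all source addresses
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"       # 0.0.0.0 matches all destination addresses
    protocol: str = "Any"
    tos: int = 0
    tos_mask: int = 0               # 0 ignores the TOS field
    gateway: Optional[str] = None   # Force Route gateway, if set

    def matches(self, pkt: dict) -> bool:
        sm, dm = ip(self.src_mask), ip(self.dst_mask)
        return (
            (ip(pkt["src"]) & sm) == (ip(self.src_ip) & sm)
            and (ip(pkt["dst"]) & dm) == (ip(self.dst_ip) & dm)
            and self.protocol in ("Any", pkt["proto"])
            # TOS is compared under its mask, the same way as the addresses
            and (pkt["tos"] & self.tos_mask) == (self.tos & self.tos_mask)
        )


def evaluate(filters, pkt):
    """Return (action, forced_gateway) for pkt against an ordered filter set."""
    for f in filters:                       # assumed: first match decides
        if f.matches(pkt):
            return ("forward", f.gateway) if f.forward else ("discard", None)
    # No filter matched: block if any filter forwards (Default Forwarding
    # Filter note); otherwise pass (assumption, not stated in this section).
    if any(f.forward for f in filters):
        return ("discard", None)
    return ("forward", None)


force_tos = Filter(True, tos=LOW_DELAY, tos_mask=LOW_DELAY, gateway="127.0.0.3")
force_lan = Filter(True, src_ip="192.168.1.0", src_mask="255.255.255.0",
                   gateway="127.0.0.3")
to_router = Filter(True, dst_ip=ROUTER, dst_mask="255.255.255.255")
forward_all = Filter(True)
drop_icmp = Filter(False, protocol="ICMP")

# Constructed sample packets
voice = {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": "UDP", "tos": 0x10}
web = {"src": "192.168.1.10", "dst": "203.0.113.80", "proto": "TCP", "tos": 0}
mgmt = {"src": "192.168.1.10", "dst": ROUTER, "proto": "TCP", "tos": 0}
ping = {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": "ICMP", "tos": 0}

if __name__ == "__main__":
    # Force-routed voice traffic, then the default-block pitfall for other traffic
    print(evaluate([force_tos], voice), evaluate([force_tos], web))
    # A trailing forward-all filter restores normal routing for other traffic
    print(evaluate([force_tos, forward_all], web))
    # Source-based Force Routing diverts management traffic away from the Gateway
    print(evaluate([force_lan, forward_all], mgmt))
    # A preceding filter on the Gateway's own address keeps it reachable
    print(evaluate([to_router, force_lan, forward_all], mgmt))
```

Reordering the list passed to `evaluate` plays the role of the Move Up and Move Down buttons.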
Link: Security Log
Security Monitoring is a keyed feature. See page 187 for information concerning installing Motorola Netopia® Software Feature Keys.
Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log file.
Using the Security Monitoring Log
You can view the Security Log at any time. Use the following steps:
1. Click the Security toolbar button.
2. Click the Security Log link.
3. Click the Show link from the Security Log tool bar.
4. An example of the Security Log is shown on the next page.
5. When a new security event is detected, you will see the Alert button.
The Security Alert remains until you view the information. Clicking the Alert button will take you directly to a page showing the log.
Your Netopia Gateway has detected and successfully blocked an event that could have compromised the security of your network.
Please refer to your customer documentation for a description of the logged event.
Number of security log entries : 5

Security alert type : Port Scan
Protocol type : TCP
IP source address : 143.137.137.14
Time at last attempt : Fri May 21 15:17:40 2004 (UTC)
Number of ports that were scanned : 9
Highest port : 1167
Lowest port : 1094
1102 1108 1094 1099 1166 1167 1151 1160 1164

Security alert type : Excessive Pings
IP source address : 143.137.137.92
IP destination address : 143.137.199.8
Number of attempts : 90
Time at last attempt : Fri May 21 17:52:22 2004 (UTC)

Security alert type : Port Scan
Protocol type : TCP
IP source address : 143.137.50.2
Time at last attempt : Fri May 21 17:51:37 2004 (UTC)
Number of ports that were scanned : 241
Highest port : 5302
Lowest port : 73
111 473 602 863 817 1994 805 395 5302 1670
(Only the first 10 ports are recorded.)

Security alert type : Port Scan
Protocol type : UDP
IP source address : 143.137.50.2
Time at last attempt : Fri May 21 17:52:43 2004 (UTC)
Number of ports that were scanned : 162
Highest port : 5236
Lowest port : 1
583 1 1471 444 4133 811 5236 650 776 1492
(Only the first 10 ports are recorded.)

Security alert type : Illegal Packet Size (Ping of Death)
IP source address : 192.168.1.3
IP destination address : 143.137.199.8
Number of attempts : 5
Time at last attempt : Fri May 21 18:05:33 2004 (UTC)
Illegal packet size : 65740
The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count.
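A parser for the Security Log display described above, as an added Python example that is not part of the manual or the Gateway software. It assumes the log text is laid out one field per line, a LAN subnet of 192.168.1.0/24 and a constructed uptime-style timestamp; it reports alerts per source, alerts sourced from the LAN, entries without a UTC timestamp, and how many alerts fell beyond the 100-message capacity.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

CAPACITY = 100                                 # log capacity stated in the manual
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet

# Entries 1 and 2 reuse values from the manual's sample log; entry 3 carries a
# constructed uptime-style timestamp (the real uptime format is not shown).
SAMPLE_LOG = """\
Number of security log entries : 3
Security alert type : Port Scan
Protocol type : TCP
IP source address : 143.137.137.14
Time at last attempt : Fri May 21 15:17:40 2004 (UTC)
Number of ports that were scanned : 9
Highest port : 1167
Lowest port : 1094
1102 1108 1094 1099 1166 1167 1151 1160 1164
Security alert type : Excessive Pings
IP source address : 143.137.137.92
IP destination address : 143.137.199.8
Number of attempts : 90
Time at last attempt : Fri May 21 17:52:22 2004 (UTC)
Security alert type : Illegal Packet Size (Ping of Death)
IP source address : 192.168.1.3
IP destination address : 143.137.199.8
Number of attempts : 5
Time at last attempt : 0 days 00:41:07
Illegal packet size : 65740
"""


def parse_time(raw):
    """Return an aware datetime for UTC stamps, None for anything else."""
    if not raw.endswith("(UTC)"):
        return None                            # e.g. uptime-based stamp
    try:
        stamp = datetime.strptime(raw[:-5].strip(), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return stamp.replace(tzinfo=timezone.utc)


def parse_log(text):
    """Return (entry count from the header, list of alert dicts)."""
    total, entries = 0, []
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(" : ")
        if not sep:                            # port list or remark line
            if entries and line.replace(" ", "").isdigit():
                entries[-1]["ports"] = [int(p) for p in line.split()]
        elif key == "Number of security log entries":
            total = int(value)
        elif key == "Security alert type":
            entries.append({"type": value})
        elif entries:
            entries[-1][key] = value
    for entry in entries:
        entry["when"] = parse_time(entry.get("Time at last attempt", ""))
    return total, entries


def is_lan(addr):
    try:
        return ipaddress.ip_address(addr) in LAN
    except ValueError:
        return False


def summarize(text):
    total, entries = parse_log(text)
    by_source = defaultdict(list)
    for entry in entries:
        by_source[entry.get("IP source address", "unknown")].append(entry["type"])
    return {
        "by_source": dict(by_source),
        "internal_sources": sorted(s for s in by_source if is_lan(s)),
        "no_utc_timestamp": sum(1 for e in entries if e["when"] is None),
        "uncaptured": max(0, total - CAPACITY),   # counted but not stored
    }
```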
To reset this log, select Reset from the Security Monitor tool bar.
The following message is displayed.
The security log has been reset.
When the Security Log contains no entries, this is the response:
The security log is empty.
Timestamp Background
During bootup, to provide better log information and to support improved troubleshooting, a Motorola Netopia® Gateway acquires the National Institute of Standards and Technology (NIST) Universal Coordinated Time (UTC) reference signal, and then adjusts it for your local time zone.
Once per hour, the Gateway attempts to re-acquire the NIST reference, for re-synchronization or initial acquisition of the UTC information. Once acquired, all subsequent log entries display this date and time information. UTC provides the equivalent of Greenwich Mean Time (GMT) information.
If the WAN connection is not enabled (or NTP has been disabled), the internal clocking function of the Gateway provides log timestamps based on “uptime” of the unit.
Install
Button: Install
From the Install toolbar button you can Install new Operating System Software and Feature Keys as updates become available.
On selected models, you can install a Secure Sockets Layer (SSL V3.0) certificate from a trusted Certification Authority (CA) for authentication purposes. If this feature is available on your Gateway, the Install Certificate link will appear in the Install page as shown. Otherwise, it will not appear.
Link: Install Software
(This link is not available on the 3342/3352 models, since firmware updates must be upgraded via the USB host driver. 3342N/3352N models are upgradeable by this procedure.)
This page allows you to install an updated release of the Motorola Netopia® Firmware.
Updating Your Gateway’s Motorola Netopia® Firmware Version. You install a new operating system image in your unit from the Install Operating System Software page. For this process, the computer you are using to connect to the Motorola Netopia® Gateway must be on the same local area network as the Motorola Netopia® Gateway.
Step 1: Required Files
Upgrading Netopia Embedded Software Version 7.7.4 requires a Motorola Netopia® firmware image file.
Background
Firmware upgrade image files are posted periodically on the Motorola Netopia® website. You can download the latest operating system software for your Gateway by accessing the following URL:
http://www.netopia.com/support/hardware/
Be sure to download the correct file for your particular Gateway. Different Gateway models have different firmware files. Also, be sure your ISP supports the version of firmware you want to use.
When you download your firmware upgrade from the Motorola Netopia® website, be sure to download the latest User Guide PDF files. These are also posted on the Motorola Netopia® website in the Documentation Center.
Confirm Motorola Netopia® Firmware Image Files
The Motorola Netopia® firmware Image file is specific to the model and the product identification number.
1. Confirm that you have received the appropriate Motorola Netopia® Firmware Image file.
2. Save the Motorola Netopia® Firmware image file to a convenient location on your PC.
Step 2: Motorola Netopia® firmware Image File
Install the Motorola Netopia® firmware Image
To install the Motorola Netopia® firmware in your Motorola Netopia® Gateway from the Home Page use the following steps:
1. Open a web connection to your Motorola Netopia® Gateway from the computer on your LAN.
2. Click the Install Software button on the Motorola Netopia® Gateway Home page.
The Install Operating System Software window opens.
3. Enter the filename into the text box by using one of these techniques:
The Motorola Netopia® firmware file name begins with a shortened form of the version number and ends with the suffix “.bin” (for “binary”). Example: nta760.bin
a. Click the Browse button, select the file you want, and click Open.
-or-
b. Enter the name and path of the software image you want to install in the text field.
4. Click the Install Software button.
The Motorola Netopia® Gateway copies the image file from your computer and installs it into its memory storage. You see a progress bar appear on your screen as the image is copied and installed.
When the image has been installed, a success message displays.
5. When the success message appears, click the Restart button and confirm the Restart when you are prompted.
Your Motorola Netopia® Gateway restarts with its new image.
Verify the Motorola Netopia® Firmware Release
To verify that the Motorola Netopia® firmware image has loaded successfully, use the following steps:
1. Open a web connection to your Motorola Netopia® Gateway from the computer on your LAN and return to the Home page.
2. Verify your Motorola Netopia® firmware release, as shown on the Home Page.
This completes the upgrade process.
Link: Install Key
You can obtain advanced product functionality by employing a software Feature Key. Software feature keys are specific to a Gateway's serial number. Once the feature key is installed and the Gateway is restarted, the new feature's functionality becomes enabled.
Use Motorola Netopia® Software Feature Keys
Motorola Netopia® Gateway users obtain advanced product functionality by installing a software feature key. This concept utilizes a specially constructed and distributed keycode (referred to as a feature key) to enable additional capability within the unit.
Software feature key properties are specific to a unit’s serial number; they will not be accepted on a platform with another serial number.
Once installed, and the Gateway restarted, the new feature’s functionality becomes available. This allows full access to configuration, operation, maintenance and administration of the new enhancement.
Obtaining Software Feature Keys
Contact Motorola or your Service Provider to acquire a Software Feature Key.
Procedure - Install a New Feature Key File
With the appropriate feature keycode, use the steps listed below to enable a new function.
1. From the Home page, click the Install toolbar button.
2. Click Install Keys
The Install Key File page appears.
3. Enter the feature keycode in the input Text Box.
Type the full keycode in the Text Box.
4. Click the Install Key button.
5. Click the Restart toolbar button.
The Confirmation screen appears.
6. Click the Restart the Gateway link to confirm.
To check your installed features:
7. Click the Install toolbar button.
8. Click the list of features link.
The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.
Link: Install Certificate
Secure Sockets Layer (SSL) is a protocol for transmitting private information over the Internet. SSL uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
Netopia Embedded Software Version 7.7.4 uses SSL certificates for TR-069 support.
SSL certificates are issued by trusted Certification Authorities (CAs). The CA digitally signs each certificate. Each client contains a list of trusted CAs. When an SSL handshake between a server and your Gateway occurs, the client verifies that the server certificate was issued by a trusted CA. If the CA is not trusted, a warning will appear. Certificates installed in your Gateway and servers to which it connects verify to each other that communications between them are encrypted and private.
Certificates are purchased from an issuing Certificate Authority, usually by your corporate IT department or other service provider, and provided to users for secure communications.
You must obtain a certificate file before you can install it.
1. To install an SSL certificate, click the Install Certificate link.
The Install Certificate page appears.
2. Browse to the location where you have saved your certificate and select the file, or type the full path.
3. Click the Install Certificate button.
4. Restart your Gateway.
CHAPTER 4 Basic Troubleshooting
This section gives some simple suggestions for troubleshooting problems with your Gateway’s initial configuration.
Before troubleshooting, make sure you have
read the Quickstart Guide;
plugged in all the necessary cables; and
set your PC’s TCP/IP controls to obtain an IP address automatically.
Status Indicator Lights
The first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below.
Motorola Netopia® Gateway 2210 status indicator lights
[Figure: front panel LEDs labeled Power, Ethernet, DSL, Internet]
LED | Action
Power | Green when power is on. Red if device malfunctions. Flashes Red when new embedded software is being installed.
Ethernet | Solid green when connected. Flash green when there is activity on the LAN.
DSL | Solid green when trained. Blinking green when no line is attached or when training.
Internet | Solid green when Broadband device is connected. Flashes green for activity on the WAN port. If the physical link comes up, but PPP or DHCP fail, the LED turns red.
Motorola Netopia® Gateway 2240N/2241N status indicator lights
[Figure: front panel LEDs labeled Power, Ethernet, DSL, USB, Internet]
LED | Action
Power | Green when power is on. Red if device malfunctions. Flashes Red when new embedded software is being installed.
Ethernet | Solid green when connected. Flash green when there is activity on the LAN.
USB (Model 2241N only) | Solid green when connected. Flash green when there is activity on the LAN.
DSL | Solid green when trained. Blinking green when no line is attached or when training.
Internet | Solid green when Broadband device is connected. Flashes green for activity on the WAN port. If the physical link comes up, but PPP or DHCP fail, the LED turns red.
Motorola Netopia® Gateway 2246N status indicator lights
[Figure: front panel LEDs labeled Power, Ethernet 1, 2, 3, 4, DSL, Internet]
LED | Action
Power | Green when power is on. Red if device malfunctions. Flashes Red when new embedded software is being installed.
Ethernet 1, 2, 3, 4 | Solid green when connected. Flash green when there is activity on the LAN.
DSL | Solid green when trained. Blinking green when no line is attached or when training.
Internet | Solid green when Broadband device is connected. Flashes green for activity on the WAN port. If the physical link comes up, but PPP or DHCP fail, the LED turns red.
Motorola Netopia® Gateway 2247NWG status indicator lights
[Figure: front panel LEDs labeled Power, Ethernet 1, 2, 3, 4, DSL, Wireless, Internet]
LED | Action
Power | Green when power is on. Red if device malfunctions. Flashes Red when new embedded software is being installed.
Ethernet 1, 2, 3, 4 | Solid green when connected. Flash green when there is activity on the LAN.
Wireless | Flashes green when there is activity on the wireless LAN. Off if driver fails to initialize, or if wireless is disabled.
DSL | Solid green when trained. Blinking green when no line is attached or when training.
Internet | Solid green when Broadband device is connected. Flashes green for activity on the WAN port. If the physical link comes up, but PPP or DHCP fail, the LED turns red.
Motorola Netopia® Gateway 3340(N), 3341(N), 3351(N) status indicator lights
[Figure: LEDs labeled Power, USB Active, DSL Traffic, DSL Sync, Ethernet Traffic, Ethernet Link]
LED | Action
Ethernet Link | Solid green when connected.
Ethernet Traffic | Flashes green when there is activity on the LAN.
DSL Traffic | Blinks green when traffic is sent/received over the WAN.
DSL Sync | Blinking green with no line attached or training, solid green when trained with the DSL line.
USB Active (Model 3341N only) | Solid green when connected; otherwise, not lit.
PPPoE Active (Model 3340N only) | Solid green when PPPoE is negotiated; otherwise, not lit.
Power | Green when power is on. Red if device malfunctions. Flashes Red when new embedded software is being installed.
Motorola Netopia® Gateway 3342/3342N, 3352/3352N status indicator lights
USB:
Solid green when USB is connected otherwise, not lit
DSL:
Blinking green with no line attached or training, solid green when trained with the DSL line.
Special patterns:
• Both LEDs are off during boot (power on boot or warm reboot).
• When the 3342/3352 successfully boots up, both LEDs flash green once.
• Both LEDs are off when the Host OS suspends the device, (e.g. Windows standby/reboot, device disabled, driver uninstalled, etc.)
Motorola Netopia® Gateway 3346(N), 3356(N) status indicator lights
[Figure: LEDs labeled Power, DSL Sync, LAN 1, 2, 3, 4]
LED | Action
Power | Green when power is on. Red if device malfunctions. Flashes Red when new embedded software is being installed.
DSL Sync | Blinking green with no line attached or training, solid green when trained with the DSL line.
LAN 1, 2, 3, 4 | Solid green when connected; Flash green when there is activity on the LAN.