How it Works
Billion
Loading...
810VNTX
User Manual
130 pgs4.11 Mb0

Billion 810VNTX, 810VGTX User Manual

Download
Page 1
Page 2
Table of Contents
CHAPTER 1: INTRODUCTION ..........................................................................................................................................3
Introduction to your Router ..............................................................................................................................................3
Features ..........................................................................................................................................................................3
Express Internet Access .............................................................................................................................................. 3
3G ................................................................................................................................................................................ 3
802.11n Wireless AP with WPA Support ..................................................................................................................... 3
Fast Ethernet Switch .................................................................................................................................................... 3
Multi-Protocol to Establish a Connection ..................................................................................................................... 3
Quick Installation Wizard ............................................................................................................................................. 4
Universal Plug and Play (UPnP) and UPnP NAT Traversal ........................................................................................ 4
Network Address Translation (NAT) ............................................................................................................................ 4
SOHO Firewall Security with DoS and SPI ................................................................................................................. 4
Domain Name System (DNS) Relay ........................................................................................................................... 4
Dynamic Domain Name System (DDNS) .................................................................................................................... 4
Quality of Service (QoS) .............................................................................................................................................. 4
Virtual Server (“port forwarding”) ................................................................................................................................. 4
Rich Packet Filtering .................................................................................................................................................... 5
Dynamic Host Configuration Protocol (DHCP) Client and Server ............................................................................... 5
Static and RIP1/2 Routing ........................................................................................................................................... 5
Simple Network Management Protocol (SNMP) ......................................................................................................... 5
Web based GUI ........................................................................................................................................................... 5
Firmware Upgradeable ................................................................................................................................................ 5
Rich Management Interfaces ....................................................................................................................................... 5
Virtual Private Network (VPN) ..................................................................................................................................... 5
CHAPTER 2: INSTALLING THE ROUTER ........................................................................................................................6
Package Contents ...........................................................................................................................................................6
Device Description ..........................................................................................................................................................7
The Front LEDs ........................................................................................................................................................... 7
The Rear Ports ............................................................................................................................................................ 8
Cabling ......................................................................................................................................................................... 9
CHAPTER 3: BASIC INSTALLATION ............................................................................................................................. 10
Connecting Your Router ............................................................................................................................................... 10
Network Configuration .................................................................................................................................................. 11
Configuring PC in Windows Vista/ 7 .......................................................................................................................... 11
Configuring PC in Windows XP ................................................................................................................................. 12
Configuring PC in Windows 2000 .............................................................................................................................. 13
Configuring PC in Windows 95/98/Me ....................................................................................................................... 14
Configuring PC in Windows NT4.0 ............................................................................................................................ 15
Factory Default Settings ............................................................................................................................................... 16
Information from your ISP ............................................................................................................................................ 17
Configuring with your Web Browser ............................................................................................................................. 17
Page 3
Page | 2
CHAPTER4: CONFIGURATION ...................................................................................................................................... 18
Status ........................................................................................................................................................................... 19
ADSL Status .............................................................................................................................................................. 19
3G Status ................................................................................................................................................................... 19
ARP Table .................................................................................................................................................................. 20
DHCP Table ............................................................................................................................................................... 21
Routing Table ............................................................................................................................................................. 21
NAT Sessions ............................................................................................................................................................. 22
UPnP Portmap ........................................................................................................................................................... 22
PPTP Status .............................................................................................................................................................. 23
IPSec Status .............................................................................................................................................................. 23
VoIP Status................................................................................................................................................................. 24
VoIP Call Log ............................................................................................................................................................. 25
Event Log ................................................................................................................................................................... 25
Error Log .................................................................................................................................................................... 26
Diagnostic .................................................................................................................................................................. 26
Quick Start .................................................................................................................................................................... 27
Configuration ................................................................................................................................................................ 32
LAN - Local Area Network ......................................................................................................................................... 32
WAN - Wide Area Network ......................................................................................................................................... 41
System ....................................................................................................................................................................... 52
Firewall and Access Control ...................................................................................................................................... 57
VPN - Virtual Private Networks .................................................................................................................................. 71
L2TP (Layer Two Tunneling Protocol) ........................................................................................................................ 86
VoIP - Voice over Internet Protocol ............................................................................................................................ 96
SIP Accounts .............................................................................................................................................................. 98
Phone Port ................................................................................................................................................................. 99
QoS - Quality of Service .......................................................................................................................................... 107
Virtual Server (known as Port Forwarding) .............................................................................................................. 114
Time Schedule ......................................................................................................................................................... 120
Advanced ................................................................................................................................................................. 122
Logout ...................................................................................................................................................................... 127
Chapter 5: Troubleshooting ............................................................................................................................................ 128
Problems with WAN interface
..................................................................................................................................... 128
Problem with LAN interface
........................................................................................................................................ 128
Contact Telkom ADSL Support
.................................................................................................................................. 129
Contact Modem Support
............................................................................................................................................ 129
Page 4
Page | 3
CHAPTER 1: INTRODUCTION
Introduction to your Router
Welcome to the 3G/VoIP/802.11n/ADSL2+/VPN Firewall Router. The router is an “all-in-one” ADSL router, combining an ADSL modem, ADSL router and Ethernet network switch functionalities, providing everything you need to get the machines on your network connected to the Internet over your ADSL broadband connection. With features such as an ADSL Quick-Start wizard and DHCP Server, you can be online in no time at all and with a minimum of fuss and configuration, catering for first-time users to the guru requiring advanced features and control over their Internet connection and network.
Features
Express Internet Access
The router complies with ADSL worldwide standards. It supports downstream rate up to 12/24 Mbps with ADSL2/2+, 8Mbps with ADSL. Users enjoy not only high-speed ADSL services but also broadband multimedia applications such as interactive gaming, video streaming and real-time audio much easier and faster than ever. It is compliant with Multi-Mode standard (ANSI T1.413, Issue 2; G.dmt (ITU G.992.1); G.lite (ITU G.992.2); G.hs (ITU G994.1); G.dmt.bis (ITU G.992.3); G.dmt.bis.plus (ITU G.992.5)).
3G
A 3G-based Internet connection (requires an additional 3G USB modem); with automatic fail-over to ensure an always-on Internet connection in the event that one of your Internet services fails. Secure WLAN setup is simplified by the web browser-based configuration for easy access to the Internet wherever a 3G connection is available - whether you're seated at your desk or taking a cross-country train trip.
802.11n Wireless AP with WPA Support
With integrated 802.11n Wireless Access Point in the router, the device offers a quick and easy access among wired network, wireless network and broadband connection (ADSL) with single device simplicity, and as a result, mobility to the users. In addition to 300 Mbps 802.11n data rate, it also interoperates backward with existing 802.11g and 802.11b equipment. The Wireless Protected Access (WPA-PSK and WPA2-PSK) and Wireless Encryption Protocol (WEP) supported features enhance the security level of data protection and access control via Wireless LAN.
Fast Ethernet Switch
A 4-port 10/100Mbps fast Ethernet switch is built in with automatic switching between MDI and MDI-X for 10Base-T and 100Base-TX ports. An Ethernet straight or crossover cable can be used directly for auto detection.
Multi-Protocol to Establish a Connection
It supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation overATM (bridged or routed), PPP over Ethernet (RFC 2516), and IPoA (RFC1577) to establish a connection with the ISP. The product also supports VC-based and LLC-based multiplexing.
Page 5
Page | 4
Quick Installation Wizard
It supports a WEB GUI page to install this device quickly. With this wizard, end users can enter the information easily which they get from their ISP, then surf the Internet immediately.
Universal Plug and Play (UPnP) and UPnP NAT Traversal
This protocol is used to enable simple and robust connectivity among stand-alone devices and PCs from many different vendors. It makes network simple and affordable for users. UPnP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices. With this feature enabled, users can now connect to Net meeting or MSN Messenger seamlessly.
Network Address Translation (NAT)
Allows multi-users to access outside resources such as the Internet simultaneously with one IP address/one Internet access account. Many application layer gateways (ALG) are supported such as web browser, ICQ, FTP, Telnet, E-mail, News, Net2phone, Ping, NetMeeting, IP phone and others.
SOHO Firewall Security with DoS and SPI
Along with the built-in NAT natural firewall feature, the router also provides advanced hacker pattern-filtering protection. It can automatically detect and block Denial of Service (DoS) attacks. The router is built with Stateful Packet Inspection (SPI) to determine if a data packet is allowed through the firewall to the private LAN.
Domain Name System (DNS) Relay
It provides an easy way to map the domain name (a friendly name for users such as www.yahoo. com) and
IP address. When a local machine sets its DNS server with this router‟s IP address, every DNS conversion
request packet from the PC to this router will be forwarded to the real DNS in the outside network.
Dynamic Domain Name System (DDNS)
The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname. This dynamic IP address is the WAN IP address. For example, to use the service, you must first apply for an account from a DDNS service like http://www.dyndns.org/. More than 5 DDNS servers are supported.
Quality of Service (QoS)
QoS gives you full control over which types of outgoing data traffic should be given priority by the router, ensuring important data like gaming packets, customer information, or management information move through the router at lightning speed, even under heavy load. The QoS features are configurable by source IP address, destination IP address, protocol, and port. You can throttle the speed at which different types of
outgoing data pass through the router, to ensure P2P users don‟t saturate upload bandwidth, or office browsing doesn‟t bring client web serving to a halt. In addition, or alternatively, you can simply change the
priority of different types of upload data and let the router sort out the actual speeds.
Virtual Server (“port forwarding”)
Users can specify some services to be visible from outside users. The router can detect incoming service requests and forward either a single port or a range of ports to the specific local computer to handle it. For example, a user can assign a PC in the LAN acting as a WEB server inside and expose it to the outside network. Outside users can browse inside web servers directly while it is protected by NAT. A DMZ host setting is also provided to a local computer exposed to the outside network, Internet.
Page 6
Page | 5
Rich Packet Filtering
Not only filters the packet based on IP address, but also based on Port numbers. It will filter packets from and to the Internet, and also provides a higher level of security control.
Dynamic Host Configuration Protocol (DHCP) Client and Server
In the WAN site, the DHCP client can get an IP address from the Internet Service Provider (ISP) automatically. In the LAN site, the DHCP server can allocate a range of client IP addresses and distribute them including IP address, subnet mask as well as DNS IP address to local computers. It provides an easy way to manage the local IP network.
Static and RIP1/2 Routing
It has routing capability and supports easy static routing table or RIP1/2 routing protocol.
Simple Network Management Protocol (SNMP)
It is an easy way to remotely manage the router via SNMP.
Web based GUI
It supports web based GUI for configuration and management. It is user-friendly and comes with on-line help. It also supports remote management capability for remote users to configure and manage this product.
Firmware Upgradeable
Device can be upgraded to the latest firmware through the WEB based GUI.
Rich Management Interfaces
It supports flexible management interfaces with local console port, LAN port, and WAN port. Users can use terminal applications through the console port to configure and manage the device, or Telnet, WEB GUI, and SNMP through LAN or WAN ports to configure and manage the device.
Virtual Private Network (VPN)
It allows user to make a tunnel with a remote site directly to secure the data transmission among the connection. User can use embedded PPTP and L2TP client/server, IKE and IPSec which are supported by this router to make a VPN connection or users can run the PPTP client in PC and the router already provides IPSec and PPTP pass through function to establish a VPN connection if the user likes to run the PPTP client in his local computer.
Page 7
Page | 6
CHAPTER 2: INSTALLING THE ROUTER
Important note for using this router
Package Contents
Billion 810VNTX Router CD-ROM containing this online manual 3 x RJ-11 ADSL/telephone Cable Ethernet (CAT-5) Cable Serial to Ethernet converter Integrated surge and AC-DC power adapter (15VDC, 1.6A) 2 x detachable antennas ADSL Micro Filter ADSL Splitter Quick Start Guide
Warning
Do not use the router in high humidity or high temperatures.  Do not use the same power source for the router as other equipment.  Do not open or repair the case yourself. If the router is too hot, turn off the
power immediately and have it repaired at a qualified service center.
Avoid using this product and all accessories outdoors.
Place the router on a stable surface.  Only use the power adapter that comes with the package. Using a different
voltage rating power adaptor may damage the router.
Page 8
Page | 7
Device Description
The Front LEDs
LED
Meaning
1
Power
Both red and green LEDs lit together when power is ON. Lit red means system failure. Restart the device or contact Billion for support. Lit green when the device is ready.
2
Ethernet Port 1X 4X (RJ-45 connector)
Lit when one of LAN ports is connected to an Ethernet device. Lit green when the speed of transmission is 100Mbps; Lit orange when the speed of transmission is 10Mbps. Flashing when data is being Transmitted / Received.
3
USB
Lit green when the router is connected to a USB device. Flashing when data is received / transmitted
4
Wireless
Lit green when the wireless connection is established. Flashes when sending/receiving data.
5
Phone 1X – 2X (RJ-11 connector)
Lit green when phone is off hook.
6
LINE
Lit green when the inbound and outbound calls are transmitted through PSTN.
7
VoIP 1x-2x (RJ-11 connector)
After SIP registration is complete, the LED will light up green whenever phone 1 is off hook but will light up orange for phone 2.
Note: Orange light also means that both Phone 1 and 2 have been registered correctly at the same time.
8
DSL
Lit Green when the device is successfully connected to an ADSL DSLAM. (“line sync”).
9
Internet
Lit red when WAN port fails to get IP address. Lit green when WAN port gets IP address successfully.
Page 9
Page | 8
Ethernet port #4 can be used as a console port. You need a special
console connector which is included in the package to connect with the LAN.
The Rear Ports
LED
Meaning
1
Antenna
Connect the detachable antenna to this port.
2
DSL
Connect this port to the ADSL/telephone network with the RJ-11 cable (telephone) provided.
3
Line
Connect this port to the telephone jack on the wall with RJ-11 cable.
4
Phone 1X – 2X
(RJ-11 connector)
Connect this port to an analogue phone set with RJ-11 cable.
5
USB
Connect the USB cable to this port.
6
Ethernet 1X 4X (RJ-45 connector)
Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the LAN ports when connecting to a PC or an office/home network of 10Mbps or 100Mbps.
Caution: Port 4 can either be LAN or Console port but not both at the same time.
7
RESET
After the device is powered on, press it to reset the device or restore to factory default settings. 1-3 seconds: reset the device 6 - 8 seconds: restore to factory default settings (this is useful when you have forgotten the router‟s administrative password).
Note: If the reset button is pressed for more than 10 seconds the device will need to be power cycled before normal operation can be resumed.
8
WPS
Push WPS button to trigger Wi-Fi Protected Setup function.
Page 10
Page | 9
Cabling
One of the most common causes of problems is bad cabling or ADSL line(s). Make sure that all connected devices are turned on. On the front panel of your router is a bank of LEDs. Verify that the LAN Link and ADSL line LEDs are lit. If they are not, verify if you are using the proper cables.
Make sure that all devices (e.g. telephones, fax machines, analogue modems) connected to the same telephone line as your router have a line filter connected between them and the wall outlet (unless you are using a Central Splitter or Central Filter installed by a qualified and licensed electrician), and that all line filters are correctly installed in a right way. If line filter is not installed and connected properly, it may cause problem to your ADSL connection or may result in frequent disconnections.
Page 11
Billion 810VNTX Router
Page | 10
Any TCP/IP capable workstation can be used to communicate with or
through this router. To configure other types of workstations, please consult your manufacturer documentation.
CHAPTER 3: BASIC INSTALLATION
The router can be configured through your web browser. A web browser is included as a standard application in the following operating systems: Linux, Mac OS, Windows 98/NT/2000/XP/Me/Vista/7, etc. The product provides an easy and user-friendly interface for configuration.
Please check your PC network components. The TCP/IP protocol stack and Ethernet network adapter must be installed. If not, please refer to your Windows-related or other operating system manuals.
There are various ways to connect the router, either through an external repeater/hub or connect directly to your PC. However, make sure that your PC has an Ethernet interface properly installed prior to connecting the router. You must configure your PC to obtain an IP address through a DHCP server or a fixed IP address that must be in the same subnet as the router. The default IP address of the router is 10.0.0.2 and the subnet mask is
255.255.255.0 (i.e. any attached PC must be in the same subnet, and have an IP address in the range of 10.0.0.100 to 10.0.0199). The best and easiest way is to configure the PC to get an IP address automatically from the router using DHCP. If you encounter any problems accessing the router web interface it is advisable to uninstall your firewall program on your PC, as these tend to cause problems accessing the IP address of the router. Users should make their own decisions on what is best to protect their network.
Please follow the following steps to configure your network environment.
Connecting Your Router
1. Connect the power adapter as illustrated below
and power on the device, m
ake sure that the Power LED is
lit
steadily.
2.
Connect your network or computer to the router using the LAN (Local Area Network)
cable.
3.
Connect the ADSL/telephone (
ADSL)
cable to the router‟s DSL port as illustrated below
4.
Connect an RJ11 cable to VoIP port when connecting to an analogue phone set. Refer to figure below.
5. Connect RJ-11 cable to LINE Port when connecting to the telephone wall jack/PSTN network. Refer to figure below.
Page 12
Billion 810VNTX Router
Page | 11
Network Configuration
Configuring PC in Windows Vista/ 7
1. Go to Start. Click on Network.
2. Then click on Network and Sharing Center at the top bar.
3. When the Network and Sharing Center Window pops up, select and click on Manage Network connections on the left window column.
4. Select the Local Area Connection, and right click the icon to select Properties.
5. Select Internet Protocol Version 4 (TCP/IP) then Click Next.
6. In the TCP/IPv4 properties window, select the Obtain an IP address automatically and Obtain DNS Server address automatically radio buttons. Then click OK to exit the setting.
7. Click OK again in the Local Area Connection Properties window to apply the new configuration.
Page 13
Page | 12
Configuring PC in Windows XP
1. Go to Start / Control Panel (in Classic View). In the Control Panel, double-click Network Connections.
2. Double-click Local Area Connection.
3. In the LAN Area Connection Status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons.
6. Click OK to finish the configuration.
Page 14
Page | 13
Configuring PC in Windows 2000
1. Go to Start / Settings / Control Panel. In the Control Panel, double­click Network and Dial-up Connections.
2. Double-click Local Area Connection (“LAN”)
3. In the Local Area Connection status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons.
6. Click OK to finish the configuration.
.
Page 15
Page | 14
Configuring PC in Windows 95/98/Me
1. Go to Start / Settings / Control Panel. In the Control Panel, double­click Network and choose the Configuration tab.
2. Select TCP / IP -> NE2000 Compatible, or the name of any Network Interface Card (NIC) in your PC.
3. Select the IP Address tab. In this page, click the Obtain an IP address automatically radio button.
4. Then select the DNS Configuration tab.
5. Select the Disable DNS radio button and click OK to finish the configuration.
Page 16
Page | 15
Configuring PC in Windows NT4.0
1. Go to Start / Settings / Control Panel. In the Control Panel, double-click Network and choose the Protocols tab
2. Select TCP/IP Protocol and click Properties.
3. Select the Obtain an IP address from a DHCP server radio button and click OK.
Page 17
Page | 16
If you ever forget the login password, please press and hold the reset
button for longer than 6 seconds to restore the factory default settings.
Factory Default Settings
Before configuring your router, you need to know the following default settings.
Web Interface (Username and Password)
Username: admin
Password: admin
A
Attention
The default username and password are “admin” and “admin” respectively.
Device LAN IP settings
IP Address: 10.0.0.2 Subnet Mask: 255.255.255.0
ISP setting in WAN site
PPPoE
DHCP server
DHCP server is enabled.
Start IP Address: 10.0.0.100
IP pool counts: 100
LAN and WAN Port Addresses
The parameters of LAN and WAN ports are pre-set in the factory. The default values are shown in
the tale.
LAN Port
WAN Port
IP address
http://10.0.0.2
The PPPoE function is enabled to automatically get the WAN port configuration from the ISP, but you have to set the username and password first.
Subnet Mask
255.255.255.0
DHCP server function
Enabled
IP addresses for distribution to PCs
100 IP addresses continuing from
10.0.0.100 through 10.0.0.199
Page 18
Page | 17
Information from your ISP
Telkom ADSL connections use PPPoE, and automatically assign a WAN IP address to your router. The following information is provided should you wish to connect to an alternative ISP. Gather the information as illustrated in the following table and keep it for reference.
PPPoE
VPI/VCI, VC / LLC-based multiplexing, Username, Password, Service Name, and Domain Name System (DNS) IP address (this is automatically set by the Telkom network but be set manually should this be required).
PPPoE (Multisession)
VPI/VCI, VC / LLC-based multiplexing, Username, Password, Service Name, Domain Name System (DNS) IP address and multiple-sessions on the same PVC.
PPPoE / PPPoE with Pass-through
VPI/VCI, VC / LLC-based multiplexing, Username, Password, Service Name, and Domain Name System (DNS) IP address (this is automatically set by the Telkom
network
but be set manually should this be required). In addition,
additional WAN address can be assigned using PPPoE dialler.
PPPoA
VPI/VCI, VC / LLC-based multiplexing, Username, Password and Domain Name System (DNS) IP address (it can be automatically assigned by your ISP when you connect or be set manually).
RFC 1483 Bridged
VPI/VCI, VC / LLC-based multiplexing to use Bridged Mode.
RFC 1483 Routed
VPI/VCI, VC / LLC-based multiplexing, IP address, Subnet mask, Gateway address, and Domain Name System (DNS) IP address (it is a fixed IP address).
IPoA Routed
VPI/VCI, VC / LLC-based multiplexing, IP address, Subnet mask, Gateway address, and Domain Name System (DNS) IP address (it is a fixed IP address).
Configuring with your Web Browser
Open your web browser, enter the IP address of your router, which by default is 10.0.0.2, and click “Go”, a user name and password window prompt will appear. The default username and password are “admin” and “admin” respectively. (See Figure below)
Figure: User name & Password Prompt Window
Congratulations! You are now successfully logged onto your Router!
Page 19
Page | 18
CHAPTER4: CONFIGURATION
At the configuration homepage, the left navigation column provides you the link to each configuration page. The category of each configuration page is listed as below.
Status
ADSL Table 3G Status ARP Table DHCP Table Routing Table NAT Sessions UpnP Portmap PPTP Status IPSec Status L2TP Status Email Status VoIP Status VoIP Call Log Event Log Error Log Diagnostic
Quick Start
Configuration
LAN WAN System Firewall VPN VoIP QoS Virtual Server Time Schedule Advanced
Page 20
Page | 19
Status
ADSL Status
This section displays the overall status of ADSL, such as DSP firmware version, Operational mode, Upstream/downstream rate, SNR margin, Line Attenuation, CRC Errors and Latency rate.
3G Status
This section displays the 3G Card overall status with information such as the current signal strength, statistics of current data transmission and total data transmission.
Page 21
Page | 20
Status: The current status of the 3G card. Signal Strength: The signal strength bar indicates the current 3G signal strength. Network Name: The network name that the device is connected to. Card Name: The name of the 3G card. Card Firmware: The current firmware of the 3G card. Current TX Bytes / Packets: The statistics of data transmission in bytes / packets during a call. Current RX Bytes / Packets: The statistics of data received in bytes / packets during a call. Total TX Bytes / Packets: The statistics of total data transmission in bytes / packets since system ready. Total RX Bytes / Packets: The statistics of total data received in bytes / packets since system ready.
ARP Table
This section displays the router ARP (Address Resolution Protocol) Table which shows the mapping of Internet (IP) addresses to Ethernet (MAC) addresses. This is a quick way of determining the MAC address of the network interface of your PCs that use the Firewall – MAC Address Filter function. See the Firewall section of this manual for more information on this feature.
IP Address: Shows a list of IP addresses of devices on your LAN (Local Area Network). MAC Address: Shows the MAC (Media Access Control) addresses of each device on your LAN. Interface: Shows the interface name (on the router) that this IP Address connects to. Static: Static status of the ARP table entry:
no” for dynamically-generated ARP table entries. yes” for static ARP table entries added by the user.
Page 22
Page | 21
DHCP Table
Leased: Shows the information of the DHCP assigned IP addresses.
Expired: Shows the information of all expired IP addresses.
Permanent: Shows the fixed host mapping information.
Leased Table
IP Address: Shows the IP address that is assigned to each client. MAC Address: Shows the MAC address of each client. Client Host Name: Shows the Host Name (Computer Name) of the client. Expiry: Shows the current lease time of each client.
Routing Table
Routing Table
Valid: A check mark indicates a successful routing status. Destination: Shows the IP address of the destination network. Netmask: Shows the destination Netmask address. Gateway/Interface: Shows the IP address of the gateway or the existing interface that this route will use. Cost: The number of hops counted as the cost of the route.
Page 23
Page | 22
RIP Routing Table
Destination: Shows the IP address of the destination network. Netmask: Shows the destination Netmask address. Gateway: Shows the IP address of the gateway that this route will use. Cost: The number of hops counted as the cost of the route.
NAT Sessions
This section lists all the current NAT sessions between external (WAN) and internal (LAN) interface.
UPnP Portmap
This section lists all the established port-mapping using UPnP (Universal Plug and Play). See the Advanced section of this manual for more details on UPnP and the router UPnP configuration options.
Page 24
Page | 23
PPTP Status
This shows details of your configured PPTP VPN Connections.
Name: Shows the name you assign to a particular PPTP connection in your VPN configuration. Type: Shows the type of connection (dial-in/dial-out). Enable: Shows whether the connection is currently enabled. Active: Shows whether the connection is currently active. Tunnel Connected: Shows whether the VPN Tunnel is currently connected. Call Connected: Shows whether the Call for this VPN entry is currently connected. Encryption: Shows the encryption type used for this VPN connection.
IPSec Status
This shows the details of your configured IPSec VPN Connections.
Name: Shows the name you assign to a particular VPN entry. Active: Shows whether the VPN Connection is currently Active. Connection State: Shows the connection status of VPN. Statistics: Shows the statistics of your VPN Connection. Local Subnet: Shows the local IP Address or Subnet that is being used. Remote Subnet: Shows the Subnet of the remote site. Remote Gateway: Shows the Remote Gateway IP address.
SA: Shows the Security Association of this VPN entry.
Page 25
Page | 24
L2TP Status
This shows the details of your configured L2TP VPN Connections.
Name: Shows the name you assign to a particular L2TP connection in your VPN configuration. Type: Shows the type of connection (dial-in/dial-out). Enable: Shows whether the connection is currently enabled. Active: Shows whether the connection is currently active. Tunnel Connected: Shows the current connection status of the VPN Tunnel. Call Connected: Shows the current connection status of a particular VPN entry call. Encryption: Shows the encryption type used for this VPN connection.
VoIP Status
This table shows the status of the phone ports when VoIP feature has been activated. It displays information such as domain name, display name & phone number of the VoIP device.
Page 26
Page | 25
VoIP Call Log
The call log records the data from your VoIP devices such as the date / time of dial out calls, the duration of the calls, information about the missed calls and also incoming calls.
Event Log
This page displays all the event Log entries of the router such as when the ADSL gets disconnected and during Firewall triggered events like Intrusion or Blocking Logging. Please see the Firewall section of this manual for more details on how to enable Firewall logging.
Page 27
Page | 26
Error Log
Any errors encountered by the router (e.g. invalid names given to entries) are logged to this window.
Diagnostic
It tests the connection to computer(s) which is connected to the LAN ports and also the WAN Internet connection. If PING
www.google.com is shown as FAIL and the rest is shown as PASS, you should check if your PCs DNS settings are
correct.
Page 28
Page | 27
Quick Start
1. Click Quick Start. Select the connect mode you want. There are 3 options to choose from: ADSL, EWAN
or 3G.
Select ADSL mode from the drop down menu and click Continue.
2. If your ADSL line is not ready, you need to check your ADSL line has been set or not.
3. If your ADSL line is ready, the ADSL Line is Ready screen will appear. Choose the Auto radio button and click Apply. It will automatically scan the recommended mode for you. If you choose to configure it manually then you must up the ADSL line settings manually.
Page 29
Page | 28
4. Please enter your “Username” and “Password” as supplied by your ISP (Internet Service Provider)
and click
Apply to continue.
Profile Port: Select the connection mode. Protocol: Select the protocol mode. The default mode is PPPoE. VPI/VCI: Enter the VPI and VCI information provided by your ISP. Username: Enter the username provided by your ISP. Password: Enter the password provided by your ISP. Service Name: This item is for identification purposes. If it is required, your ISP provides you the information. Authentication Protocol: Default is Auto. Your ISP advises on using Chap or Pap. IP Address: Your WAN IP address. Leave this at 0.0.0.0 to obtain an IP address automatically from your ISP. Obtain DNS automatically: Click to activate DNS and to enable the system to automatically detect DNS. Primary DNS / Secondary DNS: Enter the IP addresses of the DNS servers. The DNS servers are passed to the
DHCP clients along with the IP address and the netmask.
Page 30
Page | 29
5.
Configure the Wireless LAN setting.
WLAN Service: Default setting is set to Enable. If you want to use wireless. ESSID: The ESSID is the unique name of a wireless access point (AP). For security proposes, change the SSID to an ID
other than the default ID set on the Access Point (AP). It is case sensitive and must not exceed 32 characters. Make sure your wireless clients have the correct ESSID, in order to connect to your network.
ESSID Broadcast: It is function in which the ESSID will not be broadcast. A wireless client will not be able to view your wireless network unless they enter your ESSID manually. Default setting is Enable.
Enable: When Enable is selected, anybody with a wireless network adapter will be able to view your wireless network.
Disable: Select Disable if you do not want to broadcast your ESSID. When Disable is selected, no
one will
be able to view your wireless network.
Regulation Domain: There are seven Regulation Domains for you to choose from, including North America (N. America), Europe, France, etc. The Channel ID will be different based on these settings.
Channel ID: Select the channel ID that you would like to use. Security Mode: You can disable or enable with WPA or WEP for protecting your wireless network. The
default mode for
wireless security is Enable.
Page 31
Page | 30
6. Set up VoIP.
SIP: To use VoIP SIP as VoIP call signaling protocol. Default is set to Disable. Region: This selection is a drop-down box, which allows user to select the country for which the VoIP device must work.
When a country is selected, the country parameters are automatically loaded. SIP Service Provider: This section allows you to select the service provider. When the selection is done, respective
parameters below are automatically displayed.
Phone Number: This parameter holds the registration ID of the user within the VoIP SIP registrar. Username: If the username is the same as the Phone Number, leave it blank. Otherwise, fill in the space with your
username given by your VoIP provider.
Password: This parameter holds the password used for authentication within VoIP SIP registrar. Display Name: This parameter will be displayed on Caller ID.
7. Wait for the configuration to save.
Page 32
Page | 31
8. When the ADSL line has synchronized, a “check” mark will appear next to the ADSL Port.
Page 33
Page | 32
Configuration
When you click configuration, the column will expand to display the sub-items that will allow you to further configure your ADSL router.
LAN, WAN, System, Firewall, VoIP, QoS, Virtual Server, Time Schedule and Advanced
The function of each sub-item is described in the following sections.
LAN - Local Area Network
Here are the items within the LAN section: Bridge Interface, Ethernet, IP Alias, Ethernet Client Filter, Wireless, Wireless Security, Wireless Client Filter, WPS, Port Setting and DHCP Server.
Bridge Interface
You can setup member ports for each VLAN group under Bridge Interface section. Ethernet: P1 & P2 (Port 1, 2) Ethernet1: P3, P4 & Wireless (Port 3, 4 & wireless). Uncheck P3, P4 & Wireless from Ethernet VLAN port first. Note: You should setup each VLAN group with caution. Each Bridge Interface is arranged in this order.
Bridge Interface
VLAN Port (Always starts with)
Ethernet
P1 / P2 / P3 / P4
Ethernet1
P2 / P3 / P4
Ethernet2
P3 / P4
Ethernet3
P4
Management Interface: To specify which VLAN group is able to perform device management, for e.g.: web management.
NAT/NAPT can be applied to management interfaces only
Page 34
Page | 33
Ethernet
The router supports more than one Ethernet IP address. The LAN allows multiple PC‟s to access the internet at the same time. Users usually only have one subnet in their LAN. The default IP address for the router is 10.0.0.2.
Primary IP Address:
IP Address: The default IP on this router. Subnet Mask: The default subnet mask on this router. RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function.
IP Alias
This function enables the creation of multiple virtual IP interfaces for this router. It helps to connect two or more local networks to the ISP or remote node. In this case, an internal router is not required.
IP Address: Specify an IP address for this virtual interface. Netmask: Specify a subnet mask for this virtual interface. Security Interface: Specify the firewall setting for this virtual interface.
Internal: This means the network is behind NAT. All traffic will do network address translation
when sending out
data to the Internet if NAT is enabled. External: This means there is no NAT on this IP interface and it is connected directly to the Internet. This
function is mostly used when you are provided with multiple public IP addresses by the ISP. In this case, you can use the public IP address in the local network whose gateway IP address points to the IP address on this interface.
DMZ: Specify this network to a DMZ area. There is no NAT on this interface.
Page 35
Page | 34
Ethernet Client Filter
The Ethernet Client Filter can support up to 16 Ethernet network computers. It enables you to accept traffic from specific authorized computers or to restrict unwanted computer(s) from accessing your LAN.
There are no pre-defined Ethernet MAC address filter rules; you can add the filter rules to meet your requirements.
Ethernet Client Filter: Default setting is set to Disable.
Allowed: Check to enable a specific PC to access your LAN by inserting the MAC Address in the space
provided or click the Candidate button. Make sure your PC‟s MAC is listed.
Blocked: Check to prevent an unwanted PC from accessing your LAN by inserting the MAC Address in the space provided or click the Candidate button. Make sure your PC‟s MAC is not listed.
The maximum number of clients is 16. The MAC addresses should be 6 bytes long and are represented only in hexadecimal characters. Only numbers (0 - 9) and letters (a - f) are acceptable.
Note: Follow the MAC Address Format xx:xx:xx:xx:xx:xx. Colons ( : ) must be included.
Candidates: automatically detects devices that are connected to the router through the Ethernet. Click the Candidate button to access the Active PC in LAN window.
Active PC in LAN: Active PC in LAN window displays a list of IP Address & MAC Addresses of Ethernet devices which are currently connected to the router.
You can check the checkbox next to the IP address to block or to allow the PC from accessing the LAN. Then, click Add to insert the IP to the Ethernet Client Filter table. The maximum number of supported Ethernet clients is 16.
Page 36
Page | 35
Wireless
Parameters
WLAN Service: Default setting is set to Enable. If you do not have any wireless devices, select Disable. Mode: The default setting is 802.11b+g+n (Mixed mode). If you do not know or you have both 11g and 11b devices on
your network, then keep the setting in mixed mode. From the drop-down menu, you can select 802.11g if you know that there are only 802.11g cards. You may do the same for 802.11b as well as 802.11n.
ESSID: The ESSID is the unique name given to a wireless access point (AP) used to distinguish one access point from another. For security purposes, please change the default wlan-ap to a unique ID. It is case sensitive and must not exceed 32 characters. Make sure your wireless clients have the same ESSID as the device in order to connect to your network.
Note: It is case sensitive and must not exceed 32 characters. ESSID Broadcast: It is used to broadcast the routers ESSID over the network so that when a wireless client searches
for a network, the router can be discovered and recognized. Default setting is set to „Enable.
Enable: When enabled, you allow anybody with a wireless client to locate the Access Point (AP) of your router. Disable: When disabled, you do not broadcast your ESSID. Therefore, no one will be able to
locate the Access
Point (AP) of your router.
Regulation Domain: There are seven Regulation Domains for you to choose from, including North America (N. America), Europe, France, etc. The Channel ID will be different based on this setting.
Page 37
Page | 36
Channel ID: Select the wireless channel ID that you would like to use. Note: Wireless performance may degrade if the selected channel ID is already being occupied by other AP(s). TX Power Level: It is a function that enhances the wireless transmission signal strength. Users may adjust this power
level from minimum 1 up to maximum 100 or 127 depending on the models used. Please refer to the note table for the appropriate power level range of your model.
Note: The Power Level may be different in each access network user premises environment, so choose the most suitable level for your network.
Connected: Displayed either as true or false. This is the connection status between the system and the built-in wireless card.
AP MAC Address: It is a unique hardware address for the Access Point. AP Firmware Version: The Access Point firmware version.
Wireless Distribution System (WDS) WDS is a wireless access point mode that enables a wireless link and communication with other access points. It is
easy to install simply by defining the peers MAC address of the connected AP. WDS takes advantage of the cost saving and flexibility, because no extra wireless client device is required to bridge between two access points, and extending an existing wired or wireless infrastructure network to create a larger network. It can connect up to 4 wireless APs for extended coverage at the same time.
In addition, WDS also enhances its link connection security mode. Key encryption and channel must be the same for both access points.
WDS Service: The default setting is Disabled. Check Enable radio button to activate this function.
1. Peer WDS MAC Address: It is the associated AP MAC Address. It is important that your peer‟s AP include your MAC
address in order to acknowledge and communicate with each other.
2. Peer WDS MAC Address: It is the second associated AP MAC Address.
3. Peer WDS MAC Address: It is the third associated AP MAC Address.
4.
Peer WDS MAC Address: It is the fourth associated AP MAC Address.
Note: For MAC Address, Colons ( : ) must be included.
Wireless Security
You can disable or enable the wireless security function using WPA or WEP for wireless network protection. The default mode of wireless security is set to „Disabled‟.
Page 38
Page | 37
WPA-PSK / WPA2-PSK
Security Mode: You can disable or enable security mode with WPA or WEP for protecting your wireless network. The default mode of wireless security is set to Disable.
WPA Shared Key: The key for network authentication. The input format is in character style and key size should be between 8 and 63 characters.
Group Key Renewal: The period of renewal time for changing the security key automatically between wireless client and Access Point (AP). Default value is 600 seconds.
WEP
WEP Authentication: To prevent unauthorized wireless stations from accessing data transmitted over the network, the router offers secure data encryption, known as WEP. If you require high security for transmissions, there are two options to select from: Open System and Share key.
WEP Encryption: To prevent unauthorized wireless stations from accessing data transmitted over the network, the router offers highly secured data encryption, known as WEP. If you require high security for transmissions, there are two settings to select from: WEP 64 and WEP 128. WEP 128 will offer higher security over WEP 64.
Passphrase: This is used to generate WEP keys automatically based on the input string and a pre-defined algorithm in WEP64 or WEP128.
Default Used WEP Key: Select the encryption key ID; please refer to Key (1~4) below. Key (1-4): Enter the key to encrypt wireless data. To allow encrypted data transmission, the WEP Encryption Key values
on all wireless stations must be the same as the router. There are four keys for you to select from. The input format is in HEX style, 10 and 26 HEX codes are required for WEP64 and WEP128 respectively.
Wireless Client / MAC Address Filter
Page 39
Page | 38
The MAC Address filter supports up to 16 wireless network clients. It allows you to manage your network to allow traffic from authorized clients or to restrict unwanted clients from accessing your Wireless network.
There are no pre-defined MAC Address filter rules; you can add the filter rules to meet your requirements.
Wireless Client Filter: Default setting is set to Disable.
Allowed: To authorize devices to access your network by inserting the MAC Address in the space provided
or by clicking on the Candidate button. Make sure your PC‟s MAC is listed. Blocked: To prevent unwanted devices from accessing network by inserting the MAC Address in the space
provided or by clicking on the Candidate button. Make sure your PC‟s MAC is not listed.
The maximum number of clients is 16. The MAC addresses are 6 bytes long; they are represented only in hexadecimal characters. The numbers 0 - 9 and letters a - f are acceptable.
Note: Follow the MAC Address Format xx:xx:xx:xx:xx:xx. Colons ( : ) must be included. Candidates: It automatically detects devices that are connected to the router through the Wireless access point (AP).Click
the Candidate button to access the Associated Wireless Clients window.
Associate Wireless Client: Displays a list of MAC addresses of all wireless devices that are currently connected to the router.
You can check the checkbox next to the MAC address to block or allow the wireless client to access the network. Then click Add to insert the Wireless Clients MAC Address into the Filter table. The maximum number of Wireless clients is
16.
Page 40
Page | 39
WPS
The WPS (Wi-Fi Protected Setup) feature is a standard protocol created by Wi-Fi Alliance. This protocol is used to build a Wi-Fi network within a home / small office environment in an easy and secured manner. This feature thus provides a much simplified method to configure Wi-Fi Protected Access to those who know very little about wireless security.
Port Setting
This section allows you to configure the settings for the routers Ethernet ports to solve some compatibility problems that may be encountered while connecting to the Internet, as well as allowing users to tweak the performance of their network.
Port # Connection Type: There are six options to choose from: Auto, disable, 10M half-duplex, 10M full-duplex, 100M half-duplex, 100M full-duplex and Disable. Sometimes, there are Ethernet compatibility problems with legacy Ethernet devices, and you can configure different types to solve compatibility issues. The default is Auto, which users should keep unless they have specific problems with PCs not being able to access your network.
IPv4 TOS priority Control (Advanced users): TOS, Type of Services, is the 2nd octet of an IP packet. Bits 6-7 of this octet are reserved and bit 0-5 are used to specify the priority of the packet.
This feature uses bits 0-5 to classify the packet‟s priority. If the packet priority is set as high, its transmission will be given the first priority and will not be constrained by the Rate Limit. Therefore, when this feature is enabled, the router‟s
Ethernet switch will first check the 2
nd
octet of each IP packet. If the value in the TOS field matches the values checked
in the table (0 to 63), this packet will be treated as high priority.
Page 41
Page | 40
DHCP Server
You can disable or enable the DHCP (Dynamic Host Configuration Protocol) server or enable the routers DHCP relay functions. The DHCP protocol allows your router to dynamically assign IP addresses to the PCs on your network if they are configured to obtain IP addresses automatically.
To disable the router DHCP Server, check Disabled and click Next, then click Apply. When the DHCP Server is disabled you will need to manually assign a fixed IP address to each PC on your network, and set the default gateway for each PC to the IP address of the router (by default this is 10.0.0.2).
To configure the router DHCP Server, check DHCP Server and click next. You can then configure parameters of the DHCP Server including the IP pool (starting IP address and ending IP address to be allocated to PCs on your network), lease time for each assigned IP address (the period of time the IP address assigned will be valid), DNS IP address and the gateway IP address. These details are sent to the DHCP client (i.e. your PC) when it requests an IP address from the DHCP server. Click Apply to enable this function. If you check Use Router as a DNS Server”, the ADSL Router will perform the domain name lookup, find the IP address from the outside network automatically and forward it back to the requesting PC in the LAN (your Local Area Network).
If you check DHCP Relay Agent and click Next, then you will have to enter the IP address of the DHCP server which will assign an IP address back to the DHCP client in the LAN. Use this function only if advised to do so by your network administrator or ISP.
Click Apply to enable this function.
Page 42
Page | 41
WAN - Wide Area Network
WAN refers to your Wide Area Network connection, i.e. your routers connection to your ISP and the Internet. Here are the items within the WAN section: WAN Interface, WAN Profile and ADSL Mode.
WAN Interface WAN Connection-ADSL Mode The default setting for Connection Mode is ADSL and the default Protocol is PPPoE.
Main Port: User can select either ADSL, 3G mode or Dual WAN. Mode: Select the radio button if you want to enable the ADLS / 3G failover / failback function. WAN1: Select the primary WAN Interface it should use. You may select ADSL or 3G. WAN2: Select the secondary or failover WAN interface. i.e. If your primary connection fails, the secondary connection
will start up and connect to the internet automatically.
Time Schedule: Select the time schedule when failover should be active. Always on is the default value. Keep Backup Interface Connected: Keeps the backup interface connected to allow seamless changeover when your
primary interface fails.
Connectivity Decision: Set how many times probing must fail in order to switch to the backup port. Failover Probe Cycle: Set the duration for the Failover Probe Cycle to determine when the router will switch to the
backup connection (backup port) once the main connection (main port) fails.
Note: The time set is for each probe cycle, but the decision to change to backup port is determined by the Probe Cycle duration multiplied by the connection Decision amount (e.g. From the image above it will be 12 seconds multiplied by 5 consecutive fails).
Page 43
Page | 42
Failback Probe Cycle: Set the duration for the Failback Probe Cycle to determine when the router will switch back to the main connection (main port) from the backup connection (backup port) once the main connection is communicating again.
Note: The time set is for each probe cycle, but the decision to change to the backup port is determined by the Probe Cycle duration multiplied by the Connection Decision amount (e.g. From the image above it will be 3 seconds multiplied by 5 consecutive fails).
Detect Rule: Rule 1. ADSL Down Rule 2. Ping Fail
No Ping: It will not send any ping packets to determine if the connection is active. It disables ping detection. Ping Gateway: It will send ping packets to the gateway and wait for a response from the gateway in every
“Probe Cycle”.
Ping Host: It will send ping packets to a specific host and wait for a response in every “Probe Cycle”.
The host
must be an IP address.
WAN Connection-3G Mode In ADSL mode, as the ADSL is not available (failover/failback), it will switch to 3G mode for WAN Connection support.
However, in 3G Mode ADSL cannot support WAN Connection when 3G Mode is unavailable.
Page 44
Page | 43
WAN Profile
PPPoE Connection PPPoE (PPP over Ethernet) provides access control in a manner which is similar to dial-up services using PPP.
Profile Port: Select the profile port as ADSL. Protocol: The PPPoE protocol will be used. Description: A given name for the connection. VPI/VCI: Enter the information provided by your ISP. ATM Class: The Quality of Service for ATM layer. Username: Enter the username provided by your ISP. You can input up to 128 alpha-numeric characters (case
sensitive). This is the format of username “username@ispname” instead of “username”.
Password: Enter the password provided by your ISP. You can input up to 128 alpha-numeric characters (case sensitive).
Service Name: This item is for identification purposes. If it is required, your ISP will provide you the information. Maximum input is 15 alpha-numeric characters.
NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through a single ISP account, sharing a single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.
IP (0.0.0.0: Auto): Your WAN IP address. Leave this at 0.0.0.0 to obtain an IP address automatically from your ISP. Auth. Protocol: Default is Auto. Your ISP should advise you on whether to use Chap or Pap. Connection:
Always on: If you want the router to establish a PPPoE session when starting up and to automatically re-
establish the PPPoE session when disconnected by the ISP. Connect on Demand: If you want to establish a PPPoE session only when there is a packet requesting access
to the Internet (i.e. when a program on your computer attempts to access the Internet).
Idle Timeout: Auto-disconnect the broadband firewall gateway when there is no activity on the line for a predetermined period of time.
Page 45
Page | 44
MTU: Maximum Transmission Unit. The size of the largest datagram, excluding media-specific headers, that IP will attempt to send through the interface.
RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function. TCP MSS Clamp: This option enables discovery of the optimal MTU size automatically. Default is enabled. MAC Spoofing: Some service providers require the configuration of this option. You must fill in the MAC address that
is specified by the service provider when it is required. Default is disabled. Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP addresses. DNS
helps to find the IP address of a specific domain name. Check the checkbox to obtain DNS automatically.
Primary DNS: Enter the primary DNS. Secondary DNS: Enter the secondary DNS.
Page 46
Page | 45
PPPoA Connection
Profile Port: Select the profile port as ADSL. Protocol: The PPPoA protocol will be used. Description: A given name for the connection. VPI/VCI: Enter the information provided by your ISP. ATM Class: The Quality of Service for ATM layer. Username: Enter the username provided by your ISP. You can input up to 128 alpha-numeric characters (case
sensitive). This is the format of username “username@ispname” instead of “username”.
Password: Enter the password provided by your ISP. You can input up to 128 alpha-numeric characters (case sensitive).
Service Name: This item is for identification purposes. If it is required, your ISP will provide you the information. Maximum input is 15 alpha-numeric characters.
NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through a single ISP account, sharing a single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.
IP (0.0.0.0: Auto): Your WAN IP address. Leave this at 0.0.0.0 to obtain an IP address automatically from your ISP. Auth. Protocol: Default is Auto. Your ISP should advise you on whether to use Chap or Pap. Connection:
Always on: If you want the router to establish a PPPoA session when starting up and to automatically re-
establish the PPPoE session when disconnected by the ISP. Connect on Demand: If you want to establish a PPPoA session only when there is a packet requesting access
to the Internet (i.e. when a program on your computer attempts to access the Internet).
Idle Timeout: Auto-disconnect the broadband firewall gateway when there is no activity on the line for a predetermined period of time.
MTU: Maximum Transmission Unit. The size of the largest datagram, excluding media-specific headers, that IP will attempt to send through the interface.
Page 47
Page | 46
RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function. TCP MSS Clamp: This option enables discovery of the optimal MTU size automatically. Default is enabled. MAC Spoofing: Some service providers require the configuration of this option. You must fill in the MAC address that
is specified by the service provider when it is required. Default is disabled. Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP addresses. DNS
helps to find the IP address of a specific domain name. Check the checkbox to obtain DNS automatically.
Primary DNS: Enter the primary DNS. Secondary DNS: Enter the secondary DNS.
MPoA Connection
Profile Port: Select the profile port as ADSL. Protocol: The MPoA protocol will be used. Description: A given name for the connection. VPI/VCI: Enter the information provided by your ISP. ATM Class: The Quality of Service for ATM layer. Username: Enter the username provided by your ISP. You can input up to 128 alpha-numeric characters (case
sensitive). This is the format of username “username@ispname” instead of “username”.
Password: Enter the password provided by your ISP. You can input up to 128 alpha-numeric characters (case sensitive).
Service Name: This item is for identification purposes. If it is required, your ISP will provide you the information. Maximum input is 15 alpha-numeric characters.
NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through a single ISP account, sharing a single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.
IP (0.0.0.0: Auto): Your WAN IP address. Leave this at 0.0.0.0 to obtain an IP address automatically from your ISP.
Page 48
Page | 47
Auth. Protocol: Default is Auto. Your ISP should advise you on whether to use Chap or Pap. Connection:
Always on: If you want the router to establish an MPoA session when starting up and to automatically re-
establish the PPPoE session when disconnected by the ISP. Connect on Demand: If you want to establish an MPoA session only when there is a packet requesting access
to the Internet (i.e. when a program on your computer attempts to access the Internet).
Idle Timeout: Auto-disconnect the broadband firewall gateway when there is no activity on the line for a predetermined period of time.
MTU: Maximum Transmission Unit. The size of the largest datagram, excluding media-specific headers, that IP will attempt to send through the interface.
RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function. TCP MSS Clamp: This option enables discovery of the optimal MTU size automatically. Default is enabled. MAC Spoofing: Some service providers require the configuration of this option. You must fill in the MAC address that
is specified by the service provider when it is required. Default is disabled. Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP addresses. DNS
helps to find the IP address of a specific domain name. Check the checkbox to obtain DNS automatically.
Primary DNS: Enter the primary DNS. Secondary DNS: Enter the secondary DNS.
Pure Bridge
Profile Port: Select the profile port as ADSL. Protocol: The Pure Bridge protocol will be used. Description: A given name for this connection. VPI/VCI: Enter the information provided by your ISP. ATM Class: The Quality of Service for ATM layer. Encap. method: Choose whether you want the packets in the WAN interface to be bridged packets or routed packets. Acceptable Frame Type: Specify which kind of traffic goes through this connection, all traffic or only VLAN tagged.
Page 49
Page | 48
Filter Type: Specify the type of Ethernet filtering performed by the named bridge interface.
All
Allows all types of Ethernet packets through the port.
Ip
Allows only IP/ARP types of Ethernet packets through the port.
Pppoe
Allows only PPPoE types of Ethernet packets through the port.
Page 50
Page | 49
3G
TEL No.: The dial string to make a GPRS / 3G user internetworking call. It may be provided by your mobile service provider.
APN: An APN is similar to a URL; it is the unit makes a GPRS / UMTS call. The service provider is able to attach anything to an APN to create a data connection. Requirements for APN assignment varies between service providers. Most service providers have an internet portal which they connect a DHCP Server to, giving you access to the internet i.e. Some 3G operators use the APN „internet‟ for their portal. The default value of APN is “internet”.
Username: Enter the username provided by your service provider. Password: Enter the password provided by your service provider. Authentication Type: Manually specify CHAP (Challenge Handshake Authentication Protocol) or PAP (Password
Authentication Protocol) if you know which authentication type the server is using (when acting as a client), or the authentication type you want the clients to use when they are connecting to you (when acting as a server). When using PAP, the password is sent unencrypted, while CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that an intruder has not replaced the client.
MTU: Maximum Transmission Unit. The size of the largest datagram, excluding media-specific headers, that IP will attempt to send through the interface.
PIN: PIN stands for Personal Identification Number. A PIN code is a numeric value used in certain systems as a password to gain access and authentication. In mobile phones a PIN code locks the SIM card until you enter the correct code. If you enter the PIN code incorrectly into the phone 3 times in a row, then the SIM card will be blocked and a PUK code will be required from your network service provider to unlock it.
Page 51
Page | 50
Connection:
Always On: A UMTS/GPRS call will be made when the router starts up. Enabling Always On will give you the option of Keep Alive.
Keep Alive: Set Enable to allow the router to automatically reconnect the connection when the ISP
disconnects it.
Connect to Demand: If you want to make a UMTS/GPRS call only when there is a packet re- questing access to the Internet (i.e. when a program on your computer attempts to access the Internet). In this mode, you must set Idle Timeout value. Enabling Connect on Demand will give you the option of Idle Timeout.
Idle Timeout: Auto-disconnect the connection when there is no activity on this call for a pre- determined period of time. The default value is 10 seconds.
Obtain DNS Automatically: Select this check box to use DNS. Primary DNS/ Secondary DNS: Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP
clients along with the IP address and the subnet mask. Note: If you don‟t know how to set these values then please leave them unchanged.
Page 52
Page | 51
ADSL Mode
Connect Mode: This mode will automatically detect your ADSL line code, ADSL2+, ADSL2, AnnexM2 and AnnexM2+,
ADSL, All. Please keep the factory settings unless ADSL is the reason for a synchronization problem. Modulation: It will automatically detect capability of your ADSL line mode. Please keep the factory settings unless
ADSL is reason for a synchronization problem. Profile Type: Please keep the default factory settings. If ADSL is the reason for low link rates, or making your
connection unstable then consider changing the value. You may need to change the profile setting to reach the best ADSL line rate; it depends on the DSLAM and location.
Activate Line: Aborting (false) your ADSL line and making it active (true) again will take effect when setting the Connect Mode.
Coding Gain: It reduces the router‟s transmit power which will affect the router‟s downstream performance. Making the gain Higher will increase the downstream rate but might cause your ADSL line to be unstable. The configurable ADSL coding gain is from 0 dB to 7dB, or automatic.
Tx Attenuation: It is the amount of power that the modem (upstream) or DSLAM (downstream) is using. The lower the power the better the performance will be during modem upstream.
Page 53
Page | 52
System
Here are the items within the System section: Time Zone, Remote Access, Firmware Upgrade, Backup/Restore,
Restart and User Management.
Time Zone
The router does not have a real time clock on board; instead, it uses the Simple Network Time Protocol (SNTP) to get the current time from a SNTP server outside your network. Choose your local time zone, click Enable and click the Apply button. After a successful connection to the Internet, the router will retrieve the correct local time from the SNTP server you have specified. If you prefer to specify a SNTP server other than those in the list, simply enter its IP address as shown above. Your ISP may provide a SNTP server for you to use.
Daylight Saving is also known as Summer Time Period. Many places in the world adapt it during summer time to move one hour of daylight from morning to the evening in local standard time. Check Enable checkbox to set your local time.
Resync Period (in minutes) is the periodic interval the router will wait before it re-synchronizes the routers time with that of the specified SNTP server. In order to avoid unnecessarily increasing the load on your specified SNTP server you should keep the poll interval as high as possible – at the absolute minimum every few hours or even days.
Page 54
Page | 53
DO NOT turn off or interrupt the router during a firmware upgrade. This
could seriously damage the router.
Remote Access
This feature enables a system administrator to set the time interval where the router can be accessed for administration purpose from a remote site (i.e. from outside your LAN).
If you wish to permanently enable remote access, set the time period to 0 minute.
Firmware Upgrade
Your router firmware is the software that enables it to operate and provides all its functionality. Think of your router as a dedicated computer, and the firmware as the software it runs. Over time this software may be improved and revised, and your router allows you to upgrade the software it runs to take advantage of these changes.
Clicking on Browse will allow you to select the new firmware image file you have downloaded to your PC. Once the correct file is selected, click Upgrade to update the firmware in your router.
Warning
Page 55
Page | 54
Backup / Restore
This function allows you to save a backup of the current configuration of your router to a file on your PC, or to restore a previously saved configuration. This is very useful if you wish to customize the settings of the router, knowing in advance that you can always restore the settings if any mistakes are made. Therefore, it is advisable that you create a backup of the configuration of your router before customizing its configuration.
Create a Router Configuration Backup: To create a backup of the settings, simply click the Backup button and specify the location on your computer to save your
configuration file. You may also change the name of the file if you wish to keep multiple backups. Restoring the Router Configuration To restore the configuration of the router, click Browse to locate the configuration file on your computer. Once the file has
been located, click on the file then click on the Restore button to load the setting.
Note: You should only restore the settings with files that have been created using the Backup function with the most current firmware version. Settings files saved to your PC should not be manually edited in any way.
Restart Router
Click Restart with the option of Current Settings to reboot your router (and restore your last saved configuration).
If you wish to restart the router using the factory default settings (for example, after a firmware upgrade or if you have saved an incorrect configuration), select Factory Default Settings to reset to factory default settings.
You may also reset your router to factory settings by holding the small Reset pinhole button for longer than 6 seconds on the back of your router.
Caution: After pressing the RESET button for more than 6 seconds, be sure to power cycle the device again.
Page 56
Page | 55
User Management
In order to prevent unauthorized access to your routers configuration interface, it requires that all users login to the GUI with a password. You can set up multiple user accounts, each with their own password. You can Edit any existing user accounts and Add new user account to grant access to the device configuration interface.
Edit Account Information You can change the information of any account whether the account is active or not.
1. To edit an account, select the Edit radio button of the account to be edited. Once selected, all information of that
account will be displayed.
2. Change the information that needs to be edited.
3.
When this is done, simply click on the Edit/ Delete button to save your changes.
Note: It is recommended that you change the password immediately to prevent a security breach into your GUI.
Page 57
Page | 56
To Add an Account
1. Check the Valid checkbox, fill in all the information: User name, Comment (optional), Password, and Confirm
Password.
2.
When this is done, click the Add button.
To delete a user Account:
1. Click on the Delete radio button of the account you want to delete.
2.
Then click the Edit/Delete button to confirm the deletion.
Note: You can delete any user account except for the default admin account. Thus there is no delete radio button available for this account.
Page 58
Page | 57
When using Virtual Server, your PC will become exposed to a certain degree
to unknown users if specific ports are opened in the firewall packet filter setting. The degree of exposure depends on the parameter set in the Virtual Server setting.
Firewall and Access Control
Your router includes a full SPI (Stateful Packet Inspection) firewall to control Internet access on your network. This feature also protects your system from being attacked by hackers. When using NAT, the router acts as a “natural” Internet firewall, as all PCs on your LAN will have their own private IP address which is not directly accessible from the Internet. The router provides three levels of security support.
NAT natural firewall: This masks LAN users‟ IP addresses which are invisible to users on the Internet, thus making it more difficult for a hacker to target a machine on your network. This natural firewall is turned on when the NAT function is enabled.
Firewall Security and Policy (General Settings): Inbound direction of Packet Filter rules to prevent unauthorized computers or applications from accessing your local network from the Internet.
Intrusion Detection: Enable Intrusion Detection to detect, prevent and log malicious attacks. Access Control: Prevent access from computers on your local network: Firewall Security and Policy (General Settings): Outbound direction of Packet Filter rules to prevent unauthorized
computers or applications from accessing the Internet. URL Filter: To block computers on your local network from unwanted websites.
The items under the Firewall section are: General Settings, Packet Filter, Intrusion Detection, URL Filter, IM/P2P Blocking and Firewall Log.
Page 59
Page | 58
Any remote user attempting to perform this action may cause all access to the router
to be blocked, which will result in no configuration or managing of the device from the internet.
General Settings
You can choose to disable Firewall and still be able to access the URL Filter and IM/P2P Blocking or enable the Firewall using the preset filter rules and modify the port filter rules as required. The Packet Filter is used to filter packets based on Applications (Port) or IP addresses.
There are four policy options to choose from:
All blocked/User-defined: no predefined port or address filter rules by default, meaning that all inbound (Internet to LAN) and outbound (LAN to Internet) packets will be blocked. Users have to add their own filter rules to access the Internet.
High/Medium/Low security level: the predefined port filter rules for High, Medium and Low
security are
displayed in the Port Filters of the Packet Filter.
Select either High, Medium or Low security level to enable Firewall protection. The only difference between these three is the preset port filter rules in the Packet Filter. Firewall function is the same for all levels; it is only the list of preset port filters that changes between each setting. For more detail on level of preset port filter information, please refer to Table 1: Predefined Port Filter.
If you choose the preset security levels and add custom filters, the level of filter rules will be saved and you do not need to re-configure the rules again if you disable or switch to the other security level.
The “Block WAN Request” is a standalone function that is not affected by whether the security is enabled or disabled. This is used to prevent any scan tools that might come from hackers.
Page 60
Page | 59
Packet Filter This function is only available when Firewall is enabled with one of the four security levels selected (All blocked, High,
Medium and Low). The preset port filter rules in the Packet Filter must be modified accordingly to the security level selected. See Table1: Predefined Port Filter for more detailed information.
Page 61
Page | 60
Table 1: Predefined Port Filters Rules The predefined port filter rules for High, Medium and Low security levels are listed below.
Application
Protocol Port Number
Firewall - Low
Firewall - Medium
Firewall – High
Start
End
Inbound
Outbound
Inbound
Outbound
Inbound
Outbound
HTTP(80)
TCP(6)
80
80 NO
YES
NO
YES
NO
YES
DNS (53)
UDP(17)
53
53
NO
YES
NO
YES
NO
YES
DNS (53)
TCP(6)
53
53
NO
YES
NO
YES
NO
YES
FTP(21)
TCP(6)
21
21
NO
YES
NO
YES
NO
NO
Telnet(23)
TCP(6)
23
23
NO
YES
NO
YES
NO
NO
SMTP(25)
TCP(6)
25
25
NO YES
NO
YES
NO
YES
POP3(110)
TCP(6)
110
110
NO
YES
NO
YES
NO
YES
NEWS(NNTP) (Network News
Transfer Protocol)
TCP(6)
119
119
NO
YES
NO
YES
NO
NO
RealAudio/ RealVideo (7070)
UDP(17)
7070
7070
YES
YES
YES
YES NO
NO PING
ICMP(1)
N/A
N/A
NO YES
NO YES
NO
YES
H.323(1720)
TCP(6)
1720
1720
YES
YES
NO
YES
NO
NO
T.120(1503)
TCP(6)
1503
1503
YES
YES
NO
YES
NO
NO
SSH(22)
TCP(6)
22
22
NO
YES
NO
YES
NO
NO
NTP/SNTP
UDP(17)
123
123
NO YES
NO YES
NO
YES
HTTP/HTTP Proxy (8080)
TCP(6)
443
443
NO
YES
NO
NO
NO
NO HTTPS(443)
TCP(6)
443
443
NO
YES
NO
YES
N/A
N/A
ICQ (5190)
TCP(6)
5190
5190
YES
YES
N/A
N/A
N/A
N/A
MSN (1863)
TCP(6)
1863
1863
YES
YES
N/A
N/A
N/A
N/A
MSN (7001)
UDP(17)
7001
7001
YES
YES
N/A
N/A
N/A
N/A
MSN VEDIO (9000)
TCP(6)
9000
9000
NO
YES
N/A
N/A
N/A
N/A
Page 62
Page | 61
Inbound: Internet to LAN Outbound: LAN to Internet YES: Allowed NO: Blocked N/A: Not Applicable
Packet Filter – Add TCP/UDP Filter
Rule Name Helper: User defined description for entry identification. You may also choose from the Select drop-down menu for an existing predefined rule. The maximum name length is 32 characters.
Time Schedule: A self defined time period. You may specify a time schedule for your prioritization policy. For setup and detail, refer to Time Schedule section.
Source IP Address(es) / Destination IP Address(es): This is the Address-Filter used to allow or block traffic to/from particular IP address(es). Select the Subnet Mask of the IP address range you wish to allow/block the traffic to or from. Set the IP address and Subnet Mask to 0.0.0.0 to de-activate the Address-Filter rule.
Tip: To block access, to/from a single IP address, enter that IP address as the Host IP Address and use a Host
Subnet Mask of “255.255.255.255”.
Type: This is the packet protocol type used by the application, select TCP, UDP or both TCP/UDP. Protocol Number: Insert the port number. Source Port: This Port or Port Ranges defines the port allowed to be used by the Remote/WAN to connect to the
application. Default is set from range 0 ~ 65535. It is recommended that this option be configured by an advanced user.
Destination Port: This is the Port or Port Ranges that defines the application. Inbound / Outbound: Select Allow or Block the access to the Internet (“Outbound”) or from the Internet (“Inbound”).
When all changes are made, click Add button to apply your changes.
Page 63
Page | 62
Packet Filter – Add Raw IP Filter Go to “Type” drop-down menu, select “Use Protocol Number”.
Rule Name Helper: User defined description for entry identification. You may also choose from the Select drop-down menu for an existing predefined rule.
Time Schedule: A self-defined time period. You may specify a time schedule for your prioritization policy. For setup and detail, refer to Time Schedule section.
Source IP Address(es) / Destination IP Address(es): This is the Address-Filter used to allow or block traffic to/from particular IP address(es). Select the Subnet Mask of the IP address range you wish to allow/block the traffic to or from; set IP address and Subnet Mask to 0.0.0.0 to de-activate the Address-Filter rule.
Tip: To block access to/from a single IP address, enter that IP address as the Host IP Address and use a Host Subnet
Mask of “255.255.255.255”.
Type: It is the packet protocol type used by the application, select TCP, UDP or both TCP/UDP. Protocol Number: Insert the port number, i.e. GRE 47. Source Port: This Port or Port Ranges defines the port allowed to be used by the Remote/WAN to connect to the
application. Default is set from range 0 ~ 65535. It is recommended that this option be configured by an advanced user.
Destination Port: This is the Port or Port Ranges that defines the application. Inbound / Outbound: Select to Allow or Block access to the Internet (“Outbound”) or from the Internet (“Inbound”).
When all changes are made, click the Add button to apply your changes.
Example: Configuring your firewall to allow a publicly accessible web server on your LAN
The predefined port filter rule for HTTP (TCP port 80) is the same whether the firewall is set to a high, medium or low security level. To setup a web server located on the local network when the firewall is enabled, you have to configure the Port Filter settings for HTTP.
As you can see from the diagram below, when the firewall is enabled with one of the three preset (Low/Medium/High) security levels, inbound HTTP access is not allowed which means remote access through HTTP to your router is not allowed.
Page 64
Page | 63
Note: Inbound indicates accessing from the Internet to the LAN and Outbound is from the LAN to the Internet.
Configuring Packet Filter:
1. Click Packet Filters. You will then be presented with the predefined port filter rules screen (in
this case for the
low security level), shown below:
Note: You may choose to Edit the predefined rule instead of Deleting0 it. This is an example to show you how to add a filter on your own.
2. If you want to delete a filter rule, select the delete radio button of the HTTP rule you want to delete. Then click the Edit/Delete button to delete the rule.
Page 65
Page | 64
3. To add a new rule, Input the Rule Name, Time Schedule, Source/Destination IP, Type, Source/Destination Port, Inbound and Outbound. Then click the Add button.
Example:
Application: Cindy_HTTP Time Schedule: Always On Source / Destination IP Address (es): 0.0.0.0 (I do not wish to activate the address-filter, using the port-filter instead) Type: TCP (Please refer to Table1: Predefined Port Filter) Source Port: 0-65535 (I am allowing all ports to connect to the application) Redirect Port: 80-80 (This is the Port defined for HTTP) Inbound / Outbound: Allow
Page 66
Page | 65
For instructions on how to configure the HTTP in Virtual Server, please refer to
the Add Virtual Server sub-section under the Virtual Server section.
The new port filter rule for HTTP is shown below:
1. Configure your Virtual Server (“port forwarding”) settings so that incoming HTTP requests on port 80 will be forwarded to the PC running your web server:
Page 67
Page | 66
Intrusion Detection
The router Intrusion Detection System (IDS) is used to detect hacker‟s attacks, and intrusion attempts from the Internet. If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.
Blacklist: If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist. Any further attempts to use this IP address will be blocked for the time period specified in the Block Duration. The default setting for this function is false (disabled). Some types of attacks are denied immediately without using the Blacklist function, such as Land attack and Echo/CharGen scan.
Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is „Disable‟ Block Duration:
Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default value is 600
seconds. Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible Scan attack. Scan
attack types include X‟mas scan, IMAP SYN/FIN scan and similar attempts. Default value is 86400 seconds. DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible Denial of Service
(DoS) attack. Possible DoS attacks that are blocked include Ascend Kill and WinNuke. Default value is 1800 seconds.
Max TCP Open Handshaking Count: This is a threshold value to decide whether a SYN Flood attempt is occurring or not. Default value is 100 TCP SYN per seconds.
Max PING Count: This is a threshold value to decide whether an ICMP Echo Storm is occurring or not. Default value is 15 ICMP Echo Requests (PINGS) per second.
Max ICMP Count: This is a threshold to decide whether an ICMP flood is occurring or not. Default value is 100 ICMP packets per second except ICMP Echo Requests (PING).
For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will just warn the user in the Event Log. It cannot protect against such attacks.
Page 68
Page | 67
Table 2: Hacker attack types recognized by the IDS
Intrusion Name
Detect Parameter
Blacklist
Type of Block
Duration
Drop Packet
Show Log
Ascend Kill
Ascend Kill data
Src IP
DoS
Yes
Yes
WinNuke
TCP
Port 135, 137~139, Flag:
URG
Src IP
DoS
Yes
Yes
Smurf
ICMP type 8
Des IP is broadcast
Dst IP
Victim Protection
Yes
Yes
Land attack
SrcIP = DstIP
Yes
Yes
Echo/CharGen Scan
UDP Echo Port and
CharGen Port
Yes
Yes
Echo Scan
UDP Dst Port = Echo(7)
Src IP
Scan
Yes
Yes
CharGen Scan
UDP Dst Port =
CharGen(19)
Src IP
Scan
Yes
Yes
X’mas Tree Scan
TCP Flag: X‟mas
Src IP
Scan
Yes
Yes
IMAP
SYN/FIN Scan
TCP Flag: SYN/FIN DstPort: IMAP(143) SrcPort: 0 or 65535
Src IP
Scan
Yes
Yes
SYN/FIN/RST/ACK
Scan
TCP,
No Existing session And
Scan Hosts more than
five.
Src IP
Scan
Yes
Yes
Net Bus Scan
TCP
No Existing session
DstPort = Net Bus
12345,12346, 3456
SrcIP
Scan
Yes
Yes
Back Orifice Scan
UDP, DstPort = Orifice
Port (31337)
SrcIP
Scan
Yes
Yes
SYN Flood
Max TCP Open
Handshaking Count
(Default 100 c/sec)
Yes
ICMP Flood
Max ICMP Count
(Default 100 c/sec)
Yes
ICMP Echo
Max PING Count
(Default 15 c/sec)
Yes
Page 69
Page | 68
URL Filter
URL (Uniform Resource Locator) (e.g. an address in the form of http://www.abcde.com or http:// www.example.com) filter rule allows you to prevent users on your network from accessing specific websites defined by their URL. There are no predefined URL filter rules, therefore you can add filter rules to meet your requirements.
Enable/Disable: Select to enable or disable URL Filter feature. Block Mode: A list of the modes that you can choose from to check the URL filter rules. The default is set to Always On.
Disabled: No action will be performed by the Block Mode. Always On: Action is enabled. URL filter rules will be monitoring and checking at all hours of
the day.
TimeSlot1 ~ TimeSlot16: It is a self-defined time period. You may specify the time period to check the URL filter rules, i.e. during working hours. For setup and detail, refer to Time Schedule section.
Keywords Filtering: Allow blocking against specific keywords within a particular URL rather than having to specify a complete URL (e.g. to block any image called “advertisement.gif”). When enabled, your specified keywords list will be checked to see if any keywords are present in URLs accessed to determine if the connection attempt should be blocked. Please note that the URL filter blocks web browser (HTTP) connection attempts using port 80 only.
For example, if the URL is http://www.abc.com/abcde.html, the connection will be dropped if the keyword
―abcde‖ occurs in the URL.
Page 70
Page | 69
Domains Filtering: This function checks the whole URL address but not the IP address against your list of domains to block or allow. If it is matched, the URL request will either be sent (Trusted) or dropped (Forbidden). For this function to be activated, both the enable and disable checkboxes of Domain Filtering must be checked. Here is the checking procedure:
1. Check the domain in the URL to determine if it is in the trusted list. If yes, the connection attempt is sent to the remote web server.
2. If not, check if it is listed in the forbidden list. If yes, then the connection attempt will be dropped.
3. If the packet does not match either of the above two conditions, it is sent to the remote web server.
4. Please note that the completed URL, “www” + domain name should be specific. e.g.: In order to block traffic to www.google.com.au, enter “www.google” or “www.google.com
In the example below, the URL request for www.abc.com will be sent to the remote web server because it is listed in the trusted list, whilst the URL request for www.google or www.google.com will be dropped, because www.google is in the forbidden list.
Example:
Andy wishes to disable all WEB traffic except for domains listed under the trusted domains, which would prevent Bobby from accessing other websites. Andy selects both conditions in Domain Filtering thinking that this will stop Bobby. Bobby knows the Domain Filtering function; it ONLY disables all WEB traffic to Trusted Domains, BUT not its IP address. If this is the situation, the Block surfing by IP address function can be helpful. Now, Andy can successfully prevent Bobby from accessing other websites.
Restrict URL Features: This function enhances the restrictions to your URL rules.
Block Java Applet: This function can block Web content that includes Java Applets. It
prevents someone from
damaging your system via standard HTTP protocol. Block surfing by IP address: A further restriction against someone who uses IP addresses as a URL to cheat
the Domains Filtering rule. Only activates if Domain Filtering is enabled.
Page 71
Page | 70
IM / P2P Blocking
IM, short for Instant Message, is client software that allows users to communicate & exchange text messages with other IM users in real time over the Internet. A P2P application, known as Peer- to-peer, is a group of users who share files with each other over the Internet. Both Instant Message and Peer-to-peer applications make communication faster and easier but your network may become increasingly insecure. Billions IM and P2P blocking helps users by restricting LAN PCs from accessing the commonly used IM (Yahoo and MSN), and P2P (BitTorrent and eDonkey) applications over the Internet.
Instant Message Blocking: The default is set to Disabled.
Disabled: Instant Message blocking is not enabled. No action will be taken. Always On: Instant Message blocking is enabled. IM messages will be blocked. TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time period to activate
blocking, i.e. during working hours. For setup and detail, refer to the Time Schedule section.
Yahoo/MSN Messenger: Check the checkbox to block either Yahoo or/and MSN Messenger or both. Be sure to enable the Instant Message Blocking first.
Peer to Peer Blocking: The default is set to Disabled. Disabled: Peer to Peer blocking is not enabled. No action will be taken. Always On: Peer to Peer blocking is enabled. P2P will be blocked. TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time period to activate
blocking, i.e. during working hours. For setup and detail, refer to Time Schedule section.
BitTorrent / eDonkey: Check the checkbox to block either Bit Torrent or eDonkey or both. Be sure to enable the Peer to Peer Blocking first.
Page 72
Page | 71
Firewall Log
The Firewall Log contains information of any unexpected actions that occur to your firewall. Check the Enable checkbox to activate event logging. Log information can be seen in the Status – Event Log after the feature is enabled.
VPN - Virtual Private Networks
Virtual Private Networks is a way to establish a secured communication tunnel with an organization network via the Internet. Your router supports three main types of VPN (Virtual Private Network): PPTP, IPSec and L2TP.
PPTP (Point-to-Point Tunneling Protocol)
PPTP Connection - LAN to LAN There are two types of PPTP VPN: Remote Access and LAN-to-LAN (please refer below for more information). Click
Configuration > VPN > PPTP. Choose LAN to LAN from Connection Type drop down menu.
Page 73
Page | 72
Name: A given name for the connection (e.g. “connection to office”). Connection Type: Remote Access or LAN to LAN. Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office
server), check Dial In if it operates as a VPN server.
When configuring your router as a Client, enter the remote Server IP Address (or Domain
Name) you wish
to connect to. When configuring your router as a server, enter the Private IP Address assigned to the Dial
in User.
IP Address: Enter the IP address. Peer Network IP: Enter your peer‟s network IP address. Netmask: Enter the subnet mask of the peer network based on the Peer Network IP setting. Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a Dial-In user
(server), enter your own username. Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user
(server), enter your own password. Authentication Type: Default is Auto if you want the router to automatically determine the authentication type to use. If
you know which authentication type the server is using (when acting as a client), you may manually specify the Authentication type whether CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol). When acting as a server, you can set the authentication type you want the clients connecting to you to use. When using PAP, the password is sent unencrypted, while CHAP encrypts the password before sending it.
Data Encryption: Data sent over the VPN connection can be encrypted by an MPPE algorithm. Default is set to Auto, so that this setting is negotiated when establishing a connection, you can also manually Enable or Disable the encryption.
Key Length: The data can be encrypted by MPPE algorithm with 40 bits or 128 bits. Default is Auto; it is negotiated when establishing a connection. 128 bit keys provide a stronger encryption than 40 bit keys.
Mode: You may select Stateful or Stateless mode. The key will be changed every 256 packets when you select Stateful mode. If you select Stateless mode, the key will be changed in each packet.
Active as default route: Commonly used by the Dial-out connection where all packets will route through the VPN tunnel to the Internet. Therefore activating this function may degrade the Internet performance.
Click Edit/Delete button to save your changes.
Page 74
Page | 73
Both office LAN networks must be in different subnets with LAN-
LAN application
Example: Configuring a Remote Access PPTP VPN Dial-out Connection
The branch office establishes a PPTP VPN tunnel with head office to connect two private networks over the Internet. The routers are installed in the head office and branch offices accordingly.
Attention
Configuring the PPTP VPN in the Head Office The IP address 192.168.1.201 will be assigned to the router located in the branch office. Please make sure this IP is not
used in the head office LAN.
Page 75
Page | 74
Function
Description
Name
Head Office
Given name of PPTP connection
Connection type
LAN to LAN
Select LAN to LAN from the Connection Type drop-down menu
Type
Dial in
Select Dial in from the Type drop-down menu
IP Address
192.168.1.200
IP address assigned to branch office network
Peer Network IP
192.168.0.0
Branch office network
Netmask
255.255.255.0
Username
Username
A given username & password to authenticate the branch office network.
Password
123456
Auth. Type
Chap(Auto)
Keep as the default value in most cases, PPTP server & client will determine the value automatically. Refer to the manual for details if you want to change the settings.
Data Encryption
Auto
Key Length
Auto
Mode
Stateful
Configuring the PPTP VPN in the Head Office
The IP address 69.1.121.30 is the Public IP address of the router located in head office. If you registered the DDNS (please refer to the DDNS section of this manual), you can also use the domain name instead of the IP address to reach the router.
Page 76
Page | 75
Function
Description
Name
Head Office
Given name of PPTP connection
Connection type
LAN to LAN
Select LAN to LAN from the Connection Type drop-down menu
Type
Dial in
Select Dial in from the Type drop-down menu
IP Address
69.121.1.33
IP address assigned to branch office network
Peer Network IP
192.168.1.0
Head office network
Netmask
255.255.255.0
Username
Username
A given username & password to authenticate branch office network.
Password
123456
Auth. Type
Chap(Auto)
Keep as default value in most of the cases, PPTP server & client will determine the value automatically. Refer to manual for details if you want to change the setting.
Data Encryption
Auto
Key Length
Auto
Mode
Stateful
PPTP Connection - Remote Access
Name: A given name for the connection (e.g. “connection to office”). Connection Type: Remote Access or LAN to LAN. Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office
server), check Dial In if it operates as a VPN server.
When configuring your router as a Client, enter the remote Server IP Address (or Domain
Name) you wish to
connect to. When configuring your router as a server, enter the Private IP Address assigned to the Dial
in User.
IP Address: Enter the IP address. Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a Dial-In user
(server), enter your own username.
Page 77
Page | 76
Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user (server), enter your own password.
Authentication Type: Default is Auto if you want the router to automatically determine the authentication type to use. If you know which authentication type the server is using (when acting as a client), you may manually specify the Authentication type whether CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol). When acting as a server, you can set the authentication type you want the clients connecting to you to use. When using PAP, the password is sent unencrypted, while CHAP encrypts the password before sending it.
Data Encryption: Data sent over the VPN connection can be encrypted by an MPPE algorithm. Default is set to Auto, so that this setting is negotiated when establishing a connection, you can also manually Enable or Disable the encryption.
Key Length: The data can be encrypted by MPPE algorithm with 40 bits or 128 bits. Default is Auto, it is negotiated when establishing a connection. 128 bit keys provide a stronger encryption than 40 bit keys.
Mode: You may select Stateful or Stateless mode. The key will be changed every 256 packets when you select Stateful mode. If you select Stateless mode, the key will be changed in each packet.
Active as default route: Commonly used by the Dial-out connection where all packets will route through the VPN tunnel to the Internet. Therefore activating this function may degrade the Internet performance.
Click Edit/Delete button to save your changes.
Example: Configuring a Remote Access PPTP VPN Dial-out Connection
An office establishes a PPTP VPN connection with a file server located at a different location. The router is installed in the office, connected to a couple of PCs and Servers.
Page 78
Page | 77
Configuring the PPTP VPN in the Office Click Configuration > VPN > PPTP. Choose Remote Access from the Connect Type drop-down menu. You can either
input the IP address (69.121.1.33 in this case) or hostname to reach the server.
Function
Description
Name
VPN PPTP
Given name of PPTP connection
Connection type
Remote Access
Select Remote Access from the Connection Type drop-down menu
Type
Dial out
Select Dial out from the Type drop-down menu
IP Address (or
Domain name)
69.121.1.33
A Dialed server IP
Username
Username
A given username & password to authenticate branch office network.
Password
123456
Auth. Type
Chap(Auto)
Keep as default value in most cases, PPTP server & client will determine the value automatically. Refer to the manual for details if you want to change the settings.
Data Encryption
Auto
Key Length
Auto
Mode
Stateful
Page 79
Page | 78
IPSec (IP Security Protocol)
IPSec VPN Connection
Name: A given name for the connection (e.g. “connection to office”). Local Network: Set the IP address, subnet or address range of the local network. Single Address: The IP address of the local host. Subnet: The subnet of the local network. For example, IP: 192.168.1.0 with netmask 255.255.255.0 specifies one class
C subnet starting from 192.168.1.1 (i.e. 192.168.1.1 through
to 10.0.0.2).
IP Range: The IP address range of the local network. For Example, IP: 192.168.1.1, end IP:
192.168.1.10.
IP Address: Enter the IP address. Remote Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is
connected and establishes a VPN tunnel.
Remote Network: Set the IP address, subnet or address range of the remote network. IKE (Internet key Exchange) Mode: Select IKE mode to Main mode or Aggressive mode. This IKE provides secured
key generation and key management.
Page 80
Page | 79
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
Local ID:
Content: Input ID‟s information, like domain name www.ipsectest.com.
Remote ID:
Identifier: Input remote ID‟s information, like domain name ww.ipsectest.com
Hash Function: It is a Message Digest algorithm which coverts any length of a message into a unique set of bits.
It is widely used MD5 (Message Digest) and SHA-1 (Secure Hash Algorithm) algorithms. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.
MD5: A one-way hashing algorithm that produces a 128−bit hash. SHA1: A one-way hashing algorithm that produces a 160bit hash
Encryption: Select the encryption method from the pull-down menu. There are several options, DES, 3DES and AES
(128, 192 and 256). 3DES and AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method. 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption method. AES: Stands for Advanced Encryption Standards, you can use 128, 192 or 256 bits as an encryption
method.
Diffie-Hellman Group: It is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
IPSec Proposal: Select the IPSec security method. There are two methods of checking the authentication information, AH (authentication header) and ESP (Encapsulating Security Payload). Use ESP for greater security so that data will be encrypted and authenticated. Using AH data will be authenticated but not encrypted.
Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transmit. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.
MD5: A one-way hashing algorithm that produces a 128−bit hash. SHA1: A one-way hashing algorithm that produces a 160−bit hash
Encryption: Select the encryption method from the pull-down menu. There are several options, DES, 3DES, AES
(128, 192 and 256) and NULL. NULL means it is a tunnel with no encryption. 3DES and AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method. 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption method. AES: Stands for Advanced Encryption Standards, you can use 128, 192 or 256 bits as encryption method.
Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography to change
encryption keys during the second phase of VPN negotiation. This function of a cryptography protocol is to allow two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
Page 81
Page | 80
SA Lifetime: Specify the number of minutes that a Security Association (SA) will stay active before new encryption and authentication keys will be exchanged. There are two kinds of SAs, IKE and IPSec. IKE negotiates and establishes SA on behalf of IPSec; an IKE SA is used by IKE.
Phase 1 (IKE): To issue an initial connection request for a new VPN tunnel. The range can
be from 5 to
15,000 minutes, and the default is 480 minutes. Phase 2 (IPSec): To negotiate and establish secure authentication. The range can be from 5
to 15,000 minutes,
and the default is 60 minutes.
A short SA time increases security by forcing the two parties to update the keys. However, every time the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected.
PING for Keep Alive:
None: The default setting is „None‟. In this mode, it will not detect if the remote IPSec peer has been lost or not.
It follows the policy of Disconnection time after no traffic, which the remote IPSec will be disconnected after the time you set in this function.
PING: This mode will detect if the remote IPSec peer has been lost or not by pinging the specified IP address. DPD: Dead peer detection (DPD) is a keep alive mechanism that enables the router to be detected when the
connection between the router and a remote IPSec peer has been lost. Please note, it must be enabled on both sites.
PING to the IP: It is able to Ping the remote PC with the specified IP address and alert if the connection fails. Once an alert message is received, the router will drop this tunnel connection. Re-establishment of this connection is required. Default setting is 0.0.0.0 which disables the function.
Interval: This sets the time interval between Pings to the IP function to monitor the connection status. Default interval setting is 10 seconds. Time interval can be set from 0 to 3600 second, 0 second disables the function.
Ping to the IP
Interval (sec)
Ping to the IP Action
0.0.0.0
0
No
0.0.0.0
2000
No
xxx.xxx.xxx.xxx (A valid IP Address)
0
No
xxx.xxx.xxx.xxx (A valid IP Address)
2000
Yes, active it in every 2000 seconds
Disconnection Time after no traffic: It is the NO Response time clock. When no traffic stage time is beyond the
Disconnection time set, Router will automatically halt the tunnel connection and re-establish it base on the Reconnection Time set. 180 seconds is minimum time interval for this function.
Reconnection Time: It is the reconnecting time interval after NO TRAFFIC is initiated. 3 minutes is minimum time interval for this function.
Click Edit/Delete to save your changes.
Page 82
Page | 81
Both office Networks MUST be in different subnets with the LAN-LAN
application.
Functions of Pre –shared keys, VPN Connection Type and Security
Algorithms must be identical on both sides.
Example: Configuring an IPSec LAN to LAN VPN Connection
Table 3: Network Configuration and Security Plan
Branch Office
Head Office
Local Network ID
192.168.0.0/24
192.168.0.0/24
Local Router IP
69.1.121.30
69.1.121.3
Remote Network ID
192.168.0.0/24
192.168.0.0/24
Remote Router IP
69.1.121.3
69.1.121.30
IKE Pre-shared Key
12345678
12345678
VPN Connection Type
Tunnel mode
Tunnel mode
VPN Connection Type
ESP:MD5 with AES
ESP:MD5 with AES
Attention
Page 83
Page | 82
Configuring IPSec VPN in the Head Office
Function
Description
Name
IPSec_HeadOffice
A given name for the IPSec Connection.
Local Area
Subnet
Select Subnet from the Local Network drop-down menu.
IP Address
192.168.1.0
Head office network.
Netmask
255.255.255.0
Remote Secure
Gateway IP (or
Hostname)
69.121.1.30
A given username & password to authenticate branch office network.
Remote Network
Subnet
Select Subnet from the Remote Network drop- down menu.
IP Address
192.168.1.0
Branch office network.
Netmask
255.255.255.0
Pre-shared Key
12345678
Security plan
Authentication
MD5
Encryption
3DES
Prefer Forward
Security
None
Page 84
Page | 83
Configuring IPSec VPN in the Branch Office
Function
Description
Name
IPSec_HeadOffice
A given name for the IPSec Connection.
Local Area
Subnet
Select Subnet from the Local Network drop-down menu.
IP Address
192.168.0.0
Branch office network.
Netmask
255.255.255.0
Remote Secure
Gateway IP (or
Hostname)
69.121.1.3
IP address of the head office router (in WAN side
Remote Network
Subnet
Select Subnet from the Remote Network drop- down menu.
IP Address
192.168.1.0
Head office network.
Netmask
255.255.255.0
Pre-shared Key
12345678
Security plan
Authentication
MD5
Encryption
3DES
Prefer Forward Security
None
Page 85
Page | 84
Example: Configuring an IPSec Host to LAN VPN Connection
Configuring IPSec VPN in the Office
Page 86
Page | 85
Function
Description
Name
IPSec
A given name for the IPSec Connection.
Local Area
Subnet
Select Subnet from the Local Network drop-down menu.
IP Address
192.168.1.0
Branch office network.
Netmask
255.255.255.0
Remote Secure
Gateway IP (or
Hostname)
69.121.1.30
IP address of the head office router (in WAN side
Remote Network
Subnet
Select Subnet from the Remote Network drop- down menu.
IP Address
69.121.1.30
Head office network.
Pre-shared Key
12345678
Security plan
Authentication
MD5
Encryption
3DES
Prefer Forward Security
None
Page 87
Page | 86
L2TP (Layer Two Tunneling Protocol)
Two types of L2TP VPN are supported: Remote Access and LAN-to-LAN (please refer below for more information.). Fill in the blank with the information you need and click Add to create a new VPN connection account.
L2TP Connection-Remote Access Connection Type: Remote Access or LAN to LAN
Name: A given name for the connection (e.g. “connection to office”). Connection Type: Remote Access or LAN to LAN.
Page 88
Page | 87
Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office server), check Dial In if you want your router to operate as a VPN server.
When configuring your router as a Client, enter the remote Server IP Address (or Hostname)
you wish to
connect to.
When configuring your router as a server, enter the Private IP Address Assigned to the Dial
in User.
IP Address: Enter the IP address. Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a Dial-In user
(server), enter your own username. Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user
(server), enter your own password. Authentication Type: Default is Auto if you want the router to determine the authentication type to use, or else
manually specify CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol) if you know which type the server is using (when acting as a client), or else the authentication type you want clients connecting to you to use (when acting as a server). When using PAP, the password is sent unencrypted, whilst CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that an intruder has not replaced the client.
Tunnel Authentication: This enables the router to authenticate both the L2TP remote and L2TP host. This is only valid when L2TP remote supports this feature.
Secret: The secure password length should be 16 characters which may include numbers and characters. Active as default route: Commonly used by the Dial-out connection, all packets will route through the VPN tunnel to the
Internet; therefore, activating the function may degrade Internet performance. Remote Host Name (Optional): Enter the hostname of the remote VPN device. It is a tunnel identifier to check if the
Remote VPN device matches with the Remote hostname provided. If the remote hostnames match, the tunnel will be connected; otherwise, it will be dropped.
Caution: This only applies when the router is acting as a VPN server. This option should be used by advanced users only.
Local Host Name (Optional): Enter the hostname of a Local VPN device that is connected / established a VPN tunnel. By default, the router‟s default Hostname is home.gateway.
IPSec: Enable to enhance your L2TP VPN security. Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with during
transmission. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.
MD5: A one-way hashing algorithm that produces a 128−bit hash. SHA1: A one-way hashing algorithm that produces a 160−bit hash.
Encryption: Select the encryption method from the pull-down menu. There are four options, DES, 3DES, AES and
NULL. NULL means it is a tunnel with no encryption. 3DES and AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method. 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption method. AES: Stands for Advanced Encryption Standards, it uses 128 bits as an encryption method.
Page 89
Page | 88
Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography to change encryption keys during the second phase of VPN negotiation. This function will provide better security, but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
Click Edit/Delete to save your changes. Example: Configuring a L2TP VPN - Remote Access Dial-in Connection
A remote worker establishes a L2TP VPN connection with head office using Microsoft's VPN Adapter (included with Windows XP/2000/ME, etc.). The router is installed in the head office, connected to a couple of PCs and Servers.
Page 90
Page | 89
Configuring L2TP VPN in the Office
The input IP address 192.168.1.200 will be assigned to the remote worker. Please make sure this
IP is not used in the
Office LAN.
Pre-Shared Key 12345678
Function
Description
Name
VPN_L2TP
Give a name to the L2TP Connection
Connection Type
Remote Access
Select Remote Access from the Connection Type drop-down menu
Type
Dial in
Select Dial in from the Type drop down menu
IP Address
192.168.1.200
An IP assigned to the remote client
Username
username
Enter the username and password to
authenticate a remote client
Password
123456
Auth. Type
Chap (Auto)
Keep this as the default value in most cases
IPSec
Enable
Enable this to enhance your L2TP VPN security
Authentication
MD5
Both sides should use the same value
Encryption
3DES
Prefer Forward
Security
None
Pre-Shared Key
12345678
Page 91
Page | 90
Example: Configuring a Remote Access L2TP VPN Dial-out Connection
A company‟s office establishes a L2TP VPN connection with a file server located at a separate location. The router is
installed in the office, connected to a couple of PCs and Servers.
Configuring L2TP VPN in the Office The input IP address 192.168.1.200 will be assigned to the remote worker. Please make sure this IP is not used in the
Office LAN.
Page 92
Page | 91
Function
Description
Name
VPN_L2TP
Give a name of L2TP Connection
Connection Type
Remote Access
Select Remote Access from the Connection Type drop-down menu
Type
Dial Out
Select Dial out from the Type drop down menu
IP Address (or Hostname)
69.121.1.33
A Dialed Server IP
Username
username
An assigned username and password
Password
123456
Auth. Type
Chap (Auto)
Keep this as the default value for most cases
IPSec
Enable
Enable this to enhance your L2TP VPN security
Authentication
MD5
Both sides should use the same value
Encryption
3DES
Prefer Forward
Security
None
Pre-Shared Key
12345678
Example: Configuring your Router to Dial-in to the Server
Currently, Microsoft Windows operating systems do not support L2TP incoming services. Additional software may be required to set up your L2TP incoming service.
L2TP Connection - LAN to LAN L2TP VPN Connection
Name: A given name for the connection Connection Type: Remote Access or LAN to LAN. Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office
server), check Dial In to have it operate as a VPN server.
When configuring your router to establish a connection to a remote LAN, enter the remote
Server IP Address (or Hostname) you wish to connect to. When configuring your router as a server to accept incoming connections, enter the Private IP
Address assigned to
the Dial in User.
IP Address: Enter the IP address. Peer Network IP: Enter Peer network IP address. Netmask: Enter the subnet mask of peer network based on the Peer Network IP setting.
Page 93
Page | 92
Username: If you are a Dial-Out user (client), enter the username provided to you by your Host. If you are a Dial-In user (server), enter your own username.
Password: If you are a Dial-Out user (client), enter the password provided to you by your Host. If you are a Dial-In user (server), enter your own password.
Authentication Type: Default is Auto if you want the router to determine the authentication type to use, or else manually specify CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol) if you know which type the server is using (when acting as a client), or else the authentication type you want clients connecting to you to use (when acting as a server). When using PAP, the password is sent unencrypted, whilst CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that the client has not been replaced by an intruder.
Tunnel Authentication: This enables the router to authenticate both the L2TP remote and L2TP host systems. This is only valid when L2TP the remote system supports this feature.
Secret: The secure password length should be 16 characters which may include numbers and characters. Active as default route: Commonly used by the Dial-out connection. All packets will route through the VPN tunnel to the
Internet; therefore, activating the function may degrade Internet performance. Remote Host Name (Optional Enter the hostname of the remote VPN device. It is a tunnel identifier to check if the
Remote VPN device matches with the Remote hostname provided. If the remote hostnames match, the tunnel will be connected; otherwise, it will be dropped.
Caution: This only applies when the router is acting as a VPN server. This option should be used by advanced users only.
Local Host Name (Optional): Enter hostname of Local VPN device that is connected / established a VPN tunnel. By default, the router‟s default hostname is home.gateway.
IPSec: Enable to enhance your L2TP VPN security. Authentication: Authentication establishes the integrity of the datagram and ensures that it is not tampered with during
transmission. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.
MD5: A one-way hashing algorithm that produces a 128−bit hash. SHA1: A one-way hashing algorithm that produces a 160−bit hash.
Encryption: Select the encryption method from the pull-down menu. There are four options, DES, 3DES, AES and
NULL. NULL means that it is a tunnel with no encryption. 3DES and AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method. 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption method. AES: Stands for Advanced Encryption Standards, it uses 128 bits as an encryption method.
Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography to change
encryption keys during the second phase of VPN negotiation. This function will provide better security, but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
Page 94
Page | 93
Both office Networks MUST be in different subnets with the LAN-LAN
application.
Functions of Pre –shared keys, VPN Connection Type and Security
Algorithms must be identical on both sides.
Click Edit/Delete to save your changes.
Example: Configuring L2TP LAN-to-LAN VPN Connection
The branch office establishes a L2TP VPN tunnel with head office to connect two private networks over the Internet. The routers are installed in the head office and branch office accordingly.
Attention
Configuring L2TP VPN in the Head Office The IP address 192.168.1.200 will be assigned to the router located in the branch office. Please make sure this IP is not
used in the head office LAN.
Page 95
Page | 94
Function
Description
Name
Head Office
Give a name to the L2TP Connection
Connection Type
LAN to LAN
Select LAN to LAN from the Connection Type drop-down menu
Type
Dial in
Select Dial in from the Type drop down menu
IP Address
192.168.1.200
IP address assigned to the branch office network
Peer Network IP
192.168.0.0
Branch office network
Username
username
A username and password assigned to authenticate the branch office network
Password
123456
Auth. Type
Chap (Auto)
Keep this as the default value in most cases
IPSec
Enable
Enable this to enhance your L2TP VPN security
Authentication
MD5
Both sides should use the same value
Encryption
3DES
Prefer Forward
Security
None
Pre-Shared Key
12345678
Page 96
Page | 95
Configuring L2TP VPN in the Branch Office The IP address 69.1.121.30 is the Public IP address of the router located in head office. If you registered the DDNS
(please refer to the DDNS section of this manual), you can also use the domain name instead of the IP address to reach the router.
Function
Description
Name
Head Office
Give a name to the L2TP Connection
Connection Type
LAN to LAN
Select LAN to LAN from the Connection Type drop-down menu
Type
Dial in
Select Dial in from the Type drop down menu
IP Address
69.121.1.33
IP address assigned to the branch office network
Peer Network IP
192.168.1.0
Head office network
Netmask
255.255.255.0
Username
username
A username and password assigned to authenticate the branch office network
Password
123456
Auth. Type
Chap (Auto)
Keep this as the default value in most cases
IPSec
Enable
Enable this to enhance your L2TP VPN security
Authentication
MD5
Both sides should use the same value
Encryption
3DES
Prefer Forward
Security
None
Pre-Shared Key
12345678
Page 97
Page | 96
Remember to apply changes, SAVE CONFIG and restart the router after
completing your VoIP configuration. This is to ensure that your VoIP is activated.
VoIP - Voice over Internet Protocol
VoIP enables telephone calls through existing Internet connection instead of going through the PSTN (Public Switched Telephone Network). It is not only cost-effective, especially for a long distance telephone charges, but also toll-quality voice calls over the Internet.
Attention
Here are the items within the VoIP section: SIP Device Parameters, SIP Accounts, Phone Port, PSTN Dial Plan,
VoIP Dial Plan, Call Features, Speed Dial and Ring &Tone.
SIP Device Parameters
This section provides easy setup for your VoIP service. Phone port 1 and 2 can be registered to different SIP Service Providers.
SIP Device Parameters SIP: To use VoIP SIP as VoIP call signaling protocol. Default is set to Disable. Silence Suppression (VAD): Voice Activation Detection (VAD) prevents transmitting the nature silence to consume
the bandwidth. It is also known as Silence Suppression which is a software application that ensures the bandwidth is reserved only when voice activity is activated. Default is set to Enable.
Page 98
Page | 97
Echo Cancellation: G.168 echo canceller is an ITU-T standard. It is used to isolate the echo while you are on the phone. This helps you not hear your own voice on the phone while you talk. Default is set to Enable.
RTP Port: Provides the base value from the media (RTP) ports that are assigned for various endpoints and the different call sessions that may exist within an end-point. (Range from 5100 to 65535, default value is 5100)
Region: This selection is a drop-down box, which allows a user to select the country in which the VoIP device is active. When a country is selected, the country parameters are automatically loaded.
Voice QoS, DSCP Marking: Differentiated Services Code Point (DSCP), it is the first 6 bits in the ToS byte. DSCP Marking allows users to assign specific application traffic to be executed in priority by the next Router based on the DSCP value. See Table 4. The DSCP Mapping Table:
Note: Be sure that the router(s) in the backbone network have the ability to execute and check the DSCP markings through-out the QoS network.
Advanced – Parameters
VoIP through IP Interface: IP Interface decides where to send/receive the VoIP traffic; it includes: ipwan and iplan. Easy way to select the interface is to check the location of the SIP server. If it is located somewhere on the Internet then select ipwan. If the VoIP SIP server is on the local Network then select iplan.
Voice Frame Size: Frame size is available from 10ms to 60ms. Frame size meaning how many milliseconds the Voice packets will be queued and sent out. It is ideal to have the same frame size on both Caller and Receiver.
Dial Plan Priority: Define the priority between VoIP and PSTN dial plan. PSTN Auto-fallback: Whenever VoIP SIP responds with an error or an error code matching the codes in the Edit
section, the VoIP calls will automatically fallback to PSTN. In other words, the call will be made via the PSTN when VoIP SIP returns an error code.
Click Edit to add or remove response codes. Be sure that the codes are separated by a comma (,). For more information about SIP response codes, please go to this link http://voip-info.
org/wiki/view/sip+response+codes. You will get the meaning of all the SIP responses here.
T.38 Fax Relay: It allows the transfer of facsimile documents in real-time between two standard Group 3 facsimile
terminals over the Internet or other networks using IP protocols. It will only function when both sites support this feature and have it enabled.
Page 99
Page | 98
Advanced – PSTN Environment Adjustment
PSTN Environment Adjustment options will help you to adjust the onhook and offhook voltage detection values for your environment. You should use these if the default values are incorrect and result in PSTN calls not being detected properly, e.g. calls being terminated within 5 seconds of being answered. The actual levels are determined by your environment including the number and type of telephones used.
Note: ONHOOK means hung up.
To take your phone OFFHOOK, lift the receiver then press Hook/Flash until you hear your normal PSTN dial tone, and not your VoIP dial tone. Wait several seconds and then press Check Level.
You should check the OFFHOOK value for each telephone you have connected to this device. Set the OFFHOOK voltage to the lowest setting registered for all your telephones, e.g. if your telephones return values of 4, 5 and 7 then you should set your OFFHOOK voltage to 4.
Note: The detected values will not automatically be set by the Check Level function; you must enter the lowest level detected after testing all your telephones.
SIP Accounts
This section contains the basic settings of the VoIP module from the selected provider in the Wizard section. Providing the incorrect information will cause it to stop making calls through the Internet.
Profile Name: Assign a name for profile identification. Registrar Address (or Hostname): Indicate the VoIP SIP registrar IP address. Registrar Port: Specify the port of the VoIP SIP registrar on which it will listen for register requests from VoIP
devices.
Expire: This is the duration for the registration message being sent. User Domain/Realm: Set a different domain name for the VoIP SIP proxy server.
Page 100
Page | 99
Outbound Proxy Address: Indicate the VoIP SIP outbound proxy server IP address. This parameter is very useful when VoIP devices are behind a NAT.
Outbound Proxy Port: Specify the port of the VoIP SIP outbound proxy on which it will listen for messages. Phone Number: This parameter holds the registration ID of the user within the VoIP SIP registrar. Username: Same as Phone Number. Password: This parameter holds the password used for authentication within the VoIP SIP registrar. Display Name: This parameter will appear on the Caller ID. Direct in Dial: Select the ringing port when getting an incoming VoIP call.
Phone Port
This section displays the status and allows for further editing of the account information of the Phones. Click Edit to update your phone information.
Port: It allows you to change the phone port setting for a specific FXS port. *69 (Return Call): Dial *69 to return the last missed call. It is only available for VoIP call(s). *20 (Do not Disturb ON): Dial *20 to enable the No Disturb feature. Your phone will not ring if someone calls. *90x (Blind Call Transfer): Dial *90 + phone-number to transfer a call to a third party. This feature is enabled by
default. x# Speed Dial (x:2..9): Refer to the Phone Port section in the Web GUI. Set up your Speed Dial phone book first
before accessing the Speed Dial feature. This feature is enabled by default.
## Redial: Press ## to redial the last phone number. This feature is enabled by default. *74<x><number>#: Use your phone key pad to insert a phone number to the Speed Dial phone book. Or you can
update your Speed Dial phone number manually. Refer to the Phone Port section in the Web GUI for details.
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use