Billion BiPAC 4500NZ, BiPAC 4500NZL User Manual

Last revised date: January 6, 2015
BiPAC 4500NZ(L)
4G/LTE Wireless-N (VPN) Broadband
User Manual
Version release: v1.02b.rc8.dt6
Table of Contents
Chapter 1: Introduction
    Introduction to your Router
    Features & Specifications
    Hardware Specifications
    Application Diagram
Chapter 2: Product Overview
    Important Note for Using This Router
    Device Description
        Front Panel LEDs
        Rear Panel Connectors
    Cabling
Chapter 3: Basic Installation
    Network Configuration – IPv4
        Configuring PC in Windows 7/8 (IPv4)
        Configuring PC in Windows Vista (IPv4)
        Configuring PC in Windows XP (IPv4)
    Network Configuration – IPv6
        Configuring PC in Windows 7/8 (IPv6)
        Configuring PC in Windows Vista (IPv6)
        Configuring PC in Windows XP (IPv6)
    Default Settings
    Information from Your ISP
Chapter 4: Device Configuration
    Login to your Device
    Status
        Device Info
        System Log
        3G/4G LTE Status
        Statistics
        DHCP Table
        Gre Status (4500NZ only)
        IPSEC Status (4500NZ only)
        PPTP Status (4500NZ only)
        L2TP Status (4500NZ only)
        Disk Status
    Quick Start
    Configuration
        Interface Setup
            Internet
            LAN
            Wireless
            Wireless MAC Filter
        Dual WAN
            General Setting
        Advanced Setup
            Firewall
            Routing
            NAT
            Static DNS
            QoS
            Port Isolation
            Time Schedule
        VPN
            IPSEC Setting
            PPTP Server
            PPTP Client
            L2TP
            GRE Tunnel
        Access Management
            Device Management
            SNMP
            Universal Plug & Play
            Dynamic DNS
            Access Control
            Packet Filter
            CWMP (TR069)
            Parental Control
            SAMBA & FTP Server
        Maintenance
            User Management
            Time Zone
            Firmware & Configuration
            System Restart
            Diagnostics Tool
Chapter 5: Troubleshooting
    Problems with the Router
    Problem with LAN Interface
    Recovery Procedures
Appendix: Product Support & Contact
Chapter 1: Introduction
Introduction to your Router
Congratulations on your purchase of the BiPAC 4500NZ(L) (4G/LTE Wireless (VPN) Broadband Router). This router is a compact and advanced broadband router that offers flexible and multiple Internet connection options, EWAN and embedded 4G/LTE interfaces, for home, SOHO, and office users to enjoy high-speed, high-level security Internet connection via cellular wireless and/or Ethernet WAN. With an integrated 802.11n wireless access point and 4-port Gigabit Ethernet LAN, this router enables faster wireless speed of up to 300Mbps and LAN connection 10 times faster than regular 10/100Mbps Ethernet LAN. BiPAC 4500NZ(L) provides a unique Management Center enabling users to monitor 4G/LTE signal strength, bandwidth, download speed, and many more.
4G/LTE Mobility
With 4G/LTE-based Internet connection (4G/LTE embedded module, requires an additional SIM card), you can access the Internet through 4G/LTE whether you are seated at your desk or taking a cross-country trip.
Wireless Mobility and Security
With an integrated 802.11n Wireless Access Point, this router delivers up to 3 times the wireless coverage of a 802.11b/g network device, so that wireless access is available everywhere in the house or office. If your network requires wider coverage, the built-in Wireless Distribution System (WDS) allows you to expand your wireless network without additional wires or cables. BiPAC 4500NZ(L) also supports the Wi-Fi Protected Setup (WPS) standard and allows users to establish a secure wireless network just by pressing a button. Multiple SSIDs allow users to access different networks through a single access point. Network managers can assign different policies and functions for each SSID, increasing the flexibility and efficiency of the network infrastructure.
4G/LTE Management Center
The BiPAC 4500NZ(L) Mobile Management Center visually displays the current 4G/LTE signal status and also calculates the total amount of hours or data traffic used per month, allowing you to manage your 4G/LTE monthly subscriptions.
Secure VPN Connections
The BiPAC 4500NZ supports comprehensive and robust IPSec VPN (Virtual Private Network) protocols for business users to establish private encrypted tunnels over the public Internet to secure data transmission between headquarters and branch offices. It also supports VPN dial in from smart phones for secure remote Internet connection via your home broadband. With a built-in DES/3DES VPN accelerator, the router enhances IPSec VPN performance significantly.
IPv6 Supported
Internet Protocol version 6 (IPv6) is a version of the Internet Protocol that is designed to succeed IPv4. IPv6 has a vastly larger address space than IPv4. The router already supports IPv6, so you can use it in an IPv6 environment without changing devices. The dual-stack protocol implementation in an operating system is a fundamental IPv4-to-IPv6 transition technology. It implements IPv4 and IPv6 protocol stacks either independently or in a hybrid form. The hybrid form is commonly implemented in modern operating systems supporting IPv6.
Quick Start Wizard
A web GUI page is provided to install this device quickly. With this wizard, simple steps will get you connected to the Internet immediately.
Firmware Upgradeable
The device can be upgraded to the latest firmware through the web-based GUI.
Features & Specifications
• 4G/LTE for high speed mobile broadband connectivity
• Gigabit Ethernet WAN (GbE WAN) for Cable/Fiber/xDSL high WAN throughput
• Gigabit Ethernet LAN
• IPv6 ready (IPv4/IPv6 dual stack)
• Multiple wireless SSIDs with wireless guest access and client isolation
• IEEE 802.11 b/g/n compliant Wireless Access Point with Wi-Fi Protected Setup (WPS)
• Wi-Fi Protected Access (WPA-PSK/ WPA2-PSK) and Wired Equivalent Privacy (WEP)
• Secured IPSec VPN with powerful DES/ 3DES/ AES (BiPAC 4500NZ only)
• PPTP VPN with Pap/ Chap/ MPPE authentication (BiPAC 4500NZ only)
• L2TP VPN with Pap/Chap authentication (BiPAC 4500NZ only)
• GRE Tunnel (BiPAC 4500NZ only)
• SOHO Firewall Security with DoS Preventing and Packet Filtering
• Quality of Service Control for traffic prioritization management
• Universal Plug and Play (UPnP) Compliance
• Voice over IP compliant with SIP standard
• Two FXS ports for connecting to regular analog telephones
• Call Waiting, Conference Call
• Speed Dial, Return Call, Redial
• Don’t Disturb
• Ease of Use with Quick Installation Wizard
• One USB port for NAS (FTP/ SAMBA server)
• Ideal for SOHO, office, and home users
Network Protocols and Features
• IPv4, IPv6 or IPv4 / IPv6 Dual Stack
• NAT, static (v4/v6) routing and RIP-1 / 2
• DHCPv4 / v6
• Universal Plug and Play (UPnP) Compliant
• Dynamic Domain Name System (DDNS)
• Virtual Server and DMZ
• SNTP, DNS proxy
• IGMP snooping and IGMP proxy
• MLD snooping and MLD proxy
Firewall
• Built-in NAT Firewall
• Stateful Packet Inspection (SPI)
• DoS attack prevention including Land Attack, Ping of Death, etc.
• Access control
• IP&MAC filter, URL Content Filter
• Password protection for system management
• VPN pass-through
Quality of Service Control
• Traffic prioritization management based on Protocol, Port Number and IP Address (IPv4/ IPv6)
IPTV Applications*2
• IGMP proxy and IGMP snooping
• MLD proxy and MLD snooping
• Interface Grouping (VLAN)
• Quality of Service (QoS)
Wireless LAN
• Compliant with IEEE 802.11 b/ g/ n standards
• 2.4 GHz - 2.484GHz radio band for wireless
• Up to 300 Mbps wireless operation rate
• 64 / 128 bits WEP supported for encryption
• WPS (Wi-Fi Protected Setup) for easy setup
• Wireless Security with WPA-PSK / WPA2-PSK support
• WDS repeater function support
USB Application Server
• Storage/NAS: SAMBA Server, FTP Server
Virtual Private Network (VPN) (BiPAC 4500NZ only)
• 8 IPSec VPN Tunnels
• 8 PPTP VPN Tunnels (Dial-in:4, Dial-out:4)
• 8 L2TP VPN Tunnels (Dial-in:4, Dial-out:4)
• GRE Tunnel
Management
• Quick Installation wizard
• Web-based GUI for remote and local management (IPv4/IPv6)
• Firmware upgrades and configuration data upload and download via web-based GUI
• Supports DHCP server / client / relay
• Supports SNMP v1, v2, v3, MIB-I and MIB-II
• TR-069*1 supports remote management
• Failover/fallback
1. On request for Telco / ISP projects
2. IPTV application may require subscription to IPTV services from a Telco / ISP.
3. Specifications on this datasheet are subject to change without prior notice.
Hardware Specifications
Physical interface
• 4G LTE antenna: 2 external antennas
• WLAN: 2 internal PIFA antennas
• SIM card slot: SIM card slot (for the SIM card from Telco / ISP) for mobile broadband connectivity
• USB: USB 2.0 Type A Host port for storage service
• Ethernet: 4-port 10 / 100 / 1000Mbps auto-crossover (MDI / MDI-X) Switch
• EWAN: RJ-45 Gigabit Ethernet port for connecting to Cable/Fiber/xDSL modem for Broadband connectivity.
• Factory default reset button
• Wireless on/off and WPS push button
• Power jack
• Power switch
Application Diagram
BiPAC 4500NZ(L) is an all-in-one router, supporting 2 connection options (4G/LTE and EWAN) to connect to the Internet.
4G/LTE router mode
With an embedded 4G/LTE module, the router can be used to connect to a high-speed mobile fixed wireless connection.
Broadband Router Mode
This router also has a Gigabit Ethernet WAN port (EWAN) to connect to your Fiber / Cable / xDSL modem.
Chapter 2: Product Overview
Important Note for Using This Router
Attention
• Place the router on a stable surface.
• Only use the power adapter that comes with the package. Using a power adapter with a different voltage rating may damage the router.
Warning
• Do not use the router in high humidity or high temperature.
• Do not use the same power source for the BiPAC 4500NZ(L) and other equipment.
• Do not open or repair the case yourself. If the device becomes too hot, turn off the power immediately and have it repaired at a qualified service center.
• Avoid using this product and all accessories outdoors.
Device Description
Front Panel LEDs
| LED | STATUS | DESCRIPTION |
|---|---|---|
| Power | Green | System is up and ready |
| Power | Red | Boot failure |
| EWAN | Lit up | BiPAC 4500NZ(L) is successfully connected with a broadband connection device. |
| EWAN | Green | Transmission speed is at Gigabit speed (1000Mbps) |
| EWAN | Orange | Transmission speed is at 10/100Mbps |
| EWAN | Blinking | Data being transmitted/received |
| Ethernet Port LAN 1 ~ 4 | Green | Transmission speed is at Gigabit speed (1000Mbps) |
| Ethernet Port LAN 1 ~ 4 | Orange | Transmission speed is at 10/100Mbps |
| Ethernet Port LAN 1 ~ 4 | Blinking | Data being transmitted/received |
| USB | Green | Connecting to a USB dongle or a hard drive. |
| Wireless/WPS | Green | Wireless connection established |
| Wireless/WPS | Green blinking | Data being transmitted / received |
| Wireless/WPS | Orange | WPS configuration is in progress |
| LTE (Received Signal Strength Indicator) | Green | RSSI greater than -69 dBm. Excellent signal condition. |
| LTE (Received Signal Strength Indicator) | Green, flashing quickly | RSSI from -81 to -69 dBm. Good signal condition. |
| LTE (Received Signal Strength Indicator) | Orange, flashing quickly | RSSI from -99 to -81 dBm. Fair signal condition. |
| LTE (Received Signal Strength Indicator) | Orange, flashing slowly | RSSI less than -99 dBm. Poor signal condition. |
| LTE (Received Signal Strength Indicator) | Orange | No signal and the 4G_LTE module is in service |
| LTE (Received Signal Strength Indicator) | Off | No LTE module or LTE module fails |
| Internet | Green | IP connected and traffic is passing through the device. |
| Internet | Red | IP request failed. |
| Internet | Off | BiPAC 4500NZ(L) is either in bridged mode or WAN connection not present. |
Rear Panel Connectors
| | PORT | MEANING |
|---|---|---|
| 1 | Antenna | Screw the supplied 4G/LTE antennas onto the antenna connectors on both sides. |
| 2 | SIM Card Slot | Insert the mini SIM card (2FF) with the gold contact facing down. Push the mini SIM card (2FF) inwards to eject it. |
| 3 | USB | The USB port can be set up for storage/file sharing. Connect an external USB dongle / hard drive for storage. |
| 4 | Gigabit LAN Ethernet (1~4) | Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the four LAN ports when connecting to a PC or an office/home network of 10Mbps / 100Mbps / 1000Mbps. |
| 5 | Gigabit EWAN | Connect to a Fiber / Cable / xDSL modem with an RJ-45 cable. |
| 6 | Reset | After the device is powered on, press it for 6 seconds or more to restore the factory default settings (this is used when you cannot log in to the router, e.g. forgot your password). |
| 7 | WPS & Wireless On/Off | By controlling the pressing time, users can achieve two different effects: (1) WPS*1: Press & hold the button for less than 6 seconds to trigger the WPS function. (2) Wireless ON/OFF button: Press & hold the button for more than 6 seconds to turn the wireless on/off. |
| 8 | Power Jack | Connect the supplied Power Adapter to this jack. |
Cabling
One of the most common causes of problems is bad cabling. Make sure that all connected devices are turned on. On the front panel of the product is a bank of LEDs. Verify that the LAN Link and LEDs are lit. If they are not, verify that you are using the proper cables.
Make sure that all other devices (e.g. telephones, fax machines, analogue modems) connected to the same telephone line as your router have a line filter connected between them and the wall socket (unless you are using a Central Splitter or Central Filter installed by a qualified and licensed electrician), and that all line filters are correctly installed. If a line filter is not correctly installed and connected, it may cause problems with your connection or result in frequent disconnections.
Chapter 3: Basic Installation
The router can be configured with your web browser. A web browser is included as a standard application in the following operating systems: Windows 98 / NT /2000 / XP / ME / 7 / Vista, Linux, Mac OS, etc. The product provides an easy and user-friendly interface for configuration.
PCs must have an Ethernet interface installed properly and be connected to the router either directly or through an external repeater hub, and have TCP/IP installed and configured to obtain an IP address through a DHCP server or a fixed IP address that must be in the same subnet as the router. The default IP address of the router is 192.168.1.254 and the subnet mask is 255.255.255.0 (i.e. any attached PC must be in the same subnet, and have an IP address in the range of 192.168.1.1 to 192.168.1.253). The best and easiest way is to configure the PC to get an IP address automatically from the router using DHCP. If you encounter any problems accessing the router’s web interface it may also be advisable to uninstall any kind of software firewall on your PCs, as they can cause problems accessing the 192.168.1.254 IP address of the router. Users should make their own decisions on how to best protect their network.
Please follow the steps below for your PC’s network environment installation. First of all, please check your PC’s network components. The TCP/IP protocol stack and Ethernet network adapter must be installed. If not, please refer to your Windows-related or other operating system manuals.
Any TCP/IP capable workstation can be used to communicate with or through the BiPAC 4500NZ(L). To configure other types of workstations, please consult the manufacturer’s documentation.
Network Configuration – IPv4
Configuring PC in Windows 7/8 (IPv4)
1. Go to Start. Click on Control Panel.
2. Then click on Network and Internet.
3. When the Network and Sharing Center window pops up, select and click on Change adapter settings on the left window panel.
4. Select the Local Area Connection, and right click the icon to select Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4) then click Properties.
6. In the TCP/IPv4 properties window, select the Obtain an IP address automatically and Obtain DNS Server address automatically radio buttons. Then click OK to exit the setting.
7. Click OK again in the Local Area Connection Properties window to apply the new configuration.
Configuring PC in Windows Vista (IPv4)
1. Go to Start. Click on Network.
2. Then click on Network and Sharing Center at the top bar.
3. When the Network and Sharing Center window pops up, select and click on Manage network connections on the left window pane.
4. Select the Local Area Connection, and right click the icon to select Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4) then click Properties.
6. In the TCP/IPv4 properties window, select the Obtain an IP address automatically and Obtain DNS Server address automatically radio buttons. Then click OK to exit the setting.
7. Click OK again in the Local Area Connection Properties window to apply the new configuration.
Configuring PC in Windows XP (IPv4)
1. Go to Start. Click on Control Panel.
2. Then click on Network and Internet.
3. In the Local Area Connection Status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio buttons.
6. Click OK to finish the configuration.
Network Configuration – IPv6
Configuring PC in Windows 7/8 (IPv6)
1. Go to Start. Click on Control Panel.
2. Then click on Network and Internet.
3. When the Network and Sharing Center window pops up, select and click on Change adapter settings on the left window panel.
4. Select the Local Area Connection, and right click the icon to select Properties.
5. Select Internet Protocol Version 6 (TCP/IPv6) then click Properties.
6. In the TCP/IPv6 properties window, select the Obtain an IPv6 address automatically and Obtain DNS Server address automatically radio buttons. Then click OK to exit the setting.
7. Click OK again in the Local Area Connection Properties window to apply the new configuration.
Configuring PC in Windows Vista (IPv6)
1. Go to Start. Click on Network.
2. Then click on Network and Sharing Center at the top bar.
3. When the Network and Sharing Center window pops up, select and click on Manage network connections on the left window pane.
4. Select the Local Area Connection, and right click the icon to select Properties.
5. Select Internet Protocol Version 6 (TCP/IPv6) then click Properties.
6. In the TCP/IPv6 properties window, select the Obtain an IP address automatically and Obtain DNS Server address automatically radio buttons. Then click OK to exit the setting.
7. Click OK again in the Local Area Connection Properties window to apply the new configuration.
Configuring PC in Windows XP (IPv6)
IPv6 is supported by Windows XP, but you need to install it first.
Please follow the steps to install IPv6:
1. On the Desktop, click Start > Run, type cmd, then press the Enter key on the keyboard; the following screen appears.
2. Key in the command ipv6 install
Installation of IPv6 is now completed. Please test it to see if it works or not.
Default Settings
Before configuring the router, you need to know the following default settings.
Web Interface: (Username and Password)
Username: admin
Password: admin
The default username and password are “admin” and “admin” respectively.
Device LAN IP Settings
IP Address: 192.168.1.254
Subnet Mask: 255.255.255.0
DHCP Server:
DHCP server is enabled.
Start IP Address: 192.168.1.100
IP pool counts: 20
Attention
If you ever forget the username/password to log in to the router, you may press the RESET button for up to 6 seconds and then release it to restore the factory default settings.
Caution: After pressing the RESET button for more than 6 seconds and releasing it, be sure to power cycle the device.
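The following is an added example, not part of the manual, that checks planned static addresses for LAN hosts against the defaults listed above (router 192.168.1.254, mask 255.255.255.0, DHCP start 192.168.1.100, pool count 20). It assumes the DHCP pool is the contiguous block of 20 addresses beginning at the start address; the function names are hypothetical.

```python
import ipaddress

# Defaults quoted from the manual's "Default Settings" section.
ROUTER_IP = ipaddress.IPv4Address("192.168.1.254")
LAN = ipaddress.IPv4Network("192.168.1.0/255.255.255.0")
DHCP_START = ipaddress.IPv4Address("192.168.1.100")
DHCP_COUNT = 20  # "IP pool counts: 20"


def dhcp_pool():
    """First and last address of the pool (assumed contiguous from DHCP_START)."""
    return DHCP_START, DHCP_START + (DHCP_COUNT - 1)


def check_static_address(text):
    """Return (ok, reason) for one candidate static address on the default LAN."""
    try:
        addr = ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return False, "not a valid IPv4 address"
    if addr not in LAN:
        return False, "outside %s, the router at %s is unreachable" % (LAN, ROUTER_IP)
    if addr in (LAN.network_address, LAN.broadcast_address):
        return False, "network or broadcast address of the subnet"
    if addr == ROUTER_IP:
        return False, "already used by the router"
    first, last = dhcp_pool()
    if first <= addr <= last:
        return False, "inside the DHCP pool %s-%s, may be leased to another host" % (first, last)
    return True, "usable"


def check_plan(plan):
    """Check a {hostname: address} plan and flag hosts that share an address.

    Returns {hostname: reason} for every entry that should be changed.
    """
    problems = {}
    seen = {}  # address -> first hostname that claimed it
    for host, text in plan.items():
        ok, reason = check_static_address(text)
        if not ok:
            problems[host] = reason
            continue
        addr = ipaddress.IPv4Address(text.strip())
        if addr in seen:
            problems[host] = "duplicate of %s" % seen[addr]
        else:
            seen[addr] = host
    return problems


if __name__ == "__main__":
    # Constructed sample plan, not taken from the manual.
    sample = {
        "nas": "192.168.1.10",
        "printer": "192.168.1.10",
        "camera": "192.168.1.105",
        "laptop": "192.168.2.20",
        "desktop": "192.168.1.20",
    }
    for host, reason in check_plan(sample).items():
        print("%-8s %s" % (host, reason))
```
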
Information from Your ISP
Before configuring this device, you have to check with your ISP (Internet Service Provider) what kind of service is provided, such as EWAN (Dynamic IP address, Static IP address, PPPoE, Bridge Mode).
Gather the information as illustrated in the following table and keep it for reference.
PPPoE: Username, Password, Service Name, and Domain Name System (DNS) IP address (it can be automatically assigned by your ISP when you connect or be set manually).
Dynamic IP Address: DHCP Client (it can be automatically assigned by your ISP when you connect or be set manually).
Static IP Address: IP address, Subnet mask, Gateway address, and Domain Name System (DNS) IP address (it is fixed IP address).
Bridge Mode: Pure Bridge
Chapter 4: Device Configuration
Login to your Device
Open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click “Go”. A user name and password prompt window appears.
The default username and password are “admin” and “admin” respectively for the Administrator.
NOTE: This username / password may vary by different Internet Service Providers.
Congratulations! You have successfully logged on to your BIPAC 4500NZ(L) !
Once you have logged on to your BIPAC 4500NZ(L) via your web browser, you can begin to set it up according to your requirements. On the configuration homepage, the left navigation pane links you directly to the setup page, which includes:
• Status (Device Info, System Log, 3G/4G LTE Status, Statistics, DHCP Table, Gre Status, IPSEC Status, PPTP Status, L2TP Status, Disk Status)
• Quick Start (Wizard Setup)
• Configuration (Interface Setup, Advanced Setup, VPN, Access Management, Maintenance)
Please see the relevant sections of this manual for detailed instructions on how to configure your gateway.
Status
In this section, you can check the router working status, including Device Info, System Log, 3G Status, Statistics, DHCP Table, Gre Status, IPSEC Status, PPTP Status, L2TP Status, and Disk Status.
Device Info
It contains basic information of the device.
Device Information
Model Name: Show model name of the router
Firmware Version: This is the Firmware version
MAC Address: This is the MAC Address
Date Time: The current date and time.
System Up Time: The duration since system is up.
Physical Port Status
Here the page shows the status of physical port of Ethernet and Wireless.
WAN
Interface: The WAN interface, "EWAN" and "3G/4G-LTE".
Protocol: The protocol in use.
Connection: The status of the link.
IP Address: The WAN interface IP address obtained.
Default Gateway: The default gateway address.
LAN
IP Address: LAN IP address.
Subnet Mask/Prefix Length: Subnet mask for IPv4 and Prefix length for IPv6 on LAN.
DHCP Server: LAN port DHCP information.
Wireless
Mode: The wireless mode in use.
SSID: The SSID.
Channel: The current channel.
Security: The wireless security setting, authentication type.
System Log
In system log, you can check the operations status and any glitches to the router.
Refresh: Press this button to refresh the statistics.
3G/4G-LTE Status
This page contains 3G/4G-LTE connection information.
Status: The current status of the 3G/4G-LTE connection.
Signal Strength: The signal strength bar and dBm value indicate the current 3G/4G-LTE signal strength. The front panel 3G/4G-LTE Signal Strength LED indicates the signal strength as well.
Signal Information: Shows important LTE signal parameters such as RSRP (Reference Signal Receiving Power), RSRQ (Reference Signal Receiving Quality), SINR (Signal to Interference plus Noise Ratio).
- RSRP (Reference Signal Receiving Power): The average power of all resource elements which carry cell-specified reference signals over the entire bandwidth.
- RSRQ (Reference Signal Receiving Quality): Measures the signal strength and is calculated based on both RSRP and RSSI.
- RSSI (Received Signal Strength Indicator): A parameter which provides information about total received wide-band power (measured in all symbols) including all interference and thermal noise.
- SINR (Signal to Interference plus Noise Ratio): Also a measure of signal quality. It is widely used by the operators as it provides a clear relationship between RF conditions and throughput.
NOTE: Some LTE modules do not provide this information.
Network Name: The name of the LTE network the router is connecting to.
Cell ID: The ID of base station that the device is connected to.
Card IMEI: The unique identification number that is used to identify the 3G/4G-LTE module.
Card IMSI: The international mobile subscriber identity used to uniquely identify the user of a cellular network, a number provisioned in the SIM card.
Network Mode: Shows the network mode in use.
Network Band: Shows the network band in use.
Refresh: Press this button to refresh the statistics.
Statistics
Ethernet
Interface: List all available network interfaces in the router. You are currently checking on the physical status of the Ethernet port.
Transmit Frames: This field displays the number of frames transmitted until the latest second.
Transmit Multicast Frames: This field displays the number of multicast frames transmitted until the latest second.
Transmit Total Bytes: This field displays the number of bytes transmitted until the latest second.
Transmit Collision: This is the number of collisions on this port.
Transmit Error Frames: This field displays the number of error packets on this port.
Receive Frames: This field displays the number of frames received until the latest second.
Receive Multicast Frames: This field displays the number of multicast frames received until the latest second.
Receive Total Bytes: This field displays the number of bytes received until the latest second.
Receive CRC Errors: This field displays the number of error packets on this port.
Receive Under-size Frames: This field displays the number of under-size frames received until the latest second.
Refresh: Press this button to refresh the statistics.
Wireless
Interface: List all available network interfaces in the router. You are currently checking on the physical status of the Wireless.
Transmit Frames: This field displays the number of frames transmitted until the latest second.
Transmit Error Frames: This field displays the number of error frames transmitted until the latest second.
Transmit Drop Frames: This field displays the number of drop frames transmitted until the latest second.
Receive Frames: This field displays the number of frames received until the latest second.
Receive Error Frames: This field displays the number of error frames received until the latest second.
Receive Drop Frames: This field displays the number of drop frames received until the latest second.
Refresh: Press this button to refresh the statistics.
EWAN
Interface: List all available network interfaces in the router. You are currently checking on the physical status of the EWAN port.
Transmit Frames: This field displays the total number of frames transmitted until the latest second.
Transmit Multicast Frames: This field displays the total number of multicast frames transmitted till the latest second.
Transmit Total Bytes: This field displays the total number of bytes transmitted until the latest second.
Transmit Collision: This is the number of collisions on this port.
Transmit Error Frames: This field displays the number of error packets on this port.
Receive Frames: This field displays the number of frames received until the latest second.
Receive Multicast Frames: This field displays the number of multicast frames received until the latest second.
Receive Total Bytes: This field displays the number of bytes received until the latest second.
Receive CRC Errors: This field displays the number of error packets on this port.
Receive Under-size Frames: This field displays the number of under-size frames received until the latest second.
Refresh: Press this button to refresh the statistics.
3G/4G-LTE
Interface: List all available network interfaces in the router. You are currently checking on the physical status of 3G/4G-LTE interface.
Transmit Frames of Current Connection: This field displays the total number of 3G/4G-LTE frames transmitted until the latest second for the current connection.
Transmit Bytes of Current Connection: This field shows the total bytes transmitted till the latest second for the current connection.
Transmit Total Frames: The field displays the total number of frames transmitted till the latest second since system is up.
Transmit Total Bytes: This field displays the total number of bytes transmitted until the latest second since system is up.
Receive Frames of Current Connection: This field displays the number of frames received until the latest second for the current connection.
Receive Bytes of Current Connection: This field shows the total bytes received till the latest second for the current connection.
Receive Total Frames: This field displays the total number of frames received until the latest second since system is up.
Receive Total Bytes: This field displays the total frames received till the latest second since system is up.
DHCP Table
DHCP table displays the devices connected to the router with clear information.
#: The index identifying the connected devices.
Host Name: Show the hostname of the PC.
IP Address: The IP allocated to the device.
MAC Address: The MAC of the connected device.
Expire Time: The total remaining interval since the IP assignment to the PC.
Gre Status (BiPAC 4500NZ only)
Name: The GRE connection name.
Active: Display the connection status with icons.
Status: The connection status.
Remote Gateway: The IP of remote gateway.
IPSEC Status (BiPAC 4500NZ only)
#: The IPSec entry index number.
Connection Name: User-defined IPSEC VPN connection name.
Remote Gateway: The IP of the remote gateway.
Local Address: The IP and netmask of local access range.
Remote address: The IP and netmask of remote access range.
Connected: Show the connecting status.
Rx/Tx: Display the upstream/downstream traffic per session in KB. The value clears when session disconnects.
Action: Connect or Drop the connection.
PPTP Status (BiPAC 4500NZ only)
PPTP Client
User: Four users (sessions) for client sessions. The user in use is shown here.
Connection Name: Show user-defined PPTP VPN connection name.
Active: Show if the tunnel is active for connection.
Connection Type: Remote Access or LAN to LAN.
Server IP: Show the IP of VPN Server.
Peer Network IP: Display the remote network (server side) and subnet mask in LAN to LAN PPTP connection.
Netmask: Show the netmask of peer network.
Connected: Show the connecting status.
PPTP Server
User: Four users (sessions) for server sessions. The user in use is shown here.
Connection Name: Show user-defined PPTP VPN connection name.
Active: Show if the tunnel is active for connection.
Connection Type: Remote Access or LAN to LAN.
Assigned IP: Show the IP assigned to the client by PPTP Server.
Peer Network IP: Display the remote (client side) network and subnet mask in LAN to LAN PPTP connection.
Netmask: Show the netmask of peer network.
Connected: Show the connecting status.
Refresh: Click this button to refresh the connection status.
L2TP Status (BiPAC 4500NZ only)
Name: Display the user-defined L2TP connection name.
Type: The VPN mode: dialin or dialout.
Connect: The connecting status.
Active: Show if the L2TP tunnel is active for connection.
Username: The user assigned to client (dialout use) or the user set for client to connect in (dialin use).
Disk Status
Partition: Display the USB storage partition.
Disk Space (KB): Display the total storage space of the NAS in Kbytes unit.
Free Space (KB): Display the available space in Kbytes unit.
Quick Start
This is a useful and easy utility to help you set up the router quickly and connect to your ISP (Internet Service Provider) in only a few steps. It will guide you step by step through setting up the time zone and WAN settings of your device. The Quick Start Wizard is a helpful guide for first-time users of the device.
For detailed instructions on configuring WAN settings, refer to the Interface Setup section.
Click NEXT to move on to Step 1.
Step 1 – Password
Set a new password for the “admin” account used to access router management. The default is “admin”.
Once changed, please use this new password the next time you access the router. Click NEXT to continue.
Step 2 – Time Zone
Choose your time zone. Click NEXT to continue.
Step 3 – Wireless
Set up your wireless connection if you want to connect to the Internet wirelessly on your PCs. Click NEXT to continue.
Step 4 – ISP Connection Type
Set up your Internet connection.
4.1 Select an appropriate WAN connection protocol then click NEXT to continue.
4.2 If 3G/4G-LTE is selected, input all relevant 3G/4G-LTE parameters from your ISP. Click NEXT to save changes.
4.2 If EWAN / PPPoE is selected, please enter the PPPoE account information provided by your ISP. Click NEXT to continue.
Step 5 – Quick Start Completed
The Setup Wizard has completed. Click on BACK to modify changes or mistakes. Click NEXT to save the current settings.
Step 6 – Quick Start Completed
Configuration
Click to access and configure the available features in the following: Interface Setup, Dual WAN, Advanced Setup, VPN, Access Management, and Maintenance.
These functions are described in the following sections.
Interface Setup
Here are the features under Interface Setup: Internet, LAN, Wireless and Wireless MAC Filter.
Internet
EWAN
Status: Select whether to enable the service.
IPv4/IPv6
IP Version: Choose IPv4, IPv4/IPv6, IPv6 based on your environment. If you don’t know which one to choose from, please choose IPv4/IPv6 instead.
ISP Connection Type:
ISP: Select the encapsulation type your ISP uses.
- Dynamic IP: Select this option if your ISP provides you an IP address automatically.
- Static IP: Select this option to set static IP information. You will need to enter the Connection type, IP address, subnet mask, and gateway address provided to you by your ISP. Each IP address entered in the fields must be in the appropriate IP form: an IP address is formed by four IP octets separated by dots (xx.xx.xx.xx). The Router will not accept the IP address if it is not in this format.
- PPPoE: Select this option if your ISP requires you to use a PPPoE connection.
- Bridge: Select this mode if you want to use this device as an OSI Layer 2 device like a switch.
802.1q Options
802.1q: When activated, please enter a VLAN ID.
VLAN ID: It is a parameter to specify the VLAN to which the frame belongs. Enter the VLAN ID identification, tagged: 0-4095.
PPPoE (If selected PPPoE as WAN Connection Type; otherwise, skip this part)
Username: Enter the user name provided by your ISP.
Password: Enter the password provided by your ISP.
Bridge Interface for PPPoE: When “Activated”, the device will gain a WAN IP from your ISP with the PPPoE account. If your PC is connected to the router as a DHCP client, the device acts as a NAT router in this mode. If you dial up with the account from within your PC, the device will then work as a bridge, forwarding the PPPoE information to the PPPoE server and sending the response to your PC, so your PC gets a WAN IP working on the internet.
Connection Setting
Connection:
- Always On: Click on Always On to establish a PPPoE session during start up and to automatically re-establish the PPPoE session when disconnected by the ISP.
- Connect Manually: Select Connect Manually when you don't want the connection up all the time.
TCP MSS Option: Enter the maximum size of the data that TCP can send in a segment, the Maximum Segment Size (MSS).
IP Options
Default Route: Select Yes to use this interface as default route interface.
TCP MTU Option: Enter the maximum packet that can be transmitted. Default MTU is set to 1492.
IPv4 Options
Get IP Address: Choose Static or Dynamic.
Static IP Address: If Static is selected in the above field, please enter the specific IP address you get from ISP and the following IP subnet mask and gateway address.
IP Subnet Mask: The default is 0.0.0.0. User can change it to other such as 255.255.255.0. Type the subnet mask assigned to you by your ISP (if given).
Gateway: Enter the specific gateway IP address you get from ISP.
NAT: Select Enable if you use this router to hold a group of PCs to get access to the internet.
Dynamic Route:
RIP Version: (Routing Information Protocol) Select this option to specify the RIP version, including RIP-1, RIP-2.
RIP Direction: Select this option to specify the RIP direction.
- None is for disabling the RIP function.
- Both means the router will periodically send routing information and accept routing information, then incorporate it into the routing table.
- IN only means the router will only accept but will not send RIP packets.
- OUT only means the router will only send but will not accept RIP packets.
TCP MTU Option: Maximum Transmission Unit, the maximum is 1500.
IGMP Proxy: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. Choose whether to enable IGMP proxy.
IPv6 options (only when choose IPv4/IPv6 or just IPv6 in IP version field above):
IPv6 Address: Type the WAN IPv6 address from your ISP.
Obtain IPv6 DNS: Choose if you want to obtain DNS automatically.
Primary/Secondary: If you choose Disable in the Obtain IPv6 DNS field, please type the exact primary and secondary DNS.
MLD Proxy: MLD (Multicast Listener Discovery Protocol) is to IPv6 just as IGMP is to IPv4. It is a Multicast Management protocol for IPv6 multicast packets.
When router’s Internet configuration is finished successfully, you can go to status to get the connection information.
3G/4G-LTE
Status: Choose Activated to enable the 3G/4G-LTE connection.
Network Mode: There are 8 options of service standards: “Automatic”, “UMTS 3G only”, “GSM 2G Only”, “UMTS 3G Preferred”, “GSM 2G Preferred”, “GSM and UMTS Only”, “LTE Only”, “GSM, UMTS, LTE”. If you are not sure which mode to use, you may select Automatic to auto detect the best mode for you.
TEL No.: The dial string to make a GPRS / 3G/4G-LTE user internetworking call. It may be provided by your mobile service provider.
Dual APN: BiPAC 6 can support up to two (2) APNs. Select Single or Dual.
APN: An APN is similar to a URL on the WWW; it is what the unit uses to make a GPRS / UMTS call. The service provider is able to attach anything to an APN to create a data connection, and requirements for APNs vary between different service providers. Most service providers have an internet portal which they use to connect to a DHCP Server, thus giving you access to the internet, i.e. some 3G operators use the APN ‘internet’ for their portal. The default value is “internet”.
Username/Password: Enter the username and password provided by your service provider. The username and password are case sensitive.
PIN: PIN stands for Personal Identification Number. A PIN code is a numeric value used in certain systems as a password to gain access and authenticate. In mobile phones a PIN code locks the SIM card until you enter the correct code. If you enter the PIN code incorrectly into the phone 3 times in a row, then the SIM card will be blocked and you will require a PUK code from your network/service provider.
Connection: Default set to Always on to keep an always-on 3G/4G-LTE connection.
Keep Alive: Select Yes to keep the 3G/4G-LTE connection always on.
Keep Alive IP: Enter the IP address which is used for “ping”. The router will ping the IP to find whether the connection is on or not; if not, the router will recover the connection.
Default Route: Select Yes to use this interface as default route interface.
NAT: Select this option to disable/enable the NAT (Network Address Translation) function. Enable NAT to grant multiple devices in the LAN access to the Internet through a single WAN IP.
LAN
A Local Area Network (LAN) is a shared communication system to which many computers are attached and is limited to the immediate area, usually the same building or floor of a building.
IPv4 Parameters
IP Address: Enter the IP address of Router in dotted decimal notation, for example, 192.168.1.254 (factory default).
IP Subnet Mask: The default is 255.255.255.0. User can change it to other such as 255.255.255.128.
Alias IP Address: This is for local networks virtual IP interface. Specify an IP address on this virtual interface.
Alias IP Subnet Mask: Specify a subnet mask on this virtual interface.
IGMP Snooping: Select Activated to enable IGMP Snooping function. Without IGMP snooping, multicast traffic is treated in the same manner as broadcast traffic - that is, it is forwarded to all ports. With IGMP snooping, multicast traffic of a group is only forwarded to ports that have members of that group.
Dynamic Route: Select the RIP version from RIP1 or RIP2.
DHCPv4 Server
DHCP (Dynamic Host Configuration Protocol) allows individual clients to obtain TCP/IP configuration at start-up from a server.
DHCPv4 Server:
- If set to Enabled, your BiPAC 4500NZ(L) can assign IP addresses, default gateway and DNS servers to the DHCP client.
- If set to Disabled, the DHCP server will be disabled.
- If set to Relay, the BiPAC 4500NZ(L) acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. Enter the IP address of the actual, remote DHCP server in the Remote DHCP Server field in this case.
When DHCP is used, the following items need to be set.
Start IP: This field specifies the first of the contiguous addresses in the IP address pool.
IP Pool Count: This field specifies the count of the IP address pool.
Lease Time: The current lease time of client.
DNS Relay: Select Automatically obtained or Manually set (if selected, please set the exact information).
Primary DNS Server: Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask.
Secondary DNS Server: Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask.
Fixed Host
In this field, users can map a specific IP (it must be in the DHCP IP pool) to a specific MAC, and this information is listed in the following table.
IP Address: Enter the specific IP. For example: 192.168.1.110.
MAC Address: Enter the corresponding MAC. For example: 00:0A:F7:45:6D:ED
When added, you can see the entries listed as shown below:
IPv6 parameters
The IPv6 address is composed of two parts: the prefix and the interface ID.
Interface Address / Prefix Length: Enter a static LAN IPv6 address. If you are not sure what to do with this field, please leave it empty, because if it contains false information it could result in LAN devices not being able to access other IPv6 devices. The router will apply the WAN’s prefix to the LAN side if the field is empty.
MLD Snooping: Similar to IGMP Snooping, but applicable for IPv6.
DHCPv6 Server
There are two methods to dynamically configure IPv6 addresses on hosts, Stateless and Stateful.
Stateless auto-configuration requires no manual configuration of hosts, minimal (if any) configuration of routers, and no additional servers. The stateless mechanism allows a host to generate its own addresses using a combination of locally available information (MAC address) and information (prefix) advertised by routers. Routers advertise prefixes that identify the subnet(s) associated with a link, while hosts generate an "interface identifier" that uniquely identifies an interface on a subnet. An address is formed by combining the two. When using stateless configuration, you needn’t configure anything on the client.
Stateful configuration, for example using DHCPv6 (which resembles its counterpart DHCP in IPv4): in the stateful auto configuration model, hosts obtain interface addresses and/or configuration information and parameters from a DHCPv6 server. The Server maintains a database that keeps track of which addresses have been assigned to which hosts.
DHCPv6 Server: Check whether to enable DHCPv6 server.
DHCPv6 Server Type: Select Stateless or Stateful. When DHCPv6 is enabled, this parameter is available.
- Stateless: If selected, the PCs in LAN are configured through RA mode, to obtain the prefix message and generate an address using a combination of locally available information (MAC address) and information (prefix) advertised by routers, but they can obtain such information like DNS from DHCPv6 Server.
- Stateful: If selected, the PCs in LAN will be configured like in IPv4 mode, thus obtain addresses and DNS information from DHCPv6 server.
Start interface ID: Enter the start interface ID. The IPv6 address is composed of two parts: the prefix and the interface ID. The interface ID is like the Host ID in IPv4.
End interface ID: Enter the end interface ID.
Leased Time (hour): The leased time, similar to leased time in DHCPv4, is a time limit assigned to clients. When it expires, the assigned ID will be recycled and reassigned.
Router Advertisement: Check to Enable or Disable the Issue Router Advertisement feature. This feature sends Router Advertisement messages periodically, which multicast the IPv6 Prefix information (similar to v4 network number 192.168.1.0) to all LAN devices if the field is enabled. We suggest enabling this field.
Wireless
This section introduces the wireless LAN and some basic configurations. Wireless LANs can be as complex as a number of computers with wireless LAN cards communicating through access points which bridge network traffic to the wired LAN.
Access Point Settings
Access Point: Default setting is set to Activated. If you want to close the wireless interface, select Deactivated.
AP MAC Address: The MAC address of wireless AP.
Wireless Mode: The default setting is 802.11b+g+n (Mixed mode). If you do not know or have both 11g and 11b devices in your network, then keep the default in mixed mode. From the drop-down menu, you can select 802.11g if you have only 11g card. If you have only 11b card, then select 802.11b and if you only have 802.11n then select 802.11n.
Channel: The range of radio frequencies used by IEEE 802.11b/g/n wireless devices is called a channel. There are Regulation Domains and Channel ID in this field. The Channel ID will be different based on Regulation Domains. Select a channel from the drop-down list box.
Beacon interval: The Beacon Interval value indicates the frequency interval of the beacon. Enter a value between 20 and 1000. A beacon is a packet broadcast by the Router to synchronize the wireless network.
RTS/CTS Threshold: The RTS (Request To Send) threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Enter a value between 1500 and 2347.
Fragmentation Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346, even number only.
DTIM Interval: This value, between 1 and 255, indicates the interval of the Delivery Traffic Indication Message (DTIM).
TX Power: The transmission power of the antennas, ranging from 1-100; the higher the value, the more powerful the transmission performance.
IGMP Snooping: Enable or disable the IGMP Snooping function for wireless. Without IGMP snooping, multicast traffic is treated in the same manner as broadcast traffic - that is, it is forwarded to all ports. With IGMP snooping, multicast traffic of a group is only forwarded to ports that have members of that group.
11n Settings
Channel Bandwidth: Select either 20 MHz, 40 MHz or 20/40 MHz for the channel bandwidth. The wider the Channel bandwidth the better the performance will be.
Guard Interval: Select either Auto or 800nsec for the guard interval. The guard interval is here to ensure that data transmissions do not interfere with each other. It also prevents propagation delays, echoing and reflections. The shorter the Guard Interval, the better the performance will be. We recommend users to select Auto.
MCS: There are options 0~15 and AUTO to select for the Modulation and Coding Scheme. We recommend users selecting AUTO.
SSID Settings
Available SSID: User can determine how many virtual SSIDs to be used. Default is 1, maximum is 4.
SSID Index: Select the number of SSIDs you want to use; up to 4 SSIDs are available in the list.
SSID: The SSID is the unique name of a wireless access point (AP) to be distinguished from another. For security purposes, change the default wlan-ap, which is already built in to the router’s wireless interface, to a unique ID name for the AP. Make sure your wireless clients have exactly the same SSID as the device, in order to get connected to your network.
Broadcast SSID: Select Yes to make the SSID visible so a station can obtain the SSID through passive scanning. Select No to hide the SSID so a station cannot obtain the SSID through passive scanning.
Clients Isolation: This parameter is to control access between two wireless clients. If you enable this function, then each of your wireless clients will not be able to communicate with the other.
SSID Activated: Select the time period during which the SSID is active. Default is always, which means the SSID will be active all the time without time control. See Time Schedule to set the timeslot to flexibly control when the SSID functions.
WPS Settings
WPS (Wi-Fi Protected Setup) feature is a standard protocol created by Wi-Fi Alliance. This feature greatly simplifies the steps needed to create a Wi-Fi network for a residential or an office setting. WPS supports 2 types of configuration methods which are commonly known among consumers: PIN Method & PBC Method.
Use WPS: Enable this feature by choosing the “YES” radio button.
WPS State: Display whether the WPS is configured or unconfigured.
WPS Mode: Select the mode in which to start WPS; choose between PIN Code and PBC (Push Button). Selecting PIN Code mode will require you to know the enrollee PIN code.
To further understand the two modes of configuration, please refer to the example of the Wi-Fi Protected Setup.
Security Settings
Security Type: You can disable or enable wireless security for protecting the wireless network. The default type of wireless security is OPEN, which allows all wireless stations to communicate with the access points without any data encryption. To prevent unauthorized wireless stations from accessing data transmitted over the network, the router offers secure data encryption, known as WEP and WPA. There are five alternatives to select from: WEP 64-bit, WEP 128-bit, WPA-PSK, WPA2-PSK, and Mixed WPA/WPA2-PSK. If you require high security for transmissions, please select WPA-PSK, WPA2-PSK or WPA/WPA2-PSK.
WEP
WEP Authentication Method: There are two methods of WEP authentication, Open System authentication (OPENWEB) and Shared Key authentication (SHAREDWEB). We suggest you select OPENWEB.
Key 1 to Key 4: Enter the key to encrypt wireless data. To allow encrypted data transmission, the WEP Encryption Key values on all wireless stations must be the same as the router. There are four keys for your selection. The input format is in HEX style; 5 and 13 HEX codes are required for 64-bit WEP and 128-bit WEP respectively.
If you chose WEP 64-bit, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F").
If you chose WEP 128-bit, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F").
You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Note: When you enable WPS function, this WEP function will be invalid. And if you select one of WEP-64Bits / WEP-128Bits, the following prompt box will appear to notify you.
WPA-PSK & WPA2-PSK
WPA Algorithms: TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption System) utilizes a stronger encryption method and incorporates Message Integrity Code (MIC) to provide protection against hackers.
Pre-Shared key: The key for network authentication. The input format should be 8-63 ASCII characters or 64 hexadecimal characters.
Key Renewal Interval: The time interval for changing the security key automatically between wireless client and AP.
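The key formats and defaults given in the Security Settings, WEP and WPA-PSK sections above, turned into a settings check as an added Python example (not part of the original manual or the router's own code). The settings dictionary, its key names and the finding labels are hypothetical; flagging TKIP is this example's own policy choice, not a statement from the manual.

```python
import string
from typing import Dict, List

# Values taken from the manual text.
DEFAULT_ADMIN_PASSWORD = "admin"
DEFAULT_SSID = "wlan-ap"
HIGH_SECURITY_TYPES = {"WPA-PSK", "WPA2-PSK", "Mixed WPA/WPA2-PSK"}
# Security type -> (ASCII characters, hexadecimal characters)
WEP_KEY_LENGTHS = {"WEP 64-bit": (5, 10), "WEP 128-bit": (13, 26)}


def _is_hex(text: str) -> bool:
    return len(text) > 0 and all(c in string.hexdigits for c in text)


def _is_ascii(text: str) -> bool:
    return all(0x20 <= ord(c) <= 0x7E for c in text)


def key_format_ok(security_type: str, key: str) -> bool:
    """Check a key against the input format the manual gives for its type."""
    if security_type in WEP_KEY_LENGTHS:
        n_ascii, n_hex = WEP_KEY_LENGTHS[security_type]
        return (len(key) == n_ascii and _is_ascii(key)) or (
            len(key) == n_hex and _is_hex(key))
    if security_type in HIGH_SECURITY_TYPES:
        return (8 <= len(key) <= 63 and _is_ascii(key)) or (
            len(key) == 64 and _is_hex(key))
    raise ValueError(f"no key format defined for {security_type!r}")


def audit_wireless(cfg: Dict[str, object]) -> List[str]:
    """Return finding labels (hypothetical names) for one settings snapshot."""
    findings = []
    sec = str(cfg["security_type"])
    if cfg.get("admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("default-admin-password")
    if cfg.get("ssid") == DEFAULT_SSID:
        findings.append("default-ssid")
    if sec == "OPEN":
        findings.append("no-encryption")   # the manual's default security type
        return findings
    if sec in WEP_KEY_LENGTHS:
        findings.append("wep-not-high-security")
        if cfg.get("wps_enabled"):
            # Manual: "When you enable WPS function, this WEP function
            # will be invalid."
            findings.append("wps-overrides-wep")
    if not key_format_ok(sec, str(cfg.get("key", ""))):
        findings.append("bad-key-format")
    if sec in HIGH_SECURITY_TYPES and cfg.get("wpa_algorithm") == "TKIP":
        findings.append("tkip")            # policy choice of this example
    return findings


# Constructed sample snapshots; passwords and keys are made up.
FACTORY_DEFAULT = {"admin_password": "admin", "ssid": "wlan-ap",
                   "security_type": "OPEN", "key": "", "wps_enabled": False}
LEGACY = {"admin_password": "constructed-Pass-1", "ssid": "office-2f",
          "security_type": "WEP 128-bit", "key": "abcde", "wps_enabled": True}
HARDENED = {"admin_password": "constructed-Pass-2", "ssid": "office-2f",
            "security_type": "WPA2-PSK", "wpa_algorithm": "AES",
            "key": "constructed-passphrase-42", "wps_enabled": False}

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT),
                      ("legacy", LEGACY), ("hardened", HARDENED)):
        print(f"{name}: {audit_wireless(cfg) or 'no findings'}")
```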
WDS Settings
WDS (Wireless distributed system) is a wireless access point mode that enables wireless link and communication with other access points. It is easy to install: just define the MAC of the connected peer AP.
WDS Mode: Select Activated to enable WDS feature and Deactivated to disable this feature.
MAC Address: Enter the AP MAC addresses (in XX:XX:XX:XX:XX:XX format) of the peer connected AP.
Wi-Fi Protected Setup (WPS) Example I:
PIN Method: Configure AP as Registrar
1. Jot down the client’s Pin (e.g. 04640776).
2. Enter the Enrollee (Client) PIN code and then press Start WPS.
3. Launch the wireless client’s WPS utility (e.g. Ralink Utility). Set the Config Mode as Enrollee, press the WPS button on the top bar, select the AP (e.g. Billion_AP) from the WPS AP List column. Then press the PIN button located on the middle left of the page to run the scan.
4. The client’s SSID and security setting will now be configured to match the SSID and security setting of the registrar (router).
Wi-Fi Protected Setup (WPS) Example II:
PIN Method: Configure AP as Enrollee
1. Jot down the WPS PIN (e.g. 03454435). Press Start WPS.
2. Launch the wireless client’s WPS utility (e.g. Ralink Utility). Set the Config Mode as Registrar. Enter the PIN number in the PIN Code column then choose the correct AP (e.g. Billion_AP) from the WPS AP List before pressing the PIN button to run the scan.
3. The router’s (AP’s) SSID and security setting will now be configured to match the SSID and security setting of the registrar (client).
4. To make sure that the setup is done correctly, cross-check that the SSID and the security setting of the registrar match the parameters found on both the Wireless Configuration and Wireless Security Configuration pages.
Wi-Fi Protected Setup (WPS) Example III:
PBC Method:
1. Select the PBC radio button, then press Start WPS.
2. Launch the wireless client’s WPS Utility (e.g. Ralink Utility). Set the Config Mode as Enrollee. Then press the WPS button and choose the correct AP (e.g. Billion_AP) from the WPS AP List section before pressing the PBC button to run the scan.
3. When the PBC button is pushed, a wireless communication will be established between your router and the PC. The client’s SSID and security setting will now be configured to match the SSID and security setting of the router.
Wireless MAC Filter
The MAC filter screen allows you to configure the router to give exclusive access to up to 8 devices (Allow Association) or exclude up to 8 devices from accessing the router (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:AA:BB:00:00:02.
You need to know the MAC address of the devices you wish to filter.
SSID Index: Select the targeted SSID you want the MAC filter rules to apply to.
Active: Select Activated to enable MAC address filtering.
Action: Define the filter action for the list of MAC addresses in the MAC address filter table.
Select Deny to block access to the AP; MAC addresses not listed will be allowed to access the router. Select Allow to permit access to the router; MAC addresses not listed will be denied access to the router.
MAC Address: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access, as specified in these address fields.
Dual WAN
Dual WAN is specially designed to offer users failover/failback.
Auto failover/failback ensures an always-on internet connection. Users can set a WAN1 (main WAN) and a WAN2 (backup WAN); when WAN1 fails, the router switches to WAN2, and when WAN1 is restored, it switches back to WAN1.
Load balance provides optimal bandwidth sharing for multiple PCs on your network, or allows maximum reliability with network redundancy. Load balance supported by BiPAC 7600NX(L) balances network bandwidth for network traffic through two WAN connections, ideal for small-to-medium businesses that require increased bandwidth, network scalability, and resilience for mission-critical network and internet applications.
General Setting
Select Failover to enable the failover/failback feature to keep WAN always on.
Failover
WAN Port Service Detection Policy
WAN1: Select “EWAN” or “3G/4G LTE” for WAN1 (the main WAN).
WAN2: Select “EWAN” for WAN2 as the backup port if you select “3G/4G LTE” as WAN1.
Keep Backup Interface Connected: Select whether to keep the backup WAN interface connected.
Connectivity Decision: Set how many probe failures trigger a switch to the backup port.
Probe Cycle: Set the time duration for the Probe Cycle to determine when the router will switch to the backup connection (backup port) once the main connection (main port) fails. For example, when set to 30 seconds, the probe will be conducted every 30 seconds.
Note:
1) The time set is for each probe cycle, but the decision to change to the backup port is determined by Probe Cycle multiplied by the Connectivity Decision amount (e.g. from the image above, it will be 30 seconds multiplied by 3 consecutive fails, after which the router will fail over to WAN2 (backup port)).
2) The failback setting follows the same decision policy as the failover. For example, according to the settings in the screenshot above, the connection probe will be carried out every 30 seconds, and when 3 consecutive probe successes are found, the router will fail back to WAN1 (main WAN).
Probe WAN 1: Choose the probe policy, to probe the gateway or a host (users decide themselves).
Gateway: It will send ping packets to the gateway of the WAN1 interface and wait for a response from it in every “Probe Cycle” to check the connectivity of the gateway of the WAN1 interface.
Host: It will send ping packets to a specific host and wait for a response in every “Probe Cycle”. The host must be an IP address.
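The decision policy in the Note above can be modelled as a small state machine. The following is an added example, not router firmware or Billion code; the class and function names and the probe history are constructed for illustration. It shows that isolated probe losses never trigger a switch and that the switch lands exactly Probe Cycle × Connectivity Decision seconds after a sustained failure begins.

```python
from dataclasses import dataclass


@dataclass
class FailoverMonitor:
    """Model of the documented failover/failback policy (illustration only)."""
    probe_cycle_s: int = 30          # "Probe Cycle", in seconds
    connectivity_decision: int = 3   # "Connectivity Decision", consecutive probes
    active: str = "WAN1"
    streak: int = 0                  # consecutive probes arguing for a switch

    def observe(self, wan1_probe_ok: bool) -> bool:
        """Feed one WAN1 probe result; return True if the active port changed."""
        # On WAN1 a failed probe argues for failover; on WAN2 a successful
        # WAN1 probe argues for failback. Any other result breaks the streak.
        if self.active == "WAN1":
            argues_for_switch = not wan1_probe_ok
        else:
            argues_for_switch = wan1_probe_ok
        self.streak = self.streak + 1 if argues_for_switch else 0
        if self.streak < self.connectivity_decision:
            return False
        self.active = "WAN2" if self.active == "WAN1" else "WAN1"
        self.streak = 0
        return True

    def decision_delay_s(self) -> int:
        """Seconds of sustained failure (or recovery) before a switch."""
        return self.probe_cycle_s * self.connectivity_decision


def simulate(probe_results, probe_cycle_s=30, connectivity_decision=3):
    """Replay WAN1 probe results; return [(seconds_elapsed, new_active_port)]."""
    monitor = FailoverMonitor(probe_cycle_s, connectivity_decision)
    switches = []
    for cycle, ok in enumerate(probe_results, start=1):
        if monitor.observe(ok):
            switches.append((cycle * probe_cycle_s, monitor.active))
    return switches


# Constructed probe history: a two-probe blip, a real outage, a recovery
# interrupted by one lost probe, then a stable recovery.
SAMPLE = [True, False, False, True, False, False, False,
          True, True, False, True, True, True]

if __name__ == "__main__":
    for seconds, port in simulate(SAMPLE):
        print(f"t={seconds:>4}s  active port is now {port}")
```

With the screenshot's values (30 seconds, 3 probes), an outage shorter than 90 seconds is never acted on, which is worth keeping in mind when choosing a probe host whose ping replies may be rate-limited.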
Advanced Setup
Advanced Setup provides advanced features including Firewall, Routing, NAT, Static DNS, QoS, Port Isolation and Time Schedule for advanced users.
Firewall
Your router includes a firewall for helping to prevent attacks from hackers. In addition to this, when using NAT (Network Address Translation) the router acts as a “natural” Internet firewall, since all PCs on your LAN use private IP addresses that cannot be directly accessed from the Internet.
Firewall: To automatically detect and block Denial of Service (DoS) attacks, such as Ping of Death, SYN Flood, Port Scan and Land Attack.
Enabled: It activates your firewall function.
Disabled: It disables the firewall function.
SPI: If you enable SPI, all traffic initiated from the WAN will be blocked, including DMZ, Virtual Server, and ACL WAN side.
Enabled: It activates your SPI function.
Disabled: It disables the SPI function.
Routing
This is the static route feature. It gives you the capability to control the routing of all the traffic across your network. With each routing rule created, the user can specifically assign the destination where the traffic will be routed to.
#: Item number.
Destination IP Address: IP address of the destination network.
Subnet Mask: The subnet mask of the destination network.
Gateway IP Address: IP address of the gateway or existing interface that this route uses.
Metric: It represents the cost of transmission for routing purposes. The number need not be precise, but it must be between 1 and 15.
Interface: Media/channel selected to append the route.
Edit: Edit the route; this icon is not shown for the system default route.
Drop: Drop the route; this icon is not shown for the system default route.
Add Route
Destination IP Address: This is the destination subnet IP address.
Destination Subnet Mask: The subnet mask of destination network.
Gateway IP Address/Interface: This is the gateway IP address or existing interface to which packets are to be forwarded.
Metric: It represents the cost of transmission for routing purposes. The number need not be precise, but it must be between 1 and 15.
NAT
The NAT (Network Address Translation) feature transforms a private IP into a public IP, allowing multiple users to access the internet through a single IP account, sharing the single IP address. NAT breaks the originally envisioned model of IP end-to-end connectivity across the internet, so NAT can cause problems where IPSec/PPTP encryption is applied or where some application layer protocols, such as SIP phones, are located behind a NAT. NAT also makes it difficult for systems behind a NAT to accept incoming communications.
In this section, “VPN Passthrough”, “SIP ALG”, “DMZ” and “Virtual Server” are provided to solve these nasty problems.
NAT Status: Enabled. It depends on the ISP Connection Type in Internet settings.
VPN Passthrough: VPN pass-through is a feature of routers which allows a VPN client on a private network to establish outbound VPNs unhindered.
SIP ALG: Enable the SIP ALG when the SIP phone needs ALG to pass through the NAT. Disable the SIP ALG when the SIP phone includes a NAT-Traversal algorithm.
Interface: Select to set DMZ/Virtual Server for “EWAN” or “3G/4G-LTE”.
Service Index: Associated with the EWAN interface, marking each EWAN service (0-7), to select which EWAN service the DMZ and Virtual Server are applied to.
Click DMZ or Virtual Server to move on to set the DMZ or Virtual Server parameters, which are presented in the following scenario.
DMZ
NOTE: This feature disables automatically if WAN connection is in BRIDGE mode.
The DMZ Host is a local computer exposed to the Internet. When a particular internal IP address is set as the DMZ Host, all incoming packets will be checked by the Firewall and NAT algorithms and then passed to the DMZ host, when a packet received does not use a port number used by any other Virtual Server entries.
DMZ for: Indicate the related WAN interface which allows the outside network to connect in and communicate.
DMZ:
Enabled: It activates your DMZ function.
Disabled: It disables the DMZ function.
DMZ Host IP Address: Give a static IP address to the DMZ Host when the Enabled radio button is checked. Be aware that this IP will be exposed to the WAN/Internet.
Select the Save button to apply your changes.
Virtual Server
NOTE: This feature disables automatically if WAN connection is in BRIDGE mode.
In TCP/IP networks, a port is a 16-bit number used to identify which application program (usually a server) incoming connections should be delivered to. Some ports have numbers that are pre-assigned to them by the IANA (the Internet Assigned Numbers Authority), and these are referred to as “well-known ports”. Servers follow the well-known port assignments so clients can locate them.
If you wish to run a server on your network that can be accessed from the WAN (i.e. from other machines on the Internet that are outside your local network), or any application that can accept incoming connections (e.g. Peer-to-peer/P2P software such as instant messaging applications and P2P file-sharing applications) and are using NAT (Network Address Translation), then you will usually need to configure your router to forward these incoming connection attempts using specific ports to the PC on your network running the application. You will also need to use port forwarding if you want to host an online game server.
The reason for this is that when using NAT, your publicly accessible IP address will be used by and point to your router, which then needs to deliver all traffic to the private IP addresses used by your PCs.
Please see the WAN configuration section of this manual for more information on NAT.
The device can be configured as a virtual server so that remote users accessing services such as Web or FTP services via the public (WAN) IP address can be automatically redirected to local servers in the LAN network. Depending on the requested service (TCP/UDP port number), the device redirects the external service request to the appropriate server within the LAN network.
Virtual Server for: Indicate the related WAN interface which allows outside network to connect in and communicate.
Protocol: Choose the application protocol.
Start / End Port Number: Enter a port or port range you want to forward (Example: Start / End: 1000 or Start: 1000, End: 2000). The starting port must be greater than zero (0) and the ending port must be the same as or larger than the starting port.
Local IP Address: Enter your server IP address in this field.
Start / End Port Number (Local): Enter the start / end port number of the local application (service).
Examples of well-known and registered port numbers are shown below. For further information, please see IANA’s website at http://www.iana.org/assignments/port-numbers
Well-known and Registered Ports
Port Number   Protocol    Description
21            TCP         FTP Control
22            TCP & UDP   SSH Remote Login Protocol
23            TCP         Telnet
25            TCP         SMTP (Simple Mail Transfer Protocol)
53            TCP & UDP   DNS (Domain Name Server)
69            UDP         TFTP (Trivial File Transfer Protocol)
80            TCP         World Wide Web HTTP
110           TCP         POP3 (Post Office Protocol Version 3)
443           TCP & UDP   HTTPS
1503          TCP         T.120
1720          TCP         H.323
7070          UDP         RealAudio
Using port forwarding does have security implications, as outside users will be able to connect to PCs on your network. For this reason you are advised to use specific Virtual Server entries just for the ports your application requires, instead of using DMZ, as doing so will result in all connection attempts from the WAN to your public IP reaching the DMZ PC specified.
Attention: If you have disabled the NAT option in the WAN-ISP section, the Virtual Server function will hence be invalid. If the DHCP server option is enabled, you have to be very careful in assigning the IP addresses of the virtual servers in order to avoid conflicts. The easiest way of configuring Virtual Servers is to manually assign a static IP address to each virtual server PC, with an address that does not fall into the range of IP addresses that are to be issued by the DHCP server. You can configure the virtual server IP address manually, but it must still be in the same subnet as the router.
Example: How to set up Port Forwarding for port 21 (FTP server)
Suppose you have an FTP server in your LAN network and want others to access it through the WAN.
Step 1: Assign a static IP to your local computer that is hosting the FTP server.
Step 2: Log in to the Gateway and go to Configuration / Advanced Setup / NAT / Virtual Server.
The FTP server uses the TCP protocol with port 21.
Enter ”21” as the Start and End Port Number. BiPAC 4500NZ(L) will accept port 21 requests from the WAN side.
Enter the static IP assigned to the local PC that is hosting the FTP server. Ex: 192.168.1.102
Enter ”21” as the Local Start and End Port Number. BiPAC 4500NZ(L) will forward port 21 requests from the WAN to the specific LAN PC (ex: 192.168.1.102) in the network.
Step 3: Click Save to save settings.
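The rules this section states for a Virtual Server entry (start port above zero, end port not below start, local IP in the router's subnet but outside the DHCP range, only the ports the application needs) can be checked before the entry is saved. The following is an added example, not part of the router or the manual; the /24 mask, the DHCP pool bounds, the 16-port width threshold and all function names are assumptions made for illustration.

```python
import ipaddress

# Services from the port table above that carry credentials and data in
# cleartext; exposing them to the WAN deserves a second look.
CLEARTEXT_PORTS = {21: "FTP Control", 23: "Telnet", 69: "TFTP"}


def check_virtual_server(rule, router_lan, dhcp_first, dhcp_last, max_span=16):
    """Return a list of finding codes for one Virtual Server entry.

    rule       -- dict with start_port, end_port, local_ip
    router_lan -- router LAN address with prefix, e.g. "192.168.1.254/24"
    dhcp_first, dhcp_last -- bounds of the DHCP pool (assumed values)
    max_span   -- widest port range accepted without a warning (assumption)
    """
    findings = []
    start, end = rule["start_port"], rule["end_port"]

    # Manual: start must be > 0 and end must be >= start.
    if not (0 < start <= end <= 65535):
        findings.append("invalid-port-range")
    else:
        # Manual: forward just the ports the application requires.
        if end - start + 1 > max_span:
            findings.append("wide-port-range")
        for port in sorted(CLEARTEXT_PORTS):
            if start <= port <= end:
                findings.append(f"cleartext-service:{port}")

    lan = ipaddress.ip_interface(router_lan)
    host = ipaddress.ip_address(rule["local_ip"])
    pool_lo = ipaddress.ip_address(dhcp_first)
    pool_hi = ipaddress.ip_address(dhcp_last)

    # Manual: the server must be in the router's subnet, with a static
    # address outside the range handed out by the DHCP server.
    if host not in lan.network:
        findings.append("local-ip-outside-router-subnet")
    elif pool_lo <= host <= pool_hi:
        findings.append("local-ip-inside-dhcp-pool")
    return findings


# The FTP entry from the example above, checked against a constructed
# DHCP pool of 192.168.1.100 - 192.168.1.199.
FTP_RULE = {"start_port": 21, "end_port": 21, "local_ip": "192.168.1.102"}
LAN = "192.168.1.254/24"
POOL = ("192.168.1.100", "192.168.1.199")

if __name__ == "__main__":
    for code in check_virtual_server(FTP_RULE, LAN, *POOL):
        print(code)
```

Against this constructed pool the manual's own FTP entry is flagged twice: the server address could be leased to another device, and FTP control traffic crosses the WAN unencrypted.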
Static DNS
The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.
An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com can be translated into the addresses 192.0.32.10 (IPv4).
Static DNS is a concept relative to Dynamic DNS; in a static DNS system, the mapped IP is static and does not change.
IP Address: The IP address you are going to give a specific domain name.
Domain Name: The friendly domain name for the IP address.
Press the Save button to apply your settings.
QoS
QoS helps you control the upload traffic of each application from LAN (Ethernet and/or Wireless) to WAN (Internet).
It provides features to control the quality of throughput for each application. This is useful when there are certain types of data you want to give higher priority to, such as voice data packets given higher priority than web data packets.
Click SETTING to add QoS rules (up to 16 QoS rules).
Rule Index: Index marking for each rule, up to a maximum of 16.
Active: Select whether to activate the rule.
Destination IPv4/IPv6: Set the IPv4/IPv6 address that you want to filter on the destination side.
Destination Subnet Mask / IPv6 Prefix: Specify the Destination Subnet Mask for IPv4 or prefix for IPv6.
Destination Port Range: Set the port range value that you want to filter on the destination side.
Source IPv4/IPv6 Address: Set the IP address value that you want to filter on the source side in IPv4 or IPv6.
Source Subnet Mask / IPv6 Prefix: Specify the Source Subnet Mask for IPv4 or prefix for IPv6.
Source Port Range: Set the port range value that you want to filter on the source side.
Protocol ID: Set the protocol ID type of packets that you want to filter (TCP, UDP, ICMP, and IGMP).
Priority: Select to prioritize the traffic which the rule categorizes, High or Low.
Port Isolation
Port isolation is a mechanism to allow or block devices on one port (meaning LAN1 - LAN3 and WLAN1 - WLAN4; multiple SSIDs must be enabled in the wireless section) from accessing devices on other ports. By default, all ports (LAN port and WLAN port) share one group, and devices on all these ports can access each other.
The most typical example is to isolate all ports from each other, as shown below. Each port has its own group; under this circumstance, devices connected to each port have no access to devices connected to other ports. This is a special example, and users can change the settings to determine which group each port belongs to.
Time Schedule
The Time Schedule supports up to 16 timeslots, which help you to manage your Internet connection.
In each time profile, you may schedule specific day(s), i.e. Monday through Sunday, to restrict or allow the usage of the Internet by users or applications. This Time Schedule correlates closely with the router’s time; since the router does not have a real time clock on board, it uses the Simple Network Time Protocol (SNTP) to get the current time from an SNTP server on the Internet.
Time Index: The rule index (0-15) for identifying each timeslot.
Name: User-defined identification for each time period.
Day of Week: Mon. to Sun. Specify the time interval for each timeslot from “Day of Week”. For example, the user can add a timeslot named “TimeSlot1” which features a period from 9:00 of Monday to 18:00 of Tuesday.
Another TimeSlot2 spanning from 09:00 to 18:00 of Friday
VPN (BiPAC 4500NZ only)
A Virtual Private Network (VPN) is a private network that interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. VPNs provide security through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to securely connect the branch offices of an organization to a head office network through the public Internet.
IPSEC Setting
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
A total of 8 IPSec tunnels can be added.
NAT Traversal: This directly enables use of the NAT-Traversal IPsec extension (NAT-T). NAT-T allows one or both peers to reside behind a NAT gateway (i.e., doing address- or port-translation).
Click Add New Connection to create IPSec connections.
VPN Connection Setting
Active: Select Yes to activate the tunnel.
Connection Name: A given name for the connection (e.g. “connection to office”).
Interface: Select the interface used for the IPSec connection; when you select the EWAN interface, the IPSec tunnel will transmit data via this interface to connect to the remote peer.
Remote Gateway IP: The WAN IP address of the remote VPN gateway that is to be connected, establishing a VPN tunnel.
Local Access Range: Set the IP address or subnet of the local network.
Single IP: The IP address of the local host, for establishing an IPSec connection between a security gateway and a host (network-to-host).
Subnet: The subnet of the local network, for establishing an IPSec tunnel between a pair of security gateways (network-to-network).
Remote Access Range: Set the IP address or subnet of the remote network.
Single IP: The IP address of the local host, for establishing an IPSec connection between a security gateway and a host (network-to-host). If the remote peer is a host, select Single Address.
Subnet: The subnet of the local network, for establishing an IPSec tunnel between a pair of security gateways (network-to-network). If the remote peer is a network, select Subnet.
IKE Mode: IKE, Internet Key Exchange, is the mechanism to negotiate and exchange parameters and keys between IPSec peers to establish security associations (SA). Select Main or Aggressive mode.
Pre-Shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
Local ID Type and Remote ID Type: When the mode of IKE is aggressive, Local and Remote peers can be identified by other IDs.
IDContent: Enter the name you want to identify in IDContent when the Local and Remote Type are Domain Name; enter the IP address you want to identify when the Local and Remote Type are IP addresses (IPv4 and IPv6 supported).
Encryption Algorithm: Select the encryption algorithm from the drop-down menu. There are several options: DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard; it uses 56 bits as an encryption method.
3DES: Stands for Triple Data Encryption Standard; it uses 168 (56*3) bits as an encryption method.
AES: Stands for Advanced Encryption Standard; you can use 128, 192 or 256 bits as the encryption method.
Authentication Algorithm: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transmission. There are 3 options: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1, SHA256). SHA1 is more resistant to brute-force attacks than MD5. However, it is slower.
MD5: A one-way hashing algorithm that produces a 128-bit hash.
SHA1: A one-way hashing algorithm that produces a 160-bit hash.
Diffie-Hellman Group: It is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). MODP stands for Modular Exponentiation Groups.
IPSec Proposal: Select the IPSec security method. There are two methods of verifying the authentication information, AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater security, so that data will be encrypted and the data origin authenticated; with AH, the data origin will only be authenticated but the data will not be encrypted.
Authentication Algorithm: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transmission. There are 3 options: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1, SHA256). SHA1 is more resistant to brute-force attacks than MD5. However, it is slower.
MD5: A one-way hashing algorithm that produces a 128-bit hash.
SHA1: A one-way hashing algorithm that produces a 160-bit hash.
Encryption Algorithm: Select the encryption algorithm from the drop-down menu. There are several options: DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard; it uses 56 bits as an encryption method.
3DES: Stands for Triple Data Encryption Standard; it uses 168 (56*3) bits as an encryption method.
AES: Stands for Advanced Encryption Standard; you can use 128, 192 or 256 bits as the encryption method.
SA Lifetime: Specify the number of minutes that a Security Association (SA) will stay active before new encryption and authentication keys are exchanged. There are two kinds of SAs, IKE and IPSec.
IKE negotiates and establishes SA on behalf of IPSec; an IKE SA is used by IKE.
Phase 1 (IKE): To issue an initial connection request for a new VPN tunnel. The range can be from 5 to 15,000 minutes, and the default is 480 minutes.
Phase 2 (IPSec): To negotiate and establish secure authentication. The range can be from 5 to 15,000 minutes, and the default is 60 minutes. A short SA time increases security by forcing the two parties to update the keys. However, every time the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected.
PING for Keep Alive:
None: The default setting is None. In this mode, the router does not detect whether the remote IPSec peer has been lost. It only follows the policy of Disconnection time after no traffic, under which the remote IPSec peer will be disconnected after the time you set in this function.
PING: This mode detects whether the remote IPSec peer has been lost by pinging the specified IP address.
DPD: Dead peer detection (DPD) is a keep-alive mechanism that enables the router to detect when the connection between the router and a remote IPSec peer has been lost. Please note that it must be enabled on both sides.
PING to the IP: The router can ping the remote PC with the specified IP address and alert when the connection fails. Once the alert message is received, the router will drop this tunnel connection. Re-establishing this connection is required. The default setting is 0.0.0.0, which disables the function.
Interval: This sets the time interval between pings for the PING to the IP function to monitor the connection status. The default interval setting is 10 seconds. The time interval can be set from 0 to 3600 seconds; 0 seconds disables the function.
Ping to the IP                          Interval (sec)   Ping to the IP Action
0.0.0.0                                 0                No
0.0.0.0                                 2000             No
xxx.xxx.xxx.xxx (A valid IP Address)    0                No
xxx.xxx.xxx.xxx (A valid IP Address)    2000             Yes, activate it in every 2000 second.
Disconnection Time after no traffic: It is the NO Response time clock. When the no-traffic period exceeds the Disconnection time set, the router will automatically halt the tunnel connection and re-establish it based on the Reconnection Time set. 180 seconds is the minimum time interval for this function.
Reconnection Time: It is the reconnecting time interval after NO TRAFFIC is initiated. 3 minutes is the minimum time interval for this function.
Click SAVE to submit the settings.
Examples: How to establish an IPSec Tunnel
1. LAN-to-LAN connection
Two BiPAC 4500NZs want to setup a secure IPSec VPN tunnel
Note: The IPSec Settings shall be consistent between the two routers.
Head Office Side:
Setup details:
Item  Function                                         Description
1     Connection Name: H-to-B                          Give a name for IPSec connection
2     Local Network
        Subnet                                         Select Subnet
        IP Address: 192.168.1.0                        Head Office network
        Netmask: 255.255.255.0
3     Secure Gateway Address (Hostname): 69.121.1.30   IP address of the Branch office router (on WAN side)
4     Remote Network
        Subnet                                         Select Subnet
        IP Address: 192.168.0.0                        Branch office network
        Netmask: 255.255.255.0
5     Proposal                                         Security Plan
        Method: ESP
        Authentication: MD5
        Encryption: 3DES
        Prefer Forward Security: MODP 1024(group2)
        Pre-shared Key: 123456
Branch Office Side:
Setup details: the same operation as done in Head Office side
Item  Function                                                Description
1     Connection Name: B-to-H                                 Give a name for IPSec connection
2     Local Network
        Subnet                                                Select Subnet
        IP Address: 192.168.0.0                               Branch Office network
        Netmask: 255.255.255.0
3     Remote Secure Gateway Address (Hostname): 69.121.1.3    IP address of the Head office router (on WAN side)
4     Remote Network
        Subnet                                                Select Subnet
        IP Address: 192.168.1.0                               Head office network
        Netmask: 255.255.255.0
5     Proposal                                                Security Plan
        Method: ESP
        Authentication: MD5
        Encryption: 3DES
        Prefer Forward Security: MODP 1024(group2)
        Pre-shared Key: 123456
2. Host to LAN
The router serves as the VPN server, and the host should install an IPSec client to connect to the head office through IPSec VPN.
Item  Function                                        Description
1     Connection Name: Host-to-Headoff                Give a name for IPSec connection
2     Local Network
        Subnet                                        Select Subnet
        IP Address: 192.168.1.0                       Head Office network
        Netmask: 255.255.255.0
3     Remote Secure Gateway (Hostname): 69.121.1.30   IP address of the Branch office router (on WAN side)
4     Remote Network
        Single Address: 69.121.1.30                   Host
5     Proposal                                        Security Plan
        Method: ESP
        Authentication: MD5
        Encryption: 3DES
        Prefer Forward Security: MODP 1024(group2)
        Pre-shared Key: 123456
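The proposal values used in the examples above (MD5, 3DES, MODP 1024, a six-digit pre-shared key) are among the weakest the settings page offers, so a tunnel profile is worth checking before deployment. The following is an added example, not Billion code; the function and dictionary names, the 2048-bit and 20-character thresholds, the "Main" IKE mode (the examples do not state one) and the whole comparison profile are assumptions, and the comparison values may not match the router's drop-down menus.

```python
import re

# Values from the LAN-to-LAN example above; ike_mode is assumed.
MANUAL_EXAMPLE = {
    "ike_mode": "Main",
    "proposal": "ESP",
    "authentication": "MD5",
    "encryption": "3DES",
    "dh_group": "MODP 1024(group2)",
    "pre_shared_key": "123456",
}

# Constructed comparison profile (values are illustrative assumptions).
HARDENED = {
    "ike_mode": "Main",
    "proposal": "ESP",
    "authentication": "SHA256",
    "encryption": "AES256",
    "dh_group": "MODP 2048(group14)",
    "pre_shared_key": "constructed-sample-PSK-q7Vx2mLr9TzK4h",
}

MIN_DH_BITS = 2048   # threshold chosen for this example
MIN_PSK_LEN = 20     # threshold chosen for this example


def audit_ipsec(conn):
    """Return [(severity, field, reason)] for weak IPSec tunnel settings."""
    findings = []

    if conn["ike_mode"].lower() == "aggressive":
        findings.append(("high", "ike_mode",
                         "aggressive mode sends a PSK-derived hash in the "
                         "clear, so a captured exchange allows offline guessing"))

    enc = conn["encryption"].upper()
    if enc == "DES":
        findings.append(("high", "encryption", "56-bit key is brute-forceable"))
    elif enc == "3DES":
        findings.append(("medium", "encryption",
                         "64-bit block cipher, deprecated; prefer AES"))

    auth = conn["authentication"].upper()
    if auth == "MD5":
        findings.append(("medium", "authentication",
                         "MD5 is deprecated; prefer SHA256"))
    elif auth == "SHA1":
        findings.append(("low", "authentication",
                         "SHA1 is being phased out; prefer SHA256"))

    # Pull the modulus size out of labels such as "MODP 1024(group2)".
    match = re.search(r"\d{3,5}", conn["dh_group"])
    bits = int(match.group()) if match else 0
    if bits < MIN_DH_BITS:
        findings.append(("high", "dh_group",
                         f"{bits}-bit MODP group is below {MIN_DH_BITS} bits"))

    if conn["proposal"].upper() == "AH":
        findings.append(("high", "proposal",
                         "AH authenticates but does not encrypt"))

    psk = conn["pre_shared_key"]
    if len(psk) < MIN_PSK_LEN or psk.isdigit() or psk.isalpha():
        findings.append(("high", "pre_shared_key",
                         "short or single-class key is guessable"))
    return findings


if __name__ == "__main__":
    for severity, field, reason in audit_ipsec(MANUAL_EXAMPLE):
        print(f"[{severity}] {field}: {reason}")
```

Because both routers must carry identical settings, running the same check on each side's profile also catches a mismatch before the tunnel fails to negotiate.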
PPTP Server
The Point-to-Point Tunneling Protocol (PPTP) is a Layer 2 tunneling protocol for implementing virtual private networks through an IP network. PPTP uses an enhanced GRE (Generic Routing Encapsulation) mechanism to provide a flow- and congestion-controlled encapsulated datagram service for carrying PPP packets.
In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, and Microsoft CHAP V1/V2. The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MSCHAPv1/v2.
Note: 4 sessions for Client and 4 sessions for Server respectively.
In the PPTP section, users can set the basic parameters (authentication, encryption, peer address, etc.) for the PPTP Server and then set the accounts; 4 accounts or connections can be set for the PPTP Server.
Enable: Select Yes to activate the PPTP Server, No to deactivate it.
WAN Interface: Select the exact WAN interface configured for the tunnel. Select Default to use the now-working WAN interface for the tunnel.
Auth. Type: The authentication type, Pap or Chap, and MPPE 128bit Encryption. When using PAP, the password is sent unencrypted, whilst CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that an intruder has not replaced the client. When authentication with MS-CHAPv2 has passed, MPPE encryption is supported.
MS-DNS: Directly set the IP of the DNS server or let 192.168.1.254 (the router by default) be the MS-DNS server.
User select: 4 sessions for server by default; user1 stands for the first session, and so does user2, etc.
Connection Name: User-defined name for the PPTP connection.
Active: Select Enable to activate the account. The PPTP server waits for the client to connect to this account.
Username: Please input the username for this account.
Password: Please input the password for this account.
Connection Type: Select Remote Access for a single user; select LAN to LAN for a remote gateway.
Private IP Address Assigned to Dialin user: Specify the private IP address to be assigned to dial-in clients; the IP should be in the same subnet as the local LAN, but not occupied.
Peer Network IP: Please input the subnet IP for the remote network.
Peer Netmask: Please input the Netmask for the remote network.
PPTP Client
The PPTP client can help you dial in to the PPTP server to establish a PPTP tunnel over the Internet. A total of 4 sessions can be created for the PPTP client.
User select: 4 sessions for client connection by default; user1 stands for the first session, and so does user2, etc.
Connection Name: User-defined name for identification.
Auth. Type: The authentication type, Pap or Chap, and MPPE 128bit Encryption. When using PAP, the password is sent unencrypted, whilst CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that an intruder has not replaced the client. When authentication with MS-CHAPv2 has passed, MPPE encryption is supported. Set the same authentication type as set on the server side.
Active: Select Yes to enable the connection to the VPN server.
Username: Enter the username provided by your VPN Server.
Password: Enter the password provided by your VPN Server.
Connection Type: Select Remote Access for a single user; select LAN to LAN for a remote gateway.
PPTP Server Address: Enter the WAN IP address of the PPTP server.
Peer Network IP: Please input the subnet IP for the server peer.
Peer Netmask: Please input the Netmask for the server peer.
Click the SET button to save your changes.
Example: PPTP Remote Access with Windows7
(Note: inside test with 172.16.1.233, just an example for illustration)
Server Side:
1. Please move to Configuration > PPTP Server, Enable the PPTP Server and add an account as “test”. The exact setting can be found in the screenshot shown below.
Client Side:
1. In Windows7 click Start > Control Panel> Network and Sharing Center, Click Set up a new connection or network.
2. Click Connect to a workplace, and press Next.
3. Select Use my Internet connection (VPN) and press Next.
4. Input Internet address and Destination name for this connection and press Next.
5. Input the account (user name and password) and press Create.