G.1 Overview
G.2 What is Quality of Service?
G.3 How Does QoS Work?
G.4 Who Needs QoS?
G.4.1 Home Users
G.4.2 Office Users
Appendix H: Router Setup Examples
H.1 Outbound Fail Over
H.2 Outbound Load Balancing
H.3 Inbound Fail Over
H.4 DNS Inbound Fail Over
H.5 DNS Inbound Load Balancing
H.6 Dynamic DNS Inbound Load Balancing
H.7 VPN Configuration
H.7.1 LAN to LAN
H.7.2 Host to LAN
H.8 IPSec Fail Over (Gateway to Gateway)
H.9 VPN Concentrator
H.10 Protocol Binding
H.11 Intrusion Detection
H.12 PPTP Remote Access by Windows XP
H.13 PPTP Remote Access by BiGuard
Chapter 1: Introduction
1.1 Overview
Congratulations on purchasing BiGuard 30 Router from Billion. Combining a router
with an Ethernet network switch, BiGuard 30 is a state-of-the-art device that
provides everything you need to get your network connected to the Internet over
your Cable or DSL connection quickly and easily. The Quick Start Wizard and DHCP
Server will get first-time users up and running with minimal fuss and configuration,
while sophisticated Quality of Service (QoS) and Load Balancing features grant
advanced users total control over their network and Internet connection.
This manual illustrates the many features and functions of BiGuard 30, and even
takes you through the various ways you can apply this versatile device to your home
or office. Take the time now to familiarize yourself with BiGuard 30.
1.2 Product Highlights
1.2.1 Increased Bandwidth, Scalability and Resilience
With integrated Dual WAN ports, BiGuard 30 combines two broadband lines such as
DSL or Cable into one Internet connection, providing optimal bandwidth sharing for
multiple PCs on your network, or allowing maximum reliability with network
redundancy. Load Balancing enables BiGuard 30 to efficiently balance network
traffic across two connections, ideal for small-to-medium businesses that require
increased bandwidth, network scalability, and resilience for mission-critical network
and Internet applications. Auto failover can also be configured to ensure smooth,
continuous service should one connection fail, providing maximum business uptime
and productivity, plus uninterrupted service for you and your customers.
1.2.2 Virtual Private Network Support
BiGuard 30 supports comprehensive IPSec & PPTP VPN protocols for businesses to
establish private encrypted tunnels over the Internet to ensure data transmission
security among multiple sites, such as a branch office or dial-up connection.
IPSec VPN: up to 30 simultaneous IPSec VPN connections are possible on BiGuard 30,
with performance of up to 30Mbps.
PPTP VPN: up to 4 simultaneous PPTP VPN connections are possible on BiGuard 30,
with performance of up to 10Mbps.
1.2.3 Advanced Firewall Security
Aside from intelligent broadband sharing, BiGuard 30 offers integrated firewall
protection with advanced features to secure your network from outside attacks.
Stateful Packet Inspection (SPI) determines if a data packet is permitted to enter
the private LAN. Denial of Service (DoS) protection prevents hackers from interrupting
network services via malicious attacks. In addition, the BiGuard 30 firewall can be
configured to alert you via email should your network come under fire, offering both
tight network security and peace of mind.
1.2.4 Intelligent Bandwidth Management
BiGuard 30 utilizes Quality of Service (QoS) to give you full control over the priority
of both incoming and outgoing data, ensuring that critical data such as customer
information moves through your network, even while under a heavy load.
Transmission speeds can be throttled to make sure users are not saturating
bandwidth required for mission-critical data transfers. Priority types of upload data
can also be changed, allowing BiGuard 30 to automatically sort out actual speeds for
unmatched convenience.
1.3 Package Contents
BiGuard 30 iBusiness Security Gateway SMB
Bracket x 2 (for rack-mounting)
Screw x 4 (for rack-mounting)
Getting Started CD-ROM
Quick Start Guide
AC-DC Power Adapter (12VDC, 1A)
1.3.1 Front Panel
LED         Function
Power       A solid light indicates a steady connection to a power source.
Status      A blinking light indicates the device is writing to flash memory.
LAN 1 – 8   Lit when connected to an Ethernet device.
            10/100M: Lit green when connected at 100Mbps. Not lit when connected at 10Mbps.
            Link/ACT: Lit when device is connected. Blinking when data is transmitting/receiving.
WAN1        Lit when connected to an Ethernet device.
            10/100M: Lit green when connected at 100Mbps. Not lit when connected at 10Mbps.
            Link/ACT: Lit when device is connected. Blinking when data is transmitting/receiving.
WAN2        Lit when connected to an Ethernet device.
            10/100M: Lit green when connected at 100Mbps. Not lit when connected at 10Mbps.
            Link/ACT: Lit when device is connected. Blinking when data is transmitting/receiving.
1.3.2 Rear Panel
Port          Function
1  RESET      To reset the device and restore factory default settings, after the device
              is fully booted, press and hold RESET until the Status LED begins to blink.
2  WAN2       WAN2 10/100M Ethernet port (with auto crossover support); connect
              xDSL/Cable modem here.
3  WAN1       WAN1 10/100M Ethernet port (with auto crossover support); connect
              xDSL/Cable modem here.
4  LAN 1 — 8  Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the eight LAN
              ports when connecting a PC to the network.
5  DC12V      Connect DC Power Adapter here. (12VDC)
1.3.3 Rack Mounting
To rack mount BiGuard 30, carefully secure the device to your rack on both sides
using the included brackets and screws. See the diagram below for a more detailed
explanation.
1.3.4 Cabling
Most Ethernet networks currently use unshielded twisted pair (UTP) cabling. The
UTP cable contains eight conductors, arranged in four twisted pairs, and terminated
with an RJ45 type connector.
One of the most common causes of networking problems is bad cabling. Make sure
that all connected devices are turned on. On the front panel of BiGuard 30, verify
that the LAN link and WAN line LEDs are lit. If they are not, check to see that you are
using the proper cabling.
Chapter 2: Router Applications
2.1 Overview
Your BiGuard 30 router is a versatile device that can be configured to not only
protect your network from malicious attackers, but also ensure optimal usage of
available bandwidth with Quality of Service (QoS) and both Inbound and Outbound
Load Balancing. Alternatively, BiGuard 30 can also be set to redirect incoming and
outgoing network traffic with the Fail Over capability, ensuring minimal downtime
and increased reliability.
The following chapter describes how BiGuard 30 can work for you.
2.2 Bandwidth Management with QoS
Quality of Service (QoS) gives you full control over which types of outgoing data
traffic should be given priority by the router. By doing so, the router can ensure that
latency-sensitive applications like voice, bandwidth-consuming data like gaming
packets, or even mission critical files efficiently move through the router even under
a heavy load. You can throttle the speed at which different types of outgoing data
pass through the router. In addition, you can simply change the priority of different
types of upload data and let the router sort out the actual speeds.
2.2.1 QoS Technology
QoS generally involves the prioritization of network traffic. QoS is comprised of
three major components: Classifier, Meter, and Scheduler. Each of these
components has a distinct role in ensuring that incoming and outgoing data is
managed according to user specifications.
The Classifier analyses incoming packets and marks each one according to
configured parameters. The Meter communicates the drop priority to the Scheduler
and measures the temporal priorities of the output stream against configured
parameters. Finally, the Scheduler schedules each packet for transmission based on
information from both the Classifier and the Meter.
2.2.2 QoS Policies for Different Applications
By setting different QoS policies according to the applications you are running, you
can use BiGuard 30 to optimize the bandwidth that is being used on your network.
[Figure: QoS policies applied to VoIP, Normal PCs and a Restricted PC]
As illustrated in the diagram above, applications such as Voice over IP (VoIP) require
low network latencies to function properly. If bandwidth is being used by other
applications such as an FTP server, users using VoIP will experience network lag
and/or service interruptions during use. To avoid this scenario, this network has
assigned VoIP with a guaranteed bandwidth and higher priority to ensure smooth
communications. The FTP server, on the other hand, has been given a maximum
bandwidth cap to make sure that regular service to both VoIP and normal Internet
applications is uninterrupted.
2.2.3 Guaranteed / Maximum Bandwidth
Setting a Guaranteed Bandwidth ensures that a particular service receives a
minimum percentage of bandwidth. For example, you can configure BiGuard 30 to
reserve 10% of the available bandwidth for a particular computer on the network to
transfer files.
Alternatively you can set a Maximum Bandwidth to restrict a particular application
to a fixed percentage of the total throughput. Setting a Maximum Bandwidth of 20%
for a file sharing program will ensure that no more than 20% of the available
bandwidth will be used for file sharing.
2.2.4 Policy Based Traffic Shaping
Policy Based Traffic Shaping allows you to apply specific traffic policies across a
range of IP addresses or ports. This is particularly useful for assigning different
policies for different PCs on the network. Policy based traffic shaping lets you better
manage your bandwidth, providing reliable Internet and network service to your
organization.
2.2.5 Priority Bandwidth Utilization
Assigning priority to a certain service allows BiGuard 30 to give either a higher or
lower priority to traffic from this particular service. Assigning a higher priority to an
application ensures that it is processed ahead of applications with a lower priority
and vice versa.
2.2.6 Management by IP or MAC address
BiGuard 30 can also be configured to apply traffic policies based on a particular IP or
MAC address. This allows you to quickly assign different traffic policies to a specific
computer on the network.
2.2.7 DiffServ (DSCP Marking)
DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values.
Other interfaces can match traffic based on the DSCP markings. DSCP markings are
used to decide how packets should be treated, and are a useful tool for giving
precedence to varying types of data.
2.2.8 DSCP (Matching)
Like DSCP Marking, DSCP Matching applies to traffic in both directions (both inbound
rules and outbound rules have DSCP matching). DSCP matching is used to identify
traffic for the rule, in the same way that source IP and destination IP do. When this
option of the QoS rule is selected, the QoS rule will only be applied to packets whose
DSCP field in the IP header matches the criteria selected. These markings can be used
to identify traffic within the network.
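The sketch below illustrates what DSCP marking and matching do to the IPv4 header described in 2.2.7 and 2.2.8. It is an added example, not BiGuard firmware code; the function names, the rule dictionary layout and the sample header are assumptions made for the illustration.

```python
import ipaddress
import struct

DSCP = {"CS0": 0, "AF41": 34, "EF": 46}  # standard DiffServ code points

def checksum(header: bytes) -> int:
    """One's-complement IPv4 header checksum; the stored checksum field is skipped."""
    words = struct.unpack(f"!{len(header) // 2}H", header)
    total = sum(words) - words[5]          # word 5 holds the checksum field
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse(header: bytes) -> dict:
    """Extract the fields a QoS rule looks at from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated IPv4 header")
    stored = struct.unpack("!H", header[10:12])[0]
    return {
        "ihl": ihl,
        "dscp": header[1] >> 2,            # upper six bits of the old ToS byte
        "ecn": header[1] & 0x03,           # lower two bits are ECN, not DSCP
        "src": ipaddress.ip_address(header[12:16]),
        "dst": ipaddress.ip_address(header[16:20]),
        "checksum_ok": checksum(header[:ihl]) == stored,
    }

def mark(header: bytes, dscp: int) -> bytes:
    """DSCP marking: rewrite the six DSCP bits, keep ECN, redo the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = parse(header)["ihl"]
    out = bytearray(header)
    out[1] = (dscp << 2) | (header[1] & 0x03)
    out[10:12] = struct.pack("!H", checksum(bytes(out[:ihl])))
    return bytes(out)

def rule_matches(header: bytes, rule: dict) -> bool:
    """DSCP matching: a rule selects on source, destination and, optionally, DSCP."""
    p = parse(header)
    return (p["src"] in ipaddress.ip_network(rule.get("src", "0.0.0.0/0"))
            and p["dst"] in ipaddress.ip_network(rule.get("dst", "0.0.0.0/0"))
            and rule.get("dscp") in (None, p["dscp"]))

def sample_header() -> bytes:
    """Constructed header: UDP from 192.168.2.2 to 200.200.200.1, DSCP 0, ECN 1."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0x01, 40, 0x1C46, 0x4000, 64, 17, 0,
                      ipaddress.ip_address("192.168.2.2").packed,
                      ipaddress.ip_address("200.200.200.1").packed)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]
```

Because the sending host writes the DSCP field, a rule that matches on DSCP alone accepts whatever priority that host claims; pairing the DSCP match with a source address match keeps the higher priority limited to the machines you intend.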
2.3 Outbound Traffic
This section outlines some of the ways you can use BiGuard 30 to manage outbound
traffic.
2.3.1 Outbound Fail Over
Configuring BiGuard 30 for Outbound Fail Over allows you to ensure that outgoing
traffic is uninterrupted by having BiGuard 30 default to WAN2 should WAN1 fail.
[Figure: Outbound Fail Over. PC 1 (192.168.2.2) and PC 2 (192.168.2.3) connect to the ISPs through a 1st connection (230.100.100.1) and a 2nd connection (213.10.10.2).]
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_230.100.100.1) on BiGuard 30. Should
WAN1 fail, Outbound Fail Over tells BiGuard 30 to reroute outgoing traffic to WAN2
(IP_213.10.10.2). Configuring your BiGuard 30 for Outbound Fail Over provides a
more reliable connection for your outgoing traffic.
Please refer to appendix H for example settings.
2.3.2 Outbound Load Balancing
Outbound Load Balancing allows BiGuard 30 to intelligently manage outbound
traffic based on the amount of load of each WAN connection.
[Figure: Outbound Load Balancing. PCs 192.168.2.2 and 192.168.2.3 connect to the ISP through 230.100.100.1 and 213.10.10.2.]
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_230.100.100.1) and WAN2
(IP_213.10.10.2) on BiGuard 30. You can configure BiGuard 30 to balance the load
of each WAN port with one of two mechanisms:
1. Session (by session/by traffic/weight of link capability)
2. IP Hash (by traffic/weight of link capability)
The IP Hash mechanism will ensure that the traffic from the same source IP address
and destination IP address will go through the same WAN port. This is useful for
some server applications that need to identify the source IP address of the client.
By balancing the load between WAN1 and WAN2, your BiGuard 30 can ensure that
outbound traffic is efficiently handled by making sure that both ports are equally
sharing the load, preventing situations where one port is completely saturated by
outbound traffic.
Please refer to appendix H for example settings.
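The property the IP Hash mechanism provides (one source/destination pair always leaves through the same WAN port, with traffic split according to link weight) can be illustrated with weighted rendezvous hashing. This is an added example and not the algorithm BiGuard 30 itself uses, which the manual does not specify; the function names, the link table layout and the sample addresses are assumptions.

```python
import hashlib
import math

def unit_hash(key: str) -> float:
    """Map a key to a float strictly between 0 and 1, identical on every call."""
    n = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") >> 12
    return (n + 0.5) / 2**52

def pick_wan(src: str, dst: str, links: dict) -> str:
    """Choose the WAN port for a (source IP, destination IP) pair.

    links maps a port name to {"weight": number, "up": bool}. Every live port
    gets a score derived from the hash of (port, src, dst); the highest score
    wins, so a pair keeps its port for as long as that port stays up.
    """
    live = {name: l for name, l in links.items() if l["up"] and l["weight"] > 0}
    if not live:
        raise RuntimeError("no WAN port is up")

    def score(name: str) -> float:
        # -weight / ln(h) makes the win probability proportional to the weight
        return -live[name]["weight"] / math.log(unit_hash(f"{name}|{src}|{dst}"))

    return max(live, key=score)

def sample_pairs(n: int):
    """Constructed (source, destination) address pairs for the demonstration."""
    return [(f"192.168.2.{2 + i % 250}", f"198.51.{i // 250}.{i % 250}")
            for i in range(n)]

def wan1_share(links: dict, n: int = 2000) -> float:
    """Fraction of the constructed pairs that are sent out through WAN1."""
    return sum(pick_wan(s, d, links) == "WAN1" for s, d in sample_pairs(n)) / n

if __name__ == "__main__":
    links = {"WAN1": {"weight": 3, "up": True}, "WAN2": {"weight": 1, "up": True}}
    print("WAN1 share with weights 3:1:", wan1_share(links))
    links["WAN1"]["up"] = False
    print("WAN1 share after WAN1 fails:", wan1_share(links))
```

Session-based balancing can send two connections from the same client through different WAN addresses, which is why servers that tie a login or session to the client's source IP work better with the IP Hash mechanism.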
2.4 Inbound Traffic
Learn how BiGuard 30 can handle inbound traffic in the following section.
2.4.1 Inbound Fail Over
Configuring BiGuard 30 for Inbound Fail Over allows you to ensure that incoming
traffic is uninterrupted by having BiGuard 30 default to WAN2 should WAN1 fail.
[Figure: Inbound Fail Over, before and after fail over. Remote access from the Internet to ftp.billion.dyndns.org reaches the FTP server (192.168.2.2) and the HTTP server (192.168.2.3).]
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server
(IP_192.168.2.3) are connected to the Internet via WAN1 (ftp.billion.dyndns.org)
on BiGuard 30. A remote computer is trying to access these servers via the Internet.
Under normal circumstances, the remote computer will gain access to the network
via WAN1. Should WAN1 fail, Inbound Fail Over tells BiGuard 30 to reroute incoming
traffic to WAN2 by using the Dynamic DNS mechanism. Configuring your BiGuard 30
for Inbound Fail Over provides a more reliable connection for your incoming traffic.
based on the amount of load of each WAN connection.
[Figure: Inbound Load Balancing. Remote access from the Internet reaches the FTP server (192.168.2.2) and the HTTP server (192.168.2.3) through www.billion2.dyndns.org and www.billion3.dyndns.org.]
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server
(IP_192.168.2.3) are connected to the Internet via WAN1
(www.billion2.dyndns.org) and WAN2 (www.billion3.dyndns.org) on BiGuard 30.
Remote PCs are attempting to access the servers via the Internet. Using Inbound
Load Balancing, BiGuard 30 can direct incoming requests to the correct WAN port
based on group assignment. For example, a sales force can be directed to
www.billion2.dyndns.org, while the R&D group can access www.billion3.dyndns.org.
By balancing the load between WAN1 and WAN2, your BiGuard 30 can ensure that
inbound traffic is efficiently handled with both ports equally sharing the load,
preventing situations where service is slow because one port is completely
saturated by inbound traffic.
Please refer to appendix H for example settings.
2.5 DNS Inbound
Using DNS Inbound is a great way to intelligently direct network traffic.
DNS Inbound is a three-step process. First, a DNS request is made to the router by
a remote PC. BiGuard 30, based on settings specified by the user, will direct the
requesting PC to the correct WAN port by replying with the selected WAN IP address
through the built-in DNS server. The remote PC then accesses the network via the
specified WAN port. How BiGuard 30 directs this traffic through the built-in DNS
server depends on whether it is configured for Fail Over or Load Balancing.
Learn how to make DNS Inbound on BiGuard 30 work for you in the following
section.
2.5.1 DNS Inbound Fail Over
BiGuard 30 can be configured to reply with the WAN2 IP address to the DNS domain
name request should WAN1 fail.
[Figure: DNS Inbound Fail Over, before and after fail over. The built-in DNS answers requests for www.mydomain.com on behalf of the FTP server (192.168.2.2) and the HTTP server (192.168.2.3), using the 1st connection (200.200.200.1) and the 2nd connection (100.100.100.1); an Authoritative Domain Name Server is also shown.]
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server
(IP_192.168.2.3) are connected to the Internet via WAN1 (IP_200.200.200.1) on
BiGuard 30. A remote computer is trying to access these servers via the Internet,
and makes a DNS request. The DNS request (www.mydomain.com) will be sent
through WAN1 (200.200.200.1) to the built-in DNS server. The DNS server will reply
with 200.200.200.1 because this is the only active WAN port. Should WAN1 fail,
BiGuard 30 will instead reply with WAN2’s IP address (100.100.100.1), and the remote
PC will gain access to the network via WAN2. By configuring BiGuard 30 for DNS
Inbound Fail Over, incoming requests will enjoy increased reliability when accessing
your network.
Please refer to appendix H for example settings.
2.5.2 DNS Inbound Load Balancing
DNS Inbound Load Balancing allows BiGuard 30 to intelligently manage inbound
traffic based on the amount of load of each WAN connection by assigning the IP
address with the lowest traffic load to incoming requests.
[Figure: DNS Inbound Load Balancing, with one panel for heavy load on WAN 2 and one for heavy load on WAN 1. The built-in DNS replies to requests for www.mydomain.com with 200.200.200.1 or 100.100.100.1; the FTP server (192.168.2.2), the HTTP server (192.168.2.3) and an Authoritative Domain Name Server are also shown.]
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server
(IP_192.168.2.3) are connected to the Internet via WAN1 (IP_200.200.200.1) and
WAN2 (IP_100.100.100.1) on BiGuard 30. Remote PCs are attempting to access the
servers via the Internet by making a DNS request, entering a URL
(www.mydomain.com). Using a load balancing algorithm, BiGuard 30 can direct
incoming requests to either WAN port based on the amount of load each WAN port
is currently experiencing. If WAN2 is experiencing a heavy load, BiGuard 30
responds to incoming DNS requests with WAN1. By balancing the load between
WAN1 and WAN2, your BiGuard 30 can ensure that inbound traffic is efficiently
handled, making sure that both ports are equally sharing the load and preventing
situations where service is slow because one port is completely saturated by
inbound traffic.
Please refer to appendix H for example settings.
A typical scenario of how traffic is directed with DNS Inbound Load Balancing is
illustrated below:
[Figure: DNS Inbound Load Balancing traffic flow, steps 1 to 11, showing the DNS Request, DNS Server, Bandwidth Monitor, DNS Reply, HTTP Request, URL Host Map, HTTP Server and HTTP Reply across WAN 1 and WAN 2.]
In the example above, the client is making a DNS request. The request is sent to the
DNS server of BiGuard 30 through WAN2 (1). WAN2 will route this request to the
embedded DNS server of BiGuard 30 (2). BiGuard 30 will analyze the bandwidth of
both WAN1 and WAN2 and decide which WAN IP to return in reply to the request (3).
After the decision is made, BiGuard 30 will route the DNS reply to the user through
WAN2 (4). The user will receive the DNS reply with the IP address of WAN1 (5). The
browser will initiate an HTTP request to the WAN1 IP address (6). The HTTP request
will be sent to BiGuard 30’s URL Host Map (7). The Host Map will then redirect the
HTTP request to the HTTP server (8). The HTTP server will reply (9). The URL Host Map
will route the packet through WAN1 to the user (10). Finally, the client will receive an
HTTP reply packet (11).
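The decision made in steps (2) to (4), and the fail over case from 2.5.1, can be illustrated with a small DNS responder that picks the least-loaded WAN port that is up and builds the A record reply. This is an added example, not BiGuard firmware code; the function names, the `load` figures and the 30-second TTL are assumptions chosen for the illustration.

```python
import ipaddress
import struct

def choose_wan_ip(wans):
    """Fail over and load balancing as one rule: least-loaded port that is up."""
    live = [w for w in wans if w["up"]]
    return min(live, key=lambda w: w["load"])["ip"] if live else None

def parse_query(msg: bytes):
    """Return (id, flags, lowercase name, qtype, qclass, raw question section)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, qdcount = struct.unpack("!3H", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!2H", msg[pos:pos + 4])
    return ident, flags, ".".join(labels), qtype, qclass, msg[12:pos + 4]

def build_reply(msg: bytes, zone: str, wans, ttl: int = 30) -> bytes:
    """Answer an A query for zone with the WAN IP chosen from current port state."""
    ident, flags, name, qtype, qclass, question = parse_query(msg)
    answer, rcode = b"", 0
    if name != zone.lower():
        rcode = 5                      # REFUSED: not a name this server answers for
    elif qtype == 1 and qclass == 1:   # A record, class IN
        ip = choose_wan_ip(wans)
        if ip is None:
            rcode = 2                  # SERVFAIL: no WAN port is up
        else:
            answer = (b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, ttl, 4)
                      + ipaddress.IPv4Address(ip).packed)
    out_flags = 0x8400 | (flags & 0x0100) | rcode   # QR + AA, RD copied from query
    header = struct.pack("!6H", ident, out_flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer

def make_query(name: str, ident: int = 0x1234) -> bytes:
    """Constructed sample input: a standard A/IN query for name."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!2H", 1, 1))

def answered_ip(reply: bytes):
    """IP in the single A answer of a reply built above, or None if there is none."""
    ancount = struct.unpack("!H", reply[6:8])[0]
    return str(ipaddress.IPv4Address(reply[-4:])) if ancount == 1 else None
```

Remote resolvers cache the answer for the TTL, so after WAN1 fails clients keep trying the old address until the record expires; a short TTL shortens that window at the cost of more DNS queries.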
2.6 Virtual Private Networking
A Virtual Private Network (VPN) enables you to send data between two computers
across a shared or public network in a manner that emulates the properties of a
point-to-point private link. As such, it is perfect for connecting branch offices to
headquarters across the Internet in a secure fashion.
The following section discusses Virtual Private Networking with BiGuard 30.
2.6.1 General VPN Setup
There are typically three different VPN scenarios. The first is a Gateway to
Gateway setup, where two remote gateways communicate over the Internet via a
secure tunnel.
[Figure: Gateway to Gateway. A secure tunnel links gateway 100.100.100.1 (LAN 192.168.2.x) and gateway 200.200.200.1 (LAN 192.168.3.x).]
The next type of VPN setup is the Gateway to Multiple Gateway setup, where one
gateway (Headquarters) is communicating with multiple gateways (Branch Offices)
over the Internet. As with all VPNs, data is kept secure with secure tunnels.
[Figure: Gateway to Multiple Gateway. Secure tunnels link gateway 100.100.100.1 (LAN 192.168.2.x) with gateways 200.200.200.1 (LAN 192.168.3.x) and 201.201.201.1 (LAN 192.168.4.x).]
The final type of VPN setup is the Client to Gateway. A good example of where this
can be applied is when a remote sales person accesses the corporate network over
a secure VPN tunnel.
[Figure: Client to Gateway. A secure tunnel links a BiGuard Client with the gateway (100.100.100.myID.dyndns.org, LAN 192.168.2.x).]
VPN provides a flexible, cost-efficient, and reliable way for companies of all sizes to
stay connected. One of the most important steps in setting up a VPN is proper