Billion Electric Company BIPAC 7402NX User Manual

Download

BiPAC 7402NX(L)

802.11n 3G/ADSL2+

(VPN) Firewall Router

User’s Manual

Last Revision Date: 28-05-2008

TTaabbllee ooff CCoonntteennttss

CHAPTER 1: INTRODUCTION ............................................................................................................. 3

INTRODUCTION TO YOUR ROUTER................................................................................................. 3

FEATURES .............................................................................................................................................. 3

CHAPTER 2: INSTALLING THE ROUTER ......................................................................................... 6

IMPORTANT NOTE FOR USING THIS ROUTER ............................................................................... 6

PACKAGE CONTENTS.......................................................................................................................... 6

THE FRONT LEDS ................................................................................................................................. 7

THE REAR PORTS.................................................................................................................................. 8

CABLING ................................................................................................................................................ 9

CHAPTER 3: BASIC INSTALLATION ................................................................................................ 10

CONNECTING YOUR ROUTER..........................................................................................................11

FACTORY DEFAULT SETTINGS........................................................................................................ 16

Web Interface (Username and Password) .......................................................................................... 16

Device LAN IP settings....................................................................................................................... 16

ISP setting in WAN site ....................................................................................................................... 16

DHCP server ...................................................................................................................................... 16

LAN and WAN Port Addresses............................................................................................................ 16

INFORMATION FROM YOUR ISP ..................................................................................................... 17

CONFIGURING WITH YOUR WEB BROWSER............................................................................... 18

CHAPTER 4: CONFIGURATION ......................................................................................................... 19

STATUS .................................................................................................................................................. 20

ADSL Status........................................................................................................................................ 20

3G Status............................................................................................................................................. 20

ARP Table ........................................................................................................................................... 21

DHCP Table........................................................................................................................................ 21

Routing Table...................................................................................................................................... 22

NAT Sessions ...................................................................................................................................... 23

UPnP Portmap ................................................................................................................................... 23

PPTP Status........................................................................................................................................ 23

IPSec Status ........................................................................................................................................ 24

L2TP Status......................................................................................................................................... 24

Email Status........................................................................................................................................ 25

Event Log............................................................................................................................................ 25

Error Log............................................................................................................................................ 25

Diagnostic........................................................................................................................................... 26

QUICK START ...................................................................................................................................... 26

CONFIGURATION................................................................................................................................ 29

LAN - Local Area Network ................................................................................................................. 29

Bridge Interface .............................................................................................................................. 29

Ethernet........................................................................................................................................... 30

IP Alias............................................................................................................................................ 31

Ethernet Client Filter ...................................................................................................................... 32

Wireless .......................................................................................................................................... 33

Wireless Security (Wireless Router only) ...................................................................................... 35

Wireless Client / MAC Address Filter............................................................................................ 37

WPS................................................................................................................................................ 38

Port Setting ..................................................................................................................................... 38

Table of Contents i

DHCP Server .................................................................................................................................. 39

WAN - Wide Area Network.................................................................................................................. 40

WAN Interface................................................................................................................................ 40

WAN Profile ................................................................................................................................... 42

ADSL Mode.................................................................................................................................... 48

System ................................................................................................................................................. 49

Time Zone....................................................................................................................................... 49

Remote Access................................................................................................................................ 50

Firmware Upgrade.......................................................................................................................... 50

Backup / Restore............................................................................................................................. 51

Restart Router................................................................................................................................. 52

User Management........................................................................................................................... 53

Firewall and Access Control .............................................................................................................. 54

General Settings.............................................................................................................................. 55

(Changed the format only.) ............................................................................................................. 56

Packet Filter.................................................................................................................................... 57

Intrusion Detection ......................................................................................................................... 64

URL Filter....................................................................................................................................... 67

IM / P2P Blocking .......................................................................................................................... 69

Firewall Log ................................................................................................................................... 70

VPN - Virtual Private Networks ......................................................................................................... 71

PPTP (Point-to-Point Tunneling Protocol) ..................................................................................... 71

IPSec (IP Security Protocol)........................................................................................................... 79

L2TP (Layer Two Tunneling Protocol) .......................................................................................... 88

QoS - Quality of Service ................................................................................................................... 100

Prioritization ................................................................................................................................. 100

Outbound IP Throttling (LAN to WAN)....................................................................................... 102

Inbound IP Throttling (WAN to LAN) ......................................................................................... 103

Virtual Server (known as Port Forwarding)..................................................................................... 109

Add Virtual Server .........................................................................................................................110

Edit DMZ Host ..............................................................................................................................111

Edit DMZ Host ..............................................................................................................................112

Edit One-to-One NAT (Network Address Translation) .................................................................113

Time Schedule....................................................................................................................................116

Configuration of Time Schedule ...................................................................................................117

Advanced ...........................................................................................................................................118

Static Route....................................................................................................................................118

Dynamic DNS ...............................................................................................................................119

Check Email ................................................................................................................................. 120

Device Management..................................................................................................................... 121

IGMP ............................................................................................................................................ 124

VLAN Bridge ............................................................................................................................... 124

LOGOUT.............................................................................................................................................. 125

CHAPTER 5: TROUBLESHOOTING ................................................................................................ 126

PROBLEMS STARTING UP THE ROUTER ..................................................................................... 126

PROBLEMS WITH THE WAN INTERFACE .................................................................................... 126

PROBLEMS WITH THE LAN INTERFACE ..................................................................................... 126

APPENDIX A: PRODUCT SUPPORT AND CONTACT INFORMATION .................................... 127

Table of Contents iii

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Chapter 1: Introduction

Introduction to your Router

Welcome to the BiPAC 7402NX(L) 802.11n 3G/ ADSL2+ (VPN) Firewall Router. The router is an “all-in-one” ADSL router, combining an ADSL modem, ADSL router and Ethernet network switch functionalities, providing everything you need to get the machines on your network connected to the Internet over your ADSL broadband connection. With features such as an ADSL Quick-Start wizard and DHCP Server, you can be online in no time at all and with a minimum of fuss and configuration, catering for first-time users to the guru requiring advanced features and control over their Internet connection and network.

Features

Express Internet Access

This router complies with worldwide ADSL standards. It supports downstream rates of up to 12/24 Mbps with ADSL2/2+, 8 Mbps with ADSL, and upstream rates of up to 1 Mbps. With this technology, users enjoy not only high-speed ADSL service but also broadband multimedia applications such as interactive gaming, video streaming and real-time audio much more quickly and easily than ever. In particular, by doubling the upstream data rate, the Annex M standard included in the BiPAC 7402NX model supports the latest ADSL2/2+ for higher upload speeds.

Virtual Private Network (VPN) (BiPAC 7402NX only)

It allows user to make a tunnel with a remote site directly to secure the data transmission among the connection. User can use embedded PPTP and L2TP client/server, IKE and IPSec which are supported by this router to make a VPN connection or users can run the PPTP client in PC and the router already provides IPSec and PPTP pass through function to establish a VPN connection if the user likes to run the PPTP client in his local computer.

802.11n Wireless AP with WPA Support With an integrated 802.11n Wireless Access Point in the router, the device delivers up to 6 times faster speeds and 3 times farther range than an 802.11b/g wireless network. It offers a quick yet easily accessible and mobile to the users among wired network, wireless network, broadband connection (ADSL). In addition to having a 300Mbps. data rate, it is also backward compatible with existing 802.11b/11g equipments. The supported features of Wireless Protected Access (WPA-PSK/ WPA2-PSK) and Wireless Encryption Protocol (WEP) enhance the security level of data protection and access control via Wireless LAN.

Fast Ethernet Switch

A 4-port 10/100/1000Mbps fast Ethernet switch is built in with automatic switching between MDI and MDI-X for 10Base-T, 100Base-TX and 1000Base-TX ports. An Ethernet straight or crossover cable can be used directly for auto detection.

Multi-Protocol to Establish a Connection

It supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM (bridged or routed), PPP over Ethernet (RFC 2516), and IPoA (RFC1577) to establish a connection with the ISP. The product also supports VC-based and LLC-based multiplexing.

Quick Installation Wizard

It supports a WEB GUI page to install this device quickly. With this wizard, end users can enter the information easily which they get from their ISP, then surf the Internet immediately.

Universal Plug and Play (UPnP) and UPnP NAT Traversal

Chapter 1: Introduction

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

This protocol is used to enable simple and robust connectivity among stand-alone devices and PCs from many different vendors. It makes network simple and affordable for users. UPnP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices. With this feature enabled, users can now connect to Net meeting or MSN Messenger seamlessly.

Network Address Translation (NAT)

Allows multi-users to access outside resources such as the Internet simultaneously with one IP address/one Internet access account. Many application layer gateway (ALG) are supported such as web browser, ICQ, FTP, Telnet, E-mail, News, Net2phone, Ping, NetMeeting, IP phone and others.

SOHO Firewall Security with DoS and SPI

Along with the built-in NAT natural firewall feature, the router also provides advanced hacker pattern-filtering protection. It can automatically detect and block Denial of Service (DoS) attacks. The router is built with Stateful Packet Inspection (SPI) to determine if a data packet is allowed through the firewall to the private LAN.

Domain Name System (DNS) Relay

It provides an easy way to map the domain name (a friendly name for users such as www.yahoo.com) and IP address. When a local machine sets its DNS server with this router’s IP address, every DNS conversion request packet from the PC to this router will be forwarded to the real DNS in the outside network.

Dynamic Domain Name System (DDNS)

The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname. This dynamic IP address is the WAN IP address. For example, to use the service, you must first apply for an account from a DDNS service like http://www.dyndns.org/. More than 5 DDNS servers are supported.

Quality of Service (QoS)

QoS gives you full control over which types of outgoing data traffic should be given priority by the router, ensuring important data like gaming packets, customer information, or management information move through the router ay lightning speed, even under heavy load. The QoS features are configurable by source IP address, destination IP address, protocol, and port. You can throttle the speed at which different types of outgoing data pass through the router, to ensure P2P users don’t saturate upload bandwidth, or office browsing doesn’t bring client web serving to a halt. In addition, or alternatively, you can simply change the priority of different types of upload data and let the router sort out the actual speeds.

Virtual Server (“port forwarding”)

Users can specify some services to be visible from outside users. The router can detect incoming service requests and forward either a single port or a range of ports to the specific local computer to handle it. For example, a user can assign a PC in the LAN acting as a WEB server inside and expose it to the outside network. Outside users can browse inside web servers directly while it is protected by NAT. A DMZ host setting is also provided to a local computer exposed to the outside network, Internet.

Rich Packet Filtering

Not only filters the packet based on IP address, but also based on Port numbers. It will filter packets from and to the Internet, and also provides a higher level of security control.

Dynamic Host Configuration Protocol (DHCP) Client and Server

In the WAN site, the DHCP client can get an IP address from the Internet Service Provider (ISP) automatically. In the LAN site, the DHCP server can allocate a range of client IP addresses and distribute them including IP address, subnet mask as well as DNS IP address to local computers. It provides an easy way to manage the local IP network.

Chapter 1: Introduction

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Static and RIP1/2 Routing

It has routing capability and supports easy static routing table or RIP1/2 routing protocol.

Simple Network Management Protocol (SNMP)

It is an easy way to remotely manage the router via SNMP.

Web based GUI

It supports web based GUI for configuration and management. It is user-friendly and comes with on-line help. It also supports remote management capability for remote users to configure and manage this product.

Firmware Upgradeable

Device can be upgraded to the latest firmware through the WEB based GUI.

Rich Management Interfaces

It supports flexible management interfaces with local console port, LAN port, and WAN port. Users can use terminal applications through the console port to configure and manage the device, or Telnet, WEB GUI, and SNMP through LAN or WAN ports to configure and manage the device.

Chapter 1: Introduction

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Do not use this router

under

high humidity or high temperatures.

Warning

Attention

Important note for using this router

Package Contents



 Do not use the same power source for this router as other

equipment.

 Do not open or repair the case by yourself. If this router is too

hot, turn off the power immediately and have it repaired at a qualified service center.

 Avoid using this product and all accessories outdoors.

 Place this router on a stable surface.



Only use the power adapter that comes with the package. Using a different voltage rating power adaptor may damage this router.

Chapter 2: Installing the Router

BiPAC 7402NX(L) 802.11n 3G/ ADSL2+ (VPN) Firewall Router

CD containing the on-line manual

RJ-11 ADSL/ telephone cable

Ethernet (CAT-5 LAN) cable

Three 2dbi detachable antennas

AC-DC power adapter (15V DC, 1.6A)

PS2-RS 232 console cable

Quick Start Guide

Splitter/ Micro-filter (Optional)

Chapter 2: Installing the router

The Front LEDs

2 4 5 6 3

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

1 Power

LAN Port

3 USB

4 Wireless

1X — 4X

(RJ-45 connector)

LED Meaning

Lit when power turns ON. Lit in red means the system is failed. To restart the device or connect Billion for searching support.

Lit when one of LAN ports connected to an Ethernet device. If the speed of transmission hits 1000Mbps light will appear Green; If the speed of transmission hits 100Mbps light will appear Orange. If the speed of transmission hits 10Mbps, light will not shine. Blinking when data is Transmitted / Received.

Lit when the device connected to a USB device. Flash when the device is sending/receiving data.

Lit green when the wireless connection is established. Flashes when the device is sending/receiving data.

5 DSL

6 Internet

Lit Green when the device is successfully connected to an ADSL DSLAM.(“line synch”).

Lit red when WAN port fails to get IP address. Lit green when WAN port gets IP address successfully.

Chapter 2: Installing the router

The Rear Ports

2 4 5 6 7 8 9

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Port

Antenna Connect the detachable antenna to this port.

DSL

LAN

1X — 4X (RJ-45 connector)

USB

5 Console

6 WPS

7 RESET

Connect the supplied RJ-11 (“telephone”) cable on this port when connecting to the ADSL/telephone network.

Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the LAN ports when connecting to a PC or an office/home network of 10Mbps, 100Mbps or 1000Mbps.

Connect the USB cable on this port.

Console port.

Push WPS button to trigger Wi-Fi Protected Setup function.

To be sure the device is being turned on  press RESET button for:

1-3 seconds: quick reset the device. 6 seconds above, and power off, power on the device:

restore to factory default settings. (Cannot login to the router or forgot your Username/Password. Press the button for more than 6 seconds).

Caution: After pressing the RESET button for more than 6 seconds, to be sure you power cycle the device again.

Power

Power Switch

Power ON/OFF switch

Connect the supplied power adapter to this jack.

Chapter 2: Installing the router

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Cabling

One of the most common causes of problems is the bad cabling or ADSL line(s). Make sure that all connected devices are turned on. On the front of the product is a bank of LEDs. Verify that the LAN Link and ADSL line LEDs are lit. If they are not, verify that you are using the proper cables.

Ensure that all other devices connected to the same telephone line as your router (e.g. telephones, fax machines, analogue modems) have a line filter connected between them and the wall socket (unless you are using a Central Splitter or Central Filter installed by a qualified and licensed electrician), and ensure that all line filters are correctly installed and the right way around. Missing line filters or line filters installed the wrong way around can cause problems with your ADSL connection, including causing frequent disconnections.

Chapter 2: Installing the router

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Any TCP/IP

capable workstation can be used to communicate with

Chapter 3: Basic Installation

The router can be configured with your web browser. A web browser is included as a standard application in the following operating systems: Linux, Mac OS, Windows 98/NT/2000/XP/Me, etc. The product provides an easy and user-friendly interface for configuration.

Please check your PC’s network components. The TCP/IP protocol stack and Ethernet network adapter must be installed. If not, please refer to your Windows-related or other operating system manuals.

There are ways to connect with the router, either through an external repeater hub to the router or directly connecting with PCs. However, to be sure PCs have an Ethernet interface installed properly prior to connecting to the router device. You ought to configure your PCs to obtain an IP address through a DHCP server or a fixed IP address that must be in the same subnet as the router. The default IP address of the router is 192.168.1.254 and the subnet mask is 255.255.255.0 (i.e. any attached PC must be in the same subnet, and have an IP address in the range of 192.168.1.1 to 192.168.1.253). The best and easiest way is to configure the PC to get an IP address automatically from the router using DHCP. If you encounter any problem accessing the router’s web interface it may also be advisable to uninstall any kind of software firewall on your PCs, as they can cause problems accessing the 192.168.1.254 IP address of the router. Users should make their own decisions on how to best protect their network.

Please follow the steps below for your PC’s network environment installation.

or through the router. To configure other types of workstations, please consult the manufacturer’s documentation.

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Connecting Your Router

1. Connect this router to a LAN (Local Area Network) and the ADSL/telephone (ADSL) network.

2. Power on the device.

3. Make sure the Power is lit steadily and that the LAN LED is lit.

4. Connect RJ-11 cable to LINE Port when connecting to the telephone wall jack.

5. Connect USB 2.0 cable.

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring PCs in Windows in Window XP

1. Go to Start / Control Panel (in Classic View). In the Control Panel, double-click Network Connections.

2. Double-click Local Area Connection. (See Figure 3.1)

3. In the LAN Area Connection Status window, click Properties. (See Figure 3.2)

4. Select Internet Protocol (TCP/IP) and click Properties. (See Figure 3.3)

5. Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons. (See Figure 3.4)

6. Click OK to finish the configuration.

Figure 3.1: LAN Area Connection

Figure 3.2: LAN Connection Status

Figure 3.3: TCP / IP

Figure 3.4: IP Address & DNS

Configuration

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring PCs in Windows 2000

Go to Start / Settings / Control Panel. In the Control Panel, double-click Network and Dial-up Connections.

Double-click Local Area (“LAN”) Connection. (See Figure

3.5)

In the LAN Area Connection Status window, click Properties. (See Figure 3.6)

Select Internet Protocol (TCP/IP) and click Properties. (See Figure 3.7)

Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons. (See Figure 3.8)

Click OK to finish the configuration.

Figure 3.5: LAN Area Connection

Figure 3.6: LAN Connection Status

Figure 3.7: TCP / IP

Figure 3.8: IP Address & DNS

Configuration

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring PC in Windows 95/98/ME

1. Go to Start / Settings / Control Panel. In the Control Panel, double-click Network and choose the Configuration tab.

2. Select TCP / IP -> NE2000 Compatible, or the name of any Network Interface Card (NIC) in your PC. (See Figure 3.9)

3. Click Properties.

4. Select the IP Address tab. In this page, click the Obtain an IP address automatically radio button. (See Figure 3.10)

5. Then select the DNS Configuration tab. (See Figure 3.11)

6. Select the Disable DNS radio button and click OK to finish

the configuration.

Figure 3.9: TCP / IP

Figure 3.10: IP Address

Figure 3.11: DNS Configuration

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring PC in Windows NT4.0

Go to Start / Settings / Control Panel. In the Control Panel, double-click Network and choose the Protocols tab.

Select TCP/IP Protocol and click Properties. (See Figure

3.12)

Select the Obtain an IP address from a DHCP server radio button and click OK. (See Figure 3.13)

Figure 3.12: TCP / IP

Figure 3.13: IP Address

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Attention

If you ever forget the

username/

password to login

to the

router

, you may

Attention

Factory Default Settings

Before configuring your, you need to know the following default settings.

Web Interface (Username and Password)

Username: admin

Password: admin

The default username and password are “admin” and “admin” respectively.

Device LAN IP settings

IP Address: 192.168.1.254

Subnet Mask: 255.255.255.0

press the RESET button up to 6 seconds to restore the factory default settings.

Caution: After pressing the RESET button for more than 6 seconds, to be sure you power

cycle the device again.

ISP setting in WAN site

PPPoE

DHCP server

DHCP server is enabled.

Start IP Address: 192.168.1.100

IP pool counts: 100

LAN and WAN Port Addresses

The parameters of LAN and WAN ports are pre-set in the factory. The default values are shown below.

LAN Port WAN Port

IP address

Subnet Mask

DHCP server function

IP addresses for distribution to PCs

192.168.1.254

255.255.255.0

Enabled

100 IP addresses continuing from

192.168.1.100 through 192.168.1.199

The PPPoE function is enabled to automatically get the WAN port configuration from the ISP.

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Information from your ISP

Before configuring this device, you have to check with your ISP (Internet Service Provider) to find out what kind of service is provided such as DHCP (Obtain an IP Address Automatically, Static IP (Fixed IP Address) and PPPoE.

Gather the information as illustrated in the following table and keep it for reference.

VPI/VCI, VC / LLC-based multiplexing, Username, Password, Service Name,

PPPoE(RFC2516)

PPPoA(RFC2684)

and Domain Name System (DNS) IP address (it can be automatically assigned by your ISP when you connect or be set manually).

VPI/VCI, VC / LLC-based multiplexing, Username, Password and Domain Name System (DNS) IP address (it can be automatically assigned by your ISP when you connect or be set manually).

MPoA(RFC1483/RF C2684)

IPoA(RFC1577)

Pure Bridge

VPI/VCI, VC / LLC-based multiplexing, IP address, Subnet mask, Gateway address, and Domain Name System (DNS) IP address (it is a fixed IP address).

VPI/VCI, VC / LLC-based multiplexing to use Bridged Mode.

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring with your Web Browser

Open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click “Go”, a user name and password window prompt will appear. The default username and password are “admin” and “admin” respectively. (See Figure 3.14)

Figure 3.14: User name & Password Prompt Window

Congratulations! You are now successfully logon to the Router!

Chapter 3: Basic Installation

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Chapter 4: Configuration

At the configuration homepage, the left navigation pane where bookmarks are provided links you directly to the desired setup page, including:

Status

- ADSL Status

- 3G Status

- ARP Table

- DHCP Table

- Routing Table

- NAT Sessions

- UPnP Portmap

- PPTP Status

- IPSec Status

- L2TP Status

- Email Status

- Event Log

- Error Log

- Diagnostic

Quick Start

Configuration

- LAN

- WAN

- System

- Firewall

- VPN

- QoS

- Virtual Server

- Time Schedule

- Advanced

Language (provides user interface in English and French languages)

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Status

ADSL Status

This section displays the ADSL overall status, which shows a number of helpful information such as DSP firmware version.

3G Status

This section displays the 3G Card’s overall status, which shows you a number of helpful information such as the current signal strength and statistics on current and total bytes transferred and received (Note: 3G card/modem does not come with the router).

Status: The current status of the 3G card.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Signal Strength: The signal strength bar indicates current 3G signal strength. Network Name: The network name that the device is connected to.

Card Name: The name of the 3G card.

Card Firmware: The current firmware for the 3G card. Current TX Bytes / Packets: The statistics of transmission, count for this call. Current RX Bytes / Packets: The statistics of receive, count for this call. Total TX Bytes / Packets: The statistics of transmission, count from system ready Total RX Bytes / Packets: The statistics of receive, count from system ready

ARP Table

This section displays the router’s ARP (Address Resolution Protocol) Table, which shows the mapping of Internet (IP) addresses to Ethernet (MAC) addresses. This is useful as a quick way of determining the MAC address of the network interface of your PCs to use with the router’s Firewall – MAC Address

Filter function. See the Firewall section of this manual for more information on this feature.

IP Address: A list of IP addresses of devices on your LAN (Local Area Network).

MAC Address: The MAC (Media Access Control) addresses for each device on your LAN.

Interface: The interface name (on the router) that this IP Address connects to.

Static: Static status of the ARP table entry:

 “no” for dynamically-generated ARP table entries.

 “yes” for static ARP table entries added by the user.

DHCP Table

Leased: The DHCP assigned IP addresses information.

Expired: The expired IP addresses information.

Permanent: The fixed host mapping information

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Leased Table

IP Address: The IP address that assigned to client.

MAC Address: The MAC address of client.

Client Host Name: The Host Name (Computer Name) of client.

Expiry: The current lease time of client.

Routing Table

Valid: It indicates a successful routing status.

Destination: The IP address of the destination network.

Netmask: The destination Netmask address.

Gateway/Interface: The IP address of the gateway or existing interface that this route will use.

Cost: The number of hops counted as the cost of the route.

RIP Routing Table

Destination: The IP address of the destination network.

Netmask: The destination Netmask address.

Gateway: The IP address of the gateway that this route will use.

Cost: The number of hops counted as the cost of the route.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

NAT Sessions

This section lists all current NAT sessions between interface of types external (WAN) and internal (LAN).

UPnP Portmap

The section lists all port-mapping established using UPnP (Universal Plug and Play. See Advanced section of this manual for more details on UPnP and the router’s UPnP configuration options.

PPTP Status

This shows details of your configured PPTP VPN Connections.

Name: The name you assigned to the particular PPTP connection in your VPN configuration.

Type: The type of connection (dial-in/dial-out).

Enable: Whether the connection is currently enabled.

Active: Whether the connection is currently active.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Tunnel Connected: Whether the VPN Tunnel is currently connected.

Call Connected: If the Call for this VPN entry is currently connected.

Encryption: The encryption type used for this VPN connection.

IPSec Status

This shows details of your configured IPSec VPN Connections.

Name: The name you assigned to the particular VPN entry.

Active: Whether the VPN Connection is currently Active.

Connection State: Whether the VPN is Connected or Disconnected.

Statistics: Statistics for this VPN Connection.

Local Subnet: The local IP Address or Subnet used.

Remote Subnet: The Subnet of the remote site.

Remote Gateway: The Remote Gateway IP address.

SA: The Security Association for this VPN entry.

L2TP Status

This shows details of your configured L2TP VPN Connections.

Name: The name you assigned to the particular L2TP connection in your VPN configuration.

Type: The type of connection (dial-in/dial-out).

Enable: Whether the connection is currently enabled.

Active: Whether the connection is currently active.

Tunnel Connected: Whether the VPN Tunnel is currently connected.

Call Connected: If the Call for this VPN entry is currently connected.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Encryption: The encryption type used for this VPN connection.

Email Status

Details and status for the Email Account you have configured the router to check. Please see the

Advanced section of this manual for details on this function.

Event Log

This page displays the router’s Event Log entries. Major events are logged to this window, such as when the router’s ADSL connection is disconnected, as well as Firewall events when you have enabled Intrusion or Blocking Logging in the Configuration – Firewall section of the interface. Please see the

Firewall section of this manual for more details on how to enable Firewall logging.

Error Log

Any errors encountered by the router (e.g. invalid names given to entries) are logged to this window.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Diagnostic

It tests the connection to computer(s) which is connected to LAN ports and also the WAN Internet connection. If PING www.google.com is shown FAIL and the rest is PASS, you ought to check your PC’s DNS settings is set correctly.

Quick Start

1. Click Quick Start. Select the connect mode you want. There are two options you can

choose, ADSL and 3G. Select ADSL from Connect Mode drop-down menu, and click Continue.

2. If your ADSL line is not ready, you need to check your ADSL line has been set or not.

3. If your ADSL line is ready, the screen appears ADSL Line is Ready. Choose Auto radio button and

click Apply. It will automatically scan the recommended mode for you. Manually mode makes you to set the ADSL line by manual.

(If you choose Manually, you will directly go to step 5.)

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

4. The list below has different mode applied for your choice. Choose 0/33/PPPoE(Recommended) and

click Apply.

5. Please enter “Username” and “Password” as supplied by your ISP(Internet Service Provider) and

click Apply to continue.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Profile Port: Select the connection mode. There are ADSL and 3G.

Encapsulation: Select the encapsulation mode. The default mode is PPPoE.

VPI/VCI: Enter the VPI and VCI information provided by your ISP.

Username:

Enter the username provided by your ISP.

Password: Enter the password provided by your ISP.

Service Name: This item is for identification purposes. If it is required, your ISP provides you the

information.

Authentication Protocol: Default is Auto. Your ISP advises on using Chap or Pap.

IP Address: Your WAN IP address. Leave this at 0.0.0.0 to obtain automatically an IP address

from your ISP.

6. Configure the Wireless LAN setting.

WLAN Service: Default setting is set to Enable. If you want to use wireless, 802.11n, 802.11g and 802.11b device in your network, you can select Enable. ESSID: The ESSID is the unique name of a wireless access point (AP) to be distinguished from

another. For security propose, change to a unique ID name to the AP which is already built-in to the router’s wireless interface. It is case sensitive and must not excess 32 characters. Make sure your wireless clients have exactly the ESSID as the device, in order to get connected to your network. ESSID Broadcast: It is function in which transmits its ESSID to the air so that when wireless client searches for a network, router can then be discovered and recognized. Default setting is Enable.

 Enable: When Enable is selected, you can allow anybody with a wireless client to be

able to locate the Access Point (AP) of your router.

 Disable: Select Disable if you do not want broadcast your ESSID. When select Disable,

no one will be able to locate the Access Point (AP) of your router.

Channel ID: Select the ID channel that you would like to use.

Security Mode: You can disable or enable with WPA or WEP for protecting wireless network.

The default mode of wireless security is Disable.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

7. Wait for the configuration.

If connection is successful the following image will be shown

Configuration

When you click this item, you get following sub-items to configure the ADSL router.

- LAN, WAN, System, Firewall, VPN, QoS, Virtual Server, Time Schedule and Advanced

These functions are described below in the following sections.

LAN - Local Area Network

Here are the items within the LAN section: Bridge Interface, Ethernet, IP Alias, Ethernet Client Filter,

Wireless, Wireless Security, Wireless Client Filter, WPS, Port Setting and DHCP Server.

Bridge Interface

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

You can setup member ports for each VLAN group under Bridge Interface section. From the example, two VLAN groups need to be created.

Ethernet: P1 and P2 (Port 1, 2).

Ethernet1: P3, P4 and Wireless (Port 3, 4, Wireless). Uncheck P3, P4 and Wireless from Ethernet VLAN port first.

Note: You should setup each VLAN group with caution. Each Bridge Interface is arranged in this order.

Bridge Interface VLAN Port (Always starts with)

ethernet P1 / P2 / P3 / P4 / Wireless ethernet1 P2 / P3 / P4 / Wireless ethernet2 P3 / P4 / Wireless ethernet3 P4 / Wireless ethernet4 Wireless

Management Interface: To specify which VLAN group has possibility to do device management, like doing web management.

Note: NAT/NAPT can be applied to management interface only

Ethernet

Primary IP Address

IP Address: The default IP on this router.

Subnet Mask: The default subnet mask on this router.

RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

IP Alias

This function creates multiple virtual IP interfaces on this router. It helps to connect two or more local networks to the ISP or remote node. In this case, an internal router is not required.

IP Address: Specify an IP address on this virtual interface.

SubNetmask: Specify a subnet mask on this virtual interface.

Security Interface: Specify the firewall setting on this virtual interface.

Internal: The network is behind NAT. All traffic will do network address translation when sending out to

Internet if NAT is enabled.

External: There is no NAT on this IP interface and connected to the Internet directly. Mostly it will be used when providing multiple public IP addresses by ISP. In this case, you can use public IP address in local network which gateway IP address point to the IP address on this interface.

DMZ: Specify this network to DMZ area. There is no NAT on this interface.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Ethernet Client Filter

The Ethernet Client Filter supports up to 16 Ethernet network machines that helps you to manage your network control to accept traffic from specific authorized machines or can restrict unwanted machine(s) to access your LAN.

There are no pre-define Ethernet MAC address filter rules; you can add the filter rules to meet your requirements.

Ethernet Client Filter: Default setting is set Disable.

 Allowed: check to authorize specific device accessing your LAN by insert the MAC Address in

the space provided or click . Make sure your PC’s MAC is listed.

 Blocked: check to prevent unwanted device accessing your LAN by insert the MAC Address in

the space provided or click . Make sure your PC’s MAC is not listed.

The maximum client is 16. The MAC addresses are 6 bytes long; they are presented only in hexadecimal characters. The number 0 - 9 and letters a - f are acceptable.

Note: Follow the MAC Address Format xx:xx:xx:xx:xx:xx. Semicolon ( : ) must be included.

Candidates: automatically detects devices connected to the router through the Ethernet. .

→ Active PC in LAN

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Active PC in LAN displays a list of individual Ethernet device’s IP Address & MAC Address which connecting to the router.

You can easily by checking the box next to the IP address to be blocked or allowed. Then, Add to insert to the Ethernet Client Filter table. The maximum Ethernet client is 16.

Wireless

Chapter 4: Configuration

Parameters

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

WLAN Service: Default setting is set to Enable. If you do not have any wireless,

and 802.11b

, device in your network, select Disable.

802.11n, 802.11g

Mode: The default setting is 802.11b+g+n (Mixed mode). If you do not know or have both 11g and 11n devices in your network, then keep the default in mixed mode. From the drop-down manual, you can select 802.11g if you have only 11g card. If you have only 11b card, then select 802.11b. If you have only 11n card, then select 802.11n.

ESSID: The ESSID is the unique name of a wireless access point (AP) to be distinguished from another. For security purpose, change the default wlan-ap to a unique ID name to the AP which is already built-in to the router’s wireless interface. It is case sensitive and must not excess 32 characters. Make sure your wireless clients have exactly the ESSID as the device, in order to get connected to your network.

Note: It is case sensitive and must not excess 32 characters.

ESSID Broadcast: It is function in which transmits its ESSID to the air so that when wireless client searches for a network, router can then be discovered and recognized. Default setting is Enabled.

 Disable: If you do not want broadcast your ESSID. Any client uses “any” wireless setting cannot discover the Access Point (AP) of your router.

 Enable: Any client that using the “any” setting can discover the Access Point (AP) in

Regulation Domain: There are seven Regulation Domains for you to choose from, including North

America (N.America), Europe, France, etc. The Channel ID will be different based on this setting.

Channel Wdith: Select either 20 MHz or 20/40 MHz for the channel bandwidth. The higher the bandwidth the better the performance will be.

Channel ID: Select the wireless connection ID channel that you would like to use.

Note: Wireless performance may degrade if select ID channel is already being occupied by other AP(s).

TX PowerLevel: It is a function that enhances the wireless transmitting signal strength. User may

adjust this power level from minimum 1 up to maximum 100.

Note: The Power Level maybe different in each access network user premises environment and choose the most suitable level for your network.

Connected: Representing in true or false. That it is the connection status between the system and the build-in wireless card.

AP MAC Address: It is a unique hardware address of the Access Point.

AP Firmware Version: The Access Point firmware version.

Wireless Distribution System (WDS)

It is a wireless access point mode that enables wireless link and communication with other access point. It is easy to be installed simply to define peer’s MAC address of the connected AP. WDS takes advantages of cost saving and flexibility which no extra wireless client device is required to bridge between two access points and extending an existing wired or wireless infrastructure network to create a larger network. It can connect up to 4 wireless APs for extending cover range at the same time.

In addition, WDS enhances its link connection security in WEP mode, WEP key encryption must be the same for both access points.

WDS Service: The default setting is Disabled. Check Enable radio button to activate this function.

1. Peer WDS MAC Address: It is the associated AP’s MAC Address. It is important that your peer’s AP

must include your MAC address in order to acknowledge and communicate with each other.

2. Peer WDS MAC Address: It is the second associated AP’s MAC Address.

3. Peer WDS MAC Address: It is the third associated AP’s MAC Address.

4. Peer WDS MAC Address: It is the fourth associated AP’s MAC Address.

Note: For MAC Address, Semicolon ( : ) must be included.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Wireless Security (Wireless Router only)

You can disable or enable with WPA or WEP for protecting wireless network. The default mode of wireless security is disabled.

WPA-PSK / WPA2-PSK

Security Mode: You can disable or enable with WPA or WEP for protecting wireless network. The default mode of wireless security is Disable.

WPA Algorithms: There are two types of the WPA-PSK, and WPA2-PSK. The WPA-PSK adapts the TKIP (Temporal Key Integrity Protocol) encrypted algorithms, which incorporates Message Integrity Code (MIC) to provide protection against hackers. The WPA2-PSK adapts CCMP (Cipher Block Chaining Message Authentication Code Protocol) of the AES (Advanced Encryption Security) algorithms.

WPA Shared Key: The key for network authentication. The input format is in character style and key size should be in the range between 8 and 63 characters.

Group Key Renewal: The period of renewal time for changing the security key automatically between wireless client and Access Point (AP). Default value is 600 seconds.

Chapter 4: Configuration

WEP

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

WEP Authentication:

the network, the router offers secure data encryption, known as WEP. If you require high security for transmissions, there are two options to select from: Open System, Share key.

WEP Encryption: To prevent unauthorized wireless stations from accessing data transmitted over the network, the router offers highly secure data encryption, known as WEP. If you require high security for transmissions, there are two alternatives to select from: WEP 64 and WEP 128. WEP 128 will offer increased security over WEP 64. The encryption can either be HEX or ASCII.

Passphrase: This is used to generate WEP keys automatically based upon the input string and a pre-defined algorithm in WEP64 or WEP128. You can input the same string in both the AP and Client card settings to generate the same WEP keys. Please note that you do not have to enter Key (1-4) as below when the Passphrase is enabled. Passphrase will convert an inputted string into the HEX format which will automatically fill the input space for Key 1 to Key 4.

Default Used WEP Key: Select the encryption key ID. There are 4 keys to choose from so that you will not have to re-create a key every time you decide to have it as something different. You can just have 4 sets of keys to rotate instead of jus having 1 key. Please refer to Key (1~4) below.

Key (1-4): Enter the key to encrypt wireless data this can be in ASCII or HEX depending on the WEP Encryption that you have selected above. To allow encrypted data transmission, the WEP Encryption Key values on all wireless stations must be the same as the router. There are four keys for your selection. The input format is in HEX (10 and 26 HEX codes) or ASCII style (5 and 13 ASCII codes) are required for WEP64 and WEP128 respectively no any separator is included.

To prevent unauthorized wireless stations from accessing data transmitted over

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Wireless Client / MAC Address Filter

The MAC Address supports up to 16 wireless network machines and helps you manage your network control to accept traffic from specific authorized machines or to restrict unwanted machine(s) to access your LAN.

There are no pre-define MAC Address filter rules; you can add the filter rules to meet your requirements.

Wireless Client Filter: Default setting is set to Disable.

 Allowed: To authorize specific device accessing your LAN by insert the MAC Address in the

space provided or click . Make sure your PC’s MAC is listed.

 Blocked: To prevent unwanted device accessing the LAN by insert the MAC Address in the

space provided or click . Make sure your PC’s MAC is not listed.

The maximum client is 16. The MAC addresses are 6 bytes long; they are presented only in hexadecimal characters. The number 0 - 9 and letters a - f are acceptable.

Note: Follow the MAC Address Format xx:xx:xx:xx:xx:xx. Semicolon ( : ) must be included.

Candidates: it automatically detects devices connected to the router through the Wireless. .

→

Associated Wireless Clients

Associate Wireless Client displays a list of individual wireless device’s MAC Address that currently connects to the router.

You can easily by checking the box next to the MAC address to be blocked or allowed. Then, Add to insert to the Wireless Client (MAC Address) Filter table. The maximum Wireless client is 16.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

WPS

WPS feature is follow Wi-Fi Alliance WPS standard and it easily set up security-enabled Wi-Fi networks in the home and small office environment. It reduces half the user steps to configure a network and supports two methods that are familiar to most consumers to configure a network and enable security.

Port Setting

This section allows you to configure the settings for the router’s Ethernet ports to solve some of the compatibility problems that may be encountered while connecting to the Internet, as well allowing users to tweak the performance of their network.

Port # Connection Type: There are Six options to choose from: Auto, 10M half-duplex, 10M full-duplex, 100M half-duplex, 100M full-duplex, 1000M full-duplex and Disable. Sometimes, there are Ethernet compatibility problems with legacy Ethernet devices, and you can configure different types to solve compatibility issues. The default is Auto, which users should keep unless there are specific problems with PCs not being able to access your LAN.

IPv4 TOS priority Control (Advanced users): TOS, Type of Services, is the 2nd octet of an IP packet. Bits 6-7 of this octet are reserved and bit 0-5 are used to specify the priority of the packet.

This feature uses bits 0-5 to classify the packet’s priority. If the packet is high priority, it will flow first and will not be constrained by the Rate Limit. Therefore, when this feature is enabled, the router’s Ethernet switch will check the 2 in the table (0 to 63), this packet will be treated as high priority.

octet of each IP packet. If the value in the TOS field matches the checked values

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

DHCP Server

You can disable or enable the DHCP (Dynamic Host Configuration Protocol) server or enable the router’s DHCP relay functions. The DHCP protocol allows your router to dynamically assign IP addresses to PCs on your network if they are configured to obtain IP addresses automatically.

To disable the router’s DHCP Server, check Disabled and click Next, then click Apply. When the DHCP Server is disabled you will need to manually assign a fixed IP address to each PCs on your network, and set the default gateway for each PCs to the IP address of the router (by default this is 192.168.1.254).

To configure the router’s DHCP Server, check DHCP Server and click Next. You can then configure parameters of the DHCP Server including the IP pool (starting IP address and ending IP address to be allocated to PCs on your network), lease time for each assigned IP address (the period of time the IP address assigned will be valid), DNS IP address and the gateway IP address. These details are sent to the DHCP client (i.e. your PC) when it requests an IP address from the DHCP server. Click Apply to enable this function. If you check “Use Router as a DNS Server”, the ADSL Router will perform the domain name lookup, find the IP address from the outside network automatically and forward it back to the requesting PC in the LAN (your Local Area Network).

If you check DHCP Relay Agent and click Next, then you will have to enter the IP address of the DHCP server which will assign an IP address back to the DHCP client in the LAN. Use this function only if advised to do so by your network administrator or ISP.

Click Apply to enable this function.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

WAN - Wide Area Network

WAN refers to your Wide Area Network connection, i.e. your router’s connection to your ISP and the Internet. Here are the items within the WAN section: WAN Interface, WAN Profile and ADSL Mode.

WAN Interface

The factory default has the Connection Mode as ADSL and the Protocol as PPPoE.

WAN Connection-ADSL Mode

Main Port: User can select either “ADSL” or “3G” mode. Failover / Failback: Set Enable to trigger ADSL / 3G failover / failback function ready.

Note: If 3G is set for main port, then there can be no option for failover/failback.

Backup Port: It links to backup port configuration page. It is necessary to configure it when

Failover/Failback be set.

Connectivity Decision: Set how many times of probing failed to switch backup port. Failover Probe Cycle: Set the time duration for the Failover Probe Cycle to determine when

the router will switch to the backup connection (backup port) once the main connection (main port) fails.

Note: The time set is for each probe cycle, but the decision to change to the backup port is

determined by Probe Cycle duration multiplied by connection Decision amount (e.g. From the image above it will be 12 seconds multiplied by 5 consecutive fails).

Failback Probe Cycle: Set the time duration for the Failback Probe Cycle to determine when the router will switch back to the main connection (main port) from the backup connection (backup port) once the main connection is communicating again.

Note: The time set is for each probe cycle, but the decision to change to the backup port is

determined by Probe Cycle duration multiplied by Connection Decision amount (e.g. From the image above it will be 3 seconds multiplied by 5 consecutive fails).

Detect Rule: Rule 1. ADSL Down Rule 2. Ping Fail

 No Ping: It will not send any ping packet to determine the connection. It means to disable

the ping fail detection.

 Ping Gateway: It will send ping packet to gateway and wait response from gateway in

every “Probe Cycle”.

 Ping Host: It will send ping packet to specific host and wait response in every “Probe

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Cycle”. The host must be an IP address.

WAN Connection-3G Mode

In the ADSL mode, as the ADSL is not available(failover/failback), it will turn to 3G mode for supporting WAN Connection. However, in the 3G Mode, the ADSL can not support WAN Connection when 3G Mode is unavailable (Note: 3G card/modem does not come with the router).

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

WAN Profile

PPPoE Connection

PPPoE (PPP over Ethernet) provides access control in a manner which is similar to dial-up services using PPP.

Profile Port: Select the profile port either ADSL or 3G.

Protocol:

Description: A given name for the connection.

VPI/VCI: Enter the information provided by your ISP.

ATM Class: The Quality of Service for ATM layer.

The ATM protocol will be used in the device.

Username: Enter the username provided by your ISP. You can input up to 128 alphanumeric characters (case sensitive). This is in the format of “username@ispname” instead of simply “username”.

Password: Enter the password provided by your ISP. You can input up to 128 alphanumeric characters (case sensitive). Service Name: This item is for identification purposes. If it is required, your ISP provides you the information. Maximum input is 15 alphanumeric characters.

NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through a single IP account, sharing the single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.

IP (0.0.0.0:Auto):

Your WAN IP address. Leave this at 0.0.0.0 to obtain automatically an IP

address from your ISP.

Auth. Protocol: Default is Auto. Your ISP should advises you on whether to use Chap or Pap.

Connection:

 Always on: If you want the router to establish a PPP session when starting up and to

automatically re-establish the PPP session when disconnected by the ISP.

 Connect on Demand: If you want to establish a PPP session only when there is a packet

requesting access to the Internet (i.e. when a program on your computer attempts to access the

Internet).

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Idle Timeout: Auto-disconnect the broadband firewall gateway when there is no activity on the line for a

predetermined period of time.

 Detail: You can define the destination port and packet type (TCP/UDP) without checking by

timer. It allows you to set which outgoing traffic will not trigger and reset the idle timer.

MTU: Maximum Transmission Unit. The size of the largest datagram (excluding media-specific headers) that IP will attempt to send through the interface.

RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function.

TCP MSS Clamp: This option helps to discover the optimal MTU size automatically. Default is enabled.

MAC Spoofing: This option is required by some service providers. You must fill in the MAC address that

specify by service provider when it is required. Default is disabled.

Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP addresses. DNS helps to find the IP address for the specific domain name. Check the checkbox to obtain DNS automatically.

Primary DNS: Enter the primary DNS.

Secondary DNS: Enter the secondary DNS

PPPoA Connection

Profile Port: Select the profile port either ADSL or 3G.

Protocol:

Description: A given name for the connection.

VPI/VCI: Enter the information provided by your ISP.

ATM Class: The Quality of Service for ATM layer.

The ATM protocol will be used in the device..

Username: Enter the username provided by your ISP. You can input up to 128 alphanumeric characters (case sensitive). This is in the format of “username@ispname” instead of simply “username”.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through

a single IP account, sharing the single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.

IP (0.0.0.0:Auto):

Your WAN IP address. Leave this at 0.0.0.0 to obtain automatically an IP

address from your ISP.

Auth. Protocol: Default is Auto. Your ISP should advises you on whether to use Chap or Pap.

Connection:

 Always on: If you want the router to establish a PPP session when starting up and to

automatically re-establish the PPP session when disconnected by the ISP.

 Connect on Demand: If you want to establish a PPP session only when there is a packet

requesting access to the Internet (i.e. when a program on your computer attempts to access the

Internet).

Idle Timeout: Auto-disconnect the broadband firewall gateway when there is no activity on the line for a predetermined period of time.

 Detail: You can define the destination port and packet type (TCP/UDP) without checking by

timer. It allows you to set which outgoing traffic will not trigger and reset the idle timer.

MTU: Maximum Transmission Unit. The size of the largest datagram (excluding media-specific headers) that IP will attempt to send through the interface.

RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function.

TCP MSS Clamp: This option helps to discover the optimal MTU size automatically. Default is enabled.

Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP

addresses. DNS helps to find the IP address for the specific domain name. Check the checkbox to obtain DNS automatically.

Primary DNS: Enter the primary DNS.

Secondary DNS: Enter the secondary DNS.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

MPoA Connection

Profile Port: Select the profile port either ADSL or 3G.

Protocol:

Description: A given name for the connection.

VPI/VCI: Enter the information provided by your ISP.

ATM Class: The Quality of Service for ATM layer.

NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through

a single IP account, sharing a single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.

The ATM protocol will be used in the device.

Encap. mode: Choose whether you want the packets in WAN interface as bridged packet or routed packet.

MTU: Maximum Transmission Unit. The size of the largest datagram (excluding media-specific headers) that IP will attempt to send through the interface.

IP (0.0.0.0:Auto):

Your WAN IP address. Leave this at 0.0.0.0 to obtain automatically an IP

address from your ISP.

Netmask: The default is 0.0.0.0. User can change it to other such as 255.255.255.128. Type the subnet mask assigned to you by your ISP (if given).

Gateway: Enter the IP address of the default gateway (if given).

RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function.

TCP MSS Clamp: This option helps to discover the optimal MTU size automatically. Default is enabled.

MAC Spoofing: This option is required by some service providers. You must fill in the MAC address that

specify by service provider when it is required. Default is disabled.

Primary DNS: Enter the primary DNS.

Secondary DNS: Enter the secondary DNS.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

IPoA Routed Connection

Profile Port: Select the profile port either ADSL or 3G.

Protocol:

Description: A given name for the connection.

VPI/VCI: Enter the information provided by your ISP.

ATM Class: The Quality of Service for ATM layer.

NAT: The NAT (Network Address Translation) feature allows multiple users to access the Internet through

a single IP account, sharing a single IP address. If users on your LAN have public IP addresses and can access the Internet directly, the NAT function can be disabled.

MTU: Maximum Transmission Unit. The size of the largest datagram (excluding media-specific headers) that IP will attempt to send through the interface.

IP (0.0.0.0:Auto):

The ATM protocol will be used in the device.

Your WAN IP address. Leave this at 0.0.0.0 to obtain automatically an IP

address from your ISP.

Netmask: The default is 0.0.0.0. User can change it to other such as 255.255.128. Type the subnet mask assigned to you by your ISP (if given).

Gateway: Enter the IP address of the default gateway (if given).

RIP: RIP v1, RIP v2, and RIP v2 Multicast. Check to enable RIP function.

TCP MSS Clamp: This option helps to discover the optimal MTU size automatically. Default is enabled.

Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP

addresses. DNS helps to find the IP address for the specific domain name. Check the checkbox to obtain DNS automatically.

Primary DNS: Enter the primary DNS.

Secondary DNS: Enter the secondary DNS.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Pure Bridge

Profile Port: Select the profile port either ADSL or 3G.

Protocol:

Description: A given name for this connection.

VPI/VCI: Enter the information provided by your ISP.

ATM Class: The Quality of Service for ATM layer.

The ATM protocol will be used in the device.

Encap. mode: Choose whether you want the packets in WAN interface as LLC bridged packet or VcMux bridged packet..

Acceptable Frame Type: Specify which kind of traffic goes through this connection, all traffic or only VLAN tagged.

Filter Type: Specify the type of ethernet filtering performed by the named bridge interface.

All Ip Pppoe

Obtain DNS: A Domain Name System (DNS) contains a mapping table for domain name and IP

addresses. DNS helps to find the IP address for the specific domain name. Check the checkbox to obtain DNS automatically.

Primary DNS: Enter the primary DNS.

Secondary DNS: Enter the secondary DNS.

Allows all types of ethernet packets through the port. Allows only IP/ARP types of ethernet packets through the port. Allows only PPPoE types of ethernet packets through the port.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

ADSL Mode

Connect Mode: This mode will automatically detect your ADSL line code, ADSL2+, ADSL2, AnnexM2 and AnnexM2+, ADSL, All. Please keep the factory setting unless ADSL is detected as the symptom

of synchronization problem. Modulation: It will automatically detect capability of your ADSL line mode. Please keep the factory

setting unless ADSL is detected as the symptom of synchronization problem. Profile Type: Please keep the factory settings unless ADSL is detected as the symptom of low link rate

or unstable problems. You may need to change the profile setting to reach the best ADSL line rate, it depends on the different DSLAM and location.

Activate Line: Aborting (false) your ADSL line and making it active (true) again for taking effect with setting of Connect Mode.

Coding Gain: It reduces router’s transmit power which will effect to router’s downstream performance. Higher the gain will increase the downstream rate but it sometimes causes unstable ADSL line. The configurable ADSL coding gain is from 0 dB to 7dB, or automatic.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

System

Here are the items within the System section: Time Zone, Remote Access, Firmware Upgrade,

Backup/Restore, Restart and User Management.

Time Zone

The router does not have a real time clock on board; instead, it uses the Simple Network Time Protocol (SNTP) to get the current time from an SNTP server outside your network. Choose your local time zone, click Enable and click the Apply button. After a successful connection to the Internet, the router will retrieve the correct local time from the SNTP server you have specified. If you prefer to specify an SNTP server other than those in the list, simply enter its IP address as shown above. Your ISP may provide an SNTP server for you to use.

Daylight Saving is also known as Summer Time Period. Many places in the world adapt it during summer time to move one hour of daylight from morning to the evening in local standard time. Check

Automatic box to auto set your local time.

Resync Period (in minutes) is the periodic interval the router will wait before it re-synchronizes the

router’s time with that of the specified SNTP server. In order to avoid unnecessarily increasing the load on your specified SNTP server you should keep the poll interval as high as possible – at the absolute minimum every few hours or even days.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Remote Access

To temporarily permit remote administration of the router (i.e. from outside your LAN), select a time period the router will permit remote access for and click Enable. You may change other configuration options for the web administration interface using Device Management options in the Advanced section of the GUI.

If you wish to permanently enable remote access, choose a time period of 0 minute.

Firmware Upgrade

Your router’s “firmware” is the software that allows it to operate and provides all its functionality. Think of your router as a dedicated computer, and the firmware as the software it runs. Over time this software may be improved and revised, and your router allows you to upgrade the software it runs to take advantage of these changes.

Clicking on Browse will allow you to select the new firmware image file you have downloaded to your PC. Once the correct file is selected, click Upgrade to update the firmware in your router.

DO NOT power down the router or interrupt the firmware upgrading while it is still in process. Improper operation could damage the router.

Chapter 4: Configuration

Backup / Restore

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

These functions allow you to save and backup your router’s current settings to a file on your PC, or to restore a previously saved backup. This is useful if you wish to experiment with different settings, knowing that you have a backup handy in the case of any mistakes. It is advisable to backup your router’s settings before making any significant changes to your router’s configuration.

Press Backup to select where on your local PC to save the settings file. You may also change the name of the file when saving if you wish to keep multiple backups.

Press Browse to select a file from your PC to restore. You should only restore settings files that have been generated by the Backup function, and that were created when using the current version of the router’s firmware. Settings files saved to your PC should not be manually edited in any way.

After selecting the settings file you wish to use, pressing Restore will load those settings into the router.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Restart Router

Click Restart with option Current Settings to reboot your router (and restore your last saved configuration).

If you wish to restart the router using the factory default settings (for example, after a firmware upgrade or if you have saved an incorrect configuration), select Factory Default Settings to reset to factory default settings.

You may also reset your router to factory settings by holding the small Reset pinhole button more than 6 seconds on the back of your router.

Caution: After pressing the RESET button for more than 6 seconds, to be sure you power cycle the device again.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

User Management

In order to prevent unauthorized access to your router’s configuration interface, it requires all users to login with a password. You can set up multiple user accounts, each with their own password.

You are able to Edit existing users and Add new users who are able to access the device’s configuration interface. Once you have clicked on Edit, you are shown the following options:

You can change the user’s password, whether their account is active and valid, as well as add a comment to each user account. Click Edit/Delete button to save your revise. You cannot delete the default admin account, if you do you will be log out. However, you can delete any other created accounts by clicking Delete when editing the user. You are strongly advised to change the password on the default “admin” account when you receive your router, and any time you reset your configuration to Factory Defaults.

When you create a user account, you check Valid to fill in the blank with User, Comment, Password and Confirm Password. Later, click Add button to add your new user account.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

For deleting the user account, you choose Delete option. In the end, you click Edit/Delete button to delete the chosen user account.

Firewall and Access Control

Your router includes a full SPI (Stateful Packet Inspection) firewall for controlling Internet access from your LAN, as well as helping to prevent attacks from hackers. Besides, when using NAT, the router acts as a “natural” Internet firewall, as all PCs on your LAN will use private IP addresses that cannot be directly accessed from the Internet.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

When using Virtual Servers your PCs will be exposed to the degree

Firewall: Prevents access from outside your network. The router provides three levels of security

support:

NAT natural firewall: This masks LAN users’ IP addresses which is invisible to outside users on the Internet, making it much more difficult for a hacker to target a machine on your network. This natural firewall is on when NAT function is enabled.

specified in your Virtual Server settings provided the ports specified are opened in your firewall packet filter settings.

Firewall Security and Policy (General Settings): Inbound direction of Packet Filter rules to prevent

unauthorized computers or applications accessing your local network from the Internet.

Intrusion Detection: Enable Intrusion Detection to detect, prevent and log malicious attacks.

Access Control: Prevents access from PCs on your local network:

Firewall Security and Policy (General Settings): Outbound direction of Packet Filter rules to prevent

unauthorized computers or applications accessing the Internet.

URL Filter: To block PCs on your local network from unwanted websites.

Here are the items within the Firewall section: General Settings, Packet Filter, Intrusion Detection,

URL Filter, IM/P2P Blocking and Firewall Log.

General Settings

You can choose not to enable Firewall and still able to access to URL Filter and IM/P2P Blocking or enable the Firewall using preset filter rules and modify the port filter rules as required. The Packet Filter is used to filter packets based-on Applications (Port) or IP addresses.

There are four options when you enable the Firewall, they are:

 All blocked/User-defined: no pre-defined port or address filter rules by default, meaning that

all inbound (Internet to LAN) and outbound (LAN to Internet) packets will be blocked. Users have to

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Any remote user who is attempting to perform this

action may result in

add their own filter rules for further access to the Internet.

 High/Medium/Low security level: the predefined port filter rules for High, Medium and Low

security are displayed in Port Filters of Packet Filter.

Select either High, Medium or Low security level to enable the Firewall. The only difference between these three security levels is the preset port filter rules in the Packet Filter. Firewall functionality is the same for all levels; it is only the list of preset port filters that changes between each setting. For more detailed on level of preset port filter information, refer to Table 1: Predefined Port Filter.

If you choose of the preset security levels and add custom filters, this level of filter rules will be saved even and do not need to re-configure the rules again if you disable or switch to other firewall level.

The “Block WAN Request” is a stand-alone function and not relate to whether security enable or disable. Mostly it is for preventing any scan tools from WAN site by hacker.

(Changed the format only.)

blocking all the accesses to configure and manage of the device from the Internet.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Packet Filter

This function is only available when the Firewall is enabled and one of these four security levels is chosen (All blocked, High, Medium and Low). The preset port filter rules in the Packet Filter must modify accordingly to the level of Firewall, which is selected. See Table1: Predefined Port Filter for more detail information.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

News

Example: Predefined Port Filters Rules

The predefined port filter rules for High, Medium and Low security levels are listed. See Table 1.

Note: Firewall – All Blocked/User-defined, you must define and create the port filter rules yourself. No predefined rule is being preconfigured.

Table 1: Predefined Port Filter

Port Number Firewall - Low Firewall - Medium

Firewall – High

Application Protocol

Start End Inbound Outbound Inbound Outbound Inbound Outbound

HTTP(80) TCP(6) 80 80 NO YES NO YES NO YES

DNS (53) UDP(17) 53 53 NO YES NO YES NO YES

DNS (53) TCP(6) 53 53 NO YES NO YES NO YES

FTP(21) TCP(6) 21 21 NO YES NO YES NO NO

Telnet(23) TCP(6) 23 23 NO YES NO YES NO NO

SMTP(25) TCP(6) 25 25 NO YES NO YES NO YES

POP3(110) TCP(6) 110 110 NO YES NO YES NO YES

NEWS(NNTP)

(Network Transfer Protocol)

TCP(6) 119 119 NO YES NO YES NO NO

RealAudio/ RealVideo

UDP(17) 7070 7070

YES YES YES YES NO NO

(7070)

PING ICMP(1) N/A N/A NO YES NO YES NO YES

H.323(1720) TCP(6) 1720 1720

T.120(1503) TCP(6) 1503 1503

YES YES NO YES NO NO

SSH(22) TCP(6) 22 22 NO YES NO YES NO NO

NTP /SNTP UDP(17) 123 123 NO YES NO YES NO YES

HTTP/HTTP Proxy

TCP(6) 8080 8080

NO YES NO NO NO NO

(8080)

HTTPS(443) TCP(6) 443 443 NO YES NO YES N/A N/A

ICQ (5190) TCP(6) 5190 5190

MSN (1863) TCP(6) 1863 1863

Chapter 4: Configuration

YES YES N/A N/A N/A N/A

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

MSN VEDIO

MSN (7001) UDP(17) 7001 7001 YES YES N/A N/A N/A N/A

(9000)

Inbound: Internet to LAN ; Outbound: LAN to Internet. YES: Allowed ; NO: Blocked ; N/A: Not Applicable

TCP(6) 9000 9000 NO YES N/A N/A N/A N/A

Packet Filter – Add TCP/UDP Filter

Rule Name: Users-define description to identify this entry or click “Select” drop-down menu to select existing predefined rules. The maximum name length is 32 characters.

Time Schedule: It is self-defined time period. You may specify a time schedule for your prioritization policy. For setup and detail, refer to Time Schedule section

Source IP Address(es) / Destination IP Address(es): This is the Address-Filter used to allow or block traffic to/from particular IP address(es). Selecting the Subnet Mask of the IP address range you wish to allow/block the traffic to or form; set IP address and Subnet Mask to 0.0.0.0 to inactive the Address-Filter rule.

Tip: To block access, to/from a single IP address, enter that IP address as the Host IP Address and use a Host Subnet Mask of “255.255.255.255”.

Source Port: This Port or Port Ranges defines the port allowed to be used by the Remote/WAN to connect to the application. Default is set from range 0 ~ 65535. It is recommended that this option be configured by an advanced user.

Destination Port: This is the Port or Port Ranges that defines the application.

Type: It is the packet protocol type used by the application, select TCP, UDP or both TCP/UDP. Protocol Number: Insert the port number.

Inbound / Outbound: Select Allow or Block the access to the Internet (“Outbound”) or from the

Internet (“Inbound”).

Click Add button to apply your changes.

Packet Filter – Add Raw IP Filter

Go to “Type” drop-down menu, select “Use Protocol Number”.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Rule Name Helper: Users-define description to identify this entry or choosing “Select” drop-down menu to select existing predefined rules.

Time Schedule: It is self-defined time period. You may specify a time schedule for your prioritization policy. For setup and detail, refer to Time Schedule section

Protocol Number: Insert the port number, i.e. GRE 47.

Inbound / Outbound: Select Allow or Block the access to the Internet (“Outbound”) or from the

Internet (“Inbound”).

Click Add button to apply your changes.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring your firewall to allow a publicly accessible web server on your LAN

The predefined port filter rule for HTTP (TCP port 80) is the same no matter whether the firewall is set to a high, medium or low security level. To setup a web server located on the local network when the firewall is enabled, you have to configure the Port Filters setting for HTTP.

As you can see from the diagram below, when the firewall is enabled with one of the three presets (Low/Medium/High), inbound HTTP access is not allowed which means remote access through HTTP to your router is not allowed.

Note: Inbound indicates accessing from Internet to LAN and Outbound is from LAN to the Internet.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring Packet Filter:

1. Click Packet Filters. You will then be presented with the predefined port filter rules screen (in this

case for the low security level), shown below:

Note: You may click Edit the predefined rule instead of Delete it. This is an example to show to how you add a filter on your own.

2. Choose the radio button you want to delete the existing HTTP rule. Click Edit/Delete button to

delete the existing HTTP rule.

3. Input the Rule Name, Time Schedule, Source/Destination IP, Type, Source/Destination Port,

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Inbound and Outbound.

Example:

Application: Cindy_HTTP

Time Schedule: Always On

Source / Destination IP Address(es): 0.0.0.0 (I do not wish to active the address-filter, instead I

use the port-filter)

Type: TCP (Please refer to Table1: Predefined Port Filter)

Source Port: 0-65535 (I allow all ports to connect with the application))

Redirect Port: 80-80 (This is Port defined for HTTP)

Inbound / Outbound: Allow

4. The new port filter rule for HTTP is shown below:

5. Configure your Virtual Server (“port forwarding”) settings so that incoming HTTP requests on port 80

will be forwarded to the PC running your web server:

Note: For how to configure the HTTP in Virtual Server, go to Add Virtual Server in Virtual Server section for more details.

Chapter 4: Configuration

Intrusion Detection

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

The router’s Intrusion Detection System (IDS) is used to detect hacker attacks and intrusion attempts from the Internet. If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.

Blacklist: If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist. Any further attempts using this IP address will be blocked for the time period specified as the Block Duration. The default setting for this function is false (disabled). Some attack types are denied immediately without using the Blacklist function, such as Land attack and Echo/CharGen scan.

Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is false.

Block Duration:

 Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default

value is 600 seconds.

 Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible

Scan attack. Scan attack types include X’mas scan, IMAP SYN/FIN scan and similar attempts.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Default value is 86400 seconds.

 DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible

Denial of Service (DoS) attack. Possible DoS attacks this attempts to block include Ascend Kill and

WinNuke. Default value is 1800 seconds.

Max TCP Open Handshaking Count: This is a threshold value to decide whether a SYN Flood attempt is occurring or not. Default value is 100 TCP SYN per seconds.

Max PING Count: This is a threshold value to decide whether an ICMP Echo Storm is occurring or not. Default value is 15 ICMP Echo Requests (PING) per second.

Max ICMP Count: This is a threshold to decide whether an ICMP flood is occurring or not. Default value is 100 ICMP packets per seconds except ICMP Echo Requests (PING).

For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will just warn the user in the Event Log. It cannot protect against such attacks.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Type of Block

t 135, 137~139,

UDP Echo Port and

UDP Dst Port =

ting session

And Scan Hosts

DstPort = Net Bus

UDP, DstPort =

Max TCP Open

andshaking Count

Max ICMP Count

Table 2: Hacker attack types recognized by the IDS

Intrusion Name Detect Parameter Blacklist

Ascend Kill

WinNuke

Smurf

Land attack

Echo/CharGen Scan

Echo Scan

CharGen Scan

X’mas Tree Scan

Ascend Kill data Src IP DoS Yes Yes

TCP Por Flag: URG

ICMP type 8 Des IP is broadcast

SrcIP = DstIP Yes Yes

CharGen Port

Echo(7)

CharGen(19)

TCP Flag: X’mas Src IP Scan Yes Yes

Src IP DoS Yes Yes

Dst IP

Yes Yes

Src IP Scan Yes Yes

Duration

Victim Protection

Drop Packet Show Log

Yes Yes

IMAP SYN/FIN Scan

SYN/FIN/RST/ACK Scan

Net Bus Scan

Back Orifice Scan

SYN Flood

ICMP Flood

ICMP Echo

Src IP: Source IP Src Port: Source Port Dst Port: Destination Port Dst IP: Destination IP

TCP Flag: SYN/FIN DstPort: IMAP(143) SrcPort: 0 or 65535

TCP, No Exis

more than five.

TCP No Existing session

12345,12346, 3456

Orifice Port (31337)

H (Default 100 c/sec)

(Default 100 c/sec)

Max PING Count (Default 15 c/sec)

Src IP Scan Yes Yes

SrcIP Scan Yes Yes

Yes

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

URL Filter

URL (Uniform Resource Locator – e.g. an address in the form of http://www.abcde.com or

http://www.example.com) filter rules allow you to prevent users on your network from accessing particular

websites by their URL. There are no pre-defined URL filter rules; you can add filter rules to meet your requirements.

Enable/Disable: To enable or disable URL Filter feature.

Block Mode: A list of the modes that you can choose to check the URL filter rules. The default is set to Always On.

 Disabled: No action will be performed by the Block Mode.

 Always On: Action is enabled. URL filter rules will be monitoring and checking at all hours of

the day.

 TimeSlot1 ~ TimeSlot16: It is self-defined time period. You may specify the time period to

check the URL filter rules, i.e. during working hours. For setup and detail, refer to Time

Schedule section.

Keywords Filtering: Allows blocking by specific keywords within a particular URL rather than having to

specify a complete URL (e.g. to block any image called “advertisement.gif”). When enabled, your specified keywords list will be checked to see if any keywords are present in URLs accessed to determine if the connection attempt should be blocked. Please note that the URL filter blocks web browser (HTTP) connection attempts using port 80 only.

For example, if the URL is http://www.abc.com/abcde.html, it will be dropped as the keyword “abcde”

occurs in the URL.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Domains Filtering: This function checks the whole URL not the IP address, in URLs accessed against

your list of domains to block or allow. If it is matched, the URL request will be sent (Trusted) or dropped (Forbidden). For this function to be activated, both check-boxes must be checked. Here is the checking procedure:

1. Check the domain in the URL to determine if it is in the trusted list. If yes, the connection attempt is sent to the remote web server.

2. If not, check if it is listed in the forbidden list. If yes, then the connection attempt will be dropped.

3. If the packet does not match either of the above two items, it is sent to the remote web server.

4. Please be note that the completed URL, “www” + domain name shall be specified. For example to block traffic to www.google.com.au, enter “www.google” or “www.google.com”

In the example below, the URL request for www.abc.com will be sent to the remote web server because it is listed in the trusted list, whilst the URL request for www.google or www.google.com will be dropped, because www.google is in the forbidden list.

Example: Andy wishes to disable all WEB traffic except for ones listed in the trusted domain, which

would prevent Bobby from accessing other web sites. Andy selects both functions in the Domain Filtering and thinks that it will stop Bobby. But Bobby knows this function, Domain Filtering, ONLY disables all WEB traffic except for Trusted Domain, BUT not its IP address. If this is the situation, Block surfing by IP address function can be handy and helpful to Andy. Now, Andy can prevent Bobby from accessing other sites.

Restrict URL Features: This function enhances the restriction to your URL rules.

 Block Java Applet: This function can block Web content that includes the Java Applet. It is to

prevent someone who wants to damage your system via standard HTTP protocol.

 Block surfing by IP address: Preventing someone who uses the IP address as URL for

skipping Domains Filtering function. Activates only and if Domain Filtering enabled.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

IM / P2P Blocking

IM, short for Instant Message, is required to use client program software that allows users to communicate, in exchanging text message, with other IM users in real time over the Internet. A P2P application, known as Peer-to-peer, is group of computer users who share file to specific groups of people across the Internet. Both Instant Message and Peer-to-peer applications make communication faster and easier but your network can become increasingly insecure at the same time. Billion’s IM and P2P blocking helps users to restrict LAN PCs to access to the commonly used IM, Yahoo and MSN, and P2P, BitTorrent and eDonkey, applications over the Internet.

Instant Message Blocking: The default is set to Disabled.

 Disabled: Instant Message blocking is not triggered. No action will be performed.

 Always On: Action is enabled.

 TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time

period to trigger the blocking, i.e. during working hours. For setup and detail, refer to Time Schedule section.

Yahoo/MSN Messenger: Check the box to block either or both Yahoo or/and MSN Messenger. To be

sure you enabled the Instant Message Blocking first.

Peer to Peer Blocking: The default is set to Disabled.

 Disabled: Instant Message blocking is not triggered. No action will be performed.

 Always On: Action is enabled.

 TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time

period to trigger the blocking, i.e. during working hours. For setup and detail, refer to Time Schedule section.

BitTorrent / eDonkey: Check the box to block either or both Bit Torrent or/and eDonkey. To be sure you

enabled the Peer to Peer Blocking first.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Firewall Log

Firewall Log display log information of any unexpected action with your firewall settings.

Check the Enable box to activate the logs.

Log information can be seen in the Status – Event Log after enabling.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

VPN - Virtual Private Networks

Virtual Private Networks is ways to establish secured communication tunnels to an organization’s network via the Internet. Your router supports three main types of VPN (Virtual Private Network), PPTP, IPSec and L2TP.

PPTP (Point-to-Point Tunneling Protocol)

There are two types of PPTP VPN supported; Remote Access and LAN-to-LAN (please refer below for more information.). Click Configuration/VPN/PPTP.

Name: A given name for the connection.

Active: This function activates or deactivates the PPTP connection. Check Active checkbox if you want

the protocol of tunnel to be activated and vice versa.

Note: When the Active checkbox is checked, the function of Edit and Delete will not be available.

Connection Type: It informs your PPTP tunnel connection condition.

Type: This refers to your router operates as a client or a server, Dialout or Dialin respectively.

(BiPAC 7402NX only)

PPTP Connection - Remote Access

Name: A given name for the connection (e.g. “connection to office”).

Connection Type: Remote Access or LAN to LAN

Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office server), check Dial In operates as a VPN server.

 When configuring your router as a Client, enter the remote Server IP Address (or Domain

Name) you wish to connect to.

 When configuring your router as a server, enter the Private IP Address Assigned to Dial in

User address.

Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a

Dial-In user (server), enter your own username.

Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user (server), enter your own password.

Authentication Type: Default is Auto if you want the router to determine the authentication type to use, or else manually specify CHAP (Challenge Handshake Authentication Protocol) or PAP (Password

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Authentication Protocol) if you know which type the server is using (when acting as a client), or else the authentication type you want clients connecting to you to use (when acting as a server). When using PAP, the password is sent unencrypted, whilst CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that an intruder has not replaced the client.

Data Encryption: Data sent over the VPN connection can be encrypted by an MPPE algorithm. Default is Auto, so that this setting is negotiated when establishing a connection, or else you can manually

Enable or Disable encryption.

Key Length: The data can be encrypted by MPPE algorithm with 40 bits or 128 bits. Default is Auto, it is

negotiated when establishing a connection. 128 bit keys provide stronger encryption than 40 bit keys.

Mode: You may select Stateful or Stateless mode. The key will be changed every 256 packets when you select Stateful mode. If you select Stateless mode, the key will be changed in each packet.

Active as default route: Commonly used by the Dial-out connection which all packets will route through the VPN tunnel to the Internet; therefore, active the function may degrade the Internet performance.

Click Edit/Delete button to save your changes.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring a Remote Access PPTP VPN Dial-out Connection

A company’s office establishes a PPTP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers.

Dial-out

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Type

PPTP server & client will determine the value

. Refer to manual for details if

Configuring the PPTP VPN in the Office

Click Configuration/VPN/PPTP. Choose Remote Access from Connect Type drop-down menu. You can either input the IP address (69.121.1.33 in this case) or hostname to reach the server.

Item

Name VPN_PPTP Given name of PPTP connection

Connection Type Remote Access

Type Dial out Select Dial out from Type drop-down menu IP Address (or

Domain name) Username username Password 123456 Auth.Type Chap(Auto) Data Encryption Auto Key Length Auto Mode stateful

Function Description

Select Remote Access from Connection drop-down menu

69.121.1.33 An Dialed server IP

A given username & password

Keep as default value in most of the cases

automatically you want to change the setting.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

PPTP Connection - LAN to LAN

Name: A given name of the connection.

Connection Type: Remote Access or LAN to LAN.

Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office server), check Dial In operates as a VPN server.

 When configuring your router as a Client, enter the remote Server IP Address (or Domain

name) you wish to connect to.

 When configuring your router as a server, enter the Private IP Address Assigned to Dial in

User address.

Peer Network IP: Enter Peer network IP address.

Netmask: Enter the subnet mask of peer network based on the Peer Network IP setting.

Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a

Dial-In user (server), enter your own username.

Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user (server), enter your own password.

Authentication Type: Default is Auto if you want the router to determine the authentication type to use, or else manually specify CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol) if you know which type the server is using (when acting as a client), or else the authentication type you want clients connecting to you to use (when acting as a server). When using PAP, the password is sent unencrypted, whilst CHAP encrypts the password before sending, and also allows for challenges at different periods to ensure that the client has not been replaced by an intruder.

Data Encryption: Data sent over the VPN connection can be encrypted by an MPPE algorithm. Default is Auto, so that this setting is negotiated when establishing a connection, or else you can manually

Enable or Disable encryption.

Key Length: The data can be encrypted by MPPE algorithm with 40 bits or 128 bits. Default is Auto, it is

negotiated when establishing a connection. 128 bit keys provide stronger encryption than 40 bit keys.

Mode: You may select Stateful or Stateless mode. The key will be changed every 256 packets when you select Stateful mode. If you select Stateless mode, the key will be changed in each packet.

Active as default route: As the connection type is LAN to LAN, this function will become to disable.

Click Edit/Delete button to save your changes.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Attention

Example: Configuring a PPTP LAN-to-LAN VPN Connection

The branch office establishes a PPTP VPN tunnel with head office to connect two private networks over the Internet. The routers are installed in the head office and branch offices accordingly.

Both office LAN networks MUST in different subnet with LAN to LAN application.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring PPTP VPN in the Head Office

The IP address 192.168.1.201 will be assigned to the router located in the branch office. Please make sure this IP is not used in the head office LAN.

Item

Name HeadOffice Given a name of PPTP connection

Connection Type LAN to LAN

Type Dial in Select Dial in from Type drop-down menu IP Address 192.168.1.200 IP address assigned to branch office network Peer Network IP 192.168.0.0 Netmask 255.255.255.0 Username username Password 123456 Auth.Type Chap(Auto) Data Encryption Auto Key Length Auto Mode stateful

Function Description

Select LAN to LAN from Connection Type drop-down menu

Branch office network

Input username & password to authenticate branch office network

Keep as default value in most of the cases, PPTP server & client will determine the value automatically. Refer to manual for details if you want to change the setting.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring PPTP VPN in the Branch Office

The IP address 69.121.1.33 is the Public IP address of the router located in head office. If you registered the DDNS (please refer to the DDNS section of this manual), you can also use the domain name instead of the IP address to reach the router.

Item

Name BranchOffice Given a name of PPTP connection

Connection Type LAN to LAN

Type Dial out Select Dial out from Type drop-down menu IP Address (or

Domain name ) Peer Network IP 192.168.1.0 Netmask 255.255.255.0 Username username Password 123456 Auth.Type Chap(Auto) Data Encryption Auto Key Length Auto Mode stateful

Function Description

Select LAN to LAN from Connection Type drop-down menu

69.121.1.33 IP address of the head office router (in WAN side)

Head office network

Input username & password to authenticate head office network

Keep as default value in most of the cases, PPTP server & client will determine the value automatically. Refer to manual for details if you want to change the setting.

Chapter 4: Configuration

IPSec (IP Security Protocol)

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Active: This function activates or deactivates the IPSec connection. Check Active checkbox if you want

the protocol of tunnel to be activated and vice versa.

Note: When the Active checkbox is checked, the function of Edit and Delete will not be available.

Name: This is a given name of the connection.

Local Subnet: Displays IP address and subnet of the local network.

Remote Subnet: Displays IP address and subnet of the remote network.

Remote Gateway: This is the IP address or Domain Name of the remote VPN device that is connected

and established a VPN tunnel.

IPSec Proposal: This is selected IPSec security method.

Chapter 4: Configuration

IPSec VPN Connection

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Name: A given name for the connection (e.g. “connection to office”).

Local Network: Set the IP address, subnet or address range of the local network.

 Single Address: The IP address of the local host.

 Subnet: The subnet of the local network. For example, IP: 192.168.1.0 with netmask

255.255.255.0 specifies one class C subnet starting from 192.168.1.1 (i.e. 192.168.1.1 through to 192.168.1.254).

 IP Range: The IP address range of the local network. For example, IP: 192.168.1.1, end IP:

192.168.1.10.

Remote Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel.

Remote Network: Set the IP address, subnet or address range of the remote network.

IKE (Internet key Exchange) Mode: Select IKE mode to Main mode or Aggressive mode. This IKE

provides secured key generation and key management.

Local ID:

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

 Content: Input ID’s information, like domain name www.ipsectest.com.

Remote ID:

 Identifier: Input remote ID’s information, like domain name www.ipsectest.com.

Hash Function: It is a Message Digest algorithm which coverts any length of a message into a unique

set of bits. It is widely used MD5 (Message Digest) and SHA-1 (Secure Hash Algorithm) algorithms. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.

 MD5: A one-way hashing algorithm that produces a 128−bit hash.

 SHA1: A one-way hashing algorithm that produces a 160−bit hash

Encryption: Select the encryption method from the pull-down menu. There are several options, DES, 3DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.

 DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method.

 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption

method.

 AES: Stands for Advanced Encryption Standards, you can use 128, 192 or 256 bits as encryption method.

DH (Diffie-Hellman) Group: It is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.

IPSec Proposal: Select the IPSec security method. There are two methods of checking the authentication information, AH (authentication header) and ESP (Encapsulating Security Payload). Use ESP for greater security so that data will be encrypted and authenticated. Using AH data will be authenticated but not encrypted.

Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transmit. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.

 MD5: A one-way hashing algorithm that produces a 128−bit hash.

 SHA1: A one-way hashing algorithm that produces a 160−bit hash.

Encryption: Select the encryption method from the pull-down menu. There are several options, DES, 3DES, AES (128, 192 and 256) and NULL. NULL means it is a tunnel only with no encryption. 3DES and

AES are more powerful but increase latency.

 DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method.

 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption

method.

 AES: Stands for Advanced Encryption Standards, you can use 128, 192 or 256 bits as encryption method.

Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography to change encryption keys during the second phase of VPN negotiation. This function will provide better security, but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.

Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).

SA Lifetime: Specify the number of minutes that a Security Association (SA) will stay active before new encryption and authentication key will be exchanged. There are two kinds of SAs, IKE and IPSec. IKE

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

negotiates and establishes SA on behalf of IPSec, an IKE SA is used by IKE.

 Phase 1 (IKE): To issue an initial connection request for a new VPN tunnel. The range can be from 5 to 15,000 minutes, and the default is 480 minutes.

 Phase 2 (IPSec): To negotiate and establish secure authentication. The range can be from 5 to 15,000 minutes, and the default is 60 minutes.

A short SA time increases security by forcing the two parties to update the keys. However, every

time the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected.

PING for Keep Alive:

None: The default setting is None. To this mode, it will not detect the remote IPSec peer has

been lost or not. It only follows the policy of Disconnection time after no traffic, which the remote IPSec will be disconnected after the time you set in this function.

PING: This mode will detect the remote IPSec peer has lost or not by pinging specify IP address.

DPD:

Dead peer detection (DPD) is a keeping alive mechanism that enables the router to be detected lively when the connection between the router and a remote IPSec peer has lost. Please be noted, it must be enabled on the both sites.

PING to the IP: It is able to IP Ping the remote PC with the specified IP address and alert when the connection fails. Once alter message is received, Router will drop this tunnel connection. Re-establish of this connection is required. Default setting is 0.0.0.0 which disables the function.

Interval: This sets the time interval between Pings to the IP function to monitor the connection status. Default interval setting is 10 seconds. Time interval can be set from 0 to 3600 second, 0 second disables the function.

Ping to the IP Interval (sec) Ping to the IP Action

0.0.0.0 0 No

0.0.0.0 2000 No

xxx.xxx.xxx.xxx (A valid IP Address) 0 No

xxx.xxx.xxx.xxx(A valid IP Address) 2000 Yes, activate it in every 2000

second.

Disconnection Time after no traffic: It is the NO Response time clock. When no traffic stage time is beyond the Disconnection time set, Router will automatically halt the tunnel connection and re-establish it base on the Reconnection Time set. 180 seconds is minimum time interval for this function.

Reconnection Time: It is the reconnecting time interval after NO TRAFFIC is initiated. 3 minutes is minimum time interval for this function.

Click Edit/Delete to save your changes.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Attention

Example: Configuring a IPSec LAN-to-LAN VPN Connection

Table 3: Network Configuration and Security Plan

Branch Office Head Office

Local Network ID 192.168.0.0/24 192.168.1.0/24

Local Router IP 69.121.1.30 69.121.1.3

Remote Network ID 192.168.1.0/24 192.168.0.0/24

Remote Router IP 69.1.121.3 69.1.121.30

IKE Pre-shared Key 12345678 12345678

VPN Connection Type Tunnel mode Tunnel mode

Security Algorithm ESP:MD5 with AES ESP:MD5 with AES

Both office LAN networks MUST in different subnet with LAN to LAN application.

Functions of Pre-shared Key, VPN Connection Type and Security Algorithm

MUST BE identically set up on both sides.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring IPSec VPN in the Head Office

Item

Name IPSec_HeadOffice Given a name of IPSec connection

Local Network Subnet

IP Address 192.168.1.0 Netmask 255.255.255.0 Remote Secure Gateway IP

(or Hostname)

Remote Network Subnet

IP Address 192.168.0.0 Netmask 255.255.255.0 Authentication MD5 Encryption 3DES Prefer Forward Security None Pre-shared Key 12345

Function Description

Select Subnet from Local Network drop-down menu.

Head office network

69.121.1.30

IP address of the branch office router (in WAN side)

Select Subnet from Remote Network drop-down menu

Branch office network

Security plan

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring IPSec VPN in the Branch Office

Item

Name

Local Network Subnet

IP Address 192.168.0.0 Netmask 255.255.255.0 Remote Secure Gateway IP

(or Hostname)

Remote Network Subnet

IP Address 192.168.1.0 Netmask 255.255.255.0 Authentication MD5 Encryption 3DES

Prefer Forward Security None Pre-shared Key 12345

Chapter 4: Configuration

Function Description

IPSec_Branch Office

69.121.1.3

Given a name of IPSec connection

Select Subnet from Local Network drop-down menu.

Branch office network

IP address of the head office router (in WAN side)

Select Subnet from Remote Network drop-down menu

Head office network

Security plan

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring a IPSec Host-to-LAN VPN Connection

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring IPSec VPN in the Office

Item

Name IPSec Given a name of IPSec connection

Local Network Subnet

IP Address 192.168.1.0 Netmask 255.255.255.0 Remote Secure Gateway IP

(or Hostname)

Remote Network Single Address

IP Address 69.121.1.30 Remote worker’s IP address Authentication MD5 Encryption 3DES Prefer Forward Security None Pre-shared Key 12345

Function Description

Select Subnet from Network drop-down menu

Head office network

69.121.1.30 Remote worker’s IP address

Select Single Address from Remote Network drop-down menu

Security plan

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

L2TP (Layer Two Tunneling Protocol)

Two types of L2TP VPN are supported Remote Access and LAN-to-LAN (please refer below for more information.). Fill in the blank with information you need and click Add to create a new VPN connection account.

Active: This function activates or deactivates the L2TP connection. Check Active checkbox if you want the protocol of tunnel to be activated and vice versa.

Note: When the Active checkbox is checked, the function of Edit and Delete will not be available.

Name: This is a given name of the connection.

Connection Type: It informs your L2TP tunnel connection condition.

Type: This refers to your router operates as a client or a server, Dialout or Dialin in respectively.

L2TP Connection - Remote Access

Connection Type: Remote Access or LAN to LAN.

Name: A given name for the connection (e.g. “connection to office”).

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Active: This function activates or deactivates the L2TP connection. Check Active checkbox if you want

the protocol of tunnel to be activated and vice versa.

Note: When the Active checkbox is checked, the function of Edit and Delete will not be available.

Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office server), check Dial In operates as a VPN server.

 When configuring your router as a Client, enter the remote Server IP Address (or Hostname)

you wish to connection to.

 When configuring your router as a server, enter the Private IP Address Assigned to Dial in

User address.

Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a

Dial-In user (server), enter your own username.

Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user (server), enter your own password.

Tunnel Authentication: This enables router to authenticate both the L2TP remote and L2TP host. This is only valid when L2TP remote supports this feature.

Secret: The secure password length should be 16 characters which may include numbers and characters.

Remote Host Name (Optional): Enter hostname of remote VPN device. It is a tunnel identifier from the Remote VPN device matches with the Remote hostname provided. If remote hostname matches, tunnel will be connected; otherwise, it will be dropped.

Cautious: This is only when the router performs as a VPN server. This option should be used by advanced users only.

Local Host Name (Optional): Enter hostname of Local VPN device that is connected / establishes a VPN tunnel. As default, Router’s default Hostname is home.gateway.

IPSec: Enable for enhancing your L2TP VPN security.

 MD5: A one-way hashing algorithm that produces a 128−bit hash.

 SHA1: A one-way hashing algorithm that produces a 160−bit hash.

Encryption: Select the encryption method from the pull-down menu. There are four options, DES, 3DES, AES and NULL. NULL means it is a tunnel only with no encryption. 3DES and AES are more powerful but

increase latency.

 DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method.

 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption

method.

 AES: Stands for Advanced Encryption Standards, it uses 128 bits as an encryption method.

Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.

Click Edit/Delete to save your changes..

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring a L2TP VPN - Remote Access Dial-in Connection

A remote worker establishes a L2TP VPN connection with the head office using Microsoft's VPN Adapter (included with Windows XP/2000/ME, etc.). The router is installed in the head office, connected to a couple of PCs and Servers.

Dial-in

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring L2TP VPN in the Office

The input IP address 192.168.1.200 will be assigned to the remote worker. Please make sure this IP is not used in the Office LAN.

Item

Name VPN_L2TP Given a name of L2TP connection

Connection Type Remote Access

Type Dial in Select Dial in from Type drop-down menu IP Address 192.168.1.200 An assigned IP address for the remote worker Username username Password 123456 Auth.Type Chap(Auto) Keep as default value in most of the cases. IPSec Enable Enable for enhancing your L2TP VPN security. Authentication MD5 Encryption 3DES Perfect Forward

Secrecy Pre-shared Key 12345678

Function Description

Select Remote Access from Connection Type drop-down menu

Input username & password to authenticate remote worker

Both sites should use the same value.

None

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring a Remote Access L2TP VPN Dial-out Connection

A company’s office establishes a L2TP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers.

Dial-out

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Select Remote Access from Connection Type

Configuring the L2TP VPN in the Office

Item

Name VPN_L2TP Given name of L2TP connection

Function Description

Connection Type Remote Access

Type Dial out Select Dial out from Type drop-down menu

IP Address (or Hostname)

Username username

Password 123456

Auth.Type Chap(Auto) Keep as default value in most of the cases. IPSec Enable Enable for enhancing your L2TP VPN security. Authentication MD5 Encryption 3DES

Perfect Forward Secrecy

Pre-shared Key 12345678

69.121.1.33 An Dialed server IP

None

drop-down menu

A given username & password

Both sites should use the same value.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring your Router to Dial-in to the Server

Currently, Microsoft Windows operation system does not support L2TP incoming service. Additional software may be required to set up your L2TP incoming service.

L2TP Connection - LAN to LAN

L2TP VPN Connection

Name: A given name of the connection.

Connection Type: Remote Access or LAN to LAN.

Active: This function activates or deactivates the L2TP connection. Check Active checkbox if you want

the protocol of tunnel to be activated and vice versa.

Note: When the Active checkbox is checked, the function of Edit and Delete will not be available.

Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office server), check Dial In operates as a VPN server.

 When configuring your router establish the connection to a remote LAN, enter the remote Server

IP Address (or Hostname) you wish to connection to.

 When configuring your router as a server to accept incoming connections, enter the Private IP

Address Assigned to Dial in User address.

Peer Network IP: Enter Peer network IP address.

Netmask: Enter the subnet mask of peer network based on the Peer Network IP setting.

Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a

Dial-In user (server), enter your own username.

Password: If you are a Dial-Out user (client), enter the password provided by your Host. If you are a Dial-In user (server), enter your own password.

Tunnel Authentication: This enables router to authenticate both the L2TP remote and L2TP host. This is only valid when L2TP remote supports this feature.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Secret: The secure password length should be 16 characters which may include numbers and

characters.

Active as default route: As the connection type is LAN to LAN, this function will become to disable.

Remote Host Name (Optional): Enter hostname of remote VPN device. It is a tunnel identifier from the

Remote VPN device matches with the Remote hostname provided. If remote hostname matches, tunnel will be connected; otherwise, it will be dropped.

Cautious: This is only when the router performs as a VPN server. This option should be used by advanced users only.

Local Host Name (Optional): Enter hostname of Local VPN device that is connected / establishes a VPN tunnel. As default, Router’s default Hostname is home.gateway.

IPSec: Enable for enhancing your L2TP VPN security.

Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transmit. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA-1 is more resistant to brute-force attacks than MD5, however it is slower.

 MD5: A one-way hashing algorithm that produces a 128−bit hash.

 SHA1: A one-way hashing algorithm that produces a 160−bit hash.

increase latency.

 DES: Stands for Data Encryption Standard, it uses 56 bits as an encryption method.

 3DES: Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption

method.

 AES: Stands for Advanced Encryption Standards, it uses 128 bits as an encryption method.

Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography

to change encryption keys during the second phase of VPN negotiation. This function will provide better security, but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.

Click Edit/Delete to save your changes.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Example: Configuring L2TP LAN-to-LAN VPN Connection

The branch office establishes a L2TP VPN tunnel with head office to connect two private networks over the Internet. The routers are installed in the head office and branch office accordingly.

Attention

Both office LAN networks MUST in different subnet with LAN to LAN application.

Functions of Pre-shared Key, VPN Connection Type and Security Algorithm

MUST BE identically set up on both sides.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring L2TP VPN in the Head Office

The IP address 192.168.1.200 will be assigned to the router located in the branch office. Please make sure this IP is not used in the head office LAN.

Item

Function Description

Name HeadOffice Given a name of L2TP connection

Connection Type LAN to LAN

Type Dial in Select Dial in from Type drop-down menu

IP Address 192.168.1.200 IP address assigned to branch office network Peer Network IP 192.168.0.0

Netmask 255.255.255.0 Username username

Password 123456

Auth.Type Chap(Auto) Keep as default value in most of the cases. IPSec Enable Enable for enhancing your L2TP VPN security. Authentication MD5 Encryption 3DES

Perfect Forward Secrecy

Pre-shared Key 12345678

None

Select LAN to LAN from Connection Type drop-down menu

Branch office network

Input username & password to authenticate branch office network

Both sites should use the same value.

Chapter 4: Configuration

Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router

Configuring L2TP VPN in the Branch Office

Item

Function Description

Name BranchOffice Given a name of L2TP connection

Connection Type LAN to LAN Select LAN to LAN from drop-down menu Type Dial out Select Dial out from drop-down menu

IP Address (or Hostname) 69.121.1.33 IP address of the head office router (in WAN side) Peer Network IP 192.168.1.0

Netmask 255.255.255.0 Username username

Password 123456

Auth.Type Chap(Auto) Keep as default value in most of the cases. IPSec Enable Enable for enhancing your L2TP VPN security. Authentication MD5

Encryption 3DES Perfect Forward Secrecy None Pre-shared Key 12345678

Head office network

Input username & password to authenticate head office network

Both sites should use the same value.

Chapter 4: Configuration

Billion Electric Company BIPAC 7402NX User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual