Black Box LRE1030E User Manual

LRE1030E
User
Version Release 7.02 (FW:1.xx)
Updated July 28, 2008
Black Box Corporation
1000 Park Drive, Lawrence, PA 15055-1018 USA, Canada: www.blackbox.com, EU, Africa, Asia, South America, Australia: www.blackbox.eu
Firetunnel 30 User’s Manual
(Updated July 28, 2008)
Copyright Information
© 2008 Black Box Corporation
The contents of this publication may not be reproduced in whole or in part,
transcribed, stored, translated, or transmitted in any form or any means, without
the prior written consent of Black Box Corporation.
Published by Black Box Corporation. All rights reserved.
Disclaimer
Black Box does not assume any liability arising out of the application or use of any
products or software described herein. Neither does it convey any license under its
patent rights nor the patent rights of others. Black Box reserves the right to make
changes in any products described herein without notice. This publication is subject
to change without notice.
Trademarks
Mac OS is a registered trademark of Apple Computer, Inc.
Windows 98, Windows NT, Windows 2000, Windows Me and Windows XP are
registered trademarks of Microsoft Corporation.
Safety Warnings
Your Firetunnel 30 is built for reliability and long service life. For your
safety, be sure to read and follow the following safety warnings.
Read this installation guide thoroughly before attempting to set up your
Firetunnel 30.
Your Firetunnel 30 is a complex electronic device. DO NOT open or attempt to
repair it yourself. Opening or removing the covers can expose you to high
voltage and other risks. In the case of malfunction, turn off the power
immediately and have it repaired at a qualified service center. Contact your
vendor for details.
Connect the power cord to the correct supply voltage.
Place connecting cables carefully so that people cannot step or trip on
them. DO NOT allow anything to rest on the power cord and DO NOT place the
power cord in an area where it can be stepped on.
DO NOT use Firetunnel 30 in environments with high humidity or high
temperatures.
DO NOT use the same power source for Firetunnel 30 as other equipment.
DO NOT use your Firetunnel 30 and any accessories outdoors.
If you wall mount your Firetunnel 30, make sure that no electrical, water or gas
pipes will be damaged during installation.
DO NOT install or use your Firetunnel 30 during a thunderstorm.
DO NOT expose your Firetunnel 30 to dampness, dust, or corrosive liquids.
DO NOT use your Firetunnel 30 near water.
Be sure to connect the cables to the correct ports.
DO NOT obstruct the ventilation slots on your Firetunnel 30 or expose it to direct
sunlight or other heat sources. Excessive temperatures may damage your
device.
DO NOT store anything on top of your Firetunnel 30.
Only connect suitable accessories to your Firetunnel 30.
Keep packaging out of the reach of children.
If disposing of the device, please follow your local regulations for the safe
disposal of electronic products to protect the environment.
Table of Contents
Chapter 1: Introduction
1.1 Overview
1.2 Product Highlights
1.2.1 Increased Bandwidth, Scalability and Resilience
1.2.2 Virtual Private Network Support
1.2.3 Advanced Firewall Security
1.2.4 Intelligent Bandwidth Management
1.3 Package Contents
1.3.1 Front Panel
1.3.2 Rear Panel
1.3.3 Rack Mounting
1.3.4 Cabling
Chapter 2: Router Applications
2.1 Overview
2.2 Bandwidth Management with QoS
2.2.1 QoS Technology
2.2.2 QoS Policies for Different Applications
2.2.3 Guaranteed / Maximum Bandwidth
2.2.4 Policy Based Traffic Shaping
2.2.5 Priority Bandwidth Utilization
2.2.6 Management by IP or MAC address
2.2.7 DiffServ (DSCP Marking)
2.2.8 DSCP (Matching)
2.3 Outbound Traffic
2.3.1 Outbound Fail Over
2.3.2 Outbound Load Balancing
2.4 Inbound Traffic
2.4.1 Inbound Fail Over
2.4.2 Inbound Load Balancing
2.5 DNS Inbound
2.5.1 DNS Inbound Fail Over
2.5.2 DNS Inbound Load Balancing
2.6 Virtual Private Networking
2.6.1 General VPN Setup
2.6.2 VPN Planning - Fail Over
2.6.3 Concentrator
Chapter 3: Getting Started
3.1 Overview
3.2 Before You Begin
3.3 Connecting Your Router
3.4 Configuring Your PC
3.5 Factory Default Settings
3.5.1 Username and Password
3.5.2 LAN and WAN Port Addresses
3.6 Information From Your ISP
3.6.1 Protocols
3.6.2 Configuration Information
3.7 Web Configuration Interface
Chapter 4: Router Configuration
4.1 Overview
4.2 Status
4.2.1 ARP Table
4.2.2 Routing Table
4.2.3 Session Table
4.2.4 DHCP Table
4.2.5 IPSec Status
4.2.6 PPTP Status
4.2.7 System Status
4.2.8 System Log
4.2.9 LAN Traffic Statistics
4.3 Quick Start
4.3.1 DHCP
4.3.2 Static IP
4.3.3 PPPoE
4.3.4 PPTP
4.3.5 Big Pond
4.4 Configuration
4.4.1 LAN
4.4.1.1 Ethernet
4.4.1.2 DHCP Server
4.4.1.3 LAN Address Mapping
4.4.2 WAN
4.4.2.1 Settings
4.4.2.1.1 DHCP
4.4.2.1.2 Static IP
4.4.2.1.3 PPPoE
4.4.2.1.4 PPTP
4.4.2.1.5 Big Pond
4.4.2.2 Bandwidth Setting
4.4.2.3 WAN IP Alias
4.4.3 Dual WAN
4.4.3.1 General Settings
4.4.3.2 Outbound Load Balance
4.4.3.3 Inbound Load Balance
4.4.3.4 Protocol Binding
4.4.4 System
4.4.4.1 Time Zone
4.4.4.2 Remote Access
4.4.4.3 Firmware Upgrade
4.4.4.4 Backup / Restore
4.4.4.5 Restart
4.4.4.6 Password
4.4.4.7 Ping & Trace Route
4.4.5 Firewall
4.4.5.1 Packet Filter
4.4.5.2 URL Filter
4.4.5.3 LAN MAC Filter
4.4.5.4 Block WAN Request
4.4.5.5 Intrusion Detection
4.4.6 VPN
4.4.6.1 IPSec
4.4.6.1.1 IPSec Wizard
4.4.6.1.2 IPSec Policy
4.4.6.2 PPTP
4.4.7 QoS
4.4.8 Virtual Server
4.4.8.1 DMZ
4.4.8.2 Port Forwarding Table
4.4.9 Advanced
4.4.9.1 Static Route
4.4.9.2 Dynamic DNS
4.4.9.3 Device Management
4.4.9.4 IGMP
4.4.9.5 VLAN Bridge
4.4.9.6 Schedule
4.5 Log & E-mail Alert
4.5.1 Log Configuration
4.5.2 System Log server
4.5.3 E-mail Alert
4.6 Save Configuration To Flash
4.7 Logout
Chapter 5: Troubleshooting
5.1 Basic Functionality
5.1.1 Router Won’t Turn On
5.1.2 LEDs Never Turn Off
5.1.3 LAN or Internet Port Not On
5.1.4 Forgot My Password
5.2 LAN Interface
5.2.1 Can’t Access Router from the LAN
5.2.2 Can’t Ping Any PC on the LAN
5.2.3 Can’t Access Web Configuration Interface
5.2.3.1 Pop-up Windows
5.2.3.2 Javascripts
5.2.3.3 Java Permissions
5.3 WAN Interface
5.3.1 Can’t Get WAN IP Address from the ISP
5.4 ISP Connection
5.5 Problems with Date and Time
5.6 Restoring Factory Defaults
Appendix A: Product Specifications
Appendix B: FCC Interference Statement
Appendix C: IPSec Logs and Events
C.1 IPSec Log Event Categories
C.2 IPSec Log Event Table
Appendix D: Router Setup Examples
D.1 Outbound Fail Over
D.2 Outbound Load Balancing
D.3 Inbound Fail Over
D.4 DNS Inbound Fail Over
D.5 DNS Inbound Load Balancing
D.6 Dynamic DNS Inbound Load Balancing
D.7 VPN Configuration
D.7.1 LAN to LAN
D.7.2 Host to LAN
D.8 IPSec Fail Over (Gateway to Gateway)
D.9 VPN Concentrator
D.10 Protocol Binding
D.11 Intrusion Detection
D.12 PPTP Remote Access by Windows XP
D.13 PPTP Remote Access by Firetunnel
Chapter 1: Introduction
1.1 Overview
Congratulations on purchasing Firetunnel 30 Router from Black Box. Combining a
router with an Ethernet network switch, Firetunnel 30 is a state-of-the-art device
that provides everything you need to get your network connected to the Internet
over your Cable or DSL connection quickly and easily. The Quick Start Wizard and
DHCP Server will get first-time users up and running with minimal fuss and
configuration, while sophisticated Quality of Service (QoS) and Load Balancing
features grant advanced users total control over their network and Internet
connection.
This manual illustrates the many features and functions of Firetunnel 30, and even
takes you through the various ways you can apply this versatile device to your home
or office. Take the time now to familiarize yourself with Firetunnel 30.
1.2 Product Highlights
1.2.1 Increased Bandwidth, Scalability and Resilience
With integrated Dual WAN ports, Firetunnel 30 combines two broadband lines such
as DSL or Cable into one Internet connection, providing optimal bandwidth sharing
for multiple PCs on your network, or allowing maximum reliability with network
redundancy. Load Balancing enables Firetunnel 30 to efficiently balance network
traffic across two connections, ideal for small-to-medium businesses that require
increased bandwidth, network scalability, and resilience for mission-critical network
and Internet applications. Auto failover can also be configured to ensure smooth,
continuous service should one connection fail, providing maximum business uptime
and productivity, plus uninterrupted service for you and your customers.
1.2.2 Virtual Private Network Support
Firetunnel 30 supports the IPSec and PPTP VPN protocols, which let businesses
establish private encrypted tunnels over the Internet to secure data transmission
among multiple sites, such as a branch office or dial-up connection. Up to 30
simultaneous IPSec VPN connections are possible on Firetunnel 30, with
performance of up to 30Mbps. Up to 4 simultaneous PPTP VPN connections are
possible on Firetunnel 30, with performance of up to 10Mbps.
1.2.3 Advanced Firewall Security
Aside from intelligent broadband sharing, Firetunnel 30 offers integrated firewall
protection with advanced features to secure your network from outside attacks.
Stateful Packet Inspection (SPI) determines if a data packet is permitted to enter
the private LAN. Denial of Service (DoS) protection prevents hackers from
interrupting network services via malicious attacks. In addition, the Firetunnel 30
firewall can be configured to alert you via email should your network come under
fire, offering both tight network security and peace of mind.
1.2.4 Intelligent Bandwidth Management
Firetunnel 30 utilizes Quality of Service (QoS) to give you full control over the
priority of both incoming and outgoing data, ensuring that critical data such as
customer information moves through your network, even while under a heavy load.
Transmission speeds can be throttled to make sure users are not saturating
bandwidth required for mission-critical data transfers. The priority of different
types of upload data can also be changed, allowing Firetunnel 30 to automatically
sort out actual speeds for unmatched convenience.
1.3 Package Contents
Firetunnel 30 VPN Appliance
Bracket x 2 (for rack-mounting)
Screw x 4 (for rack-mounting)
Getting Started CD-ROM
Quick Start Guide
AC-DC Power Adapter (12VDC, 1A)
1.3.1 Front Panel
LED          Function
Power        A solid light indicates a steady connection to a power source.
Status       A blinking light indicates the device is writing to flash memory.
LAN 1 – 8    Lit when connected to an Ethernet device.
             10/100M: Lit green when connected at 100Mbps.
                      Not lit when connected at 10Mbps.
             Link/ACT: Lit when device is connected.
                       Blinking when data is transmitting/receiving.
WAN1         Lit when connected to an Ethernet device.
             10/100M: Lit green when connected at 100Mbps.
                      Not lit when connected at 10Mbps.
             Link/ACT: Lit when device is connected.
                       Blinking when data is transmitting/receiving.
WAN2         Lit when connected to an Ethernet device.
             10/100M: Lit green when connected at 100Mbps.
                      Not lit when connected at 10Mbps.
             Link/ACT: Lit when device is connected.
                       Blinking when data is transmitting/receiving.
1.3.2 Rear Panel
Port           Function
1 RESET        To reset the device and restore factory default settings, after
               the device is fully booted, press and hold RESET until the
               Status LED begins to blink.
2 WAN2         WAN2 10/100M Ethernet port (with auto crossover support);
               connect xDSL/Cable modem here.
3 WAN1         WAN1 10/100M Ethernet port (with auto crossover support);
               connect xDSL/Cable modem here.
4 LAN 1 – 8    Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the
               eight LAN ports when connecting a PC to the network.
5 DC12V        Connect DC Power Adapter here. (12VDC)
1.3.3 Rack Mounting
To rack mount Firetunnel 30, carefully secure the device to your rack on both sides
using the included brackets and screws. See the diagram below for a more detailed
explanation.
1.3.4 Cabling
Most Ethernet networks currently use unshielded twisted pair (UTP) cabling. The
UTP cable contains eight conductors, arranged in four twisted pairs, and terminated
with an RJ45 type connector.
One of the most common causes of networking problems is bad cabling. Make sure
that all connected devices are turned on. On the front panel of Firetunnel 30, verify
that the LAN link and WAN line LEDs are lit. If they are not, check to see that you are
using the proper cabling.
Chapter 2: Router Applications
2.1 Overview
Your Firetunnel 30 router is a versatile device that can be configured to not only
protect your network from malicious attackers, but also ensure optimal usage of
available bandwidth with Quality of Service (QoS) and both Inbound and Outbound
Load Balancing. Alternatively, Firetunnel 30 can also be set to redirect incoming and
outgoing network traffic with the Fail Over capability, ensuring minimal downtime
and increased reliability.
The following chapter describes how Firetunnel 30 can work for you.
2.2 Bandwidth Management with QoS
Quality of Service (QoS) gives you full control over which types of outgoing data
traffic should be given priority by the router. By doing so, the router can ensure that
latency-sensitive applications like voice, bandwidth-consuming data like gaming
packets, or even mission critical files efficiently move through the router even under
a heavy load. You can throttle the speed at which different types of outgoing data
pass through the router. In addition, you can simply change the priority of different
types of upload data and let the router sort out the actual speeds.
2.2.1 QoS Technology
QoS generally involves the prioritization of network traffic. QoS is comprised of
three major components: Classifier, Meter, and Scheduler. Each of these
components has a distinct role in ensuring that incoming and outgoing data is
managed according to user specifications.
The Classifier analyses incoming packets and marks each one according to
configured parameters. The Meter communicates the drop priority to the Scheduler
and measures the temporal priorities of the output stream against configured
parameters. Finally, the Scheduler schedules each packet for transmission based on
information from both the Classifier and the Meter.
2.2.2 QoS Policies for Different Applications
By setting different QoS policies according to the applications you are running, you
can use Firetunnel 30 to optimize the bandwidth that is being used on your network.
[Diagram: a network with a Restricted PC, Normal PCs, and VoIP.]
As illustrated in the diagram above, applications such as Voice over IP (VoIP)
require low network latencies to function properly. If bandwidth is being used by
other applications such as an FTP server, users using VoIP will experience network
lag and/or service interruptions during use. To avoid this scenario, this network has
assigned VoIP a guaranteed bandwidth and higher priority to ensure smooth
communications. The FTP server, on the other hand, has been given a maximum
bandwidth cap to make sure that regular service to both VoIP and normal Internet
applications is uninterrupted.
2.2.3 Guaranteed / Maximum Bandwidth
Setting a Guaranteed Bandwidth ensures that a particular service receives a
minimum bandwidth. For example, you can configure Firetunnel 30 to reserve
10000 kbps of the available bandwidth for a particular computer on the network to
transfer files.
Alternatively you can set a Maximum Bandwidth to restrict a particular application
to a fixed percentage of the total throughput. Setting a Maximum Bandwidth of
20000 kbps for a file sharing program will ensure that no more than 20000 kbps of
the available bandwidth will be used for file sharing.
2.2.4 Policy Based Traffic Shaping
Policy Based Traffic Shaping allows you to apply specific traffic policies across a
range of IP addresses or ports. This is particularly useful for assigning different
policies for different PCs on the network. Policy based traffic shaping lets you better
manage your bandwidth, providing reliable Internet and network service to your
organization.
2.2.5 Priority Bandwidth Utilization
Assigning priority to a certain service allows Firetunnel 30 to give either a higher or
lower priority to traffic from this particular service. Assigning a higher priority to an
application ensures that it is processed ahead of applications with a lower priority
and vice versa.
2.2.6 Management by IP or MAC address
Firetunnel 30 can also be configured to apply traffic policies based on a particular IP
or MAC address. This allows you to quickly assign different traffic policies to a
specific computer on the network.
2.2.7 DiffServ (DSCP Marking)
DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values.
Other interfaces can match traffic based on the DSCP markings. DSCP markings are
used to decide how packets should be treated, and are a useful tool for giving
precedence to varying types of data.
2.2.8 DSCP (Matching)
Like DSCP Marking, DSCP Matching is applied to traffic; both inbound rules and
outbound rules have DSCP matching. DSCP matching is used to identify the traffic
that a rule applies to, in the same way that the source IP and destination IP do.
When this option of the QoS rule is selected, the QoS rule will only be applied to
the packets whose IP header’s DSCP field matches the criteria selected. These
markings can be used to identify traffic within the network.
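The following is an added example, not code from this manual or from the router's firmware. It shows where the DSCP value sits in an IPv4 header, how marking rewrites it (which forces a header checksum update), and how a rule can match on DSCP alongside a source address. The rule names, the `QosRule` class and the sample packets are constructed for illustration; DSCP 46 is the standard Expedited Forwarding code point.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, dscp: int = 0, ecn: int = 0) -> bytes:
    """Constructed sample: a 20-byte IPv4 header (protocol UDP) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def read_dscp(packet: bytes) -> Tuple[int, int]:
    """Return (DSCP, ECN): the upper 6 and lower 2 bits of the second header byte."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2, packet[1] & 0x03


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """DSCP Marking: rewrite the DSCP bits, keep ECN, recompute the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    _, ecn = read_dscp(packet)
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | ecn
    hdr[10:12] = b"\x00\x00"          # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


@dataclass
class QosRule:
    """Hypothetical rule: every criterion that is set must match."""
    name: str
    src_net: Optional[str] = None     # None means any source address
    dscp: Optional[int] = None        # None means any DSCP value

    def matches(self, packet: bytes) -> bool:
        dscp, _ = read_dscp(packet)
        src = ipaddress.IPv4Address(packet[12:16])
        if self.src_net is not None and src not in ipaddress.ip_network(self.src_net):
            return False
        return self.dscp is None or self.dscp == dscp


def classify(packet: bytes, rules: List[QosRule]) -> str:
    """DSCP Matching: the first rule whose criteria all match wins."""
    for rule in rules:
        if rule.matches(packet):
            return rule.name
    return "default"


if __name__ == "__main__":
    rules = [QosRule("voip-guaranteed", dscp=46),
             QosRule("restricted-pc", src_net="192.168.2.3/32")]
    unmarked = build_header("192.168.2.2", "230.100.100.1")
    marked = mark_dscp(unmarked, 46)
    for pkt in (unmarked, marked):
        print(read_dscp(pkt), classify(pkt, rules), hex(ipv4_checksum(pkt)))
```

A correctly marked header checksums to zero when the sum is taken over the whole header, which is a quick way to confirm that a marking step did not corrupt the packet.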
2.3 Outbound Traffic
This section outlines some of the ways you can use Firetunnel 30 to manage
outbound traffic.
2.3.1 Outbound Fail Over
Configuring Firetunnel 30 for Outbound Fail Over allows you to ensure that outgoing
traffic is uninterrupted by having Firetunnel 30 default to WAN2 should WAN1 fail.
[Diagram: PC 1 (192.168.2.2) and PC 2 (192.168.2.3) behind Firetunnel 30, with a
1st connection and a 2nd connection to two ISPs (230.100.100.1 and 213.10.10.2).]
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_230.100.100.1) on Firetunnel 30. Should
WAN1 fail, Outbound Fail Over tells Firetunnel 30 to reroute outgoing traffic to WAN2
(IP_213.10.10.2). Configuring your Firetunnel 30 for Outbound Fail Over provides a
more reliable connection for your outgoing traffic.
Please refer to appendix H for example settings.
2.3.2 Outbound Load Balancing
Outbound Load Balancing allows Firetunnel 30 to intelligently manage outbound
traffic based on the amount of load of each WAN connection.
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_230.100.100.1) and WAN2
(IP_213.10.10.2) on Firetunnel 30. You can configure Firetunnel 30 to balance the
load of each WAN port with one of two mechanisms:
1. Session (by session/by traffic/weight of link capability)
2. IP Hash (by traffic/weight of link capability)
The IP Hash mechanism will ensure that the traffic from the same source IP address
and destination IP address will go through the same WAN port. This is useful for
some server applications that need to identify the source IP address of the client.
By balancing the load between WAN1 and WAN2, your Firetunnel 30 can ensure that
outbound traffic is efficiently handled by making sure that both ports are equally
sharing the load, preventing situations where one port is completely saturated by
outbound traffic.
[Diagram: PC 1 (192.168.2.2) and PC 2 (192.168.2.3) behind Firetunnel 30,
connected to the ISP through 230.100.100.1 and 213.10.10.2.]
Please refer to appendix H for example settings.
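The following is an added example, not code from this manual or from the router's firmware. It sketches Outbound Fail Over and the IP Hash mechanism described above: a source/destination pair always maps to the same live WAN port, in proportion to link weight, so a remote server keeps seeing the same client address. The SHA-256 hash, the `WanLink` class and the destination addresses are assumptions made for illustration; the manual does not say which hash the device uses.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class WanLink:
    name: str
    ip: str
    weight: int = 1      # relative link capability
    up: bool = True


def failover_wan(links: List[WanLink]) -> Optional[WanLink]:
    """Outbound Fail Over: use the first configured link that is up."""
    for link in links:
        if link.up:
            return link
    return None


def ip_hash_wan(src: str, dst: str, links: List[WanLink]) -> Optional[WanLink]:
    """IP Hash: the same (source, destination) pair always picks the same live link."""
    live = [l for l in links if l.up and l.weight > 0]
    if not live:
        return None
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    # Assumed hash: first 8 bytes of SHA-256, reduced to a slot in the weight range.
    slot = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    slot %= sum(l.weight for l in live)
    for link in live:
        if slot < link.weight:
            return link
        slot -= link.weight
    return live[-1]


def distribution(flows: Iterable[Tuple[str, str]], links: List[WanLink]) -> Dict[str, int]:
    """Count how many flows land on each link."""
    counts = {l.name: 0 for l in links}
    for src, dst in flows:
        chosen = ip_hash_wan(src, dst, links)
        if chosen is not None:
            counts[chosen.name] += 1
    return counts


def sample_flows() -> List[Tuple[str, str]]:
    """Constructed sample: both LAN PCs talking to 500 documentation-range hosts."""
    dsts = ["198.51.100.%d" % i for i in range(1, 251)]
    dsts += ["203.0.113.%d" % i for i in range(1, 251)]
    return [(src, dst) for src in ("192.168.2.2", "192.168.2.3") for dst in dsts]


if __name__ == "__main__":
    wans = [WanLink("WAN1", "230.100.100.1", weight=3),
            WanLink("WAN2", "213.10.10.2", weight=1)]
    print(distribution(sample_flows(), wans))
    wans[0].up = False               # WAN1 fails: every flow moves to WAN2
    print(failover_wan(wans).name, distribution(sample_flows(), wans))
```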
2.4 Inbound Traffic
Learn how Firetunnel 30 can handle inbound traffic in the following section.
2.4.1 Inbound Fail Over
Configuring Firetunnel 30 for Inbound Fail Over allows you to ensure that incoming
traffic is uninterrupted by having Firetunnel 30 default to WAN2 should WAN1 fail.
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server
(IP_192.168.2.3) are connected to the Internet via WAN1 (ftp.xmple.dyndns.org)
on Firetunnel 30. A remote computer is trying to access these servers via the
Internet. Under normal circumstances, the remote computer will gain access to the
network via WAN1. Should WAN1 fail, Inbound Fail Over tells Firetunnel 30 to
reroute incoming traffic to WAN2 by using the Dynamic DNS mechanism.
Configuring your Firetunnel 30 for Inbound Fail Over provides a more reliable
connection for your incoming traffic.
Please refer to appendix H for example settings.
[Diagram: Inbound Fail Over, before and after fail over. A remote user on the
Internet runs "ftp ftp.xmple.dyndns.org" to reach the FTP server (192.168.2.2)
and HTTP server (192.168.2.3).]
2.4.2 Inbound Load Balancing
Inbound Load Balancing allows Firetunnel 30 to intelligently manage inbound traffic
based on the amount of load of each WAN connection.
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server
(IP_192.168.2.3) are connected to the Internet via WAN1
(www.xmple2.dyndns.org) and WAN2 (www.xmple3.dyndns.org) on Firetunnel 30.
Remote PCs are attempting to access the servers via the Internet. Using Inbound
Load Balancing, Firetunnel 30 can direct incoming requests to the correct WAN port
based on group assignment. For example, a sales force can be directed to
www.xmple2.dyndns.org, while the R&D group can access www.xmple3.dyndns.org.
By balancing the load between WAN1 and WAN2, your Firetunnel 30 can ensure that
inbound traffic is efficiently handled with both ports equally sharing the load,
preventing situations where service is slow because one port is completely
saturated by inbound traffic.
Please refer to appendix H for example settings.
[Diagram: Inbound Load Balancing. Remote users on the Internet reach the FTP
server (192.168.2.2) and HTTP server (192.168.2.3) through
www.xmple2.dyndns.org and www.xmple3.dyndns.org.]
2.5 DNS Inbound
Using DNS Inbound is a great way to intelligently direct network traffic.
DNS Inbound is a three-step process. First, a DNS request is made to the router by
a remote PC. Firetunnel 30, based on settings specified by the user, will direct the
requesting PC to the correct WAN port by replying with the selected WAN IP address
through the built-in DNS server. The remote PC then accesses the network via the
specified WAN port. How Firetunnel 30 directs this traffic through the built-in DNS
server depends on whether it is configured for Fail Over or Load Balancing.
Learn how to make DNS Inbound on Firetunnel 30 work for you in the following
section.
2.5.1 DNS Inbound Fail Over
Firetunnel 30 can be configured to reply with the WAN2 IP address to the DNS
domain name request should WAN1 fail.
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server
(IP_192.168.2.3) are connected to the Internet via WAN1 (IP_200.200.200.1) on
Firetunnel 30. A remote computer is trying to access these servers via the Internet,
and makes a DNS request. The DNS request (www.mydomain.com) will be sent
through WAN1 (200.200.200.1) to the built-in DNS server. The DNS server will reply
with 200.200.200.1 because this is the only active WAN port. Should WAN1 fail,
Firetunnel 30 will instead reply with WAN2’s IP address (100.100.100.1), and the
remote PC will gain access to the network via WAN2. By configuring Firetunnel 30
for DNS Inbound Fail Over, incoming requests will enjoy increased reliability when
accessing your network.
Please refer to appendix H for example settings.
[Diagram: DNS Inbound Fail Over, before and after fail over. Labels: authoritative
domain name server, built-in DNS, www.mydomain.com, 1st connection, 2nd
connection, 200.200.200.1, 100.100.100.1, FTP (192.168.2.2), HTTP (192.168.2.3).]
2.5.2 DNS Inbound Load Balancing
DNS Inbound Load Balancing allows Firetunnel 30 to intelligently manage inbound
traffic based on the load of each WAN connection by answering incoming requests
with the IP address of the WAN connection that has the lowest traffic load.
[Figure: DNS Inbound Load Balancing, panels "Heavy load on WAN 2" and "Heavy load
on WAN 1". The built-in DNS (authoritative domain name server for
www.mydomain.com) sends a DNS reply carrying either 200.200.200.1 (WAN 1) or
100.100.100.1 (WAN 2); FTP server 192.168.2.2 and HTTP server 192.168.2.3 are on
the LAN.]
In the above example, an FTP server (IP 192.168.2.2) and an HTTP server
(IP 192.168.2.3) are connected to the Internet via WAN1 (IP 200.200.200.1) and
WAN2 (IP 100.100.100.1) on Firetunnel 30. Remote PCs are attempting to access
the servers via the Internet by making a DNS request, entering a URL
(www.mydomain.com). Using a load balancing algorithm, Firetunnel 30 can direct
incoming requests to either WAN port based on the amount of load each WAN port
is currently experiencing. If WAN2 is experiencing a heavy load, Firetunnel 30
responds to incoming DNS requests with WAN1. By balancing the load between
WAN1 and WAN2, your Firetunnel 30 can ensure that inbound traffic is efficiently
handled, making sure that both ports are equally sharing the load and preventing
situations where service is slow because one port is completely saturated by
inbound traffic.
Please refer to appendix H for example settings.
A typical scenario of how traffic is directed with DNS Inbound Load Balancing is
illustrated below:
[Figure: DNS Inbound Load Balancing traffic flow, steps 1 to 11, between the
client, WAN 1, WAN 2, the DNS Server, the Bandwidth Monitor, the URL Host Map and
the HTTP Server; arrows labelled DNS Request, DNS Reply, HTTP Request and HTTP
Reply.]
In the example above, the client is making a DNS request. The request is sent to the
DNS server of Firetunnel 30 through WAN2 (1). WAN2 will route this request to the
embedded DNS server of Firetunnel 30 (2). Firetunnel 30 will analyze the bandwidth
of both WAN1 and WAN2 and decide which WAN IP to return in the reply (3). After
the decision is made, Firetunnel 30 will route the DNS reply to the user through
WAN2 (4). The user will receive the DNS reply with the IP address of WAN1 (5). The
browser will initiate an HTTP request to the WAN1 IP address (6). The HTTP request
will be sent to Firetunnel 30’s URL Host Map (7). The Host Map will then redirect the
HTTP request to the HTTP server (8). The HTTP server will reply (9). The URL Host
Map will route the packet through WAN1 to the user (10). Finally, the client will
receive an HTTP reply packet (11).
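The answer selection described in sections 2.5.1 and 2.5.2, as an added example that is not Black Box code and not the firmware's algorithm: a small model of the built-in DNS server that returns the primary link's address in fail-over mode and the least-utilised live link's address in load-balancing mode. The class and function names, the 2000 kbps capacities, the load figures and the choice to measure load as used bandwidth over capacity are assumptions.

```python
from dataclasses import dataclass


@dataclass
class WanPort:
    name: str
    ip: str                # public address handed out in the DNS A record
    capacity_kbps: int     # assumption: configured bandwidth of the link
    up: bool = True
    load_kbps: int = 0     # assumption: figure reported by the bandwidth monitor

    def utilisation(self):
        return self.load_kbps / self.capacity_kbps


class InboundDns:
    """Model of the built-in DNS server for one hosted name."""

    def __init__(self, hostname, wans, mode):
        if mode not in ("fail_over", "load_balance"):
            raise ValueError(f"unknown mode {mode!r}")
        self.hostname = hostname.rstrip(".").lower()
        self.wans = list(wans)      # fail-over order: first entry is the primary link
        self.mode = mode

    def answer(self, qname):
        """Return the WAN IP for the A record, or None when no answer can be given."""
        if qname.rstrip(".").lower() != self.hostname:
            return None             # not a name this server hosts
        alive = [w for w in self.wans if w.up]
        if not alive:
            return None             # both links down: no reachable address to hand out
        if self.mode == "fail_over":
            return alive[0].ip      # primary while it is up, otherwise the next link
        # load balancing: least-utilised live link, ties go to the earlier port
        return min(alive, key=WanPort.utilisation).ip


def demo():
    """Replay the manual's scenarios and return the address given in each one."""
    wan1 = WanPort("WAN1", "200.200.200.1", capacity_kbps=2000)
    wan2 = WanPort("WAN2", "100.100.100.1", capacity_kbps=2000)
    name = "www.mydomain.com"
    out = {}

    fo = InboundDns(name, [wan1, wan2], "fail_over")
    out["before_fail_over"] = fo.answer(name)
    wan1.up = False
    out["after_fail_over"] = fo.answer(name)
    wan1.up = True

    lb = InboundDns(name, [wan1, wan2], "load_balance")
    wan1.load_kbps, wan2.load_kbps = 300, 1800
    out["wan2_heavy"] = lb.answer(name)
    wan1.load_kbps, wan2.load_kbps = 1900, 400
    out["wan1_heavy"] = lb.answer(name)
    out["other_name"] = lb.answer("www.example.org")
    wan2.up = False
    out["wan2_down"] = lb.answer(name)   # only WAN1 is left, loaded or not
    wan1.up = False
    out["both_down"] = lb.answer(name)
    return out


if __name__ == "__main__":
    for scenario, ip in demo().items():
        print(f"{scenario:18} -> {ip}")
```

Because clients connect to whichever address the reply carried, inbound firewall and virtual server rules have to be equivalent on both WAN ports for either mode to be safe.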
2.6 Virtual Private Networking
A Virtual Private Network (VPN) enables you to send data between two computers
across a shared or public network in a manner that emulates the properties of a
point-to-point private link. As such, it is perfect for connecting branch offices to
headquarters across the Internet in a secure fashion.
The following section discusses Virtual Private Networking with Firetunnel 30.
2.6.1 General VPN Setup
There are typically three different VPN scenarios. The first is a Gateway to
Gateway setup, where two remote gateways communicate over the Internet via a
secure tunnel.
[Figure: Gateway to Gateway VPN. Two gateways (100.100.100.1 and 200.200.200.1),
LANs 192.168.2.x and 192.168.3.x, one secure tunnel.]
The next type of VPN setup is the Gateway to Multiple Gateway setup, where one
gateway (Headquarters) is communicating with multiple gateways (Branch Offices)
over the Internet. As with all VPNs, data is kept secure with secure tunnels.
[Figure: Gateway to Multiple Gateway VPN. Three gateways (200.200.200.1,
201.201.201.1 and 100.100.100.1), LANs 192.168.2.x, 192.168.3.x and 192.168.4.x,
two secure tunnels.]
The final type of VPN setup is the Client to Gateway. A good example of where this
can be applied is when a remote sales person accesses the corporate network over
a secure VPN tunnel.
VPN provides a flexible, cost-efficient, and reliable way for companies of all sizes to
stay connected. One of the most important steps in setting up a VPN is proper
planning. The following sections demonstrate the various ways of using Firetunnel
30 to set up your VPN.
2.6.2 VPN Planning - Fail Over
Configuring your VPN with Fail Over allows Firetunnel 30 to automatically default to
WAN2 should WAN1 fail.
Because the dynamic domain name Firetunnel.com is configured for both WAN1 and
WAN2, the active WAN port will announce the domain name through the WAN IP
address. The remote gateway will then be able to connect to the VPN through the
domain name.
[Figure: VPN Fail Over, Gateway to Gateway, panels "Before Fail Over" and "After
Fail Over". Firetunnel 30 (Firetunnel.com) and a remote Firetunnel 10 are joined by
a secure tunnel.]
In this Gateway to Gateway example, Firetunnel 30 is communicating to a remote
gateway using WAN1 through a secure VPN tunnel. Should WAN1 fail, outbound
traffic from Firetunnel 30 will automatically be redirected to WAN2. This process is
completely transparent to the remote gateway, as Firetunnel 30 will automatically
update the domain name (Firetunnel.com) with the WAN2 IP address. Configuring a
Gateway to Multiple Gateway setup with Fail Over is similar, as shown below:
[Figure: VPN Fail Over, Gateway to Multiple Gateway, panel "Before Fail Over".
Firetunnel.com with LANs 192.168.2.x, 192.168.3.x and 192.168.4.x.]
Configuring Firetunnel 30 for Fail Over provides added reliability to your VPN.
2.6.3 Concentrator
The VPN Concentrator provides an easy way for branch offices to connect to
headquarters through a VPN tunnel. All branch office traffic will be redirected to the
VPN tunnel to headquarters with the exception of LAN-side traffic. This way, all
branch offices can connect to each other through headquarters via the headquarters’
firewall management. You can also configure Firetunnel 30 to function as a VPN
Concentrator:
[Figure: VPN Concentrator. A concentrator with LAN 192.168.2.x and two Firetunnel
10 branch gateways with LANs 192.168.3.x and 192.168.4.x; WAN addresses shown:
100.100.100.1, 200.200.200.1 and 201.201.201.1.]
Tunnel settings shown in the figure:
Concentrator (headquarters) side, tunnel to 192.168.3.x:
Local subnet: 0.0.0.0
Local mask: 0.0.0.0
Remote subnet: 192.168.3.0
Remote mask: 255.255.255.0
Branch side, 192.168.3.x:
Local subnet: 192.168.3.0
Local mask: 255.255.255.0
Remote subnet: 0.0.0.0
Remote mask: 0.0.0.0
Concentrator (headquarters) side, tunnel to 192.168.4.x:
Local subnet: 0.0.0.0
Local mask: 0.0.0.0
Remote subnet: 192.168.4.0
Remote mask: 255.255.255.0
Branch side, 192.168.4.x:
Local subnet: 192.168.4.0
Local mask: 255.255.255.0
Remote subnet: 0.0.0.0
Remote mask: 0.0.0.0
Please refer to appendix H for example settings.
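How the concentrator's subnet settings steer traffic, as an added example that is not Black Box code: the script models each gateway's local/remote subnet pairs from section 2.6.3 and traces which gateways a packet crosses. The gateway names, the host addresses and the rule that the most specific remote subnet wins are assumptions; 198.51.100.7 is a documentation address standing in for an Internet host.

```python
import ipaddress as ipa


def net(subnet, mask):
    """Build a network from the subnet/mask pair used in the tunnel settings."""
    return ipa.ip_network(f"{subnet}/{mask}")


ANY = net("0.0.0.0", "0.0.0.0")

# Tunnel settings from the concentrator figure: (local subnet, remote subnet, peer).
GATEWAYS = {
    "hq": {
        "lan": net("192.168.2.0", "255.255.255.0"),
        "tunnels": [
            (ANY, net("192.168.3.0", "255.255.255.0"), "branch3"),
            (ANY, net("192.168.4.0", "255.255.255.0"), "branch4"),
        ],
    },
    "branch3": {
        "lan": net("192.168.3.0", "255.255.255.0"),
        "tunnels": [(net("192.168.3.0", "255.255.255.0"), ANY, "hq")],
    },
    "branch4": {
        "lan": net("192.168.4.0", "255.255.255.0"),
        "tunnels": [(net("192.168.4.0", "255.255.255.0"), ANY, "hq")],
    },
}


def next_hop(gateway, src, dst):
    """Decide what one gateway does with a packet from src to dst."""
    gw = GATEWAYS[gateway]
    if dst in gw["lan"]:
        return "deliver"        # LAN-side traffic never enters a tunnel
    matches = [(remote.prefixlen, peer)
               for local, remote, peer in gw["tunnels"]
               if src in local and dst in remote]
    if matches:
        return max(matches)[1]  # assumption: most specific remote subnet wins
    return "internet"           # no tunnel matches: leaves through this gateway's WAN


def trace(start, src, dst, max_hops=4):
    """Return the list of gateways crossed, ending in 'deliver' or 'internet'."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    path = [start]
    for _ in range(max_hops):
        hop = next_hop(path[-1], src, dst)
        if hop in ("deliver", "internet"):
            return path + [hop]
        path.append(hop)
    raise RuntimeError("routing loop between gateways")


if __name__ == "__main__":
    for start, src, dst in [
        ("branch3", "192.168.3.10", "192.168.3.20"),   # stays on the branch LAN
        ("branch3", "192.168.3.10", "192.168.4.20"),   # branch to branch
        ("branch3", "192.168.3.10", "198.51.100.7"),   # branch to Internet
        ("hq", "192.168.2.5", "192.168.4.9"),          # headquarters to branch
    ]:
        print(f"{src} -> {dst}: {' > '.join(trace(start, src, dst))}")
```

With a remote subnet of 0.0.0.0 on the branch side, branch-to-branch and branch-to-Internet traffic both pass through headquarters, so the headquarters firewall policy is the single point of control for them.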
Chapter 3: Getting Started
3.1 Overview
Firetunnel 30 is designed to be a powerful and flexible network device that is also
easy to use. With an intuitive web-based configuration, Firetunnel 30 allows you to
administer your network via virtually any Java-enabled web browser and is fully
compatible with Linux, Mac OS, and Windows 98/Me/NT/2000/XP operating
systems.
The following chapter takes you through the very first steps to configuring your
network for Firetunnel 30. Take a look and see how easy it is to get your network up
and running.
3.2 Before You Begin
Firetunnel 30 is a flexible and powerful networking device. To simplify the
configuration process and increase the efficiency of your network, consider the
following items before setting up your network for the first time:
1. Plan your network
Decide whether you are going to use one or both WAN ports. For one WAN port, you
may need a fully qualified domain name either for convenience or if you have a
dynamic IP address. If you are going to use both WAN ports, determine whether you
are going to use them in fail over mode for increased network reliability or load
balancing mode for maximum bandwidth efficiency. See Chapter 2: Router
Applications for more information.
2. Set up your accounts
Have access to the Internet and locate the Internet Service Provider (ISP)
configuration information. Each Firetunnel 30 WAN port must be configured
separately, whether you are using a separate ISP for each WAN port or are having
the traffic of both WAN ports routed through the same ISP.
3. Determine your network management approach
Firetunnel 30 is capable of remote management. However, this feature is not active
by default. If you reset the device, remote administration must be enabled again. If
you decide to manage your network remotely, be sure to change the default
password for security reasons.
4. Prepare to physically connect Firetunnel 30 to Cable or DSL modems and a
computer.
Be sure to also review the Safety Warnings located in the preface of this manual
before working with your Firetunnel 30.
3.3 Connecting Your Router
Connecting Firetunnel 30 is an easy three-step process:
1. Connect Firetunnel 30 to your LAN by connecting Ethernet cables from your
networked PCs to the LAN ports on the router. Connect Firetunnel 30 to your
broadband Internet connection via the router’s WAN port.
2. Plug Firetunnel 30 into an AC outlet with the included AC Power Adapter.
3. Ensure that the Power and WAN LEDs are solidly lit, and that on any LAN port that
has an Ethernet cable plugged in the LED is also solidly lit. The Status LED will
remain solid as the device boots. Once the boot sequence is complete, the LED will
shut off, indicating that Firetunnel 30 is ready.
If the router does not power on, please refer to Chapter 5: Troubleshooting for
possible solutions.
3.4 Configuring your PC
Now that your Firetunnel 30 is connected properly to your network, it’s time to
configure your networked PCs to access Firetunnel 30.
In order for your networked PCs to communicate with your router, they must have
the following characteristics:
1. Have a properly installed and functioning Ethernet Network Interface Card (NIC).
2. Be connected to Firetunnel 30, either directly or through an external repeater hub
via an Ethernet cable.
3. Have TCP/IP installed and configured with an IP address.
The IP address for each PC may be a fixed IP address or one that is obtained from a
DHCP server. If using a fixed IP address, it is important to remember that it must be
in the same subnet as the router. The default IP address of Firetunnel 30 is
192.168.1.254 with a subnet mask of 255.255.255.0. Using the default
configuration, networked PCs must reside in the same subnet, and have an IP
address in the range of 192.168.1.1 to 192.168.1.253. However, you’ll find that the
quickest and easiest way to configure the IP addresses for your PCs is to obtain the
IP addresses automatically by using the router as a DHCP server.
If you are unable to access the web configuration interface, check to see if you have
any software-based firewalls installed on your PCs, as they can cause problems
accessing the 192.168.1.254 IP address of Firetunnel 30.
The following operating systems are in most cases preconfigured for TCP/IP
networking by the standard setup and configuration as long as you have an Ethernet
network card:
- Windows 95/98/Me/NT/2000/XP/Vista
- Mac OS 7 and later
- Linux
- SUN Solaris
To access the web configuration site of Firetunnel 30 you need a modern Browser
like Internet Explorer or Mozilla.
The easiest way to connect to Firetunnel 30 is by using DHCP Protocol. Check the
manual of your operating system on how to configure your system for DHCP.
In Windows you can check which IP address you have by following these steps:
1. Select “START”
2. Select “Execute”
3. Enter “cmd” in the box that appears (for Windows 95/98 enter “command”)
4. Confirm by pressing OK
5. A new window opens where you can enter commands
6. Enter “ipconfig”
7. Windows will respond:
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix: blackbox.com
    IP Address . . . . . . . : 192.168.1.100
    Subnet Mask . . . . . . : 255.255.255.0
    Default Gateway . . . . . : 192.168.1.254
For Linux you need to start a bash session and enter the command “ifconfig”. The
output will be quite similar to that of Windows, and you can clearly see the
configured IP address.
In the example shown here, a matching IP address was received from Firetunnel 30
via the DHCP protocol.
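One way to check this result automatically, as an added example that is not part of the original manual: the script parses ipconfig output and tests each adapter against the factory defaults given in this manual (router 192.168.1.254 with mask 255.255.255.0, DHCP pool 192.168.1.100 to 192.168.1.199). The function names and the second sample output are constructed for illustration.

```python
import ipaddress
import re

# Factory defaults stated in this manual.
ROUTER_IP = ipaddress.ip_address("192.168.1.254")
LAN = ipaddress.ip_network("192.168.1.0/255.255.255.0")
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.199")

# The ipconfig output printed in this manual.
MANUAL_OUTPUT = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix: blackbox.com
IP Address . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . : 255.255.255.0
Default Gateway . . . . . : 192.168.1.254
"""

# Constructed sample: a fixed address in the wrong subnet and an adapter with no lease.
CONSTRUCTED_OUTPUT = """\
Windows IP Configuration
Ethernet adapter Office:
   IP Address. . . . . . . . . . . . : 192.168.2.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
Ethernet adapter Lab:
   Autoconfiguration IP Address. . . : 169.254.17.4
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

ADAPTER = re.compile(r"^\s*(.*adapter .+):\s*$")
FIELD = re.compile(
    r"^\s*(?:Autoconfiguration )?(IP(?:v4)? Address|Subnet Mask|Default Gateway)"
    r"[ .]*:[ \t]*(\d+(?:\.\d+){3})"
)
KEYS = {"IP Address": "ip", "IPv4 Address": "ip",
        "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Return one dict per adapter with 'name' and any of 'ip', 'mask', 'gateway'."""
    adapters = []
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            adapters.append({"name": m.group(1)})
            continue
        m = FIELD.match(line)
        if m and adapters:
            adapters[-1][KEYS[m.group(1)]] = m.group(2)
    return adapters


def check_adapter(a):
    """Return (ok, notes) for one parsed adapter against the router's default LAN."""
    if "ip" not in a:
        return False, ["no IP address: TCP/IP is not configured on this adapter"]
    ip = ipaddress.ip_address(a["ip"])
    if ip.is_link_local:
        return False, [f"{ip} is a self-assigned 169.254.x.x address: no DHCP lease"]
    notes = []
    if ip not in LAN or a.get("mask") != str(LAN.netmask):
        notes.append(f"{ip}/{a.get('mask')} is outside {LAN.with_netmask}")
    elif ip in (LAN.network_address, LAN.broadcast_address, ROUTER_IP):
        notes.append(f"{ip} is reserved (network, broadcast or the router itself)")
    if a.get("gateway") != str(ROUTER_IP):
        notes.append(f"default gateway {a.get('gateway')} is not the router {ROUTER_IP}")
    ok = not notes
    if ok:
        where = "inside" if POOL_START <= ip <= POOL_END else "outside"
        notes.append(f"{ip} is {where} the DHCP pool {POOL_START}-{POOL_END}")
    return ok, notes


def audit(text):
    """Parse ipconfig output and return (adapter name, ok, notes) per adapter."""
    return [(a["name"], *check_adapter(a)) for a in parse_ipconfig(text)]


if __name__ == "__main__":
    for sample in (MANUAL_OUTPUT, CONSTRUCTED_OUTPUT):
        for name, ok, notes in audit(sample):
            print(("OK  " if ok else "FAIL"), name, "-", "; ".join(notes))
```

A fixed address reported as inside the DHCP pool can collide with a lease the router hands out later, so fixed addresses are better chosen outside that range.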
3.5 Factory Default Settings
Before configuring your Firetunnel 30, you need to know the following default
settings:
Web Interface:
Username: admin
Password: admin
LAN Device IP Settings:
IP Address: 192.168.1.254
Subnet Mask: 255.255.255.0
ISP setting in WAN site:
Obtain an IP Address automatically (DHCP Client)
DHCP server:
DHCP server is enabled.
Start IP Address: 192.168.1.100
End IP Address: 192.168.1.199
3.5.1 User Name and Password
The default user name and password are "admin" and "admin" respectively.
If you ever forget your user name and/or password, you can restore your Firetunnel
30 to its factory settings by holding the Reset button on the back of your router until
the Status LED begins to blink. Please note that doing this will also erase any
previous router settings that you have made. The Status LED will remain solid as the
device boots. Once the boot sequence is complete, the LED will shut off, indicating
that Firetunnel 30 is ready.
3.5.2 LAN and WAN Port Addresses
The default values for LAN and WAN ports are shown below:
LAN Port:
IP address: 192.168.1.254
Subnet Mask: 255.255.255.0
DHCP server function: Enabled
IP addresses for distribution to PCs: 100 IP addresses continuing from
192.168.1.100 through 192.168.1.199
WAN Port:
The DHCP Client is enabled to automatically get the WAN port configuration from
the ISP.
3.6 Information From Your ISP
3.6.1 Protocols
Before configuring this device, you have to check with your ISP (Internet Service
Provider) to find out what kind of service is provided such as DHCP, Static IP, PPPoE,
or PPTP. The following table outlines each of these protocols:
DHCP: Configure this WAN interface to use DHCP client protocol to get an IP
address from your ISP automatically. Your ISP provides an IP address to
the router dynamically when logging in.
Static IP: Configure this WAN interface with a specific IP address. This IP address
should be provided by your ISP.
PPPoE: PPPoE (PPP over Ethernet) is known as a dial-up DSL or cable service. It
is designed to integrate the broadband services into the current widely
deployed, easy-to-use, and low-cost dial-up-access networking
infrastructure.
PPTP: If your ISP provides a PPTP connection, you can use the PPTP protocol to
establish a connection to your ISP.
Big Pond: The Big Pond login for Telstra cable in Australia.
If your account uses PPP over Ethernet (PPPoE), you will need to enter your login
name and password when configuring your Firetunnel 30. After the network and
firewall are configured, Firetunnel 30 will log in automatically, and you will no longer
need to run the login program from your PC.
3.6.2 Configuration Information
If your ISP does not dynamically assign configuration information but instead uses
fixed configurations, you will need the following basic information from your ISP:
- An IP address and subnet mask
- A gateway IP address
- One or more domain name server (DNS) IP addresses
Depending on your ISP, a host name and domain suffix may also be provided. If any
of these items are dynamically supplied by the ISP, your Firetunnel 30 will
automatically acquire them.
3.7 Web Configuration Interface
Firetunnel 30 includes a Web Configuration Interface for easy administration via
virtually any browser on your network. To access this interface, open your web
browser, enter the IP address of your router, which by default is 192.168.1.254, and
click Go. A user name and password window prompt will appear. Enter your user
name and password (the default user name and password are "admin" and "admin")
to access the Web Configuration Interface.
If the Web Configuration Interface appears, congratulations! You are now ready to
configure your Firetunnel 30. If you are having trouble accessing the interface,
please refer to Chapter 5: Troubleshooting for possible resolutions.
Chapter 4: Router Configuration
4.1 Overview
The Web Configuration Interface makes it easy for you to manage your network via
any PC connected to it. On the Web Configuration homepage, you will see the
navigation pane located on the left hand side. From it, you will be able to select
various options used to configure your router.
1. Click Apply if you would like to apply the settings on the current screen to the
device. The settings will be effective immediately; however, the configuration is not
saved yet and the settings will be erased if you power off or restart the device.
2. Click SAVE CONFIG to save the current settings permanently to the device.
3. Click RESTART to restart the device. There are two options to restart the device.
- Select Current Settings if you would like to restart using the current configuration.
- Select Factory Default Settings if you would like to restart using the factory
default configuration.
4. To exit the router’s web interface, click LOGOUT. Please ensure that you have
saved your configuration settings before you log out. Be aware that the router is
restricted to only one PC accessing the web configuration interface at a time. Once
a PC has logged into the web interface, other PCs cannot gain access until the
current PC has logged out. If the previous PC forgets to log out, the second PC can
access the page after a user-defined period (5 minutes by default).
The following sections will show you how to configure your router using the Web
Configuration Interface.
4.2 Status
The Status menu displays the various options that have been selected and a number
of statistics about your Firetunnel 30. In this menu, you will find the following
sections:
- ARP Table
- Routing Table
- Session Table
- DHCP Table
- IPSec Status
- PPTP Status
- System Status
- System Log
- LAN Traffic Statistics
4.2.1 ARP Table
The Address Resolution Protocol (ARP) Table shows the mapping of Internet (IP)
addresses to Ethernet (MAC) addresses. This is a quick way to determine the MAC
address of your PC’s network interface to use with the router’s Firewall – MAC
Address Filter function. See the Firewall section of this chapter for more
information on this feature.
No.: Number of the list.
IP Address: A list of IP addresses of devices on your LAN.
MAC Address: The Media Access Control (MAC) addresses for each device on your
LAN.
Interface: The interface name (on the router) that this IP address connects to.
Static: Static status of the ARP table entry.
NO indicates dynamically-generated ARP table entries.
YES indicates static ARP table entries added by the user.
4.2.2 Routing Table
The Routing Table displays the current path for transmitted packets. Both static and
dynamic routes are displayed.
No.: Number of the list.
Destination: The IP address of the destination network.
Netmask: The destination netmask address.
Gateway/Interface: The IP address of the gateway or existing interface that this
route will use.
Cost: The number of hops counted as the cost of the route.
4.2.3 Session Table
The NAT Session Table displays a list of current sessions for both incoming and
outgoing traffic with protocol type, source IP, source port, destination IP and
destination port. Each page shows 10 sessions.
No.: Number of the list.
Protocol: Protocol type of the session.
From IP: Source IP of the session.
From port: Source port of the session.
To IP: Destination IP of the session.
To port: Destination port of the session.
Sessions:
Filter: Fill in the fields below, then click the Filter button.
From IP: Input the source IP you would like to filter.
From port: Input the source port you would like to filter.
To IP: Input the destination IP you would like to filter.
To port: Input the destination port you would like to filter.
First: Go to the first page.
Previous: Go to the previous page.
Next: Go to the next page.
Last: Go to the last page.
Jump to the session: Input the session number you would like to see and
press “GO”.
4.2.4 DHCP Table
The DHCP Table displays a list of IP addresses that have been assigned to PCs on
your network via Dynamic Host Configuration Protocol (DHCP).
No.: Number of the list.
IP Address: A list of IP addresses of devices on your LAN.
Device Name: The host name (computer name) of the client.
MAC Address: The MAC address of client.
4.2.5 IPSec Status
The IPSec Status window displays the status of the IPSec Tunnels that are currently
configured on your Firetunnel 30.
Name: The name you assigned to the particular IPSec entry.
Enable: Whether the IPSec connection is currently Enable or Disable.
Status: Whether the IPSec is Active, Inactive or Disable.
Local Subnet: The local IP address or subnet used.
Remote Subnet: The subnet of the remote site.
Remote Gateway: The remote gateway IP address.
SA: The Security Association for this IPSec entry.
Action: Manually connect or drop the tunnel.
4.2.6 PPTP Status
The PPTP Status window displays the status of the PPTP Tunnels that are currently
configured on your Firetunnel 30.
Name: The name you assigned to the particular PPTP entry.
Enable: Whether the PPTP connection is currently Enable or Disable.
Status: Whether the PPTP is Active, Inactive or Disable.
Type: Whether the Connection type is Remote Access or LAN to LAN
Peer Network: The Remote subnet for LAN to LAN as connection type.
Connect by: The remote address when connected.
Action: Manually drop the tunnel.
4.2.7 System Status
The System Status window displays the device processor’s name and usage, and
the system memory usage.
4.2.8 System Log
This window displays Firetunnel 30’s System Log entries. Major events are logged
in this window.
Refresh: Refresh the System Log.
Clear Log: Clear the System Log.
Send Log: Send the System Log to your email account. You can set the email
address in Configuration > System > Email Alert. See the Email Alert section
for more details.
4.2.9 LAN Traffic Statistics
This page displays the router’s LAN Traffic Statistics entries. Major events are logged
to this window.
Quick Setting: There are two shortcuts for configuring Session Limit and IP Block.
For detailed configuration instructions, please refer to 4.4.5.5 Intrusion Detection
and 4.4.5.1 Packet Filter.
LAN Traffic Statistics: There are four traffic tables and two session tables to choose
from.
4.3 Quick Start
The Quick Start menu allows you to quickly configure your network for Internet
access using the most basic settings.
Connection Method: Select your router’s connection to the Internet. Selections
include Obtain an IP Address Automatically, Static IP Settings, PPPoE
Settings, PPTP Settings, and Big Pond Settings.
4.3.1 DHCP
The following is information regarding your ISP that you will need to enter in order
to properly configure your Internet connection. If you select to Obtain an IP
Address Automatically, these will be automatically set for you, provided that your
ISP dynamically assigns an IP address.
4.3.2 Static IP
IP assigned by your ISP: Enter the assigned IP address from your ISP.
IP Subnet Mask: Enter your IP subnet mask.
ISP Gateway Address: Enter your ISP gateway address.
Primary DNS: Enter your primary DNS.
Secondary DNS: Enter your secondary DNS.
Click Apply to save your changes. To reset to defaults, click Reset.
4.3.3 PPPoE
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
Connection: Select whether the connection should Always Connect or Trigger on
Demand. If you want the router to establish a PPPoE session when starting up and
to automatically re-establish the PPPoE session when disconnected by the ISP,
select Always Connect. If you want to establish a PPPoE session only when there
is a packet requesting access to the Internet (i.e. when a program on your computer
attempts to access the Internet), select Trigger on Demand.
Idle Time: Auto-disconnect the router when there is no activity on the line for a
predetermined period of time. Select the idle time from the drop down menu. Active
if Trigger on Demand is selected.
Click Apply to save your changes. To reset to defaults, click Reset.
4.3.4 PPTP
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
PPTP Client IP: Enter the PPTP Client IP provided by your ISP.
PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP.
PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
PPTP Server IP: Enter the PPTP Server IP provided by your ISP.
Connection: Select whether the connection should Always Connect or Trigger
on Demand. If you want the router to establish a PPTP session when starting up
and to automatically re-establish the PPTP session when disconnected by the ISP,
select Always Connect. If you want to establish a PPTP session only when there is
a packet requesting access to the Internet (i.e. when a program on your computer
attempts to access the Internet), select Trigger on Demand.
Idle Time: Auto-disconnect the router when there is no activity on the line for a
predetermined period of time. Select the idle time from the drop down menu. Active
if Trigger on Demand is selected.
Click Apply to save your changes. To reset to defaults, click Reset.
4.3.5 Big Pond
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
Login Server: Enter the IP of the Login server provided by your ISP.
Click Apply to save your changes. To reset to defaults, click Reset.
For detailed instructions on configuring WAN settings, please refer to the WAN
section of this chapter.
4.4 Configuration
The Configuration menu allows you to set many of the operating parameters of
Firetunnel 30. In this menu, you will find the following sections:
- LAN
- WAN
- Dual WAN
- System
- Firewall
- VPN
- QoS
- Virtual Server
- Advanced
These items are described below in the following sections.
4.4.1 LAN
There are three items within this section: Ethernet, DHCP Server and LAN
Address Mapping.
4.4.1.1 Ethernet
IP Address: Enter the internal LAN IP address for Firetunnel 30 (192.168.1.254 by
default).
Subnet Mask: Enter the subnet mask (255.255.255.0 by default).
RIP: RIP v2 Broadcast and RIP v2 Multicast. Check to enable RIP.
4.4.1.2 DHCP Server
In this menu, you can disable or enable the Dynamic Host Configuration Protocol
(DHCP) server. The DHCP protocol allows your Firetunnel 30 to dynamically assign
IP addresses to PCs on your network if they are configured to automatically obtain
IP addresses.
To disable the router’s DHCP Server, select the Disable radio button, and then click
Apply. When the DHCP Server is disabled, you will need to manually assign a fixed
IP address to each PC on your network, and set the default gateway for each PC to
the IP address of the router (192.168.1.254 by default).
To configure the router’s DHCP Server, select the Enable radio button, and then
configure parameters of the DHCP Server including the IP Pool (starting IP address
and ending IP address to be allocated to the PCs on your network), DNS Server,
WINS Server, and Domain Name. These details are sent to each DHCP client when
they request an IP address from the DHCP server. Click Apply to enable this
function.
Fixed Host allows specific computer/network clients to have a reserved IP address.
IP Address: Enter the IP address that you want to reserve for the above MAC
address.
MAC Address: Enter the MAC address of the PC or server you wish to be assigned
a reserved IP.
Candidates: You can also select the Candidates which are referred from the ARP
table for automatic input.
Click the Apply button to add the configuration into the Host Table.
4.4.1.3 LAN Address Mapping
LAN Address Mapping is a function that supports multiple subnets and multiple
NAT. You can specify a subnet and LAN Gateway IP Address and select an
associated WAN IP Address from those specified in WAN IP Alias under
Configuration -> WAN -> WAN IP Alias.
Please click Create to create a LAN Address Mapping rule.
Name: Please input the name of the rule.
IP Address: Please input the LAN Gateway IP Address you would like to use.
Netmask: Please input the Netmask you would like to use.
WAN IP Address: Please click Candidates to select the WAN IP address you would
like to use from WAN Alias list.
Click the Apply button to add the configuration into the LAN Address Mapping.
4.4.2 WAN
WAN refers to your Wide Area Network connection. In most cases, this means your
router’s connection to the Internet through your ISP. Firetunnel 30 features Dual
WAN capability.
The WAN menu contains three items: Settings, Bandwidth Settings and WAN IP
Alias.
4.4.2.1 Settings
This WAN Service Table displays the different WAN connections that are configured
on Firetunnel 30. To edit any of these connections, click Edit. You will be taken to
the following menu.
Connection Method: Select how your router will connect to the Internet.
Selections include Obtain an IP Address Automatically, Static IP Settings,
PPPoE Settings, PPTP Settings, and Big Pond Settings. For each WAN port, the
factory default is DHCP. If your ISP does not use DHCP, select the correct connection
method and configure the connection accordingly. Configurable items will vary
depending on the connection method selected.
4.4.2.1.1 DHCP
Host Name: Some ISPs authenticate logins using this field.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the
checkbox and enter your MAC address in the blanks below.
Candidates: You can also select the MAC address from the list in the Candidates.
DNS: If your ISP requires you to manually set up DNS settings, check the checkbox
and enter your primary and secondary DNS.
RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To
disable RIP, select Disable from the drop down menu.
MTU: Enter the Maximum Transmission Unit (MTU) for your network.
Network Address Translation: Enables or disables the NAT function. To use this
interface in router mode, select Disable. Because the firewall is active by default,
router mode also requires you to enter packet filter rules for the traffic you would
like to forward, in Configuration -> Firewall -> Packet Filter.
Click Apply to save your changes. To reset to defaults, click Reset.
4.4.2.1.2 Static IP
IP assigned by your ISP: Enter the static IP assigned by your ISP.
IP Subnet Mask: Enter the IP subnet mask provided by your ISP.
ISP Gateway Address: Enter the ISP gateway address provided by your ISP.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the
checkbox and enter your MAC address in the blanks below.
Candidates: You can also select the MAC address from the list in the Candidates.
Primary DNS: Enter the primary DNS provided by your ISP.
Secondary DNS: Enter the secondary DNS provided by your ISP.
RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To
disable RIP, select Disable from the drop down menu.
MTU: Enter the Maximum Transmission Unit (MTU) for your network.
Network Address Translation: Enables or disables the NAT function. To use this
interface in router mode, select Disable. Because the firewall is active by default,
router mode also requires you to enter packet filter rules for the traffic you would
like to forward, in Configuration -> Firewall -> Packet Filter.
Click Apply to save your changes. To reset to defaults, click Reset.
4.4.2.1.3 PPPoE
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
Connection: Select whether the connection should Always Connect or Trigger
on Demand. If you want the router to establish a PPPoE session when starting up
and to automatically re-establish the PPPoE session when disconnected by the ISP,
select Always Connect. If you want to establish a PPPoE session only when there
is a packet requesting access to the Internet (i.e. when a program on your computer
attempts to access the Internet), select Trigger on Demand.
Idle Time: Auto-disconnect the router when there is no activity on the line for a
predetermined period of time. Select the idle time from the drop-down menu. Active
if Trigger on Demand is selected.
IP Assigned by your ISP: If your IP is dynamically assigned by your ISP, select the
Dynamic radio button. If your ISP assigns a static IP address, select the Static radio
button, and input your IP address in the blank provided.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the
checkbox and enter your MAC address in the blanks below.
Candidates: You can also select the MAC address from the list in the Candidates.
DNS: If your ISP requires you to manually set up DNS settings, check the checkbox
and enter your primary and secondary DNS.
RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To
disable RIP, select Disable from the drop down menu.
MTU: Enter the Maximum Transmission Unit (MTU) for your network.
Network Address Translation: Enables or disables the NAT function. To use this
interface in router mode, select Disable. Because the firewall is active by default,
router mode also requires you to enter packet filter rules for the traffic you would
like to forward, in Configuration -> Firewall -> Packet Filter.
Click Apply to save your changes. To reset to defaults, click Reset.
4.4.2.1.4 PPTP
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
PPTP Client IP: Enter the PPTP Client IP provided by your ISP.
PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP.
PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
PPTP Server IP: Enter the PPTP Server IP provided by your ISP.
Connection: Select whether the connection should Always Connect or Trigger
on Demand. If you want the router to establish a PPTP session when starting up
and to automatically re-establish the PPTP session when disconnected by the ISP,
select Always Connect. If you want to establish a PPTP session only when there is
a packet requesting access to the Internet (i.e. when a program on your computer
attempts to access the Internet), select Trigger on Demand.
Idle Time: Auto-disconnect the router when there is no activity on the line for a
predetermined period of time. Select the idle time from the drop-down menu. Active
if Trigger on Demand is selected.
IP Assigned by your ISP: If your IP is dynamically assigned by your ISP, select the
Dynamic radio button. If your ISP assigns a static IP address, select the Static radio
button. This will take you to another page for inputting the IP address information.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the
checkbox and enter your MAC address in the blanks below.
Candidates: You can also select the MAC address from the list in the Candidates.
DNS: If your ISP requires you to manually set up DNS settings, check the checkbox
and enter your primary and secondary DNS.
RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To
disable RIP, select Disable from the drop down menu.
MTU: Enter the Maximum Transmission Unit (MTU) for your network.
Network Address Translation: Enables or disables the NAT function. To use this
interface in router mode, select Disable. Because the firewall is active by default,
router mode also requires you to enter packet filter rules for the traffic you would
like to forward, in Configuration -> Firewall -> Packet Filter.
Click Apply to save your changes. To reset to defaults, click Reset.
4.4.2.1.5 Big Pond
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
Login Server: Enter the IP of the Login server provided by your ISP.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the
checkbox and enter your MAC address in the blanks below.
Candidates: You can also select the MAC address from the list in the Candidates.
DNS: If your ISP requires you to manually set up DNS settings, check the checkbox
and enter your primary and secondary DNS.
RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To
disable RIP, select Disable from the drop down menu.
MTU: Enter the Maximum Transmission Unit (MTU) for your network.
Network Address Translation: Enables or disables the NAT function. To use this
interface in router mode, select Disable. Because the firewall is active by default,
router mode also requires you to enter packet filter rules for the traffic you would
like to forward, in Configuration -> Firewall -> Packet Filter.
Click Apply to save your changes. To reset to defaults, click Reset.
A simpler alternative is to select Quick Start from the main menu. Please see the
Quick Start section of this chapter for more information.
4.4.2.2 Bandwidth Settings
Under Bandwidth Settings, you can easily configure both inbound and outbound
bandwidth for each WAN port.
WAN1: Enter your ISP inbound and outbound bandwidth for WAN1.
WAN2: Enter your ISP inbound and outbound bandwidth for WAN2.
NOTE: The values entered here are referenced by both the QoS and Load Balancing
functions.
4.4.2.3 WAN IP Alias
WAN IP Alias allows you to input additional WAN IP addresses. WAN IP Alias can be
used for Multiple NAT settings, including LAN Address Mapping settings and Virtual
Server settings.
Please click Create to create a WAN IP Alias rule.
Name: Please input the name of the rule.
IP Address: Please input the additional WAN IP address you would like to use.
Interface: Please select the WAN Interface that you would like to add the additional
WAN IP to.
Click the Apply button to add the configuration into the WAN IP Alias.
4.4.3 Dual WAN
In this section, you can set up the fail over or load balance function, configure
outbound or inbound load balancing, or bind a specific protocol to a specific WAN
port. This menu contains the following sections: General Settings,
Outbound Load Balance, Inbound Load Balance, and Protocol Binding.
4.4.3.1 General Settings
Mode: You can select Load Balance or Fail Over.
Service Detection: Enables or disables the service detection feature. In Fail Over
mode, service detection is enabled. In Load Balance mode, you can enable or
disable it.
Connectivity Decision: Establishes the number of times probing the connection
has to fail before the connection is judged as failed.
Probe Cycle: The number of seconds between each probe.
Probe WAN1: Determines if WAN1 is a gateway or host. If host is selected, please
enter the IP address.
Probe WAN2: Determines if WAN2 is a gateway or host. If host is selected, please
enter the IP address.
Fail back to WAN1 when possible: Enables or disables fail back to WAN1. This
function only applies to fail over.
Click Apply to save your changes.
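The interaction of Connectivity Decision, Probe Cycle and fail back, worked through as an added example (not Firetunnel 30 code; all class and function names are hypothetical). It assumes that failed probes must be consecutive and that one successful probe makes a port usable again, which the manual does not specify.

```python
# Added illustration of the Dual WAN fail-over settings; not Firetunnel 30 firmware.
from dataclasses import dataclass


@dataclass
class FailoverSettings:
    connectivity_decision: int       # failed probes needed to judge a link as failed
    probe_cycle: int                 # seconds between probes
    fail_back_to_wan1: bool = True   # "Fail back to WAN1 when possible"


class FailoverMonitor:
    """Counts failed probes per WAN port and decides which port carries traffic."""

    def __init__(self, settings):
        self.settings = settings
        self.failures = {"WAN1": 0, "WAN2": 0}
        self.active = "WAN1"

    def link_up(self, wan):
        return self.failures[wan] < self.settings.connectivity_decision

    def step(self, wan1_ok, wan2_ok):
        """Apply the probe results of one cycle and return the active port."""
        for wan, ok in (("WAN1", wan1_ok), ("WAN2", wan2_ok)):
            # Assumption: failures must be consecutive; one good probe clears the count.
            self.failures[wan] = 0 if ok else self.failures[wan] + 1
        standby = "WAN2" if self.active == "WAN1" else "WAN1"
        if not self.link_up(self.active) and self.link_up(standby):
            self.active = standby            # fail over to the healthy port
        elif (self.active == "WAN2" and self.settings.fail_back_to_wan1
              and self.link_up("WAN1")):
            self.active = "WAN1"             # fail back once WAN1 answers again
        return self.active


def simulate(settings, probes):
    """probes holds one (wan1_ok, wan2_ok) pair per cycle.

    Returns a list of (elapsed_seconds, active_port) rows.
    """
    monitor = FailoverMonitor(settings)
    return [((n + 1) * settings.probe_cycle, monitor.step(w1, w2))
            for n, (w1, w2) in enumerate(probes)]


def detection_delay(settings):
    """Upper bound, in seconds, between a link going down and fail over starting."""
    return settings.connectivity_decision * settings.probe_cycle


# Constructed probe results: WAN1 is down for four cycles, then recovers.
OUTAGE = [(True, True), (False, True), (False, True),
          (False, True), (False, True), (True, True)]
# Constructed probe results: WAN1 drops probes but never three in a row.
FLAPPING = [(False, True), (False, True), (True, True),
            (False, True), (False, True)]

if __name__ == "__main__":
    cfg = FailoverSettings(connectivity_decision=3, probe_cycle=5)
    for seconds, port in simulate(cfg, OUTAGE):
        print(f"t={seconds:>3}s  active={port}")
    print("detection delay (s):", detection_delay(cfg))
```

With a Connectivity Decision of 3 and a Probe Cycle of 5 seconds, traffic stays on a dead WAN1 for up to 15 seconds before WAN2 takes over, and a link that drops probes intermittently never triggers fail over at all.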
4.4.3.2 Outbound Load Balance
Outbound Load Balancing on Firetunnel 30 can be based on one of two methods:
1. By session mechanism
2. By IP address hash mechanism
Choose one by clicking the corresponding radio button.
Based on Session Mechanism: Traffic between a given source IP address and
destination IP address might go through WAN1 or WAN2, according to the policy
settings in this mechanism. Choose this mechanism if the applications in use do not
care which WAN IP address their traffic comes from. (Some applications on the
Internet need to identify the source IP address, e.g. Bank, Forum, …)
Balance by Session (Round Robin): Balances session traffic based on a round
robin method.
Balance by Session (weight of length capacity): Balances session traffic based
on weight of link capacity.
Balance by Session weight: Balances session traffic based on a weight ratio.
Enter the desired ratio in the blanks provided.
Balance by Traffic (weight of length capacity): Balances traffic based on weight
of link capacity.
Balance by Traffic weight: Balances traffic based on a traffic weight ratio. Enter
the desired ratio into the blanks provided.
Based on IP hash mechanism: The source IP address and destination IP address
will go through a specific WAN port (WAN1 or WAN2) according to the policy settings
in this mechanism. This ensures that applications which authenticate the source IP
address keep working.
Balance by weight of link capacity: Uses an IP hash to balance traffic based on
weight of link bandwidth capacity.
Balance by weight: Uses an IP hash to balance traffic based on a ratio. Enter
the desired ratio into the blanks provided.
Click Apply to save your changes.
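An added sketch, not taken from the Firetunnel 30 firmware, contrasting the two mechanisms for repeated sessions between one source and one destination. The class names are hypothetical, and SHA-256 stands in for the router's hash, which the manual does not document.

```python
# Added sketch of the two outbound load-balance mechanisms (not router firmware).
import hashlib
import ipaddress
from itertools import cycle


def weighted_slots(weight_wan1, weight_wan2):
    """Expand a WAN1:WAN2 ratio into slots, e.g. 2:1 -> [WAN1, WAN1, WAN2]."""
    if weight_wan1 < 0 or weight_wan2 < 0 or weight_wan1 + weight_wan2 == 0:
        raise ValueError("weights must be non-negative and not both zero")
    return ["WAN1"] * weight_wan1 + ["WAN2"] * weight_wan2


class SessionBalancer:
    """'Based on Session Mechanism': each new session takes the next slot in turn."""

    def __init__(self, weight_wan1=1, weight_wan2=1):
        self.slots = cycle(weighted_slots(weight_wan1, weight_wan2))

    def pick(self, src_ip, dst_ip):
        # The addresses play no part in the choice, so one host pair can
        # appear to the remote server from both WAN IP addresses.
        return next(self.slots)


class IpHashBalancer:
    """'Based on IP hash mechanism': the address pair alone decides the port."""

    def __init__(self, weight_wan1=1, weight_wan2=1):
        self.slots = weighted_slots(weight_wan1, weight_wan2)

    def pick(self, src_ip, dst_ip):
        # Assumption: SHA-256 over the packed addresses replaces the
        # router's undocumented hash function.
        key = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(dst_ip).packed)
        digest = hashlib.sha256(key).digest()
        return self.slots[int.from_bytes(digest[:4], "big") % len(self.slots)]


def ports_used(balancer, src_ip, dst_ip, sessions):
    """WAN ports that a run of sessions between one address pair went out of."""
    return {balancer.pick(src_ip, dst_ip) for _ in range(sessions)}


def share_of_wan1(balancer, pairs):
    """Fraction of the given (src, dst) sessions that were sent out of WAN1."""
    picks = [balancer.pick(src, dst) for src, dst in pairs]
    return picks.count("WAN1") / len(picks)


if __name__ == "__main__":
    # Constructed addresses: one LAN host opening four sessions to one server.
    src, dst = "192.168.1.10", "203.0.113.5"
    print("session:", sorted(ports_used(SessionBalancer(), src, dst, 4)))
    print("ip hash:", sorted(ports_used(IpHashBalancer(), src, dst, 4)))
```

A server that ties a login to the client's source address sees the session balancer's traffic arrive from two different WAN addresses, while the hash balancer always presents the same one.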
4.4.3.3 Inbound Load Balance
Function: Used to enable or disable inbound load balancing.
DNS Server 1: DNS Server 1 settings including Host URL mappings.
DNS Server 2: DNS Server 2 settings including Host URL mappings.
To edit server settings, click Edit. The following example illustrates DNS Server 1
settings. DNS Server 2 settings follow a similar procedure.
SOA:
Domain Name: The domain name of DNS Server 1. This is the name that you
registered with a DNS organization. Enter it as a Fully Qualified Domain
Name (FQDN), including the ending character (a dot). (ex: abc.com.)
The names you enter in the fields that follow must be given without an ending
dot; the domain name is appended to each name to form its FQDN.
Primary Name Server: The name assigned to the Primary Name Server.
(e.g. aaa, its FQDN is aaa.abc.com.)
Admin. Mail Box: The administrator’s email account. (e.g. admin@abc.com.)
Serial Number: The version number kept in the SOA record.
Refresh Interval: The interval at which refreshes are done, in seconds.
Retry Interval: The interval at which retries are done, in seconds.
Expiration Time: The length of time that can elapse before the zone is no
longer authoritative, in seconds.
Minimum TTL: The minimum time to live, in seconds.
NS Record
Name Server: The name of the Primary Name Server.
MX Record
Mail Exchanger: The name of the mail server.
IP Address: The mail server IP address.
Click Apply to save your changes.
To edit the Host Mapping URL list, click Edit. This will open the Host Mapping URL
table, which lists the current Host Mapping URLs.
To add a host mapping URL to the list, click Create.
Domain Name: The domain name of the local host.
Host URL: The URL to be mapped.
Private IP Address: The IP address of the local host.
Candidates: You can also pick an entry from Candidates, which lists hosts found in
the ARP table, to fill in these fields automatically.
Protocol: Select which protocol you’re using.
Port Range: Incoming packets within this port range are accepted and processed by
the local host with the specified private IP address.
Helper: You can also select an application type to fill in these fields
automatically.
Name1: The Alias Host URL
Name2: The Alias Host URL
Click Apply to save your changes.
4.4.3.4 Protocol Binding
Protocol Binding lets you direct specific traffic to go out from a specific WAN port.
Click the Create button to create a new policy entry. Each policy sends a specific
type of Internet traffic, from a particular range of IPs to a particular range of
IPs, through ONE WAN port rather than across both WAN ports with load
balancing.
(NOTE: Policies added in the Protocol Binding section take precedence over the
settings already configured in the Load Balance Setting section.)
The Protocol Binding Table lists any protocol binding that has been configured. To
add a new binding, click Create.
Interface: Choose which WAN port to use: WAN1, WAN2
Source IP Range:
All Source IP: Click it to specify all source IPs.
Specified Source IP: Click to specify a specific source IP address and source
IP netmask.
Source IP Address: If Specified Source IP was chosen, here’s where the IP can be
entered.
Source IP Netmask: If Specified Source IP was chosen, here’s where the subnet
mask can be entered.
Destination IP Range:
All Destination IP: Click it to specify all destination IPs.
Specified Destination IP: Click to specify a specific destination IP address
and Destination IP Netmask.
Destination IP Address: If Specified Destination IP was chosen, here’s where the
IP can be entered.
Destination IP Netmask: If Specified Destination IP was chosen, here’s where the
subnet mask can be entered.
Protocol: The particular protocol of Internet traffic for the specified policy. Choose
from TCP, UDP, or Any.
Port Range: The range of ports for the specified policy (if you only want to use one
port, enter the same value in both boxes).
Click Apply to save your changes.
4.4.4 System
The System menu allows you to adjust a variety of basic router settings, upgrade
firmware, set up remote access, and more. In this menu are the following sections:
Time Zone, Remote Access, Firmware Upgrade, Backup/Restore, Restart,
Password, System Log and E-mail Alert.
4.4.4.1 Time Zone
Firetunnel does not use an onboard real time clock; instead, it uses the Network
Time Protocol (NTP) to acquire the current time from an NTP server outside your
network. Simply choose your local time zone, enter NTP Server IP Address, and click
Apply. After connecting to the Internet, Firetunnel 30 will retrieve the correct local
time from the NTP server you have specified. Your ISP may provide an NTP server
for you to use.
Time Zone: Select Enable or Disable for this function.
Local Time Zone(+-GMT Time): Please select the time zone that belongs to your
area.
NTP Server Address: Please input the NTP server address you would like to use.
Daylight Saving: To have Firetunnel 30 automatically adjust for Daylight Saving
Time, please check the Automatic checkbox.
Resync Period: Please input the resync cycle for the time zone update.
Click Apply to apply the rule, or click Cancel to discard the changes.
4.4.4.2 Remote Access
To allow remote users to configure and manage Firetunnel 30 through the Internet,
select the Enable radio button. To deactivate remote access, select the Disable radio
button. This function also enables you to grant access from any PC or from a specific
IP address. Click Apply to save your settings.
NOTE: When enabling remote access, please make sure to change the default
administration password for security reasons.
Action: Select Enable or Disable for the remote access function.
HTTPS Port: Please input the remote access HTTPS port you would like to
use (default is 443).
Click Apply to apply your settings.
Click Create to add an entry to the Remote Access Table, which specifies the allowed
remote access addresses.
Allow Remote Access By:
Everyone: Check this option to allow remote access from any IP address.
Only the PC: Please specify the IP Address that is allowed to access.
PC from the subnet: Please specify the subnet that is allowed to access.
4.4.4.3 Firmware Upgrade
Upgrading your Firetunnel 30’s firmware is a quick and easy way to enjoy increased
functionality, better reliability, and ensure trouble-free operation. To upgrade your
firmware, simply visit Black Box’s website (http://www.blackbox.com) and
download the latest firmware image file for Firetunnel 30. Next, click Browse and
select the newly downloaded firmware file. Click Upgrade to complete the update.
NOTE: DO NOT power down the router or interrupt the firmware upgrade while it is
still in process. Interrupting the firmware upgrade process could damage the router.
4.4.4.4 Backup / Restore
This feature allows you to save and back up your router’s current settings, or restore
a previously saved backup. This is useful if you wish to experiment with different
settings, knowing that you have a backup handy. It is advisable to back up your
router’s settings before making any significant changes to your router’s
configuration.
To back up your router’s settings, click Backup and select where to save the settings
backup file. You may also change the name of the file when saving if you wish to
keep multiple backups. Click OK to save the file.
To restore a previously saved backup file, click Browse. You will be prompted to
select a file from your PC to restore. Be sure to only restore setting files that have
been generated by the Backup function, and that were created when using the same
firmware version. Settings files saved to your PC should not be manually edited in
any way. After selecting the settings file you wish to use, clicking Restore will load
those settings into the router.
4.4.4.5 Restart
The Restart feature allows you to easily restart Firetunnel 30. To restart with your
last saved configuration, select the Current Settings radio button and click Restart.
If you wish to restart the router using the factory default settings, select Factory
Default Settings and click Restart to reboot Firetunnel 30 with factory default
settings.
You may also reset your router to factory default settings by holding the Reset
button on the router until the Status LED begins to blink. Once Firetunnel 30
completes the boot sequence, the Status LED will stop blinking.
4.4.4.6 Password
In order to prevent unauthorized access to your router’s configuration interface, it
requires the administrator to login with a password. You can change your password
by entering your new password in both fields. Click Apply to save your changes.
Click Reset to reset to the default administration password (admin).
4.4.4.7 Ping & Trace Route
This function lets you test whether Firetunnel 30 is properly connected. Type in
the IP address or domain name you want to ping and click PingTesting.
Type in the IP address connected to WAN 1 or 2, and set the Max TTL value (the
default is 16). Set the wait time, then click the TraceTesting button.
4.4.5 Firewall
Firetunnel 30 includes a full Stateful Packet Inspection (SPI) firewall for controlling
Internet access from your LAN, and preventing attacks from hackers. Your router
also acts as a "natural" Internet firewall when using Network Address Translation
(NAT), as all PCs on your LAN will use private IP addresses that cannot be directly
accessed from the Internet. Please see the WAN configuration section for more
details.
You can find five items under the Firewall section: Packet Filter, URL Filter, LAN
MAC Filter, Block WAN Request, and Intrusion Detection.
4.4.5.1 Packet Filter
The Packet Filter function is used to limit user access to certain sites on the Internet
or LAN. The Filter Table displays all current filter rules. If there is an entry in the
Filter Table, you can click Edit to modify the setting of this entry, click Delete to
remove this entry, or click Move to change this entry’s priority.
The higher an entry is in the table, the higher its priority.
To create a new filter rule, click Create.
ID: An identifier that lets you move the rule before or after another ID.
Rule: Enable or Disable this entry.
Action When Matched: Select to Drop or Forward the packet specified in this
filter entry.
Direction: Incoming Packet Filter rules prevent unauthorized computers or
applications from accessing your local network from the Internet. Outgoing Packet
Filter rules prevent unauthorized computers or applications from accessing the
Internet. Select whether the new filter rule is incoming or outgoing.
Source IP: Select Any, Subnet, IP Range or Single Address.
Starting IP Address: Enter the source IP or starting source IP address this filter
rule is to be applied.
End IP Address: Enter the End source IP Address this filter rule is to be applied.
(for IP Range only)
Netmask: Enter the subnet mask of the above IP address.
Destination IP: Select Any, Subnet, IP Range or Single Address.
Starting IP Address: Enter the destination IP or starting destination IP address
this filter rule is to be applied.
End IP Address: Enter the End destination IP Address this filter rule is to be applied.
(for IP Range only)
Netmask: Enter the subnet mask of the above IP address.
Protocol: Select the Transport protocol type (Any, TCP, UDP).
Source Port Range: Enter the source port number range. If you only want to specify
one service port, then enter the same port number in both boxes.
Destination Port Range: Enter the destination port number range. If you only want
to specify one service port, then enter the same port number in both boxes.
Helper: You can also select an application type to fill in these fields
automatically.
Schedule: Click Candidates and select the schedule you need.
Log: You can Disable/Enable the log statistics.
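An added example, not Firetunnel 30 code, of how an ordered Filter Table decides a packet and why a broad rule placed above a narrower one leaves the narrower rule without effect. It assumes first-match evaluation from the top of the table; the action for unmatched packets is passed in because the manual does not state it, and all names, addresses and rules are constructed.

```python
# Added example: first-match evaluation of an ordered Filter Table (not router firmware).
import ipaddress
from dataclasses import dataclass
from typing import Callable, Tuple


def addr(kind, start=None, end=None, netmask=None):
    """Matcher for the four address types: Any, Subnet, IP Range, Single Address."""
    if kind == "Any":
        return lambda ip: True
    if kind == "Subnet":
        net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    if kind == "IP Range":
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    if kind == "Single Address":
        one = ipaddress.ip_address(start)
        return lambda ip: ipaddress.ip_address(ip) == one
    raise ValueError(f"unknown address type: {kind}")


@dataclass
class FilterRule:
    rule_id: int
    action: str                                   # "Drop" or "Forward"
    direction: str                                # "Incoming" or "Outgoing"
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    protocol: str = "Any"                         # "Any", "TCP" or "UDP"
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    enabled: bool = True

    def matches(self, pkt):
        return (self.enabled
                and pkt["direction"] == self.direction
                and self.protocol in ("Any", pkt["protocol"])
                and self.src(pkt["src"]) and self.dst(pkt["dst"])
                and self.src_ports[0] <= pkt["sport"] <= self.src_ports[1]
                and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1])


def evaluate(table, pkt, default_action):
    """Return (action, rule_id) of the first enabled rule that matches the packet."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return default_action, None   # assumption: caller supplies the unmatched action


def move_before(table, rule_id, before_id):
    """Model of the Move button: place rule_id directly above before_id."""
    moved = next(r for r in table if r.rule_id == rule_id)
    rest = [r for r in table if r.rule_id != rule_id]
    idx = next(i for i, r in enumerate(rest) if r.rule_id == before_id)
    return rest[:idx] + [moved] + rest[idx:]


def shadowed_rules(table, sample_packets, default_action):
    """IDs of rules that match some sample packet but never decide one."""
    packets = list(sample_packets)
    deciding = {evaluate(table, p, default_action)[1] for p in packets}
    matching = {r.rule_id for r in table for p in packets if r.matches(p)}
    return sorted(matching - deciding)


# Constructed table: rule 2 is meant to block web access for one kiosk PC,
# but the broader Forward rule 1 sits above it.
TABLE = [
    FilterRule(1, "Forward", "Outgoing",
               addr("Subnet", "192.168.1.0", netmask="255.255.255.0"),
               addr("Any"), "TCP", dst_ports=(80, 80)),
    FilterRule(2, "Drop", "Outgoing", addr("Single Address", "192.168.1.50"),
               addr("Any"), "TCP", dst_ports=(80, 80)),
    FilterRule(3, "Drop", "Incoming", addr("Any"),
               addr("IP Range", "192.168.1.1", "192.168.1.253"),
               "TCP", dst_ports=(23, 23)),
]

# Constructed sample packets used to exercise the table.
PACKETS = {
    "kiosk_web": {"direction": "Outgoing", "protocol": "TCP", "src": "192.168.1.50",
                  "dst": "203.0.113.10", "sport": 40000, "dport": 80},
    "pc_web": {"direction": "Outgoing", "protocol": "TCP", "src": "192.168.1.20",
               "dst": "203.0.113.10", "sport": 40001, "dport": 80},
    "telnet_in": {"direction": "Incoming", "protocol": "TCP", "src": "198.51.100.7",
                  "dst": "192.168.1.20", "sport": 51000, "dport": 23},
}

if __name__ == "__main__":
    print("as entered :", evaluate(TABLE, PACKETS["kiosk_web"], "Forward"))
    fixed = move_before(TABLE, 2, 1)
    print("after Move :", evaluate(fixed, PACKETS["kiosk_web"], "Forward"))
```

Running a set of representative packets through `shadowed_rules` after every table change is a quick way to confirm that each Drop rule still decides the traffic it was written for.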
4.4.5.2 URL Filter
The URL Filter is a powerful tool that can be used to limit access to certain URLs on
the Internet. You can block web sites based on keywords or even block out an entire
domain. Certain web features can also be blocked to grant added security to your
network.
URL Filtering: You can choose to Enable or Disable this feature.
Keyword Filtering: Click the checkbox to enable this feature. To edit the list of
filtered keywords, click Details.
Domain Filtering: Click the "enable" checkbox to enable filtering by Domain Name.
Click the "Disable all WEB traffic except for trusted domains" check box to
allow web access only for trusted domains.
Restrict URL Features: Click "Block Java Applet" to filter web access with Java
Applet components. Click "Block ActiveX" to filter web access with ActiveX
components. Click "Block Web proxy" to filter web proxy access. Click "Block
Cookie" to filter web access with Cookie components. Click "Block Surfing by IP
Address" to filter web access with an IP address as the domain name.
Exception List: You can input a list of IP addresses as the exception list for URL
filtering.
Enter a keyword to be filtered and click Apply. Your new keyword will be added to
the filtered keyword listing.
Domains Filtering: Click the top checkbox to enable this feature. You can also
choose to disable all web traffic except for trusted sites by clicking the bottom
checkbox. To edit the list of filtered domains, click Details.
Enter a domain and select whether this domain is trusted or forbidden with the
pull-down menu. Next, click Apply. Your new domain will be added to either the
Trusted Domain or Forbidden Domain listing, depending on which you selected
previously.
Restrict URL Features: Use this to disable certain web features. Select the options
you want (Block Java Applet, Block ActiveX, Block Web proxy, Block Cookie, Block
Surfing by IP Address) and click Apply to save your changes.
You may also designate which IP addresses are to be excluded from these filters by
adding them to the Exception List. To do so, click Add.
Enter a name for the IP Address and then enter the IP address itself. Click Apply to
save your changes. The IP address will be entered into the Exception List, and
excluded from the URL filtering rules in effect.
4.4.5.3 LAN MAC Filter
LAN MAC Filter decides, by MAC address, whether Firetunnel will serve a device on
the LAN side.
Default Rule: Forward or Drop all LAN requests. (Forward by default)
Create: You can also enter a specific MAC address to be dropped or forwarded
regardless of the default rule.
Action: Select to Drop or Forward the packet specified in this filter entry.
Click Create to configure the list.
Rule: Enable or disable this entry.
Action When Matched: Select to Drop or Forward the packet specified in this
filter entry.
MAC Address: The MAC Address you would like to apply.
Candidates: You can also select the Candidates which are referred from the ARP
table for automatic input.
Binding IP: Enable or disable this feature.
IP Address: Type in the IP Address you want to bind if you enable the Binding IP
feature.
Log: Enable or disable the log statistics.
4.4.5.4 Block WAN Request
Blocking WAN requests is one way to prevent DDoS attacks, by preventing ping
requests from the Internet. Use this menu to enable or disable this function.
4.4.5.5 Intrusion Detection
Intrusion Detection can prevent most common DoS attacks from the Internet or
from LAN users.
Intrusion Detection: Enable or disable this function.
Intrusion Function list: Check the intrusion types you want to detect.
Intrusion Log: All the detected and dropped attacks will be shown in the system
log.
ARP Protection: ARP protection is used to protect users on the LAN against ARP
viruses. When enabled, ARP Protection will only protect computers that were set in
Fixed Host (refer to page 78) so that the ARP table of those hosts can be updated.
Firetunnel30 will periodically send ARP packets to these computers to refresh their
ARP tables. Enabling ARP Protection can prevent potential viruses infecting
computers within the local network. Enabling this option will mitigate the effect of
an ARP virus attack on the LAN.
Session Limit: Allows administrators to define the number of sessions that are
allowed to connect to Firetunnel30. This function limits the number of
connections on a per-user basis. This is useful for controlling users whose
applications create a large number of connections (such as P2P software).
No Limit: No restriction on the number of sessions allowed to connect to
Firetunnel30.
Limit Maximum sessions per IP to: Sets an upper limit on the sessions
allowed to connect to Firetunnel30; additional sessions beyond the maximum
limit will not be allowed to connect.
Limit Maximum sessions per IP to (with reject and drop options): Like the
previous option, but this option also specifies what to do with additional
sessions above the maximum limit. You can either reject the additional
sessions for a period of time or drop all packets from those sessions for a
period of time.
4.4.6 VPN
VPN is a way to establish secured communication tunnels to an organization’s
network via the Internet.
You can find two items under the VPN section: IPSec and PPTP.
4.4.6.1 IPSec
IPSec is a set of protocols that enable Virtual Private Networks (VPN).
You can find two items under the IPSec section: IPSec Wizard and IPSec Policy.
4.4.6.1.1 IPSec Wizard
Connection Name: A user-defined name for the connection.
Interface: Select the interface the IPSec tunnel will apply to.
WAN1: Select interface WAN1
WAN2: Select interface WAN2
Auto: The device will automatically apply the tunnel to WAN1 or WAN2
depending on which WAN interface is active when the IPSec tunnel is being
established. Note: Auto only applies to Fail Over mode. For Load Balance mode,
please do not select "Auto". In Load Balance mode, Auto will be forced to the WAN1
interface if Auto is selected.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. IKE is used
to establish a shared security policy and authenticated keys for services (such as
IPSec) that require a key. Before any IPSec traffic can be passed, each router must
be able to verify the identity of its peer. This can be done by manually entering the
pre-shared key into both sides (router or hosts).
Connection Type:
There are 5 connection types:
(1) LAN to LAN: Firetunnel establishes an IPSec VPN tunnel with a remote
router that uses a fixed Internet IP or domain name, using main mode.
Remote Secure Gateway Address (or Host Name): The IP address or hostname of
the remote VPN gateway.
Remote Network: The subnet of the remote network. Allows you to enter an IP
address and netmask.
Back: Back to the Previous page.
Next: Go to the next page.
(2) LAN to Mobile LAN: Firetunnel establishes an IPSec VPN tunnel with a
remote router that uses a dynamic Internet IP, using aggressive mode.
Remote Identifier: The identifier of the remote gateway. According to the input
value, the ID type will be auto-defined as IP Address, FQDN (DNS) or FQUN (E-mail).
Remote Network: The subnet of the remote network. Allows you to enter an IP
address and netmask.
Back: Back to the Previous page.
Next: Go to the next page.
(3) LAN to Host: Firetunnel establishes an IPSec VPN tunnel with remote
client software that uses a fixed Internet IP or domain name, using main mode.
Secure Gateway Address (or Domain Name): The IP address or hostname of
the remote VPN device that is connected and establishes a VPN tunnel.
Back: Back to the Previous page.
Next: Go to the next page.
(4) LAN to Mobile Host: Firetunnel establishes an IPSec VPN tunnel with
remote client software that uses a dynamic Internet IP, using aggressive mode.
Remote Identifier: The identifier of the remote gateway. According to the input
value, the ID type will be auto-defined as IP Address, FQDN (DNS) or FQUN (E-mail).
Back: Back to the Previous page.
Next: Go to the next page.
(5) LAN to Host (for Firetunnel VPN Client only): Firetunnel establishes an
IPSec VPN tunnel with Firetunnel VPN Client software C01, using aggressive
mode.
VPN Client IP Address: The address of the Firetunnel VPN Client. This value
is applied to both the Remote ID and the Remote Network, as a single address.
Back: Back to the Previous page.
Next: Go to the next page.
After your configuration is done, you will see a Configuration Summary.
Back: Back to the Previous page.
Done: Click Done to apply the rule.
4.4.6.1.2 IPSec Policy
Click Create to create a new IPSec VPN connection account.
Configuring a New VPN Connection
Connection Name: A user-defined name for the connection.
Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this
tunnel.
Interface: Select the interface the IPSec tunnel will apply to.
WAN1: Select interface WAN1
WAN2: Select interface WAN2
Auto: The device will automatically apply the tunnel to WAN1 or WAN2
depending on which WAN interface is active when the IPSec tunnel is being
established. Note: Auto only applies to Fail Over mode. For Load Balance mode,
please do not select "Auto". In Load Balance mode, Auto will be forced to the WAN1
interface if Auto is selected.
Local: This section configures the local host.
ID: This is the identity type of the local router or host. Choose from the
following four options:
WAN IP Address: Automatically use the current WAN Address as ID.
IP Address: Use an IP address format.
FQDN DNS (Fully Qualified Domain Name): Consists of a hostname
and domain name. For example, WWW.VPN.COM is an FQDN. WWW is the
host name, VPN.COM is the domain name. When you enter the FQDN of
the local host, the router will automatically seek the IP address of the
FQDN.
FQUN E-Mail (Fully Qualified User Name): Consists of a username and
its domain name. For example, user@vpn.com is an FQUN. "user" is the
username and "vpn.com" is the domain name.
Data: Enter the ID data using the specific ID type.
Network: Set the IP address, IP range, subnet, or address range of the local
network.
Any Local Address: Will enable any local address on the network.
Subnet: The subnet of the local network. Selecting this option enables
you to enter an IP address and netmask.
IP Range: The IP Range of the local network.
Single Address: The IP address of the local host.
Remote: This section configures the remote host.
Secure Gateway Address (or Domain Name): The IP address or hostname
of the remote VPN device that is connected and establishes a VPN tunnel.
ID: The identity type of the local host. Choose from the following three options:
Remote IP Address: Automatically use the remote gateway Address as
ID with ID type – IP Address.
IP Address: Use an IP address format.
FQDN DNS (Fully Qualified Domain Name): Consists of a hostname
and domain name. For example, WWW.VPN.COM is an FQDN. WWW is the
host name, VPN.COM is the domain name. When you enter the FQDN of
the local host, the router will automatically seek the IP address of the
FQDN.
FQUN E-Mail (Fully Qualified User Name): Consists of a username and
its domain name. For example, user@vpn.com is an FQUN. "user" is the
username and "vpn.com" is the domain name.
Data: Enter the ID data using the specific ID type.
Network: Set the subnet, IP Range, single address, or gateway address of the
remote network.
Any Local Address: Will enable any local address on the network.
Subnet: The subnet of the remote network. Selecting this option allows
you to enter an IP address and netmask.
IP Range: The IP Range of the remote network.
Single Address: The IP address of the remote host.
Gateway Address: The gateway address of the remote host.
Proposal:
Secure Association (SA): SA is a method of establishing a security policy
between two points. There are three methods of creating SA, each varying in
degrees of security and speed of negotiation:
Main Mode: Uses the automated Internet Key Exchange (IKE) setup;
most secure method with the highest level of security.
Aggressive Mode: Uses the automated Internet Key Exchange (IKE)
setup; mid-level security. Speed is faster than Main mode.
Manual Key: Standard level of security. It is the fastest of the three
methods.
Method: There are two methods of checking the authentication information,
AH (Authentication Header) and ESP (Encapsulating Security Payload). Use
ESP for greater security so that data will be encrypted and authenticated. With
AH, data will be authenticated but not encrypted.
Encryption Protocol: Select the encryption method from the pull-down menu.
There are several options: DES, 3DES, and AES (128, 192 and 256). 3DES and
AES are more powerful but increase latency.
DES: Stands for Data Encryption Standard. It uses a 56-bit encryption
method.
3DES: Stands for Triple Data Encryption Standard. It uses a 168-bit
encryption method.
AES: Stands for Advanced Encryption Standard. You can select 128, 192 or
256 bits for the encryption method.
Authentication Protocol: Authentication establishes data integrity and
ensures it is not tampered with while in transit. There are two options:
Message Digest 5 (MD5), and Secure Hash Algorithm (SHA1). While slower,
SHA1 is more resistant to brute-force attacks than MD5.
MD5: A one-way hashing algorithm that produces a 128-bit hash.
SHA1: A one-way hashing algorithm that produces a 160-bit hash.
Perfect Forward Secure: Choose whether to enable PFS using Diffie-Hellman
public-key cryptography to change encryption keys during the second phase of
VPN negotiation. This function will provide better security, but extends the VPN
negotiation time. Diffie-Hellman is a public-key cryptography protocol that
allows two parties to establish a shared secret over the Internet.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. IKE is
used to establish a shared security policy and authenticated keys for services
(such as IPSec) that require a key. Before any IPSec traffic can be passed, each
router must be able to verify the identity of its peer. This can be done by
manually entering the pre-shared key into both sides (router or hosts).
IKE Life Time: Allows you to specify the timer interval for renegotiation of the
IKE security association. The value is in seconds, e.g. 28800 seconds = 8 hours.
Key Life Time: Allows you to specify the timer interval for renegotiation of
another key. The value is in seconds, e.g. 3600 seconds = 1 hour.
Netbios Broadcast: Allows Firetunnel to send local Netbios Broadcast packets
through the IPSec Tunnel. Select Enable or Disable.
DPD Setting: DPD stands for Dead Peer Detection.
DPD Function: Select Enable or Disable for the DPD function.
Detection Interval: Enter the interval at which DPD packets are sent out.
Idle Timeout: Enter the consecutive no-response time after which this tunnel
is disconnected.
Click the Apply button to save your changes.
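The Proposal fields above can be checked before they are typed into two gateways. The following is an added example, not code from Black Box or the device: it flags the weaker options the form offers and reports fields that do not mirror each other between two peers. The IPSecPolicy class, its field names, the MIN_PSK_LEN threshold and the sample policies are assumptions made for this example; the mirror check reflects general IKE behaviour, where both ends must agree on the proposal and pre-shared key.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IPSecPolicy:
    """One entry of the IPSec Policy form. Hypothetical class; the field
    names follow the manual's labels, the device exposes no such API."""
    name: str
    sa_mode: str          # "main", "aggressive" or "manual"
    method: str           # "ESP" or "AH"
    encryption: str       # "DES", "3DES", "AES128", "AES192", "AES256"
    authentication: str   # "MD5" or "SHA1"
    pfs: bool
    pre_shared_key: str
    local_id: str
    remote_id: str
    local_net: str        # subnet in CIDR notation
    remote_net: str


MIN_PSK_LEN = 20  # assumption made for this example, not a device limit


def audit(p):
    """Return the settings of one policy that pick a weaker option."""
    findings = []
    if p.sa_mode == "manual":
        findings.append("sa_mode: Manual Key uses static keys with no IKE")
    elif p.sa_mode == "aggressive":
        findings.append("sa_mode: Aggressive Mode, use Main Mode for fixed-IP peers")
    if p.method == "AH":
        findings.append("method: AH authenticates but does not encrypt")
    if p.encryption == "DES":
        findings.append("encryption: DES has a 56-bit key")
    if p.authentication == "MD5":
        findings.append("authentication: MD5, SHA1 is the stronger option offered")
    if not p.pfs:
        findings.append("pfs: disabled")
    if len(p.pre_shared_key) < MIN_PSK_LEN:
        findings.append("pre_shared_key: shorter than %d characters" % MIN_PSK_LEN)
    return findings


def mismatches(a, b):
    """Compare the policies entered on two gateways. Proposal and key must be
    equal; each side's Local ID/Network must be the other side's Remote."""
    bad = [f for f in ("sa_mode", "method", "encryption", "authentication",
                       "pfs", "pre_shared_key")
           if getattr(a, f) != getattr(b, f)]
    if (a.local_id, a.remote_id) != (b.remote_id, b.local_id):
        bad.append("id")
    nets_a = (ipaddress.ip_network(a.local_net), ipaddress.ip_network(a.remote_net))
    nets_b = (ipaddress.ip_network(b.remote_net), ipaddress.ip_network(b.local_net))
    if nets_a != nets_b:
        bad.append("network")
    return bad


# Constructed sample policies (private addresses, made-up key material).
SITE_A = IPSecPolicy("to-branch", "aggressive", "ESP", "DES", "MD5", False,
                     "office123", "hq.example.com", "branch.example.com",
                     "192.168.1.0/24", "192.168.2.0/24")
SITE_B = IPSecPolicy("to-hq", "main", "ESP", "AES256", "SHA1", True,
                     "Zr7-constructed-sample-key-41", "branch.example.com",
                     "hq.example.com", "192.168.2.0/24", "192.168.3.0/24")

if __name__ == "__main__":
    for line in audit(SITE_A):
        print("WEAK ", SITE_A.name, line)
    print("MISMATCH", mismatches(SITE_A, SITE_B))
```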
After you have created the IPSec connection, you can check the account information
by clicking the IPSec status.
Name: This is the user-defined name of the connection.
Enable: This function activates or deactivates the IPSec connection.
Local Network: Displays IP address and subnet of the local network.
Remote Network: Displays IP address and subnet of the remote network.
Remote Gateway: This is the IP address or Domain Name of the remote VPN
device that is connected and has an established IPSec tunnel.
SA: This is the selected IPSec security method.
Action: Shows if this VPN tunnel is active or not.
4.4.6.2 PPTP
PPTP is a set of protocols that enable Virtual Private Networks (VPN). VPN is a way
to establish secured communication tunnels to an organization’s network via the
Internet.
PPTP function: Select Enable to activate the PPTP Server. Select Disable to
deactivate the PPTP Server function.
Auth. Type: The authentication type: Pap or Chap, Pap, or Chap.
Encryption Key Length: Auto, 40 bits or 128 bits.
Peer Encryption Mode: Only Stateless or Allow Stateless and Stateful.
IP Addresses Assigned to Peer Start from: 192.168.1.x: Enter the start of the
assigned IP range, from 1 ~ 254 (except Firetunnel 30’s LAN IP address, with
192.168.1.254 as Firetunnel 30’s default LAN IP address, and the IP pool range of the
DHCP server settings, with 100~199 as Firetunnel 30’s default DHCP IP pool range).
Idle Timeout “ ” Min: Specify the time after which a remote peer without any
activity is disconnected, from 0~120.
Click Create to create a new PPTP VPN connection account.
Connection Name: A user-defined name for the connection.
Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this
tunnel.
Username: Please input the username for this account.
Password: Please input the password for this account.
Retype Password: Please repeat the same password as previous field.
Connection Type: Select Remote Access for single user, Select LAN to LAN for
remote gateway.
Peer Network IP: Please input the IP for remote network.
Peer Netmask: Please input the Netmask for remote network.
Netbios Broadcast: Allows Firetunnel to send local Netbios Broadcast packets
through the PPTP Tunnel, please select Enable or Disable.
4.4.7 QoS
Firetunnel 30 can optimize your bandwidth by assigning priority to both inbound and
outbound data with QoS. This menu allows you to configure QoS for both inbound
and outbound traffic.
The first menu screen gives you an overview of which WAN ports currently have QoS
active, and the bandwidth settings for each.
WAN1 Outbound:
QoS Function: QoS status for WAN1 outbound. Select Enable to activate QoS for
WAN1’s outgoing traffic. Select Disable to deactivate.
Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN1’s
outbound traffic.
WAN1 Inbound:
QoS Function: QoS status for WAN1 inbound. Select Enable to activate QoS for
WAN1’s incoming traffic. Select Disable to deactivate.
Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN1’s
inbound traffic.
WAN2 Outbound:
QoS Function: QoS Status for WAN2 outbound. Select Enable to activate QoS for
WAN2’s outgoing traffic. Select Disable to deactivate.
Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN2’s
outbound traffic.
WAN2 Inbound:
QoS Function: QoS Status for WAN2 inbound. Select Enable to activate QoS for
WAN2’s incoming traffic. Select Disable to deactivate.
Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN2’s
inbound traffic.
Creating a New QoS Rule
To get started using QoS, you will need to establish QoS rules. These rules tell
Firetunnel 30 how to handle both incoming and outgoing traffic. The following
example shows you how to configure WAN1 Outbound QoS. Configuring the other
traffic types follows the same process.
To make a new rule, click Rule Table. This will bring you to the Rule Table which
displays the rules currently in effect.
Next, click Create to open the QoS Rule Configuration window.
Interface: The current traffic type. This can be WAN1 (outbound, inbound) and
WAN2 (outbound, inbound).
Application: User defined application name for the current rule.
Guaranteed: The guaranteed amount of bandwidth for this rule as a percentage.
Maximum: The maximum amount of bandwidth for this rule as a percentage.
Priority: The priority assigned to this service. Select a value from 0 to 6, 0 being
highest.
DSCP Marking: Used to classify traffic. Select from Best Effort, Premium, Gold
Service (High, Medium, Low), Silver (H, M, L), and Bronze (H, M, L).
Address Type: The type of address this rule applies to. Select IP Address or MAC
Address.
Bandwidth Type:
Shared Bandwidth: Please select Shared Bandwidth if you would like the specified
bandwidth to be shared among all IP addresses in the specified IP range.
Bandwidth per source IP Address: Please select Bandwidth per source IP
Address if you would like the specified bandwidth to be applied individually per
source IP address in specified IP range.
For IP Address:
Source IP Address Range: The range of source IP Addresses this rule applies to.
Destination IP Address Range: The range of destination IP Addresses this rule
applies to.
Source Port Range: The range of source ports this rule applies to.
Destination Port Range: The range of destination ports this rule applies to.
Helper: You could also select the application type you would like to apply for
automatic input.
DSCP: DSCP matching is used to identify traffic for the rule. This option will only be
applied to packets whose IP header DSCP field matches the criteria selected
from the drop-down menu.
Schedule: Allows you to select a time for this QoS policy to be applied. This option
allows the Admin to easily control the QoS of a particular user using a particular IP by
using several Schedule events for the different parts of the day. (See Chapter
4.4.9.4 Schedule for how to create a new schedule.)
Candidate: Clicking on Candidate will present you with a pop-up window of the
available Schedule policies set.
Click Apply to save your changes.
For MAC Address:
Source MAC Address: The source MAC Address of the device this rule applies to.
Candidates: You can also select the Candidates which are referred from the ARP
table for automatic input.
Source Port Range: The range of source ports this rule applies to.
Destination Port Range: The range of destination ports this rule applies to.
Helper: You could also select the application type you would like to apply for
automatic input.
4.4.8 Virtual Server
In TCP/IP and UDP networks, a port is a 16-bit number used to identify which
application program (usually a server) incoming connections should be delivered to.
Some ports have numbers that are pre-assigned to them by the Internet Assigned
Numbers Authority (IANA), and these are referred to as "well-known ports". Servers
follow the well-known port assignments so clients can locate them.
If you wish to run a server on your network that can be accessed from the WAN (i.e.
from other machines on the Internet that are outside your local network), or any
application that can accept incoming connections (e.g. peer-to-peer applications)
and are using NAT (Network Address Translation), then you will usually need to
configure your router to forward these incoming connection attempts using specific
ports to the PC on your network running the application. You will also need to use
port forwarding if you want to host an online game server. The reason for this is that
when using NAT, your publicly accessible IP address will be used by and point to your
router, which then needs to deliver all traffic to the private IP addresses used by