Cisco RVS4000 - Gigabit Security Router, Linksys RVS4000 User Manual

4-Port Gigabit Security Router with VPN
User Guide
Model: RVS4000
BUSINESS SERIES
Linksys is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Copyright © 2008 Cisco Systems, Inc. All rights reserved. Other brands and product names are trademarks or registered trademarks of their respective holders.
About This Guide
Icon Descriptions
While reading through the User Guide you may see various icons that call attention to specific items. Below is a description of these icons:
NOTE: This check mark indicates that there is a note of interest and is something that you should pay special attention to while using the product.
WARNING: This exclamation point indicates that there is a caution or warning and it is something that could damage your property or product.
WEB: This globe icon indicates a noteworthy website address or e-mail address.
Open Source
This product may contain material licensed to you under the GNU General Public License or other open-source software licenses. Upon request, open-source software source code is available at cost from Linksys for at least three years from the product purchase date.
WEB: For detailed license terms and additional information visit: www.linksys.com/gpl
Online Resources
Website addresses in this document are listed without http:// in front of the address because most current web browsers do not require it. If you use an older web browser, you may have to add http:// in front of the web address.
Resource Website
Linksys www.linksys.com
Linksys International www.linksys.com/international
Glossary www.linksys.com/glossary
Network Security www.linksys.com/security
Copyright and Trademarks
Linksys is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Copyright © 2007 Cisco Systems, Inc. All rights reserved. Other brands and product names are trademarks or registered trademarks of their respective holders.
4-Port Gigabit Security Router with VPN
i
Table of Contents
Chapter 1: Introduction 1
Chapter 2: Networking and Security Basics 2
An Introduction to LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Use of IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Intrusion Prevention System (IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Chapter 3: Planning Your Virtual Private Network (VPN) 4
Why do I need a VPN?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1) MAC Address Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2) Data Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3) Man in the middle attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What is a VPN? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
VPN Router to VPN Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Computer (using the Linksys VPN client software) to VPN Router . . . . . . . . . . . . 5
Chapter 4: Product Overview 6
Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Back Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 5: Setting Up and Conguring the Router 7
Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Setup > Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Setup > WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Setup > LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Setup > DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Setup > MAC Address Clone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Setup > Advanced Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Setup > Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Setup > IP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Firewall > Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Firewall > IP Based ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Firewall > Internet Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Firewall > Single Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Firewall > Port Range Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Firewall > Port Range Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
VPN > Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
VPN > IPSec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
VPN > VPN Client Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
VPN > VPN Passthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
QoS > Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
QoS > QoS Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
QoS > DSCP Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Administration > Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Administration > Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Administration > Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Administration > Backup & Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Administration > Factory Default. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Administration > Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Administration > Firmware Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
IPS > Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
IPS > P2P/IM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
IPS > Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
IPS > Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
L2 Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
L2 > Create VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
L2 > VLAN Port Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
L2 > VLAN Membership. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
L2 > RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
L2 > Port Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
L2 > Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
L2 > Port Mirroring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
L2 > RSTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Status > Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Status > Local Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Appendix A: Troubleshooting 33
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Appendix B: Using Linksys QuickVPN for Windows 2000, XP, or Vista 41
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Installing the Linksys QuickVPN Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Installing from the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Downloading and Installing from the Internet . . . . . . . . . . . . . . . . . . . . . . . .41
Using the Linksys QuickVPN Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Version Number of the QuickVPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Distributing Certificates to QuickVPN Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Appendix C: Configuring IPSec with a Windows 2000 or XP Computer 44
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
How to Establish a Secure IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Step 1: Create an IPSec Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Step 2: Build Filter Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Step 3: Configure Individual Tunnel Rules . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Step 4: Assign New IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Step 5: Create a Tunnel Through the Web-Based Utility. . . . . . . . . . . . . . . . . . .49
Appendix D: Gateway-to-Gateway VPN Tunnel 50
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Configuration when the Remote Gateway Uses a Static IP Address . . . . . . . . . . . . . .50
Configuration of the RVS4000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Configuration of the RV082 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Configuration of PC 1 and PC 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Configuration when the Remote Gateway Uses a Dynamic IP Address. . . . . . . . . . . .52
Configuration of the RVS4000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Configuration of the RV082 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Configuration of PC 1 and PC 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Configuration when Both Gateways Use Dynamic IP Addresses . . . . . . . . . . . . . . . .53
Configuration of the RVS4000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Configuration of the RV082 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Configuration of PC 1 and PC 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Appendix E: Trend Micro ProtectLink Gateway Service 55
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
How to Access the Web-Based Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
How to Purchase, Register, or Activate the Service. . . . . . . . . . . . . . . . . . . . . . . . .55
ProtectLink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
How to Use the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
ProtectLink > Web Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
ProtectLink > Email Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
ProtectLink > License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Appendix F: Specications 60
Appendix G: Warranty Information 62
Exclusions and Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Obtaining Warranty Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Appendix H: Regulatory Information 64
FCC Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Safety Notices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Industry Canada Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Avis d’Industrie Canada. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
User Information for Consumer Products Covered by EU Directive 2002/96/EC on Waste Electric and Electronic Equipment (WEEE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Appendix I: Software License Agreement 69
Software in Linksys Products: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Software Licenses: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Schedule 1 Linksys Software License Agreement. . . . . . . . . . . . . . . . . . . . . . .69
Schedule 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Schedule 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Appendix J: Contact Information 76
Chapter 1: Introduction
Thank you for choosing the 4-Port Gigabit Security Router with VPN. The Linksys 4-Port Gigabit Security Router with VPN is an advanced Internet-sharing network solution for your small business needs. Like any router, it lets multiple computers in your office share an Internet connection.
The 4-Port Gigabit Security Router with VPN also features a built-in 4-Port full-duplex 10/100/1000 Ethernet switch to connect four PCs directly, or you can connect more hubs and switches to create as big a network as you need.
The Virtual Private Network (VPN) capability creates encrypted “tunnels” through the Internet, allowing up to 5 remote offices and 5 traveling users to securely connect into your office network from off-site. Users connecting through a VPN tunnel are attached to your company’s network — with secure access to files, e-mail, and your intranet — just as if they were in the building. You can also use the VPN capability to allow users on your small office network to securely connect out to a corporate network. The QoS features provide consistent voice and video quality throughout your business.
The 4-Port Gigabit Security Router with VPN can serve as a DHCP Server, and has a powerful SPI firewall and Intrusion Prevention System (IPS) to protect your PCs against intruders and most known Internet attacks. It can be configured to filter internal users’ access to the Internet, and has IP and MAC address filtering so you can specify exactly who has access to your network. Configuration is a snap with the web browser-based configuration utility.
This user guide will give you all the information you need to connect, set up, and configure your Router.
Chapter 2: Networking and Security Basics
An Introduction to LANs
A Router is a network device that connects two networks together.
The Router connects your local area network (LAN), or the group of PCs in your home or office, to the Internet. The Router processes and regulates the data that travels between these two networks.
The Router’s Network Address Translation (NAT) technology protects your network of PCs so users on the Internet cannot “see” your PCs. This is how your LAN remains private. The Router protects your network by inspecting the first packet coming in through the Internet port before delivery to the final destination on one of the Ethernet ports. The Router inspects Internet port services like the web server, ftp server, or other Internet applications, and, if allowed, it will forward the packet to the appropriate PC on the LAN side.
The Use of IP Addresses
IP stands for Internet Protocol. Every device in an IP-based network, including PCs, print servers, and routers, requires an IP address to identify its location, or address, on the network. This applies to both the Internet and LAN connections.
NOTE: Since the Router is a device that connects two networks, it needs two IP addresses: one for the LAN, and one for the Internet. In this User Guide, you’ll see references to the “Internet IP address” and the “LAN IP address.”
There are two ways of assigning IP addresses to your network devices.
A static IP address is a fixed IP address that you assign manually to a PC or other device on the network. Since a static IP address remains valid until you disable it, static IP addressing ensures that the device assigned it will always have that same IP address until you change it. Static IP addresses are commonly used with network devices such as server PCs or print servers.
If you use the Router to share your cable or DSL Internet connection, contact your ISP to find out if they have assigned a static IP address to your account. If so, you will need that static IP address when configuring the Router. You can get the information from your ISP.
A dynamic IP address is automatically assigned to a device on the network. These IP addresses are called dynamic because they are only temporarily assigned to the PC or other device. After a certain time period, they expire and may change. If a PC logs onto the network (or the Internet) and its dynamic IP address has expired, the DHCP server will assign it a new dynamic IP address.
A DHCP server can either be a designated PC on the network or another network device, such as the Router. By default, the Router’s Internet Connection Type is Obtain an IP automatically (DHCP).
The PC or network device obtaining an IP address is called the DHCP client. DHCP frees you from having to assign IP addresses manually every time a new user is added to your network.
By default, a DHCP server (on the LAN side) is enabled on the Router. If you already have a DHCP server running on your network, you MUST disable one of the two DHCP servers. If you run more than one DHCP server on your network, you will experience network errors, such as conflicting IP addresses. To disable DHCP on the Router, see “Chapter 5: Setting Up and Configuring the Router.”
For DSL users, many ISPs may require you to log on with a user name and password to gain access to the Internet. This is a dedicated, high-speed connection type called Point to Point Protocol over Ethernet (PPPoE). PPPoE is similar to a dial-up connection, but PPPoE does not dial a phone number when establishing a connection. It also provides the Router with a dynamic IP address to establish a connection to the Internet.
Since the Router uses NAT technology, the only IP address that can be seen from the Internet for your network is the Router’s Internet IP address. The Router can also be configured not to answer unsolicited requests sent to that Internet IP address, so that the Router and the network behind it appear invisible to the Internet.
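The NAT and first-packet inspection behaviour described above, as an added worked example. This is illustration code written for this page, not the RVS4000’s firmware: the Router class, its session table, the forwarding-rule format and the addresses are all constructed for the demo. Outbound traffic from the LAN creates a session entry and is rewritten to the Router’s Internet IP address; an inbound packet is delivered only when it matches an existing session (a reply) or an explicitly published service, and is otherwise dropped.

```python
"""Toy model of NAT plus stateful first-packet inspection (added example, not the router's code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# (proto, router-side ip, router-side port, remote ip, remote port)
SessionKey = Tuple[str, str, int, str, int]


@dataclass
class Router:
    wan_ip: str                                   # the "Internet IP address" of the guide
    lan_prefix: str = "192.168.1."                # assumed LAN, the guide's default subnet
    # published services: WAN port -> (LAN host, LAN port); stands in for port forwarding
    forward: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # sessions started from the LAN: translated tuple -> original (LAN host, LAN port)
    sessions: Dict[SessionKey, Tuple[str, int]] = field(default_factory=dict)
    _next_port: int = 40000                       # next free translated source port

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the WAN address and remember the session."""
        if not self._is_lan(pkt.src_ip):
            raise ValueError("outbound() expects a LAN source address")
        nat_port = self._next_port
        self._next_port += 1
        key = (pkt.proto, self.wan_ip, nat_port, pkt.dst_ip, pkt.dst_port)
        self.sessions[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, nat_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver a reply or a published service, otherwise drop (None)."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions:                  # reply to a connection a LAN host opened
            lan_ip, lan_port = self.sessions[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        if pkt.dst_ip == self.wan_ip and pkt.dst_port in self.forward:
            lan_ip, lan_port = self.forward[pkt.dst_port]   # explicitly published service
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        return None                               # unsolicited: LAN hosts stay invisible


def demo():
    """Constructed traffic: one LAN client, one published web server, one probe."""
    r = Router(wan_ip="203.0.113.10", forward={80: ("192.168.1.50", 80)})
    out = r.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 443))
    reply = r.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))
    web = r.inbound(Packet("198.51.100.9", 33000, "203.0.113.10", 80))
    probe = r.inbound(Packet("198.51.100.9", 33001, "203.0.113.10", 22))
    return out, reply, web, probe


if __name__ == "__main__":
    for name, p in zip(("out", "reply", "web", "probe"), demo()):
        print(name, p)
```

A real SPI firewall also checks TCP flags and sequence numbers and expires idle sessions; the point here is only the decision rule: anything that is neither a reply nor a published service is dropped at the Internet port.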
The Intrusion Prevention System (IPS)
IPS is an advanced technology to protect your network from malicious attacks. IPS works together with your SPI Firewall, IP Based Access Control List (ACL), Network Address Port Translation (NAPT), and Virtual Private Network (VPN) to achieve the highest level of security. IPS works by providing real-time detection and prevention as an in-line module in a router.
The RVS4000 has hardware-based acceleration for real-time pattern matching for detecting malicious attacks. It actively filters and drops malicious TCP/UDP/ICMP/IGMP packets and can reset TCP connections. This protects your client PCs and servers running various operating systems including Windows, Linux, and Solaris from network worm attacks. However, this system does not prevent viruses contained in email attachments.
The P2P (peer-to-peer) and IM (instant messaging) control allows the system administrator to prevent network users from using those protocols to communicate with people over the Internet. This helps the administrators to set up company policies on how to use the Internet bandwidth wisely.
The signature file is the heart of the IPS system. It is similar to the Virus definition file on your PC’s Anti-Virus software. IPS uses this file to match against packets coming into the Router and performs actions accordingly. The RVS4000 is shipped with a signature file containing 1000+ rules, which cover the following categories: DDoS, Buffer Overflow, Access Control, Scan, Trojan Horse, Misc., P2P, IM, Virus, Worm, and Web Attacks.
Customers are encouraged to update their IPS signature file regularly to prevent any new types of attacks on the Internet.
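Signature-file style matching, as an added example of how the IPS section above works: each rule carries a category, a protocol, a pattern and an action (drop, or reset for TCP), packets are checked in rule order, and hits are counted per category the way a report would. This is illustration code, not the RVS4000’s engine; the rule format and the four sample signatures (textbook patterns such as a NOP sled, the BitTorrent handshake, an XMPP stream header and directory traversal) are constructed for this page and are not entries from the shipped signature file.

```python
"""Toy signature matcher in the spirit of the IPS description (added example, not the router's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    category: str        # e.g. "Buffer Overflow", "P2P", "IM", "Web Attacks"
    proto: str           # "tcp", "udp", "icmp", "igmp" or "any"
    pattern: bytes       # literal bytes, or a regex when regex=True
    action: str          # "drop", or "reset" (only meaningful for tcp)
    regex: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str       # "in" (from the Internet) or "out" (from the LAN)
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    action: str          # "pass", "drop" or "reset"
    rule: Optional[Rule]
    scope: Optional[str] # "external" or "internal", mirroring the IPS LED colours


# Constructed sample signatures; NOT the router's signature file
RULES: List[Rule] = [
    Rule(1001, "Buffer Overflow", "tcp", rb"\x90{32,}", "reset", regex=True),         # NOP sled
    Rule(1002, "P2P", "tcp", b"\x13BitTorrent protocol", "drop"),                      # BT handshake
    Rule(1003, "IM", "tcp", rb"^<stream:stream[^>]*jabber:client", "drop", regex=True),  # XMPP
    Rule(1004, "Web Attacks", "tcp", rb"(?i)(\.\./){3,}", "drop", regex=True),        # traversal
]


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.regex:
        return re.search(rule.pattern, pkt.payload, re.DOTALL) is not None
    return rule.pattern in pkt.payload


def inspect(pkt: Packet, rules: List[Rule] = RULES, block_p2p_im: bool = True) -> Verdict:
    """First matching rule wins; P2P/IM rules are policy and can be switched off."""
    for rule in rules:
        if rule.category in ("P2P", "IM") and not block_p2p_im:
            continue
        if _matches(rule, pkt):
            action = rule.action
            if action == "reset" and pkt.proto != "tcp":
                action = "drop"             # a TCP reset makes no sense for other protocols
            scope = "external" if pkt.direction == "in" else "internal"
            return Verdict(action, rule, scope)
    return Verdict("pass", None, None)


def report(packets: List[Packet], rules: List[Rule] = RULES) -> Dict[str, int]:
    """Hits per category, the raw material of an IPS report."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        v = inspect(pkt, rules)
        if v.rule is not None:
            counts[v.rule.category] = counts.get(v.rule.category, 0) + 1
    return counts


# Constructed sample traffic
SAMPLE: List[Packet] = [
    Packet("tcp", "in", b"GET /../../../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "in", b"\x90" * 64 + b"\xcc"),
    Packet("tcp", "out", b"\x13BitTorrent protocol" + bytes(8) + b"0" * 40),
    Packet("tcp", "out", b"<stream:stream xmlns='jabber:client' to='example.org'>"),
    Packet("tcp", "in", b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        v = inspect(pkt)
        print(v.action, v.rule.category if v.rule else "-", v.scope)
    print(report(SAMPLE))
```

Matching here is per packet; a production IPS reassembles TCP streams first, otherwise a signature split across two segments is missed. The inline NOP-sled rule also shows why signature updates matter: it only catches what it was written for.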
IPS Scenarios
Chapter 3: Planning Your Virtual Private Network (VPN)
Why do I need a VPN?
Computer networking provides a flexibility not available when using an archaic, paper-based system. With this flexibility, however, comes an increased risk in security. This is why firewalls were first introduced. Firewalls help to protect data inside of a local network. But what do you do once information is sent outside of your local network, when e-mails are sent to their destination, or when you have to connect to your company’s network when you are out on the road? How is your data protected?
That is when a VPN can help. VPNs are called Virtual Private Networks because they secure data moving outside of your network as if it were still within that network.
When data is sent out across the Internet from your computer, it is always open to attacks. You may already have a firewall, which will help protect data moving around or held within your network from being corrupted or intercepted by entities outside of your network, but once data moves outside of your network—when you send data to someone via e-mail or communicate with an individual over the Internet—the firewall will no longer protect that data.
At this point, your data becomes open to hackers using a variety of methods to steal not only the data you are transmitting but also your network login and security data. Some of the most common methods are as follows:
1) MAC Address Spoofing
Packets transmitted over a network, either your local network or the Internet, are preceded by a packet header that carries the source and destination addresses needed to deliver the packet. A hacker who can observe these headers learns which MAC addresses are allowed on the network and can spoof (fake) one of them. With a spoofed MAC address, the hacker can get past MAC-based access controls and intercept information meant for the legitimate user.
2) Data Sniffing
Data “sniffing” is a method used by hackers to obtain network data as it travels through unsecured networks, such as the Internet. Tools for just this kind of activity, such as protocol analyzers and network diagnostic tools, are often built into operating systems and allow the data to be viewed in clear text.
3) Man in the middle attacks
Once the hacker has sniffed or spoofed enough information, he can perform a “man in the middle” attack. While data is being transmitted from one network to another, the hacker reroutes it through a system he controls, where it can be read or altered before being passed on or discarded. The sender believes the data reached its intended recipient, but it has passed through (or stopped at) the hacker’s system instead.
These are only a few of the methods hackers use and they are always developing more. Without the security of your VPN, your data is constantly open to such attacks as it travels over the Internet. Data travelling over the Internet will often pass through many different servers around the world before reaching its final destination. That’s a long way to go for unsecured data and this is when a VPN serves its purpose.
What is a VPN?
A VPN, or Virtual Private Network, is a connection between two endpoints—a VPN Router, for instance—in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. This establishes a private network that can send data securely between these two locations or networks.
This is done by creating a “tunnel”. A VPN tunnel connects the two PCs or networks and allows data to be transmitted over the Internet as if it were still within those networks. Not a literal tunnel, it is a connection secured by encrypting the data sent between the two networks.
VPN was created as a cost-effective alternative to using a private, dedicated, leased line for a private network. Using industry standard encryption and authentication techniques—IPSec, short for IP Security—VPN creates a secure connection that, in effect, operates as if you were directly connected to your local network. VPN can be used to create secure networks linking a central office with branch offices, telecommuters, and/or professionals on the road (travelers can connect to a VPN Router using any computer with the Linksys VPN client software.)
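The three attacks above, run against the same message with and without a tunnel, as an added worked example. This is illustration code for this page, not Linksys code and not IPSec: the “tunnel” is a toy authenticated encryption built from HMAC-SHA256 (a keystream plus an integrity tag) so that the example runs with the Python standard library alone, and the shared key stands in for the authenticated peers of a real VPN. Do not use this construction as a cipher; what it shows is that a sniffer on the path sees only ciphertext, that a man in the middle who alters a packet is detected, and that a spoofed peer without the key is rejected.

```python
"""Sniffing, tampering and spoofing against cleartext vs a toy tunnel (added example, not IPSec)."""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Deterministic keystream from HMAC(key, nonce || counter); illustration only."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt then MAC: nonce || ciphertext || tag (tag covers nonce and ciphertext)."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, packet: bytes):
    """Verify the tag before decrypting; None means tampered or not from a key holder."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_scenarios() -> dict:
    """Constructed message and attacker actions; returns what each party observes."""
    key = os.urandom(32)                       # shared by the two legitimate endpoints only
    msg = b"login=alice&password=hunter2&transfer_to=acct-1001"
    results = {}

    # 1. Without a tunnel: the wire carries the message as-is
    wire = msg
    results["clear_sniff_sees_secret"] = b"hunter2" in wire          # data sniffing
    forged = wire.replace(b"acct-1001", b"acct-6666")                 # man in the middle
    results["clear_mitm_change_accepted"] = forged != msg and b"acct-6666" in forged

    # 2. With the tunnel
    wire = seal(key, msg)
    results["tunnel_sniff_sees_secret"] = b"hunter2" in wire
    tampered = bytearray(wire)
    tampered[NONCE_LEN + 8] ^= 0x01                                   # flip one ciphertext bit
    results["tunnel_mitm_change_accepted"] = unseal(key, bytes(tampered)) is not None
    spoofed = seal(os.urandom(32), b"login=alice&transfer_to=acct-6666")  # attacker, no key
    results["tunnel_spoofed_peer_accepted"] = unseal(key, spoofed) is not None
    results["tunnel_legit_roundtrip"] = unseal(key, wire) == msg
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

In IPSec the same properties come from ESP (confidentiality and integrity per packet) and from IKE, which authenticates the peers and negotiates the keys; a VPN does nothing for data once it leaves the tunnel at the far end.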
There are two basic ways to create a VPN connection:
VPN Router to VPN Router
Computer (using the Linksys VPN client software) to VPN Router
The VPN Router creates a “tunnel” or channel between two endpoints, so that data transmissions between them are secure. A computer with the Linksys VPN client software can be one of the two endpoints (refer to “Appendix B: Using Linksys QuickVPN for Windows 2000, XP, or Vista”). If you choose not to run the VPN client software, any computer with the built-in IPSec Security Manager (Windows 2000 and XP) allows the VPN Router to create a VPN tunnel using IPSec (refer to “Appendix C: Configuring IPSec between a Windows 2000 or XP PC and the Router”). Other versions of Microsoft operating systems require additional, third-party VPN client software applications that support IPSec to be installed.
VPN Router to VPN Router
An example of a VPN Router-to-VPN Router VPN would be as follows. At home, a telecommuter uses his VPN Router for his always-on Internet connection. His router is configured with his office’s VPN settings. When he connects to his office’s router, the two routers create a VPN tunnel, encrypting and decrypting data. As VPNs utilize the Internet, distance is not a factor. Using the VPN, the telecommuter now has a secure connection to the central office’s network, as if he were physically connected. For more information, refer to “Appendix D: Configuring a Gateway-to-Gateway IPSec Tunnel.”
Figure: VPN Router to VPN Router (Home: PC 1 and RVS4000 VPN Router; Office: VPN Router and PC 2)
For additional information and instructions about creating your own VPN, please visit Linksys’s website at www.linksys.com. You can also refer to “Appendix B: Using Linksys QuickVPN for Windows 2000, XP, or Vista”, “Appendix C: Configuring IPSec between a Windows 2000 or XP PC and the Router,” and “Appendix D: Configuring a Gateway-to-Gateway IPSec Tunnel.”
Computer (using the Linksys VPN client software) to VPN Router
The following is an example of a computer-to-VPN Router VPN. In her hotel room, a traveling businesswoman dials up her ISP. Her notebook computer has the Linksys VPN client software, which is configured with her office’s IP address. She accesses the Linksys VPN client software and connects to the VPN Router at the central office. As VPNs utilize the Internet, distance is not a factor. Using the VPN, she now has a secure connection to the central office’s network, as if she were physically connected.
Figure: Computer to VPN Router (Office: VPN Router and PC 2; Off-Site: laptop running Linksys VPN Client Software)
Chapter 4: Product Overview
Front Panel
The Router’s LEDs are located on the front panel of the Router.
Front Panel
POWER (Green) The Power LED lights up when the Router is powered on. If the LED is flashing, the Router is running a diagnostic test.
DIAG (Red) The Diag LED lights up when the system is not ready. The LED goes off when the system is ready. The Diag LED blinks during firmware upgrades.
IPS (Green/Red) The IPS LED lights up when the IPS function is enabled. If the LED is off, IPS is disabled. If the IPS LED is flashing green, an external attack has been detected. If the IPS LED is flashing red, an internal attack has been detected.
1-4 (ETHERNET) (Green) For each port, there are three LEDs. If the corresponding LED is continuously lit, the Router is connected to a device at the speed indicated through the corresponding port (1, 2, 3, or 4). If the LED is flashing, the Router is actively sending or receiving data over that port.
INTERNET (Green) The Internet LED that lights up depends on the speed of the device attached to the Internet port. If the Router is connected to a cable or DSL modem, typically only the 10 LED will be lit. Flashing indicates activity.
Back Panel
The Router’s ports and Reset button are located on the back panel of the Router.
Back Panel
RESET The Reset button can be used in one of two ways:
If the Router is having problems connecting to the Internet, press the Reset button for just a second with a paper clip or a pencil tip. This is similar to pressing the Reset button on your PC to reboot it.
If you are experiencing extreme problems with the Router and have tried all other troubleshooting measures, press and hold in the Reset button for 10 seconds. This will restore the factory defaults and clear all of the Router’s settings, such as port forwarding or a new password. Because the default login (admin/admin) is restored as well, change the password again before reconnecting the Router to the Internet.
INTERNET The Internet port connects to a cable or DSL modem.
1-4 (ETHERNET) The four Ethernet ports connect to network devices, such as PCs, print servers, or additional switches.
POWER The Power port is where you will connect the AC power cable.
Chapter 5: Setting Up and Configuring the Router
The router is configured using the built-in Web-based Utility. To access the Web-based Utility of the Router, open your web browser and enter http://192.168.1.1 into the Address field. Press the Enter key and the Login screen will appear.
Address Bar of Web Browser
NOTE: The default IP address is 192.168.1.1. If
the IP address has been changed using DHCP or via the console interface, enter the assigned IP address instead of the default.
The first time you open the web-based utility, enter admin (the default username) in the Username field and enter admin in the Password field. Click the OK button. You can change the password later from the Administration tab’s Management screen. Because every Router ships with this same username and password, change the password before you connect the Router to the Internet or enable Remote Management.
Login Screen
After you log in, the web-based utility starts. The utility’s main functions are indicated by eight tabs that appear at the top of each screen: Setup, Firewall, VPN, QoS, Administration, IPS, L2 Switch, and Status. After you select a tab, a list of that tab’s screens is displayed below the tab bar. To perform a specific function, you select a tab, then select the appropriate screen. By default, the Setup tab’s Summary screen is the first screen displayed following login.
The utility’s tabs and screens are described below. For brevity, screen names are listed using the notation: TabName > ScreenName.
Setup
The Setup tab is used to access all of the Router’s basic setup functions. The device can be used in most network settings without changing any of the default values. Some users may need to enter additional information in order to connect to the Internet through an ISP (Internet Service Provider) or broadband (DSL, cable modem) carrier.
Setup > Summary
The Setup > Summary screen displays a read-only summary of the Router’s basic information. Clicking on a hyperlink (underlined text) takes you directly to the related page where you can update the information.
Setup > Summary
System Information
Firmware version Displays the Router’s current software
version.
CPU Displays the Router’s CPU type.
System up time Displays the length of time that has
elapsed since the Router was last reset.
DRAM Displays the amount of DRAM installed in the
Router.
Flash Displays the amount of flash memory installed in
the Router.
Port Statistics
This section displays the following color-coded status information on the Router’s Ethernet ports:
Green Indicates that the port has a connection.
Black Indicates that the port has no connection.
Network Setting Status
LAN IP Displays the IP address of the Router’s LAN
interface.
WAN IP Displays the IP address of the Router’s WAN
interface. If this address was assigned using DHCP, click DHCP Release to release the address, or click
DHCP Renew to renew the address.
Mode Displays the operating mode, Gateway or Router.
Gateway Displays the Gateway address, which is the IP
address of your ISP’s server.
DNS 1-2 The IP addresses of the Domain Name System
(DNS) server(s) that the Router is using.
DDNS Indicates whether the Dynamic Domain Name
System (DDNS) feature is enabled.
DMZ Host Indicates whether the DMZ Hosting feature is
enabled.
Firewall Setting Status
DoS (Denial of Service) Indicates whether the DoS
Protection feature is enabled to block DoS attacks.
Block WAN Request Indicates whether the Block WAN
Request feature is enabled.
Remote Management Indicates whether the Remote Management feature is enabled.
IPSec VPN Setting Status
IPSec VPN Summary Click the IPSec VPN Summary hyperlink to display the VPN > Summary screen.
Tunnel(s) Used Displays the number of VPN tunnels currently being used.
Tunnel(s) Available Displays the number of VPN tunnels that are available.
Log Setting Status
E-mail If this displays Email cannot be sent because you have not specified an outbound SMTP server address, then you have not set up the mail server. Click the E-mail hyperlink to display the Administration > Log screen where you can configure the SMTP mail server.
Setup > WAN
Internet Connection Type
The Router supports six types of connections. Each Setup > WAN screen and available features will differ depending on what kind of connection type you select.
Automatic Configuration - DHCP
By default, the Router’s Configuration Type is set to Automatic Configuration - DHCP, and it should be kept only if your ISP supports DHCP or you are connecting through a dynamic IP address.
Automatic Configuration - DHCP
Static IP
If your connection uses a permanent IP address to connect to the Internet, then select Static IP.
Static IP
Internet IP Address This is the Router’s IP address, when
seen from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here.
Subnet Mask This is the Router’s Subnet Mask, as seen
by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
Default Gateway Your ISP will provide you with the
Default Gateway Address, which is the ISP server’s IP address.
Primary DNS (Required) and Secondary DNS (Optional) Your ISP will provide you with at least one
DNS (Domain Name System) Server IP Address.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes.
PPPoE
Some DSL-based ISPs use PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections. If you are connected to the Internet through a DSL line, check with your ISP to see if they use PPPoE. If they do, you will have to enable PPPoE.
PPPoE
User Name and Password Enter the User Name and Password provided by your ISP.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time), and then automatically re-establish the connection as soon as you attempt to access the Internet again. To activate Connect on Demand, select the Connect on Demand option and enter in the Max Idle Time field the number of minutes of inactivity that must elapse before your Internet connection is terminated automatically.
Keep Alive: Redial period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. In the Redial Period field, specify how often you want the Router to check the Internet connection. The default Redial Period is 30 seconds.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is a service that applies to connections in Europe and Israel only.
PPTP
IP Address This is the Router’s IP address, when seen from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here.
Subnet Mask This is the Router’s Subnet Mask, as seen by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
Default Gateway Your ISP will provide you with the Default Gateway Address.
PPTP Server Enter the IP address of the PPTP server.
User Name and Password Enter the User Name and Password provided by your ISP.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time), and then automatically re-establish the connection as soon as you attempt to access the Internet again. To activate Connect on Demand, select the Connect on Demand option and enter in the Max Idle Time field the number of minutes of inactivity that must elapse before your Internet connection is terminated automatically.
Keep Alive: Redial period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. In the Redial Period field, specify how often you want the Router to check the Internet connection. The default Redial Period is 30 seconds.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes.
Heart Beat Signal
Heart Beat Signal is a service used in Australia. Check with your ISP for the necessary setup information.
Heart Beat Signal
User Name and Password Enter the User Name and
Password provided by your ISP.
Heart Beat Server Enter the IP address of the Heart Beat
server.
Connect on Demand: Max Idle Time You can configure
the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time), and then automatically re-establish the connection as soon as you attempt to access the Internet again. To activate Connect on Demand, select the Connect on Demand option and enter in the Max Idle Time field the number of minutes of inactivity that must elapse before your Internet connection is terminated automatically.
Keep Alive: Redial period If you select this option, the
Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. In the Redial Period field, specify how often you want the Router to check the Internet connection. The default Redial Period is 30 seconds.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes.
L2TP
Layer 2 Tunneling Protocol (L2TP) is a service that tunnels Point-to-Point Protocol (PPP) across the Internet. It is used mostly in European countries. Check with your ISP for the necessary setup information.
L2TP
IP Address This is the Router’s IP address, when seen
from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here.
Subnet Mask This is the Router’s Subnet Mask, as seen
by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
Gateway Your ISP will provide you with the Default
Gateway Address.
L2TP Server Enter the IP address of the L2TP server.
User Name and Password Enter the User Name and
Password provided by your ISP.
Connect on Demand: Max Idle Time You can configure
the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time), and then automatically re-establish the connection as soon as you attempt to access the Internet again. To activate Connect on Demand, select the Connect on Demand option and enter in the Max Idle Time field the number of minutes of inactivity that must elapse before your Internet connection is terminated automatically.
Keep Alive: Redial period If you select this option, the
Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. The default Redial Period is 30 seconds.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes.
Optional Settings (Required by some ISPs)
Some of these settings may be required by your ISP. Verify with your ISP before making any changes.
Optional Settings
Host Name Some ISPs, usually cable ISPs, require a host
name as identification. You may have to check with your ISP to see if your broadband Internet service has been configured with a host name. In most cases, leaving this field blank will work.
Domain Name Some ISPs, usually cable ISPs, require a
domain name as identification. You may have to check with your ISP to see if your broadband Internet service has been configured with a domain name. In most cases, leaving this field blank will work.
MTU MTU is the Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. Select Manual if you want to manually enter the largest packet size that will be transmitted. To have the Router select the best MTU for your Internet connection, keep the default setting, Auto.
Size When Manual is selected in the MTU field, this option is enabled. It is recommended that you set this value within the range of 1200 to 1500, but the value can be defined between 128 and 1500.
DDNS Service DDNS Service is disabled by default. To enable DDNS Service, follow these instructions:
1. Sign up for DDNS Service.
DynDNS - Sign up for DDNS service at www.dyndns.org, and write down your User Name, Password, and Host Name information.
TZO - Sign up for DDNS service at www.tzo.com, and write down your E-mail Address, Password and Domain Name information.
2. Select the DDNS service provider whose service you are using.
3. Configure the following fields:
User Name (DynDNS) or E-mail address (TZO)
Password
Host Name (DynDNS) or Domain name (TZO)
Custom DNS (DynDNS)
4. Click Save Settings.
The Router will now advise the DDNS Service of your current WAN (Internet) IP address whenever this address changes. If using TZO, you should NOT use the TZO software to perform this “IP address update”.
Connect The Connect button is displayed when DDNS is enabled. This button is used to contact the DDNS server to manually update your IP address information. The Status area on this screen is also updated.
Setup > LAN
The Setup > LAN screen allows you to change the Router’s local network settings.
Setup > LAN
VLAN Select the VLAN for the DHCP server from the
drop-down menu.
NOTE: This option appears only if you have
created at least one VLAN from the L2 Switch > Create VLAN screen.
IPv4
The Router’s Local IP Address and Subnet Mask are shown here. In most cases, you can keep the defaults.
Local IP Address The default value is 192.168.1.1.
Subnet Mask The default value is 255.255.255.0.
Server Settings (DHCP)
The Router can be used as your network’s DHCP (Dynamic Host Configuration Protocol) server, which automatically assigns an IP address to each PC on your network. Unless you already have one, it is highly recommended that you leave the Router enabled as a DHCP server.
DHCP Server DHCP is already enabled by factory default.
If you already have a DHCP server on your network, or if you don’t want a DHCP server, then select Disabled (no other DHCP features will be available). If you already have a DHCP server on your network, and you want this Router to act as a Relay for that DHCP Server, select DHCP Relay, then enter the DHCP Server IP Address. If you disable DHCP, assign a static IP address to the Router.
Starting IP Address Enter a value for the DHCP server
to start with when issuing IP addresses. This value must be 192.168.1.2 or greater, but smaller than 192.168.1.254, because the default IP address for the Router is 192.168.1.1, and 192.168.1.255 is the broadcast IP address.
Maximum Number of DHCP Users Enter the maximum
number of PCs that you want the DHCP server to assign IP addresses to. This number cannot be greater than 253. In order to determine the DHCP IP Address range, add the starting IP address (e.g., 100) to the number of DHCP users.
Client Lease Time This is the amount of time a DHCP client can keep the assigned IP address before it sends a renewal request to the DHCP server.
Static DNS 1-3 If applicable, enter the IP address(es) of your DNS server(s).
WINS The Windows Internet Naming Service (WINS) provides name resolution service (similar to DNS) in Windows networks. If you use a WINS server, enter that server’s IP Address here. Otherwise, leave this blank.
Static IP Mapping
Static IP Mapping is used to bind a specific IP address to a specific MAC address. This helps external (WAN) users to access LAN servers that are advertised through NAPT port forwarding, because a port forwarding rule only keeps working while the server keeps the IP address the rule points at. You can define up to 50 entries.
Static IP Address Enter the IP address to be mapped.
MAC Address Enter the MAC address to be mapped.
Host Name Enter the host name to be mapped.
Click Add to create the entry and add it to the list. To modify an existing entry, select it from the list, edit the appropriate field(s), and then click Modify. To delete an entry, select it and click Remove.
IPv6
IPv6 Address If your network has implemented IPv6, enter the proper IPv6 address in this field.
Prefix Length Enter the appropriate IPv6 prefix length.
Router Advertisement Enabling this option allows IPv6 hosts to configure their IP addresses automatically using the IPv6 prefix advertised by the router.
DHCPv6
To enable the DHCP v6 feature, select Enable. To disable DHCP v6, select Disable.
Lease time Enter the lease time in minutes.
DHCP6 address range start Enter the starting DHCP v6 IP address.
DHCP6 address range end Enter the ending DHCP v6 IP address.
Primary DNS Enter the Primary DHCP v6 DNS server address.
Secondary DNS Enter the Secondary DHCP v6 DNS server address.
Click Save Settings to save your changes, or click Cancel Changes to undo your changes.
Setup > DMZ
The DMZ screen allows one local PC to be exposed to the Internet for use of a special-purpose service such as Internet gaming and videoconferencing. Whereas Port Range Forwarding can only forward a maximum of 10 ranges of ports, DMZ hosting forwards all the ports for one PC at the same time. Because every unsolicited inbound connection from the Internet is then delivered to that PC, enable DMZ hosting only for a host that is hardened and that you are prepared to treat as directly exposed, and prefer Port Range Forwarding when only a few ports are needed.
Setup > DMZ
DMZ Hosting This feature allows one local PC to be
exposed to the Internet for use of a special-purpose service such as Internet gaming and videoconferencing. To use this feature, select Enable. To disable the DMZ feature, select Disable.
DMZ Host IP Address To expose one PC, enter the
computer’s IP address.
Click Save Settings to save your changes, or click Cancel Changes to undo your changes.
Setup > MAC Address Clone
Some ISPs require that you register a MAC address. This feature “clones” your network adapter’s MAC address onto the Router, and prevents you from having to call your ISP to change the registered MAC address to the Router’s MAC address. The Router’s MAC address is a 12-digit hexadecimal code (48 bits) assigned to a unique piece of hardware for identification.
Setup > MAC Address Clone
MAC Address Clone Select Enabled or Disabled from
the drop-down menu.
MAC Address Enter the MAC Address registered with
your ISP in this field.
Clone My PC’s MAC When MAC Address Clone is enabled,
click this button to copy the MAC address of the network adapter in the computer that you are using to connect to the Web interface.
Click Save Settings to save the MAC Cloning settings or click Cancel Changes to undo your changes.
Setup > Advanced Routing
Operating Mode
Operation Mode Select the Operating mode in which
this Router will function.:
Gateway This is the normal mode of operation. This
allows all devices on your LAN to share the same WAN (Internet) IP address. In Gateway mode, the NAT (Network Address Translation) mechanism is enabled.
Router You either need another Router to act as the
Internet Gateway, or all PCs on your LAN must be assigned (fixed) Internet IP addresses. In Router mode, the NAT mechanism is disabled.
Dynamic Routing
The Router’s dynamic routing feature can be used to automatically adjust to physical changes in the network’s layout. The Router can use the dynamic RIP protocol to calculate the route for the network’s data packets to travel between the source and the destination, choosing the path with the fewest hops. The RIP protocol regularly broadcasts routing information to other routers on the network. Because the Router also accepts the routing updates it hears on the LAN, any device on that segment that speaks RIP can alter the Router’s routing table; keep RIP disabled unless other routers on your LAN actually need it.
RIP (Routing Information Protocol) If you want the Router to use the RIP protocol, select Enabled; otherwise, keep the default setting, Disabled.
RIP Send Packet Version Choose the TX protocol you want for transmitting routing updates on the network: RIPv1 or RIPv2. This should match the version supported by other Routers on your LAN.
RIP Recv Packet Version Choose the RX protocol you want for receiving routing updates from the network: RIPv1 or RIPv2. This should match the version supported by other Routers on your LAN.
Static Routing
Setup > Advanced Routing
Sometimes you will prefer to use static routes to build your routing table instead of using dynamic routing protocols. Static routes do not require CPU resources to exchange routing information with a peer router. You can also use static routes to reach peer routers that do not support dynamic routing protocols. Static routes can be used together with dynamic routes. Be careful not to introduce routing loops in your network.
To set up static routing, you should add route entries in the routing table that tell the Router where to forward packets to specific IP destinations.
Enter the following data to create a static route entry:
Select Set Number Select the set number (routing
table entry number) that you wish to view or configure. If necessary, click Delete This Entry to clear the entry.
Destination IP Address Enter the network address of the remote LAN segment. For a standard Class C IP domain (a /24 network), the network address is the first three fields of the Destination LAN IP, while the last field should be zero.
Subnet Mask Enter the Subnet Mask used on the destination LAN IP domain. For Class C IP domains, the Subnet Mask is 255.255.255.0.
Gateway Enter the IP address of the next-hop router through which the destination network is reached. This must be an address on one of the Router’s directly connected networks: typically the LAN-side address of another router that serves the remote segment, or, for destinations reached through your ISP, the Default Gateway address from the Setup > WAN screen.
Hop Count This value gives the number of routers that a data packet passes through before reaching its destination; switches and PCs along the way are not counted. The maximum hop count value is 16, which RIP treats as unreachable.
Show Routing Table Click this button to show the
routing table established either through dynamic or static routing methods.
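As an added example (not Linksys or Cisco code), the following Python models a static routing table shaped like the entries on this screen and traces where a packet is forwarded hop by hop across several routers, flagging the routing loops that the text warns about. It assumes longest-prefix matching, that each route’s Gateway is the interface address of a directly reachable router, and a constructed three-router topology (the RVS4000, its ISP, and a branch router behind it); all addresses are made up.

```python
import ipaddress


class Router:
    """A router with its interface addresses and a static routing table
    shaped like the Setup > Advanced Routing entries (Destination IP
    Address, Subnet Mask, Gateway, Hop Count)."""

    def __init__(self, name, interfaces):
        self.name = name
        # e.g. "192.168.1.1/24": the address also gives the directly connected network
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.static = []  # (destination network, gateway address, hop count)

    def add_static(self, destination, subnet_mask, gateway, hop_count=1):
        net = ipaddress.ip_network(f"{destination}/{subnet_mask}")
        self.static.append((net, ipaddress.ip_address(gateway), hop_count))

    def lookup(self, dst):
        """Longest-prefix match (assumed, as on most routers). Returns
        ("connected", None), ("via", gateway) or None when no route exists."""
        ip = ipaddress.ip_address(dst)
        best = None  # (prefix length, kind, gateway)
        for iface in self.ifaces:
            if ip in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, "connected", None)
        for net, gw, _hops in self.static:
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "via", gw)
        return None if best is None else best[1:]


def owner_of(routers, addr):
    """Find which router holds the given interface address (the next hop)."""
    ip = ipaddress.ip_address(addr)
    for r in routers:
        if any(ip == i.ip for i in r.ifaces):
            return r
    return None


def trace(routers, start, dst, max_hops=16):
    """Forward a packet for dst hop by hop. Returns (status, path of router
    names); status is 'delivered', 'no-route', 'bad-gateway', 'loop' or
    'ttl-exceeded'. 16 is also the RIP hop-count limit."""
    path, cur = [start.name], start
    while len(path) <= max_hops:
        hop = cur.lookup(dst)
        if hop is None:
            return "no-route", path
        kind, gw = hop
        if kind == "connected":
            return "delivered", path
        nxt = owner_of(routers, gw)
        if nxt is None:
            return "bad-gateway", path
        if nxt.name in path:  # we have been here before: a routing loop
            return "loop", path + [nxt.name]
        path.append(nxt.name)
        cur = nxt
    return "ttl-exceeded", path


def build_sample():
    """Constructed topology: the RVS4000 with its ISP link and a branch
    router behind it that serves 10.10.5.0/24 (all addresses made up)."""
    rvs = Router("RVS4000", ["192.168.1.1/24", "203.0.113.2/30"])
    branch = Router("Branch", ["192.168.1.254/24", "10.10.5.1/24"])
    isp = Router("ISP", ["203.0.113.1/30", "198.51.100.1/24"])
    rvs.add_static("0.0.0.0", "0.0.0.0", "203.0.113.1")             # default route to the ISP
    rvs.add_static("10.10.0.0", "255.255.0.0", "192.168.1.254", 2)  # all of 10.10/16 via Branch
    branch.add_static("0.0.0.0", "0.0.0.0", "192.168.1.1")          # Branch sends the rest back
    return [rvs, branch, isp], rvs, branch, isp


def demo():
    routers, rvs, _branch, isp = build_sample()
    return {
        "internet": trace(routers, rvs, "198.51.100.7"),
        "branch_lan": trace(routers, rvs, "10.10.5.9"),
        # inside 10.10/16 but not a LAN Branch has: bounces RVS4000 <-> Branch
        "loop": trace(routers, rvs, "10.10.9.9"),
        "isp_no_route": trace(routers, isp, "10.10.5.9"),
    }


if __name__ == "__main__":
    for name, (status, path) in demo().items():
        print(f"{name:13} {status:10} {' -> '.join(path)}")
```

The loop case is the one to watch for: an aggregate static route (10.10/16 via Branch) combined with Branch’s default route back to the Router means any address in the aggregate that Branch does not actually serve circulates until a TTL expires.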
Inter-VLAN Routing
Inter-VLAN Routing Select Enable to allow packets to
be routed between VLANs that are in different subnets. The default is Enable.
Click Save Settings to save the Routing settings or click Cancel Changes to undo your changes.
Setup > Time
Setup > Time
Set the local time Manually If you wish to enter the time and date manually, select this option, then select the Date from the drop-down fields and enter the hour, minutes, and seconds in the Time fields using 24-hour format. For example, for 10:00 pm, enter 22 in the hours field, 0 in the minutes field, and 0 in the seconds field.
Set the local time using Network Time Protocol (NTP) Automatically If you wish to use a Network Time Protocol server to set the time and date, select this option, then complete the following fields. Accurate time matters beyond the display: the day and time windows in the IP Based ACL and Internet Access Policy rules and the timestamps in the log all depend on it.
Time Zone Select the time zone for your location and your time setting is synchronized over the Internet.
Auto Daylight Saving If your location observes daylight savings time, select the Enable option.
User-defined NTP Server To specify a user-defined NTP server, select the Enable option, then enter the NTP Server’s IP address in the NTP Server IP field.
NTP Server IP If the User-defined NTP Server option is set to Enable, enter the IP address of the NTP server.
Click Save Settings to save your settings or click Cancel Changes to undo your changes.
Setup > IP Mode
IPv4 Only Select this option to use IPv4 on the Internet
and local network.
Dual-Stack IP Select this option to use IPv4 on the
Internet and IPv4 and IPv6 on the local network. Then select how the IPv6 hosts will connect to the Internet:
NAPT-PT This allows an IPv6-only host on your LAN to connect to IPv4-only hosts on the WAN using address translation and protocol translation (per RFC 2766). Note that the IETF later reclassified NAT-PT as Historic (RFC 4966) because of its security and operational problems, so rely on it only where no native IPv6 path is available.
6to4 Tunnel This allows your IPv6 network to connect to other IPv6 networks via tunnels through IPv4 (per RFC 3056). The remote router also needs to support 6to4, and the Router’s WAN address must be a public IPv4 address, because that address is embedded in the 6to4 prefix.
Click Save Settings to save your settings or click Cancel
Changes to undo your changes.
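As an added example (not Linksys or Cisco code), the following Python derives the 6to4 prefix that RFC 3056 assigns to a site from its WAN IPv4 address, numbers a LAN subnet from it, and recovers the IPv4 endpoint hidden inside any 2002::/16 address seen in a log. The list of address ranges it refuses is an assumption: RFC 1918, loopback, link-local, multicast and similar non-public ranges, which no 6to4 relay could route back to. The addresses used are constructed.

```python
import ipaddress

# Ranges that must not be embedded in a 6to4 prefix (assumed list): a 6to4 relay
# on the far side has to be able to return traffic to the embedded IPv4 address.
NOT_USABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def usable_for_6to4(wan_ipv4):
    """True if a 6to4 prefix may be built from this WAN address."""
    v4 = ipaddress.IPv4Address(wan_ipv4)
    return not any(v4 in net for net in NOT_USABLE)


def sixto4_prefix(wan_ipv4):
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the WAN IPv4 address in hex."""
    if not usable_for_6to4(wan_ipv4):
        raise ValueError(f"{wan_ipv4} is not a public IPv4 address; 6to4 needs one")
    n = int(ipaddress.IPv4Address(wan_ipv4))
    return ipaddress.IPv6Network(f"2002:{n >> 16:04x}:{n & 0xFFFF:04x}::/48")


def lan_subnet(wan_ipv4, subnet_id):
    """One of the 65,536 /64 subnets the site can number its LAN from."""
    base = int(sixto4_prefix(wan_ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def embedded_ipv4(addr6):
    """Recover the IPv4 endpoint behind a 6to4 address: the 32 bits that follow
    the 2002 prefix. Returns None for addresses outside 2002::/16."""
    v6 = ipaddress.IPv6Address(addr6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    wan = "203.0.113.5"                      # constructed WAN address
    print("site prefix:", sixto4_prefix(wan))
    print("LAN subnet 1:", lan_subnet(wan, 1))
    print("origin of 2002:cb00:7105:1::1:", embedded_ipv4("2002:cb00:7105:1::1"))
    print("192.168.1.1 usable:", usable_for_6to4("192.168.1.1"))
```

The reverse mapping is the operationally useful part: a 6to4 source address in a log or firewall event names the real IPv4 endpoint, which is what you would block or investigate.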
Firewall
From the Firewall Tab, you can configure the Router to deny or allow specific internal users from accessing the Internet. You can also configure the Router to deny or allow specific Internet users from accessing the internal servers. You can set up different packet filters for different users that are located on internal (LAN) side or external (WAN) side based on their IP addresses or their network Port number.
Firewall > Basic Settings
Firewall > Basic Settings
Firewall When this feature is enabled, the Router’s NAT firewall is active and unsolicited inbound traffic from the WAN is dropped.
DoS Protection When this feature is enabled, the Router will block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it.
Block WAN Request When this feature is enabled, the Router filters out anonymous requests from the WAN.
Remote Management This feature allows you to use an http or https port to remotely manage the Router. To enable this feature, select Enable and enter the port number in the Port field, then configure the HTTPS and Remote IP address settings that appear below. Remote Management exposes the administrative login to the Internet, so keep it disabled unless it is needed; if it is needed, keep HTTPS enabled and restrict the Remote IP address to the specific addresses you manage from.
HTTPS This option limits access to the Web-based Utility from the WAN to https sessions only. An https session uses SSL encryption, providing better protection for your remote session than http. The default is Enable.
Remote IP address Select the appropriate value to specify which external IP address(es) can access the Router:
Any IP Address Allows access from any external IP address.
Single IP Address Allows access from the single IP address that you enter in the field provided.
IP Range Allows access from a range of IP addresses that you enter in the field provided.
Subnet Allows access from the Subnet that you enter in the field provided.
Remote Upgrade This option allows you to upgrade the Router remotely. To allow remote upgrade, select Enable. The Remote Management feature must be set to Enable as well. The default is Disable.
Multicast Passthrough If an IGMP Proxy is running on the Router, set this to Enable to cause the Router to allow IP Multicast traffic to come in from the Internet. The default is Disable.
SIP Application Layer Gateway When this feature is enabled, the SIP Application Layer Gateway (ALG) allows Session Initiation Protocol (SIP) packets (used for Voice over IP) to traverse the NAT firewall. This feature can be disabled if the VoIP service provider is using other NAT traversal solutions such as STUN, TURN, and ICE.
Block Place a checkmark next to the Web features that you wish to restrict.
Java Java is a programming language for websites. If you deny Java, you run the risk of not having access to Internet sites created using this programming language.
Cookies A cookie is data stored on your PC and used by Internet sites when you interact with them, so you may not want to deny cookies.
ActiveX ActiveX is a Microsoft technology for embedding executable components in web pages viewed with Internet Explorer. If you deny ActiveX, you run the risk of not having access to Internet sites that use it. Also, Windows Update uses ActiveX, so if this is blocked, Windows Update will not work.
Access to Proxy HTTP Server If local users have access to WAN proxy servers, they may be able to circumvent the Router’s content filters and access Internet sites blocked by the Router. Denying Proxy will block access to any WAN proxy servers.
Firewall > IP Based ACL
The IP-Based ACL screen allows you to create an Access Control List (ACL) with up to 50 rules. Each ACL rule denies or allows access to the network based on various criteria including priority, service type, interface, source IP address, destination IP address, day of the week, and time of day.
Firewall > IP Based ACL
Editing IP ACL Rules
Priority This is the rule’s priority.
Enable This indicates whether the rule is enabled or
disabled.
Action This is the rule’s action, either Allow or Deny.
Service This is the service(s) to which the rule applies.
Source Interface This is the source interface, either WAN,
LAN, or ANY.
Source This is the source IP address, which can be one
specific IP address, ANY (all IP addresses), a range of IP addresses, or a specific IP subnet.
Destination This is the destination IP address, which can
be one specific IP address, ANY (all IP addresses), a range of IP addresses, or a specific IP subnet.
Time The time of day when the rule is in effect, either Any
Time (24 hours) or a specific start and end time.
Day The day(s) of the week when the rule is in effect. This
may be Any Day or a user-specified set of days.
Edit button Click Edit at the end of a row to edit the
associated rule.
Delete button Click Delete at the end of a row to delete
the associated rule.
To add a new rule to the ACL rule table, click Add New Rule and the Edit IP ACL Rule screen appears. Follow the instructions in the section below to create a new ACL rule. To disable all the rules without deleting them, click Disable All Rules. To delete all the rules from the table, click Delete All Rules.
Edit IP ACL Rule
Action Select the desired action, Allow or Deny, from
the drop-down menu.
Service Select the service types to which the rule will apply. You can either select one of the predefined services in the drop-down menu; select ALL to allow or deny all types of IP traffic; or define a new service by clicking Service Management to bring up the Service Management screen, then enter the new service’s Name, select the Type (TCP, UDP, or TCP/UDP), enter the Start Port and Finish Port, then click Save. The new service will then appear in the drop-down menu on the Edit IP ACL Rule screen.
Log Select this option to log all traffic that is filtered by
this rule.
Log Prefix Enter a text string that will be prepended to
each matched event in the log.
Source Interface Select the source interface, WAN, LAN,
or ANY, from the drop-down menu.
Source IP To apply the rule to one source IP address,
select Single from the drop-down menu, then enter the address in the field. To apply the rule to all source IP addresses, select ANY from the drop-down menu. To apply the rule to a range of IP addresses, select Range and enter the starting and ending IP addresses. To apply the rule to a subnet, select Net and enter the IP address and subnet mask.
Destination IP To apply the rule to one destination IP
address, select Single from the drop-down menu, then enter the address in the field. To apply the rule to all destination IP addresses, select ANY from the drop-down menu. To apply the rule to a range of IP addresses, select Range and enter the starting and ending IP addresses. To apply the rule to a subnet, select Net and enter the IP address and subnet mask.
Days To make the rule apply on a daily basis, select Everyday. To make the rule apply on specific days of the week only, select the desired days.
Time To make the rule apply for an entire day, select 24 Hours. To make the rule apply only during a specific period of the day, enter the starting time in the From field and the ending time in the To field.
Click Save Settings to save your settings. Click Cancel Changes to cancel your changes. Click Return to return to the IP-Based ACL screen.
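As an added example (not Linksys or Cisco code), the following Python models the IP ACL rule table described above (Priority, Enable, Action, Service, Source Interface, Source, Destination, Days, Time, Log and Log Prefix) and runs a small constructed rule set over sample packets. It assumes that rules are evaluated in ascending priority order with the first match deciding, and that traffic matching no rule is allowed; the manual does not state either, so check both against the Router’s behaviour before relying on them. The rule set, services, addresses and dates are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

ANY = "ANY"


@dataclass(frozen=True)
class Service:
    """Service Management entry: Name, Type (TCP, UDP, TCP/UDP or ALL), port range."""
    name: str
    proto: str
    start_port: int = 0
    finish_port: int = 65535

    def matches(self, proto, dport):
        if self.proto != "ALL" and proto not in self.proto.split("/"):
            return False
        return self.start_port <= dport <= self.finish_port


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                 # "Allow" or "Deny"
    service: Service
    source_if: str = ANY        # "WAN", "LAN" or "ANY"
    source: str = ANY           # Single "a.b.c.d", Range "lo-hi", Net "a.b.c.d/mask", or ANY
    destination: str = ANY
    days: frozenset = frozenset(range(7))  # 0 = Monday ... 6 = Sunday; all seven = Everyday
    time_from: time = time(0, 0)           # From / To; the defaults mean 24 Hours
    time_to: time = time(23, 59, 59)
    enabled: bool = True
    log: bool = False
    log_prefix: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str       # interface the packet arrived on, "WAN" or "LAN"
    when: datetime


def addr_matches(spec, addr):
    if spec == ANY:
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:                                   # Range
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return lo <= ip <= hi
    if "/" in spec:                                   # Net ("address/subnet mask" also accepted)
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)           # Single


def rule_matches(r, p):
    return (r.enabled
            and r.source_if in (ANY, p.iface)
            and r.service.matches(p.proto, p.dport)
            and addr_matches(r.source, p.src)
            and addr_matches(r.destination, p.dst)
            and p.when.weekday() in r.days
            and r.time_from <= p.when.time() <= r.time_to)


def evaluate(rules, p, default="Allow"):
    """Lowest priority number that matches wins (assumed first-match semantics).
    Returns (action, priority of the matched rule or None, log line or None)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if rule_matches(r, p):
            line = (f"{r.log_prefix} {r.action} {p.proto} {p.src}->{p.dst}:{p.dport} via {p.iface}"
                    if r.log else None)
            return r.action, r.priority, line
    return default, None, None


# Constructed rule set: admins at 203.0.113.0/24 may reach the RDP server on weekdays
# in office hours, every other RDP attempt from the WAN is denied and logged, and the
# guest address range on the LAN may not browse the web. Rule 0 shows a disabled rule.
RDP = Service("RDP", "TCP", 3389, 3389)
HTTP = Service("HTTP", "TCP", 80, 80)
WORKDAYS = frozenset(range(5))
SAMPLE_RULES = [
    Rule(0, "Deny", Service("ALL", "ALL"), enabled=False),
    Rule(1, "Allow", RDP, "WAN", "203.0.113.0/24", "192.168.1.10",
         WORKDAYS, time(8, 0), time(18, 0), log=True, log_prefix="ADMIN-RDP"),
    Rule(2, "Deny", RDP, "WAN", log=True, log_prefix="RDP-BLOCK"),
    Rule(3, "Deny", HTTP, "LAN", "192.168.1.50-192.168.1.99"),
]


def demo():
    mon_noon = datetime(2024, 1, 15, 12, 0)   # a Monday
    sat_noon = datetime(2024, 1, 20, 12, 0)   # a Saturday
    packets = [
        Packet("203.0.113.7", "192.168.1.10", "TCP", 3389, "WAN", mon_noon),
        Packet("203.0.113.7", "192.168.1.10", "TCP", 3389, "WAN", sat_noon),
        Packet("198.51.100.9", "192.168.1.10", "TCP", 3389, "WAN", mon_noon),
        Packet("192.168.1.60", "198.51.100.80", "TCP", 80, "LAN", mon_noon),
        Packet("192.168.1.20", "198.51.100.80", "TCP", 80, "LAN", mon_noon),
    ]
    return [evaluate(SAMPLE_RULES, p) for p in packets]


if __name__ == "__main__":
    for action, prio, line in demo():
        print(action, prio, line)
```

The second packet is the instructive one: the same administrator source is denied on a Saturday because the Allow rule’s Days window no longer matches and evaluation falls through to the broader Deny, which is why a time-limited Allow should always be paired with an explicit, logged Deny below it.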
Firewall > Internet Access Policy
Setting Up and Configuring the Router
Internet Policy Summary
Firewall > Internet Access Policy
Access can be managed by a policy. Use the settings on this screen to establish an access policy. Selecting a policy from the drop-down menu will display that policy’s settings. You can then perform the following operations:
Create a Policy—see instructions below.
Delete the current policy—click Delete.
View all policies—click Summary to display the Internet Policy Summary popup which lists all of the Internet access policies and includes the following information: No., Policy Name, Days, Time, and a checkbox to delete (clear) the policy. To delete a policy, check the checkbox in the Delete column, and click Delete.
View or change the PCs covered by the current policy— click Edit List of PCs to display the List of PCs popup.
List of PCs
On the List of PCs popup, you can define PCs by MAC Address or IP Address. You can also enter a range of IP Addresses if you want this policy to affect a group of PCs.
To create an Internet Access policy:
1. Select the desired policy number from the Internet Access Policy drop-down menu.
2. Enter a Policy Name in the field provided.
3. To enable this policy, set the Status option to Enable.
4. Click Edit List of PCs to select which PCs will be affected by the policy. The List of PCs popup will appear. You can select a PC by MAC Address or IP Address. You can also enter a range of IP Addresses if you want this policy to affect a group of PCs. After making your changes, click Save Settings to apply your changes.
5. Click the appropriate option, Deny or Allow, depending on whether you want to block or allow Internet access for the PCs you listed on the List of PCs popup.
6. Decide which Days and what Times you want this policy to be enforced. Select the individual days during which the policy will be in effect, or select Everyday. Enter a range of hours and minutes during which the policy will be in effect, or select 24 Hours.
7. If you wish to block access to Web sites, use the Website Blocking by URL Address or Website Blocking by Keyword feature.
Website Blocking by URL Address. Enter the URL or Domain Name of the web sites you wish to block.
Website Blocking by Keyword. Enter the keywords you wish to block in the fields provided. If any of these Keywords appears in the URL of a web site, access to the site will be blocked. Note that only the URL is checked, not the content of each Web page.
Click Save Settings to save the policy settings you have entered. Click Cancel Changes to cancel any changes you have entered.
Firewall > Single Port Forwarding
Application Enter the name of the application you wish to configure.
External Port This is the port number used by the server or Internet application. Internet users must connect using this port number. Check with the software documentation of the Internet application for more information.
Internal Port This is the port number used by the Router when forwarding Internet traffic to the PC or server on your LAN. Normally, this is the same as the External Port number. If it is different, the Router performs a “Port Translation”, so that the port number used by Internet users is different from the port number used by the server or Internet application.
For example, you could configure your Web Server to accept connections on both port 80 (standard) and port 8080. Then enable Port Forwarding, and set the External Port to 80, and the Internal Port to 8080. Now, any traffic from the Internet to your Web server will be using port 8080, even though the Internet users used the standard port, 80. (Users on the local LAN can and should connect to your Web Server using the standard port 80.)
Protocol Select the protocol used for this application, TCP and/or UDP.
IP Address For each application, enter the IP address of the PC running the specific application.
Enabled Click the Enabled checkbox to enable port forwarding for the relevant application.
Click Save Settings to save the settings you have entered. Click Cancel Changes to cancel any changes you have entered.
Firewall > Port Range Forwarding
Application Enter the name of the application you wish to configure.
Start This is the beginning of the port range. Enter the beginning of the range of port numbers (external ports) used by the server or Internet application. Check with the software documentation of the Internet application for more information if necessary.
End This is the end of the port range. Enter the end of the range of port numbers (external ports) used by the server or Internet application. Check with the software documentation of the Internet application for more information if necessary.
Protocol Select the protocol(s) used for this application, TCP and/or UDP.
IP Address For each application, enter the IP address of the PC running the specific application.
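To see how the Single Port Forwarding fields (External Port, Internal Port, Protocol, Enabled) and a Port Range Forwarding row resolve an inbound connection, here is an added Python model; it is not Linksys code. It assumes Single Port Forwarding entries are consulted before ranges and that a range forwards each port to the same port number on the LAN host, neither of which this section states. The overlap check at the end flags entries that claim the same external port and protocol, a configuration mistake worth catching before saving.

```python
from dataclasses import dataclass

@dataclass
class SinglePortForward:          # one row of Firewall > Single Port Forwarding
    application: str
    external_port: int            # port Internet users connect to
    internal_port: int            # port the LAN host listens on; differs => "Port Translation"
    protocol: str                 # "TCP", "UDP" or "TCP/UDP"
    ip_address: str
    enabled: bool = True

@dataclass
class PortRangeForward:           # one row of Firewall > Port Range Forwarding
    application: str
    start: int
    end: int
    protocol: str
    ip_address: str

def _protos(rule_proto):
    return ("TCP", "UDP") if rule_proto == "TCP/UDP" else (rule_proto,)

def forward(singles, ranges, proto, external_port):
    """Where does inbound WAN traffic for (proto, external_port) land? -> (lan_ip, lan_port) or None."""
    for s in singles:             # assumption: single entries are consulted before ranges
        if s.enabled and proto in _protos(s.protocol) and s.external_port == external_port:
            return s.ip_address, s.internal_port
    for r in ranges:              # assumption: a range forwards each port to the same port on the LAN host
        if proto in _protos(r.protocol) and r.start <= external_port <= r.end:
            return r.ip_address, external_port
    return None

def overlaps(singles, ranges):
    """Configuration check: enabled entries that claim the same (protocol, external port)."""
    claims = {}
    for s in singles:
        if s.enabled:
            for p in _protos(s.protocol):
                claims.setdefault((p, s.external_port), []).append(s.application)
    for r in ranges:
        for p in _protos(r.protocol):
            for port in range(r.start, r.end + 1):
                claims.setdefault((p, port), []).append(r.application)
    return {k: v for k, v in claims.items() if len(v) > 1}

# Constructed sample built on the guide's web-server example: Internet port 80 -> LAN host port 8080
SINGLES = [SinglePortForward("Web", 80, 8080, "TCP", "192.168.1.10"),
           SinglePortForward("OldFTP", 21, 21, "TCP", "192.168.1.11", enabled=False)]
RANGES = [PortRangeForward("Game", 6000, 6010, "TCP/UDP", "192.168.1.12")]
```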