USER GUIDE
BUSINESS SERIES
4-Port SSL/IPSec
VPN Router
Model: RVL200
About This Guide
Icon Descriptions
While reading through the User Guide you may see various icons that call attention to specific items. Below is a description of these icons:
NOTE: This check mark indicates that there is a note of interest and is something that you should pay special attention to while using the product.
WARNING: This exclamation point indicates that there is a caution or warning and it is something that could damage your property or product.
WEB: This globe icon indicates a noteworthy website address or e-mail address.
Online Resources
Website addresses in this document are listed without http:// in front of the address because most current web browsers do not require it. If you use an older web browser, you may have to add http:// in front of the web address.
Resource |
Website |
|
|
Linksys |
www.linksys.com |
Linksys International |
www.linksys.com/international |
Glossary |
www.linksys.com/glossary |
Network Security |
www.linksys.com/security |
|
|
Copyright and Trademarks
Specifications are subject to change without notice. Linksys is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Copyright © 2007 Cisco Systems, Inc. All rights reserved. Other brands and product names are trademarks or registered trademarks of their respective holders.
About This Guide
Open Source
This product may contain material licensed to you under the GNU General Public License or other open-source software licenses. Upon request, open-source software source code is available at cost from Linksys for at least three years from the product purchase date.
WEB: For detailed license terms and additional information visit: www.linksys.com/gpl
4-Port SSL/IPSec VPN Router |
ii |
Table of Contents
Chapter 1: Introduction |
|
|
|
|
1 |
Introduction to the Router |
|
|
|
|
1 |
Introduction to Virtual Private Networks (VPNs) . . . . . . . . . . . . |
. . |
. . |
. |
|
. 1 |
VPN Router to VPN Router . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
. |
1 |
Computer (using SSL VPN client software) to VPN Router . . . . . . |
. . |
. . |
. |
|
. 2 |
Chapter 2: Product Overview |
|
|
|
|
3 |
Front Panel |
|
|
|
|
3 |
Back Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
|
. 3 |
Chapter 3: Installation |
|
|
|
|
4 |
Physical Installation . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
|
. 4 |
Horizontal Placement . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
. |
4 |
Vertical Placement . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
4 |
Wall-Mounting Placement . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
. |
4 |
Cable Connection . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
5 |
Chapter 4: Advanced Configuration |
|
|
|
|
6 |
Overview |
|
|
|
|
6 |
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
. |
6 |
Internet Explorer 6.0 or Higher . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
. |
6 |
Netscape Communicator 8.0 or Higher . . . . . . . . . . . . . . |
. . |
. . |
. |
|
. 6 |
How to Access the Web-Based Utility . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
7 |
System Summary |
|
|
|
|
8 |
System Information . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
|
. 8 |
Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
9 |
Network Setting Status . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
9 |
Firewall Setting Status |
|
|
|
|
9 |
IPSec VPN Setting Status . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
|
. 9 |
SSL VPN Setting Status . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
9 |
Log Setting Status . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
9 |
Setup Tab > Network . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
.10 |
|
Network . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
10 |
Setup > Password . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
12 |
Password . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
13 |
Setup > Time . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
13 |
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
13 |
Setup > DMZ Host . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
13 |
DMZ Host |
|
|
|
|
13 |
Setup Tab > Forwarding . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. |
|
14 |
Forwarding |
|
|
|
|
14 |
Setup > UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
. . |
. . |
|
15 |
UPnP |
|
|
|
|
15 |
4-Port SSL/IPSec VPN Router
Table of Contents
Setup > One-to-One NAT |
|
16 |
One-to-One NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
.16 |
Setup > MAC Clone . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
16 |
MAC Clone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 |
||
Setup > DDNS |
|
17 |
DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
17 |
Setup > Advanced Routing . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
17 |
Advanced Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
17 |
DHCP > Setup |
|
18 |
Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
19 |
DHCP > Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
20 |
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
20 |
DHCP > Multiple VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
20 |
Multiple VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
20 |
DHCP > Inter-VLAN Routing |
|
21 |
Inter-VLAN Routing . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
21 |
System Management > Diagnostic . . . . . . . . . . . . . . . . . . . . . . |
|
.21 |
Diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
21 |
System Management > Factory Default . . . . . . . . . . . . . . . . . . . . |
|
.22 |
Factory Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
22 |
System Management > Firmware Upgrade . . . . . . . . . . . . . . . . . . |
. |
22 |
Firmware Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
22 |
System Management > Restart |
|
22 |
Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
.23 |
System Management > Setting Backup . . . . . . . . . . . . . . . . . . . . |
|
.23 |
Import Configuration File . . . . . . . . . . . . . . . . . . . . . . . . |
|
.23 |
Export Configuration File |
|
23 |
System Management > Port Mirroring . . . . . . . . . . . . . . . . . . . . |
. |
23 |
Port Mirroring |
|
23 |
System Management > IGMP Snooping . . . . . . . . . . . . . . . . . . . . |
|
.23 |
Port Management > Port Setup . . . . . . . . . . . . . . . . . . . . . . . |
. |
24 |
Basic Per Port Config. . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
.24 |
Port Management > Port Status . . . . . . . . . . . . . . . . . . . . . . . |
. |
24 |
Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
24 |
Port Management > Create VLAN . . . . . . . . . . . . . . . . . . . . . . |
. |
25 |
Create VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
.25 |
Port Management > Port Setting |
|
25 |
Port Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
.25 |
Port Management > VLAN Membership . . . . . . . . . . . . . . . . . . . . |
|
.25 |
VLAN Membership |
|
26 |
QoS > Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . |
. |
26 |
Bandwidth Management |
|
26 |
4-Port SSL/IPSec VPN Router |
ii |
Table of Contents
QoS > QoS Setup |
|
|
|
|
28 |
QoS Setup . . . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
28 |
QoS > Queue Settings . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
29 |
Queue Settings . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
29 |
QoS > DSCP Settings . . . . . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.29 |
DSCP Settings |
|
|
|
|
30 |
Firewall > General |
|
|
|
|
30 |
General . . . . . . . . . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.30 |
Firewall > Access Rules . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
31 |
Access Rules . . . . . . . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.31 |
Add a New Access Rule . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
32 |
Firewall > Content Filter . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
33 |
Content Filter . . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
33 |
IPSec VPN > Summary . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
34 |
Summary |
|
|
|
|
35 |
IPSec VPN > Gateway to Gateway . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
35 |
Add a New Tunnel . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
35 |
IPSec Setup . . . . . . . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.38 |
IPSec VPN > VPN Pass Through |
|
|
|
|
40 |
VPN Pass Through . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
40 |
SSL VPN > Summary |
|
|
|
|
40 |
Summary |
|
|
|
|
40 |
SSL VPN > Certificate Management . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.40 |
SSL VPN > User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . . |
. . . |
. .41 |
||
User Management . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
41 |
SSL VPN > Virtual Passage . . . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.42 |
Virtual Passage . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
43 |
SNMP > Global Parameters . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
43 |
Global Parameters . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
43 |
SNMP > Views |
|
|
|
|
44 |
Views . . . . . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
44 |
SNMP > Group Profile |
|
|
|
|
44 |
Group Profile . . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
44 |
SNMP > Group Membership |
|
|
|
|
45 |
Group Membership . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
45 |
SNMP > Communities |
|
|
|
|
45 |
Communities . . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
45 |
SNMP > Notification Recipient . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.46 |
Notification Recipient . . . . . . |
. . . . . . . . . . . . . . . . |
. . |
. . |
|
.46 |
Log > System Log . . . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
47 |
System Log |
|
|
|
|
47 |
Log > System Statistics . . . . . . . . |
. . . . . . . . . . . . . . . |
. . |
. . |
. |
48 |
4-Port SSL/IPSec VPN Router |
iii |
Table of Contents
Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.49 |
Basic Setup |
|
|
49 |
Access Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
51 |
Support |
|
|
53 |
Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.53 |
Linksys Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.53 |
Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.53 |
Appendix A: Troubleshooting |
|
|
55 |
Appendix B: Virtual Passage SSL VPN Client |
|
|
56 |
Overview |
|
|
56 |
Before You Begin (Windows OS) . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
56 |
Internet Explorer 6.0 or Higher . . . . . . . . . . . . . . . . . . . . |
. . |
|
.56 |
Netscape Communicator 8.0 or Higher . . . . . . . . . . . . . . . . . |
. |
. |
57 |
Make the SSL VPN Portal a Trusted Site (Windows OS) . . . . . . . . . . . . |
. . |
|
.57 |
Login for the SSL VPN Portal (Windows OS) . . . . . . . . . . . . . . . . . |
. |
. |
58 |
Installation of the Virtual Passage Client (Windows OS) . . . . . . . . . . . . |
. |
. |
58 |
Logout of the SSL VPN Portal (Windows OS) . . . . . . . . . . . . . . . . |
. . |
|
.59 |
Windows Vista Usage . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.60 |
Login for the SSL VPN Portal (Mac OS X) . . . . . . . . . . . . . . . . . . |
. . |
|
.60 |
Installation of the Virtual Passage Client (Mac OS X) |
|
|
60 |
Removal of the Virtual Passage Client (Mac OS X) . . . . . . . . . . . . . . |
. . |
|
.61 |
Before You Begin (Linux OS) |
|
|
62 |
Login for the SSL VPN Portal (Linux OS) |
|
|
62 |
Installation of the Virtual Passage Client (Linux OS) . . . . . . . . . . . . . . |
. |
. |
62 |
Removal of the Virtual Passage Client (Linux OS) |
|
|
63 |
Appendix C: Bandwidth Management |
|
|
64 |
Overview |
|
|
64 |
Creation of New Services |
|
|
64 |
Creation of New Bandwidth Management Rules |
|
|
65 |
Appendix D: Active Directory Server |
|
|
66 |
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.70 |
Appendix E: User for the Active Directory Server |
|
|
71 |
Appendix F: Internet Authentication Service (IAS) Server |
|
|
73 |
Appendix G: Lightweight Directory Access Protocol (LDAP) Server |
|
|
79 |
4-Port SSL/IPSec VPN Router |
iv |
Table of Contents
Appendix H: Deployment in an Existing Network |
|
|
80 |
Overview |
|
|
80 |
LAN-to-LAN Connection . . . . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
80 |
WAN-to-LAN Connection |
|
|
81 |
Appendix I: Gateway-to-Gateway VPN Tunnel |
|
|
82 |
Overview |
|
|
82 |
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.82 |
Configuration when the Remote Gateway Uses a Static IP Address . . . . . . . |
. |
. |
82 |
Configuration of the RVL200 |
|
|
82 |
Configuration of the RV082 . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
83 |
Configuration of PC 1 and PC 2 . . . . . . . . . . . . . . . . . . . . |
. . |
|
.83 |
Configuration when the Remote Gateway Uses a Dynamic IP Address |
|
|
84 |
Configuration of the RVL200 |
|
|
84 |
Configuration of the RV082 . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
84 |
Configuration of PC 1 and PC 2 . . . . . . . . . . . . . . . . . . . . |
. . |
|
.85 |
Configuration when Both Gateways Use Dynamic IP Addresses . . . . . . . . |
. . |
|
.85 |
Configuration of the RVL200 |
|
|
85 |
Configuration of the RV082 . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
86 |
Configuration of PC 1 and PC 2 . . . . . . . . . . . . . . . . . . . . |
. . |
|
.86 |
Appendix J: IPSec NAT Traversal |
|
|
87 |
Overview |
|
|
87 |
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.87 |
Configuration of Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
87 |
Configuration of Router A . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.87 |
Configuration of Router B . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.88 |
Configuration of Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
89 |
Configuration of the One-to-One NAT Rules |
|
|
89 |
Configuration of Router B . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.89 |
Configuration of Router A . . . . . . . . . . . . . . . . . . . . . . |
. . |
|
.90 |
Appendix K: Configuration of Multiple Subnets |
|
|
91 |
Overview |
|
|
91 |
RVL200-to-RV042 Configuration . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
91 |
RVL200 Configuration |
|
|
91 |
RV042 #1 Configuration |
|
|
92 |
RV042 #2 Configuration |
|
|
93 |
Appendix L: Multiple VLANs with Computers |
|
|
94 |
Overview |
|
|
94 |
RVL200-to-SRW2048 Configuration . . . . . . . . . . . . . . . . . . . . |
. . |
|
.94 |
RVL200 Configuration |
|
|
94 |
SRW2048 Configuration . . . . . . . . . . . . . . . . . . . . . . . |
. |
. |
95 |
4-Port SSL/IPSec VPN Router
Table of Contents
Appendix M: Multiple VLANs and Subnets |
|
|
|
96 |
Overview |
|
|
|
96 |
RVL200 Configuration |
|
|
|
96 |
Basic Instructions |
|
|
|
96 |
Inter-VLAN Routing Option . . . . . . . . . . . . . . . . |
. . . . . . |
. |
. |
97 |
Appendix N: Access of Multiple VLANs over a SSL VPN Tunnel |
|
|
|
98 |
Overview |
|
|
|
98 |
SSL VPN Connection |
|
|
|
98 |
Static Route . . . . . . . . . . . . . . . . . . . . . . . . |
. . . . . . |
. . |
|
.98 |
Windows Operating System (OS) |
|
|
|
98 |
Mac OS X . . . . . . . . . . . . . . . . . . . . . . . . |
. . . . . . |
. |
. |
98 |
Linux OS . . . . . . . . . . . . . . . . . . . . . . . . |
. . . . . . |
. |
. |
98 |
Appendix O: Firmware Upgrade |
|
|
|
99 |
Overview |
|
|
|
99 |
Before You Begin . . . . . . . . . . . . . . . . . . . . . . |
. . . . . . |
. . |
|
.99 |
Internet Explorer 6.0 or Higher . . . . . . . . . . . . . . |
. . . . . . |
. . |
|
.99 |
How to Access the Web-Based Utility . . . . . . . . . . . . . . |
. . . . . . |
. |
. |
99 |
Upgrade the Firmware . . . . . . . . . . . . . . . . . . . . |
. . . . . . |
. |
100 |
|
Appendix P: Battery Replacement |
|
|
101 |
|
Overview |
|
|
101 |
|
Replace the Lithium Battery |
|
|
101 |
|
Appendix Q: Specifications |
|
|
102 |
|
Appendix S: Regulatory Information |
|
|
104 |
|
FCC Statement . . . . . . . . . . . . . . . . . . . . . . . |
. . . . . . |
. |
. 104 |
|
Safety Notices |
|
|
104 |
|
Industry Canada Statement . . . . . . . . . . . . . . . . . . |
. . . . . . |
. |
104 |
|
Avis d’Industrie Canada |
|
|
104 |
|
User Information for Consumer Products Covered by EU Directive 2002/96/EC on Waste |
||||
Electric and Electronic Equipment (WEEE) |
|
|
105 |
|
Appendix T: Contact Information |
|
|
109 |
4-Port SSL/IPSec VPN Router |
vi |
Chapter 1
Chapter 1:
Introduction
Thank you for choosing the Linksys 4-Port SSL/IPSec VPN Router. The Router is an advanced Internet-sharing network solution for your small business needs. Like any router, it lets multiple computers in your office share an Internet connection. It features a built-in, 4-port, fullduplex, 10/100 Ethernet switch to connect four computers directly, or you can connect more switches to create as big a network as you need. If you have multiple routers in your Local Area Network (LAN), you can use the Router’s multiple subnet feature to support those routers.
The five Secure Sockets Layer (SSL) Virtual Private Network (VPN) tunnels gives your mobile workers a secure and easy way to stay connected. Additionally, an IPSec (Internet Protocol Security), gateway-to-gateway VPN tunnel facilitates branch office connectivity. As an essential element of your business, the Router provides security functions for authentication, encryption, and firewall. Additional security features includes Denial of Service (DoS) prevention and HTTPS management, while the Quality of Service (QoS) features provide consistent voice and video quality throughout your business.
Use the browser-based utility to configure settings and run convenient wizards that will help you set up the Router and its access rules.
A VPN is a connection between two endpoints—a VPN Router, for instance—in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. This establishes a private network that can send data securely between these two locations or networks.
The private network is established by creating a“tunnel”. A VPN tunnel connects the two computers or networks and allows data to be transmitted over the Internet as if it were still within those networks. A VPN tunnel uses industrystandard encryption and authentication techniques to secure the data sent between the two networks.
Virtual Private Networking was created as a cost-effective alternative to using a private, dedicated, leased line for a private network. It can be used to create secure networks linking a central office with branch offices, telecommuters, and/or professionals on the road. The 4-Port SSL/IPSec
Introduction
VPN Router supports two of the most popular VPN tunnel types, SSL and IPSec.
There are two basic ways to create a VPN connection:
• |
VPN Router to VPN Router |
||
• |
computer (using SSL VPN client software) to |
||
|
VPN Router |
||
|
|
|
|
|
|
NOTE: The 4-Port SSL/IPSec VPN Router does |
|
|
|
not support IPSec VPN client software. |
The VPN Router creates a“tunnel”or channel between two endpoints, so that data transmissions between them are secure. A computer with SSL or IPSec VPN client software can be one of the two endpoints.
For an IPSec VPN tunnel, any computer with the built-in IPSec Security Manager (Windows 2000 and XP) allows the VPN Router to create a VPN tunnel using IPSec (Windows Vista uses a similar utility). Other Windows operating systems require additional, third-party VPN client software applications that support IPSec to be installed.
For an SSL VPN tunnel, a computer can download the Virtual Passage SSL VPN client software during first-time connection to the SSL VPN Portal. (See“Appendix B: Virtual Passage SSL VPN Client.”)
VPN Router to VPN Router
An example of a VPN Router-to-VPN Router VPN would be as follows. At home, a telecommuter uses his VPN Router for his always-on Internet connection. His Router is configured with his office’s VPN settings. When he connects to his office’s router, the two routers create a VPN tunnel, encrypting and decrypting data. As VPNs utilize the Internet, distance is not a factor. Using the VPN, the telecommuter now has a secure connection to the central office’s network, as if he were physically connected.
4-Port SSL/IPSec VPN Router |
|
Chapter 1 |
Introduction |
Home
Internet
VPN Router
Central Office
VPN Router
VPN Router to VPN Router
The following is an example of a computer-to-VPN Router VPN. In her hotel room, a traveling businesswoman connects to her Internet Service Provider (ISP). Her notebook computer has VPN client software that is configured with her office’s VPN settings. She accesses the VPN client software and connects to the VPN Router at the central office. As VPNs utilize the Internet, distance is not a factor. Using the VPN, the businesswoman now has a secure connection to the central office’s network, as if she were physically connected.
Off-Site
Internet
Notebook with VPN
Client Software
VPN |
Central Office |
Router |
|
Computer to VPN Router
For additional information and instructions about creating your own VPN, visit the Linksys website at www.linksys.com.
4-Port SSL/IPSec VPN Router |
|
Chapter 2
Chapter 2:
Product Overview
Power (Green) The Power LED lights up green and stays on while the Router is powered on.
Diag (Orange) The Diag LED lights up when the Router is not ready for use. During a warm reset, it flashes slowly. During a reset to factory defaults, it flashes quickly. The LED turns off when the Router is ready for use.
Internet (Green) The Internet LED lights up and stays on when there is a connection made through the Internet port. It flashes to indicate network activity over the Internet port.
Ethernet 1-4 (Green) These numbered LEDs, corresponding with the numbered ports on the Router’s back panel, serve two purposes. If the LED is solidly lit, the Router is connected to a device through that port. It flashes to indicate network activity over that port.
Product Overview
Reset The Reset button can be used in one of two ways, warm reset and reset to factory defaults.
•WarmReset IftheRouterishavingproblems connecting to the Internet, press and hold in the Reset button for four seconds using the tip of a pen. This is similar to pressing the power button on your computer to reboot it. The Diag LED will flash slowly during a warm reset.
•Reset to Factory Defaults If you are
experiencing extreme problems with the Router and have tried all other troubleshooting measures, press and hold in the Reset button for ten seconds. This will restore the factory defaults and clear all of the Router’s custom settings. The Diag LED will flash quickly during a reset to factory defaults.
You can also reset the Router to factory defaults using the System Management > Factory Defaults screen of the Router’s web based utility.
Internet The Internet port is where you will connect your cable or DSL Internet connection.
Ethernet 1, 2, 3, 4 These Ethernet ports (1, 2, 3, 4) connect the Router to wired computers and other Ethernet network devices.
Power The Power port is where you connect the power adapter.
4-Port SSL/IPSec VPN Router |
|
Chapter 3
Chapter 3:
Installation
There are three ways to place the Router. The first way is to place it horizontally on a surface, so it sits on its four rubber feet. The second way is to stand the Router vertically on a surface. The third way is to mount it on a wall.
The Router has four rubber feet on its bottom panel. Set the Router on a flat surface near an electrical outlet.
WARNING: Do not place excessive weight on top of the Router; too much weight could damage it.
1.Line up the edges of the Router with the two stands.
2.Insert the Router into the stands.
3.Set the Router on a flat surface near an electrical outlet.
Installation
The Router has two wall-mount slots on its bottom. The distance between the two slots is 64.4 mm (2.535 inches).
Two screws are needed to mount the Router.
Suggested Mounting Hardware
5.0-6.0 mm |
1.6-2.0 mm |
-3.8 mm |
|
3.0 |
|||
|
|
†Note: Mounting hardware illustrations are not true to scale.
NOTE: Linksys is not responsible for damages incurred by insecure wall-mounting hardware.
Follow these instructions:
1.Determine where you want to mount the Router. Make sure that the wall you use is smooth, flat, dry, and sturdy. Also make sure the location is within reach of an electrical outlet.
2.Drill two holes into the wall. Make sure the holes are 64.4 mm (2.535 inches) apart.
3.Insert a screw into each hole and leave 5 mm (0.2 inches) of its head exposed.
4.Maneuver the Router so the wall-mount slots line up with the two screws.
5.Place the wall-mount slots over the screws and slide the Router down until the screws fit snugly into the wall-mount slots.
64.4 mm
Print this page at 100% size. Cut along the dotted line, and place on the wall to drill precise spacing.
Wall Mounting Template
4-Port SSL/IPSec VPN Router
Chapter 3 |
Installation |
To connect network devices to the Router, follow these instructions:
1.Before you begin, make sure that all of your hardware is powered off, including the Router, computers, switches, and cable or DSL modem.
2.Connect your cable or DSL modem’s Ethernet cable to the Router’s Internet port.
Connect to the Internet Port
3.Power on the cable or DSL modem.
4.Connect one end of an Ethernet network cable to one of the numbered ports on the back of the Router. Connect the other end to an Ethernet port on a network device, such as a computer or switch.
Repeat this step to connect more computers or other network devices to the Router.
Connect to the Network Device
5.Connect the included power adapter to the Router’s Power port, and then plug the power adapter into an electrical outlet.
Connect the Power
6.The Power LED on the front panel will light up as soon as the power adapter is connected properly.
7.Power on your computers and other network devices.
4-Port SSL/IPSec VPN Router |
|
Chapter 4
Chapter 4:
Advanced Configuration
For your convenience, use the Router’s web-based utility to set it up and configure it. This chapter will explain all of the functions in this utility.
These are the main tabs of the utility: System Summary, Setup, DHCP, System Management, Port Management, QoS, Firewall, IPSec VPN, SSL VPN, SNMP, Log, Wizard, Support, and Logout. Additional tabs will be available after you click one of the main tabs.
The Router’s web-based utility and SSL VPN Portal support Internet Explorer 6.0 (or higher) and Netscape Communicator 8.0 (or higher) running in a Windows environment.
To configure the SSLVPN software, your web browser must have SSL, JavaScript, ActiveX, and cookies enabled (these settings are enabled by default). If the settings are already enabled, proceed to the next section, “How to Access the Web-Based Utility”. If the settings are disabled, you should enable them before configuring the Router. Proceed to the instructions for your web browser.
1.Open Internet Explorer.
2.Click Tools.
3.Click Internet Options.
4.Click the Advanced tab.
5.Select Use SSL 2.0 and Use SSL 3.0.
Internet Explorer > Tools > Internet Options > Advanced
4-Port SSL/IPSec VPN Router
Advanced Configuration
6.Click OK.
7.Click the Security tab.
8.Click Custom Level.
9.Select Enable for Active scripting, Allow paste operations via script, and Scripting of Java applets.
Internet Explorer > Tools > Internet Options > Security
10.Click OK.
11.Click the Privacy tab.
12.Click Advanced.
13.Deselect (remove the checkmark from) Override automatic cookie handling.
Internet Explorer > Tools > Internet Options > Privacy
14.Click OK.
15.Click OK again.
1.Open Netscape Communicator.
2.Click Tools.
3.Click Options.
4.Click Site Controls.
5.Click the Trust Preferences tab.
6.In the Master Settings section, click I’m Not Sure.
Chapter 4
7.Select Allow cookies.
8.Select Enable JavaScript.
9.Click Advanced.
10.Select Enable ActiveX.
Netscape Communicator > Options > Site Controls > Web Features
11.Click OK.
12.Under Options, click Advanced.
13.Click Security.
14.Select Use SSL 2.0 and Use SSL 3.0.
Netscape Communicator > Options > Advanced > Security
15. Click OK.
Advanced Configuration
1.For local access of the Router’s web-based utility, launch your web browser, and enter the Router’s default IP address, 192.168.1.1, in the Address field. Press the Enter key.
Address Bar
NOTE: If the Remote Management feature on the Firewall > General screen has been enabled, then users with administrative privileges can remotely access the web-based utility. Use https://<WAN IP address of the Router>.
2.A login screen prompts you for your User Name and Password. Enter admin in the User Name field, and enter admin in the Password field. (You can change the Password on the Setup > Password screen.) Then click Login.
Login Screen
3.After you have logged in, you will be asked to install the Web Cache Cleaner application. This will prompt any user of the Router to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. (The ActiveX web cache control will be ignored by web browsers that do not support ActiveX.)
Click the link to install the Web Cache Cleaner.
4-Port SSL/IPSec VPN Router |
|
Chapter 4 |
Advanced Configuration |
|
|
|
|
Click to Install the Web Cache Cleaner
4. On the Security Warning screen, click Yes.
Click Yes to Install
5.The Web Cache Cleaner will be installed in C:\\ WINDOWS\Downloaded Program Files. Proceed to the rest of this chapter for information about the webbased utility.
When you or another user logs out, a Warning screen will appear. It will ask you to confirm that you want to delete the History Item for the Router. Click Yes.
Click Yes to Delete History
The first screen that appears is the System Summary screen, which displays the Router’s current status and settings. This information is read-only. Underlined text is hyperlinked to related setup pages, so if you click a hyperlink, the related setup screen will appear. On the right-hand side of this screen and all other screens of the utility is a link to the Site Map, which has links to all of the utility’s tabs. Click Site Map to view the Site Map. Then, click the desired tab.
System Summary
Site Map
Serial Number Displayed here is the serial number of the Router.
Firmware version Displayed here is the current version number of the firmware installed on the Router.
CPU Displayed here are the type and speed of the processor installed on the Router.
DRAM Displayed here is the size of DRAM installed on the Router’s motherboard.
Flash Displayed here is the size of flash memory installed on the Router’s board.
4-Port SSL/IPSec VPN Router
Chapter 4 |
Advanced Configuration |
System Up Time This is the length of time in days, hours, and minutes that the Router has been active. The current time and date are also displayed.
Click any port on the Router’s rear panel image to see the status of the selected port. If the port is disabled, it will be red; if enabled, it will be black. If the port is connected, it will be green. Information about the selected port will appear in a separate window.
The port’s Summary table shows the settings of the selected port, including Type, Interface, Link Status, Port Activity, Priority, Speed Status, Duplex Status, and Auto negotiation.
Port 1 Information
For the selected port, the statistics table shows this information: number of packets received, number of packet bytes received, number of packets transmitted, number of packet bytes transmitted, and number of packet errors.
To update the on-screen information, click Refresh. To exit this screen, click Close.
LAN IP It shows the current LAN IP Address of the Router, as seen by internal users on the network, and it hyperlinks to the LAN Setting section on the Network screen of the Setup tab.
WAN IP This shows the current WAN IP address of the Router, as seen by external users on the Internet and hyperlinks to the WAN Connection Type settings on the Network screen of the Setup tab. If the port is set to Obtain an IP automatically, two buttons, Release and Renew, will be available. Click Release to release the IP address, and
click Renew to update the DHCP Lease Time or get a new IP address. If the WAN port is set to PPPoE or PPTP, two buttons, Connect and Disconnect, will be available.
Mode It shows the Router’s Working Mode (Gateway or Router), and it hyperlinks to the Dynamic Routing section on the Advanced Routing screen of the Setup tab.
DNS It shows all DNS Server Addresses and hyperlinks to the WAN Connection Type settings on the Network screen of the Setup tab.
DDNS It shows the DDNS settings of the Router’s WAN port and hyperlinks to the DDNS screen of the Setup tab.
DMZ Host It shows the DMZ Private IP Address and hyperlinks to the DMZ Host screen of the Setup tab. The default is Disabled.
SPI (Stateful Packet Inspection) It shows the status (On/Off) of the SPI setting and hyperlinks to the General screen of the Firewall tab.
DoS (Denial of Service) It shows the status (On/Off) of the DoS setting and hyperlinks to the General screen of the Firewall tab.
Block WAN Request It shows the status (On/Off) of the Block WAN Request setting and hyperlinks to the General screen of the Firewall tab.
Remote Management It shows the status (On/Off) of the Remote Management setting and hyperlinks to the General screen of the Firewall tab.
IPSecVPN Summary It hyperlinks to the Summary screen of the IPSec VPN tab.
Tunnel(s) Used It shows the number of VPN tunnels used.
Tunnel(s) Available It shows the number of VPN tunnels available.
SSL VPN Summary It hyperlinks to the Summary screen of the SSL VPN tab.
Tunnel(s) Used It shows the number of VPN tunnels used.
Tunnel(s) Available It shows the number of VPN tunnels available.
It hyperlinks to the System Log screen of the Log tab.
4-Port SSL/IPSec VPN Router
Chapter 4 |
Advanced Configuration |
If you have not set up the e-mail server on the Log tab, the message, “E-mail cannot be sent because you have not specified an outbound SMTP server address,” will be displayed.
If you have set up the mail server but the log has not been generated due to the Log Queue Length and Log Time Threshold settings, the message, “E-mail settings have been configured,” will be displayed.
If you have set up the e-mail server and the log has been sent to the e-mail server, the message, “E-mail settings have been configured and sent out normally,” will be displayed.
If you have set up the e-mail server and the log cannot be sent to the e-mail server, the message, “E-mail cannot be sent out, probably use incorrect settings,” will be displayed.
The Setup > Network screen shows all of the Router’s basic setup functions. The Router can be used in most network setups without changing any of the default values; however, you may need to enter additional information in order to connect to the Internet through an ISP (Internet Service Provider) or broadband (DSL or cable) carrier. The setup information is provided by your ISP.
Setup > Network
Host Name and Domain Name Enter a host and domain name for the Router. Some ISPs require these names as identification. You may have to check with your ISP to see if your broadband Internet service has been configured with a host and domain name. In most cases, you can leave these fields blank.
LAN Setting
The MAC Address of the Router is displayed.
Device IP Address and Subnet Mask The default values are 192.168.1.1 for the Router’s local IP address and 255.255.255.0 for the subnet mask.
Multiple Subnet Select this option to enable the Multiple Subnet feature. Then click Add/Edit to create or modify subnet(s). A new screen appears.
Create or Modify a Subnet
LAN IP Address Enter the LAN IP address. Subnet Mask Enter the subnet mask.
Click Add to List. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the Network screen.
If you want to modify a subnet you have created, select it and Make changes.. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the Network screen.
If you want to delete a subnet you have created, select it and click Delete selected subnet. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the Network screen.
WAN Connection Type
WAN
There are four connection types available: Obtain an IP automatically, Static IP, PPPoE, and PPTP. Depending on which connection type you select, you will see various settings.
Obtain an IP Automatically
If your ISP automatically assigns an IP address, select
Obtain an IP automatically. (Most cable modem
4-Port SSL/IPSec VPN Router |
10 |
Chapter 4 |
Advanced Configuration |
subscribers use this connection type.) Your ISP assigns these values.
Obtain an IP Automatically
DNS Server (Required) 1/2 If you select Use the Following DNS Server Addresses, enter your DNS server IP address(es) (enter at least one). Multiple DNS server IP settings are common. In most cases, the first available DNS entry is used.
MTU The MTU (Maximum Transmission Unit) setting specifies the largest packet size permitted for network transmission. To manually set a value, select Manual and enter the value desired in the field provided. You should leave this value in the 1200 to 1500 range, and most DSL users should use the value 1492. The default is Auto, which allows the Router to select the best MTU for your Internet connection.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
Static IP
If you are required to use a permanent IP address, select
Static IP.
Static IP
Specify WAN IP Address Enter the external IP address of the Router.
Subnet Mask Enter the subnet mask of the Router.
Default Gateway Address Enter the IP address of the default gateway.
DNS Server (Required) 1/2 If you select Use the Following DNS Server Addresses, enter your DNS server IP address(es) (enter at least one). Multiple DNS server IP settings are common. In most cases, the first available DNS entry is used.
MTU The MTU (Maximum Transmission Unit) setting specifies the largest packet size permitted for network transmission. To manually set a value, select Manual and enter the value desired in the field provided. You should leave this value in the 1200 to 1500 range, and most DSL users should use the value 1492. The default is Auto, which allows the Router to select the best MTU for your Internet connection.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
PPPoE (Point-to-Point Protocol over Ethernet)
Some DSL-based Internet Service Providers (ISPs) use PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections for end-users. If you use a DSL line, check with your ISP to see if they use PPPoE, select
PPPoE.
PPPoE
User Name and Password Enter your account’s User Name and Password. The maximum number of characters is 60.
Connect on Demand If you select the Connect on Demand option, the connection will be disconnected after a specified period of inactivity (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. Enter the number of minutes you want to have elapsed before your Internet access disconnects. The default Max Idle Time is 5 minutes.
4-Port SSL/IPSec VPN Router |
11 |
Chapter 4 |
Advanced Configuration |
Keep Alive: Interval If you select the Keep Alive option, the Router will send keep-alive packets as often as you specify. The default Interval is 30 seconds.
Keep Alive: Retry Times If you select the Keep Alive option, the Router will send keep-alive packets as many times as you specify. If the Router does not receive a response from the ISP, then the Router will terminate the connection and start sending PADI packets after the Redial Period. The default Retry Times is 5 times.
Keep Alive: Redial Period If you select the Keep Alive option, the Router will keep the connection alive by sending out a few data packets periodically, so your ISP thinks that the connection is still active. This option keeps your connection active indefinitely, even when it sits idle. The default Redial Period is 30 seconds.
MTU The MTU (Maximum Transmission Unit) setting specifies the largest packet size permitted for network transmission. To manually set a value, select Manual and enter the value desired in the field provided. You should leave this value in the 1200 to 1500 range, and most DSL users should use the value 1492. The default is Auto, which allows the Router to select the best MTU for your Internet connection.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
PPTP (Point-to-Point Tunneling Protocol)
Point to Point Tunneling Protocol (PPTP) is a service that applies to connections in Europe and Israel only.
PPTP
Specify WAN IP Address Enter the external IP address of the Router.
Subnet Mask Enter the subnet mask of the Router.
Default Gateway Address Enter the IP address of the default gateway.
DNS Server (Required) 1/2 If you select Use the Following DNS Server Addresses, enter your DNS server IP address(es) (enter at least one). Multiple DNS server IP settings are common. In most cases, the first available DNS entry is used.
User Name and Password Enter your account’s User Name and Password. The maximum number of characters is 60.
Connect on Demand If you select the Connect on Demand option, the connection will be disconnected after a specified period of inactivity (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. Enter the number of minutes you want to have elapsed before your Internet access disconnects. The default Max Idle Time is 5 minutes.
Keep Alive If you select the Keep Alive option, the Router will keep the connection alive by sending out a few data packets periodically, so your ISP thinks that the connection is still active. This option keeps your connection active indefinitely, even when it sits idle. The default Redial Period is 30 seconds.
MTU The MTU (Maximum Transmission Unit) setting specifies the largest packet size permitted for network transmission. To manually set a value, select Manual and enter the value desired in the field provided. You should leave this value in the 1200 to 1500 range, and most DSL users should use the value 1492. The default is Auto, which allows the Router to select the best MTU for your Internet connection.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
The Router’s default User Name and Password is admin, and Linksys strongly recommends that you change the Router’s password from the default to a unique password.
NOTE: The password cannot be recovered if it is lost or forgotten. If the password is lost or forgotten, you have to reset the Router to its factory default settings; this will remove all of your configuration changes.
4-Port SSL/IPSec VPN Router |
12 |
Chapter 4 |
Advanced Configuration |
Setup > Password
The User Name is admin; it cannot be changed.
Old Password Enter the old password. The default is admin when you first power up the Router.
New Password Enter a new password for the Router. Your password must have 20 or fewer characters and cannot contain any spaces.
Confirm New Password Re-enter the new password to confirm it.
Click Save Settings to save your change, or click Cancel Changes to undo it.
The Router uses the time settings to time stamp log events, automatically apply the Access Rules and Content Filter, and perform other activities for other internal purposes.
To set the local time, select Set the local time using the Network Time Protocol (NTP) automatically or Set the local time Manually.
Automatic
Setup > Time > Automatic
Time Zone Select your time zone (the default Time Zone is Pacific Time).
Daylight Saving To use the daylight saving feature, select Enabled. Enter the Month and Day of the start date, and then enter the Month and Day of the end date.
NTP Server Enter the URL or IP address of the NTP server. The default is time.nist.gov.
Manual
Setup > Time > Manual
Time Zone Select your time zone (the default Time Zone is Pacific Time).
Hours, Minutes, Seconds Enter the time. Month, Day, Year Enter the date.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
The DMZ (Demilitarized Zone) Host feature allows one local user to be exposed to the Internet for use of a special-purpose service such as Internet gaming or videoconferencing. Although Port Range Forwarding can only forward 10 ranges of ports maximum, DMZ hosting forwards all the ports to one computer at the same time.
Setup > DMZ Host
DMZ Private IP Address Enter the local IP address of the computer you want to expose. The default value of 0 deactivates the DMZ Host.
4-Port SSL/IPSec VPN Router |
13 |
Chapter 4 |
Advanced Configuration |
Click Save Settings to save your change, or click Cancel Changes to undo it.
The Forwarding screen allows you to set up port range forwarding and port triggering applications. Port range forwarding can be used to set up public services or other specialized Internet applications on your network, while port triggering can be used to set up triggered ranges and forwarded ranges for Internet applications.
Setup > Forwarding
Port Range Forwarding
Port forwarding can be used to set up public services on your network. When users from the Internet make certain requests on your network, the Router can forward those requests to computers equipped to handle the requests. If, for example, you set the port number 80 (HTTP) to be forwarded to IP address 192.168.1.2, then all HTTP requests from outside users will be forwarded to 192.168.1.2.
NOTE: You must disable the Router’s DHCP function to use port forwarding.
You may use this function to establish a web server or FTP server via an IP gateway. Make sure that you enter a valid IP address. (You may need to establish a static IP address in order to properly run an Internet server.) For added security, Internet users will be able to communicate with the server, but they will not actually be connected. The packets will simply be forwarded through the Router.
Service Select the Service you want.
If the Service you need is not listed in the menu, click Service Management to add the new service. The Service Management screen appears.
Service Management
Service Name Enter a name.
Protocol Select the protocol it uses. Port Range Enter its range.
Click Add to List. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the Forwarding screen.
If you want to modify a service you have created, select it and click Update this service. Make changes. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the Forwarding screen.
If you want to delete a service you have created, select it and click Delete selected service. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the Forwarding screen.
IP Address Enter the IP address of the server that you want the Internet users to access.
Enable SelectEnabletoenablethisportrangeforwarding entry.
Click Add to List, and configure as many entries as you would like, up to a maximum of 30. To delete an entry, select it and click Delete selected application.
Port Triggering
Port triggering allows the Router to watch outgoing data for specific port numbers. The IP address of the computer that sends the matching data is remembered by the Router, so that when the requested data returns through the Router, the data is pulled back to the proper computer by way of IP address and port mapping rules.
4-Port SSL/IPSec VPN Router |
14 |
Chapter 4 |
Advanced Configuration |
Some Internet applications or games use alternate ports to communicate between the server and LAN host. When you want to use these applications, enter the triggering (outgoing) port and alternate incoming port in the Port Triggering table. Then the Router will forward the incoming packets to the LAN host.
Application Name Enter the name of the application.
Trigger Port Range Enter the starting and ending port numbers of the trigger port range.
Incoming Port Range Enter the starting and ending port numbers of the incoming port range.
Click Add to List, and configure as many entries as you would like, up to a maximum of 30. To delete an entry, select it and click Delete selected application.
Click Show Tables to see the details of your entries. The Port Range Forwarding Table List appears.
Port Range Forwarding Table List
Port Range Forwarding Select this option to view the Port Range Forwarding entries.
Port Triggering Select this option to view the Port Triggering entries.
Click Refresh to update the on-screen information. Click Close to exit this screen and return to the Forwarding screen.
On the Forwarding screen, click Save Settings to save your changes, or click Cancel Changes to undo them.
Universal Plug and Play (UPnP) can be used to set up public services on your network. When the UPnP function is enabled, Windows XP can modify these entries via UPnP.
Setup > UPnP
UPnP Function Select Yes to enable the UPnP function. Otherwise, keep the default, No.
Service Select the Service you want.
If the Service you need is not listed in the menu, click Service Management to add the new service. The Service Management screen appears.
Service Management
Service Name Enter a name.
Protocol Select the protocol it uses.
External Port Enter the external port number. Internal Port Enter the internal port number.
Click Add to List. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the UPnP screen.
If you want to modify a service you have created, select it and click Update this service. Make changes. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the UPnP screen.
If you want to delete a service you have created, select it and click Delete selected service. Click Save Settings to save your changes, or click Cancel Changes to undo them. Click Exit to return to the UPnP screen.
Name or IP Address Enter the name or IP address of the server that you want the Internet users to access.
Enable Select Enable to enable this UPnP entry.
Click Add to List, and configure as many entries as you would like, up to a maximum of 30. To delete an entry, select it and click Delete selected application.
Click Show Tables to see the details of your entries. The UPnP Forwarding Table List appears.
4-Port SSL/IPSec VPN Router |
15 |
Chapter 4 |
Advanced Configuration |
|
|
|
|
UPnP Forwarding Table List
Click Refresh to update the on-screen information. Click Close to exit this screen and return to the UPnP screen.
On the UPnP screen, click Save Settings to save your changes, or click Cancel Changes to undo them.
One-to-One NAT (Network Address Translation) creates a relationship that maps valid external IP addresses to internal IP addresses hidden by NAT. A device with an internal IP address may be accessed at the corresponding external valid IP address.
To create this relationship, define internal and external IP address ranges of equal length. Once the relationship is defined, the device with the first internal IP address is accessible at the first IP address in the external IP address range, and so forth.
Forexample,youhaveaLocalAreaNetwork(LAN)forwhich the ISP has assigned the IP address range of 209.19.28.16 to 209.19.28.31, with 209.19.28.16 used as the Wide Area Network (WAN) or NAT public IP address of the Router. The address range of 192.168.168.1 to 192.168.168.255 is used for the devices on the LAN. With One-to-One NAT, the devices with the internal IP addresses of 192.168.168.2 to 192.168.168.15 may be accessed at the corresponding external IP addresses.
NOTE: The Router’s WAN IP address should not be included in the range you specify.
Setup > One-to-One NAT
One-to-One NAT
One-to-One NAT Select Enable to use the One-to-One NAT function.
Private Range Begin Enter the starting IP address of the internal IP address range. This is the IP address of the first device that
Public Range Begin Enter the starting IP address of the public IP address range. This IP address is provided by the ISP. (Do not include the Router’s WAN IP Address.)
Range Length Enter the number of IP addresses in the range. The range length cannot exceed the number of valid IP addresses. To map a single address, enter 1.
Click Add to List, and configure as many entries as you would like, up to a maximum of 64. To delete an entry, select it and click Delete selected range.
NOTE: One-to-One NAT affects how the firewall functions work. Access to LAN devices from the Internet is allowed unless access rules are set.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
Some ISPs require that you register a MAC address, which is a 12-digit code assigned to a unique piece of hardware for identification. The MAC Clone feature “clones” your network adapter’s MAC address onto the Router, so you don’t have to call your ISP to change the registered MAC address to the Router’s MAC address.
For the WAN port, you can assign or clone a MAC address.
4-Port SSL/IPSec VPN Router |
16 |
Chapter 4 |
Advanced Configuration |
Setup > MAC Clone
User Defined WAN MAC Address To manually clone a MAC address, select User Defined WAN MAC Address, and then enter the 12 digits of your adapter’s MAC address.
MAC Address from this PC To clone the MAC address of the computer you are currently using to configure the Router, select MAC Address from this PC.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
Dynamic Domain Name System (DDNS) service allows you to assign a fixed domain name to a dynamic WAN IP address, so you can host your own web, FTP or other type of TCP/IP server in your LAN. The DDNS feature is disabled by default.
Before configuring DDNS, visit www.dyndns.org and register a domain name. (The DDNS service is provided by DynDNS.org).
Setup > DDNS
DDNS Service To enable DDNS, select DynDNS.org. Otherwise, select Disable.
User Name and Password Enter your DynDNS.org account information.
Host Name Enter your host name in the three Host Name fields. For example, if your host name were myhouse. dyndns.org, then myhouse would go into the first field, dyndns would go into the second field, and org would go into the last field.
Click Save Settings, and the status of the DDNS function will be updated.
Internet IP Address The Router’s current Internet IP address is displayed. Because it is dynamic, this will change.
Status The status of the DDNS function is displayed. If the status information indicates an error, make sure you have correctly entered the information for your account with your DDNS service.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
The Advanced Routing screen allows you to configure the dynamic and static routing settings.
Setup > Advanced Routing
Dynamic Routing
The Router’s dynamic routing feature can be used, so the Router will automatically adjust to physical changes in the network’s layout. Using the dynamic RIP protocol, the Router calculates the most efficient route for the network’s data packets to travel between the source and the destination, based upon the shortest paths. The RIP protocol regularly broadcasts routing information to
4-Port SSL/IPSec VPN Router |
17 |
Chapter 4 |
Advanced Configuration |
other routers on the network. It determines the route that the network packets take based on the fewest number of hops between the source and the destination.
Working Mode Select Gateway mode if the Router is hosting your network’s connection to the Internet. Select Router mode if the Router exists on a network with other routers, including a separate network gateway that handles the Internet connection. In Router mode, any computer connected to the Router will not be able to connect to the Internet unless you have another router function as the gateway.
RIP (Routing Information Protocol) To use dynamic routing for communication of network data, select Enabled. Otherwise, keep the default, Disabled.
Receive RIP versions To use dynamic routing for reception of network data, select the protocol you want:
None, RIPv1, RIPv2, or Both RIP v1 and v2.
Transmit RIP versions To use dynamic routing for transmission of network data, select the protocol you want:
None, RIPv1, RIPv2 - Broadcast, or RIPv2 - Multicast.
Static Routing
If the Router is connected to more than one network or there are multiple routers installed on your network, it may be necessary to set up static routes. The static routing function determines the path that data follows over your network before and after it passes through the Router. You can use static routing to allow different IP domain users to access the Internet through the Router.
Static routing is a powerful feature that should be used by advanced users only. In many cases, it is better to use dynamic routing because it enables the Router to automatically adjust to physical changes in the network’s layout.
If you want to use static routing, the Router’s DHCP settings must be disabled. Then add routing entries to the Static Routing table. These entries tell the Router where to send all incoming packets. All of your network routers should direct the default route entry to the 4-Port SSL/IPSec VPN Router.
NOTE: Static routing is an advanced feature. Create these routes with care.
To create a static route entry, enter the following information:
Destination IP Enter the network address of the remote LAN segment. For a standard Class C IP domain, the network address is the first three fields of the Destination LAN IP, while the last field should be 0.
Subnet Mask Enter the subnet mask used on the destination LAN IP domain. For Class C IP domains, the subnet mask is 255.255.255.0.
Default Gateway Enter the IP address of your network’s gateway. If this Router is used to connect your network to the Internet, then the gateway IP is the Router’s Internet IP address. If you have another router handling your network’s Internet connection, enter the IP address of that router instead.
Hop Count Enter the appropriate value (maximum is 15). This indicates the number of nodes that a data packet passes through before reaching its destination. A node is any device on the network, such as a switch, PC, or router.
Interface Select the appropriate interface. The Interface tells you whether your network is on the LAN or the WAN (the Internet). If you’re connecting to a sub-network, select LAN. If you’re connecting to another network through the Internet, select the appropriate WAN port option.
Click Add to List, and configure as many entries as you would like, up to a maximum of 30. To delete an entry, select it and click Delete selected IP.
Click Show Tables to see the details of your entries. Click Save Settings to save your changes, or click Cancel Changes to undo them.
The Router can be used as a DHCP (Dynamic Host Configuration Protocol) server on your network. A DHCP server automatically assigns available IP addresses to computers on your network. If you choose to enable the DHCP server option, all of the computers on your LAN must be set to obtain an IP address automatically from a DHCP server. (By default, Windows computers are set to obtain an IP automatically.)
If the Router’s DHCP server function is disabled, you have to carefully configure the IP address, subnet mask, and DNS settings of every computer on your network. Make sure you do not assign the same IP address to different computers.
4-Port SSL/IPSec VPN Router |
18 |
Chapter 4 |
Advanced Configuration |
|
|
|
|
DHCP > Setup
Enable DHCP Server To use the Router as your network’s DHCP server, select Enable DHCP Server. If you already have a DHCP server on your network, remove the check mark.
Dynamic IP
Client Lease Time The Client Lease Time is the amount of time a network user will be allowed connection to the Router with their current dynamic IP address. Enter the amount of time, in minutes, that the user will be “leased” this dynamic IP address. The range is 5-43,200 minutes. The default is 1440 minutes.
Dynamic IP Range Start/End Enter a starting IP address and ending IP address to create a range of available IP addresses. The default range is 100-149. Enter a value for the DHCP server to start with when issuing IP addresses. This value must be 192.168.1. 2 or greater, because the default IP address for the Router is 192.168.1.1.
Static IP
You can assign a static IP address to a specific device based on its MAC address.
Show unknown MAC addresses Click Show unknown MAC addresses to view all devices’ IP addresses and corresponding MAC addresses. The Unknown MAC Address List appears.
Unknown MAC Address List
To add an IP address and MAC address set to the Static IP list, select Enable, and then click Apply. To add all IP addresses and MAC addresses to the Static IP list, click
Select All.
To update the on-screen information, click Refresh. To exit this screen and return to the DHCP > Setup screen, click Close.
Static IP Address Enter the static IP address. You can enter 0.0.0.0 if you want the Router to assign a static IP address to the device.
MAC Address Enter the MAC address of the device. Name Enter a descriptive name for the device.
Enable Select Enable to assign the static IP address to this device.
Click Add to List, and configure as many entries as you would like, up to a maximum of 100. To delete an entry, select it and click Delete selected Entry.
Block MAC address on the list with wrong IP address To block traffic from devices with MAC addresses on the Static IP list but using the wrong IP addresses, select this option. It prevents users from changing device IP addresses without your permission.
Block MAC address not on the list To block traffic from devices using dynamic IP addresses, select this option. It blocks all devices with MAC addresses not listed on the Static IP list.
DNS
DNS Server You can assign DNS server(s) to the DHCP clients so the Router will use the DNS server(s) for faster access to functioning DNS server(s). Enter the IP address of at least one DNS server.
WINS
WINS Server Windows Internet Naming Service (WINS) is a service that resolves NetBIOS names to IP addresses. WINS is assigned if the computer (DHCP client) requests one. If you do not know the IP address of the WINS server, keep the default, 0.0.0.0.
4-Port SSL/IPSec VPN Router |
19 |
Chapter 4 |
Advanced Configuration |
NOTE: To support NetBIOS for DHCP and Virtual Passage clients, the Router uses two methods. (Virtual Passage is an ActiveX-based VPN client that provides full network connectivity for Windows users. It allows remote access to the Router’s network through a secure connection.)
First, when the DHCP and Virtual Passage clients receive dynamic IP addresses from the Router, it automatically includes the information of the WINS server to support NetBIOS. Second, if a user sets up a static IP address, then the IP address, subnet mask, default gateway, and DNS server settings must be configured on the Internet Protocol (TCP/IP) screen of the Windows operating system. Then the WINS IP address must be configured on the advanced TCP/IP screen. (For more information, refer to Windows Help.)
Click Save Settings to save your changes, or click Cancel Changes to undo them.
On the Status screen, view the status information for the DHCP server and its clients.
DHCP > Status
For the DHCP server, the following information is shown: DHCP Server This is the IP address of the DHCP server.
Dynamic IP Used It shows the number of dynamic IP addresses used.
DHCP Available This indicates the number of dynamic IP addresses available.
Total It shows the total number of dynamic IP addresses that can be assigned by the DHCP server.
Client Table
For all network clients using the DHCP server, the Client Table shows the current DHCP Client information:
Client Host Name This is the name assigned to a client host.
IP Address It is the dynamic IP address assigned to a client.
MAC Address This indicates the MAC address of a client.
Leased Time It displays the amount of time a network user will be allowed connection to the Router with their current dynamic IP address.
Delete Click the Trash Can icon to delete a DHCP client, and the client host’s IP address will be released.
Click Refresh to refresh the on-screen information.
Use this screen to establish relationships between multiple subnets and Virtual Local Area Networks (VLANs).
DHCP > Multiple VLANs
Enable Multiple VLANs Select this option to establish a relationship between multiple subnets and VLANs. If you enable this option and the multiple subnets and VLANs are not enabled, then the Router will prompt you to configure and enable the multiple subnets and VLANs.
VLAN ID The VLANs are configured on the Port Management > Create VLAN screen (by default, all VLANs created on this screen are part of the default subnet). The VLAN IDs you assigned are displayed on the Multiple VLANs screen.
Multiple Subnet Multiple subnets define different IP networks using the subnet mask. They are created after multiple VLANs are created. (If you want to change the settings of VLAN 1, then use the Setup > Network screen
4-Port SSL/IPSec VPN Router |
20 |
Chapter 4 |
Advanced Configuration |
to configure the Device IP Address and Subnet Mask settings.)
•Subnet1-4 Thesubnetnumbersarecreatedaccording to the VLAN numbers. (The multiple subnets can also be configured on the Setup > Network screen.)
•IP Address Enter an IP address.
•Subnet Mask Select the appropriate subnet mask.
Dynamic IP Range When the IP Address and Subnet Mask settings are configured, the range of IP addresses is displayed. You can change the range of IP addresses as long as the total number of IP addresses assigned by DHCP is 253. The greater the number of multiple subnets, the fewer the number of IP addresses assigned by DHCP.
NOTE: The Router’s built-in DHCP server can assign up to 253 IP addresses.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
To route packets between different VLANs, enable the Multiple VLANs option on the Multiple VLANs screen, and then select the VLANs on the Inter-VLAN Routing screen.
DHCP > Inter-VLAN Routing
VLAN1-4 Select the VLANs that can route packets to each other. For example, if you select VLAN1 and VLAN2, then packets can be routed between VLAN1 and VLAN2, but packets cannot be routed between VLAN3 and VLAN4.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
The Router has two built-in tools, DNS Name Lookup and Ping, which are used for troubleshooting network problems.
The Internet has a service called the Domain Name Service (DNS), which allows users to enter an easily remembered host name, such as www.linksys.com, instead of numerical TCP/IP addresses to access Internet resources. The DNS Name Lookup tool will return the numericalTCP/IP address of a host name.
The Ping test bounces a packet off a machine on the Internet back to the sender. This test shows if the Router is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server or other machine at the ISP’s location. If this test is successful, try pinging devices outside the ISP. This will show if the problem lies with the ISP’s connection.
DNS Name Lookup/Ping Select which tool you want to use, DNS Name Lookup or Ping. Then proceed to the appropriate instructions.
DNS Name Lookup
Before using this tool, make sure the IP address of the DNS server is entered on the Setup > Network screen; otherwise, this tool will not work.
System Management > Diagnostic > DNS Name Lookup
Look up the name Enter the host name, and click Go. (Do not add the prefix http:// or else you will get an error message.) The Router will then query the DNS server and display the result at the bottom of the screen.
Ping
Before using this tool make sure you know the device or host’s IP address. If you do not know it, use the Router’s
DNS Name Lookup tool to find the IP address.
4-Port SSL/IPSec VPN Router |
21 |
Chapter 4 |
Advanced Configuration |
|
|
|
|
System Management > Diagnostic > Ping
Ping host or IP address Enter the IP address of the device being pinged, and click Go.The test will take a few seconds to complete. When completed, the Router will display the results at the bottom of the screen. The results include this information: status; number of packets transmitted, received, or lost; and round trip time (minimum, maximum, and average).
Usethisscreentoclearallofyourconfigurationinformation and restore the Router to its factory default settings. Only use this feature if you wish to discard all the settings and preferences that you have configured.
System Management > Factory Default
Return to Factory Default Setting Click Return to Factory Default Setting if you want to restore the Router to its factory default settings. After clicking the button, a confirmation screen appears. Click OK to continue.
You can use this feature to upgrade the Router’s firmware to the latest version.
System Management > Firmware Upgrade
To download the firmware, refer to the Firmware Download instructions. If you have already downloaded the firmware onto your computer, then click the Browse button to look for the file.
NOTE: If you are using Internet Explorer on Windows XP, disable the pop-up blocking function before you upgrade the Router’s firmware. Refer to “Appendix O: Firmware Upgrade” for more information.
Firmware Upgrade Right Now After you have selected the file, click Firmware Upgrade Right Now.
NOTE: The Router will take approximately ten minutes to upgrade its firmware. During this process, do not power off the Router or press the Reset button.
Firmware Download
Firmware Download from Linksys Web Site If you need to download the latest version of the Router’s firmware, click Firmware Download from Linksys Web Site. The Support page of the Linksys website appears.
Select 4-Port SSL/IPSec VPN Router from the dropdown menu, and choose the firmware from the available options. After downloading the firmware file, extract it on your computer. Then follow the Firmware Upgrade instructions.
For more details, refer to “Appendix O: Firmware Upgrade”.
If you need to restart the Router, Linksys recommends that you use the Restart tool on this screen. When you restart
4-Port SSL/IPSec VPN Router |
22 |