Comtrend AR-5381U Users Manual
IPSec Connection Name User-defined label
Tunnel Mode Select tunnel protocol, AH (Authentication
Header) or ESP (Encapsulating Security
Payload) for this tunnel.
Remote IPSec Gateway Address The location of the Remote IPSec Gateway. IP
address or domain name can be used.
Tunnel access from local IP
addresses
Specify the acceptable host IP on the local
side. Choose Single or Subnet.
IP Address/Subnet Mask for VPN If you chose Single, please enter the host IP
address for VPN. If you chose Subnet, please
enter the subnet information for VPN.
Tunnel access from remote IP
addresses
Specify the acceptable host IP on the remote
side. Choose Single or Subnet.
IP Address/Subnet Mask for VPN If you chose Single, please enter the host IP
address for VPN. If you chose Subnet, please
enter the subnet information for VPN.
Key Exchange Method Select from Auto(IKE) or Manual
For the Auto(IKE) key ex change method, select Pre-shared key or Certificate (X.509)
authentication. For Pre-shared key authentication you must enter a key, while for
Certificate (X.509) authentication you must select a certificate from the list.
See the tables below for a summary of all available options.
101
Auto(IKE) Key Exchange Method
Pre-Shared Key / Certificate (X.509) Input Pre-shared key / Choose Certificate
Perfect Forward Secrecy Enable or Disable
Advanced IKE Settings Select Show Advanced Settings to reveal
the advanced settings options shown below.
Advanced IKE Settings Select Hide Advanced Settings to hide the
advanced settings options shown above.
Phase 1 / Phase 2 Choose settings for each phase, the available
options are separated with a “/” character.
Mode Main / Aggressive
Encryption Algorithm DES / 3DES / AES 128,192,256
Integrity Algorithm MD5 / SHA1
Select Diffie-Hellman Group 768 – 8192 bit
Key Life Time Enter your own or use the default (1 hour)
The Manual key exchange method options are summarized in the table below.
102
Manual Key Exchange Method
Encryption Algorithm DES / 3DES / AES (aes-cbc)
Encryption Key DES: 16 digit Hex, 3DES: 48 digit Hex
Authentication Algorithm MD5 / SHA1
Authentication Key MD5: 32 digit Hex, SHA1: 40 digit Hex
SPI (default is 101) Enter a Hex value from 100-FFFFFFFF
103
5.20 Certificate
A certificate is a public key, attached with its owner’s information (company name,
server name, personal real name, contact e-mail, postal address, etc) and digital
signatures. There will be one or more digital signatures attached to the certificate,
indicating that these entities have verified that this certificate is valid.
5.20.1 Local
CREATE CERTIFICATE REQUEST
Click Create Certificate Request to generate a certificate-signing request.
The certificate-signing request can be submitted to the vendor/ISP/ITSP to apply for
a certificate. Some information must be included in the certificate-signing request.
Your vendor/ISP/ITSP will ask you to provide the information they require and to
provide the information in the format they regulate. Enter the required information
and click Apply to generate a private key and a certificate-signing request.
104
The following table is provided for your reference.
Field Description
Certificate Name A user-defined name for the certificate.
Common Name Usually , the fully qualified domain name for the machine.
Organization Name The exact legal name of your organization.
Do not abbreviate.
State/Province Name The state or province where your organization is located.
It cannot be abbreviated.
Country/Region Name The two-letter ISO abbreviation for your country.
105
IMPORT CERTIFICATE
Click Import Certificate to paste the certificate content and the private key
provided by your vendor/ISP/ITSP into the corresponding boxes shown below.
Enter a certificate name and click Apply to import the local certificate.
106
5.20.2 Trusted CA
CA is an abbreviation for Certificate Authority, which is a part of the X.509 system.
It is itself a certificate, attached with the owner inf o rmation of this certificate
authority; but its purpose is not encryption/decryption. Its purpose is to sign and
issue certificates, in order to prove that these certificates are valid.
Click Import Certificate to paste the certificate content of your trusted CA. The
CA certificate content will be provided by your vendor/ISP /ITSP and is used to
authenticate the Auto-Configuration Server (ACS) that the CPE will connect to.
107
Enter a certificate name and click Apply to import the CA certificate.
108
5.21 Multicast
Input new IGMP or MLD protocol configuration fields if you want modify default
values shown. Then click Apply/Save.
109
Chapter 6 Wireless
The Wireless menu provides access to the wireless options discussed below.
6.1 Basic
The Basic option allows you to configure basic features of the wireless LAN interface.
Among other things, you can enable or disable the wireless LAN interface, hide the
network from active scans, set the wireless network name (also known as SSID).
110
Consult the table below for descriptions of these options.
Option Description
Enable
Wireless
Hide Access
Point
A checkbox that enables or disables the wireless LAN interface.
When selected, a set of basic wireless options will appear.
Select Hide Access Point to protect the access point from detection
by wireless active scans. To check AP status in Windows XP, open
Network Connections from the start Menu and select View
Available Network Connections. If the access point is hidden, it
will not be listed there. T o connect a client to a hidden access point,
the station must add the access point manually to its wireless
configuration.
Clients
Isolation
When enabled, it prevents client PCs from seeing one another in My
Network Places or Network Neighborhood. Also, prevents one
wireless client communicating with another wireless client.
Disable WMM
Advertise
Stops the router from ‘advertising’ its Wireless Multimedia (WMM)
functionality, which provides basic quality of service for
time-sensitive applications (e.g. VoIP, Video).
Enable
Select the checkbox to enable this function.
Wireless
Multicast
Forwarding
SSID
[1-32
characters]
Sets the wireless network name. SSID stands for Service Set
Identifier. All stations must be configured with the correct SSID to
access the WLAN. If the SSID does not match, that user will not be
granted access.
BSSID The BSSID is a 48-bit identity used to identify a particular BSS
(Basic Service Set) within an area. In Infrastructure BSS
networks, the BSSID is the MAC (Media Access Control) address of
the AP (Access Point); and in Independent BS S or ad hoc networks,
the BSSID is generated randomly.
Max Clients The maximum number of clients that can access the router.
Wireless -
Guest /
Virtual
Access Points
This router supports multiple SSIDs called Guest SSIDs or Virtual
Access Points. To enable one or more Guest SSIDs select the
checkboxes in the Enabled column. To hide a Guest SSID select
its checkbox in the Hidden column.
Do the same for Isolate Clients and Disable WMM Advertise.
For a description of these two functions, see the previo us entries for
“Clients Isolation” and “Disable WMM Advertise”. Similarly, for
Enable WMF, Max Clients and BSSID, consult the matching
entries in this table.
NOTE: Remote wireless hosts cannot scan Guest SSIDs.
111
6.2 Security
The following screen appears when Wireless Security is selected. The options shown
here allow you to configure security features of the wireless LAN interface.
Click Save/Apply to implement new configuration settings.
WIRELESS SECURITY
Wireless security settings can be configured according to Wi-Fi Protected Setup
(WPS) or Manual Setup. The WPS method configures securi ty settings automatically
(see
112
6.2.1 WPS) while the Manual Setup method requires that the user configure these
settings using the Web User Interface (see the table below).
Select SSID
Select the wireless network name from the drop-down box. SSID stands for Service
Set Identifier. All stations must be configured with the correct SSID to access the
WLAN. If the SSID does not match, that client will not be granted access.
Network Authentication
This option specifies whether a network key is used for authenticat ion to the
wireless network. If network authentication is set to Open, then no authentication
is provided. Despite this, the iden tity of the client is still verified.
Each authentication type has its own settings. For example, selecting 802.1X
authentication will reveal the RADIUS Server IP address, Port and Key fields. WEP
Encryption will also be enabled as shown below.
The settings for WPA authentication are shown below.
113
The settings for WPA-PSK authentication are shown next.
WEP Encryption
This option specifies whether data sent over the network is encrypted. The same
network key is used for data encryption and network authentication. Four network
keys can be defined although only one can be used at any one time. Use the Current
Network Key list box to select the appropriate network key.
Security options include authentication and encryption services based on the wire d
equivalent privacy (WEP) algorithm. WEP is a set of security services used to
protect 802.11 networks from unauthorized access, such as eavesdropping; in this
case, the capture of wireless network traffic. When data encryption is enabled,
secret shared encryption keys are generated and used by the source station and the
destination station to alter frame bits, thus avoiding disclosure to eavesdroppers.
Under shared key authentication, each wire less station is assumed to have received
a secret shared key over a secure channel that is independent from the 802.11
wireless network communications channel.
Encryption Strength
This drop-down list box will display when WEP Encryption is en abled. The key
strength is proportional to the number of binary bits comprising the key. This
means that keys with a greater number of bits have a greater degree of security an d
are considerably more difficult to crack. Encryption strength can be set to either
64-bit or 128-bit. A 64-bit key is equivalent to 5 ASCII characters or 10
hexadecimal numbers. A 128-bit key contains 13 ASCII characters or 26
hexadecimal numbers. Each key contains a 24-bit header (an initiation vector)
which enables parallel decoding of multiple streams of encrypted data.
114
6.2.1 WPS
Wi-Fi Protected Setup (WPS) is an industry standard that simplifies wireless security
setup for certified network devices. Every WPS certified device has a PIN number
accessed through device software. The AR-5381u has a virtual button accessible
from the web user interface (WUI).
Devices with the WPS logo (shown here)
support WPS. If the WPS logo is not present
on your device it still may support WPS, in
this case, check the device documentation
for the phrase “Wi-Fi Protected Setup”.
NOTE: WPS is only available in Open, WPA-PSK, WPA2-PSK and Mixed
WPA2/WPA-PSK network authentication modes. Other authentication
modes do not use WPS so they must be configured manually.
To configure security settings with WPS, follow the procedures below. You must
choose either the Push-Button or PIN configuration method for Steps 6 and 7.
I. Setup
Step 1: Enable WPS by selecting Enabled from the drop down list box shown.
Step 2: Set the WPS AP Mode. Configured is used when the AR -5381u will assign
security settings to clients. Unconfigured is used when an external
client assigns security settings to the AR-5381u.
NOTES: Your client may or may not have the ability to provide security settings to
the AR-5381u. If it does not, then you must set the WPS AP mode to
Configured. Consult the device documentation to check its capabilities.
In addition, using Windows Vista, you can add an external registrar using
the StartAddER button (Appendix D - WPS OPERATION) has detailed
instructions).
115
II. NETWORK AUTHENTICATION
Step 3: Select Open, WPA-PSK, WPA2-PSK, or Mixed WPA2/WPA-PSK network
authentication mode from the Manual Setup AP section of the Wireless
Security screen. The example below shows WPA2-PSK mode.
Step 4: For the Pre-Shared Key (PSK) modes, enter a WP A Pre-Shared K ey. You
will see the following dialog box if the Key is too short or too long.
Step 5: Click the Save/Apply button at the bottom of the screen.
IIIa. PUSH-BUTTON CONFIGURATION
The WPS push-button configuration provides a semi-automated configuration
method. The WPS button on the rear panel of the router can be used for this
purpose or the Web User Interface (WUI) can be used exclusively.
The WPS push-button configuration is described in the procedure below. It is
assumed that the Wireless function is Enabled and that the router is configured as
the Wireless Access Point (AP) of your WLAN. In addition, the wireless client must
also be configured correctly and turned on, with WPS function enabled.
116
NOTE: The wireless AP on the router searches for 2 minutes. If the router stops
searching before you complete Step 7, return to Step 6.
Step 6: Press WPS button
Press the WPS button on the front panel of the router. The WPS LED will
blink to show that the router has begun searching for the client.
Step 7: Go to your WPS wireless client and activate the push-button function.
A typical WPS client screenshot is shown below as an example.
Now go to Step 8 (part IV. Check Connection) to check the WPS connection.
IIIb. WPS – PIN CONFIGURATION
Using this method, security settings are configured with a personal identification
number (PIN). The PIN can be found on the device itself or within the software.
The PIN may be generated randomly in the latter case. To obtain a PIN number for
your client, check the device documentation for specific instructions.
The WPS PIN configuration is described in the procedure below. It is assumed that
the Wireless function is Enabled and that the router is conf igured as the Wireless
Access Point (AP) of your wireless LAN. In addition, the wireless client must also be
configured correctly and turned on, with WPS function enabled.
NOTE: Unlike the push-button method, the pin method has no set time limit.
This means that the router will continue searchin g unt il it finds a client.
Step 6: Select the PIN radio button in the WSC Setup section of the Wireless
Security screen, as shown in A or B below , and then click the appropriate
button based on the WSC AP mode selected in step 2.
A - For Configured mode, click the Add Enrollee button.
Enter STA PIN: a Personal Identification N umber (PIN) has to be read from either
a sticker or the display on the new wireless device. This PIN must then be inputted
at representing the network, usually the Access Point of the network.
B - For Unconfigured mode, click the Config AP button.
117
Step 7: Activate the PIN function on the wirel ess client. For Configured mode,
the client must be configured as an Enrollee. For Unconfigured mode,
the client must be configured as the Registr ar. This is different from the
External Registrar function provided in Windows Vista.
The figure below provides an example of a WPS client PIN function in-progress.
Now go to Step 8 (part IV. Check Connection) to check the WPS connection.
IV. CHECK CONNECTION
Step 8: If the WPS setup method was successful, you will be able access the
wireless AP from the client. The client software should show the status.
The example below shows that the connection established successfully.
You can also double-click the Wireless Network Connection icon from the
Network Connections window (or the system tr ay) to confirm the status of
the new connection.
118
6.3 MAC Filter
This option allows access to the router to be restricted based upon MAC addresses.
To add a MAC Address filter, click the Add button shown below. To delete a filter,
select it from the MAC Address table below and click the Remove button.
Option Description
Select
SSID
MAC
Restrict
Mode
MAC
Address
After clicking the Add button, the following screen appears.
Enter the MAC address in the box provided and click Save/Apply.
Select the wireless network name from the drop-down box. SSID stands
for Service Set Identifier . All stations must be configured with the correct
SSID to access the WLAN. If the SSID does not match, that user will not
be granted access.
Disabled: MAC filtering is disabled.
Allow: Permits access for the specified MAC addresses.
Deny: Rejects access for the specified MAC addresses.
Lists the MAC addresses subject to the MAC Restrict Mode. A maximum
of 60 MAC addresses can be added. Every network device has a unique
48-bit MAC address. This is usually shown as xx.xx.xx. xx.xx.xx, where
xx are hexadecimal numbers.
119
6.4 Wireless Bridge
This screen allows for the configuration of wireless bridge features of the WIFI
interface. See the table beneath for detailed explanations of the various options.
Click Save/Apply to implement new configuration settings.
Feature Description
120
Feature Description
AP Mode Selecting Wireless Bridge (aka Wireless Distribution System)
disables Access Point (AP) functionality, while select ing Access
Point enables AP functionality . In Access Point mode, wireless
bridge functionality will still be available and wireless stations
will be able to associate to the AP.
Bridge Restrict Selecting Disabled disables wireless bridge restriction, which
means that any wireless bridge will be granted access.
Selecting Enabled or Enabled (Scan) enables wireless bridge
restriction. Only those bridges selected in the Remote Bridges
list will be granted access. Click Refresh to update the station
list when Bridge Restrict is enabled.
121
6.5 Advanced
The Advanced screen allows you to configure advanced features o f the wireless LAN
interface. You can select a particular channel on which to operate, force the
transmission rate to a particular speed, set the fragmentation threshold, set the RTS
threshold, set the wakeup interval for clients in power-save mode, set the beacon
interval for the access point, set XPress mode and set whether short or long
preambles are used. Click Save/Apply to set new advanced wireless options.
122
Field Description
Band Set to 2.4 GHz for compatibility with IEEE 802.11x
standards. The new amendment allows IEEE 802.11n
units to fall back to slower speeds so that legacy IEEE
802.11x devices can coexist in the same network. IEEE
802.11g creates data-rate parity at 2.4 GHz with the IEEE
802.11a standard, which has a 54 Mbps rate at 5 GHz.
(IEEE 802.11a has other differences compared to IEEE
802.11b or g, such as offering more channels.)
Channel Drop-down menu that allows selection of a specific
channel.
Auto Channel Timer
Auto channel scan timer in minutes (0 to disable)
(min)
802.11n/EWC An equipment interoperability standard setting based on
IEEE 802.11n Draft 2.0 and Enhanced Wireless
Consortium (EWC)
Bandwidth Select 20GHz or 40GHz bandwidth. 40GHz bandwidth uses
two adjacent 20GHz bands for increased data throughput.
Control Sideband Select Upper or Lower sideband when in 40GHz mode.
802.11n Rate Set the physical transmission rate (PHY).
802.11n Protection Turn Off for maximized throughput.
Turn On for greater security.
Support 802.11n
Client Only
Turn Off to allow 802.11b/g clients access to the router.
T urn On to prohibit 802.11b/g clients access to the router.
RIFS Advertisement One of several draft-n features designed to improve
efficiency. Provides a shorter delay between OFDM
transmissions than in802.11a or g.
OBSS Co-Existence Co-existence between 20 MHZ AND 40 MHZ overlapping
Basic Service Set (OBSS) in WLAN.
RX Chain Power Save Enabling this feature turns off one of the Receive chains,
going from 2x2 to 2x1 to save power.
RX Chain Power Save
Quiet Time
The number of seconds the traffic must be below the PPS
value below before the Rx Chain Power Save feature
activates itself.
RX Chain Power Save
PPS
The maximum number of packets per seconds that can be
processed by the WLAN interface for a duration of Quiet
Time, described above, before the Rx Chain Power Sa v e
feature activates itself.
54g Rate Drop-down menu that specifies the following fixed rates:
Auto: Default. Uses the 11 Mbps data rate when possible
but drops to lower rates when necessary. 1 Mbps, 2Mbps,
5.5Mbps, or 11Mbps fixed rates. The appropriate setting
is dependent on signal strength.
Multicast Rate Setting for multicast packet transmit rate (1-54 Mbps)
Basic Rate Setting for basic transmission rate.
123
Field Description
Fragmentation
Threshold
A threshold, specified in bytes, that determines whether
packets will be fragmented and at what size. On an
802.11 WLAN, packets that exceed the fragmentation
threshold are fragmented, i.e., split into, smaller units
suitable for the circuit size. Packets smaller than the
specified fragmentation threshold value are not
fragmented. Enter a value between 256 and 2346. If you
experience a high packet error rate, try to slightly increase
your Fragmentation Threshold. The value should remain
at its default setting of 2346. Setting the Fragmentation
Threshold too low may result in poor performance.
RTS Thresho ld Request to Send, when set in bytes, specifies the packet
size beyond which the WLAN Card invokes its RTS/CTS
mechanism. Packets that exceed the specified RTS
threshold trigger the RTS/CTS mechanism. The NIC
transmits smaller packet without using RTS/CTS. The
default setting of 2347 (maximum length) disables RTS
Threshold.
DTIM Interval Delivery Traffic Indication Message (DTIM) is also known
as Beacon Rate. The entry range is a value between 1
and 65535. A DTIM is a countdown variable that informs
clients of the next window for listening to broadcast and
multicast messages. When the AP has buffered
broadcast or multicast messages for associated clients, it
sends the next DTIM with a DTIM Interval value. AP
Clients hear the beacons and awaken to receive the
broadcast and multicast messages. The default is 1.
Beacon Interval The amount of time between beacon transmissions in
milliseconds. The default is 100 ms and the acceptable
range is 1 – 65535. The beacon transmissions identify
the presence of an access point. By default, network
devices passively scan all RF channels listening for
beacons coming from access points. Before a station
enters power save mode, the station needs the beacon
interval to know when to wake up to receive the beacon
(and learn whether there are buffered frames at the
access point).
Global Max Clients The maximum number of clients that can connect to the
router.
Xpress
TM
Technology Xpress T echnology is compliant with draft specifications of
two planned wireless industry standards.
Transmit Power Set the power output (by percentage) as desired.
WMM (Wi-Fi
Multimedia)
The technology maintains the priority of audio, video and
voice applications in a Wi-Fi network. It allows multimedia
service get higher priority.
WMM No
Acknowledgement
Refers to the acknowledge policy used at the MAC level.
Enabling no Acknowledgement can result in more efficient
throughput but higher error rates in a noisy Radio
Frequency (RF) environment.
WMM APSD This is Automatic Power Save Delivery. It saves power.
124
6.6 Site Survey
The graph displays wireless APs found in your neighborhood by channel.
125
6.7 Station Info
This page shows authenticated wireless stations and their status. Click the Refresh
button to update the list of stations in the WLAN.
Consult the table below for descriptions of each column heading.
Heading Description
MAC Lists the MAC address of all the stations.
Associated Lists all the stations that are associated with the Access
Point, along with the amount of time since pack ets were transferred
to and from each station. If a station is idle fo r too long, it is
removed from this list.
Authorized Lists those devices with authorized access.
SSID Lists which SSID of the modem that the stations connect to.
Interface Lists which interface of the modem that the stations connect to.
126
6.8 WiFi Button
This page allows you to enable or disable the WiFi Button.
127
Chapter 7 Diagnostics
7.1 Diagnostics – Individual Tests
The first Diagnostics screen is a dashboard that shows overall connection status.
If a test displays a fail status, click the button to retest and confirm the error.
If a test continues to fail, click Help
and follow the troubleshooting procedures.
128
Loading...