Edge-Core VR-100 User Manual

VR-100 8-Port Dual-WAN VPN Router
Table of Contents
1. Introduction
    Main features:
        Dual WAN
        Firewall Security
        VPN Support
        Networking
        Network Management
2. How To Install
    Hardware Features:
        Feature List
        LED Status
        Reset Button
    Physical Setup of the Router:
        Set the Router on a desktop or other flat, secure surface
        Rack-Mounting the Router
        Wall-Mounting the Router
    Connecting the 8-Port Dual-WAN VPN Router to your Network:
3. How To Manage
    Login
    Sitemap
    Home
        System Information
        Port Statistics
        General Setting Status
        Advance Setting Status
        Firewall Setting Status
        VPN Setting Status
        Log Setting Status:
    General Setting
        Configure
        Dual WAN
        Password
        Time
    Advanced Setting
        DMZ Host
        Forwarding
        UPnP
        Routing
        One-to-One NAT
        DDNS
        MAC Clone
    DHCP
        Setup
        Status
    Tool
        SNMP
        Diagnostic
        Restart
        Factory Default
        Firmware Upgrade
        Setting Backup
    Port Management
        Port Setup
        Port Status
    Firewall
        General
        Access Rules
        Content Filter
    VPN
        Summary
        Gateway to Gateway
        Client to Gateway
        VPN Pass Through
    Log
        System Log
        System Statistics
    Logout
1. Introduction
The 10/100 8-Port Dual-WAN VPN Router has two WAN ports and eight 10/100 Ethernet LAN ports, and is mainly intended for small and medium-sized enterprise networks that need a high-security VPN. The router brings high-speed network security to enterprise businesses, remote users, service providers, and data centers. The router’s design combines firewall, VPN support, NAT, and powerful traffic management with Fast Ethernet connections to provide consistent network infrastructure security.
With its two WAN ports, the device can have a backup WAN interface. The 8-Port Dual-WAN VPN Router supports Smart Link Backup and Load Balance for Dual WAN management, which improves robustness. The extra WAN port can also be assigned as a DMZ port.
The product’s built-in advanced firewall features can resist various kinds of malicious attacks and curious intruders. The product uses Stateful Packet Inspection (SPI) to examine all data packets against the established security policies. It also provides automatic protection from Denial of Service (DoS) attacks such as SYN flooding, IP spoofing, LAND attack, ping of death and all reassembly attacks. NAT combined with the firewall conceals internal network addresses so that they are not disclosed publicly, and also provides a solution for the IP address depletion problem. The product also has reverse NAT capabilities that enable users to host various Internet services, such as web servers and e-mail servers, in the private IP address space.
The VPN in this product provides security for transferring important data. It supports up to 100 VPN tunnels and 2 Group VPNs. The Group VPN feature simplifies setup, because network administrators do not need to configure remote VPN clients individually. The product implements the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols that provide anti-replay service for automatic key management and confidentiality, authentication and integrity for the data stream.
The 8-Port Dual-WAN VPN Router provides network users with a web-based user interface, which is flexible, effective, and easy to use. Furthermore, network administrators can easily control, manage and monitor the network’s conditions through this web-based interface.
Main features:
Dual WAN
• Smart Link Backup
• Load Balance (Auto Mode)
• Network Service Detection
• Protocol Binding
Firewall Security
• Firewall Throughput: up to 100 Mbps (Uni-directional)
• IP filtering; allows you to configure IP address filters
• Port filtering; allows you to configure TCP/UDP port filters
• Denial of Service (DoS) prevention
• Support Stateful Packet Inspection (SPI)
• Firewall detection: Ping of Death, SYN Flooding, Land attack, IP Spoofing
• Email Alert for Hacker Attack
VPN Support
• IPSec VPN
• VPN Throughput: up to 95 Mbps
• Support up to 100 VPN tunnels
• Up to 2 Group VPNs support
• Friendly VPN Tunnel Management
• IKE: Pre-Shared keys
• IPSec Encryption DES/3DES/AES
• IPSec Authentication MD5/SHA1
• Support PMTU
• DPD detection
• View Log
Networking
• Concurrent Sessions: up to 20,000
• Dedicated DMZ
• DHCP Client/Server, dynamic IP, static IP support
• TCP/IP
• IP Routing
• PPPoE
• NAT with popular ALG support
• NAT with port forwarding
• NAT with port triggers
• DNS Relay
• DDNS: Support DynDNS and 3322 Dynamic DNS
• ARP
• ICMP
• FTP/TFTP
• Password protected configuration or management sessions for web access
• Load Balancing
• Port-based QoS
Network Management
• Comprehensive web based management and policy setting
• SNMP v1/v2c
• Firmware upgrade through Web browser
• Monitoring, Logging, and Alarms of system activities
• Locate and configure all devices on the same subnet
2. How To Install
Hardware Features:
Feature List
WAN: 2 RJ-45 10/100Base-T Ethernet ports
LAN: 8 RJ-45 10/100Base-T Ethernet ports
CPU: Intel IXP425-533 MHz
SDRAM: 32 Mbytes SDRAM
Flash ROM: 16 Mbytes Flash
Internal Power: Input: AC100~240V, 0.4A; Output: DC3.3V / 3A
EMI/EMC: FCC Class B, CE Class B
Operation Requirement:
• Operating Temp.: 0ºC to 40ºC (32ºF to 104ºF)
• Storage Temp.: 0ºC to 70ºC (32ºF to 158ºF)
• Operating Humidity: 10% to 85% Non-Condensing
• Storage Humidity: 5% to 90% Non-Condensing
Dimensions: 13” x 9” x 1.75” (330.2mm x 228.6mm x 44.45mm)
LED Status
LED        Color    Description
Power      Green    • Green On: Power On
DIAG       Orange   • Orange On: System not ready and the Router goes through its self-diagnostic mode
                    • Orange Off: System ready and the Router completes the diagnosis successfully
Link/Act   Green    • Light up: Ethernet Link
                    • Flicker: When the port is sending or receiving data
Speed      Green    • Green On: 100Mbps
                    • Green Off: 10Mbps
Reset Button
Action                       Description
Push button for 4 seconds    • Warm Reset
                             • DIAG LED: Orange blinking slowly
Push button for 10 seconds   • Factory Default
                             • DIAG LED: Orange blinking fast
Physical Setup of the Router:
You can set the Router on a desktop, install it in a rack with attached brackets, or mount it on the wall.
Set the Router on a desktop or other flat, secure surface.
Do not place excessive weight on top of the chassis that could damage the chassis.
Rack-Mounting the Router
The Router comes with two brackets and eight screws for mounting in a 19-inch rack. The attached brackets are shown below. Line up the bracket holes with the holes located on the Router’s sides. Attach the mounting brackets using the included screws, four on each side of the Router. When the brackets are attached to the Router, you can rack-mount it. Attach the Router to the rack, using two screws on each side of the Router.
Wall-Mounting the Router
The Router has two holes on the bottom, and the horizontal distance between the two holes is 94mm. After the nails are secured on the wall, you can wall-mount it.
Connecting the 8-Port Dual-WAN VPN Router to your Network:
The figures describe the integration of the 8-Port Dual-WAN VPN Router into the network.
Figure1: Dual WAN
Figure2: DMZ
The Router is a network device that connects two networks together.
• Set up WAN connection: The WAN port can be connected to a modem, hub, switch or to a router.
• Set up LAN connection: The LAN port can be connected to a hub, switch or to a computer directly.
• Set up DMZ/WAN port: This port can work as an additional WAN port or a DMZ port. When it works as the dedicated DMZ port (Figure 2), it can be connected to the public servers, such as Web and Mail servers. When it works as the WAN port (Figure 1), it can have the above WAN connection.
Connect the power cord to a power outlet and to the power port on the rear panel of the 8-Port Dual-WAN VPN Router. The Router then runs a series of self-diagnostic tests to check for proper operation.
3. How To Manage
Login
• Enter User Name and Password in the blank area, and then click OK.
• The Router's default User Name and Password is 'admin' when you first power up the Router.
Sitemap
Click the Sitemap button to view the sitemap. Click a tab in the sitemap to go to that page.
Home
The Home screen displays the router’s current status and settings. This information is read-only. Clicking an underlined button opens the related setup page.
System Information
• Serial Number: The serial number of the 8-Port Dual-WAN VPN Router unit.
• System up time: The length of time in Days, Hours, and Minutes that the 8-Port Dual-WAN VPN Router has been active.
• Firmware version: The current version number of the firmware installed on this unit.
• CPU: The type of the 8-Port Dual-WAN VPN Router processor. It is Intel IXP425.
• DRAM: The size of DRAM on the board. It is 32MB.
• Flash: The size of Flash on the board. It is 16MB.
• Current Time: It shows the current time. Note that users should correctly synchronize the time with a remote NTP server so that the VR-100 shows the exact time.
Port Statistics
Users can click a port number in the port diagram to see the status of the selected port. Once a port is disabled, its color turns red. The Summary table shows the settings of the selected port: Type, Link Status (up or down), Port Disable (on or off), Priority (High or Normal), Speed Status (10Mbps or 100Mbps), Duplex Status (half or full), and Auto negotiation (Enabled or disabled). The Statistics table shows the receive/transmit packet count, the receive/transmit packet byte count, and the Port Packet Error Count of the selected port.
General Setting Status
• LAN IP: It shows the current IP Address of the Router, as seen by internal users on the Internet, and hyperlinks to LAN Setting in General Setting page.
• WAN1 IP: It shows the current WAN1 IP Address of the Router, as seen by external users on the Internet, and hyperlinks to WAN Connection Type in Setup page. When users select Obtain an IP automatically, it shows two buttons, Release and Renew. Users can click the Release button to release the IP address they have already obtained, and click the Renew button to update the DHCP Lease Time or get a new IP address. When users select PPPoE or PPTP, it shows Connect / Disconnect.
• WAN2/DMZ IP: It shows the current WAN2 IP Address of the Router, or the DMZ IP when DMZ is selected, as seen by external users on the Internet, and hyperlinks to WAN Connection Type in General Setting page.
• Default Gateway (WAN1~2): It shows all Gateway Addresses and hyperlinks to WAN Connection Type in General Setting page.
• DNS: It shows all DNS Server Addresses and hyperlinks to WAN Connection Type in General Setting page.
Advance Setting Status
• DMZ Host: It shows DMZ Private Address and hyperlinks to DMZ Host in Advance Setting page. The default is disabled.
• Working Mode: It shows the Working Mode (Gateway or Router) and hyperlinks to Dynamic Routing in Advanced Setting page.
• DDNS: It shows the status (Enable / Disable) and hyperlinks to DDNS in Advanced Setting page.
Firewall Setting Status
• SPI (Stateful Packet Inspection): It shows the status (On/Off) and hyperlinks to the General in Firewall page.
• DoS (Denial of Service): It shows the status (On/Off) and hyperlinks to the General in Firewall page.
• Block WAN Request: It shows the status (On/Off) and hyperlinks to the Block WAN Request in Firewall page.
• Remote Management: It shows the status (On/Off) and hyperlinks to the Remote Management in Firewall page.
VPN Setting Status
VPN Summary: It hyperlinks to VPN page.
• Tunnel(s) Used: It shows the number of Tunnels Used.
• Tunnel(s) Available: It shows the number of Tunnels Available.
• Current Connected (The Group Name of GroupVPN1) users: It shows the number of users.
• Current Connected (The Group Name of GroupVPN2) users: It shows the number of users.
• If GroupVPN is disabled, it will show “No Group VPN was defined”.
Log Setting Status:
It hyperlinks to System Log in the Log page.
• If you have not set up the mail server in the Log page, it shows “E-mail cannot be sent because you have not specified an outbound SMTP server address.”
• If you have set up the mail server but the log has not been sent yet because of the Log Queue Length and Log Time Threshold settings, it shows “E-mail settings have been configured.”
• If you have set up the mail server and the log has been sent to the mail server, it shows “E-mail settings have been configured and sent out normally.”
• If you have set up the mail server and the log cannot be sent to the mail server successfully, it shows “E-mail cannot be sent out, probably use incorrect settings.”
General Setting
The General Setting screen contains all of the router’s basic setup functions. For most users, the default values for the device should be satisfactory. The device can be used in most network settings without changing any of the values. Some users will need to enter additional information in order to connect to the Internet through an ISP (Internet Service Provider) or broadband (DSL, cable modem) carrier.
Configure
Host Name & Domain Name: Enter a host and domain name for the Router. Some ISPs (Internet Service Providers) may require these names as identification, and these settings can be obtained from your ISP. In most cases, leaving these fields blank will work.
LAN Setting
This is the Router’s LAN IP Address and Subnet Mask. The default value is 192.168.1.1 for IP address and 255.255.255.0 for the Subnet Mask.
Dual-WAN / DMZ Setting
Before choosing the following WAN Connection Type, please choose the Dual-WAN / DMZ Setting first.
DMZ:
In order to allow such services, the 8-Port Dual-WAN VPN Router comes with a special DMZ port which is used for setting up public servers. The DMZ sits between the local network and the Internet. Servers on the DMZ are publicly accessible, but they are protected from attacks such as SYN Flooding. Use of the DMZ port is optional; it may be left unconnected.
Using the DMZ is preferred and, if practical, strongly recommended as an alternative to Public LAN Servers or to putting these servers on the WAN port, where they are not protected and not accessible by users on the LAN.
Each of the servers on the DMZ will need a unique, publishable Internet IP address. The Internet Service Provider used to connect the network to the Internet should be able to provide these addresses, as well as information on setting up public Internet servers.
Subnet: If you select Subnet, the DMZ and WAN will be on different subnets.
Specify DMZ IP Address: Enter the DMZ IP Address.
Subnet Mask: Enter the Subnet Mask.
Range: If you select Range, the DMZ and WAN will be on the same subnet.
IP Range for DMZ Port: Enter the DMZ IP Address and Subnet Mask.
Click the Apply button to save the network settings or click the Cancel button to undo your changes.
WAN Connection Type:
Obtain an IP automatically:
If your ISP is running a DHCP server, select the Obtain an IP automatically option. Your ISP will assign these values, including the DNS Server, automatically. Alternatively, users can check the Use the Following DNS Server Addresses box and enter a specific DNS Server IP. Multiple DNS IP Settings are common. In most cases, the first available DNS entry is used.
Static IP:
If you have specified WAN IP Address, Subnet Mask, Default Gateway Address and DNS Server, select Static IP. You can get this information from your ISP.
PPPoE (Point-to-Point Protocol over Ethernet):
You have to check with your ISP to make sure whether PPPoE should be enabled or not. If they do use PPPoE:
1. Enter your Username and Password.
2. If you select the Connect on Demand option, the PPPoE connection will be disconnected when it has been idle for a period longer than the Max Idle Time setting.
3. If you select the Keep Alive option, the Router will keep the connection alive by sending out a few data packets at every Redial Period, so your Internet service thinks that the connection is still alive.
PPTP (Point-to-Point Tunneling Protocol):
1. Fill in the blanks for the specified WAN IP Address, Subnet Mask and Default Gateway Address, which is the IP address of the PPTP server that resides in the modem.
2. Enter your Username and Password.
3. If you select Connect on Demand option, the connection will be disconnected if it has been idle for a period longer than the Max Idle Time setting.
4. If you select Keep Alive option, the Router will keep the connection alive by sending out a few data packets at Redial Period, so your Internet service thinks that the connection is still alive.
Dual WAN
There are two functions provided for users: Smart Link Backup and Load Balance (Auto Mode). If users select DMZ in the setup page, they cannot change the Dual WAN setting here.
If Smart Link Backup is selected, users only need to decide which WAN port is primary; the other will be the backup.
If Load Balance is selected, the Router automatically computes the maximum bandwidth of WAN1 and WAN2, using Weighted Round Robin to balance the load.
First, enter the Max. Bandwidth of Upstream and Downstream for WAN1 and WAN2 provided by the ISP.
• Network Service Detection: This tool can detect the network connection status of the ISP by pinging the Default Gateway, ISP Host and Remote Host. If you check this Detection, you have to choose at least one option from the following three items.
1. Default Gateway: If you choose this item, the Router will ping the default gateway first.
2. ISP Host: After pinging Default Gateway, the Router will ping ISP Host “Retry timeout” later. The ISP Host is provided by ISP.
3. Remote Host: Enter the IP address of Remote Host that you’re going to ping.
4. DNS Lookup Host: Enter the Host Name or Domain Name that you’re going to ping.
• Retry count: The count of ping. The default is 5.
• Retry timeout: The interval between two ping actions. The default is 30 seconds.
When Fail:
• Generate the Error Condition in the System Log: The Router will generate the System Log when ping fails to inform users that the ISP connection is disconnected.
• Remove the Connection: This WAN Interface will be suspended when the network connection to the ISP is not active. The traffic on this WAN will be dispatched to the other WAN port. Once the ISP connection returns, the traffic will be dispatched back.
Protocol Binding
This device supports the Protocol Binding functionality. It allows users to specify the internal IP and/or Service going through the specified WAN port.
Service: Users can choose the Service from the drop-down menu, or click the service management to add a new Service. The default Service is SMTP.
Source IP: Users can specify the internal IP to go through the specific WAN port. If users need the Service Binding only, entering zero in the Source IP field is suggested.
Destination IP: Users can specify the specific Service from the internal Source IP to Destination IP going through the specific WAN port, and enter the Destination IP. If users need the Service Binding only, entering zero in the Destination IP field is suggested. If users need IP Binding only, please select All from the Service drop-down menu.
Interface: Choose WAN1 or WAN2.
Enable: Users can check the enable box to enable this Protocol Binding rule.
Click the Add to list button to add the Protocol Binding rule to the list (users can set up to 30 rules), or click the Delete selected application button to delete the selected rule.
Click the Apply button to save the Dual WAN Load Balance settings or click the Cancel button to undo the changes.
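The following is an added example, not code from the manual or the VR-100 firmware: a small Python model of how a new session is dispatched under the Dual WAN settings above (Protocol Binding first, then Weighted Round Robin, with a port suspended by "Remove the Connection" after the default Retry count of 5 failed pings). Assumptions: the weight is the entered Max. Bandwidth, the round-robin variant is the "smooth" one, a bound rule falls back to the other port while its WAN is suspended, and all class names, addresses and bandwidth figures are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

RETRY_COUNT = 5    # the manual's default "Retry count"
MAX_BINDINGS = 30  # the manual's Protocol Binding rule limit


@dataclass
class Wan:
    name: str
    max_bandwidth_kbps: int  # "Max. Bandwidth" entered for the port (used as weight: assumption)
    failed_probes: int = 0   # consecutive failed detection pings
    removed: bool = False    # suspended by "Remove the Connection"
    credit: int = 0          # running weight for smooth weighted round robin


@dataclass
class Binding:
    service_port: Optional[int]  # None models "All" in the Service menu
    source_ip: str               # "0" means any source, as the manual suggests
    dest_ip: str                 # "0" means any destination
    interface: str               # "WAN1" or "WAN2"
    enabled: bool = True

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.enabled
                and self.service_port in (None, port)
                and self.source_ip in ("0", src)
                and self.dest_ip in ("0", dst))


@dataclass
class DualWan:
    wans: List[Wan]
    bindings: List[Binding] = field(default_factory=list)
    system_log: List[str] = field(default_factory=list)

    def add_binding(self, rule: Binding) -> None:
        if len(self.bindings) >= MAX_BINDINGS:
            raise ValueError("Protocol Binding list is full (30 rules)")
        self.bindings.append(rule)

    def record_probe(self, wan_name: str, ok: bool) -> None:
        """Feed one Network Service Detection ping result for a WAN port."""
        wan = self._by_name(wan_name)
        if ok:
            if wan.removed:
                self.system_log.append(f"{wan.name}: connection restored")
            wan.failed_probes, wan.removed = 0, False
            return
        wan.failed_probes += 1
        if wan.failed_probes >= RETRY_COUNT and not wan.removed:
            wan.removed, wan.credit = True, 0
            self.system_log.append(f"{wan.name}: detection failed, connection removed")

    def pick(self, src: str, dst: str, port: int) -> str:
        """Return the name of the WAN port a new session would leave through."""
        for rule in self.bindings:
            if rule.matches(src, dst, port):
                bound = self._by_name(rule.interface)
                if not bound.removed:
                    return bound.name
                break  # bound port is suspended: use the other WAN (assumption)
        active = [w for w in self.wans if not w.removed]
        if not active:
            raise RuntimeError("no WAN connection available")
        for w in active:
            w.credit += w.max_bandwidth_kbps
        best = max(active, key=lambda w: w.credit)  # ties go to the first port
        best.credit -= sum(w.max_bandwidth_kbps for w in active)
        return best.name

    def _by_name(self, name: str) -> Wan:
        return next(w for w in self.wans if w.name == name)


def demo() -> dict:
    # Constructed bandwidth figures and documentation-range addresses.
    router = DualWan([Wan("WAN1", 8000), Wan("WAN2", 2000)])
    router.add_binding(Binding(25, "0", "0", "WAN2"))  # bind SMTP to WAN2
    balanced = [router.pick("192.168.1.10", "203.0.113.5", 80) for _ in range(10)]
    smtp_before = router.pick("192.168.1.10", "203.0.113.9", 25)
    for _ in range(RETRY_COUNT):  # WAN2 fails every detection ping
        router.record_probe("WAN2", ok=False)
    smtp_during = router.pick("192.168.1.10", "203.0.113.9", 25)
    router.record_probe("WAN2", ok=True)  # the ISP connection returns
    smtp_after = router.pick("192.168.1.10", "203.0.113.9", 25)
    return {"balanced": balanced,
            "smtp": [smtp_before, smtp_during, smtp_after],
            "log": router.system_log}
```

The two system_log entries are the events to alert on: a suspended WAN port silently moves bound traffic such as SMTP onto the other ISP link.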
Password
The Router's default password is 'admin', and it is strongly recommended that you change the Router's password. If you leave the password field blank, all users on your network will be able to access the Router simply by entering the unit’s IP address into their web browser’s location window.
Old Password:
Enter the old password. The default Password is ‘admin’ when you first power up the Router. (Note: The password cannot be recovered if it is lost or forgotten. If the password is lost or forgotten, you have to reset the Router to its factory default state.)
New Password:
Enter a new password for the Router. Your password must be less than 15 characters long and it is not allowed to contain any spaces.
Confirm New Password:
Re-enter the password for confirmation.
Click the Apply button to save the Password settings or click the Cancel button to undo the changes.
Time
The 8-Port Dual-WAN VPN Router uses the time settings to time stamp log events, to automatically update the Content Filter List, and for other internal purposes. Set the local time using Network Time Protocol (NTP) automatically or manually.
Automatically:
Select the Time Zone and enter the Daylight Saving and NTP Server. The default Time Zone is Greenwich Mean Time.
Manually:
Enter the Hours, Minutes, Seconds, Month, Day and Year.
Click the Apply button to save the Time settings or click the Cancel button to undo the changes.
Advanced Setting
DMZ Host
The DMZ (Demilitarized Zone) Host feature allows one local user to be exposed to the Internet to use a special-purpose service such as Internet gaming and video-conferencing.
Enter the DMZ Private IP Address to access DMZ Host settings. The Default value zero (0) will deactivate DMZ Host.
Click the Apply button to save the DMZ Host setting or click the Cancel button to undo the changes.
Forwarding
Port forwarding can be used to set up public services on your network. When users from the Internet make certain requests on your network, the Router can forward those requests to computers equipped to handle the requests. If, for example, you set the port number 80 (HTTP) to be forwarded to IP Address 192.168.1.2, then all HTTP requests from outside users will be forwarded to 192.168.1.2. You may use this function to establish a Web server or FTP server via an IP Gateway. Be sure that you enter a valid IP Address. (You may need to establish a static IP address in order to properly run an Internet server.) For added security, Internet users will be able to communicate with the server, but they will not actually be connected. The packets will simply be forwarded through the Router.
Port Range Forwarding:
1. Select the Service from the pull-down menu.
2. If the Service you need is not listed in menu, please click the Service Management button to add new Service and enter the Protocol and Port Range. Then click the Save Setting button.
3. Enter the IP Address of the server that you want the Internet users to access. Then enable the entry.
4. Click the Add to List button, and configure as many entries as you would like. You can also Delete the selected application.
Port Triggering
Some Internet applications or games use alternate ports to communicate between server and LAN host. When you want to use those applications, enter the triggering (outgoing) port and alternate incoming port in this table. The Router will forward the incoming packets to the LAN host.
1. Enter the range of port numbers and enter the application name, and enter the incoming port range.
2. You can click the Add to List button to add Port Triggering or Delete selected application.
Click the Apply button to save the Forwarding settings, click the Cancel button to undo your changes, click the Show Tables to see the details.
UPnP
UPnP forwarding can be used to set up public services on your network. Windows XP can modify those entries via UPnP when UPnP function is enabled by selecting Yes.
1. Users have to click the Service Management first to enter the Service Name, Protocol and External Port and Internal Port, and then Add to list and Save Settings. Otherwise, there will be no entry in Service menu.
2. Enter the Host Name or IP Address of the server that you want the Internet users to access, and then enable the entry.
3. Click the Add to List button, and configure as many entries as you would like. The maximum entry is 30. You can also Delete the selected application.
4. Users can also change the IP address and Disable the entry. Click the selected entry, change IP or Disable, then click Update this Application button.
Click the Apply button to save the settings, click the Cancel button to undo your changes, click the Show Tables to see the details.
Routing
Dynamic Routing
The Router's dynamic routing feature can be used to automatically adjust to physical changes in the network's layout. The Router uses the dynamic RIP protocol. It determines the route that the network packets take based on the fewest number of hops between the source and the destination. The RIP protocol regularly broadcasts routing information to other routers on the network.
• Working Mode: Select Gateway mode if your Router is hosting your network’s connection to the Internet. Select Router mode if the Router exists on a network with other routers, including a separate network gateway that handles the Internet connection. In Router Mode, any computer connected to the Router will not be able to connect to the Internet unless you have another router function as the Gateway.
• RIP (Routing Information Protocol): The Router, using the RIP protocol, calculates the most efficient route for the network’s data packets to travel between the source and the destination, based upon the shortest paths.
• Receive RIP versions: Choose the RX protocol you want for receiving data from the network. (None, RIPv1, RIPv2, Both RIPv1 and v2).
• Transmit RIP versions: Choose the TX protocol you want for transmitting data on the network. (None, RIPv1, RIPv2-Broadcast, RIPv2-Multicast)
Static Routing
You will need to configure Static Routing if there are multiple routers installed on your network. The static routing function determines the path that data follows over your network before and after it passes through the Router. You can use static routing to allow different IP domain users to access the Internet through this device. This is an advanced feature. Please proceed with caution.
This Router is also capable of dynamic routing (see the Dynamic Routing tab). In many cases, it is better to use dynamic routing because the function will allow the Router to automatically adjust to physical changes in the network's layout. In order to use static routing, the Router's DHCP settings must be disabled.
To set up static routing, you should add routing entries in the Router's table that tells the device where to send all incoming packets. All of your network routers should direct the default route entry to this Router.
Enter the following data to create a static route entry:
1. Destination IP: Enter the network address of the remote LAN segment. For a standard Class C IP domain, the network address is the first three fields of the Destination LAN IP, while the last field should be zero.
2. Subnet Mask: Enter the Subnet Mask used on the destination LAN IP domain. For Class C IP domain, the Subnet Mask is 255.255.255.0.
3. Default Gateway: If this Router is used to connect your network to the Internet, then your Gateway IP is the Router's IP Address. If you have another router handling your network's Internet connection, enter the IP Address of that router instead.
4. Enter Hop Count (max. 15): This value gives the number of nodes that a data packet passes through before reaching its destination. A node is any device on the network, such as switches, PCs, etc.
5. Interface: (LAN, WAN1, WAN2/DMZ) Interface tells you whether your network is on the LAN or the WAN, or the Internet. If you’re connecting to a sub-network, select LAN. If you’re connecting to another network through the Internet, select WAN.
Click Add to list to add route entry or click Delete Selected IP to delete the static route entry or Update this IP.
Click the Apply button to save the Routing settings, click the Cancel button to undo your changes or click the Show Routing Table button to view the current routing table.
One-to-One NAT
One-to-One NAT creates a relationship which maps valid external addresses to internal addresses hidden by NAT. Machines with an internal address may be accessed at the corresponding external valid IP address.
Creating this relationship between internal and external addresses is done by defining internal and external address ranges of equal length. Once that relationship is defined, the machine with the first internal address is accessible at the first IP address in the external address range, the second machine at the second external IP address, and so on.
Consider a LAN for which the ISP has assigned the IP addresses range from 209.19.28.16 to 209.19.28.31, with 209.19.28.16 used as the 8-Port Dual-WAN VPN Router WAN IP (NAT Public) Address. The address range of 192.168.168.1 to 192.168.168.255 is used for the machines on the LAN. Typically, only machines that have been designated as Public LAN Servers will be accessible from the Internet. However, with One-to-One NAT the machines with the internal IP addresses of 192.168.168.2 to 192.168.168.15 may be accessed at the corresponding external IP address.
Note: The 8-Port Dual-WAN VPN Router WAN IP (NAT Public) Address may not be included in a range.
1. Enable One-to-One NAT: If you check the box, One-to-One NAT will be enabled.
2. Private Range Begin: Enter the beginning IP address of the private address range being mapped in the Private Range Begin field. This will be the IP address of the first machine being made accessible from the Internet.
3. Public Range Begin: Enter the beginning IP address of the public address range being mapped in the Public Range Begin field. This address is assigned by the ISP. The 8-Port Dual-WAN VPN Router WAN IP (NAT Public) Address may not be included in the range.
4. Range Length: Enter the number of IP addresses for the range. The range length may not exceed the number of valid IP addresses. Up to 64 ranges may be added. To map a single address, use a Range Length of 1.
Note: One-to-One NAT does change the way the firewall functions work. Access to machines on the LAN from the Internet will be allowed, and the local IP will be exposed to the internet unless Network Access Rules are set. You can click Add to List button or Delete selected range.
Click the Apply button to save the settings or click the Cancel button to undo your changes.
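The range mapping and its limits described above can be checked before the values are typed into the Router. The following is an added example, not part of the original manual or the Router's firmware: the function names are hypothetical, the Public Range Begin of 209.19.28.17 is an assumed value, and the overlap check is an extra sanity check the manual does not state.

```python
import ipaddress

MAX_RANGES = 64  # the manual: "Up to 64 ranges may be added"


def expand_range(private_begin, public_begin, length):
    """Pair the n-th private address with the n-th public address."""
    if length < 1:
        raise ValueError("Range Length must be at least 1")
    private = ipaddress.IPv4Address(private_begin)
    public = ipaddress.IPv4Address(public_begin)
    return [(public + i, private + i) for i in range(length)]


def build_nat_table(ranges, wan_ip, isp_first, isp_last):
    """Validate a list of (private_begin, public_begin, length) tuples.

    Returns {public_ip: private_ip} as strings, or raises ValueError.
    """
    if len(ranges) > MAX_RANGES:
        raise ValueError("at most %d ranges may be added" % MAX_RANGES)
    wan = ipaddress.IPv4Address(wan_ip)
    first = ipaddress.IPv4Address(isp_first)
    last = ipaddress.IPv4Address(isp_last)
    table, used_private = {}, set()
    for private_begin, public_begin, length in ranges:
        for public, private in expand_range(private_begin, public_begin, length):
            if public == wan:
                raise ValueError("%s is the WAN IP and may not be in a range" % public)
            if not first <= public <= last:
                raise ValueError("%s is outside the ISP-assigned addresses" % public)
            # Added sanity check (assumption): no address may be mapped twice.
            if str(public) in table or private in used_private:
                raise ValueError("%s / %s is already mapped" % (public, private))
            table[str(public)] = str(private)
            used_private.add(private)
    return table


def exposed_without_rules(table, hosts_with_access_rules):
    """Mapped private hosts that no Network Access Rule covers yet."""
    pairs = [(pub, priv) for pub, priv in table.items()
             if priv not in hosts_with_access_rules]
    return sorted(pairs, key=lambda pair: ipaddress.IPv4Address(pair[0]))


if __name__ == "__main__":
    # Constructed input using the manual's example addresses.
    table = build_nat_table([("192.168.168.2", "209.19.28.17", 14)],
                            wan_ip="209.19.28.16",
                            isp_first="209.19.28.16", isp_last="209.19.28.31")
    for public, private in exposed_without_rules(table, {"192.168.168.2"}):
        print(public, "->", private, "(no Access Rule set)")
```

The second function lists the hosts that the Note above says are exposed to the Internet until Network Access Rules are set for them.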
DDNS
DDNS (Dynamic DNS) service allows you to assign a fixed domain name to a dynamic WAN IP address. This allows you to host your own Web, FTP or other type of TCP/IP server in your LAN.
Before configuring DDNS, you need to visit www.dyndns.org or www.3322.org and register a domain name.
• DDNS Service: The DDNS feature is disabled by default. To enable this feature, just select DynDNS.org from the pull-down menu, and enter the Username, Password, and Host Name of the account you set up with DynDNS.org or 3322.org.
• Internet IP Address: The Router's current Internet IP Address is displayed here. Because it is dynamic, this will change.
• Status: When you finish entering the Username, Password and Host Name, click the Save Settings button, and the Status will be updated. It will show "DDNS is updated successfully" once DDNS is updated successfully. If it shows "The hostname does not exist", "Username is not correct", "Hostname is not correct", please make sure you enter the correct information of the account you set up with DynDNS.org.
Click the Apply button to save the DDNS settings or click the Cancel button to undo your changes.
MAC Clone
Some ISPs require that you register a MAC address. This "clones" your network adapter's MAC address onto the Cable/DSL Firewall Router, and prevents you from having to call your ISP to change the registered MAC address to the Cable/DSL Firewall Router's MAC address. The Cable/DSL Firewall Router's MAC address is a 12-digit code assigned to a unique piece of hardware for identification, like a social security number.
Input the MAC Address to User Defined WAN MAC Address field or select MAC Address from this PC.
Click Apply to save the MAC Cloning settings or click the Cancel button to undo your changes.
DHCP
Setup
The Router can be used as a DHCP (Dynamic Host Configuration Protocol) server on your network. A DHCP server assigns available IP addresses to each computer on your network automatically. If you choose to enable the DHCP server option, you must configure all of the PCs on your LAN to connect to a DHCP server.
If the Router's DHCP server function is disabled, you have to carefully configure the IP address, Mask, and DNS settings of every computer on your network. Be careful not to assign the same IP Address to different computers.
Make any changes to the available fields as described below.
Enable DHCP Server: Check the box to enable the DHCP Server. If you already have a DHCP server on your network, leave the box blank.
Dynamic IP
• Client Lease Time: This is the lease time assigned if the computer (DHCP client) requests one. The range is 5 ~ 43,200 Minutes.
• Range Start/End: Enter a starting IP address and ending IP address to make a range to assign dynamic IPs. The default range is 100~149.
Static IP
The administrator can assign the Static IP for the specific client based on this user’s MAC address. Enter the Static IP Address and MAC Address, and then click the Add to list button. You can set up to 30 static IP entries.
DNS
You can assign the DNS server(s) to the DHCP clients. This is optional, and the Router will use these for quicker access to functioning DNS service.
WINS Server
Windows Internet Naming Service (WINS) is a service that resolves NetBIOS names to IP addresses. The WINS is assigned if the computer (DHCP client) requests one. If you do not know the WINS, leave it as 0.
Click the Apply button to save the DHCP settings or click the Cancel button to undo the changes.
Status
• A Status page is available to review DHCP Server Status. The DHCP Server Status reports the IP of the DHCP Server and the number of Dynamic IP Used, Static IP Used, DHCP Available and Total.
• Client Table shows the current DHCP Client information. You will see the related information (Client Host Name, IP Address, MAC Address, and Leased Time) of all network clients using the DHCP server. Click the Trash Can button to delete a line and release the IP Address that the Client Host obtained, or click the Refresh button to refresh the Client Table.
Tool
SNMP
SNMP, Simple Network Management Protocol, is a network protocol that provides network administrators with the ability to monitor the status of the 8-Port Dual-WAN VPN Router and receive notification of any critical events as they occur on the network. The 8-Port Dual-WAN VPN Router supports SNMP v1/v2c and all relevant Management Information Base II (MIBII) groups. The appliance replies to SNMP Get commands for MIBII via any interface and supports a custom MIB for generating trap messages.
To configure SNMP, type in the necessary information in the following fields:
• Enable SNMP: SNMP is enabled by default. To disable the SNMP agent, leave the box blank.
• System Name: This is the hostname of the 8-Port Dual-WAN VPN Router.
• System Contact: Type in the name of the network administrator for the 8-Port Dual-WAN VPN Router.
• System Location: The network administrator's contact information is placed into this field. Type in an E-mail address, telephone number, or pager number.
• Get Community Name: Create a name for a group or community of administrators who can view SNMP data. The default value is "Public".
• Set Community Name: Create a name for a group or community of administrators who can receive SNMP traps. A name must be entered.
• Trap Community Name: Type the Trap Community Name, which is the password sent with each trap to the SNMP manager.
• Send SNMP Trap to: Enter the IP address or Domain Name to which the 8-Port Dual-WAN VPN Router will send traps.
Click the Apply button to save the SNMP settings or click the Cancel button to undo your changes.
Diagnostic
8-Port Dual-WAN VPN Router has two built-in tools which help with troubleshooting network problems.
DNS Name Lookup
The Internet has a service called the Domain Name Service (DNS) which allows users to enter an easily remembered host name, such as www.8-Port Dual-WAN VPN Router.com, instead of numerical TCP/IP addresses to access Internet resources. 8-Port Dual-WAN VPN Router has a DNS lookup tool that will return the numerical TCP/IP address of a host name.
Enter the host name to lookup in the Look up the name field and click the Go button. Do not add the prefix http://; otherwise the result will be Address Resolving Failed. 8-Port Dual-WAN VPN Router will then query the DNS server and display the result at the bottom of the screen.
Note: The IP address of the DNS server must be entered in the Network Settings page for the Name Lookup feature to function.
Ping
The Ping test bounces a packet off a machine on the Internet back to the sender. This test shows if 8-Port Dual-WAN VPN Router is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or other machine at the ISP’s location. If this test is successful, try pinging devices outside the ISP. This will show if the problem lies with the ISP’s connection.
Enter the IP address of the device being pinged and click the Go button. The test will take a few seconds to complete. Once completed, a message showing the results will be displayed at the bottom of the Web browser window. The results include Packets transmitted / received / loss and Round Trip Time (Minimum, Maximum, and Average).
Note: Ping requires an IP address. 8-Port Dual-WAN VPN Router’s DNS Name Lookup tool may be used to find the IP address of a host.
Restart
The recommended method of restarting your 8-Port Dual-WAN VPN Router is to use this "Restart" tool. Restarting with this button will send out your log file before the box is reset. 8-Port Dual-WAN VPN Router provides Active Firmware and Backup Firmware, and users can choose the firmware version for the router to restart with. The default is Active Firmware Version.
Factory Default
The "Factory Default" button can be used to clear all of your configuration information and restore 8-Port Dual-WAN VPN Router to its factory state. Only use this feature if you wish to discard all other configuration preferences.
Firmware Upgrade
Users can use the following download function to download the new version of firmware to a computer in advance, and then select the file. Finally, click the Firmware Upgrade Right Now button.
Setting Backup
Import Configuration File:
You will need to specify where your preferences file is located. When you click "Browse", your browser will bring up a dialog which will allow you to select a file which you had previously saved using the "Export Settings" button. After you have selected the file, click the "Import" button. This process may take up to a minute. You will then need to restart your 8-Port Dual-WAN VPN Router in order for the changes to take effect.
Export Configuration File:
When you click the "Export" button, your browser will bring up a dialog asking you where you would like to store your preferences file. This file will be called "config.exp" by default, but you may rename it if you wish. This process may take up to a minute.
Port Management
In this router, users can configure the connection status for each port, such as Priority, Speed, Duplex, and Auto-Negotiation.
Port Setup
Basic Per Port Config.
• Port Disable: Check the box to disable the port. It is a per-port setting.
• Priority: Select High or Normal for Port-based QoS (Quality of Service). QoS is used to maximize a network’s performance and this setting allows you to prioritize performance on eight LAN ports.
• Speed: Users can manually configure the per-port speed as 10Mbps or 100Mbps.
• Duplex: Users can manually configure the per-port duplex as half-duplex or full-duplex.
• Auto-negotiation: If this function is enabled, every port can be set to auto-negotiation, and users will not need to set up speed and duplex.
Click the Apply button to save the LAN Port settings or click the Cancel button to undo your changes.
Port Status
Users can choose the port number from pull down menu to see the status of the selected port.
• In Summary table, it will show the setting for the port selected by users, such as Type, Link Status (up or down), Port Activity (on or off), Priority (High or Normal), Speed Status (10Mbps or 100Mbps), Duplex Status (half or full), and Auto negotiation (on or off).
• In Statistics table, it will show the port receive/transmit packet count/packet byte count and Port Packet Error Count of the selected port. Click Refresh button to refresh the port status.
Firewall
General
From the Firewall Tab, you can configure the Router to deny or allow specific internal users from accessing the Internet. You can also configure the Router to deny or allow specific Internet users from accessing the internal servers. You can set up different packet filters for different users that are located on internal (LAN) side or external (WAN) side based on their IP addresses or their network Port number.
Firewall:
The default is enabled. If users disable the Firewall function, SPI, DoS, Block WAN Request will be disabled, Remote Management will be enabled and Access Rules and Content Filter will be disabled.
SPI (Stateful Packet Inspection):
The Router's Firewall uses Stateful Packet Inspection to maintain connection information that passes through the firewall. It will inspect all packets based on the established connection, prior to passing the packets for processing through a higher protocol layer.
DoS (Denial of Service):
Protect internal networks from Internet attacks, such as SYN Flooding, Smurf, LAND, Ping of Death, IP Spoofing and reassembly attacks.
Block WAN Request:
This feature is designed to prevent attacks through the Internet. When it is enabled, the Router will drop both the unaccepted TCP request and ICMP packets from the WAN side. The hacker will not find the Router by pinging the WAN IP address. If DMZ is enabled, this function will be disabled.
Remote Management:
This Router supports remote management. If you want to manage this Router through the WAN connection, you have to 'Enable' this option. Users can enter port number for remote management, and default is 80.
Multicast Pass Through:
IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.
MTU (Maximum Transmission Unit):
This feature specifies the largest packet size permitted for network transmission. It is recommended that you enable this feature, and the default of MTU size is 1500 bytes.
Restrict WEB Features:
Java:
Java is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the Java box to filter Java Applets for security reasons, but you risk losing access to Internet sites created using this programming language if Java is blocked.
Cookies:
A cookie is data stored on your PC and used by Internet sites when you interact with them. Cookies are usually used to track visitors, and store information about their personal preferences. You can check the Cookies box to block Cookies in order to maintain a higher level of anonymity on the Web.
Active X:
Active X is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the Active X box to filter Active X for security reasons, but you risk losing access to Internet sites created using this programming language if Active X is blocked.
Access to HTTP Proxy Servers: Use of Proxy Servers may compromise the Router’s security. You can check the box to enable proxy filtering, and it will disable access to any proxy servers.
Don’t block Java/ActiveX/Cookies to Trusted Domain:
Access Rules
Network Access Rules evaluate network traffic's Source IP address, Destination IP address, and IP protocol type to decide if the IP traffic is allowed to pass through the firewall.
The ability to define Network Access Rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting Network Access Rules.
8-Port Dual-WAN VPN Router has the following Default Rules.
• All traffic from the LAN to the WAN is allowed.
• All traffic from the WAN to the LAN is denied.
• All traffic from the LAN to the DMZ is allowed.
• All traffic from the DMZ to the LAN is denied.
• All traffic from the WAN to the DMZ is allowed.
• All traffic from the DMZ to the WAN is allowed.
Custom rules can be created to override the above 8-Port Dual-WAN VPN Router default rules, but there are four additional default rules that are always active, and custom rules cannot override these four rules.
• HTTP service from LAN side to 8-Port Dual-WAN VPN Router is always allowed.
• DHCP service from LAN side is always allowed.
• DNS service from LAN side is always allowed.
• Ping service from LAN side to 8-Port Dual-WAN VPN Router is always allowed.
Besides the Default Rules, all configured Network Access Rules are listed in the table, and you can choose the Priority for each custom rule. Click the Edit button to edit the rule, and click the Trash Can icon to delete the rule.
Click Add New Rule button to add new Access Rules, or click the Restore to Default Rules button to restore to the default rules, and all custom rules will be deleted.
Add a new Rule
Services
• Action: Select the Allow or Deny radio button depending on the intent of the rule.
• Service: Select the service from the Service pull-down menu. If the service you need is not listed in the menu, click the Service Management button to add a new Service. Enter Service Name, Protocol and Port Range, and click Add to list and Save Setting.
• Log: Select Log packets that match this rule, or Not log.
• Source Interface: Select the Source Interface (LAN, WAN1, WAN2, Any) from the pull-down menu. Once DMZ is enabled, the options will be LAN, WAN1, DMZ, Any.
• Source IP: Select Any, Single or Range, and enter IP Address for single and range.
• Destination IP: Select Any, Single or Range, and enter IP Address for single and range.
Scheduling
• Apply this rule (time parameter): Select the time range and the day of the week for this rule to be enforced. The default condition for any new rule is always to enforce.
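The interaction between the always-active rules, custom rules and Default Rules can be modelled to review a planned rule set before it is applied. This is an added example, not the Router's own code: it assumes custom rules are checked in Priority order with the first match deciding, that unlisted zone pairs are denied, and it uses its own names ("ROUTER" zone, "ALL" service, dictionary keys); scheduling is left out.

```python
import ipaddress

# Default Rules from the manual: (source zone, destination zone) -> action.
DEFAULTS = {
    ("LAN", "WAN"): "allow", ("WAN", "LAN"): "deny",
    ("LAN", "DMZ"): "allow", ("DMZ", "LAN"): "deny",
    ("WAN", "DMZ"): "allow", ("DMZ", "WAN"): "allow",
}
# The four always-active rules; "ROUTER" as a zone is this model's own label.
ALWAYS_FROM_LAN = {"DHCP", "DNS"}
ALWAYS_LAN_TO_ROUTER = {"HTTP", "PING"}


def zone(interface):
    """WAN1 and WAN2 both belong to the WAN zone."""
    return "WAN" if interface.startswith("WAN") else interface


def ip_matches(spec, ip):
    """spec is "Any", a single address, or a (first, last) range tuple."""
    if spec == "Any":
        return True
    addr = ipaddress.IPv4Address(ip)
    if isinstance(spec, tuple):
        return ipaddress.IPv4Address(spec[0]) <= addr <= ipaddress.IPv4Address(spec[1])
    return addr == ipaddress.IPv4Address(spec)


def rule_matches(rule, pkt):
    return (rule["service"] in ("ALL", pkt["service"])
            and rule["src_if"] in ("Any", pkt["src_if"])
            and ip_matches(rule["src_ip"], pkt["src_ip"])
            and ip_matches(rule["dst_ip"], pkt["dst_ip"]))


def decide(pkt, custom_rules):
    """Return (action, reason) for one packet under this model."""
    if pkt["src_if"] == "LAN":
        if pkt["service"] in ALWAYS_FROM_LAN:
            return "allow", "always-active"
        if pkt["dst_zone"] == "ROUTER" and pkt["service"] in ALWAYS_LAN_TO_ROUTER:
            return "allow", "always-active"
    # Assumption: lower Priority number is checked first, first match decides.
    for rule in sorted(custom_rules, key=lambda r: r["priority"]):
        if rule_matches(rule, pkt):
            return rule["action"], "custom rule %d" % rule["priority"]
    # Assumption: zone pairs the manual does not list are denied.
    return DEFAULTS.get((zone(pkt["src_if"]), pkt["dst_zone"]), "deny"), "default"


def overbroad_rules(custom_rules):
    """Priorities of Allow rules that open the WAN side to Any source and Any destination."""
    return [r["priority"] for r in custom_rules
            if r["action"] == "allow" and r["src_if"] in ("Any", "WAN1", "WAN2")
            and r["src_ip"] == "Any" and r["dst_ip"] == "Any"]


# Constructed rule set and packets for illustration.
RULES = [
    {"priority": 1, "action": "deny", "service": "ALL", "src_if": "LAN",
     "src_ip": "Any", "dst_ip": "Any"},
    {"priority": 2, "action": "allow", "service": "HTTP", "src_if": "WAN1",
     "src_ip": "Any", "dst_ip": "192.168.1.2"},
    {"priority": 3, "action": "allow", "service": "ALL", "src_if": "WAN1",
     "src_ip": "Any", "dst_ip": "Any"},
]
ADMIN_PAGE = {"src_if": "LAN", "dst_zone": "ROUTER", "service": "HTTP",
              "src_ip": "192.168.1.20", "dst_ip": "192.168.1.1"}
LAN_WEB = {"src_if": "LAN", "dst_zone": "WAN", "service": "HTTP",
           "src_ip": "192.168.1.20", "dst_ip": "203.0.113.5"}
WAN_TELNET = {"src_if": "WAN1", "dst_zone": "LAN", "service": "TELNET",
              "src_ip": "198.51.100.7", "dst_ip": "192.168.1.50"}

if __name__ == "__main__":
    for name, pkt in (("admin page", ADMIN_PAGE), ("LAN web", LAN_WEB),
                      ("WAN telnet", WAN_TELNET)):
        print(name, decide(pkt, RULES), "without custom rules:", decide(pkt, []))
    print("review these Allow rules:", overbroad_rules(RULES))
```

Rule 3 shows the caution given under Access Rules: a single broad Allow rule from the WAN side replaces the default denial of WAN to LAN traffic, while rule 1 cannot block the four always-active services.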
Content Filter
Forbidden Domains
When the Block Forbidden Domains check box is selected, the 8-Port Dual-WAN VPN Router will forbid web access to sites on the Forbidden Domains list.
Scheduling
The Time of Day feature allows you to define specific times when Content Filtering is enforced. For example, you could configure the 8-Port Dual-WAN VPN Router to filter employee Internet access during normal business hours, but allow unrestricted access at night and on weekends.
Apply this rule:
• Always: When selected, Content Filtering is enforced at all times.
• From: When selected, Content Filtering is enforced during the time and days specified. Enter the time period, in 24-hour format, and select the day of the week that Content Filtering is enforced.
Click the Apply button when you finish the Content Filter settings, or click the Cancel button to undo your changes.
VPN
Summary
The VPN Summary displays the Summary, Tunnel Status and GroupVPN Status.
Summary:
It shows the number of Tunnel(s) Used and Tunnel(s) Available. 8-Port Dual-WAN VPN Router supports up to 100 tunnels.
Detail:
Click the Detail button to see the detail of VPN Summary as below, and users can use the tools on the top to save, export or print the details of VPN Summary.
Tunnel Status:
Add New Tunnel:
Add Gateway to Gateway Tunnel or Add Client to Gateway Tunnel.
• Gateway to Gateway: The following figure illustrates the Gateway to Gateway tunnel, a tunnel created between two VPN Routers. When you click “Add Now”, it will show the Gateway to Gateway page.
• Client to Gateway: The following figure illustrates the Client to Gateway tunnel, a tunnel created between the VPN Router and the Client user using VPN client software that supports IPSec. When you click “Add Now”, it will show the Client to Gateway page.
1. Page: Previous page, Next page, Jump to page / 100 pages and entries per page
2. You can click the Previous page and Next page buttons to jump to the tunnel that you want to see. You can also enter the page number into “Jump to page” directly and choose the item number that you want to see per page (3, 5, 10, 20, All).
3. Tunnel No.: It shows the used Tunnel No. 1~100, and the tunnels defined in GroupVPN are also included.
4. Name: It shows the Tunnel Name that you enter in Gateway to Gateway page, Client to Gateway page or Group ID Name.
5. Status: It shows Connected, Hostname Resolution Failed, Resolving Hostname or Waiting for Connection. If users select Manual in IPSec Setup page, the Status will show Manual and no Tunnel Test function for Manual Keying Mode.
6. Phase2 Encrypt/Auth/Group: It shows the Encryption (DES/3DES/AES), Authentication (MD5/SHA1) and Group (1/2/5) that you chose in IPSec Setup field. If you chose Manual mode, there will be no Phase 2 DH Group, and it will show the Encryption and Authentication method that you set up in Manual mode.
7. Local Group: It shows the IP and subnet of Local Group.
8. Remote Group: It shows the IP and subnet of Remote Group.
9. Remote Gateway: It shows the IP of Remote Gateway.
10. Tunnel Test: Click the Connect button to verify the tunnel status. The test result will be updated in Status.
11. Configure: Edit and Delete. If you click the Edit button, it will link to the original setup page, and you can change the settings. If you click Delete, all settings of this tunnel will be deleted, and this tunnel will be available.
12. Tunnel(s) Enable and Tunnel(s) Defined: It shows the number of Tunnel(s) Enabled and Tunnel(s) Defined. The number of Tunnel Enabled may be fewer than the number of Tunnel Defined once the Defined Tunnels are disabled.
GroupVPN Status:
If you did not enable GroupVPN, it will be blank in GroupVPN Status.
1. Group ID Name: It shows the name you enter in Add new client to gateway tunnel page.
2. Connected Tunnels: It shows the number of connected tunnels.
3. Phase2 Encrypt/Auth/Group: It shows the Encryption (DES/3DES/AES), Authentication (MD5/SHA1) and Group (1/2/5) that you chose in IPSec Setup field.
4. Local Group: It shows the IP address and Subnet of Local Group you set up.
5. Remote Client: It shows the number of Remote Client of this GroupVPN.
6. Remote Clients Status: If you click the Detail List button, it shows the details of Group Name, IP address and Connection Time of this Group VPN.
7. Configure: Edit and Delete. If you click the Edit button, it will link to the original setup page, and you can change the settings. If you click Delete, all settings of this tunnel will be deleted, and this tunnel will be available.
Gateway to Gateway
By setting this page, users can add the new tunnel between two VPN devices.
1. Tunnel No.: The tunnel number will be generated automatically from 1~100.
2. Tunnel Name: Enter the Tunnel Name, such as LA Office, Branch Site, Corporate Site, etc. This is to allow you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
3. Interface: You can select the Interface from the pull-down menu. When dual WAN is enabled, there will be two options (WAN1/WAN2).
4. Enable: Check the box to enable VPN.
Local Group Setup
Local Security Gateway Type: There are five types. They are IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The type of Local Security Gateway Type should match with the Remote Security Gateway Type of VPN devices in the other end of tunnel.
1. IP Only: If you select IP Only, only the specific IP Address will be able to access the tunnel. The WAN IP of 8-Port Dual-WAN VPN Router will appear in this field automatically, and you don’t need to enter it.
2. IP + Domain Name (FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name), and the IP address will appear automatically. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com. The IP and FQDN must be the same as the Remote Security Gateway type of the remote VPN device, and the same IP and FQDN can be used for only one tunnel connection.
3. IP + E-mail Addr. (USER FQDN) Authentication: If you select this type, enter the E-mail address, and IP address will come out automatically.
4. Dynamic IP + Domain Name (FQDN) Authentication: If the Local Security Gateway has a dynamic IP, you can select this type. When the Remote Security Gateway requests to create a tunnel with 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the Domain Name for Authentication, and the Domain Name must be the same as the Remote Security Gateway of the remote VPN device. The same Domain Name can be used for only one tunnel connection, and users cannot use the same Domain Name to create a new tunnel connection.
5. Dynamic IP + E-mail Addr. (USER FQDN) Authentication: If the Local Security Gateway has a dynamic IP, you can select this type. When the Remote Security Gateway requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the E-mail address for Authentication.
Local Security Group Type
Select the local LAN user(s) behind the router that can use this VPN tunnel. Local Security Group Type may be a single IP address or a Subnet. The Local Secure Group must match the other router's Remote Secure Group.
1. IP Address: If you select IP Address, only the computer with the specific IP Address that you enter will be able to access the tunnel. The default IP is 192.168.1.0.
2. Subnet: If you select Subnet (which is the default), this will allow all computers on the local subnet to access the tunnel. Enter the IP Address and the Subnet Mask. The default IP is 192.168.1.0, and default Subnet Mask is 255.255.255.192.
Remote Group Setup
Remote Security Gateway Type: There are five types. They are IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The type of Remote Security Gateway should match the Local Security Gateway Type of the VPN device at the other end of the tunnel.
1. IP Only: If you select IP Only, only the specific IP Address that you enter will be able to access the tunnel. It is the IP Address of the remote VPN Router or device with which you wish to communicate. The remote VPN device can be another VPN Router or a VPN Server. If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you don’t know the static IP address of the remote VPN device, but its domain name is known, you can select IP by DNS Resolved and enter the real domain name on the Internet. The 8-Port Dual-WAN VPN Router will get the IP address of the remote VPN device by DNS Resolved, and the IP address of the remote VPN device will be displayed on VPN Status of the Summary page.
2. IP + Domain Name (FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name) and IP address of the VPN device at the other end of the tunnel. If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you don’t know the static IP address of the remote VPN device, but its domain name is known, you can select IP by DNS Resolved and enter the real domain name on the Internet. The 8-Port Dual-WAN VPN Router will get the IP address of the remote VPN device by DNS Resolved, and the IP address of the remote VPN device will be displayed on VPN Status of the Summary page. Then, enter the Domain Name as an ID; it does not have to be a real domain name on the Internet. The IP and Domain Name ID must be the same as the Local Gateway of the remote VPN device, and the same IP and Domain Name ID can be used for only one tunnel connection.
3. IP + E-mail Addr. (USER FQDN) Authentication: If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you don’t know the static IP address of the remote VPN device, but its domain name is known, you can select IP by DNS Resolved and enter the real domain name on the Internet. The 8-Port Dual-WAN VPN Router will get the IP address of the remote VPN device by DNS Resolved, and the IP address of the remote VPN device will be displayed on VPN Status of the Summary page. Then, enter the E-mail Address as an ID.
4. Dynamic IP + Domain Name (FQDN) Authentication: If you select this type, the Remote Security Gateway will be a dynamic IP, so you don’t need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the Domain Name for Authentication; the Domain Name must be the same as the Local Gateway of the remote VPN device. The same Domain Name can be used for only one tunnel connection, and users cannot use the same Domain Name to create a new tunnel connection.
5. Dynamic IP + E-mail Addr. (USER FQDN) Authentication: If you select this type, the Remote Security Gateway will be a dynamic IP, so you don’t need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the E-mail address for Authentication.
Remote Security Group Type
Select the Remote Security Group, behind the Remote Gateway Type you chose above, that can use this VPN tunnel. Remote Security Group Type may be a single IP address or a Subnet.
1. IP Address: If you select IP Address, only the remote computer with the specific IP Address that you enter will be able to access the tunnel.
2. Subnet: If you select Subnet (which is the default), this will allow all computers on the remote subnet to access the tunnel. Enter the remote IP Address and the Subnet Mask. The default Subnet Mask is 255.255.255.0.
IPSec Setup
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a “key” to the encryption code. There are two Keying Modes of key management, Manual and IKE with Preshared Key (automatic).
1. Manual
If you select Manual, it allows you to generate the key yourself, and no key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Both sides must use the same Key Management method.
Incoming & Outgoing SPI (Security Parameter Index): SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA under which a packet should be processed. The hexadecimal value is acceptable, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure, and both sides must use the same Encryption method.
Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a method to authenticate the ESP packets. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure, and both sides must use the same Authentication method.
Encryption Key: This field specifies a key used to encrypt and decrypt IP traffic, and the Encryption Key is generated by users themselves. The hexadecimal value is acceptable in this field. Both sides must use the same Encryption Key. If DES is selected, the Encryption Key is 16-bit. If users do not fill up to 16-bit, this field will be filled up to 16-bit automatically by 0. If 3DES is selected, the Encryption Key is 48-bit. If users do not fill up to 48-bit, this field will be filled up to 48-bit automatically by 0.
Authentication Key: This field specifies a key used to authenticate IP traffic, and the Authentication Key is generated by users themselves. The hexadecimal value is acceptable in this field. Both sides must use the same Authentication Key. If MD5 is selected, the Authentication Key is 32-bit. If users do not fill up to 32-bit, this field will be filled up to 32-bit automatically by 0. If SHA1 is selected, the Authentication Key is 40-bit. If users do not fill up to 40-bit, this field will be filled up to 40-bit automatically by 0.
2. IKE with Preshared Key (automatic)
IKE is an Internet Key Exchange protocol that is used to negotiate key material for SA (Security Association). IKE uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange protocol that is used during phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption: There are three methods of encryption, DES, 3DES and AES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. In addition, AES includes three types of encryptions, AES-128, AES-192, and AES-256. Both sides must use the same Encryption method. 3DES or AES is recommended because it is more secure.
Phase 1 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a method to authenticate the ESP packets. Both sides must use the same Authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.
Phase 1 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 1. The default value is 28,800 seconds.
Perfect Forward Secrecy: If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP traffic encryption and authentication. If PFS is enabled, a hacker using brute force to break encryption keys is not able to obtain other or future IPSec keys.
Phase 2 DH Group: There are three groups of different prime key lengths. Group1 is 768 bits, Group2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You can choose the different Group with the Phase 1 DH Group you chose. If Perfect Forward Secrecy is disabled, there is no need to set up the Phase 2 DH Group since no new key would be generated, and the key of Phase 2 will be same with the key in Phase 1.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are three methods of encryption, DES, 3DES and AES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. In addition, AES includes three types of encryptions, AES-128, AES-192, and AES-256. Both sides must use the same Encryption method. 3DES or AES is recommended because it is more secure. If users enable the AH Hash Algorithm in Advanced, it’s recommended to select Null to disable encryption/decryption of ESP packets in Phase 2, but both sides of the tunnel must use the same setting.
Phase 2 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a method to authenticate the ESP packets. Both sides must use the same Authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. If users enable the AH Hash Algorithm in Advanced, it’s recommended to select Null to disable authentication of the ESP packets in Phase 2, but both sides of the tunnel must use the same setting.
Phase 2 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 2. The default value is 3,600 seconds.
Preshared Key: The character and hexadecimal values are acceptable in this field, e.g. "My_@123" or "4d795f40313233." The maximum entry of this field is 30-digit. Both sides must use the same Pre-shared Key. It’s recommended to change Preshared keys regularly to maximize VPN security.
Click the Apply button to save the settings or click the Cancel button to undo the changes.
Advanced
For most users, the settings on the VPN page should be satisfactory. This device provides an advanced IPSec setting page for some special users such as reviewers. Clicking "Advanced" will link to that page. Advanced settings are only for IKE with Preshared Key mode of IPSec.
Aggressive Mode: There are two types of Phase 1 exchanges: Main mode and Aggressive mode. Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode. When users select the Dynamic IP in Remote Security Gateway Type, it will be limited to Aggressive Mode.
Compress (Support IP Payload compression Protocol (IP Comp)):
The 8-Port Dual-WAN VPN Router supports IP Payload Compression Protocol. IP Payload Compression is a protocol to reduce the size of IP datagrams. If Compress is enabled, the 8-Port Dual-WAN VPN Router will propose compression when initiating a connection. If the responder rejects this proposal, the 8-Port Dual-WAN VPN Router will not implement the compression. When the 8-Port Dual-WAN VPN Router works as a responder, it will always accept compression even without enabling compression.
Keep-Alive: This mechanism helps to keep up the connection of IPSec tunnels. Whenever a connection is dropped and detected, it will be re-established immediately.
AH Hash Algorithm: AH (Authentication Header) protocol describes the packet format and the default standards for packet structure. With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. There are two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data and SHA1 produces a 160-bit digest to authenticate packet data. Both sides of the tunnel should use the same algorithm.
NetBIOS broadcast: Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks these broadcasts.
Dead Peer Detection (DPD): When DPD is enabled, the 8-Port Dual-WAN VPN Router will send the periodic HELLO/ACK messages to prove the tunnel liveliness when both peers of a VPN tunnel provide DPD mechanism. Once a dead peer is detected, the 8-Port Dual-WAN VPN Router will disconnect the tunnel so the connection can be re-established. The Interval is the number of seconds between DPD messages. The default is DPD enabled, and default Interval is 10 seconds.
Click the Apply button when you finish the settings or click the Cancel button to undo the changes.
Client to Gateway
On this page, you can create a new tunnel between the local VPN device and a mobile user. You can select Tunnel to create a tunnel for a single mobile user, or select Group VPN to create tunnels for multiple VPN clients. The Group VPN feature facilitates the setup, and it’s not necessary to individually configure remote VPN clients.
Tunnel
1. Tunnel No.: The tunnel no. will be generated automatically from 1~100.
2. Tunnel Name: Once the tunnel is enabled, enter the Tunnel Name, such as Sales Name. This is to allow you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
3. Interface: Select the Interface from the pull-down menu. When dual WAN is enabled, there will be two options (WAN1/WAN2).
4. Enable: Check the box to enable VPN.
Group VPN
1. Group No.: The group no. will be generated automatically from 1~2. Two GroupVPNs are supported by the 8-Port Dual-WAN VPN Router.
2. Group ID Name: Enter the Group ID Name, such as American Sales Group.
3. Interface: Select the Interface from the drop-down menu. When dual WAN is enabled, there are two options (WAN1/WAN2).
4. Enable: Check the box to enable GroupVPN.
Local Group Setup
(There is no Local Security Gateway Type setup for GroupVPN mode.)
Local Security Gateway Type: There are five types. They are IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The type of Local Security Gateway Type should match the Remote Security Gateway Type of the remote VPN clients at the other end of the tunnel.
IP Only: If you select IP Only, only the specific IP Address will be able to access the tunnel. The WAN IP of the 8-Port Dual-WAN VPN Router appears in this field automatically, and you don’t need to enter it.
IP + Domain Name (FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name), and IP address will come out automatically. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com. The IP and FQDN must be same with the Remote Client’s setting, and the same IP and FQDN can be only for one tunnel connection.
IP + E-mail Addr. (USER FQDN) Authentication: If you select this type, enter the E-mail address, and IP address will come out automatically.
Dynamic IP + Domain Name (FQDN) Authentication: If the Local Security Gateway is a dynamic IP, you can select this type. When the Remote Client requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the Domain Name for Authentication, and you don’t need to enter the IP address. The Domain Name must be the same as the Remote Client’s settings. The same Domain Name can be used for only one tunnel connection, and users cannot use the same Domain Name to create a new tunnel connection.
Dynamic IP + E-mail Addr. (USER FQDN) Authentication: If the Local Security Gateway is a dynamic IP, you can select this type. When the Remote Client requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the E-mail address for Authentication, and you don’t need to enter the IP address.
Local Security Group Type
Select the local LAN user(s) behind the router that can use this VPN tunnel. Local Security Group Type may be a single IP address, a Subnet or an IP range. The Local Secure Group must match the Remote VPN Client’s Remote Secure Group.
IP Address: If you select IP Address, only the computer with the specific IP Address that you enter will be able to access the tunnel. The default IP is 192.168.1.0.
Subnet: If you select Subnet (which is the default), this will allow all computers on the local subnet to access the tunnel. Enter the IP Address and the Subnet Mask. The default IP is 192.168.1.0, and default Subnet Mask is 255.255.255.192.
Remote Client Setup:
In Tunnel condition:
Remote Client: There are five types of Remote Client. They are IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (User FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, Dynamic IP + E-mail Addr. (User FQDN) Authentication.
IP Only: If you know the fixed IP of a remote client, you can select IP and enter the IP Address. Only the specific IP Address that you enter will be able to access the tunnel. This IP Address can be a computer with VPN client software that supports IPSec. If you know the static IP address of the remote client, select IP address from the drop-down menu. If you don’t know the static IP address of the remote client, but its domain name is known, you can select IP by DNS Resolved and enter the real domain name on the Internet. The 8-Port Dual-WAN VPN Router will get the IP address of the remote client by DNS Resolved, and the IP address of the remote client will be displayed on VPN Status of the Summary page.
IP + Domain Name (FQDN) Authentication: If you know the static IP address of remote client, select IP address from drop-down menu. If you don’t know the static IP address of remote client, but the domain name of remote client is known, you can select IP by DNS Resolved, and enter the real domain name on the Internet. 8-Port Dual-WAN VPN Router will get the IP address of remote client by DNS Resolved, and IP address of remote client will be displayed on VPN Status of Summary page. Then, enter the Domain Name as an ID; it can be not a real domain name on Internet. The IP and Domain Name ID must be same with the Local setting of the remote client, and the same IP and Domain Name ID can be only for one tunnel connection.
IP + E-mail Addr. (User FQDN) Authentication: If you know the static IP address of a remote client, select IP address from the drop-down menu. If you don’t know the static IP address of the remote client, but its domain name is known, you can select IP by DNS Resolved and enter the real domain name on the Internet. The 8-Port Dual-WAN VPN Router will get the IP address of the remote client by DNS Resolved, and the IP address of the remote client will be displayed on VPN Status of the Summary page. Then, enter the E-mail Address as an ID.
Dynamic IP + Domain Name (FQDN) Authentication: If you select this type, the Remote Security Gateway will be a dynamic IP, so you don’t need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the Domain Name for Authentication; the Domain Name must be the same as the Local Gateway of the remote client. The same Domain Name can be used for only one tunnel connection, and users cannot use the same Domain Name to create a new tunnel connection.
Dynamic IP + E-mail Addr. (User FQDN) Authentication: If you select this type, the Remote Security Gateway will be a dynamic IP, so you don’t need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. If you select this type, just enter the E-mail address for Authentication.
In Group VPN condition:
Remote Client: There are three types of Remote Client, Domain Name (FQDN), E-mail Address (USER FQDN) and Microsoft XP/2000 VPN Client.
Domain Name (FQDN) (Fully Qualified Domain Name): If you select FQDN, enter the FQDN of the Remote Client. When the Remote Client requests to create a tunnel with the 8-Port Dual-WAN VPN Router, the 8-Port Dual-WAN VPN Router will work as a responder. The Domain Name must match the local settings of the remote client.
E-mail Address (USER FQDN): Enter the E-mail address of USER FQDN.
Microsoft XP/2000 VPN Client: This option is used for Dynamic IP users who use the Microsoft VPN client. The difference between the Microsoft client and other VPN clients is that the Microsoft client does not support Aggressive mode and the FQDN/USER FQDN ID options.
IPSec Setup
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a “key” to the encryption code. There are two Keying Modes of key management, Manual and IKE with Preshared Key (automatic). If GroupVPN is enabled, the key management will be IKE with Preshared Key only.
Manual
If you select Manual, it allows you to generate the key yourself, and no key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Both sides must use the same Key Management method.
Incoming & Outgoing SPI (Security Parameter Index): SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA under which a packet should be processed. The hexadecimal value is acceptable, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure, and both sides must use the same Encryption method.
Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a method to authenticate the ESP packets. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure, and both sides must use the same Authentication method.
Encryption Key: This field specifies a key used to encrypt and decrypt IP traffic, and the Encryption Key is generated by users themselves. The hexadecimal value is acceptable in this field. Both sides must use the same Encryption Key. If DES is selected, the Encryption Key is 16-bit. If users do not fill up to 16-bit, this field will be filled up to 16-bit automatically by 0. If 3DES is selected, the Encryption Key is 48-bit. If users do not fill up to 48-bit, this field will be filled up to 48-bit automatically by 0.
Authentication Key: This field specifies a key used to authenticate IP traffic, and the Authentication Key is generated by users. The hexadecimal value is acceptable in this field. Both sides must use the same Authentication Key. If MD5 is selected, the Authentication Key is 32-bit. If users do not fill up to 32-bit, this field will be filled up to 32-bit automatically by 0. If SHA1 is selected, the Authentication Key is 40-bit. If users do not fill up to 40-bit, this field will be filled up to 40-bit automatically by 0.
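The Manual keying rules above (the same rules apply under Gateway to Gateway and Client to Gateway) can be checked before the values are typed into both routers. The following Python sketch is an added example, not part of the manual or the router firmware; it assumes the manual's "16-bit", "48-bit", "32-bit" and "40-bit" count hexadecimal digits, and the dictionary layout and sample values are constructed for illustration.

```python
import re

# Assumption: the manual's key lengths count hex digits typed into the field
# (16/48 digits = 64/192 key bits, 32/40 digits = 128/160 key bits).
ENC_KEY_DIGITS = {"DES": 16, "3DES": 48}
AUTH_KEY_DIGITS = {"MD5": 32, "SHA1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF  # valid range 100~ffffffff
HEX = re.compile(r"[0-9a-fA-F]+")


def spi_value(spi_hex):
    """Numeric SPI, or None when the text is not hexadecimal."""
    return int(spi_hex, 16) if HEX.fullmatch(spi_hex) else None


def check_spi(label, spi_hex):
    value = spi_value(spi_hex)
    if value is None:
        return [f"{label}: not hexadecimal"]
    if not SPI_MIN <= value <= SPI_MAX:
        return [f"{label}: outside 100~ffffffff"]
    return []


def check_key(label, key_hex, want):
    """Flag keys the router would zero-fill: those digits carry no secrecy."""
    if not HEX.fullmatch(key_hex):
        return [f"{label}: not hexadecimal"]
    if len(key_hex) > want:
        return [f"{label}: {len(key_hex)} digits, field holds {want}"]
    if len(key_hex) < want:
        pad = want - len(key_hex)
        return [f"{label}: {pad} digits zero-filled ({pad * 4} key bits are 0)"]
    return []


def check_side(side):
    """Findings for the Manual settings entered at one end of the tunnel."""
    name = side["name"]
    out = check_spi(f"{name} incoming SPI", side["spi_in"])
    out += check_spi(f"{name} outgoing SPI", side["spi_out"])
    out += check_key(f"{name} encryption key", side["enc_key"],
                     ENC_KEY_DIGITS[side["enc"]])
    out += check_key(f"{name} authentication key", side["auth_key"],
                     AUTH_KEY_DIGITS[side["auth"]])
    return out


def check_pair(a, b):
    """Both ends must mirror SPIs and share methods and keys."""
    out = []
    if spi_value(a["spi_in"]) != spi_value(b["spi_out"]):
        out.append(f"{a['name']} incoming SPI != {b['name']} outgoing SPI")
    if spi_value(a["spi_out"]) != spi_value(b["spi_in"]):
        out.append(f"{a['name']} outgoing SPI != {b['name']} incoming SPI")
    for field in ("enc", "auth"):
        if a[field] != b[field]:
            out.append(f"{field} differs between {a['name']} and {b['name']}")
    for field in ("enc_key", "auth_key"):
        if a[field].lower() != b[field].lower():
            out.append(f"{field} differs between {a['name']} and {b['name']}")
    return out


def duplicate_spis(tunnels):
    """SPI values used more than once across the tunnels of one router."""
    seen, dups = set(), set()
    for tunnel in tunnels:
        for text in (tunnel["spi_in"], tunnel["spi_out"]):
            value = spi_value(text)
            if value is None:
                continue
            if value in seen:
                dups.add(value)
            seen.add(value)
    return sorted(dups)


# Constructed sample values, not real keys.
SITE_A = {"name": "A", "spi_in": "1a2b", "spi_out": "3c4d",
          "enc": "3DES", "enc_key": "0123456789abcdef" * 3,
          "auth": "SHA1", "auth_key": "a1b2c3d4e5" * 4}
# Site B typed only 16 of the 48 digits of the 3DES key.
SITE_B = {"name": "B", "spi_in": "3c4d", "spi_out": "1a2b",
          "enc": "3DES", "enc_key": "0123456789abcdef",
          "auth": "SHA1", "auth_key": "a1b2c3d4e5" * 4}

if __name__ == "__main__":
    findings = check_side(SITE_A) + check_side(SITE_B) + check_pair(SITE_A, SITE_B)
    for line in findings:
        print(line)
```

A short key is the case worth catching: the router accepts it and fills the rest with 0, so the tunnel may still come up while part of the key is a known constant.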
IKE with Preshared Key (automatic)
IKE is an Internet Key Exchange protocol that is used to negotiate key material for SA (Security Association). IKE uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange protocol that is used during phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption: There are three methods of encryption, DES, 3DES and AES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. In addition, AES includes three types of encryptions, AES-128, AES-192, and AES-256. Both sides must use the same Encryption method. 3DES or AES is recommended because it is more secure.
Phase 1 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a method to authenticate the ESP packets. Both sides must use the same Authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.
Phase 1 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 1. The default value is 28,800 seconds.
Perfect Forward Secrecy: If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP traffic encryption and authentication. If PFS is enabled, a hacker using brute force to break encryption keys is not able to obtain other or future IPSec keys.
Phase 2 DH Group: There are three groups of different prime key lengths. Group1 is 768 bits, Group2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You can choose the different Group with the Phase 1 DH Group you chose. If Perfect Forward Secrecy is disabled, there is no need to set up the Phase 2 DH Group since no new key is generated, and the key of Phase 2 will be same with the key in Phase 1.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are three methods of encryption, DES, 3DES and AES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. In addition, AES includes three types of encryptions, AES-128, AES-192, and AES-256. Both sides must use the same Encryption method. 3DES or AES is recommended because it is more secure. If users enable the AH Hash Algorithm in Advanced, it’s recommended for most users to select Null to disable encryption/decryption of ESP packets in Phase 2, but both sides must use the same setting.
Phase 2 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a method to authenticate the ESP packets. Both sides must use the same Authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. If users enable the AH Hash Algorithm in Advanced, it’s recommended to select Null to disable authentication of the ESP packets in Phase 2 for most users, but both sides must use the same setting.
Phase 2 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 2. The default value is 3,600 seconds.
Preshared Key: The character and hexadecimal values are acceptable in this field, e.g. "My_@123" or "4d795f40313233." The maximum entry of this field is 30-digit. Both sides must use the same Pre-shared Key. It’s recommended to change Preshared keys regularly to maximize VPN security.
Click the Apply button to save the settings or click the Cancel button to undo the changes.
Advanced
For most users, the settings on the VPN page should be satisfactory. This device provides an advanced IPSec setting page for some special users such as reviewers. Clicking "Advanced" will link you to that page. Advanced settings are only for IKE with Preshared Key mode of IPSec.
Aggressive Mode: There are two types of Phase 1 exchanges: Main mode and Aggressive mode. Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode. If network speed is preferred, select Aggressive mode. When Group VPN is enabled, it will be limited as Aggressive Mode. If you select Dynamic IP in Remote Client Type in tunnel mode, it will be also limited as Aggressive Mode.
Compress (Support IP Payload compression Protocol (IP Comp))
The 8-Port Dual-WAN VPN Router supports IP Payload Compression Protocol. IP Payload Compression is a protocol to reduce the size of IP datagrams. If Compress is enabled, the 8-Port Dual-WAN VPN Router will propose compression when initiating a connection. If the responder rejects this proposal, the 8-Port Dual-WAN VPN Router will not implement the compression. When the 8-Port Dual-WAN VPN Router works as a responder, it will always accept compression even without enabling compression.
Keep-Alive: This mechanism helps to keep IPSec tunnels connected. Whenever a dropped connection is detected, it will be re-established immediately.
AH Hash Algorithm: AH (Authentication Header) protocol describes the packet format and the default standards for packet structure. With the use of AH as the security protocol, protection is extended forward into IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. There are two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data and SHA1 produces a 160-bit digest to authenticate packet data. Both sides should use the same algorithm.
NetBIOS broadcast: Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks these broadcasts.
Dead Peer Detection (DPD): When DPD is enabled, the 8-Port Dual-WAN VPN Router sends periodic HELLO/ACK messages to verify that the tunnel is alive, provided both peers of the VPN tunnel support the DPD mechanism. Once a dead peer is detected, the Router disconnects the tunnel so the connection can be re-established. The Interval is the number of seconds between DPD messages. By default, DPD is enabled and the Interval is 10 seconds. (There is no DPD for Group VPN.)
Click the Apply button when you finish settings or click the Cancel button to undo the changes.
VPN Pass Through
IPSec Pass Through
Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. To allow IPSec tunnels to pass through the Router, IPSec Pass Through is enabled by default.
PPTP Pass Through
Point to Point Tunneling Protocol (PPTP) Pass Through is the method used to enable VPN sessions. PPTP Pass Through is enabled by default.
L2TP Pass Through
Layer 2 Tunneling Protocol (L2TP) Pass Through is the method used to enable VPN sessions. PPTP Pass Through is enabled by default.
Click the Apply button when you finish the VPN Pass Through settings, or click the Cancel button to undo the changes.
Log
System Log
System Log has three parts: Syslog, E-mail and Log Setting.
Syslog
• Enable Syslog: Check the box to enable Syslog.
• Syslog Server: In addition to the standard event log, the 8-Port Dual-WAN VPN Router can send a detailed log to an external Syslog server. Syslog is an industry-standard protocol used to capture information about network activity. The Router's Syslog captures all log activities and includes every connection's source and destination IP address, IP service, and number of bytes transferred. Enter the Syslog server name or IP address in the Syslog Server field. Restart the Router for the change to take effect.
E-mail
• Enable E-Mail Alert: Check the box to enable E-Mail Alert.
• Mail Server: If you wish to have any log or alert information e-mailed to you, you must enter the name or numerical IP address of your SMTP server. Your Internet Service Provider can provide you with this information.
• Send E-mail To: This is the e-mail address to which your log files will be sent. You may leave this field blank if you do not want to receive copies of your log information.
• Log Queue Length (entries): The default is 50 entries. The Router will e-mail the log when the number of log entries exceeds 50.
• Log Time Threshold (minutes): The default is 10 minutes. The Router will e-mail the log every 10 minutes. The log is e-mailed as soon as either the Log Queue Length or the Log Time Threshold setting is met.
• E-mail Log Now: Click E-mail Log Now to immediately send the log to the address in the Send E-mail To field.
Log Setting
• Alert Log: Check the event boxes for which you want to receive alert logs: Syn Flooding, IP Spoofing, Win Nuke, Ping of Death and Unauthorized Login Attempt.
• General Log: Check the event boxes for which you want to receive logs: System Error Messages, Deny Policies, Allow Policies, Content Filtering, Data Inspection, Authorized Login, and Configuration Changes.
Four buttons follow the Log Setting section.
• View System Log: Pressing this button opens a new window showing the log, where the user can choose ALL, System Log, Access Log, Firewall Log or VPN Log.
• Outgoing Log Table: Pressing this button opens a new window showing outgoing packet information, including LAN IP, Destination URL/IP and Service/Port number.
• Incoming Log Table: Pressing this button opens a new window showing incoming packet information, including Source IP and Destination Port number.
• Clear Log Now: This button will clear out your log without e-mailing it. Only use this button if you don't mind losing your log information.
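An added example, not from the manual: once Syslog is enabled, a collector can tally the Alert Log categories listed above from the datagrams it receives. The sample datagrams are constructed, and the manual does not give the Router's actual message wording, so the keyword match on category names and the host name `vr100` are assumptions.

```python
import re
from collections import Counter

# Alert Log categories listed in the manual's Log Setting section.
ALERT_CATEGORIES = ["Syn Flooding", "IP Spoofing", "Win Nuke",
                    "Ping of Death", "Unauthorized Login Attempt"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(datagram):
    """Split a syslog datagram into (facility, severity, message)."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return None, None, text  # no valid <PRI> header: keep the raw text
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7], m.group(2)


def classify(message):
    """Return the alert category named in the message, or None."""
    normalized = re.sub(r"[\s_-]+", " ", message).lower()
    for category in ALERT_CATEGORIES:
        if category.lower() in normalized:
            return category
    return None


def summarize(datagrams):
    """Count alert categories seen across a batch of datagrams."""
    counts = Counter()
    for datagram in datagrams:
        category = classify(parse_pri(datagram)[2])
        if category:
            counts[category] += 1
    return counts


# Constructed sample datagrams (not real Router output).
SAMPLE = [
    b"<132>Jan 12 03:14:07 vr100 kernel: SYN flooding detected from 203.0.113.7",
    b"<134>Jan 12 03:14:09 vr100 fw: Allow policy 192.168.1.20 -> 198.51.100.4:443",
    b"<129>Jan 12 03:15:41 vr100 httpd: Unauthorized login attempt from 203.0.113.7",
    b"Ping-of-Death packet dropped",
    b"<132>Jan 12 03:16:02 vr100 fw: IP spoofing on WAN1 src 10.0.0.5",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```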
System Statistics
The 8-Port Dual-WAN VPN Router provides system statistics, including the Device Name, Status, IP Address, MAC Address, Subnet Mask, Default Gateway, Received Packets, Sent Packets, Total Packets, Received Bytes, Sent Bytes, Total Bytes, Error Packets Received and Dropped Packets Received, for LAN, WAN1 and WAN2.
Logout
The Logout button is located in the lower right corner of the Web Interface. This button terminates the management session, after which the Authentication window is displayed. You will need to re-enter your User Name and Password to log in and continue managing the 8-Port Dual-WAN VPN Router.