Ericsson HM210DP/DI, HM210dp, HM210di User Manual

ADSL Modem
HM210dp/di
User Guide
ADSL Modem
HM210dp/di
User Guide
.
ii
EN/LZT 108 6492 R2 – October 2003
Copyright
Ericsson AB – 2003 All Rights Reserved
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Ericsson shall have no liability for any error or damages of any kind resulting from the use of this document.
Abstract
This User guide describes how to install and set up the Ericsson ADSL Modem HM210dp/di in a Windows environment, and how to customize its configuration to get the most out of the product.
Trademark List
Windows
Windows is a registered trademark of Microsoft Corporation
Enclosure List
Contents
EN/LZT 108 6492 R2 – October 2003
iii
Contents
1 Introduction 1
1.1 About this User Guide 1
1.2 About the ADSL Modem HM210d 1
1.2.1 Features 1
2 Hardware Description and Installation 2
2.1 Before You Start 2
2.1.1 Package Contents 2
2.1.2 Subscription for ADSL Service 2
2.1.3 System Requirements 2
2.2 Physical Appearance 3
2.2.1 Front Panel and LED Indicators 3
2.2.2 Back Panel and Connectors 4
2.3 Choosing a Place for the Router 4
2.4 Connecting the Hardware 5
3 Local PC Configuration 6
3.1 Configuring PCs as DHCP Clients 6
3.1.1 In Windows 95, 98/98SE and Me: 6
3.1.2 In Windows 2000: 7
3.1.3 In Windows XP: 7
3.2 Assigning Static IP Addresses to your PCs 8
3.2.1 In Windows 95, 98/98SE and Me: 8
3.2.2 In Windows 2000: 9
3.2.3 In Windows XP: 9
4 Getting Started with the Configuration Manager 10
4.1 Accessing the Configuration Manager 10
4.2 Functional Layout 11
4.2.1 Commonly Used Buttons and Icons 12
Contents
iv EN/LZT 108 6492 R2 - October 2003
4.3 The Home Page and System View Table 13
4.4 Commiting Changes and Rebooting 15
4.4.1 Rebooting the HM210dp/di using Options 16
4.5 Quick Configuration 18
5 Basic Configuration 21
5.1 Configuring the ATM Virtual Circuit 21
5.1.1 Adding ATM VCs 21
5.1.2 Modifying ATM VCs 23
5.2 Configuring PPP Interfaces 24
5.2.1 Adding PPP Interfaces 24
5.2.2 Checking Your Connection Status 27
5.2.3 Modifying and Deleteing PPP Interfaces 28
5.3 Configuring EoA Interfaces 29
5.3.1 Adding EoA Interfaces 29
5.4 Configuring IPoA Interfaces 33
5.4.1 Adding IPoA Interfaces 33
5.4.2 Checking Your Connection Status 35
5.5 Bridging Connection Mode 36
5.5.1 Defining Bridge Interfaces 36
5.5.2 Check Your Connection Status 37
5.5.3 Deleting a Bridge Interface 37
6 Configuring IP Routes 38
6.1 Overview of IP Routes 38
6.2 Viewing the IP Routing Table 39
6.3 Adding IP Routes 41
7 Configuring DHCP 42
7.1 Overview of DHCP 42
7.2 DHCP Modes 42
7.3 Configuring DHCP Server 43
7.3.1 Creating DHCP Server Address Pools 44
Contents
EN/LZT 108 6492 R2 - October 2003
v
7.3.2 Enabling DHCP Server Mode 46
7.3.3 Configuring Your PCs as DHCP Clients 47
7.3.4 Viewing, Modifying and Deleting Address Pools 47
7.3.5 Excluding IP Addresses from a Pool 48
7.3.6 Viewing Current DHCP Address Assignments 48
7.4 Configuring DHCP Relay 49
7.4.1 Defining the DHCP Relay Interface(s) 49
7.4.2 Enabling DHCP Relay Mode 50
7.4.3 Configuring Your PCs as DHCP Clients 51
8 Configuring NAT 52
8.1 Overview of NAT 52
8.2 Viewing NAT Configuration 53
8.3 Viewing NAT Rules and Rule Statistics 55
8.4 Viewing Current NAT Translations 57
8.5 Adding NAT Rules 59
8.5.1 The NAPT Rule 59
8.5.2 The RDR Rule 60
8.5.3 The BASIC Rule 62
8.5.4 The FILTER Rule 64
8.5.5 The BIMAP Rule 66
8.5.6 The PASS Rule 68
9 Configuring DNS Server Addresses 70
9.1 Assigning DNS Addresses 70
9.2 Overview of DNS Relay 71
9.3 Configuring DNS Relay 71
10 Configuring RIP 74
10.1 Overview of RIP 74
10.2 Configuring the RIP 75
10.3 Viewing RIP Statistics 76
Contents
vi EN/LZT 108 6492 R2 - October 2003
11 Configuring Firewall Settings 78
11.1 Global Firewall Settings 78
11.2 Configuring IP Filters 80
11.2.1 Viewing Your IP Filter Configuration 81
11.2.2 Configuring IP Filter Global Settings 82
11.2.3 Creating IP Filter Rules 82
11.2.4 Viewing IP Filter Statistics 88
11.2.5 Managing Current IP Filter Sessions 89
11.3 Blocking Specific Protocols 90
12 Administration Tasks 93
12.1 Changing the System Date and Time 93
12.2 Configuring User Names and Passwords 94
12.3 Upgrading the Software 96
12.4 Using Diagnostics 97
12.5 Modifying Port Settings 99
12.5.1 Accessing a Server with a Non-Standard Port Number 99
12.6 Viewing System Alarms 100
13 Viewing DSL Line Information 101
14 Troubleshooting 104
14.1 LEDs 104
14.2 Internet Access 105
14.3 Configuration Manager Program 106
14.4 Diagnosing Problem Using IP Utilities 106
14.4.1 How to use WINIPCFG 106
14.4.2 How to use IPCONFIG 107
14.4.3 How to use PING 108
15 Important Information 109
15.1 Product Care and Maintenance 109
15.2 License Agreement 110
Contents
EN/LZT 108 6492 R2 - October 2003
vii
15.2.1 License 110
15.2.2 Term 110
15.2.3 Limited Warranty 110
15.2.4 Intended Use 111
15.2.5 Limitation of Liability 111
15.2.6 Governing Law 111
15.3 Regulatory Information 112
15.3.1 EU Directives 112
15.3.2 Safety Approvals 112
15.3.3 EMC Approvals 113
15.3.4 Telecom Approval 115
15.3.5 Caution 116
15.3.6 Power Supply 116
15.3.7 Environmental Information 116
15.3.8 Intended Use 117
16 Glossary 118
Introduction
EN/LZT 108 6492 R2 - October 2003
1
1 Introduction
Congratulations on becoming the owner of an Ericsson ADSL Modem HM210dp/di. Your LAN (Local Area Network) will now be able to access the Internet using your high-speed ADSL connection.
1.1 About this User Guide
This User Guide describes how to install and setup your HM210dp/di in a Windows environment, and how to customize its configuration to get the most out of your new product.
The Glossary includes abbreviations and explanations to technical terms used in this guide.
1.2 About the ADSL Modem HM210d
The ADSL Modem HM210 comes in two versions: HM210dp and HM210di. Both products offer the same features, but they rely on different types of telephone line in order to provide the ADSL service. HM210dp offers ADSL service over POTS (Plain Old Telephone System) lines, while HM210di uses ISDN (Integrated Services Digital Network) lines to provide the ADSL service.
1.2.1 Features
The main features of the HM210dp/di are listed below:
Internal ADSL modem for high-speed Internet access.
10/100Base-T Ethernet router to provide Internet connectivity to all
computers on your LAN.
Network Address Translation (NAT), Firewall and IP filtering
functions to provide security for your LAN.
Network configuration through DHCP Server and DHCP Relay.
Services including IP route and DNS configuration, RIP, and IP and
DSL performance monitoring.
Configuration Manager program you access via a web browser.
Hardware Description and Installation
2 EN/LZT 108 6492 R2 - October 2003
2 Hardware Description and Installation
This chapter describes the product and provides instructions about how to install the HM210dp/di in a PC/Windows environment.
2.1 Before You Start
2.1.1 Package Contents
Check the contents of the package against the shipping contents checklist below. If any of the items is missing, please contact the ADSL modem provider.
The ADSL Modem HM210dp/di
A Power Supply Adapter with connecting cable
ADSL Line Cable (RJ-11)
Ethernet Cable (RJ-45)
USB Cable
Quick Installation Guide
Documentation CD (including Acrobat Reader and this User Guide)
Your HM210dp/di package may also include other materials provided by your ADSL operator.
2.1.2 Subscription for ADSL Service
To use the ADSL Modem HM210dp/di, you will require an ADSL service subscription from your broadband service provider.
2.1.3 System Requirements
In order to use your HM210dp/di you must have the following:
One or more computers each containing an Ethernet 10/100Base-T
network interface card (NIC).
Hardware Description and Installation
EN/LZT 108 6492 R2 - October 2003
3
An Ethernet hub/switch if you are connecting the device to more
than one computer.
For system configuration using the built-in Configuration Manager
program you need a web browser such as Internet Explorer v5.0 or later, or Netscape v5.0 or later.
2.2 Physical Appearance
2.2.1 Front Panel and LED Indicators
The front panel of the HM210dp/di contains five control lamps (LEDs) that indicate the status of the modem. A general description of each LED is provided in the table below (from left to right):
Figure 1 - Front Panel of HM210dp
Label Status/Description
PWR On: Unit is powered on.
Off: Unit is powered off.
DIAG Flashes on/off at boot-up to indicate that the device
software is operational. Turns off after 10-15 seconds.
LAN On: Ethernet link established and active.
Off: No Ethernet link detected.
ACT Flashes when ADSL data activity occurs. May appear
solid when data traffic is heavy.
DSL On: ADSL link established and active.
Off: No ADSL link detected.
Table 1 - Description of LEDs
Hardware Description and Installation
4 EN/LZT 108 6492 R2 - October 2003
2.2.2 Back Panel and Connectors
The following figure illustrates the back panel of your HM210dp/di:
Figure 2 - Back Panel of the HM210dp/di
Description of connectors and buttons:
DSL – The DSL port is used for connecting the HM210dp/di to the
ADSL service port (splitter/filter or phone outlet) using the supplied ADSL line cable (RJ11 – RJ11).
LAN – The LAN port (Ethernet 10/100 BaseT) connect the
HM210dp/di to your PC’s Ethernet port, or to the uplink port on your LAN’s hub, using the supplied Ethernet cable (RJ45 – RJ45).
RESET button (tiny hole) – Used to reset and restore the
HM210dp/di to default settings. Push a paper clicp into the hole and hold for three seconds before releasing. Then wait for the device to finish boot up.
Power button – Used to switch the HM210dp/di ON and OFF.
PWR – Power socket for connecting the HM210dp/di to a power
outlet by using the supplied power adapter.
2.3 Choosing a Place for the Router
The HM210dp/di should be placed on a flat surface. Be sure to choose a location that enables you to see the LEDs, is close to a power outlet, ADSL outlet, and the PC.
NOTE! Proper ventilation is necessary to prevent the product from over-heating. Do not block or cover the slots and openings on the device, which are intended for ventilation and proper operation.
Hardware Description and Installation
EN/LZT 108 6492 R2 - October 2003
5
2.4 Connecting the Hardware
Follow the procedures below to connect related devices.
NOTE! Before you begin, turn the power off for all devices. These include your computer(s), your LAN hub/switch (if applicable), and the HM210dp/di.
1. Connect to the ADSL Line Connect one end of the provided ADSL Line cable to the port labeled DSL on the back panel of the HM210dp/di. Connect the other end to your ADSL service port (splitter/filter or phone outlet).
2. Connect to a PC or hub/switch:
- to a single PC
Attach one end of the provided Ethernet cable (straight-through) to the port labeled LAN on the HM210dp/di. Connect the other end to your PC’s Ethernet port.
- to a hub/switch
Attach one end of a “cross-over” Ethernet cable to a hub/switch and the other end to the LAN port on the HM210dp/di.
- to a hub/switch’s uplink port
Use a “straight-through” Ethernet cable to connect to the uplink port and the other end to the LAN port on the HM210dp/di.
3. Connect the Power Supply Connect the provided Power cable from the Power Supply Adapter to the PWR socket on the HM210dp/di. Plug the power supply adapter into a power source (wall outlet or power strip).
4. Turn on the HM210dp/di and power up your systems Press the Power button on the back panel of the HM210dp/di to turn on the device.
Turn on and boot up your computer(s) and any LAN devices such as hubs or switches.
Local PC Configuration
6 EN/LZT 108 6492 R2 - October 2003
3 Local PC Configuration
By default, the HM210dp/di acts as a DHCP server that automatically assigns all required Internet settings to your PCs, i.e. the DHCP clients. The predefined IP address and DHCP range is as below:
LAN Port IP Address 192.168.1.1 Subnet Mask 255.255.255.0 DHCP Range 192.168.1.3 – 192.168.1.34
The following instructions assume that your PC meets the following prerequisites:
1. Already is connected to the LAN port on the HM210dp/di through its network interface card (NIC).
2. Has the appropriate Ethernet adapter software installed.
3. Has the TCP/IP protocol installed. If not, refer to Microsoft documentation to install the TCP/IP protocol.
You need only to configure the PCs to accept the information when it is assigned. Follow the instructions that correspond to the operating system installed on each PC.
3.1 Configuring PCs as DHCP Clients
If you have not been provided any IP settings from your ISP/service provider, you should use DHCP that is the most common used method.
3.1.1 In Windows 95, 98/98SE and Me:
1. From the Start menu select Settings > Control Panel and double- click on the Network icon.
2. Click the Configuration tab and select TCP/IP for the network adapter that is connected to your HM210dp/di. Click the Properties button.
3. Select the IP Address tab and make sure that “Obtain an IP address automatically” is selected. If not, select it and click OK.
4. Click OK in the “Network” dialog box and close the Control Panel.
Local PC Configuration
EN/LZT 108 6492 R2 - October 2003
7
5. Some configuration files may be copied to your hard disk and if a “Settings Changes” message asks you to restart your PC, you should answer Yes.
3.1.2 In Windows 2000:
1. From the Start menu select Settings > Control Panel and double- click on the Network and Dial-up Connections icon.
2. Double-click on the Local Area Connection icon for the HM310dp. Be sure to choose the correct one if you have several dial-up icons.
3. Click the Properties button.
4. Select the Internet Protocol (TCP/IP) and click the Properties button.
5. Make sure that “Obtain an IP address automatically” is selected. If not, select it and click OK.
6. Click OK in the “Local Area Connection Properties” dialog box and click Close in the “Local Area Connection Status” dialog box.
7. Close the “Network and Internet Connections” window.
3.1.3 In Windows XP:
1. From the Start menu select Control Panel and double-click on Network Connections (Classic View) or double-click on the link Network and Internet connections followed by Network Connections (Category View).
2. Double-click on the Local Area Connection icon for the HM310dp. Be sure to choose the correct one if you have several dial-up icons.
3. Click the Properties button.
4. Select the Internet Protocol (TCP/IP) and click the Properties button.
5. Make sure that “Obtain an IP address automatically” is selected. If not, select it and click OK.
6. Click Close in the “Local Area Connection Properties” and “Local Area Connection Status” dialog boxes.
7. Close the “Network and Internet Connections” window.
Local PC Configuration
8 EN/LZT 108 6492 R2 - October 2003
3.2 Assigning Static IP Addresses to your PCs
In some cases, you may want to assign static IP information to your PCs directly if:
In bridged mode, you have completed the initial configuration and
you need to use the IP address and default gateway given by your ISP.
You have obtained one or more public IP addresses that you want
to always associate with specific computers (for example, if you are using a computer as a public web server).
You maintain different subnets on your LAN.
Before you begin, contact your ISP/service provider if you do not already have the following information:
IP address and subnet mask
Default Gateway IP address
DNS Server IP address
Follow the instructions that correspond to the operating system installed on each PC:
3.2.1 In Windows 95, 98/98SE and Me:
1. From the Start menu select Settings > Control Panel and double- click on the Network icon.
2. Click the Configuration tab and select TCP/IP for the network adapter (Ethernet or USB) that is connected to your HM310dp. Click the Properties button.
3. Select the IP Address tab.
4. Select “Specify an IP address” and enter the IP settings provided by your ISP/service provider. Click OK.
5. Click OK in the “Network” dialog box and close the Control Panel.
6. Some configuration files may be copied to your hard disk and if a “Settings Changes” message asks you to restart your PC, you should answer Yes.
Local PC Configuration
EN/LZT 108 6492 R2 - October 2003
9
3.2.2 In Windows 2000:
1. From the Start menu select Settings > Control Panel and double- click on the Network and Dial-up Connections icon.
2. Double-click on the Local Area Connection icon for the HM310dp. Be sure to choose the correct one if you have several dial-up icons.
3. Click the Properties button.
4. Select the Internet Protocol (TCP/IP) and click the Properties button.
5. Select “Specify an IP address” and enter the IP settings provided by your ISP/service provider. Click OK.
6. Click OK in the “Local Area Connection Properties” dialog box and click Close in the “Local Area Connection Status” dialog box.
7. Close the “Network and Internet Connections” window.
3.2.3 In Windows XP:
1. From the Start menu select Control Panel and double-click on Network Connections (Classic View) or double-click on the link Network and Internet connections followed by Network Connections (Category View).
2. Double-click on the Local Area Connection icon for the HM310dp. Be sure to choose the correct one if you have several dial-up icons.
3. Click the Properties button.
4. Select the Internet Protocol (TCP/IP) and click the Properties button.
5. Select “Use the following IP address” and enter the IP settings provided by your ISP/service provider. Click OK.
6. Click Close in the “Local Area Connection Properties” and “Local Area Connection Status” dialog boxes.
7. Close the “Network and Internet Connections” window.
Getting Started with the Configuration Manager
10 EN/LZT 108 6492 R2 - October 2003
4 Getting Started with the Configuration
Manager
Your HM210dp/di includes a web-based Configuration Manager, which enables you to configure the device settings to meet the needs of your network.
4.1 Accessing the Configuration Manager
You can access the Configuration Manager from any computer connected to the HM210dp/di. Follow the instructions below:
1. At any PC connected to the HM210dp/di, open a web browser, type the following URL in the address (or location) box, and press <Enter>:
http://192.168.1.1
2. When the Login screen appears, enter your User Name and Password and then click OK:
The first time you launch the Configuration Manager, use these default values: Default User Name: root Default Password: root
3. After a successful login, the home page - System View - of the Configuration Manager appears. See section 4.3 for further information.
Getting Started with the Configuration Manager
EN/LZT 108 6492 R2 - October 2003
11
4.2 Functional Layout
The Configuration Manager tasks are grouped into categories, which you can access by clicking the tabs at the top of each page. Each tab displays the available tasks in a horizontal menu at the top of the page. You can click on these menu items to display the specific configuration options.
A separate page displays for each task in the task bar. The left-most task displays by default when you click on a new tab. The same task may appear in more than one tab, when appropriate. For example, the LAN Config task displays in both the LAN tab and the Routing tab.
Tab Task bar
Getting Started with the Configuration Manager
12 EN/LZT 108 6492 R2 - October 2003
4.2.1 Commonly Used Buttons and Icons
The table below describes buttons and icons commonly used in the Configuration Manager.
Button / Symbol Description
Stores in temporary system memory any changes you have made on the current page. See section 4.4 “Committing Changes and Rebooting” for instructions on how to store changes permanently.
Redisplays the current page with updated statistics or settings.
When accumulated statistics are displaying, this button resets the statistics to their initial value.
Launches the online help for the current topic in a separate browser window. Help is available from any main topic page.
Delete an entry.
Modify an entry.
View details for an entry.
Getting Started with the Configuration Manager
EN/LZT 108 6492 R2 - October 2003
13
4.3 The Home Page and System View Table
The Home page - System View – displays when you first access the Configuration Manager. This page is one of two options available in the Home tab (the other is the Quick Configuration page, as described in section 4.5).
The System View table provides a snapshot of your system configuration. Note that some of the settings are links to the software pages that enable you to configure those settings. The following table describes each section of the System View table:
Getting Started with the Configuration Manager
14 EN/LZT 108 6492 R2 - October 2003
Table Heading Description
Device Displays basic information about the HM210dp/di
hardware and software versions, the system uptime (since the last reboot), and the preconfigured operating mode.
DSL Displays the operational status, version, and
performance statistics for the DSL line. You can click on DSL in the table heading or display the WAN tab to view additional DSL settings, which are described in chapter x.
WAN Interfaces Displays the software name(s) and various settings
for the device interface(s) that communicates with your ISP via DSL. Although you only have one physical DSL port, multiple software-defined interfaces can be configured to use it. For each interface, a “Lower Interface” name, such as aal5-0, should display. You can click on the lower interface name to view or change the ATM VC settings that this interface uses.
LAN Interfaces Displays the software names and various settings for
the device interfaces that communicate directly with your network. This typically includes an Ethernet interface named eth-0.
Services Summary Displays the status of various services that the
HM210dp/di performs to help you manage your network. A green ball indicates the service is active and a red X indicates that it is inactive: NAT – Translating private IP addresses to your public IP address. IP Filter – Setting up filtering rules that accept or deny incoming or outgoing data.
RIP – Enabling router-to-router communication. DHCP Relay – Enabling dynamic assignment of IP
information from your ISP to your computers. DHCP Client – Enabling dynamic assignment of IP information from your ISP or another computer on your network to the device’s LAN port. DHCP Server – Enabling dynamic assignment of IP information from the device’s built-in DHCP server to your LAN computers. IGMP – Enabling message forwarding from external sources such as your ISP, based on Internet Group Management Protocol (not configurable).
Getting Started with the Configuration Manager
EN/LZT 108 6492 R2 - October 2003
15
4.4 Commiting Changes and Rebooting
Whenever you change system settings, the changes are initially placed in a temporary storage (called random access memory or RAM). Your changes are made effective when you submit them, but will be lost if the device is reset or turned off.
NOTE! Submitting changes activates them immediately, but saves them only until the device is reset or powered down. Committing changes saves them permanently.
Follow these steps to commit changes to permanent storage:
1. Select Admin > Commit & Reboot. The Commit & Reboot page appears:
2. Click the Commit button. (Disregard the selection in the Reboot Mode: dropdown list, it does not affect the commit process). The changes are saved to permanent storage.
The previous settings are copied to backup storage so that they can be recalled if your new settings do not work properly (see the rebooting instructions in section 4.4.1).
NOTE! If you change the LAN IP address information, you MUST commit the changes and then reboot the system to activate them. All other changes are activated when you commit them (no reboot is needed).
Getting Started with the Configuration Manager
16 EN/LZT 108 6492 R2 - October 2003
4.4.1 Rebooting the HM210dp/di using Options
If, after rebooting the device, you find that it does not operate properly with the new configuration, you can reboot using options that reactivate a previous configuration or the factory default configuration.
1. Select Admin > Commit & Reboot. The Commit & Reboot page appears:
2. In the Reboot Mode: dropdown list you can select from the following options before clicking the Reboot button.
Setting Description
Reboot Reboots the device to activate your new
settings (if any).
Reboot from Default Configuration
Reboots the device to default settings provided by your ISP or the manufacturer. Choosing this option erases any custom settings.
Reboot from Backup Configuration
Reboots the device using settings stored in backup memory. These are the settings that were in effect before you committed new settings in the current session.
Reboot from Last Configuration
Reboots the device using the current settings in permanent memory, including any changes you just committed.
Reboot from Clean Configuration
Getting Started with the Configuration Manager
EN/LZT 108 6492 R2 - October 2003
17
Reboot from Minimum Configuration
NOTE! Do not reboot the device using the Reset button on the back panel of the HM210dp/di to activate new changes. This button resets the device settings to the manufacturer’s default values. Any custom settings will be lost.
Getting Started with the Configuration Manager
18 EN/LZT 108 6492 R2 - October 2003
4.5 Quick Configuration
The Quick Configuration page allows you to quickly configure your HM210dp/di for Internet connection. Your ISP should provide you with necessary information to complete the quick setup.
To quickly configure the system, go to Home > Quick Configuration. The Quick Configuration page appears:
Enter the provided fields as below:
Getting Started with the Configuration Manager
EN/LZT 108 6492 R2 - October 2003
19
Field Description
ATM Interface: Select the ATM interface you want to use (usually
atm-0) for this connection.
Operation Mode: Enabled/Disabled.
If set to Disabled, the device cannot provide Internet connectivity for your network.
Encapsulation:
Select the connection type your ISP uses to communicate with your HM210dp/di.
VPI and VCI:
Enter the VPI/VCI values given by your ISP.
Bridge:
This setting enables or disables bridging between the HM210dp/di and your ISP. Your ISP may also refer to this using RFC 1483” or “Ethernet over ATM”.
IGMP:
This setting enables or disables the Internet Group Management Protocol. Contact your ISP whether to enable this setting.
IP Address: and Subnet Mask:
If your ISP has assigned a public IP address to your LAN, enter the IP address and associated subnet mask in the boxes provided.
Use DHCP:
Select Enable if you want the HM210dp/di to act as a DHCP server for your LAN.
Default Route:
When enabled, the IP address specified above will be used as the default route for your LAN.
Gateway IP Address:
Specify the IP address that identifies the ISP server through which your Internet connection will be routed.
PPP
Username: Password:
If you select PPP as the Encapsulation type, enter the Username and Password provided by your ISP.
Use DNS:
Select Enable to turn on the DNS forwarding service, which forwards to your LAN PCs the DNS server addresses that your PPP connection learns from your ISP.
This option can only be used when the HM210dp/di acts as a DHCP server for your LAN.
Getting Started with the Configuration Manager
20 EN/LZT 108 6492 R2 - October 2003
Field Description
DNS Primary/Secondary DNS Server:
You may just keep the default 0.0.0.0. If you enter the Primary/Secondary DNS addresses given by your ISP, these DNS servers will be used in addition to any DNS servers discovered automatically.
After completing the required settings, click the Submit button.
Then, go to Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
21
5 Basic Configuration
This chapter provides basic configuration instructions to get your HM210dp/di run and have your network connected to the Internet.
The instructions assume that the HM210dp/di is not predefined with any ATM VC, PPP or IpoA settings. For each connection method, example parameters are given for your better understanding. You should consult with your ISP to determine your connection mode and enter the actual values provided by your ISP.
NOTE! Your HM210dp/di may already be pre-configured with the necessary settings to get your network connected to the Internet. Contact your ISP to determine whether you should change any existing values.
5.1 Configuring the ATM Virtual Circuit
As your LAN computers access the Internet via the HM210dp/di, data is exchanged with your ISP through a complex network of telephone switches, Internet routers, servers, and other specialized hardware. These various devices communicate using a common language, or protocol, called Asynchronous Transfer Mode (ATM). On the Wide Area Network (WAN) that connects you to your IPS, the ATM protocol performs functions like those that the Ethernet protocol performs on your LAN.
This section describes how to configure the ATM Virtual Circuit (VC). The VC properties define the path the HM210dp/di uses to communicate with your ISP over the ATM network.
5.1.1 Adding ATM VCs
You may need to create a VC if none has been predefined on your system or if you use multiple services with your ISP. Each service may require its own VC.
Follow these instructions to add an ATM VC Interface:
1. Select ATM > ATM VC to display the ATM VC Configuration page.
2. Click the Add button to display the ATM VC – Add page:
Basic Configuration
22 EN/LZT 108 6492 R2 - October 2003
Enter the provided fields as below:
Field Description
VC Interface:
Select a VC interface from the available interfaces, e.g. aal5-0.
VPI and VCI:
Enter the VPI/VCI values given by your ISP, e.g. 0/33.
Mux Type:
Select LLC or VC as required by your ISP.
Max Proto per AAL5:
This setting indicates the number of higher-level interfaces that the VC can support (the higher level interfaces can be PPP, EoA, or IpoA interfaces). Contact your ISP to determine wich connection protocol(s) they require.
3. After entering the fields above, click the Submit button and when the confirmation page appears, click Close.
4. You will return to the ATM VC Configuration table and see the newly added ATM VC entry:
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
23
5. Select Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
6. You may need to create a new WAN interface, or modify an existing interface, so that it uses the new VC. See the instructions in the following sections for configuring a PPP (section 5.2), EoA (section
5.3) or IpoA (section 5.4) interfaces, depending on the type you use to communicate with your ISP.
5.1.2 Modifying ATM VCs
Your device may already be preconfigured with the necessary ATM VC properties, or the table may contain placeholder values that you must change before using the device. Contact your ISP to determine your ATM VC values. Follow these instructions to modify a preconfigured VC:
1. From the ATM VC Configuration page, click
in the “Actions” column for the interface you want to modify. The ATM VC Interface – Modify page displays.
2. Enter the new VPI and VCI values, select the Mux Type, or change the maximum number of protocols that the VC can carry, as directed by your ISP. You cannot modify the interface type over which an existing VC operates (aal5-0, for example). If you want to change the interface type, you must delete the existing interface, create a new one, and select the desired interface type.
3. After entering the fields above, click the Submit button and when the confirmation page appears, click Close.
4. Select Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
Basic Configuration
24 EN/LZT 108 6492 R2 - October 2003
5.2 Configuring PPP Interfaces
When powered on, the HM210dp/di initiates a connection through your DSL line to your ISP.
The Point-to-Point (PPP) protocol is commonly used between ISPs and their customers to identify and control various communication properties, including:
Identifying the type of service the ISP provides to a given customer.
Identifying the customer to the ISP through a username and
password login.
Enabling the ISP to assign Internet information to the customer’s
computers.
Your ISP may or may not use the PPP protocol. Contact your ISP to determine if you will need to change the default settings in order to connect to their server.
5.2.1 Adding PPP Interfaces
If you intend to use more than one type of service from your ISP, the device can be configured with multiple PPP interfaces, each with unique logon and other properties.
Follow this procedure to define properties for a PPP interface:
1. Select WAN > PPP to display the Point to Point Protocol (PPP) Configuration page.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
25
2. Click the Add button to display the PPP Interface – Add page:
3. Enter the provided fields as below:
Field Description
PPP Interface:
Select a PPP interface from the available interfaces, e.g. ppp-0.
ATM VC:
Select the ATM VC you wish to use for this connection, e.g. aal5-0.
Interface Sec Type:
Public / Private / DMZ.
This setting defines the type of firewall protections that are in effect on the interface as described below:
A public interface connects to the Internet (PPP interfaces are typically public). Packets received on a public interface are subject to the most restrictive set of firewall protections defined in the software.
Basic Configuration
26 EN/LZT 108 6492 R2 - October 2003
A private interface connects to your LAN, such as the Ethernet interface. Packets received on a private interface are subject to a less restrictive set of protections, because they originate within the network.
The term DMZ (de-militarized zone), in Internet networking terms, refers to computers that are available for both public and in-network accesses (such as a company’s public Web server). Packets incoming on a DMZ interface – whether from a LAN or external source – are subject to a set of protections that is in between public and private interfaces in terms of restrictiveness.
Status:
Start – To establish a connection whenever you turn on the HM210dp/di. StartOnData – To establish a connection whenever the device gets a request to connect to the Internet, such as when you open a browser requesting for web pages.
Protocol:
PPPoA or PPPoE as required by your ISP.
Service Name:
ISPs may offer different types of services (for example, for online gaming or business communications), each requiring a different login and other connection properties. For PPPoA no need to set up. For PPPoE enter the Service Name if this is required by your ISP. Otherwise leave it blank.
Use DHCP:
When set to Enable, the device will acquire additional IP information from the ISP’s DHCP server. The PPP connection itself acquires the device’s IP address, mask, DNS address, and default gateway address. When enabled, the device will acquire IP addresses for various other server types (WINS, SMTP, POP3, etc).
Use DNS:
When set to Enable, the DNS address learned through the PPP connection will be distributed to clients of the device’s DHCP server. This option is useful only when the HM210dp/di is configured to act as a DHCP server for your LAN.
Default Route:
Indicates whether the HM210dp/di should use the IP address assigned to this connection as its default route.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
27
Security Information
Security Protocol:
Select PAP or CHAP as required by your ISP.
Login Name: Password:
The login name and password given by your ISP. NOTE that characters of colon (:), semicolon (;) and questions mark (?) are not allowed when entering login name and password.
5. After entering the fields above, click the Submit button and when the confirmation page appears, click Close.
6. You will return to the PPP Configuration page and see the newly added PPP interface. The “Oper. Status” column indicates if the link is currently up or down:
7. Select Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
5.2.2 Checking Your Connection Status
Select Home > System Mode. The “WAN Interface” item should display the interface you created to communicate with your ISP. A green ball in the “Status” field indicates a successful connection:
Basic Configuration
28 EN/LZT 108 6492 R2 - October 2003
5.2.3 Modifying and Deleteing PPP Interfaces
To modify a PPP interface, display the PPP Configuration page and click
in the “Action(s)” column for the interface you want to modify. The PPP
Interface – Modify page displays.
You can change only the status of the PPP connection, the security protocol, your login name and your password. To modify the other settings, you must delete the interface and create a new one.
To delete a PPP interface, display the PPP Configuration page and click
in the “Action(s)” column for the interface you want to delete. You should not delete a PPP interface unless you have received instructions to do so from your ISP. Without an appropriately defined PPP interface, you may not be able to connect to your ISP. You can recreate the PPP interface with the same name at a later time.
After modifying or deleting a PPP interface, click the Submit button. Then select Admin > Commit & Reboot and click the Commit button to save your changes to permanent memory.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
29
5.3 Configuring EoA Interfaces
This section describes how to configure an Ethernet-over-ATM interface on the HM210dp/di, if one is needed to communicate with your ISP.
The Ethernet-over-ATM (EoA) protocol is often referred to as RFC1483, which is the Internet specification that defines it. It is commonly used to carry data between local area networks that use the Ethernet protocol and wide-area networks that use the ATM protocol. Many telecommunications industry networks use the ATM protocol. ISPs who provide DSL services often use the EoA protocol for data transfer with their customers’ DSL modems.
EoA can be implemented to provide a bridged connection between a DSL modem and the ISP. In a bridged connection, data is shared between the ISP’s network and their customer’s as if the networks were on the same physical LAN. Bridged connections do not use the IP protocol. EoA can also be configured to provide a routed connection with the ISP, which uses the IP protocol to exchange data.
Before creating an EoA interface or modifying the default settings, contact your ISP to determine which type of protocol they use.
5.3.1 Adding EoA Interfaces
Follow these instructions to add an EoA interface:
1. Select WAN > EoA to display the RFC1483/Ethernet over ATM(EoA) Configuration page.
Basic Configuration
30 EN/LZT 108 6492 R2 - October 2003
2. Click the Add button to display the EOA Interface – Add page:
3. Enter the provided fields as below:
Field Description
EOA Interface:
Select an EoA interface from the available interfaces, e.g. eoa-0.
Interface Sec Type:
Public / Private / DMZ.
This setting defines the type of firewall protections that are in effect on the interface as described below:
A public interface connects to the Internet (PPP interfaces are typically public). Packets received on a public interface are subject to the most restrictive set of firewall protections defined in the software.
A private interface connects to your LAN, such as the Ethernet interface. Packets received on a private interface are subject to a less restrictive set of protections, because they originate within the network.
The term DMZ (de-militarized zone), in Internet networking terms, refers to computers that are available for both public and in-network accesses
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
31
(such as a company’s public Web server). Packets incoming on a DMZ interface – whether from a LAN or external source – are subject to a set of protections that is in between public and private interfaces in terms of restrictiveness.
Lower Interface:
Select an ATM VC interface previously created, e.g. aal5-0.
EoA interfaces are defined in software, and then associated with lower-level software and hardware structures (at the lowest level, they are associated with a physical port – the WAN port). This field should reflect an interface name defined in the next lower level of software over which the EoA interface will operate.
Conf. IP Address: Netmask:
0.0.0.0 / 0.0.0.0
To use the HM210dp/di as a bridge, you don’t need to set the IP address and subnet mask. Just keep the default.
Use DHCP: Enable / Disable
When Enabled, this setting instructs the device to accept IP information assigned dynamically by your ISP’s DHCP server. If the interface will be used for bridging with your ISP and you will not be routing data through it, leave this checkbox unselected.
Default Route: Enable / Disable
Indicates whether the HM210dp/di uses the IP address assigned to this interface, if any, as its default route for your LAN. Your system can have only one default route.
Gateway IP Address:
The external IP address that the HM210dp/di communicates with via the EoA interface to gain access to the Internet. This is typically an ISP server.
4. After entering the fields above, click the Submit button and when the confirmation page appears, click Close.
5. You will return to the EoA Configuration page and see the newly added EoA interface:
Basic Configuration
32 EN/LZT 108 6492 R2 - October 2003
6. Select Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
33
5.4 Configuring IPoA Interfaces
This section describes how to configure an IPoA (Internet Protocol-over­ATM) interface on the HM210dp/di.
An IPoA interface can be used to exchange IP packets over the ATM network, without using an underlying Ethernet over ATM (EoA) connection. Typically, this type of interface is used only in product development and test environments, to eliminate unneeded variables when evaluating IP layer processing.
5.4.1 Adding IPoA Interfaces
Follow these instructions to add an IPoA interface:
1. Select WAN > IPoA to display the IPoA Configuration page.
2. Click the Add button to display the IPoA Interface – Add page:
3. Enter the provided fields as below:
Field Description
IPoA Interface:
Select an IPoA interface from the available interfaces, e.g. ipoa-0.
Conf. IP Address:
Enter the IP address given by your ISP.
Basic Configuration
34 EN/LZT 108 6492 R2 - October 2003
Interface Sec Type:
Public / Private / DMZ. This setting defines the type of firewall protections that are in effect on the interface as described below:
A public interface connects to the Internet (PPP interfaces are typically public). Packets received on a public interface are subject to the most restrictive set of firewall protections defined in the software.
A private interface connects to your LAN, such as the Ethernet interface. Packets received on a private interface are subject to a less restrictive set of protections, because they originate within the network.
The term DMZ (de-militarized zone), in Internet networking terms, refers to computers that are available for both public and in-network accesses (such as a company’s public Web server). Packets incoming on a DMZ interface – whether from a LAN or external source – are subject to a set of protections that is in between public and private interfaces in terms of restrictiveness.
Netmask:
Enter the IP address given by your ISP.
RFC 1577:
Specifies whether the IPoA protocol to be used complies with the IEFT specification named “RFC 1577 – Classical IP and ARP over ATM”. Select Yes for RFC 1577-Classical IP and ARP over ATM. Select No for RFC 1483 Router.
Use DHCP: Enable / Disable
When Enabled, this setting instructs the device to accept IP information assigned dynamically by your ISP’s DHCP server. If the interface will be used for bridging with your ISP and you will not be routing data through it, leave this checkbox unselected.
Default Route: Enable / Disable
Indicates whether the HM210dp/di uses the IP address assigned to this interface, if any, as its default route for your LAN. Your system can have only one default route.
Gateway IP Address:
Enter the gateway IP address given by your ISP.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
35
4. After entering the fields above, click the Submit button and when the confirmation page appears, click Close.
5. You will return to the IpoA Configuration table and see the newly added IPoA entry:
6. Click Map in the “Action” column. The IPoA Interface – Map page appears:
7. Select an ATM VC you have created earlier from the “Lower Interface:” dropdown list and then click Add. Click Close to exit the confirmation page.
8. Select Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
5.4.2 Checking Your Connection Status
Select Home > System Mode. The WAN Interface item should display the interface you created to communicate with your ISP. A green ball in the Status field indicates a successful connection:
Basic Configuration
36 EN/LZT 108 6492 R2 - October 2003
5.5 Bridging Connection Mode
The HM210dp/di can be configured to act as a bridging device between your LAN and your ISP. Bridges are devices that enable two or more networks to communicate as if they are two segments of the same physical LAN.
Although the HM210dp/di is preconfigured to serve as router for providing Internet connectivity to your LAN, there are several instances in which you may also want to configure bridging:
Your ISP may use protocols that require bridging with your LAN.
The device can be configured to appear as a bridge when communicating with your ISP, while continuing to provide router functionality for your LAN.
Your LAN may include computers that communicate using “layer-3”
protocols other than the Internet Protocol. These include IPX and AppleTalk. In this case, the device can be configured to act as a bridge for packets that use these protocols while continuing to serve as a router for IP data.
5.5.1 Defining Bridge Interfaces
To enable bridging, you simply specify the device interfaces on which you want to bridge data, and then enable bridging mode.
Follow the steps below to enable bridging mode:
1. Select Bridging > Bridging page to display the Bridge Configuration page.
2. Select the interface names on which you ant to perform bridging and click the Add button.
If you do not have an eoa-0 interface, but instead have an interface named ppp-0 or ipoa-0, your device is not currently configured with a WAN interface that allows bridging with your ISP. Check with your ISP to determine whether they use the eoa protocol before changing this setting.
3. Click the Bridging: Enable radio button to turn on bridging and click the Submit button. A page will briefly display to confirm your changes, and will return you to the Bridge Configuration page.
4. Select Admin > Commit & Reboot and click the Commit button to store your changes to permanent memory.
Basic Configuration
EN/LZT 108 6492 R2 - October 2003
37
5.5.2 Check Your Connection Status
Select Home > System Mode. The WAN Interface item should display the interface you created to communicate with your ISP. A green ball in the Status field indicates a successful connection:
5.5.3 Deleting a Bridge Interface
To make an interface non-bridgeable, display the Bridge Configuration
page and click
next to the interface you want to delete.
Click OK to confirm the deletion.
The interface remains defined in the system, but is no longer capable of performing bridging.
Configuring IP Routes
38 EN/LZT 108 6492 R2 - October 2003
6 Configuring IP Routes
You can use the Configuration Manager to define specific routes for your Internet and network data. This chapter provides instructions for creating routes.
Most users do not need to define IP routes. On a typical small home or office LAN, the existing routes that set up the default gateways for your LAN computers and for the HM210dp/di provide the most appropriate path for all your Internet traffic. You may need to define routes if:
Your network setup includes two or more networks or subnets.
You connect to two or more ISP services.
You connect to a remote corporate LAN.
6.1 Overview of IP Routes
The essential challenge of a router is: when it receives data intended for a particular destination, which next device should it send that data to? When you define IP routes, you provide the rules that a computer uses to make these decisions.
Each time Internet data is passed from one Internet address to another, it is said to take a hop. A hop can be a handoff to a different port on the same device, to a different device on the same network, or to a device on an entirely different network.
When a hop passes data from one type of network to another, it uses a gateway. A gateway is an IP address that provides initial access to a network, just as a switchboard serves as a gateway to a specific set of phone numbers. For example, when a computer on your LAN requests access to a company’s web site, your ISP serves as a gateway to the Internet. As your request reaches its destination, another gateway provides access to the company’s web servers.
IP routes are defined on computers, routers, and other IP-enabled devices to instruct them which hop to take, or which gateway to use, to help forward data along to its specified destination.
If no IP route is defined for a destination, then IP data is passed to a predetermined default gateway. The default gateway serves like a higher- level telephone switchboard; it may not be able to connect directly to the destination, but it will know a set of other devices that can help pass the
Configuring IP Routes
EN/LZT 108 6492 R2 - October 2003
39
data intelligently. If it cannot determine which of these devices provides a good next hop (because no such route has been defined), then that device will forward the data to its default gateway. Eventually, a high level device, using a predefined IP route, will be able to forward the data along a path to its destination.
6.2 Viewing the IP Routing Table
All IP-enabled computers and routers maintain a table of IP addresses that are commonly accessed by their users. For each of these destination IP addresses, the table lists the IP address of the first hop the data should take. This table is known as the device’s routing table.
To view the HM210dp/di routing table, select Routing > IP Route. The following page appears:
The IP Route Table displays a row for each existing route. These include routes that were predefined on the device, routes you may have added, and routes that the device has identified automatically through communication with other devices.
The routing table should reflect a default gateway, which directs outbound Internet traffic to your ISP. This default gateway is shown in the row containing destination address 0.0.0.0.
The following table defines the fields in the IP Routing table:
Configuring IP Routes
40 EN/LZT 108 6492 R2 - October 2003
Field Description
Destination:
Specifies the IP address of the destination computer. The destination can be specified as the IP address of a specific computer or an entire network. It can also be specified as all zeros to indicate that this route should be used for all destinations for which no other route is defined (this is the route that creates the default gateway).
Netmask:
Indicates which parts of the destination address refer to the network and which parts refer to a computer on the network. The default gateway uses a netmask of 0.0.0.0.
NextHop
Specifies the next IP address to send data to when its final destination is that shown in the destination column.
IFName:
Displays the name of the interface on the device through which data is forwarded to the specified next hop.
Route Type:
Displays whether the route is direct or indirect. In a direct route, the source and destination computers are on the same network, and the router attempts to directly deliver the data to the computer. In an indirect route, the source and destination computers are on different networks, and the router forwards data to a device on another network for further handling.
Route Origin:
Displays how the route was defined. Dynamic indicates that the route was created automatically or predefined by your ISP or the manufacturer. Routes you create are labeled Local. Other routes can be created automatically (using RIP), or defined remotely through various network management protocols (LCL or ICMP).
Action:
Displays and icon (
) you can click to delete a
route.
Configuring IP Routes
EN/LZT 108 6492 R2 - October 2003
41
6.3 Adding IP Routes
To add an IP route to the routing table, follow the steps below:
1. Select Routing > IP Route > Add. The IP Route – Add page appears:
2. Specify the destination, netmask, and gateway or next hop for this route. For a description of these fields, refer to the table on the previous page.
To create a route that defines the default gateway for your LAN, enter 0.0.0.0 in both the Destination and Netmask fields. Enter your ISP’s IP address in the Gateway/NextHop field.
NOTE! You cannot specify the interface name, route type or route origin. These parameters are used only for routes that are identified automatically as the device communicates with other routing devices. For routes you create, the routing table displays system default values in these fields.
3. Click the Submit button. The IP routing Table will now display the new route.
4. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
Configuring DHCP
42 EN/LZT 108 6492 R2 - October 2003
7 Configuring DHCP
You can configure your network and HM210dp/di to use the Dynamic Host Configuration Protocol (DHCP). This chapter provides instructions for implementing DHCP on your network.
7.1 Overview of DHCP
DHCP is a protocol that enables network administrators to centrally manage the assignment and distribution of IP information to computers on a network.
When you enable DHCP on a network, you allow a device – such as the HM210dp/di or a router located with your ISP – to assign temporary IP addresses to your computers whenever they connect to your network. The assigning device is called a DHCP Server and the receiving device is a DHCP Client.
The DHCP server draws from a defined pool of IP addresses and “leases” them for a specified amount of time to your computers when they request an Internet session. It monitors, collects, and redistributes the addresses as needed.
On a DHCP-enabled network, the IP information is assigned dynamically rather than statically. A DHCP client can be assigned a different address from the pool each time it reconnects to the network.
DHCP allows you to manage and distribute IP addresses throughout your network from a central computer. Without DHCP, you would have to configure each computer separately with IP addresses and related information. DHCP is commonly used with large networks and those that are frequently expanded or otherwise updated
7.2 DHCP Modes
The HM210dp/di can be configured as a DHCP server, DHCP relay agent, or in some cases, a DHCP client.
DHCP Server
The HM210dp/di will maintain the pool of addresses and distribute them to your LAN computers. If the pool of addresses includes private IP addresses, you must also configure the Network Address Translation (NAT) service, so that the private addresses can be
Configuring DHCP
EN/LZT 108 6492 R2 - October 2003
43
translated to your public IP address on the Internet. Both DHCP server and NAT are enabled in the default configuration.
DHCP Relay Agent
If your ISP performs the DHCP server function for your network, then you can configure the HM210dp/di as a DHCP relay agent. When the HM210dp/di receives a request for Internet access from a computer on your network, it contacts your ISP for the necessary IP information, and then relays the assigned information back to the computer.
DHCP Client
If you have another PC or device on your network that is already performing the DHCP server function, you can configure the LAN port on the HM210dp/di to be a DHCP client of that server.
NOTE! Your can input settings for both DHCP server and DHCP relay mode, and then activate either mode at any time. Deactivated settings are retained for your future use.
7.3 Configuring DHCP Server
To set up DHCP server, you first define the ranges of IP addresses that you want to be distributed to your PCs, called DHCP server address pools.
IP address pools can contain multiple public addresses that you have purchased from your ISP, but are typically private addresses that you create. LAN administrators often create private IP addresses for use only on their networks. See “Overview of NAT” for an explanation of private IP addresses.
You can create up to two pools and the pools can maintain a combined total of 254 IP addresses. For example, you could configure only one pool with addresses in the range 192.168.1.2 through 192.168.1.255, or two pools with the following address range: Pool 0: 192.168.1.2 through 192.168.1.128 Pool 1: 192.168.1.129 through 192.168.1.255
You may want to create a second pool if any of these circumstances apply:
Your LAN configuration includes two subnets.
You have only one subnet, but the addresses you want to distribute
are not in a continuous range.
Configuring DHCP
44 EN/LZT 108 6492 R2 - October 2003
7.3.1 Creating DHCP Server Address Pools
To create a pool of IP addresses follow the steps below:
1. Select LAN > DHCP Server. The DHCP Server Configuration page appears:
Depending on your preconfigured settings, the table may display one or more address pools, each in a row, or may be empty.
2. To add an IP address pool, click Add. The DHCP Server Pool – Add page appears:
Configuring DHCP
EN/LZT 108 6492 R2 - October 2003
45
Enter the provided fields as below: The Start IP Address, End IP Address, Net Mask and Gateway
Address fields are required, the others are optional.
Field Description
Start IP Address: End IP Address:
Specify the lowest and highest IP addresses in the pool, up to a maximum range of 254 addresses. For example, if the LAN port is assigned IP address 192.168.1.1, then you could create a pool with address range 192.168.1.2 –
192.168.1.254 for distribution to your LAN computers.
Mac Address:
A MAC address is a manufacturer-assigned hardware ID that is unique for each device on a network. Use this field only if you want to assign a specific IP address to the computer that uses this MAC address. If you type a MAC address here, you must have specified the same IP
Configuring DHCP
46 EN/LZT 108 6492 R2 - October 2003
address in both the Start/End IP Address fields.
Netmask:
Specifies which portion of each IP address in this range refers to the network and which portion refers to the host (computer). You can use the network mask to distinguish which pool of addresses should be distributed to a particular subnet.
Domain Name:
A user-friendly name that refers to the subnet that includes the addresses in this pool. This is used for reference only.
Gateway Address:
The address of the default gateway for computers that receive IP addresses from this pool. If no value is specified, then the appropriate LAN (eth-0) port address on the device will be distributed to each PC as its gateway address.
DNS/SDNS Address:
The IP address of the Domain Name System server and Secondary Domain Name System server to be used by computers that receive IP addresses from this pool. These DNS servers translate common Internet names that you type into your web browser into their equivalent numeric IP addresses. Typically, these servers are located with your ISP.
SMTP … SWINS Address: (optional)
The IP addresses of devices that perform various services for computers that receive IP addresses from this pool (such as the SMTP, or Simple Mail Transfer Protocol, server which handles e-mail traffic). Contact your ISP for these addresses.
3. Click the Submit button. A confirmation page appears briefly to indicate that the pool has been added successfully. After a few seconds, the DHCP Server Pool – Add page displays with the newly added pool.
4. Follow the instructions in the next section to enable the DHCP Server mode.
7.3.2 Enabling DHCP Server Mode
To enable the DHCP server mode follow the steps below:
1. Select LAN > DHCP Mode and from the “DHCP Mode” dropdown list select DHCP Server. Click the Submit button.
Configuring DHCP
EN/LZT 108 6492 R2 - October 2003
47
2. A page appears to confirm the change.
3. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
7.3.3 Configuring Your PCs as DHCP Clients
For each computer that you want to configure to receive IP information automatically, configure the TCP/IP properties to “Obtain an IP address automatically” (the actual text may vary depending on your operating system). Refer to section 3.1 “Configuring your PCs as DHCP Clients” for detailed instructions.
7.3.4 Viewing, Modifying and Deleting Address Pools
To view, modify, or delete an existing address pool, display the DHCP Service Configuration page, and click the icons (in the “Action(s)”) column for the corresponding row in the address pool table.
To delete an IP address pool, click , then submit and commit your
changes.
To view details on an IP address pool, click . A page displays
with the same information that you entered when you added the pool.
To modify the pool, click . The DHCP Server Pool – Modify
page displays:
Configuring DHCP
48 EN/LZT 108 6492 R2 - October 2003
When modifying an IP address pool, you are only allowed to:
Change the domain name associated with the pool and to exclude
IP addresses within its range from distribution. To exclude an IP address, enter it in the field provided and click Add.
If you want to change other attributes, you must delete the pool and
create a new one.
After entering your changes, click the Submit button.
Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
7.3.5 Excluding IP Addresses from a Pool
If you have IP addresses that are designated for fixed use with specific devices, or for some other reason you do not want to make them available to your network, you can exclude them from the pool.
Display the DHCP Server Pool – Modify page. Type each address to be excluded in the “Excluded IP:” field and click Add. When you are done specifying excluded addresses, click the Submit button.
Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
7.3.6 Viewing Current DHCP Address Assignments
When the HM210dp/di functions as a DHCP server for your LAN, it keeps a record of any addresses currently leased to your computers.
Configuring DHCP
EN/LZT 108 6492 R2 - October 2003
49
To view a table of all current IP address assignments, select LAN > DHCP
Server and on that page click the Address Table button to view the DHCP Server Address Table page.
For each leased address, the table lists the following information:
Field Description
IP Address:
The address that has been leased from the pool.
Netmask:
The network mask associated with the leased address. This identifies the network ID and host ID portions of the address.
Mac Address:
The unique hardware ID of the computer to which the IP address has been assigned.
Pool Start:
The lower boundary of the address pool (shown here to identify the pool from which the leased address was assigned).
Address Type:
Can be Static or Dynamic. Static indicates that the IP address has been assigned permanently to the specific hardware device. Dynamic indicates that the IP address has been leased temporarily for a specified length of time.
Time Remaining:
The amount of time left for the device to use the assigned address. The default lease time is 30 days (31536000 seconds).
7.4 Configuring DHCP Relay
Some ISPs perform the DHCP server function for their customers’ home/small office networks. In this case, you can configure the device as a DHCP relay agent. When a computer on your network requests Internet access, the HM210dp/di contacts your ISP to obtain an IP address (and other information), and then forwards that information to the computer.
7.4.1 Defining the DHCP Relay Interface(s)
To define the DHCP Relay interface(s) follow the steps below:
Configuring DHCP
50 EN/LZT 108 6492 R2 - October 2003
1. Select LAN > DHCP Relay. The DHCP Relay Configuration page appears:
This page provides a text box for entering the IP address of your ISP’s DHCP server and a table that lists the interfaces on your HM210dp/di that can relay DHCP information.
2. Type the IP address of your ISP’s DHCP server in the fields provided. If you do not have this address, it is not essential to enter it. Requests for IP information from your LAN will be passed to the default gateway, which should route the request appropriately.
3. If the interface named eth-0 is not already displaying, select it from the dropdown list and click Add in the “Action” column.
4. Click the Submit button. A page appears to confirm your changes and then the program returns to the DHCP Relay Configuration page.
5. Follow the instructions in the next section to enable the DHCP Relay mode.
7.4.2 Enabling DHCP Relay Mode
To enable the DHCP relay mode follow the steps below:
1. Select LAN > DHCP Mode and from the “DHCP Mode” dropdown list select DHCP Relay. Click the Submit button.
Configuring DHCP
EN/LZT 108 6492 R2 - October 2003
51
2. A page appears to confirm the change.
3. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
7.4.3 Configuring Your PCs as DHCP Clients
For each computer that you want to configure to receive IP information automatically, configure the TCP/IP properties to “Obtain an IP address automatically” (the actual text may vary depending on your operating system). Refer to section 3.1 “Configuring your PCs as DHCP Clients” for detailed instructions.
Configuring NAT
52 EN/LZT 108 6492 R2 - October 2003
8 Configuring NAT
This chapter provides an overview of Network Address Translation (NAT) and instructions for modifying the default configuration on your HM210dp/di.
8.1 Overview of NAT
Network Address Translation is a method for disguising the private IP addresses you use on your LAN as the public IP address you use on the Internet. You define NAT rules that specify exactly how and when to translate between public and private IP addresses.
In a typical NAT setup, your ISP provides you with a single public IP address to use for your entire network. Then, you assign each computer on your LAN a unique private IP address. (Or, you define a pool of private IP addresses for dynamic assignment to your computers as described in chapter 7 “Configuring DHCP”.
On the HM210dp/di, you set up a NAT rule to specify that whenever one of your computers communicates with the Internet, (that is, it sends and receives IP data packets) its private IP address – which is referenced in each packet – will be replaced by the LAN’s public IP address.
When this type of NAT rule is applied, because the source IP address is swapped out, it appears to other Internet computers as if the data packets are actually originating from the computer assigned your public IP address (in this case, the HM210dp/di).
The NAT rule could further be defined to disguise the source port in the data packet (i.e. change it to another number), so that outside computers will not be able to determine the actual port from which the packet originated. Data packets that arrive in response contain the public IP address as the destination IP address and the disguised source port number. The HM210dp/di changes the IP address and source port number back to the original values (having kept track of the changes it made earlier), and then routes the packet to the originating computer.
NAT rules such as these provide several benefits:
They eliminate the need for purchasing multiple public IP addresses
for computers on your LAN. You can make up your own private IP addresses at no cost, and then have them translated to the public IP address when your computers access the Internet.
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
53
They provide a measure of security for your LAN by enabling you to
assign private IP addresses and then have these and the source port numbers swapped out before your computers access the Internet.
The type of NAT function described above is called network address port translation (NAPT). You can use other types, called flavors, of NAT for other purposes; for example, providing outside access to your LAN or translating multiple private addresses to multiple public addresses. Section 0 “Adding NAT rules” gives a description of each of the flavors.
8.2 Viewing NAT Configuration
To view your NAT settings, select Services > NAT. The NAT Configuration page appears:
The NAT Configuration page contains the following elements:
The “NAT Options” drop-down list, which provides access to the
NAT Configuration page and Global Information table (shown by
Configuring NAT
54 EN/LZT 108 6492 R2 - October 2003
default), the NAT Rule Configuration page, and the NAT Translations page.
Enable/Disable radio buttons, which allow you to turn on or off the
NAT feature.
The NAT Global Information table, which displays the following
settings that apply to all NAT rule translations:
Field Description
TCP Idle Timeout(sec):
When a NAT rule is in effect on a TCP session in the active state, the session will timeout if no packets are received for the specified time.
TCP Close Wait(sec):
When in the TCP session’s closing state, the session will timeout if no packets are received for the specified time.
TCP Def Timeout(sec):
When in the TCP Session’s establishing state, the session will timeout if no packets are received for the specified time.
UDP Timeout(sec):
Same as TCP Idle Timeout, but for UDP packets.
ICMP Timeout(sec):
Same as TCP Idle Timeout, but for ICMP packets.
GRE Timeout(sec):
Same as TCP Idle Timeout, but for GRE packets.
Default NAT Age(sec):
For all other NAT translation sessions, the number of seconds after which a translation session will no longer be valid.
NAPT Port Start/End:
When a NAPT rule is defined, the source ports will be translated to sequential numbers in this range.
If you change any values, click the Submit button and then commit your changes to permanent system memory.
You can click the Global Stats button to view accumulated data on how many NAT rules have been invoked and how much data has been translated. A page similar to the one below is displayed:
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
55
The table provides basic information for each NAT rule you have set up. You can click the Clear button to restart the accumulation of the statistics at their initial values.
8.3 Viewing NAT Rules and Rule Statistics
To view the NAT Rules currently defined on your system, select Services >
NAT and select NAT Rule Entry in the NAT Options drop-down list. The NAT Rule Configuration page appears:
Configuring NAT
56 EN/LZT 108 6492 R2 - October 2003
The NAT Rule Configuration table displays a row containing basic information for each rule. For a description of these fields, refer to the instructions for adding rules in section 0 “Adding NAT Rules”.
From the NAT Rule Configuration page, you can click the Add button to
add a new rule, or use the icons in the “Action” column to delete (
) or
view details on (
) a rule. To view data on how often a specific NAT rule has been used, click Stats in the “Action” column. A page similar to the one below appears:
The statistics show how many times this rule has been invoked and how many currently active sessions are using this rule. You can click the Clear
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
57
button to reset the statistics to zeros and the Refresh button to display newly accumulated data.
8.4 Viewing Current NAT Translations
To view a list of NAT translations that have recently been performed and which remain in effect (for any of the defined rules), select Services > NAT and select NAT Translations in the NAT Options drop-down list The NAT Translations page appears:
For each current NAT translation session, the table contains the following fields:
Field Description
Trans Index The sequential number assigned to the IP session
used by this NAT translation session.
Rule ID The ID of the NAT rule invoked.
Interface The device interface on which the NAT rule was
invoked (from the rule definition).
Protocol The IP protocol used by the data packets that are
undergoing translations (from the rule definition). Example: TCP, UDP, ICMP.
Alg Type The Application Level Gateway (ALG), if any, that
was used to enable this NAT translation. (ALGs are special settings that certain applications require in
Configuring NAT
58 EN/LZT 108 6492 R2 - October 2003
order to work while NAT is enabled).
NAT Direction The direction (incoming or outgoing) of the
translation (from the port definition). A NAT direction is assigned to each port; the Ethernet port are defined as incoming port, and the WAN ports are defined as outgoing ports. The NAT direction is determined by the interface on which the rule is invoked.
Entry Age The elapsed time, in seconds, of the NAT translation
session.
You can click in the “Action” column to view additional details about a NAT translation session. The NAT Translation – Details table is displayed. In addition to the information displayed in the NAT Translations table, this table displays the following for the selected current translation sessions:
Field Description
Translated InAddress:
The public IP address to which the private IP address was translated.
In Address:
The private IP address that was translated.
Out Address:
The IP address of the outside destination (web, ftp, site, etc.)
In/Out Pckets:
The number of incoming and outgoing IP packets that have been translated in this translation session.
In Ports:
The actual port number corresponding to the LAN computer.
Out Ports:
The port number associated with the destination address.
Translated In Ports:
The port number to which the LAN computer’s actual port number was translated.
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
59
8.5 Adding NAT Rules
This section explains how to create rules for the various NAT flavors.
8.5.1 The NAPT Rule
The NAT flavor NAPT was used in your default configuration. The NAPT flavor translates all LAN-side private source IP addresses to a single public IP address. It also translates the source port numbers to port numbers that are defined on the NAT Global Configuration page.
To create a NAPT rule, proceed as follows:
1. Select Services > NAT > NAT Rule Entry > Add. The NAT Rule – Add page appears:
2. In the Rule Flavor:” dropdown list, select NAPT.
3. In the Rule ID:” field, enter an ID for the rule. The Rule ID determines the order in which the rules are invoked (the lowest numbered rule is invoked first, and so on). In some case, two or more rules may be fined to act on the same set of IP addresses. Once a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
4. From the IF Name:” dropdown list, select the interface on the HM210dp/di to which this rule applies. Typically, NAT rules apply to communication between your LAN and the Internet. Because the device uses the WAN interface (named ppp-0 or eoa-0) to connect your LAN to your ISP, it is the usual IF Name selection.
Configuring NAT
60 EN/LZT 108 6492 R2 - October 2003
5. In the Local Address From/To:” fields, type the starting and
ending IP addresses respectively, of the range of private IP addresses you want to be translated. Or type the same address in both fields to specify a single IP address. If all LAN IP addresses should be translated, specify 0.0.0.0 and
255.255.255.255 respectively.
6. In the Global Address:” field, type the address that you want to
serve as the publicly known IP address for the LAN computer.
7. When you have completed entering all information, click the Submit button. A page appears to confirm the changes.
8. Click Close to return to the NAT Configuration page. The new rule should no be displayed in the NAT Rule table.
9. On the NAT Configuration page, ensure that the Enable radio button is selected and then click the Submit button. A page appears to confirm your changes.
10. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
8.5.2 The RDR Rule
You can create a RDR rule to make a computer on your LAN, such as Web or FTP server, available to Internet users without requiring you to obtain a public IP address for that computer. The computer’s private IP address is translated to your public IP address for all incoming and outgoing data packets.
NOTE! Without an RDR rule (or BIMAP rule), the HM210dp/di blocks attempts by external computers to access your LAN computers.
To create a RDR rule, proceed as follows:
1. Select Services > NAT > NAT Rule Entry > Add. The NAT Rule – Add page appears:
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
61
2. In the Rule Flavor:” dropdown list, select RDR.
3. In the Rule ID:” field, enter an ID for the rule.
The Rule ID determines the order in which the rules are invoked (the lowest numbered rule is invoked first, and so on). In some case, two or more rules may be fined to act on the same set of IP addresses. Once a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
4. From the IF Name:” dropdown list, select the interface on the
HM210dp/di to which this rule applies. Typically, NAT rules apply to communication between your LAN and the Internet. Because the device uses the WAN interface (named ppp-0 or eoa-0) to connect your LAN to your ISP, it is the usual IF Name selection.
5. Select a Protocol:” to which this rule applies, or select ALL if the
rule applies to all data.
6. In the Local Address From/To:” fields, type the same private IP
address, or the lowest and highest IP addresses in a range: If you type the same IP address in both fields, incoming traffic that matches the criteria of this rule will be redirected to that IP address. If you type a range of IP addresses, incoming traffic will be redirected to any available computer in that range. This option
Configuring NAT
62 EN/LZT 108 6492 R2 - October 2003
would typically be used for load balancing, whereby traffic is distributed among several redundant servers.
7. In the Global Address From/To:” fields, type the public IP address assigned to you by your ISP. If you have multiple WAN interfaces, in both fields type the IP address of the interface to which this rule applies. This rule will not be enforced for data that arrives on WAN interfaces not specified here. If you have multiple WAN interfaces and want the rule to be enforced on a range of them, type the starting and ending IP addresses of the range.
8. Enter a destination port ID (or a range) as criteria for incoming traffic. Enter a starting and ending port number in the Destination Port From/To:” fields if incoming traffic destined for these port types should be redirected to the address(es) specified in step 6. Or, enter the same address in both fields.
9. If the publicly accessible LAN computer uses a non-standard port number for the type of traffic it receives, type the non-standard port number in the Local Port:” field.
10. When you have completed entering all information, click the Submit button. A page appears to confirm the changes.
11. Click Close to return to the NAT Configuration page. The new rule should no be displayed in the NAT Rule table.
12. On the NAT Configuration page, ensure that the Enable radio button is selected and then click the Submit button. A page appears to confirm your changes.
13. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
8.5.3 The BASIC Rule
The BASIC flavor translates the private (LAN-side) IP address to a public (WAN-side) IP address, like the NAPT rule. However, unlike the NAPT rule, the BASIC rule does not translate the port number in the packet header; they are passed through untranslated. Therefore, the BASIC rule does not provide the same level of security as the NAPT rule.
To create a RDR rule, proceed as follows:
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
63
1. Select Services > NAT > NAT Rule Entry > Add. The NAT Rule – Add page appears:
2. In the Rule Flavor:” dropdown list, select BASIC.
3. In the Rule ID:” field, enter an ID for the rule. The Rule ID determines the order in which the rules are invoked (the lowest numbered rule is invoked first, and so on). In some case, two or more rules may be fined to act on the same set of IP addresses. Once a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
4. From the IF Name:” dropdown list, select the interface on the HM210dp/di to which this rule applies. Typically, NAT rules apply to communication between your LAN and the Internet. Because the device uses the WAN interface (named ppp-0 or eoa-0) to connect your LAN to your ISP, it is the usual IF Name selection.
5. Select a Protocol:” to which this rule applies, or select ALL if the rule applies to all data.
6. In the Local Address From/To:” fields, type the starting and ending IP addresses that identify the range of private addresses you want to be translated. Or, type the same IP address in both fields. If you specify a range, each address will be translated in sequence to a corresponding address in a range of global addresses (which you specify in the next step).
Configuring NAT
64 EN/LZT 108 6492 R2 - October 2003
7. In the Global Address From/To:” fields, type the starting and
ending IP address that identify the pool of public IP addresses to be translated to your private IP addresses. Or, type the same IP address in both fields (if you also specified a single address in the previous step).
8. When you have completed entering all information, click the Submit button. A page appears to confirm the changes.
9. Click Close to return to the NAT Configuration page. The new rule should no be displayed in the NAT Rule table.
10. On the NAT Configuration page, ensure that the Enable radio button is selected and then click the Submit button. A page appears to confirm your changes.
11. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
8.5.4 The FILTER Rule
Like the BASIC flavor, the FILTER flavor translates public and private IP addresses on a one-to-one basis. The FILTER flavor extends the capability of the BASIC rule. You can use the FILTER rule if you want an address translation to occur only when your LAN computers initiate access to specific destinations. The destinations can be identified by their IP addresses, ser type (such as FTP or Web server), or both.
To create a FILTER rule, proceed as follows:
1. Select Services > NAT > NAT Rule Entry > Add. The NAT Rule – Add page appears:
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
65
2. In the Rule Flavor:” dropdown list, select FILTER.
3. In the Rule ID:” field, enter an ID for the rule.
The Rule ID determines the order in which the rules are invoked (the lowest numbered rule is invoked first, and so on). In some case, two or more rules may be fined to act on the same set of IP addresses. Once a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
4. From the IF Name:” dropdown list, select the interface on the
HM210dp/di to which this rule applies. Typically, NAT rules apply to communication between your LAN and the Internet. Because the device uses the WAN interface (named ppp-0 or eoa-0) to connect your LAN to your ISP, it is the usual IF Name selection.
5. Select a Protocol:” to which this rule applies, or select ALL if the
rule applies to all data.
6. In the Local Address From/To:” fields, type the starting and
ending IP addresses that identify the range of private addresses you want to be translated. Or, type the same IP address in both fields. If you specify a range, each address will be translated in sequence
Configuring NAT
66 EN/LZT 108 6492 R2 - October 2003
to a corresponding address in a range of global addresses (which you specify in the next step).
7. In the Global Address From/To:” fields, type the starting and ending IP address that identify the pool of public IP addresses to be translated to your private IP addresses. Or, type the same IP address in both fields (if you also specified a single address in the previous step).
8. Enter a Destination Address From/To:” ….
9. Enter a starting and ending port number in the Destination Port From/To:” fields if incoming traffic destined for these port types should be redirected to the address(es) ….
10. When you have completed entering all information, click the Submit button. A page appears to confirm the changes.
11. Click Close to return to the NAT Configuration page. The new rule should no be displayed in the NAT Rule table.
12. On the NAT Configuration page, ensure that the Enable radio button is selected and then click the Submit button. A page appears to confirm your changes.
13. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
8.5.5 The BIMAP Rule
Unlike the other NAT flavors, the BIMAP flavor performs address translation in both the outgoing and incoming directions.
In the incoming direction, when the specified interface receives a packet destined to your public IP address, this address is translated to the private IP address of a computer on your LAN.
In the outgoing direction, the private source IP address in a data packet is translated to the LAN’s public IP address.
BIMAP rules can be used to provide external access to a LAN device. They do not provide the same level of security as RDR rules, because RDR rules also reroute incoming packets based on the port ID. BIMAP rules do not account for the port number, and therefore allow external access regardless of the destination port type specified in the incoming packet.
To create a BIMAP rule, proceed as follows:
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
67
1. Select Services > NAT > NAT Rule Entry > Add. The NAT Rule – Add page appears:
2. In the Rule Flavor:” dropdown list, select NAPT.
3. In the Rule ID:” field, enter an ID for the rule. The Rule ID determines the order in which the rules are invoked (the lowest numbered rule is invoked first, and so on). In some case, two or more rules may be fined to act on the same set of IP addresses. Once a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
4. From the IF Name:” dropdown list, select the interface on the HM210dp/di to which this rule applies. Typically, NAT rules apply to communication between your LAN and the Internet. Because the device uses the WAN interface (named ppp-0 or eoa-0) to connect your LAN to your ISP, it is the usual IF Name selection.
5. In the Local Address:” field, type the private IP address of the computer to which you are granting external access.
6. In the Global Address:” field, type the address that you want to serve as the publicly known IP address for the LAN computer.
7. When you have completed entering all information, click the Submit button. A page appears to confirm the changes.
8. Click Close to return to the NAT Configuration page. The new rule should no be displayed in the NAT Rule table.
9. On the NAT Configuration page, ensure that the Enable radio button is selected and then click the Submit button. A page appears to confirm your changes.
Configuring NAT
68 EN/LZT 108 6492 R2 - October 2003
10. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
8.5.6 The PASS Rule
You can create a PASS rule to allow a range of IP addresses to remain untranslated when another rule would otherwise do so.
The PASS rule must be assigned a rule ID that is a lower number than the ID assigned to the rule it is intended to pass. If you want a specific IP address or range of addresses to not be subject to an existing rule, say rule ID #5, then you can create a PASS rule with ID #1 through #4.
To create a PASS rule, proceed as follows:
1. Select Services > NAT > NAT Rule Entry > Add. The NAT Rule – Add page appears:
2. In the Rule Flavor:” dropdown list, select PASS.
3. In the Rule ID:” field, enter an ID for the rule. The Rule ID determines the order in which the rules are invoked (the lowest numbered rule is invoked first, and so on). In some case, two or more rules may be fined to act on the same set of IP addresses. Once a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
4. From the IF Name:” dropdown list, select the interface on the HM210dp/di to which this rule applies. Typically, NAT rules apply to communication between your LAN and the Internet. Because the device uses the WAN interface (named ppp-0 or eoa-0) to connect your LAN to your ISP, it is the usual IF Name selection.
Configuring NAT
EN/LZT 108 6492 R2 - October 2003
69
5. In the Local Address From/To:” fields, type the lowest and highest
IP addresses that define the range of private addresses you want to be passed without translation. If you want the PASS rule to act on only one address, type that address in both fields.
6. When you have completed entering all information, click the Submit button. A page appears to confirm the changes.
7. Click Close to return to the NAT Configuration page. The new rule should no be displayed in the NAT Rule table.
8. On the NAT Configuration page, ensure that the Enable radio button is selected and then click the Submit button. A page appears to confirm your changes.
9. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
Configuring DNS Server Addresses
70 EN/LZT 108 6492 R2 - October 2003
9 Configuring DNS Server Addresses
Domain Name System (DNS) servers map the user-friendly domain names that users type into their Web browsers (e.g. “yahoo.com”) to the equivalent numerical IP addresses that are used for Internet routing.
When a PC user types a domain name into a browser, the PC must first send a request to a DNS server to obtain the equivalent IP address. The DNS server will attempt to look up the domain name in its own database, and will communicate with higher-level DNS servers when the name cannot be found locally. When the address is found, it is sent back to the requesting PC and is referenced in IP packets for the remainder of the communication.
9.1 Assigning DNS Addresses
Multiple DNS addresses are useful to provide alternatives when one of the servers is down or is encountering heavy traffic. ISPs typically provide primary and secondary DNS addresses, and may provide additional addresses. Your LAN PCs learn these DNS addresses in one of the following ways:
Statically;
If your ISP provides you with their DNS server addresses, you can assign them to each PC by modifying the PCs IP properties.
Dynamically from a DHCP pool;
You can configure the DHCP Server feature on the HM210dp/di router and create an address pool that specifies the DNS addresses to be distributed to the PCs. Refer to section 7.3 “Configuring DHCP Server” for instructions on creating DHCP address pools.
In either case, you can specify the actual addresses of the ISP’s DNS servers (on the PC or in the DHCP pool), or you can specify the address of the LAN port on the HM210dp/di (e.g. 192.168.1.1). When you specify the LAN port IP address, the device performs DNS Relay, as described in the following section.
Follow the procedures below to connect related devices.
NOTE! If you specify the actual DNS addresses on the PCs or in the DHCP pool, the DNS Relay feature is not used.
Configuring DNS Server Addresses
EN/LZT 108 6492 R2 - October 2003
71
9.2 Overview of DNS Relay
When you specify the HM210dp/di’s LAN port IP address as the DNS address, then the device automatically performs “DNS relay”; i.e. because the device itself is not a DNS server, it forwards domain name lookup requests it receives from the LAN PCs to a DNS server at the ISP. It then relays the DNS server’s response to the PC.
When performing DNS relay, the HM210dp/di must maintain the IP addresses of the DNS servers it contacts. It can learn these addresses in either or both of the following ways:
Learned through PPP;
If the device uses a PPP connection to the ISP, the primary and secondary DNS addresses can be learned via the PPP protocol. To use this method, the “Use DNS” checkbox must be selected in the PPP interface properties. Using this option provides the advantage that you will not need to reconfigure the PCs or the HM210dp/di if the ISP changes their DNS addresses.
Configured on the HM210dp/di;
You can use the device’s DNS feature to specify the ISP’s DNS addresses. If the device also uses a PPP interface with the “Use DNS” property enabled, then these configured addresses will be used in addition to the two addresses learned through PPP. If “Use DNS” is not enabled, or if a protocol other than PPP is used (such as EoA), then these configured addresses will be used as the primary and secondary DNS addresses.
9.3 Configuring DNS Relay
Follow these steps to configure DNS Relay:
1. Configure the LAN PCs as DHCP clients of the HM210dp/di.
2. Go to LAN > DHCP Server, enter the LAN IP address (e.g.
192.168.1.1) or 0.0.0.0 as the DNS address in the DHCP server pool. By default, 0.0.0.0 is already set as the DNS of the DHCP pool.
3. Determine how the HM210dp/di will learn the DNS server address:
Option 1 – Using a PPP connection to learn the DNS
Use DNS must be enabled in the PPP interface properties. Go to Routing > PPP and check the PPP interface details:
Configuring DNS Server Addresses
72 EN/LZT 108 6492 R2 - October 2003
If “Use DNS” is disabled, you must delete the interface and create a new one with the new setting.
Option 2 – Configuring DNS on the HM210dp/di:
Configuring DNS Server Addresses
EN/LZT 108 6492 R2 - October 2003
73
You can configure the DNS server address to be relayed on the modem if one of the following circumstances applies:
Not using PPP connection to the ISP (or a protocol other
than PPP is used, such as EoA).
You use PPP connection and “Use DNS” is already
Enabled. Then these configured addresses will be used in addition to those DNS addresses learned through PPP.
You use PPP connection and “Use DNS” is Disabled. Then
these configured addresses will be used.
Go to Service > DNS to display the DNS Configuration page:
Type the IP address of the DNS server in an empty row and click Add. Click the Enableradio button, and then click the Sumbit button.
Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
Configuring RIP
74 EN/LZT 108 6492 R2 - October 2003
10 Configuring RIP
The HM210dp/di can be configured to communicate with other routing devices to determine the best path for sending data to its intended destination. This chapter describes how to configure your HM210dp/di to use one of these, called the Routing Information Protocol (RIP).
10.1 Overview of RIP
RIP is an Internet protocol you can set up to share routing table information with other routing devices on your LAN, at your ISP’s location, or on remote networks connected to your network via the ADSL line. Generally, RIP is used to enable communication on autonomous networks. An autonomous network is one in which all of the computers are administered by the same entity. An autonomous network may be a single network, or a grouping of several networks under the same administration. An example of an autonomous network is a corporate LAN, including devices that can access it from remote locations, such as the computers telecommuters use.
Using RIP, each device sends its routing table to its closes neighbor every 30 seconds. The neighboring device in turn passes the information on to its next neighbor and so on until all devices in the autonomous network have the same set of routes.
Most small home or office networks do not need to use RIP; they have only one router, such as the HM210dp/di, and one path to an ISP. In these cases there is no need to share routes, because all Internet data from the network is sent to the same ISP gateway.
You may want to configure RIP if any of the following circumstances apply to your network:
Your network includes an additional router or RIP-enabled PC. The
HM210dp/di and the router will need to communicate via RIP to share their routing tables.
Your network connects via the ADSL line to a remote network, such
as a corporate network. In order for your LAN to learn the routes used within your corporate network, they should both
be configured
with RIP.
Your ISP requests that you run RIP for communication with devices
on their network.
Configuring RIP
EN/LZT 108 6492 R2 - October 2003
75
10.2 Configuring the RIP
Follow the steps below to configure your HM210dp/di to use RIP:
1. Select Services > RIP and the RIP Configuration page appears:
2. The page contains radio buttons for enabling or disabling the RIP feature and a table listing interfaces on which the protocol is currently running. The first time you open this page, the table may be empty.
3. If necessary, change the Age(seconds)” and “Update Time(seconds):” values. These are global settings for all interfaces that use RIP.
Age time is the amount of time in seconds that the device’s RIP table will retain each route that it learns from adjacent computers.
Update Time specifies how frequently the HM210dp/di will send out its routing table to its neighbors.
4. In the “IF Name” column, select the interface on which you want to enable RIP. For communication with RIP-enables devices on your LAN, select eth-0 or the name of the appropriate virtual Ethernet interface. For communication with your ISP or a remote LAN, select the corresponding ppp, eoa, or other WAN interface.
5. Select a “Metric” value (hop count) for the interface. RIP uses a “hop count” as a way to determine the best path to a
Configuring RIP
76 EN/LZT 108 6492 R2 - October 2003
given destination in the network. The hop count is the sum of the metric values assigned to each port through which data is passed before reaching the destination. Among several alternative routes, the one with the lowest hop count is considered the fastest path. For example, if you assign this port a metric of 1, then RIP will add 1 to the hop count when calculating a route that passes through this port. If you know that communication via this interface is slower than through other interfaces on your network, you can assign it a higher metric value that the others. You can select any integer from 1 to 15.
6. Select a “Send Mode” and a “Receive Mode” according to the following:
The Send Mode setting indicates the RIP version this interface will use when it sends its route information to other devices.
The Receive Mode setting indicates the RIP version(s) in which information must be passed to the HM210dp/di in order to be accepted into its routing table.
RIP version 1 is the original RIP protocol. Select RIP1 if you have devices that communicate with this interface that understand RIP version 1 only. RIP version 2 is the preferred selection because it supports (classless” IP addresses (which are used to create subnets) and other features. Select RIP2 if all other routing devices on the autonomous network support this version of the protocol.
7. Click Add in the “Action” column and the new RIP entry will be displayed in the table.
8. Click the “Enable” radio button to enable the RIP feature.
9. When you are finished defining RIP interfaces, click the Submit button. A page appears to confirm your changes.
10. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
10.3 Viewing RIP Statistics
From the RIP Configuration page, you can click the Global Stats button to view statistics on attempts to send and receive route table data over RIP enabled interfaces on the HM210dp/di:
Configuring RIP
EN/LZT 108 6492 R2 - October 2003
77
You can click the Clear button to reset all statistics to zero and the Refresh button to display any newly accumulated data.
Configuring Firewall Settings
78 EN/LZT 108 6492 R2 - October 2003
11 Configuring Firewall Settings
The Configuration Manager provides built-in firewall functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious accesses to your LAN. You can also specify how to monitor attempted attacks, and who should be automatically notified.
11.1 Global Firewall Settings
Follow the steps below to configure the global firewall settings:
1. Select Services > Firewall and the Firewall Configuration page appears:
2. Configure the settings according to the following:
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
79
Field Description
Blacklist Status:
If you want the device to maintain and use a black list, click Enable. Click Disable if you do not want to maintain a list.
Blacklist Period(min):
Specifies the number of minutes that a computer’s IP address will remain on the black list.
Attack Protection:
Select Enable to use the build-in firewall protections that prevent the following common types of attacks:
IP Spoofing – Sending packets over the WAN interface using an internal LAN IP address as the source address. Tear Drop – Sending packets that contain over­lapping fragments. Smurf and Fraggle – Sending packets that use the WAN or LAN IP broadcast address as the source address. Land Attack – Sending packets that use the same address as the source and destination address. Ping of Death – Illegal IP packets length.
DOS Protection:
Click the Enable radio button to use the following denial of service protections:
SYN DoS, ICMP DoS and Per-host DoS protection.
Max Half open TCP Conn.:
Sets the percentage of concurrent IP sessions that can be in the half-open state. In ordinary TCP communication, packets are in the half-open state only briefly as a connection is being initiated; the state changes to active when packets are being exchanged, or closed when the exchange is complete. TCP connections in the half-open state can use up the available IP sessions. If the percentage is exceeded, then the half-open sessions will be closed and replaced with new sessions as they are initiated.
Max ICMP Conn.:
Sets the percentage of concurrent IP sessions that can be used for ICMP messages. If the percentage is exceeded, older ICMP IP sessions will be replaced by new sessions as
Configuring Firewall Settings
80 EN/LZT 108 6492 R2 - October 2003
they are initiated.
Max Single Host Conn.:
Sets the percentage of concurrent IP sessions that can originate from a single computer. This percentage should take into account the number of hosts on the LAN.
Log Destination:
Specifies how attempted violations of the firewall settings will be tracked. Records of such events can be sent out via Ethernet to be handled by a system utility Ethernet to (Trace) or can be e­mailed to specified administrators.
E-Mail ID of Admin 1/2/3:
Specifies the e-mail address(es) of the administrator(s) who should receive notices of any attempted firewall violations. Type the address(es) in standard internet e-mail address format, e.g.
j.smith@onecompany.xom
The e-mail message will contain the time of the violation, the source address of the computer responsible for the violation, the destination IP address, the protocol being used, the source and destination ports, and the number of violations occurring the previous 30 minutes. If the ICMP protocol were being used, then instead of the source and destination ports, the e-mail will report the ICMP code and type.
3. Click the Submit button.
4. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
11.2 Configuring IP Filters
When you define an IP filter rule and enable the feature, you instruct the HM210dp/di to examine each data packet it receives to determine whether it meets criteria set forth in the rule. The criteria can include the size of the packet, the network or internet protocol it is carrying, the direction in which it is traveling (for example from the LAN to the Internet or vice versa), the IP address of the sending computer, the destination IP address, and other characteristics of the packet data.
If the packet matches the criteria established in a rule, the packet can either be accepted (forwarded towards its destination) or denied (discarded) depending on the action specified in the rule.
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
81
11.2.1 Viewing Your IP Filter Configuration
To view your IP filter configuration, select Services > IP Filter. The IP Filter Configuration page appears:
The IP Filter Configuration page displays global settings that you can modify, and the IP filter rule table, which shows all currently established rules. When rules are defined, you can use the icons in the “Action(s)”
column to edit (
), delete ( ) and view details on ( ) the corresponding
rule.
Configuring Firewall Settings
82 EN/LZT 108 6492 R2 - October 2003
11.2.2 Configuring IP Filter Global Settings
The IP Filter Configuration page enables you to configure several global IP Filter settings, and displays a table showing all existing IP Filter rules. The global settings that you can configure are:
Security Level: When High is selected, only those rules that are
assigned a security value of “High” will be in effect. The same is true for the Medium and Low settings. When None is selected, IP Filtering is disabled.
Private/Public/DMZ Default Action: This setting specifies a default
action to be taken (Accept or Deny on private, public or DMZ-type devise interfaces when they receive packets that do not match any of the filtering rules.
Private – Typically, the global setting for private interfaces is Accept, so that LAN computers have access to the Internet
connection of the HM210dp/di.
Public – The interface connect to the Internet, e.g. PPP, EoA and IpoA interfaces. Typically, the global setting for public interfaces is Deny, so that all accesses to your LAN initiated from external computers are denied (discarded at the public interface), except for those allowed by a specific IP Filter rule.
DMZ – Refers to computers that are available for both public and in­network accesses (such as a company’s public Web server). Packets received on a DMZ interface – whether from a LAN or external source – are subject to a set of protections that is in between public and private interfaces. The global setting for DMZ­type interfaces may be set to Deny so that all attempts to access these servers are denied by default. The administrator may then configure IP Filter rules to allow accesses of certain types.
11.2.3 Creating IP Filter Rules
To create an IP filter rule, you set various criteria that must be met in order for the rule to be invoked. Use these instructions to add a new IP filter rule, and refer to the examples in section 11.2.3.1 for assistance:
1. On the main IP Filter Configuration page, click the Add button. The IP Filter Rule – Add page appears:
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
83
2. Enter or select data for each field that applies to your rule:
Configuring Firewall Settings
84 EN/LZT 108 6492 R2 - October 2003
Field Description
Rule ID:
Rules are processed from lowest to highest on each data packet, until a match is found. It is recommended that you assign rule Ids in multiples of 5 or 10 (e.g. 10, 20, 30) so that you leave enough space between them for inserting a new rule if necessary.
Action:
The action can be Accept (forward to destination) or Deny (discard the packet).
Direction:
Incoming refers to packets coming from the LAN, and outgoing refers to packets going to the Internet. You can use rules that specify the incoming direction to restrict external computers from accessing your LAN.
Interface:
The interface on which the rule will take affect.
In Interface:
The interface from which packets must have been forwarded to the interface specified in the previous section. This option is valid only for the outgoing direction.
Log Option:
When Enable is selected, a log entry will be created on the system each time this rule is invoked.
Security Level:
The security level that must be enabled globally for this rule to take affect. A rule will be active only if its security level is the same as the globally configured setting (shown on the main IP Filter page). For example, if the rule is set to “Medium” and the global firewall level is set to “Medium”, then the rule w ill be active; but if the global firewall level is set to “High” or “Low”, then the rule will be inactive.
Blacklist Status:
Specifies whether or not a violation of this rule w ill result in the offending computer’s IP address being added to the Black List, which blocks the router from forwarding packets from that source for a specified period of time.
Log Tag:
A description of up to 16 characters to be recorded in the log in the event that a packet violates this rule. Be sure to set the Log Option to
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
85
Enable if you configure a Log Tag.
Start/End Time:
The time range during which this rule is to be in effect, specified in military units.
Src IP Address:
IP address criteria for the source computer(s) from which the packet originates. Use the following expressions to specify IP:
any: any source IP address lt: less than lteq: less than or equal to gt: greater than eq: equal to neq: not equal to range: within the specified range, inclusive out of range: outside the specified range self: the IP address of the router interface on
which this rule takes effect.
Dest IP Address:
IP address rule criteria for the destination computer(s), i.e. the IP address of the computer to which the packet is being sent.
In addition to the options described for the “Src IP Address” field, the following option is available:
bcast: Specifies that the rule will be invoked for any packets sent to the broadcast address for the receiving interface. (The broadcast address is used to send packets to all hosts on the LAN or subnet connected to the specified interface). When you select this option, you do not need to specify the address, so the address fields are dimmed.
Protocol:
The basic IP protocol criteria that must be met for a rule to be invoked. Using the options in the drop-down list, you can specify that packets must contain the selected protocol (eq), that they must not contain the specified protocol (neq), or that the rule can be invoked regardless of the protocol (any). TCP, UDP and ICMP are commonly IP protocols; others can be identified by number from 0-255 as defined by IANA.
Apply Stateful Inspection:
If this option is enabled, then stateful filtering is performed and the rule is also applied in the other direction on the given interface during an IP session.
Configuring Firewall Settings
86 EN/LZT 108 6492 R2 - October 2003
Source Port:
Port number criteria for the computer(s) from which the packet originates. This field will be dimmed (unavailable for entry) if you have not specified a protocol critera. See the description of Src IP Address for the selection options.
Dest Port:
Port number criteria for the destination computer(s), i.e. the port number of the type of computer to which the packet is being sent. This field will be dimmed (unavailable for entry) unless you have selected TCP or UDP as the protocol. See the description of Src IP Address for the selection options.
TCP Flag:
Specifies whether the rule should apply only to TCP packets that contain the synchronous (SYN) flag, only to those that contain the non­synchronous (NOT-SYN) flag, or to all TCP packets. This field will be dimmed (unavailable for entry) unless you selected TCP as the protocol.
ICMP Type:
Specifies whether the value in the type field in ICMP packet headers will be used as a criteria. The code value can be any decimal value from 0 to 255. You can specify that the value must be equal (eq) or not equal (neq) to the specified value, or you can select any to enable the rule to be invoked on all ICMP packets. This field will be dimmed (unavailable for entry) unless you specify ICMP as the protocol.
ICMP Code:
Specifies whether the value in the code field in ICMP packet headers will be used as criteria. The code value can be any decimal value from 0 to 255. You can specify that the value must be equal (eq) or not equal (neq) to the specified value, or you can select any to enable the rule to be invoked on all ICMP packets. This field will be dimmed (unavailable for entry) unless you specify ICMP as the protocol.
IP Frag Pkt:
Determines how the rule applies to IP packets that contain fragments. You can choose from the following options:
Yes: The rule will be applied only to packets that contain fragments. No: The rule will be applied only to packets that do not contain fragments.
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
87
Ignore: (Default) The rule will be applied to packets whether or not they contain fragments, assuming that they match the other criteria.
IP Option Pkt:
Determines whether the rule should apply to IP packets that have options specified in their packet headers. You can choose from the following options:
Yes: The rule will be applied only to packets that contain header options. No: The rule will be applied only to packets that do not contain header options. Ignore: (Default) The rule will be applied to packets whether or not they contain header options, assuming that they match the other criteria.
Packet Size:
Specifies that the IP Filter rule will take affect only on packets whose size in bytes matches this criteria. (lt=less than, gt=greater than, lteq=less than or equal to, etc).
TOD Rule Status:
The Time of Day Rule Status determines how the Start Time/End Time settings are used.
Enable: (Default) The rule is in effect for the specified time period. Disable: The rule is not in effect for the specified time period, but is effective at all other times.
3. When you are done selecting criteria, ensure that the Enable radio button is selected and then click the Submit button.
If the security level of the rule matches the globally configured setting, a green ball in the “Status” column for that rule, indicating that the rule is now in effect. A red ball will display when the rule is disabled or if its security level is different than the globally configured level.
4. Ensure that the Security Level and Private/Public/DMZ Default Action settings on the IP Filter configuration page are configured as needed, then click the Submit button.
5. Select Admin > Commit & Reboot and click the Commit button to save your changes to permanent storage.
Configuring Firewall Settings
88 EN/LZT 108 6492 R2 - October 2003
11.2.3.1 IP Filter Rule Examples
Example 1 – Blocking a specific computer on your LAN from accessing
web servers on the Internet;
1. Add a new rule for outgoing packets on the ppp-0 interface from any incoming interface (this would include the eth-0 interface, for example).
2. Specify a source IP address of the computer you want to block.
3. Specify the Protocol = TCP and enable the Store State setting.
4. Specify a destination port = 80, which is the standard port number for web servers.
5. Enable the rule by clicking the radio button at the top of the page.
6. Click Submit to create the rule.
7. On the IP Filter Configuration page, set the Security Level to the same level you chose for the rule, and set both the Private Default Action and the Public Default Action to Accept.
8. Click Submit to commit your changes.
Example 2 – Blocking Telnet access to the device;
1. Add a new rule for incoming packets on the ppp-0 interface.
2. Specify that the packet must contain the TCP protocol, and must be destined for port 23, the standard port number used for the Telnet protocol.
3. Enable the rule by clicking the radio button at the top of the page.
4. Click Submit to create the rule, and commit your changes.
11.2.4 Viewing IP Filter Statistics
To view statistics on how many packets were accepted or denied for a rule, select Services > IP Filter > Stats in the row corresponding to the rule. The IP Filter Rule – Statistics page displays:
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
89
You can click the Clear button to reset the count to zero and the Refresh button to display newly accumulated data.
11.2.5 Managing Current IP Filter Sessions
When two computers communicate using the IP protocol, an IP session is created for the duration of the communication. The HM210dp/di allows a fixed number of concurrent IP sessions. You can view information about each current IP session and delete sessions (for security reasons, for example).
To view all current IP sessions, select Services > IP Filter > Session to display the IP Filters Session page:
The IP Filter Session table displays the following fields for each current IP session:
Field Description
Session Index The ID assigned by the system to the IP session (all
sessions, whether or not they are affected by an IP
Configuring Firewall Settings
90 EN/LZT 108 6492 R2 - October 2003
filter rule, are assigned a session index).
Time to expire The number of seconds in which the connection will
automatically expire.
Protocol The underlying IP protocol used on the connection,
such as TCP, UDP, IGMP, etc.
I/F The interface on which the IP Filter rule is effective.
IP Address The IP address involved in the communication. The
first one shown is the initiator of the communication.
Port The hardware addresses of the ports involved in the
communication.
In/Out Rule Index The number of the IP Filter rule that is applied to this
session (assigned when the rule was created).
In/Out Action The action (accept, deny, or unknown) being taken on
data coming in to or going out from the interface. This action is specified in the rule definition.
Actions
Provides a icon you can click on (
) to delete the IP session. When you delete a session, the communication between is discontinued.
You can click the Refresh button to display newly accumulated data.
11.3 Blocking Specific Protocols
The Blocked Protocols feature enables you to prevent the HM210dp/di from passing any data that uses a particular protocol. Unlike the IP Filter feature, you cannot specify additional criteria for blocked protocols, such as particular users or destinations.
NOTE! Blocking certain protocols may disrupt or disable your network communication or Internet access. DO NOT use this feature unless you are certain that a particular protocol is not
needed or wanted on your network.
To block specific protocols running across the system, select Services > Blocked Protocols. The Blocked Protocols page appears:
Configuring Firewall Settings
EN/LZT 108 6492 R2 - October 2003
91
Check the protocol type you want to block and click the Submit button. Make sure to use the Commit feature to save your changes to the permanent memory.
To unblock a specific protocol, uncheck the protocol and repeat the submit and commit tasks.
The following list describes each of the available protocols:
Protocol Description
PPPoE Point-to-Point Protocol over Ethernet. Many DSL
modems use PPPoE to establish and maintain a connection with a service provider. PPPoE provides a means of logging in to the ISPs servers so that they can authenticate you as a customer and provide you access to the Internet. Check with your ISP before blocking this protocol.
IP Multicast IP Multicast is an extension to the IP protocol. It
enables individual packets to be sent to multiple hosts on the Internet, and is often used for handling e-mail mailing lists and teleconferencing/videoconferencing.
RARP Reverse Address Resolution Protocol. This IP
protocol provides a way for computers to determine their own IP addresses when they only know their
Configuring Firewall Settings
92 EN/LZT 108 6492 R2 - October 2003
hardware address (i.e. MAC addresses). Certain types of computers, such as diskless workstations, must use RARP to determine their IP address before communicating with other network devices.
AppleTalk A networking protocol used for Apple Macintosh
networks.
NetBEUI NetBIOS Enhanced User Interface. On many LAN
operating systems, the NetBEUI rotocol provides the method by which computers identify themselves to and communicate with each other.
IPX Internetwork Packet Exchange. A networking protocol
used on Novell Netware-based LANs.
BPDU Bridge Protocol Data Unit. BPDUs are data messages
that are exchanged across the switches between LANs that are connected by a bridge. BPDU packets contain information on ports, addresses, priorities, and costs, and are exchanged across bridges to detect and eliminate loops in a network.
ARP Address Resolution Protocol. Computers on a LAN
use ARP to learn the hardware addresses (i.e. MAC addresses) of other computers when they know only their IP addresses.
IPV6 Multicast IP Multicasting under IP Protocol version 6. See IP
Multicast above.
802.1.Q This IEEE specification defines a protocol for virtual LANs on Ethernet networks. A virtual LAN is a group of PCs that function as a local area network, even though the PCs may not be physically connected. They are commonly used to facilitate administration of large networks.
Loading...