HotBrick VPN 1400-2 User Manual

Dual WAN Firewall VPN 1400/2
User's Guide
Version 1.0, Date: Nov 2006. Please check www.hotbrick.com for the latest version.
TABLE OF CONTENTS
1: INTRODUCTION
  Internet Features
  Other Features
  Package Contents
  Physical Details
2: QUICK INSTALLATION
  Overview
  Procedure
  Requirements
  Installing
  LAN & DHCP
  Primary Setup
3: LOADBALANCING
4: ADVANCED WAN
  Port Options
  PPPoE
  PPTP
5: ADVANCED CONFIGURATION
  Host IP
  Routing
  Virtual Server
  Special Application
  Dynamic DNS
  Multi DMZ
  UPnP Setup
  NAT Setting
  Advanced Feature
6: SECURITY MANAGEMENT
  Block URL
  Access Filter
  Session Limit
  SysFilter Exception
7: VPN Configuration
  Tunnel to HotBrick Unit
  Tunnel to HotBrick client
  Advanced settings
  IPSec policy options
  VPN preset
  SA List
  VPN log
8: QOS CONFIGURATION
  Overview
  QoS Setup
  QoS Policy
9: MANAGEMENT ASSISTANT
  Admin. Setup
  Email Alert
  SNMP
  Syslog
  Upgrade Firmware
10: DEVICE INFORMATION
  Operation
  System Status
  WAN Status
10: DEVICE STATUS
APPENDIX A SPECIFICATIONS
APPENDIX B WINDOWS TCP/IP SETUP
  Overview
  TCP/IP Settings
APPENDIX C TROUBLESHOOTING
  Overview
  General Problems
  Internet Access
APPENDIX D IPSEC TUNNEL EXAMPLES
  Tunnel to HotBrick Unit
Copyright HotBrick 2006®. All Rights Reserved.
Document Version: 1.0
All trademarks and trade names are the properties of their respective owners.
1: Introduction
Congratulations on the purchase of your new Dual WAN VPN Firewall. The Dual WAN VPN Firewall not only provides 2 WAN ports, it also provides Shared Broadband Internet Access for all LAN users.
Internet Features
Dual WAN ports
There are 2 WAN ports available for use on the Dual WAN VPN Firewall. They can function for load-balancing and failover.
Shared Broadband Internet Access
All LAN users can access the Internet through the Dual WAN VPN Firewall by sharing two Broadband modems and connections.
High-Performance multi ADSL Modem Support
The Dual WAN VPN Firewall has two WAN ports, allowing the connection of up to two broadband modems at the same time. This can provide more bandwidth than a single modem allows.
Flexible configuration allows each WAN port to use a different type of modem and connection. Additionally, you can determine how the Internet traffic is shared between the 2 modems.
Figure 1-1: Dual WAN VPN Firewall
Supports all common Connection Methods
All popular DSL and Cable Modems and connection methods are supported, including Fixed IP, Dynamic IP, PPPoE, and PPTP.
Outbound/Inbound Traffic Load Balancing and Failover
There are many load-balancing methods to allow administrators to manage the traffic from LAN or WAN to maximize bandwidth usage. There are also smart health check methods to protect against connection failure by using failover.
PPPoE Session Management
Multiple PPPoE sessions are supported and you can choose to “map” sessions to individual PCs if desired.
Multiple IP Address Support
If your ISP allocates you multiple public IP addresses, you can “map” them to internal PCs if desired.
Special Application
This feature allows you to use some non-standard applications, where the port number used to reply is not the same port number used by the sender.
Virtual Server
This feature allows Internet users to access your internal Internet servers on your LAN. For standard servers such as Web, FTP or E-Mail servers, only the IP address of the server PC is required.
You can also define your own Server types if needed.
Multiple DMZ
A "DMZ" PC will receive incoming connection requests that would normally be blocked. For each IP address allocated by your ISP, a separate "DMZ" PC can be specified. So if your ISP has provided multiple IP addresses, you can have multiple "DMZ" PCs. Each "DMZ" PC has unrestricted 2-way Internet access. This allows you to run programs that are otherwise incompatible with NAT routers like the Multi-WAN VPN Link Balancer.
Access Filter
The network administrator can use the Access Filter to gain fine control over Internet access and applications available to LAN users. Five (5) user groups are available, and each group can be assigned unique access rights.
Block URL
Use this feature to block access to undesirable Web sites by LAN users. You can even have different settings for different groups of PCs.
Session Limit
With the Session Limit feature, when the number of new sessions for the system exceeds the maximum in the sampling time, any new session in the system will be dropped.
System Filter Exception
The firewall rejects every packet with an unrecognized port to avoid port scans by hackers. This requires exception handling in situations where some servers (e.g. SMTP server port 113) or clients need to respond to non-standard packets to indicate aliveness to their communication peers.
VPN (Virtual Private Network)
Up to 50 VPN tunnels are supported, with a fail-over mechanism.
Other Features
16-Port Switching Hub
The Dual WAN VPN Firewall incorporates a 16-port 10/100BaseT switching hub that allows you to quickly create or extend your LAN.
DHCP Server Support
Dynamic Host Configuration Protocol provides dynamic IP addresses to PCs and other devices upon request. The Dual WAN VPN Firewall can act as a DHCP Server for devices on your local LAN.
Multi Segment LAN Support
LANs containing one or more segments are supported, via the Multi-WAN VPN Load Balancer's built-in static routing table or LAN ANY IP settings.
Easy Setup
Use your favorite WEB browser for configuration.
Remote Management
The Dual WAN VPN Firewall can be managed from any PC on your LAN. If the Internet connection is active, the unit can also (optionally) be configured via the Internet.
Password-protected Configuration
Optional password protection is provided to prevent unauthorized users from modifying the configuration data and settings.
HTTP Firmware Upgrade and Backup
The web management feature allows you to use HTTP to upgrade the firmware and back up the system configuration locally or even from a remote site (as long as you enable “Remote Upgrade” and “Remote web-based setup” on the Advanced Feature web page).
Email Alert
A warning email can be sent to the system administrator if one of the WAN ports drops, provided two WAN ports are enabled. An excessive ping notification is also available.
Syslog
Real time system information can be generated on the web page or a particular machine. This is very useful when monitoring the device.
QoS Configuration
This function gives specified packets a higher priority for pass-through. This is especially useful if you have real-time applications like Internet phone, video conference etc.
UPnP
If UPnP (Universal Plug & Play) is set to “Enable”, the Dual WAN VPN Firewall becomes one of the network devices. This is useful for discovering and controlling network devices, such as the Internet gateway.
Package Contents
The following items should be included:
The Dual WAN VPN Firewall Unit
Power Cord
Quick Installation Guide
CD-ROM containing the on-line manual.
Note: If any of the above items are damaged or missing, please contact your dealer immediately.
Physical Details
Front Panel
Figure 1-2: Front Panel
Operation of the Front Panel LEDs is as follows:
Power
  OFF – No Power
  ON – Normal Operation
Status
  System: Blinking – Normal Operation; ON/OFF – Error
  Packets: Blinking – Packets Active; ON/OFF – No Packet
Ethernet
  Green ON – 100M Linked
  Yellow ON – 10M Linked
  Blinking – Data Transmit / Receive
  OFF – Not Linked
Ethernet Ports and Reset Button
Ethernet Ports – WAN ports: 2 are available for WAN connections.
LAN ports: the remaining ports are for LAN (device or hub) usage.
Ethernet cable to connect to a normal port or another hub.
Reset Button – When pressed and released, the Dual WAN VPN Firewall will reboot (restart) within 1 second. It will reset to factory default settings after you press and hold the reset button for over 3 seconds.
Some Status and Error conditions are indicated by combinations of LEDs, as shown below:
LED Action: Condition
Status – System (Solid Off) & Packets (Solid On): SDRAM error
Status – System (Solid Off) & Packets (Flash once): Timer/Interrupt error
Status – System (Solid Off) & Packets (Flash twice): LAN/WAN error
Rear Panel
Figure 1-3: Rear Panel
AC 100V ~ 240V – Connect to AC 100~240V / 50~60Hz with the AC power cord.
Default Settings
When the Dual WAN VPN Firewall has finished booting, all configuration settings will initially be set to the factory defaults, including:
IP Address set to its default value of 192.168.1.1, with a Network Mask of 255.255.255.0
DHCP Server is enabled
User Name: admin
Password cleared (no password)
TFTP Download
This setting should be used only if your Dual WAN VPN Firewall interface can’t be accessed, and you wish to restore it by uploading new firmware. In that case use the following procedure:
1. Power on the Dual WAN VPN Firewall.
2. Use the supplied Windows utility or a TFTP client program to apply the new firmware. If you are using the supplied Windows TFTP program, the screen will look like the following example.
Figure 1-4: Windows TFTP utility
Enter the name of the firmware upgrade file on your PC, or click the "Browse" button to locate the file.
Enter the LAN IP address of the Dual WAN VPN Firewall in the "Server IP" field.
Click "Upgrade Firmware" to send the file to the Multi-WAN VPN Link Balancer.
3. When uploading is finished the unit should function normally, using the default settings.
Note:
The supplied Windows TFTP utility also allows you to perform three (3) additional operations:
Save the current configuration settings to your PC (use the "Save Configuration" button).
Restore a previously saved configuration file to the Dual WAN VPN Firewall (use the "Upgrade Firmware" button).
Set the Dual WAN VPN Firewall to its default values (use the "Set to Default" button).
2: Quick Installation
Overview
Initial Basic Setup of your Dual WAN VPN Firewall involves the following steps:
1. Attach a PC to the Dual WAN VPN Firewall in port 3 ~ 16, and configure your LAN.
2. Install your Dual WAN VPN Firewall in your LAN, and connect the Broadband Modem or Modems.
3. Configure your Dual WAN VPN Firewall for Internet Access.
4. Configure PCs on your LAN to use the Dual WAN VPN Firewall.
Requirements
1 or 2 WAN connections, each with an active Internet Access account with an ISP.
Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors.
TCP/IP network protocol must be installed on all PCs.
Procedure
1: Configuring the Dual WAN VPN Firewall for your LAN
1. Use a standard LAN cable to connect your PC to any LAN port (3-16) on the Dual WAN VPN Firewall. (By default, the 2 WAN ports are ports 1-2.)
2. Connect the power cord to the power outlet on the rear panel of the Dual WAN VPN Firewall.
3. Start your PC. If your PC is already running, restart it. It will then obtain an IP address from the Dual WAN VPN Firewall.
4. Start your WEB browser.
5. In the Address or Location box enter: HTTP://192.168.1.1
6. You will be prompted for the User Name and password, as shown below.
Figure 2-1: Password Dialog
Enter admin for the "User Name" and leave the "Password" blank.
The "User Name" is always admin.
You can and should set a password, using the following Admin Password screen.
No Response?
Is your PC using a Fixed IP address? If so, you must configure your PC to use an IP address within the range 192.168.1.2 to 192.168.1.254, with a Network Mask of 255.255.255.0. See Appendix B – Windows TCP/IP Setup for details.
Check that the Dual WAN VPN Firewall is properly installed, the LAN connection is OK, and it is powered ON.
7. After the login, you will see the Admin Password screen, as shown below.
Assign a password by entering it in the "Password" and "Verify Password" fields.
Figure 2-2: Home Screen (Admin. Setup)
8. Select LAN & DHCP from the menu. You will see a screen like the example below.
Figure 2-3: LAN & DHCP Setup
9. If your LAN already has a DHCP Server, and you wish to continue to use it, the following configuration is required.
The DHCP Server function in the Dual WAN VPN Firewall must be disabled. This setting is on the LAN & DHCP screen.
Your DHCP Server must be configured to provide the Dual WAN VPN Firewall LAN IP address as the "Default Gateway".
Your DHCP Server must provide correct DNS addresses to the PCs.
10. Ensure these settings are suitable for your LAN.
11. The default settings are suitable for many situations.
12. See the following table for details of each setting.
Save your data, then go to Installing the Dual WAN VPN Firewall in your LAN.
Installing the Dual WAN VPN Firewall on your LAN
Figure 2-4: Installation Diagram
13. Ensure the Dual WAN VPN Firewall and the DSL/Cable modem are powered OFF.
Leave the modem or modems connected to their data line.
14. Connect the Broadband modem or modems to the Dual WAN VPN Firewall.
If using only one (1) Broadband modem, connect it to WAN port 1.
Use the cable supplied with your DSL/Cable modem. If no cable was supplied, use a standard cable.
15. Use standard LAN cables to connect PCs to the LAN ports on the Dual WAN VPN Firewall.
Both 10BaseT and 100BaseT connections can be used simultaneously.
If you need to connect the Dual WAN VPN Firewall to another Hub, use a standard LAN cable to connect any LAN port on the Dual WAN VPN Firewall to a standard port on another hub. Any LAN port on the Dual WAN VPN Firewall will automatically act as an "Uplink" port when required.
If a device is set to 2 WAN ports from port 1 to 2, the others are LAN ports from port 3 to 16.
16. Power Up
Power on the Cable or DSL modem or modems.
Connect the supplied power cord to the Dual WAN VPN Firewall and power up.
17. Check the LEDs
The Power LED should be ON.
The Link/ACT LED should be ON, if the corresponding WAN port is connected to a broadband modem.
For each PC connected to the LAN ports, the corresponding LAN LED (either 10/Yellow or 100/Green) should be ON.
3. Quick Installation - LAN & DHCP
Select LAN & DHCP from the menu. You will see a screen like the example below.
Figure 3-1: LAN & DHCP
Ensure these settings are suitable for your LAN.
The default settings are suitable for most networks. See the following table for setting details.
LAN IP Configuration:
IP address – The address of the Dual WAN VPN Firewall, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
Subnet Mask – The default value 255.255.255.0 is standard for small (class "C") networks. For other networks, use the Subnet Mask for the LAN segment to which the Dual WAN VPN Firewall is attached (the same value as the PCs on that LAN).
DHCP server configuration:
DHCP Server Setup – If enabled, the Dual WAN VPN Firewall will allocate IP Addresses to PCs (DHCP clients) on your LAN when they start up. The default and recommended value is "Enable". (Windows Systems, by default, act as DHCP clients. This setting is called Obtain an IP address automatically.)
DHCP Server Setup – If you are already using a DHCP Server, the DHCP Server setting must be disabled, and the existing DHCP server must be set to provide the IP address of the Dual WAN VPN Firewall as the Default Gateway.
Client Lease Time – This is the period of time that a DHCP server leases an IP address to a DHCP client.
DHCP IP address range
Offered Range fields set the values used by the DHCP server when allocating IP Addresses to DHCP clients. This range also determines the number of DHCP clients supported.
Free Entries indicates how many DHCP entries are not currently allocated, and available.
ARP Proxy
Enable this ONLY if the LAN port has an IP address in the same address range as the WAN port(s). This means that all PCs using this Gateway must have valid fixed external (Internet) IP addresses. If enabled, enter the IP address range used on your LAN.
LAN Any IP Setup
The default is disabled. If you enable “LAN ANY IP”, a client can access the Internet without changing its IP address, no matter what static IP address it has. This is normally used when the client is on a different IP segment than the LAN segment.
DHCP Client List
This table shows the IP addresses that have been allocated by the DHCP Server. For each allocated address, the following information is displayed.
Name – The "hostname" of the PC. In some cases, this may not be known.
MAC Address – The physical address (network adapter address) of the PC.
IP Address – The IP address allocated to this PC.
Type – Indicates whether the IP address is dynamic or static.
Status – If leased, the IP address was allocated by this DHCP Server.
Time Left – The time left before the lease expires.
Quick installation - Primary setup
Connection mode
Enable – Select this if you have connected a broadband modem to this port.
Disable – Select this if there is no broadband modem connected to this port.
Backup – Use this if you have a broadband modem on each port, and wish to normally use only one. Select Enable for the primary port, and Backup for the secondary port. The Backup port will only be used if the primary port fails.
Connection type (Check the data supplied by your ISP, and select the appropriate option)
Static IP – Select this if your ISP has provided a Fixed or Static IP address. Then enter the data into the Address Info fields.
Dynamic IP – Select this if your ISP provides an IP address automatically when you connect. You can ignore the Address Info fields.
PPPoE – Select this if your ISP uses this method. (Usually, your ISP will provide some PPPoE software. This software is no longer required, and should not be used.) When this method is selected, you must complete the PPPoE dialup fields.
Note: If using the PPTP connection method, select Static IP or Dynamic IP, as appropriate, according to the IP address method used by your ISP.
Address Info
This is for Static IP users only. Enter the address information provided by your ISP. If your ISP provided multiple IP addresses, you can use the Multi-DMZ
DNS
This is for Static IP users only. Enter the address information provided by your ISP. If your ISP provided multiple IP addresses, you can use the Multi-DMZ
Optional
Host name – This is required by some ISPs. If your ISP provided a Host Name, enter it here. Otherwise, you can use the default value.
Domain name – This is required by some ISPs. If your ISP provided a Domain Name, enter it here. Otherwise, you can use the default value.
MAC address – Some ISPs record your MAC address (also called "Physical address" or "Network Adapter address"). If so, you can enter the MAC address required by your ISP in this field. Otherwise, this should be left at the default value.
3: Loadbalancing
This screen is only operational if using Internet connections on both WAN ports.
Figure 3-2: Load Balance
Load balancing – Load Balancing
Enable – Use this to enable your Load Balance settings. Unless this is checked, the other settings on this screen have no effect.
Balance Type – Select the desired option:
Bytes rx+tx – Traffic is measured by Bytes.
Packets rx+tx – Traffic is measured by Packets.
Sessions established – Traffic is measured by Sessions.
IP Address – Traffic is measured by IP Address.
Loading Share on WAN 1 – Enter the percentage (%) of traffic to be sent over WAN 1. If one WAN port connection has greater bandwidth than the other, the one with the greater bandwidth should be given a higher percentage of traffic than the other.
NAT statistics – This section displays the current data about WAN 1 and WAN 2. You can use this information to help you "fine-tune" the settings above.
Interface statistics – This section displays cumulative statistics. Use the "Restart Counters" button to restart these counters when required.
4: Advanced WAN
Port options
Connection validation
Health Check – If disabled, the Alive Indicator Check is not performed. The default is enabled. Health checking is performed by sending ICMP echo requests and HTTP packets to a destination that is either the name or IP address specified in the “Alive Indicator” input box or, if that box is blank, the gateway of the WAN interface used.
Alive Indicator – This is the IP address used to check if the WAN connection is operating. The Dual WAN VPN Firewall will contact this system to check if the WAN connection is working. Change this address if you wish. Default is the gateway IP. Note: This is not used for PPPoE connections.
MTU – The Maximum Transmission Unit determines the packet size to be used on the WAN interface. Normally, this does not need to be changed, but if your ISP advises you to use a specific MTU, enter it here.
Transparent bridge option
Bridge Mode – If set to Enable, this WAN port does not use NAT or the Load Balance function when both the LAN and WAN have real IP addresses on the same network segment.
NetBIOS Broadcast – This function allows you to access files through Microsoft Network
ed.
Traffic Management
Strict Binding: Traffic from bridged hosts (e.g. transparent to WAN 1) can only go through the specified WAN interface (e.g. WAN 1).
Loose Binding: Traffic from bridged hosts (e.g. transparent to WAN 1) can go through the alternative WAN interface (e.g. WAN 2) when the bound interface (e.g. WAN 1) is down. It acts as a failover mechanism for transparent bridge mode.
Load Balancing: Traffic from bridged hosts (e.g. transparent to WAN 1) can go through either WAN interface (e.g. WAN 1 or WAN 2), based on the loading mechanism specified in the load balance section. It acts as a load balancing mechanism for transparent bridge mode.
ARP Table – The ARP table is used by the device to determine the bridged hosts’ location (e.g. inside/outside WAN and which WAN). Its size can be adjusted if needed. View ARP Tables displays ON/OFF for bridge mode on each WAN port. Clear ARP Tables disables bridge mode on all WAN ports.
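The three Traffic Management modes above, together with the Loading Share on WAN 1 setting from the Loadbalancing chapter, can be modelled as follows. This is an added illustration, not HotBrick firmware code: the names Wan, pick_by_share, select_wan and simulate are hypothetical, and both the share rule (send to WAN 1 while it is below its target percentage) and the behaviour of Load Balancing mode when one port is down are assumptions the manual does not specify.

```python
from dataclasses import dataclass


@dataclass
class Wan:
    name: str
    up: bool = True   # outcome of the Health Check for this port
    counter: int = 0  # bytes, packets or sessions, per the Balance Type


def pick_by_share(wan1, wan2, share_wan1_pct):
    """Return the live WAN that is currently below its configured share."""
    live = [w for w in (wan1, wan2) if w.up]
    if len(live) < 2:
        # Assumption: with one port down, all traffic uses the other port.
        return live[0] if live else None
    total = wan1.counter + wan2.counter
    # Integer comparison of WAN 1's measured share with its target share.
    if 100 * wan1.counter < share_wan1_pct * total:
        return wan1
    return wan2


def select_wan(mode, wan1, wan2, bound="WAN1", share_wan1_pct=50):
    """Pick the egress port for a bridged host bound to `bound`.

    mode is "strict", "loose" or "balance". None means no usable port.
    """
    primary, alternate = (wan1, wan2) if bound == wan1.name else (wan2, wan1)
    if mode == "strict":
        return primary if primary.up else None
    if mode == "loose":
        if primary.up:
            return primary
        return alternate if alternate.up else None
    if mode == "balance":
        return pick_by_share(wan1, wan2, share_wan1_pct)
    raise ValueError(f"unknown mode: {mode}")


def simulate(flows, mode, share_wan1_pct, fail_wan1_after=None):
    """Send `flows` equal-sized flows; return (wan1, wan2, dropped) counts."""
    wan1, wan2, dropped = Wan("WAN1"), Wan("WAN2"), 0
    for i in range(flows):
        if fail_wan1_after is not None and i >= fail_wan1_after:
            wan1.up = False  # constructed failure: health check starts failing
        chosen = select_wan(mode, wan1, wan2, "WAN1", share_wan1_pct)
        if chosen is None:
            dropped += 1
        else:
            chosen.counter += 1
    return wan1.counter, wan2.counter, dropped


if __name__ == "__main__":
    print("balance 70%:", simulate(1000, "balance", 70))
    print("strict, WAN1 fails at 400:", simulate(1000, "strict", 70, 400))
    print("loose,  WAN1 fails at 400:", simulate(1000, "loose", 70, 400))
```

In this model, Strict Binding is the only mode in which a failed WAN 1 leaves bridged hosts without a path, which is the availability trade-off to weigh when a host must never leave through the other ISP.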
Advanced WAN – PPPoE
This screen is required in order to use multiple PPPoE sessions on the same WAN port. It can also be used to manually connect or disconnect a PPPoE session.
Select WAN port & Session
WAN Port – Selected WAN port using the PPPoE connection.
PPPoE Session – Usually the ISP provides multiple floating real IPs for PPPoE. Each WAN port can have up to 8 PPPoE sessions with different IP addresses, if your WAN port is using a PPPoE connection.
PPPoE Session MTU – The Maximum Transfer Unit for PPPoE packet data. Leave it at the default, unless the ISP specifies a different PPPoE packet data size. The default value of MTU is 1492 bytes.
WAN IP Account
User Name – Enter the PPPoE user name assigned by your ISP.
Password – Enter the PPPoE password assigned by your ISP.
Verify Password – Re-enter the PPPoE password assigned by your ISP.
Advanced WAN PPTP
Advanced WAN
WAN Port – Select the desired WAN port (click desired WAN on Connection Status). The data of the selected port will then be displayed in the WAN IP Account section.
PPTP MTU – Maximum transfer unit for PPTP. The default value is 1460.
WAN IP Account
User Name – The PPTP user name (login name) assigned by your ISP.
Password – The PPTP password associated with the User Name above. This is assigned by your ISP, and used to login to the PPTP Server.
Verify Password – Re-enter the PPTP password assigned by your ISP.
Server IP Address – Enter the IP address of the PPTP Server, as provided by your ISP.
Static IP Address – If you have a fixed IP address enter it here. Otherwise this field should be left at 0.0.0.0.
Connection Status – This displays the current PPTP connection status.