Linksys BEFSX41 User Manual

USER GUIDE
Broadband Firewall Router with
4-Port Switch/VPN Endpoint
Model: BEFSX41
About This Guide
Icon Descriptions
While reading through the User Guide you may see various icons that call attention to specific items. Below is a description of these icons:
NOTE: This check mark indicates that there is a note of interest and is something that you should pay special attention to while using the product.
WARNING: This exclamation point indicates that there is a caution or warning and it is something that could damage your property or product.
WEB: This globe icon indicates a noteworthy website address or e-mail address.
Online Resources
Website addresses in this document are listed without http:// in front of the address because most current web browsers do not require it. If you use an older web browser, you may have to add http:// in front of the web address.
Resource Website
Linksys www.linksys.com
Linksys International www.linksys.com/international
Glossary www.linksys.com/glossary
Network Security www.linksys.com/security
Copyright and Trademarks
Linksys, Cisco, and the Cisco Logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Copyright © 2008 Cisco Systems, Inc. All rights reserved. Other brands and product names are trademarks or registered trademarks of their respective holders.
Broadband Firewall Router with 4-Port Switch/VPN Endpoint
i
Table of Contents
Chapter 1: Product Overview 1
Front Panel 1
Back Panel 1
Chapter 2: Advanced Configuration 2
How to Access the Web-Based Utility 2
Setup > Basic Setup 2
Setup > DDNS 6
Setup > MAC Address Clone 7
Setup > Advanced Routing 7
Security > Firewall 8
Security > VPN 9
Restrict Access 11
Applications & Gaming > Port Triggering 14
Applications & Gaming > UPnP Forwarding 14
Applications & Gaming > DMZ 15
Administration > Management 15
Administration > Log 16
Administration > Factory Defaults 17
Administration > Firmware Upgrade 18
Status > Router 18
Status > Local Network 19
Appendix A: Troubleshooting 20
Appendix B: Specifications 21
Appendix C: Warranty Information 22
Limited Warranty 22
Appendix D: Regulatory Information 24
FCC Statement 24
Safety Notices 24
Industry Canada Statement 24
User Information for Consumer Products Covered by EU Directive 2002/96/EC on Waste Electric and Electronic Equipment (WEEE) 25
Appendix E: Software License Agreement 29
Software in Linksys Products 29
Software Licenses 29
Chapter 1
Product Overview

Chapter 1: Product Overview

Thank you for choosing the Linksys by Cisco Broadband Firewall Router with 4-Port Switch/VPN Endpoint. The Router lets you access the Internet through its four switched ports. You can also use the Router to share resources such as computers, printers and files. A variety of security features help to protect your data and your privacy while online. Security features include a Stateful Packet Inspection (SPI) firewall and NAT technology. Configuring the Router is easy using the provided browser-based utility.

Front Panel

Power (Green) The Power LED lights up and will stay on while the Router is powered on. It flashes when the Router goes through its self-diagnostic mode during every boot-up or upgrades its firmware.
DMZ (Green) The DMZ LED lights up when DMZ is enabled.
1-4 (Green) These numbered LEDs correspond with the numbered ports on the Router’s back panel. These LEDs have a dual function. If the LED is continuously lit, the Router is successfully connected to a device through that port. A flashing LED indicates network activity over that port.

Back Panel

Reset There are two ways to reset the Router to its factory default settings. Use a straightened paper clip or similar object to press and hold the Reset button for approximately five seconds. You can also restore the defaults from the Administration > Factory Defaults screen of the Router’s web-based utility.
Internet The Internet port is where you will connect your cable or DSL Internet connection.
1-4 These Ethernet ports (1, 2, 3, 4) connect the Router to computers on your wired network and other Ethernet network devices.
Power The Power port is where you will connect the power adapter.
Internet (Green) The Internet LED lights up when there is a connection made through the Internet port. A flashing LED indicates network activity over the Internet port.
Chapter 2

Chapter 2: Advanced Configuration

After setting up the Router with the Setup Wizard (located on the CD-ROM), the Router will be ready for use. However, if you’d like to change its advanced settings, use the Router’s web-based utility. This chapter describes each web page of the utility and each page’s key functions. You can access the utility via a web browser on a computer connected to the Router.
The web-based utility has these main tabs: Setup, Security, Restrict Access, Applications & Gaming, Administration, and Status. Additional tabs will be available after you click one of the main tabs.
NOTE: When first installing the Router, you should use the Setup Wizard on the Setup CD-ROM. If you want to configure advanced settings, use this chapter to learn about the web-based utility.
Advanced Configuration

Setup > Basic Setup

How to Access the Web-Based Utility

To access the web-based utility, launch the web browser on your computer, and enter the Router’s default IP address, 192.168.1.1, in the Address field. Then, press Enter.
A login screen will appear. Leave the User Name field blank. The first time you open the web-based utility, use the default password admin. (You can set a new password from the Administration > Management screen.) Click OK to continue.
Login Screen
Setup > Basic Setup
The first screen that appears is the Basic Setup screen. This allows you to change the Router’s general settings.
Internet Setup
The Internet Setup section configures the Router to your Internet connection. Most of this information can be obtained through your Internet Service Provider (ISP).
Internet Connection Type
Select the type of Internet connection your ISP provides from the drop-down menu. These are the available types:
Obtain an IP Automatically (DHCP)
Static IP
PPPoE
RAS
PPTP
Heart Beat Signal
L2TP
Obtain an IP Automatically
By default, the Router’s Internet Connection Type is set to Obtain an IP automatically, which should be kept only if your ISP supports DHCP or you are connecting through a dynamic IP address. (This option usually applies to cable connections.)
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
Internet Connection Type > Obtain an IP Automatically
Static IP
If you are required to use a permanent IP address to connect to the Internet, select Static IP.
Internet Connection Type > Static IP
IP Address Enter the Router’s IP address, as seen from the Internet. This is provided by your ISP.
Subnet Mask Enter the Router’s subnet mask, as seen by users on the Internet (including your ISP). This is provided by your ISP.
Default Gateway Your ISP will provide you with the IP address of the ISP server.
Primary DNS and Secondary DNS Your ISP will provide you with at least one DNS (Domain Name System) Server IP Address.
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
PPPoE
Some DSL-based ISPs use PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections. If you are connected to the Internet through a DSL line, check with your ISP to see if they use PPPoE. If they do, you will have to enable PPPoE.
Internet Connection Type > PPPoE
User Name and Password Enter the User Name and Password provided by your ISP.
Service Name If provided by your ISP, enter the Service Name.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. To use this option, select Connect on Demand. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet connection terminates. The default Max Idle Time is 5 minutes.
Keep Alive: Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, select Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. The default Redial Period is 30 seconds.
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
When you are finished, click the Save Settings button. Then click the Status tab, and click the Connect button to start the connection.
RAS
Remote Access Service (RAS) is a service that applies to connections in Singapore only. For users in Singapore, check with Singtel for information on RAS.
Internet Connection Type > RAS
User Name and Password Enter the User Name and Password provided by Singtel.
RAS Plan Select the type of plan you have.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. To use this option, select Connect on Demand. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet connection terminates. The default Max Idle Time is 5 minutes.
Keep Alive: Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, select Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. The default value is 30 seconds.
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
When you are finished, click the Save Settings button. Then click the Status tab, and click the Connect button to start the connection.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is a service that applies to connections in Europe only.
Internet Connection Type > PPTP
IP Address Enter the Router’s IP address, as seen from the Internet. This is provided by your ISP.
Subnet Mask Enter the Router’s subnet mask, as seen by users on the Internet (including your ISP). This is provided by your ISP.
Default Gateway Your ISP will provide you with the IP address of the ISP server.
User Name and Password Enter the User Name and Password provided by your ISP.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. To use this option, select Connect on Demand. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet connection terminates. The default Max Idle Time is 5 minutes.
Keep Alive: Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, select Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. The default value is 30 seconds.
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
When you are finished, click the Save Settings button. Then click the Status tab, and click the Connect button to start the connection.
Heart Beat Signal
Heart Beat Signal is a service used in Australia only. If you are using a Heart Beat Signal connection, check with your ISP for the necessary setup information.
Internet Connection Type > Heart Beat Signal
User Name and Password Enter the User Name and Password provided by your ISP.
Heart Beat Server Enter the IP address of your ISP’s Heart Beat server. This is provided by your ISP.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. To use this option, select Connect on Demand. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet connection terminates. The default Max Idle Time is 5 minutes.
Keep Alive: Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, select Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. The default value is 30 seconds.
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
When you are finished, click the Save Settings button. Then click the Status tab, and click the Connect button to start the connection.
L2TP
L2TP is a service that applies to connections in Israel only.
Internet Connection Type > L2TP
Server IP Address Enter the IP address of the L2TP server. This is provided by your ISP.
User Name and Password Enter the User Name and Password provided by your ISP.
Connect on Demand: Max Idle Time You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. To use this option, select Connect on Demand. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet connection terminates. The default Max Idle Time is 5 minutes.
Keep Alive: Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, select Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. The default Redial Period is 30 seconds.
Host Name/Domain Name Enter a Host Name and Domain Name if required by your ISP.
MTU The MTU option specifies the largest packet size permitted for network transmission. Select Enable if you do not want the Router to regulate this packet size (otherwise, leave it set at Disable) and enter the value desired. You should leave this value in the 1200 to 1500 range. Most DSL users should use the default of 1492.
When you are finished, click the Save Settings button. Then click the Status tab, and click the Connect button to start the connection.
Network Setup
The Network Setup section changes the settings on the network connected to the Router’s Ethernet ports.
Local IP Address The default value is 192.168.1.1.
Subnet Mask The default value is 255.255.255.0.
Network Address Server Settings (DHCP)
The settings allow you to configure the Router’s Dynamic Host Configuration Protocol (DHCP) server function. The Router can be used as a DHCP server for your network. A DHCP server automatically assigns an IP address to each computer on your network. If you choose to enable the Router’s DHCP server option, make sure there is no other DHCP server on your network.
Local DHCP Server DHCP is enabled by factory default. If you already have a DHCP server on your network, or you don’t want a DHCP server, then select Disable (no other DHCP features will be available).
Start IP Address Enter a value for the DHCP server to start with when issuing IP addresses. Because the Router’s default IP address is 192.168.1.1, the Start IP Address must be 192.168.1.2 or greater, but smaller than 192.168.1.253. The default is 192.168.1.100.
Number of Address Enter the maximum number of computers that you want the DHCP server to assign IP addresses to. This number cannot be greater than 253. The default is 50.
DHCP Address Range Displayed here is the range of available IP addresses.
Client Lease Time The Client Lease Time is the amount of time a network user will be allowed connection to the Router with their current dynamic IP address. Enter the amount of time, in minutes, that the user will be “leased” this dynamic IP address. After the time is up, the user will be automatically assigned a new dynamic IP address. The default is 0 minutes, which means one day.
Time Setting For accurate timekeeping in the Router’s logs and functions, select your local time zone from the drop-down menu. Select Default NTP Server or User-Defined NTP Server.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.

Setup > DDNS

The Router offers a Dynamic Domain Name System (DDNS) feature. DDNS lets you assign a fixed host and domain name to a dynamic Internet IP address. It is useful when you are hosting your own website, FTP server, or other server behind the Router.
Before you can use this feature, you need to sign up for DDNS service with a DDNS service provider, www.dyndns.org or www.TZO.com. If you do not want to use this feature, keep the default setting, Disabled.
DDNS
DDNS Service
If your DDNS service is provided by DynDNS.org, then select DynDNS.org from the drop-down menu. If your DDNS service is provided by TZO, then select TZO. The features available on the DDNS screen will vary, depending on which DDNS service provider you use.
DynDNS.org
Setup > DDNS > DynDNS.org
User Name Enter the User Name for your DDNS account.
Password Enter the Password for your DDNS account.
Host Name This is the DDNS URL assigned by the DDNS service.
Internet IP Address The Router’s Internet IP address is displayed here. Because it is dynamic, it will change.
Status The status of the DDNS service connection is displayed here.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
TZO.com
Setup > DDNS > TZO
E-mail Address, TZO Password Key, and Domain Name Enter the settings of the account you set up with TZO.
Internet IP Address The Router’s Internet IP address is displayed here. Because it is dynamic, it will change.
Status The status of the DDNS service connection is displayed here.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.

Setup > MAC Address Clone

A MAC address is a 12-digit code assigned to a unique piece of hardware for identification. Some ISPs will require you to register a MAC address in order to access the Internet. If you do not wish to re-register the MAC address with your ISP, you may assign the MAC address you have currently registered with your ISP to the Router with the MAC Address Clone feature.
Setup > MAC Address Clone
MAC Clone
MAC Clone Service To have the MAC address cloned, select Enable.
MAC Address Enter the MAC address registered with your ISP here.
Clone Click this button to clone the MAC address of the computer you are using.

Setup > Advanced Routing

This screen is used to set up the Router’s advanced functions. Dynamic Routing automatically adjusts how packets travel on your network. Static Routing sets up a fixed route to another network destination.
Setup > Advanced Routing
Advanced Routing
NAT
Enable/Disable If this Router is hosting your network’s connection to the Internet, keep the default, Enable. If another router exists on your network, select Disable. When the NAT setting is disabled, the Dynamic Routing feature can be enabled.
Dynamic Routing (RIP)
Enable/Disable This feature enables the Router to automatically adjust to physical changes in the network’s layout and exchange routing tables with the other router(s). The Router determines the network packets’ route based on the fewest number of hops between the source and the destination. When the NAT setting is enabled, the Dynamic Routing feature is automatically disabled. When the NAT setting is disabled, this feature is available. Select Enable to use the Dynamic Routing feature.
Transmit RIP Version To use dynamic routing for transmission of network data, select the protocol you want: RIP1, RIP1-Compatible, or RIP2.
Receive RIP Version To use dynamic routing for reception of network data, select the protocol you want, RIP1 or RIP2.
Static Routing
A static route is a pre-determined pathway that network information must travel to reach a specific host or network. Enter the information described below to set up a new static route.
Select Entry To set up a static route between the Router and another network, select a number from the drop-down list. Click Delete Entry to delete a static route.
Destination IP Address Enter the IP address of the remote network or host to which you want to assign a static route.
Subnet Mask Enter the subnet mask. This determines which portion of a Destination IP Address is the network portion, and which portion is the host portion.
Gateway Enter the IP address of the gateway device that allows for contact between the Router and the remote network or host.
Hop Count Enter the maximum number of steps between network nodes that data packets will travel. A node is any device on the network, such as a computer, print server, or router.
Interface Select the appropriate interface. This tells you whether the Destination IP Address is on the LAN (Local Area Network) or the Internet.
Click Show Routing Table to view the static routes you have already set up.
Advanced Routing > Routing Table
Routing Table
For each route, the Destination LAN IP address, Subnet Mask, Gateway, Hop Count, and Interface are displayed. Click Refresh to update the information.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
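To see how the Router would use the entries in this Routing Table, here is an added example (my own code, not Linksys firmware) that models a table with the same five fields, picks the most specific matching route for a packet with the lowest Hop Count breaking ties, falls back to a 0.0.0.0 / 0.0.0.0 default route, and runs the sanity checks a practitioner would want before saving a route. The route entries, the LAN subnet and the gateway checks are constructed assumptions, not Linksys rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: the Router's own LAN, using the manual's defaults (192.168.1.1 / 255.255.255.0)
ROUTER_LAN = ipaddress.IPv4Network("192.168.1.0/24")


@dataclass(frozen=True)
class StaticRoute:
    """One row of the Routing Table, with the same five fields as the Static Routing screen."""
    destination: str   # Destination IP Address
    subnet_mask: str   # Subnet Mask
    gateway: str       # Gateway (next hop)
    hop_count: int     # Hop Count
    interface: str     # Interface: "LAN" or "Internet"

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False turns e.g. 10.20.5.9 / 255.255.255.0 into 10.20.5.0/24, which is what the mask means
        return ipaddress.IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=False)


def validate_route(route: StaticRoute) -> List[str]:
    """Sanity checks to run before saving a route. These are my assumptions, not Linksys rules:
    a LAN-side route's gateway must sit in the Router's own LAN subnet, an Internet-side
    route's gateway must not, the interface must be one of the two choices, and the hop count
    must be at least 1. Returns a list of problems; empty means the route looks sane."""
    problems = []
    gw = ipaddress.IPv4Address(route.gateway)
    if route.interface == "LAN" and gw not in ROUTER_LAN:
        problems.append(f"LAN gateway {gw} is not inside {ROUTER_LAN}")
    elif route.interface == "Internet" and gw in ROUTER_LAN:
        problems.append(f"Internet gateway {gw} is inside the LAN subnet {ROUTER_LAN}")
    elif route.interface not in ("LAN", "Internet"):
        problems.append(f"unknown interface {route.interface!r}")
    if route.hop_count < 1:
        problems.append("hop count must be at least 1")
    return problems


def lookup(table: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Choose the route for a packet addressed to dst: the most specific match (longest prefix)
    wins, and among equally specific routes the lowest Hop Count wins. An entry of
    0.0.0.0 / 0.0.0.0 matches everything and so acts as the default route; None means
    no route matches at all."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.hop_count))


# Constructed sample table: a second router on the LAN reaches 10.20.0.0/16, a more specific
# route for one of its subnets via another LAN device, and the ISP gateway (a documentation
# address) as the default route on the Internet interface.
SAMPLE_TABLE = [
    StaticRoute("10.20.0.0", "255.255.0.0", "192.168.1.254", 2, "LAN"),
    StaticRoute("10.20.5.0", "255.255.255.0", "192.168.1.253", 1, "LAN"),
    StaticRoute("0.0.0.0", "0.0.0.0", "203.0.113.1", 1, "Internet"),
]

if __name__ == "__main__":
    for route in SAMPLE_TABLE:
        for problem in validate_route(route):
            print("check:", route.destination, problem)
    for dst in ("10.20.5.7", "10.20.9.1", "198.51.100.4"):
        chosen = lookup(SAMPLE_TABLE, dst)
        print(dst, "->", f"{chosen.gateway} via {chosen.interface}" if chosen else "no route")
```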

Security > Firewall

Security > Firewall
The Firewall screen allows you to enable or disable the firewall, which shields your network from outside users, and manage different filters, which provide additional protection. Filters block specific internal users from accessing the Internet and block anonymous Internet requests and/or multicasting.
Firewall Protection To add Firewall Protection, click Enabled. If you do not want Firewall Protection, click Disabled.
Additional Filters
This area allows you to block, or filter, certain Internet applications from your network. Click the box next to those applications you wish to filter.
Filter Proxy Use of WAN proxy servers may compromise the Router’s security. Denying Filter Proxy will disable access to any WAN proxy servers. To enable proxy filtering, click Enabled.
Filter Cookies A cookie is data stored on your PC and used by Internet sites when you interact with them. To enable cookie filtering, click Enabled.
Filter Java Applets Java is a programming language for websites. If you deny Java Applets, you run the risk of not having access to Internet sites created using this programming language. To enable Java Applet filtering, click Enabled.
Filter ActiveX ActiveX is a programming language for websites. If you deny ActiveX, you run the risk of not having access to Internet sites created using this programming language. To enable ActiveX filtering, click Enabled.
Block WAN Requests
Use these features to enhance your network’s security and filter multicasting.
Block Anonymous Internet Requests This feature makes it more difficult for outside users to work their way into your network. This feature is enabled by default. Select Disabled to allow anonymous Internet requests.
Filter Multicast Multicasting allows for multiple transmissions to specific recipients at the same time. If multicasting is permitted, then the Router will allow IP multicast packets to be forwarded to the appropriate computers. Select Enabled to filter multicasting. This feature is disabled by default.
Filter Internet NAT Redirection This feature uses port forwarding to block access to local servers from local networked computers. Select Enabled to filter Internet NAT redirection. This feature is disabled by default.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.

Security > VPN

The VPN screen allows you to enable VPN tunnels.
Security > VPN
VPN Passthrough
IPSec Passthrough Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. To allow IPSec tunnels to pass through the Router, keep the default, Enabled.
PPPoE Passthrough Point-to-Point Protocol over Ethernet (PPPoE) Passthrough allows your computer(s) to use the PPPoE client software provided by your ISP. Some ISPs may request that you use this feature on the Router. To allow PPPoE Passthrough, keep the default, Enabled.
PPTP Passthrough Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. To allow PPTP tunnels to pass through the Router, keep the default, Enabled.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
VPN Tunnel
Security > VPN Tunnel
Establishing a Tunnel
The Router creates a tunnel or channel between two endpoints, so that the data or information between these endpoints is secure. To establish this tunnel, select the tunnel you wish to create in the Select Tunnel Entry drop-down box. It is possible to create up to two simultaneous tunnels. To delete a tunnel, click the Delete button. To view a summary of that tunnel, click the Summary button.
Then check the box next to Enable to enable the tunnel.
Once the tunnel is enabled, enter the name of the tunnel in the Tunnel Name field. This is to allow you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Local Secure Group and Remote Secure Group
A Local Secure Group is a computer(s) on your network that can access the tunnel. A Remote Secure Group is a computer(s) on the remote end of the tunnel that can access the tunnel. Under Local Secure Group and Remote Secure Group, you may choose one of three options: Subnet, IP Address, and IP Range. Under Remote Secure Group, you have two additional options: Host and Any.
Broadband Firewall Router with 4-Port Switch/VPN Endpoint
Subnet If you select Subnet (which is also the default),
this will allow all computers on the local subnet to access the tunnel. When using the Subnet setting, the default values of 0 should remain in the last fields of the IP and Mask settings.
IP Address If you select IP Address, only the computer with the specific IP Address that you enter will be able to access the tunnel.
IP Range If you select IP Range, it will be a combination of Subnet and IP Address. You can specify a range of IP Addresses within the Subnet which will have access to the tunnel.
The next two options are for Remote Secure Groups only.
Host If you select Host for the Remote Secure Group, then the Remote Secure Group will be the same as the Remote Security Gateway setting: IP Address, FQDN (Fully Qualified Domain Name), or Any.
Any If you select Any for the Remote Secure Group, the local VPN Router will accept a request from any IP address. This setting should be chosen when the other endpoint is using DHCP or PPPoE on the Internet side. Because the remote address is not checked in this case, the security of the tunnel rests entirely on the keys configured under Key Management, so choose them carefully.
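The following is an added example, not code from the Linksys guide, that models how the Subnet, IP Address, IP Range and Any options of the Local and Remote Secure Groups decide which hosts a tunnel covers. The function names and the sample addresses are assumptions made for the illustration; the rule that a Subnet entry keeps 0 in its last IP field is the guide's, enforced here by rejecting an entry with host bits set.

```python
# Added example (not from the Linksys guide): a small model of the Local
# Secure Group / Remote Secure Group selectors. The function names and the
# sample addresses are assumptions made for this illustration.
import ipaddress


def build_selector(kind, ip=None, mask=None, end=None):
    """Turn one Secure Group entry into something selector_contains() can test.

    kind is one of the utility's options: "Subnet", "IP Address",
    "IP Range", or (remote side only) "Any".
    """
    if kind == "Subnet":
        # strict=True rejects an entry whose host bits are set, e.g.
        # 192.168.1.5 / 255.255.255.0, which is what the guide's advice
        # to leave the last IP field at 0 protects against.
        return ipaddress.ip_network(f"{ip}/{mask}", strict=True)
    if kind == "IP Address":
        return ipaddress.ip_network(f"{ip}/32")
    if kind == "IP Range":
        start, stop = ipaddress.ip_address(ip), ipaddress.ip_address(end)
        if stop < start:
            raise ValueError("range end lies before range start")
        return (start, stop)
    if kind == "Any":
        return ipaddress.ip_network("0.0.0.0/0")
    raise ValueError(f"unknown Secure Group option {kind!r}")


def selector_contains(selector, address):
    """True when address falls inside the selector built above."""
    addr = ipaddress.ip_address(address)
    if isinstance(selector, tuple):          # IP Range
        start, stop = selector
        return start <= addr <= stop
    return addr in selector                  # Subnet, IP Address, Any


def packet_allowed(local_sel, remote_sel, src, dst):
    """True when an outbound packet src -> dst is covered by the tunnel:
    src must be in the Local Secure Group and dst in the Remote Secure Group."""
    return selector_contains(local_sel, src) and selector_contains(remote_sel, dst)


if __name__ == "__main__":
    # Constructed sample: a /24 office LAN talking to a handful of remote hosts.
    local = build_selector("Subnet", "192.168.1.0", "255.255.255.0")
    remote = build_selector("IP Range", "10.0.0.10", end="10.0.0.20")
    print(packet_allowed(local, remote, "192.168.1.50", "10.0.0.15"))   # True
    print(packet_allowed(local, remote, "192.168.1.50", "10.0.0.21"))   # False
```

Traffic that does not match both selectors is not sent through the tunnel at all; it leaves the Router as ordinary Internet traffic, which is why the groups on the two ends must mirror each other (this end's Remote Secure Group is the other end's Local Secure Group).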
Remote Security Gateway
The Remote Security Gateway is the VPN device, such as a second VPN Router, on the remote end of the VPN tunnel. Under Remote Security Gateway, you have three options: IP Address, FQDN, and Any. In this section, you can also set the levels and types of encryption and authentication.
IP Address If you select IP Address, enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. Make sure that you have entered the IP Address correctly, or the connection cannot be made. Remember, this is NOT the IP Address of the local VPN Router, but the IP Address of the remote VPN Router or device with which you wish to communicate. This option assumes the remote address is static (permanent); if the remote device has a dynamic (changing) address, the tunnel will stop working whenever that address changes, so use FQDN or Any instead.
FQDN (Fully Qualified Domain Name) If you select FQDN, enter the FQDN of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com.
Any If you select Any for the Remote Security Gateway, the Router does not check the address of the VPN device at the other end and will accept a tunnel request from any IP address. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. If the remote user has an unknown or dynamic IP address (such as a professional on the road or a telecommuter using DHCP or PPPoE), then Any should be selected. Because the Router then has no address to send to, the remote end must initiate the tunnel.
Encryption Using Encryption also helps make your connection more secure. There are two different types of encryption: DES or 3DES (3DES is recommended because it is more secure; DES uses a 56-bit key that can be recovered by brute force with modest resources, so avoid it whenever the other end supports 3DES). You may choose either of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel. Or, you may choose not to encrypt by selecting Disable, in which case the tunnel carries traffic in the clear and provides no confidentiality.
Authentication Authentication acts as another level of security by letting the receiver detect packets that were altered or forged in transit. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to Disable authentication, although modified packets will then go undetected.
Key Management
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and on the keys used to encrypt and decrypt the data. Under Key Management, you may choose automatic or manual key management.
Automatic Key Management Select Auto (IKE) and enter a series of numbers or letters in the Pre-shared Key field. This pre-shared key MUST be entered identically at both ends of the tunnel if this method is used: the two ends use it to prove their identity to each other, and IKE then negotiates the keys that scramble (encrypt) the data transmitted over the tunnel and unscramble (decrypt) it at the other end. You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed. Since this word is the only thing that authenticates the other end, use a long random string rather than a guessable one. Check the box next to PFS (Perfect Forward Secrecy) to have IKE perform a fresh key exchange each time the data keys are renewed, so that a key recovered later cannot be used to decrypt earlier traffic. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be useful, or leave it blank for the key to last indefinitely; a shorter lifetime limits how much traffic any one key protects.
Manual Key Management Similarly, you may choose Manual keying, which allows you to generate the key yourself. Enter your key into the Encryption KEY field. Then enter an Authentication KEY into the Authentication KEY field. These fields must both match the information entered in the fields at the other end of the tunnel. Up to 24 alphanumeric characters are allowed to create the Encryption Key. Up to 20 alphanumeric characters are allowed to create the Authentication Key. Manual keys are never renewed automatically, so anyone who obtains them can read all traffic the tunnel has ever carried; prefer Auto (IKE) unless the other end cannot use it.
The Inbound SPI and Outbound SPI fields are different, however: they are not copied from one end to the other but swapped. The Inbound SPI value set here must match the Outbound SPI value at the other end of the tunnel, and the Outbound SPI here must match the Inbound SPI value at the other end. Only numbers can be used in these fields. After you click the Save Settings button, hexadecimal characters (series of letters and numbers) are displayed in the Inbound SPI and Outbound SPI fields.
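The following is an added example, not code from the Linksys guide, that checks the Key Management settings of both ends of a tunnel against each other before Connect is clicked, for both Auto (IKE) and Manual keying. The dictionary layout, field names and sample values are assumptions made for the illustration; the limits it enforces (up to 24 alphanumeric characters for the pre-shared and encryption keys, 20 for the authentication key, numeric SPIs that are swapped between the two ends) are the ones the guide states.

```python
# Added example (not from the Linksys guide). Field names such as "spi_in"
# and the sample values are assumptions made for this illustration.
import secrets
import string

ALNUM = set(string.ascii_letters + string.digits)


def check_key(value, max_len, label):
    """Return a list of problems with one key field (empty list = fine)."""
    problems = []
    if not value:
        problems.append(f"{label} is empty")
    elif len(value) > max_len:
        problems.append(f"{label} is longer than {max_len} characters")
    if value and set(value) - ALNUM:
        problems.append(f"{label} contains characters other than letters and digits")
    return problems


def check_tunnel_pair(a, b):
    """Compare the two ends of one tunnel and return a list of problems.

    Each end is a dict, for example
      {"mode": "Auto (IKE)", "encryption": "3DES", "authentication": "SHA",
       "psk": "...", "pfs": True, "lifetime": "3600"}
    or
      {"mode": "Manual", "encryption": "3DES", "authentication": "SHA",
       "enc_key": "...", "auth_key": "...", "spi_in": "1001", "spi_out": "1002"}
    """
    problems = []
    for field in ("mode", "encryption", "authentication"):
        if a.get(field) != b.get(field):
            problems.append(f"{field} differs: {a.get(field)!r} vs {b.get(field)!r}")
    # The utility allows weak or absent protection; flag it rather than accept it.
    if a.get("encryption") in ("DES", "Disable"):
        problems.append(f"encryption is {a['encryption']}: prefer 3DES")
    if a.get("authentication") == "Disable":
        problems.append("authentication disabled: altered packets go undetected")

    if a.get("mode") == "Auto (IKE)":
        problems += check_key(a.get("psk", ""), 24, "pre-shared key")
        if a.get("psk") != b.get("psk"):
            problems.append("pre-shared keys differ")
        if a.get("pfs") != b.get("pfs"):
            problems.append("PFS enabled on one side only")
        for side, cfg in (("A", a), ("B", b)):
            lifetime = cfg.get("lifetime", "")
            if lifetime and not lifetime.isdigit():
                problems.append(f"side {side}: key lifetime must be a number of seconds")
    elif a.get("mode") == "Manual":
        for side, cfg in (("A", a), ("B", b)):
            for p in check_key(cfg.get("enc_key", ""), 24, "encryption key"):
                problems.append(f"side {side}: {p}")
            for p in check_key(cfg.get("auth_key", ""), 20, "authentication key"):
                problems.append(f"side {side}: {p}")
            for name in ("spi_in", "spi_out"):
                if not str(cfg.get(name, "")).isdigit():
                    problems.append(f"side {side}: {name} must be numeric")
        if a.get("enc_key") != b.get("enc_key") or a.get("auth_key") != b.get("auth_key"):
            problems.append("manual keys differ between the two ends")
        # The guide's rule: inbound SPI here equals outbound SPI there, and vice versa.
        if a.get("spi_in") != b.get("spi_out"):
            problems.append("A's inbound SPI does not match B's outbound SPI")
        if a.get("spi_out") != b.get("spi_in"):
            problems.append("A's outbound SPI does not match B's inbound SPI")
    return problems


def generate_psk(length=24):
    """Random pre-shared key using the full 24 alphanumeric characters the field allows."""
    alphabet = sorted(ALNUM)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: a correct manual-key pair, then the common mistake of
    # copying the SPIs across instead of swapping them.
    end_a = {"mode": "Manual", "encryption": "3DES", "authentication": "SHA",
             "enc_key": "k1" * 12, "auth_key": "a" * 20, "spi_in": "1001", "spi_out": "1002"}
    end_b = dict(end_a, spi_in="1002", spi_out="1001")
    print(check_tunnel_pair(end_a, end_b))        # []
    print(check_tunnel_pair(end_a, dict(end_a)))  # SPI mismatch reported
    print(generate_psk())
```

Run the two configurations through check_tunnel_pair() before clicking Connect; an empty list means the ends agree. generate_psk() produces a key that fills the 24-character field with random letters and digits, which is the strongest value the Auto (IKE) mode accepts.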
The Status field at the bottom of the screen will show when a tunnel is active.
To connect a VPN tunnel, click the Connect button. The View Logs button, when logging is enabled on the