Linksys BEFSX41 User Manual

Instant Broadband®Series
EtherFast® Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
Use this guide to install: BEFSX41
User Guide
COPYRIGHT & TRADEMARKS
Specifications are subject to change without notice. Copyright © 2003 Linksys, All Rights Reserved. EtherFast, Instant Broadband, Linksys, and the Linksys logo are registered trademarks of Linksys Group, Inc. Microsoft, Windows, and the Windows logo are registered trademarks of Microsoft Corporation. All other trademarks and brand names are the property of their respective proprietors.
LIMITED WARRANTY
Linksys guarantees that every Instant Broadband® EtherFast® Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint will be free from physical defects in material and workmanship for one year from the date of purchase, when used within the limits set forth in the Specifications section of this User Guide.
This Warranty is valid and may be processed only in the country of purchase. If the product proves defective during this warranty period, go to the Linksys website at www.linksys.com for complete RMA (Return Merchandise Authorization) assistance. You can also call Linksys Technical Support in order to obtain an RMA Number. BE SURE TO HAVE YOUR PROOF OF PURCHASE AND A BARCODE FROM THE PRODUCT'S PACKAGING ON HAND WHEN CALLING. RETURN REQUESTS CANNOT BE PROCESSED WITHOUT PROOF OF PURCHASE. When returning a product, mark the RMA Number clearly on the outside of the package and include a copy of your original proof of purchase. All customers located outside of the United States of America and Canada shall be held responsible for shipping and handling charges.
IN NO EVENT SHALL LINKSYS’S LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR ITS DOCUMENTATION. LINKSYS OFFERS NO REFUNDS FOR ITS PRODUCTS. Linksys makes no warranty or representation, expressed, implied, or statutory, with respect to its products or the contents or use of this documentation and all accompanying software, and specifically disclaims its quality, performance, merchantability, or fitness for any particular purpose. Linksys reserves the right to revise or update its products, software, or documentation without obligation to notify any individual or entity. Please direct all inquiries to:
Linksys P.O. Box 18558, Irvine, CA 92623.
FCC STATEMENT
The Instant Broadband EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which is found by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna
• Increase the separation between the equipment or devices
• Connect the equipment to an outlet other than the receiver’s
• Consult a dealer or an experienced radio/TV technician for assistance
BEFSX41-UG-30227D JL
EC Declaration of Conformity (Europe)
In compliance with the EMC Directive 89/336/EEC, Low Voltage Directive 73/23/EEC, and Amendment Directive 93/68/EEC, this product meets the requirements of the following standards:
• EN55022 Emission
• EN55024 Immunity
Industry Canada (Canada)
This Class B digital apparatus complies with Canadian ICES-003.
This Class (B) digital apparatus complies with Canadian standard NMB-003.

Table of Contents

Chapter 1: Introduction
  The Linksys EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
  Features
  An Introduction to LANs and WANs
  IP Addresses
  Network Setup Overview
Chapter 2: Your Virtual Private Network (VPN)
  Why Do I Need a VPN?
  What is a Virtual Private Network?
Chapter 3: Getting to Know the EtherFast Cable/DSL Firewall Router
  The Router’s Back Panel
  The Router’s Front Panel LEDs
Chapter 4: Connect the Router
  Overview
  Connecting Your Hardware Together and Booting Up
Chapter 5: Configure the PCs
  Overview
  Configuring Windows 95, 98, and Millennium PCs
  Configuring Windows 2000 PCs
  Configuring Windows XP PCs
Chapter 6: Configure the Router
Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility
  Overview
  Quick and Easy Router Administration
  Setup
  Firewall
  VPN
  Password
  Status
  DHCP
  Log
  Help
  Advanced
  Filters
  Forwarding
  Dynamic Routing
  Static Routing
  DMZ Host
  MAC Address Clone
  DDNS
Appendix A: Troubleshooting
  Common Problems and Solutions
  Frequently Asked Questions
Appendix B: Maximizing VPN Security
Appendix C: Configuring IPSec between a Windows 2000 or XP PC and the Firewall Router
  Introduction
  Environment
  Step One: Create an IPSec Policy
  Step Two: Build Filter Lists
  Step Three: Configure Individual Tunnel Rules
  Step Four: Assign New IPSec Policy
  Step Five: Create a Tunnel Through the Web-based Utility
Appendix D: SNMP Functions
Appendix E: How to Ping Your ISP’s E-mail & Web Addresses
Appendix F: Installing the TCP/IP Protocol
Appendix G: Finding the MAC Address and IP Address for Your Ethernet Adapter
Appendix H: Glossary
Appendix I: Specifications
  Environmental
Appendix J: Warranty Information
Appendix K: Contact Information

Chapter 1: Introduction

The Linksys EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
The Linksys Instant Broadband EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint is the perfect solution for connecting a small group of PCs to a high-speed broadband Internet connection or a 10/100 Ethernet backbone. The Router can be configured to limit internal users’ Internet access based on URLs and/or time periods—URL filtering and time filtering. For enhanced protection against intruders from the Internet, the Router features an advanced Stateful Packet Inspection firewall.
Use the Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint to create up to two IPSec VPN tunnels, so you can securely connect to the corporate server from your home office—or any location when you’re on the road. The Router provides a dedicated port for DMZ hosting and acts as the only externally recognized Internet gateway on your local area network (LAN). With the performance and security features of the Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint, your network will take advantage of the Internet while keeping its data secure.
Features
• Supports Universal Plug-and-Play
• Protects PCs from Ping of Death, SYN Flood, Land Attacks, IP Spoofing, and Other DoS (Denial of Service) Attacks
• Supports Up to Two IPSec Virtual Private Network (VPN) Tunnels
• Supports URL Filtering and Time Filtering
• Blocks Proxy, Java, ActiveX, and Cookies
• Easily Configurable through a Web Browser from Any Networked PC
• Supports IPSec and PPTP Pass-Through
• Administer and Upgrade Your Router Remotely over the Internet
• Supports Traffic and Event Logging
• Configurable as a DHCP Server on Your Network
• Administrators Can Block Specific Internal Users’ Internet Access with Filtering
• Supports SNMP ver. 2.0 and SNMP MIB I and II
• Supports NTP (Network Time Protocol) for Synchronization with Real-Time Server
• Support for PPPoE Connection
• Dedicated Port for DMZ
An Introduction to LANs and WANs
Simply put, a router is a network device that connects two networks together. In this instance, the Router connects your Local Area Network (LAN), or the group of PCs in your home or office, to the Wide Area Network (WAN), that is, the Internet. The Router processes and regulates the data that travels between these two networks.
Think of the Router as a network device with two sides: the first side is made up of your private Local Area Network (LAN) of PCs. The other, public side is the Internet, or the Wide Area Network (WAN), outside of your home or office.
The Router’s firewall (NAT) protects your network of PCs so users on the public, Internet side cannot “see” your PCs. This is how your LAN, or network, remains private. The Router protects your network by inspecting the first packet coming in through the WAN port before delivery to the final destination on the LAN port. The Router inspects Internet port services like the web server, ftp server, or other Internet applications, and, if allowed, it will forward the packet to the appropriate PC on the LAN side.
Remember that the Router’s ports connect to two sides: your 10/100 LAN ports and the Internet WAN port. The WAN and LAN ports transmit data at 10 Mbps or 100 Mbps.
IP Addresses
What’s an IP Address?
IP stands for Internet Protocol. Every device on an IP-based network, including PCs, print servers, and routers, requires an IP address to identify its “location,” or address, on the network. This applies to both the WAN and LAN connections. There are two ways of assigning an IP address to your network devices.
Static IP Addresses
A static IP address is a fixed IP address that you assign manually to a PC or other device on the network. Since a static IP address remains valid until you disable it, static IP addressing ensures that the device assigned it will always have that same IP address until you change it. Static IP addresses are commonly used with network devices such as server PCs or print servers.
If you use the Router to share your cable or DSL Internet connection, contact your ISP to find out if they have assigned a static IP address to your account. If so, you will need that static IP address when configuring the Router. You can get the information from your ISP.
Dynamic IP Addresses
A dynamic IP address is automatically assigned to a device on the network, such as PCs and print servers. These IP addresses are called “dynamic” because they are only temporarily assigned to the PC or device. After a certain time period, they expire and may change. If a PC logs onto the network (or the Internet) and its dynamic IP address has expired, the DHCP server will assign it a new dynamic IP address.
For DSL users, many ISPs may require you to log on with a user name and password to gain access to the Internet. This is a dedicated, high-speed connection type called Point to Point Protocol over Ethernet (PPPoE). PPPoE is similar to a dial-up connection, but PPPoE does not dial a phone number when establishing a connection. PPPoE also will provide the Router with a dynamic IP address to establish a connection to the Internet.
DHCP (Dynamic Host Configuration Protocol) Servers
PCs and other network devices using dynamic IP addressing are assigned a new IP address by a DHCP server. The PC or network device obtaining an IP address is called the DHCP client. DHCP frees you from having to assign IP addresses manually every time a new user is added to your network.
A DHCP server can either be a designated PC on the network or another network device, such as the Router. By default, the Router’s WAN setting is DHCP client.
Note: Since the Router is a device that connects two networks, it needs two IP addresses—one for the LAN side, and one for the WAN side. In this User Guide, you’ll see references to the “WAN IP address” and the “LAN IP address.”
Since the Router has firewall security, the only IP address that can be seen from the Internet for your network is the Router’s WAN IP address. However, even this WAN IP address for the Router can be blocked, so that the Router and network seem invisible to the Internet—see the Blocking WAN Requests description under Filters in “Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility.”
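
An added example (not from the Linksys guide) that audits a small LAN's address plan for the problems this chapter warns about: a static address that falls inside the DHCP range or collides with another device, and more than one DHCP server answering on the LAN. 192.168.1.1 is the Router address used in this guide; the DHCP range bounds, host names and DHCP observations are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# All values below are constructed for illustration. 192.168.1.1 is the Router
# address used in this guide; the DHCP range bounds are assumed, so read the
# real ones from the DHCP tab of the Router's web-based utility.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.149")

# Hypothetical devices that were given static addresses by hand.
STATIC_HOSTS = {
    "print-server": "192.168.1.20",
    "file-server": "192.168.1.120",   # inside the assumed DHCP range
    "old-pc": "192.168.1.1",          # collides with the Router
    "lab-pc": "192.168.2.15",         # not on the LAN subnet
    "nas": "192.168.1.20",            # same address as print-server
}

# Constructed DHCP OFFER observations: (server_ip, offered_ip, client_mac).
DHCP_OFFERS = [
    ("192.168.1.1", "192.168.1.100", "00:11:22:33:44:01"),
    ("192.168.1.1", "192.168.1.101", "00:11:22:33:44:02"),
    ("192.168.1.50", "192.168.1.100", "00:11:22:33:44:03"),
]


def audit_static_hosts(hosts, lan=LAN, router=ROUTER_LAN_IP,
                       pool_start=POOL_START, pool_end=POOL_END):
    """Return sorted (name, address, problem) tuples for static assignments."""
    findings = []
    by_addr = defaultdict(list)
    for name, text in hosts.items():
        addr = ipaddress.ip_address(text)
        by_addr[addr].append(name)
        if addr not in lan:
            findings.append((name, text, "outside LAN subnet"))
        elif addr == router:
            findings.append((name, text, "same as Router LAN IP"))
        elif pool_start <= addr <= pool_end:
            findings.append((name, text, "inside DHCP range"))
    # Two devices configured with the same static address will conflict.
    for addr, names in by_addr.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, str(addr), "duplicate static address"))
    return sorted(findings)


def extra_dhcp_servers(offers, expected=ROUTER_LAN_IP):
    """Return DHCP servers seen answering that are not the expected one."""
    seen = {ipaddress.ip_address(server) for server, _, _ in offers}
    return sorted(str(s) for s in seen if s != expected)


def conflicting_offers(offers):
    """Return addresses that were offered to more than one client MAC."""
    macs = defaultdict(set)
    for _, offered, mac in offers:
        macs[offered].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    for finding in audit_static_hosts(STATIC_HOSTS):
        print("static:", *finding)
    print("extra DHCP servers:", extra_dhcp_servers(DHCP_OFFERS))
    print("conflicting offers:", conflicting_offers(DHCP_OFFERS))
```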

By default, a DHCP server (LAN side) is enabled on the Router. If you already have a DHCP server running on your network, you must disable one of the two DHCP servers. If you run more than one DHCP server on your network, you will experience network errors, such as conflicting IP addresses. To disable DHCP on the Router, see the DHCP section in “Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility.”
Note: Even if you assign a static IP address to a PC, other PCs can still use DHCP’s dynamic IP addressing, as long as the static IP address is not within the DHCP range of the LAN IP Address.
If the dynamic IP addressing fails to provide a dynamic IP address, refer to “Appendix A: Troubleshooting.”
Network Setup Overview
This user guide covers the basic steps for setting up a network with a router. After going through “Chapter 3: Getting to Know the EtherFast Cable/DSL Firewall Router,” most users will only need to use the following chapters:
Chapter 4: Connect the Router
This chapter instructs you on how to connect the cable or DSL modem to the Router and connect the PC(s) to the Router.
Chapter 5: Configure the PCs
This chapter instructs you on how to configure your PC(s) for a DHCP connection, if the network settings are not already set to DHCP.
Chapter 6: Configure the Router
This chapter explains how to configure the Router using your web browser and the Router’s web-based utility. You will configure the Router using the settings provided by your ISP.
When you’re finished with the basic steps, then you are ready to connect to the Internet. After the PC(s) can access the Internet through the Router, you can alter the Router’s settings further; for example, you can adjust security features and other settings to enable online gaming.

Chapter 2: Your Virtual Private Network (VPN)

Why Do I Need a VPN?
Computer networking provides a flexibility not available when using an archaic, paper-based system. With this flexibility, however, comes an increased risk in security. This is why firewalls were first introduced. Firewalls help to protect data inside of a local network. But what do you do once information is sent outside of your local network, when emails are sent to their destination, or when you have to connect to your company's network when you are out on the road? How is your data protected?
That is when a VPN can help. VPNs are called Virtual Private Networks because they secure data moving outside of your network as if it were still within that network.
When data is sent out across the Internet from your computer, it is always open to attacks. You may already have a firewall, which will help protect data moving around or held within your network from being corrupted or intercepted by entities outside of your network, but once data moves outside of your network—when you send data to someone via email or communicate with an individual over the Internet—the firewall will no longer protect that data.
At this point, your data becomes open to hackers using a variety of methods to steal not only the data you are transmitting but also your network login and security data. Some of the most common methods are as follows:
1) MAC Address Spoofing
Packets transmitted over a network, either your local network or the Internet, are preceded by a packet header. These packet headers contain both the source and destination information for that packet to transmit efficiently. A hacker can use this information to spoof (or fake) a MAC address allowed on the network. With this spoofed MAC address, the hacker can also intercept information meant for another user.
2) Data Sniffing
Data “sniffing” is a method used by hackers to obtain network data as it travels through unsecured networks, such as the Internet. Tools for just this kind of activity, such as protocol analyzers and network diagnostic tools, are often built into operating systems and allow the data to be viewed in clear text.
3) Man in the middle attacks
Once the hacker has either sniffed or spoofed enough information, he can now perform a “man in the middle” attack. This attack is performed, when data is being transmitted from one network to another, by rerouting the data to a new destination. Even though the data is not received by its intended recipient, it appears that way to the person sending the data.
These are only a few of the methods hackers use and they are always developing more. Without the security of your VPN, your data is constantly open to such attacks as it travels over the Internet. Data travelling over the Internet will often pass through many different servers around the world before reaching its final destination. That's a long way to go for unsecured data and this is when a VPN serves its purpose.
What is a Virtual Private Network?
A VPN, or Virtual Private Network, is a connection between two endpoints - a VPN Router, for instance - in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. This establishes a private network that can send data securely between these two locations or networks.
This is done by creating a “tunnel”. A VPN tunnel connects the two PCs or networks and allows data to be transmitted over the Internet as if it were still within those networks. Not a literal tunnel, it is a connection secured by encrypting the data sent between the two networks.
VPN was created as a cost-effective alternative to using a private, dedicated, leased line for a private network. Using industry standard encryption and authentication techniques—IPSec, short for IP Security—the VPN creates a secure connection that, in effect, operates as if you were directly connected to your local network. Virtual Private Networking can be used to create secure networks linking a central office with branch offices, telecommuters, and/or professionals on the road (travelers can connect to a VPN Router using any computer with VPN client software that supports IPSec, such as SSH Sentinel).
There are two basic ways to create a VPN connection:
• Firewall Router to Firewall Router
• Computer (using VPN client software that supports IPSec) to Firewall Router
The Firewall Router creates a “tunnel” or channel between two endpoints, so that data transmissions between them are secure. A computer with VPN client software that supports IPSec can be one of the two endpoints. Any computer with the built-in IPSec Security Manager (Microsoft 2000 and XP) allows the Firewall Router to create a VPN tunnel using IPSec (refer to “Appendix C: Configuring IPSec between a Microsoft Windows 2000 or XP PC and the Firewall Router”). Other versions of Microsoft operating systems require additional, third-party VPN client software applications that support IPSec to be installed.
Firewall Router to Firewall Router
An example of a Firewall Router-to-Firewall Router VPN would be as follows. (See Figure 2-1.) At home, a telecommuter uses his Firewall Router for his always-on Internet connection. His router is configured with his office's VPN settings. When he connects to his office's router, the two routers create a VPN tunnel, encrypting and decrypting data. As VPNs utilize the Internet, distance is not a factor. Using the VPN, the telecommuter now has a secure connection to the central office's network, as if he were physically connected.
Figure 2-1
Computer (using VPN client software that supports IPSec) to Firewall Router
The following is an example of a computer-to-Firewall Router VPN. (See Figure 2-2.) In her hotel room, a traveling businesswoman dials up her ISP. Her notebook computer has VPN client software that is configured with her office's VPN settings. She accesses the VPN client software that supports IPSec and connects to the Firewall Router at the central office. As VPNs utilize the Internet, distance is not a factor. Using the VPN, the businesswoman now has a secure connection to the central office's network, as if she were physically connected.
Figure 2-2
For additional information and instructions about creating your own VPN, please visit Linksys’s website at www.linksys.com or refer to “Appendix C: Configuring IPSec between a Microsoft Windows 2000 or XP PC and the Firewall Router.”
Important: You must have at least one Firewall Router on one end of the VPN tunnel. At the other end of the VPN tunnel, you must have a second Firewall Router or a computer with VPN client software that supports IPSec.

Chapter 3: Getting to Know the EtherFast Cable/DSL Firewall Router

The Router’s Back Panel
The Router’s ports, shown in Figure 3-1, are where network cables are connected.
Figure 3-1
WAN: The WAN (Wide Area Network) port is where you connect your cable or DSL modem through an Ethernet cable. Your modem connection will not work from any other port.
Ports 1-3: These three LAN (Local Area Network) ports are where you will connect networked devices, such as PCs, print servers, switches, and anything else you want to put on your network. (These ports auto-detect crossover and straight-through cables.)
Port 4/DMZ: Port 4/DMZ operates like a regular LAN port to connect with network devices, unless DMZ is enabled through the Cable/DSL Firewall Router’s web-based utility. Once DMZ is enabled, this port will be accessible with NO PROTECTION from the firewall. Be sure to disable the DMZ function through the web-based utility if you want this port shielded by the Cable/DSL Firewall Router’s firewall. (This port auto-detects crossover and straight-through cables.)
Power: The Power port is where you will connect the power adapter.
The Reset Button
Briefly pressing the Reset Button will refresh the Cable/DSL Firewall Router’s connections, potentially clearing any jammed links.
Pressing the Reset Button and holding it in for a few seconds will clear all of the Cable/DSL Firewall Router’s data. This should be done only if you are experiencing heavy routing problems, and only after you have exhausted all of the other troubleshooting options. By resetting the Cable/DSL Firewall Router, you run the risk of creating conflicts between your PCs’ actual IP Addresses and what the Cable/DSL Firewall Router thinks their IP Addresses should be. You may be forced to reboot the entire system(s).
If the Cable/DSL Firewall Router locks up, simply power it down for three to five seconds by removing the power cable from the Cable/DSL Firewall Router’s Power Port. Leaving the power off for too long could result in the loss of network connections.
The Router’s Front Panel LEDs
The Router’s LEDs, shown in Figure 3-2, provide a graphic display of activity.
Figure 3-2
Diag: Red. The Diag LED lights up when the Router goes through its self-diagnosis mode during every boot-up. It will turn off upon successful completion of the diagnosis. If this LED stays on for an abnormally long period of time, see “Appendix A: Troubleshooting.”
DMZ: Green. The DMZ LED lights up when the Cable/DSL Firewall Router’s DMZ function is enabled. Enabling this function will remove firewall protection from Port 4/DMZ.
Power: Green. The Power LED lights up when the Router is powered on.
WAN and LAN LEDs
Link/Act: Green. The Link/Act LED serves two purposes. If the LED is continuously lit, the Router is successfully connected to a device through the corresponding port (1, 2, 3 or 4/DMZ). If the LED is flickering, the Router is actively sending or receiving data over that port.
Full/Col: Green. The Full/Col LED also serves two purposes. If this LED is lit up continuously, the connection made through the corresponding port is running in Full Duplex mode. If the LED flickers, the connection is experiencing collisions. Infrequent collisions are normal. If this LED flickers too often, there may be a problem with your connection. See “Appendix A: Troubleshooting” if you encounter this problem.
100: Orange. The 100 LED lights up when a successful 100Mbps connection is made through the corresponding port. If this LED does not light up, then your connection speed is 10 Mbps.
Proceed to “Chapter 4: Connect the Router.”

Chapter 4: Connect the Router

Overview
Unlike a hub or a switch, the Router’s setup consists of more than simply plugging hardware together. You will have to configure your networked PCs to accept the IP addresses that the Router assigns them (if applicable), and you will also have to configure the Router with setting(s) provided by your Internet Service Provider (ISP).
The installation technician from your ISP should have left the setup information with you after installing your broadband connection. If not, you can call your ISP to request the data.
Once you have the setup information you need for your specific type of Internet connection, you can begin installation and setup of the Router.
The diagram in Figure 4-1 shows a typical configuration.
Figure 4-1 (diagram labels: Cable or DSL Modem, Cable/DSL Firewall Router, PC with Ethernet Adapter, Notebook with Ethernet Adapter, WAN, LAN)
Connecting Your Hardware Together and Booting Up
1. Before you begin, make sure that all of your hardware is powered off, including the Router, PCs, hubs, switches, and cable or DSL modem.
2. Connect one end of an Ethernet cable to one of the LAN ports (labeled 1, 2, 3, or 4/DMZ) on the back of the Router, and the other end to a standard port on a network device, e.g., a PC, print server, hub, or switch (see Figure 4-2).
Figure 4-2
Repeat the above step to connect more PCs or network devices to the Router.
3. Connect the Ethernet cable from your cable or DSL modem to the WAN port on the Router’s back panel, as shown in Figure 4-3. This is the only port that will work for your modem connection.
Figure 4-3
4. As shown in Figure 4-4, connect the power adapter to the Power port on the back panel of the Router, and then plug the power adapter into a power outlet.
Figure 4-4
The Power LED on the front panel will light up green as soon as the power adapter is connected properly. (The LEDs are shown in Figure 4-5.)
Figure 4-5
The Diag LED will light up red for a few seconds when the Router goes through its self-diagnostic test. This LED will turn off when the self-test is complete.
5. Turn on the cable or DSL modem and PCs.
The Router’s hardware installation is now complete.
EtherFast®Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
1. Go to the Network screen by clicking the Start button. Click Settings and then Control Panel. From there, double-click the Network icon.
2. On the Configuration tab, shown in Figure 5-1, select the TCP/IP line for the applicable Ethernet adapter. Do not choose a TCP/IP entry whose name mentions DUN, PPPoE, VPN, or AOL. If the word TCP/IP appears by itself, select that line. (If there is no TCP/IP line listed, refer to “Appendix F: Installing the TCP/IP Protocol” or your Ethernet adapter’s user guide to install TCP/IP now.) Click the Properties button.
15
Instant Broadband®Series

Chapter 5: Configure the PCs

The instructions in this chapter will help you configure each of your comput­ers to be able to communicate with the Router.
T o do this, you need to configure your PC’s network settings to obtain an IP (or TCP/IP) address automatically (called DHCP). Computers use IP addresses to communicate with each other across a network or the Internet.
Find out which operating system your computer is running, such as Windows 95, 98, Millennium, NT 4.0, 2000, or XP. You will need to know which oper­ating system your computer is running. You can find out by clicking the Start button and then going to the Settings option. Then click Control Panel, and then double-click the System icon. If your Start menu doesn’t have a Settings option, you’re running Windows XP. Click the Cancel button when done.
You may need to do this for each computer you are connecting to the Router.
The next few pages tell you, step by step, how to configure your network set­tings based on the type of W indows operating system you are using. Make sure that an Ethernet card or adapter has been successfully installed in each PC you will configure. Once you’ve configured your computers, continue to “Chapter 6: Configure the Router.”
14
Figure 5-1
Configuring Windows 95, 98, and Millennium PCs
Important: These instructions apply only to Windows 95, Windows 98, Windows Millennium, Windows 2000, or Windows XP machines. For TCP/IP setup under Windows NT, see your Windows manual. By default Windows 98, 2000, Me, and XP has TCP/IP installed and set to obtain an IP address automatically.
Overview
EtherFast®Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
1. Go to the Network screen by clicking the Start button. Click Settings and then Control Panel. From there, double-click the Network and Dial-up Connections icon.
2. Select the Local Area Connection icon for the applicable Ethernet adapter (usually it is the first Local Area Connection listed). Double-click the Local Area Connection. (See Figure 5-3.) Click the Properties button.
17
Instant Broadband®Series
3. Click the IP Address tab and select Obtain an IP address automatically,
as shown in Figure 5-2.
4. Now click the Gateway tab to ensure that the Installed Gateway field is left blank. Click the OK button.
5. Click the OK button again. Windows may ask you for the original Windows installation disk or additional f iles. Supply them by pointing to the correct file location, e.g., D:\win98, D:\win9x, c:\windows\options\cabs, etc. (if “D” is the letter of your CD-ROM drive).
6. Windows may ask you to restart your PC. Click the Yes button. If W indows does not ask you to restart, restart your computer anyway.
Go to “Chapter 6: Configure the Router.”
16
Configuring Windows 2000 PCs
Figure 5-3
Figure 5-2
EtherFast®Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
The following instructions assume you are running Windows XP with the default interface. If you are using the Classic interface (where the icons and menus look like previous Windows versions), please follow the instructions for Windows 2000.
1. Click to the Network screen by clicking the Start button and then Control Panel. From there, click the Network and Internet Connections icon and then the Network Connections icon.
2. Select the Local Area Connection icon for the applicable Ethernet adapter (usually it is the first Local Area Connection listed). Double-click the Local Area Connection. (See Figure 5-6.) Click the Properties button.
19
Instant Broadband®Series
3. Select Internet Protocol (TCP/IP), shown in Figure 5-4, and click the Properties button.
4. Select Obtain an IP address automatically in both places, as shown in Figure 5-5, and click the OK button. Click the OK button again to complete the PC configuration.
5. Restart your computer.
Go to “Chapter 6: Configure the Router.”
18
Configuring Windows XP PCs
Figure 5-6
Figure 5-4
Figure 5-5
EtherFast®Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
21
Instant Broadband®Series
3. Select Internet Protocol (TCP/IP), as shown in Figure 5-7, and click the Properties button.
4. Select Obtain an IP address automatically in both places, as shown in Figure 5-8, and click the OK button. Click the OK button again to complete the PC configuration.
5. Restart your computer.
Go to “Chapter 6: Configure the Router.”

Chapter 6: Configure the Router

This chapter will show you how to configure the Router to function in your network and gain access to the Internet through your Internet Service Provider (ISP). A detailed description of the Router’s Web-based Utility can be found in “Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility.” Your ISP may require the use of a Host Name and Domain Name. Further, you will set the WAN Connection Type on the Router’s Setup tab based on the information provided by your ISP. You will need the setup information from your ISP. If you do not have this information, please contact your ISP before proceeding.
The instructions from your ISP will tell you how to set up your PC for Internet access. Because you are now using the Router to share Internet access among several computers, you will use the setup information to configure the Router instead of your PC. You only need to configure the Router once using the first computer you set up.
1. Open your web browser. (It is all right if you get an error message at this point. Continue following these directions.) Enter http://192.168.1.1 in the web browser’s Address field, as shown in Figure 6-1. Press the Enter key.
2. An Enter Network Password window, shown in Figure 6-2, will appear (Windows XP users will see a Connect to 192.168.1.1 window, shown in Figure 6-3). Leave the User Name field empty, and enter admin in lowercase letters in the Password field (admin is the default password). Then, click the OK button.
Figure 6-1
Figure 6-2
Figure 6-3
Figure 5-7
Figure 5-8
Obtain an IP Address Automatically
If your ISP says that you are connecting through DHCP or a dynamic IP address from your ISP, perform these steps:
A. Select Obtain an IP Automatically as the WAN Connection Type. (Shown in Figure 6-4.)
B. Click the Apply and Continue buttons to save the setting, or click the Cancel button to clear the setting and start over. When you are finished, then proceed to step 5.
Static IP Address
If your ISP says that you are connecting through a static or fixed IP address from your ISP, perform these steps:
A. Select Static IP as the WAN Connection Type. (Shown in Figure 6-5.)
B. Enter the IP Address.
C. Enter the Subnet Mask.
D. Enter the Gateway Address.
E. Enter the DNS in the 1, 2, and/or 3 fields. You need to enter at least one DNS address.
F. Click the Apply and Continue buttons to save the settings, or click the Cancel button to clear the settings and start over. When you are finished, then proceed to step 5.
Figure 6-4
Figure 6-5
3. The Router configuration screen will appear with the Setup tab selected. Based on the setup instructions from your ISP, you may need to provide the following information.
Host Name and Domain Name: These fields allow you to provide a host name and domain name for the Router. These fields are usually left blank. If requested by your ISP (usually cable ISPs), complete these two fields.
Device IP Address and Subnet Mask: The values for the Router’s IP Address and Subnet Mask are shown on the Setup screen. The default value is 192.168.1.1 for the IP Address and 255.255.255.0 for the Subnet Mask. Leave these settings alone.
4. The Router supports six connection types: Obtain an IP Address Automatically, Static IP Address, PPPoE, RAS, PPTP, and HBS. These types are listed in the drop-down menu for the WAN Connection Type setting. Each Setup screen and available features will differ depending on what kind of connection type you select. Proceed to the instructions for the connection type you are using. When you are finished with the Setup tab, proceed to step 5.
IMPORTANT: If you have previously enabled any Internet-sharing proxy server software on any of your PCs, you must disable it now.
Some examples of Internet-sharing software are Internet LanBridge, Wingate, ICS, and Sygate. To disable your Internet-sharing software:
If you are running Netscape Navigator, click Edit >> Preferences >> Advanced >> Proxies. Click Direct Connection to the Internet.
If you are running Internet Explorer 5.x or higher, click Start >> Settings >> Control Panel >> Internet Options >> Connections >> LAN Settings. Remove checkmarks from all three boxes. Click the OK button to continue.
Also, you must disable any Internet log-on software (such as Ivasion Winpoet or Enternet 300) and any firewall software (such as ZoneAlarm and Watchdog) on all of your PCs.
PPTP
PPTP is a service used in Europe only. (Shown in Figure 6-8.) If you are using a PPTP connection, check with your ISP for the necessary setup information.
When you are finished with the Setup tab, proceed to step 5.
HBS
HBS is a service used in Australia only. (Shown in Figure 6-9.) If you are using an HBS connection, check with your ISP for the necessary setup information.
When you are finished with the Setup tab, proceed to step 5.
Figure 6-8
Figure 6-9
PPPoE
If your DSL provider says that you are connecting through PPPoE or if you normally enter a user name and password to access the Internet, perform these steps:
A. Select PPPoE as the WAN Connection Type. (Shown in Figure 6-6.)
B. Enter the User Name.
C. Enter the Password.
D. Click the Apply and Continue buttons to save the settings, or click the Cancel button to clear the settings and start over.
E. When you are finished, click the Status tab, and then click the Connect button to start the connection. Proceed to step 5.
RAS
RAS is a service used in Singapore only. (Shown in Figure 6-7.) If you are using a RAS connection, check with your ISP for the necessary setup information.
When you are finished with the Setup tab, proceed to step 5.
Figure 6-6
Figure 6-7
Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility
For your convenience, use the Router’s web-based utility to administer it. This chapter will explain all of the functions in this utility. The utility can be accessed via Microsoft Internet Explorer or Netscape Navigator through use of a computer connected with an Ethernet cable to the Router.
For a basic Router setup, most users only have to use the following screens of the utility:
• Setup Enter the settings provided by your ISP.
• Password The Router’s default password is admin. To secure the Router, change the Password from its default.
The Firewall, VPN, Password, Status, DHCP, Log, and Help tabs are also available for basic setup of the Router. For advanced setup of the Router, click the Advanced tab to access these screens: Filters, Forwarding, Dynamic Routing, Static Routing, DMZ Host, and MAC Address Clone.
To access the web-based utility of the Router, launch Internet Explorer or Netscape Navigator, and enter the Router’s default IP address, 192.168.1.1, in the Address field, as shown in Figure 7-1. Then, press Enter.
Overview
Quick and Easy Router Administration
Figure 7-1
5. If you haven’t already done so, click the Apply button and then the Continue button to save your Setup settings. Close the web browser.
6. Reset the power on your cable or DSL modem.
7. Restart your computers so that they can obtain the Router’s new settings.
If you need advanced setting information, please refer to “Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility” or the Linksys support website at support.linksys.com.
Congratulations! You’ve successfully configured the Router. Test the setup by opening your web browser from any computer and entering www.linksys.com/registration, as shown in Figure 6-10.
If you are unable to reach our website, you may want to review what you did in this section or refer to “Appendix A: Troubleshooting.”
Proceed to “Chapter 7: The Cable/DSL Firewall Router’s Web-based Utility” for more details and advanced settings information.
Figure 6-10
• Device IP Address and Subnet Mask The values for the Router’s IP Address and Subnet Mask are shown here. The default values are 192.168.1.1 for the Device IP Address and 255.255.255.0 for the Subnet Mask.
• WAN Connection Type The Router supports six connection types: DHCP, PPPoE, Static IP, PPTP, RAS, and HBS. Each Setup screen and available features will differ depending on what kind of connection type you select.
Obtain an IP Address Automatically
By default, the Router’s WAN Connection Type is set to obtain an IP address automatically, shown in Figure 7-4, and it should be used only if your ISP supports DHCP.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
An Enter Network Password window, shown in Figure 7-2, will appear (Windows XP users will see a Connect to 192.168.1.1 window, shown in Figure 7-3). Leave the User Name field blank, and enter admin in the Password field. Then click the OK button.
In this section, you’ll find brief descriptions of each web page in the Utility and each page’s key functions.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
The Setup screen is the first screen you see when you access the web-based utility. If you have already installed and set up the Router, you have already seen this screen and properly configured all of the screen’s values.
• Host Name & Domain Name These fields allow you to supply a host and domain name for the Router. Some ISPs require these names as identification. You may have to check with your ISP to see if your broadband Internet service has been configured with a host and domain name. In most cases, leaving these fields blank will work.
• Firmware Version This entry shows the version and date of the firmware you are using. Future versions of the Router’s firmware will be posted and available for download on the Linksys website at www.linksys.com.
• Time Zone Set your local time zone here.
Note: You can test and see if the settings are correct by successfully connecting to the Internet.
Figure 7-4
Setup
Figure 7-2
Figure 7-3
PPPoE
Some DSL-based ISPs use PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections for end-users. If you are connected to the Internet through a DSL line, check with your ISP to see if they use PPPoE. If they do, select the PPPoE connection type, as shown in Figure 7-6.
User Name and Password Enter the User Name and Password provided by your ISP.
Connect on Demand and Max Idle Time You can configure the Router to cut your connection with your ISP after a specified period of time (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the radio button. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet access disconnects.
Keep Alive Option and Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. The default Redial Period is 30 seconds.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
Important: For DSL users, if you need to enable PPPoE support, choose PPPoE. If you do enable PPPoE, remember to remove any PPPoE applications that are already installed on any of your PCs.
Figure 7-6
Static IP
If you are required to use a permanent IP address, then select Static IP, as shown in Figure 7-5.
Specify WAN IP Address This is the IP address that the Router has, when seen from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here.
Subnet Mask This is the Router’s Subnet Mask, as seen by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
Default Gateway Address Your ISP will provide you with the Default Gateway Address.
DNS (Required) Your ISP will provide you with at least one DNS (Domain Name System) Server IP Address.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
Figure 7-5
PPTP
Point to Point Tunneling Protocol (PPTP) is a service that applies to connections in Europe only. Figure 7-8 shows a PPTP setup.
Specify WAN IP Address This is the IP address that the Router has, when seen from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here.
Subnet Mask This is the Router’s Subnet Mask, as seen by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
Default Gateway Address Your ISP will provide you with the Default Gateway Address.
Connect on Demand and Max Idle Time You can configure the Router to cut your connection with your ISP after a specified period of time (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the radio button. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet access disconnects.
Keep Alive Option and Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. The default Redial Period is 30 seconds.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
Figure 7-8
RAS
Remote Access Service (RAS) is a service that applies to connections in Singapore only (shown in Figure 7-7). For users in Singapore, check with Singtel for information on RAS.
User Name and Password Enter the User Name and Password supplied by Singtel.
RAS Plan Select the type of plan you have.
Connect on Demand and Max Idle Time You can configure the Router to cut your connection with your ISP after a specified period of time (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the radio button. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet access disconnects.
Keep Alive Option and Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. The default Redial Period is 30 seconds.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
Figure 7-7
HBS
The HeartBeat Signal (HBS) is a service that applies to connections in Australia only. (Shown in Figure 7-9.) For users in Australia, check with your ISP for setup information.
User Name and Password Enter the User Name and Password supplied by your ISP.
Heart Beat Server Enter the IP address of the Heart Beat Server. This is supplied by your ISP.
Connect on Demand and Max Idle Time You can configure the Router to cut your connection with your ISP after a specified period of time (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the radio button. In the Max Idle Time field, enter the number of minutes you want to have elapsed before your Internet access disconnects.
Keep Alive Option and Redial Period If you select this option, the Router will periodically check your Internet connection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the radio button next to Keep Alive. The default Redial Period is 30 seconds.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
The Firewall Tab, shown in Figure 7-10, allows you to set the Cable/DSL Firewall Router’s level of security. Some environments require greater security while some Internet applications work better with fewer restrictions. This tab allows you to customize these settings.
Advanced Firewall Protection Enable this option to employ SPI (Stateful Packet Inspection) and DoS (Denial of Service). These functions allow for more detailed review of data packets entering your network environment and prevention of Denial of Service attacks.
Firewall
Figure 7-10
Figure 7-9
PPTP Pass Through
Point-to-Point Tunneling Protocol Pass Through is the method used to enable VPN sessions to a Windows NT 4.0 or 2000 server. PPTP Pass Through is enabled by default. To disable this feature, click on Disable next to PPTP Pass Through, and then the Apply button. Click the Continue button.
PPPoE Pass Through
PPPoE Pass Through allows your PC(s) to use the PPPoE client software provided by your ISP. Some ISPs may request that you use this feature on the Router. PPPoE Pass Through is enabled by default. To disable PPPoE Pass Through, click on Disable and then the Apply button. Click the Continue button.
Remote Management
This feature allows you to manage the Router from a remote location, via the Internet. To enable this feature, click on Enable, and enter the port number you want to use when accessing the Router remotely. Click the Apply button and then the Continue button. Remote Management must be activated before you can manage the Router from a remote location. If you wish to use this feature on the browser, enter http://<WAN IP Address>:port. (Enter your specific WAN IP Address in place of <WAN IP Address>, and enter the port number in place of the word port.)
To disable Remote Management, click on Disable, and click the Apply button. Then click the Continue button.
Remote Upgrade
This feature allows you to upgrade the Router’s firmware from a remote location. To enable Remote Upgrade, click on Enable, and then click the Apply button. Then click the Continue button. Remote Management must be activated before you can manage the Router from a remote location.
MTU (Maximum Transmission Unit)
This feature specifies the largest packet size permitted for network transmission. Select Auto to leave the MTU at its factory default value. Select Manual to enable the MTU value you enter in the Size field. It is recommended that you keep this value in the 1200 to 1500 range. For most DSL users, it is recommended to use the value 1492.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button. For further help on this tab, click the Help button.
Web Filter You can either enable or disable these four filtering methods by selecting Allow or Deny.
• Proxy If local users have access to WAN proxy servers, they may be able to circumvent the Router’s content filters and access Internet sites blocked by the Router. Denying Proxy will block access to any WAN proxy servers.
• Java Java is a programming language for websites. If you deny Java, you run the risk of not having access to Internet sites created using this programming language.
• ActiveX ActiveX is a programming language for websites. If you deny ActiveX, you run the risk of not having access to Internet sites created using this programming language.
• Cookie A cookie is data stored on your PC and used by Internet sites when you interact with them, so you may not want to deny cookies.
Block WAN Request
By enabling the Block WAN Request feature, you can prevent your network from being “pinged,” or detected, by other Internet users. The Block WAN Request feature also reinforces your network security by hiding your network ports. Both functions of the Block WAN Request feature make it more difficult for outside users to access your network. This feature is enabled by default. Select Disable to disable this feature. Then click the Apply button and then the Continue button to save your changes.
Multicast Pass Through
IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers. Select Enable to support the feature, or Disable to disable it.
IPSec Pass Through
Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. To allow IPSec tunnels to pass through the Router, IPSec Pass Through is enabled by default. To disable IPSec Pass Through, click on Disable and then the Apply button. Click the Continue button.
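The Password and Firewall tab settings described in this chapter can be reviewed together once they are written down. The Python sketch below is an added example, not part of the Linksys guide or the Router's firmware: it audits a hand-recorded snapshot of those settings. The key names, the severity ratings and both sample snapshots are assumptions constructed for illustration.

```python
# Added example, not Linksys code. The key names are hypothetical labels for
# settings this guide describes on the Password and Firewall tabs; the values
# are copied by hand from the web-based utility. Severities are assumptions.

DEFAULT_PASSWORD = "admin"            # default password stated in this guide
MTU_RECOMMENDED = range(1200, 1501)   # guide: keep the value in 1200 to 1500
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# setting -> (value that weakens the Router, reason based on the tab text)
WEAK_VALUES = {
    "remote_management": ("Enable", "Router can be managed from the Internet"),
    "remote_upgrade": ("Enable", "firmware can be upgraded from a remote location"),
    "block_wan_request": ("Disable", "network can be pinged and its ports are not hidden"),
    "advanced_firewall_protection": ("Disable", "SPI and DoS protection are off"),
}


def audit(snapshot):
    """Return (severity, setting, reason) findings, most severe first."""
    findings = []

    # A setting that was never written down must not be read as safe.
    for key in ("password", *WEAK_VALUES, "mtu_mode"):
        if key not in snapshot:
            findings.append(("low", key, "not recorded; check it on the Router"))

    # The default password matters most when the utility is reachable from the WAN.
    default_pw = snapshot.get("password") == DEFAULT_PASSWORD
    remote_mgmt = snapshot.get("remote_management") == "Enable"
    if default_pw and remote_mgmt:
        findings.append(("high", "password",
                         "default password while Remote Management is enabled"))
    elif default_pw:
        findings.append(("medium", "password", "still the default"))

    for key, (weak, reason) in WEAK_VALUES.items():
        if snapshot.get(key) == weak:
            findings.append(("medium", key, reason))

    # Auto keeps the factory MTU; only a Manual size needs a range check.
    if snapshot.get("mtu_mode") == "Manual":
        size = snapshot.get("mtu_size")
        if not isinstance(size, int) or size not in MTU_RECOMMENDED:
            findings.append(("low", "mtu_size", f"{size!r} is outside 1200 to 1500"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample snapshots (not captured from a real device).
AS_FOUND = {
    "password": "admin", "remote_management": "Enable", "remote_upgrade": "Enable",
    "block_wan_request": "Disable", "advanced_firewall_protection": "Disable",
    "mtu_mode": "Manual", "mtu_size": 1600,
}
HARDENED = {
    "password": "constructed-example-passphrase", "remote_management": "Disable",
    "remote_upgrade": "Disable", "block_wan_request": "Enable",
    "advanced_firewall_protection": "Enable", "mtu_mode": "Auto",
}

if __name__ == "__main__":
    for severity, setting, reason in audit(AS_FOUND):
        print(f"{severity:6} {setting}: {reason}")
    print("hardened findings:", audit(HARDENED))
```

A setting missing from the snapshot is reported rather than assumed safe, so an incomplete record does not pass the audit.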
Virtual Private Networking (VPN) is a security measure that basically creates a secure connection between two remote locations. This connection is very specific as far as its settings are concerned; this is what creates the security. The VPN screen, shown in Figure 7-11, allows you to configure your VPN settings to make your network more secure.
Establishing a Tunnel
The Firewall Router creates a tunnel or channel between two endpoints, so that the data or information between these endpoints is secure. To establish this tunnel, select the tunnel you wish to create in the (Select Tunnel Entry) drop-down box. It is possible to create up to two simultaneous tunnels.
Then check the box next to Enable to enable the tunnel.
Once the tunnel is enabled, enter the name of the tunnel in the Tunnel Name field. This is to allow you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Click the Delete This Tunnel button to delete any tunnel entry. Click the Summary button to view information about the selected tunnel, after the tunnel has been connected.
Note: Network security, while a desirable and often necessary aspect of networking, is complex and requires a thorough understanding of networking principles.
VPN
Figure 7-11