Netgear BR500 User Manual

Download

User Manual

Insight Instant VPN Router

BR500

NETGEAR, Inc.

350 E. Plumeria DriveMarch 2020 San Jose, CA 95134, USA202-11903-04

Insight Instant VPN Router BR500

Support and Community

Visit netgear.com/support to get your questions answered and access the latest downloads.

You can also check out our NETGEAR Community for helpful advice at community.netgear.com.

Regulatory and Legal

Si ce produit est vendu au Canada, vous pouvez accéder à ce document en français canadien à https://www.netgear.com/support/download/.

(If this product is sold in Canada, you can access this document in Canadian French at https://www.netgear.com/support/download/.)

For regulatory compliance information including the EU Declaration of Conformity, visit https://www.netgear.com/about/regulatory/.

See the regulatory compliance document before connecting the power supply.

For NETGEAR’s Privacy Policy, visit https://www.netgear.com/about/privacy-policy.

By using this device, you are agreeing to NETGEAR’s Terms and Conditions at https://www.netgear.com/about/terms-and-conditions. If you do not agree, return the device to your place of purchase within your return period.

Trademarks

Revision History

CommentsPublish DatePublication Part

Number

March 2020202-11903-04

March 2020202-11903-03

April 2019202-11903-02

Revised Limitation for a Mac VPN client on page 9. Revised About Instant VPN connections on page 127.

Added Limitation for a Mac VPN client on page 9. Revised About Instant VPN connections on page 127.

Added IPSec VPN options to the chapter Set Up VPN Connections on page 126.

First publication.October 2018202-11903-01

Chapter 1 Set Up and Access the Router

About this user manual and NETGEAR Insight.................................9

Limitation for a Mac VPN client...........................................................9

Set up the BR500 router with an Internet connection......................9

Set up the BR500 router to connect to a modem......................10

Set up the BR500 router to connect to the LAN of an existing

router...............................................................................................13

Router management options............................................................15

Change the language of the local browser interface....................17

Add the router to an Insight managed network.............................18

Access Insight to manage the router...............................................19

Chapter 2 Specify Your Internet Settings Manually

Use the Internet Setup Wizard..........................................................21

Manually set up the router Internet connection.............................22

Specify a dynamic or fixed IP address Internet connection without

a login..............................................................................................22

Specify a PPPoE Internet connection that uses a login.............24

Specify a PPTP or L2TP Internet connection that uses a login..25

Specify IPv6 Internet connections....................................................27

Requirements for entering IPv6 addresses.................................28

Use Auto Detect for an IPv6 Internet connection......................28

Use Auto Config for an IPv6 Internet connection......................30

Set up an IPv6 6to4 tunnel Internet connection.........................31

Set up an IPv6 6rd Internet connection.......................................33

Set up an IPv6 passthrough Internet connection.......................35

Set up an IPv6 fixed Internet connection....................................35

Set up an IPv6 DHCP Internet connection..................................37

Set up an IPv6 PPPoE Internet connection..................................38

Change the MTU size.........................................................................40

Set Up and Manage Dynamic DNS..................................................42

Set up a new Dynamic DNS account...........................................42

Specify a DNS account that you already created.......................43

Change the Dynamic DNS settings.............................................44

Insight Instant VPN Router BR500

Chapter 3 Manage the Firewall and Security

Manage the basic firewall settings...................................................47

Manage port scan protection and denial of service protection.47

Set up a default DMZ server.........................................................48

Manage IGMP proxying................................................................49

Manage NAT filtering....................................................................49

Manage the SIP application-level gateway.................................50

Allow or block device access to your network................................51

Enable and manage network access control..............................51

Manage network access control lists...........................................53

Add a device to or remove it from the allowed list...................53

Add a device to or remove it from the blocked list...................54

Specify keywords and domains to block Internet sites..................55

Set up keyword and domain blocking........................................55

Specify a trusted device................................................................56

Remove a keyword or domain from the blocked list................57

Remove all keywords and domains from the blocked list........58

Block specific services and applications from the Internet...........59

Add a service blocking rule for a predefined service or

application......................................................................................59

Add a service blocking rule for a custom service or

application......................................................................................60

Change a service blocking rule....................................................62

Remove a service blocking rule...................................................63

Set up a schedule for blocking.........................................................63

Manage custom firewall traffic rules.................................................65

Add a firewall traffic rule...............................................................65

Change a firewall traffic rule.........................................................67

Remove a traffic rule......................................................................68

Remove several or all traffic rules from the firewall...................68

Chapter 4 Manage the LAN and VLAN Settings

Change the router network device name........................................71

Manage the default IP address settings and LAN subnets...........71

Change the LAN IP address settings for a LAN subnet.............72

Manage the DHCP server address pool for a LAN subnet.......73

Disable the DHCP server for a LAN subnet................................74

Manage the Router Information Protocol settings....................75

Add a LAN subnet..........................................................................76

Remove a LAN subnet...................................................................78

Manage VLANs...................................................................................79

VLAN concepts...............................................................................79

Port-based VLAN concepts...........................................................79

Insight Instant VPN Router BR500

Management VLAN concepts......................................................80

Add a VLAN....................................................................................81

Change a VLAN..............................................................................82

Change the PVID for a LAN port..................................................83

Remove a VLAN..............................................................................84

Manage reserved LAN IP addresses................................................85

Reserve a LAN IP Address for a LAN subnet..............................85

Change a reserved IP address for a LAN subnet.......................86

Remove a reserved IP address entry for a LAN subnet.............87

Add and manage IPv4 static routes.................................................87

Add an IPv4 static route................................................................88

Change an IPv4 static route..........................................................89

Remove an IPv4 static route..........................................................90

Enable an IPTV bridge for a port group or VLAN tag group........91

Enable an IPTV bridge for a port group......................................91

Enable an IPTV bridge for a VLAN tag group............................92

Chapter 5 Optimize Performance

Use Dynamic QoS to optimize Internet traffic management........95

Enable Dynamic QoS and set the Internet bandwidth..............95

Enable or disable the automatic update of the QoS database.96

Manually update the QoS database on the router....................97

Improve network connections with Universal Plug and Play........98

Chapter 6 Maintain the Router

Check for new firmware and update the router...........................101

Change the admin password..........................................................102

Set up password recovery...............................................................103

Recover the admin password.........................................................104

Manage the configuration file of the router..................................105

Back up the router configuration file.........................................105

Restore the router configuration settings.................................106

Return the router to its factory default settings............................107

Use the Reset button...................................................................107

Erase the settings.........................................................................108

Manage the activity log...................................................................109

Specify which activities the router logs.....................................109

View or clear the logs..................................................................110

Monitor and meter Internet traffic..................................................111

Start the traffic meter without traffic restrictions......................111

Restrict Internet traffic by volume..............................................112

Restrict Internet traffic by connection time...............................113

View the Internet traffic volume and statistics..........................114

Unblock the traffic meter after the traffic limit is reached......115

Insight Instant VPN Router BR500

Chapter 7 Monitor the router and the router network

View devices currently on the network..........................................118

Display the network map and VPN map........................................119

View VPN groups and VPN devices in a VPN network of an Insight

managed router................................................................................119

Check the Internet connection status and manage the

connection.........................................................................................121

Display the port statistics.................................................................123

Display the router status, CPU and memory usage, and

temperature......................................................................................123

Display the WAN traffic processed on the router........................124

Monitor the router throughput.......................................................125

Chapter 8 Set Up VPN Connections

About Instant VPN connections......................................................127

Set up an IPSec VPN connection....................................................127

Add an IPSec VPN policy on the router....................................129

Customize Phase 1 and Phase 2 settings for an IPSec policy.131

Enable or disable an IPSec VPN tunnel.....................................134

Change an existing IPSec VPN policy.......................................135

Remove an existing IPSec VPN policy.......................................136

Set up an OpenVPN connection....................................................136

Enable and configure OpenVPN on the router.......................137

Install OpenVPN client software on a remote client................138

Install the OpenVPN client utility and VPN configuration files

on a Windows-based computer............................................139

Install the OpenVPN client utility and VPN configuration files

on a Mac...................................................................................140

Install the OpenVPN client utility and VPN configuration files

on an iOS device.....................................................................141

Install the OpenVPN client utility and VPN configuration files

on an Android device.............................................................142

Chapter 9 Manage Port Forwarding and Port Triggering Traffic Rules

Manage port forwarding to a local server for services and

applications.......................................................................................144

Forward incoming traffic for a default service or application.144

Add a port forwarding rule for a custom service or

application....................................................................................145

Change a port forwarding rule..................................................146

Remove a port forwarding rule..................................................147

Application example: Make a local web server public...........148

Insight Instant VPN Router BR500

How the router implements a port forwarding rule................149

Manage port triggering for services and applications................149

Add a port triggering rule..........................................................150

Change a port triggering rule....................................................151

Remove a port triggering rule....................................................152

Specify the time-out for port triggering....................................153

Disable port triggering...............................................................154

Application example: Port triggering for Internet Relay Chat.154

Chapter 10 Troubleshooting

Reboot the router from the local browser interface....................157

Quick tips...........................................................................................157

Sequence to restart your network.............................................157

Check Ethernet cable connections............................................158

Network settings..........................................................................158

Troubleshoot with the LEDs............................................................158

Standard LED behavior when the router is powered on........158

Power LED is off...........................................................................159

Power LED stays amber..............................................................159

WAN LED or LAN LEDs are off...................................................159

You cannot log in to the router.......................................................160

You cannot access the Internet.......................................................161

Check the WAN IP address........................................................161

Troubleshoot PPPoE....................................................................163

Troubleshoot Internet browsing................................................164

Changes are not saved....................................................................164

Troubleshoot your network using the ping utility of your

computer...........................................................................................165

Test the LAN path from your computer to the router.............165

Test the path from your computer to a remote device...........166

Appendix A Supplemental information

Factory settings.................................................................................168

Technical specifications...................................................................170

Set Up and Access the Router

This user manual is for the NETGEAR Insight Instant VPN Router BR500, in this manual referred to as the router.

The router is designed to provide firewall and VPN gateway functionality for small business environments with up to 50 users. A pair of routers can provide VPN functionality to users between remote sites. A VPN group with up to three routers can provide a complete meshed network between three locations.

The router functionality includes Network Address Translation (NAT) routing and classical routing, a configurable firewall, VLANs for guest networks and better network segmentation, and IPv6.

This chapter describes how you can connect the router to the Internet and how you can access and log in to the router.

The chapter contains the following sections:

• About this user manual and NETGEAR Insight

• Limitation for a Mac VPN client

• Set up the BR500 router with an Internet connection

• Router management options

• Log in to the local browser interface

• Change the language of the local browser interface

• Add the router to an Insight managed network

• Access Insight to manage the router

Note: This user manual complements the installation guide and hardware installation guide that you can download by visiting netgear.com/support/download/.

Note: For more information about the topics that are covered in this manual, visit the support website at netgear.com/support/.

Note: Firmware updates with new features and bug fixes are made available from time to time at netgear.com/support/download/. You can check for and download new firmware manually. If the features or behavior of your product does not match what is described in this manual, see the latest firmware release notes for your switch model.

Insight Instant VPN Router BR500

About this user manual and NETGEAR Insight

This user manual describes the router’s local browser–based management interface, in this manual referred to as the local browser interface. That is, this manual describes the tasks that you can perform using the local browser interface. However, the router is designed to function with NETGEAR Insight as an Insight managed device and to provide virtual private networking (VPN) using the NETGEAR Insight mobile app and Cloud Portal.

For information about NETGEAR Insight and how you can use the NETGEAR Insight mobile app and Cloud Portal to discover the router, add it to an Insight network, and use Insight and the router to set up VPN connections, see the NETGEAR knowledge base articles at netgear.com/support/ and the Insight user manual at downloads.netgear.com/files/GDC/Insight/Insight_UM_EN.pdf.

For general information about NETGEAR Insight, visit netgear.com/insight.

Limitation for a Mac VPN client

If you use a NETGEAR Insight Instant VPN configuration, the Mac VPN client does not function in a client-to-gateway VPN connection.

Set up the BR500 router with an Internet connection

You can set up the router in two ways:

Single router providing Internet access. If the BR500 router is the single router in

• your network, connect the router directly to a modem, such as a DSL or cable modem that is connected to the Internet, and set up the Internet connection. See Set up the BR500 router to connect to a modem on page 10.

Secondary router connected to an existing LAN. If another router provides the

• Internet connection, connect the BR500 router to the LAN that is broadcast by the

other router and set up the Internet connection of the BR500 router. See Set up the BR500 router to connect to the LAN of an existing router on page 13.

User Manual9Set Up and Access the Router

Insight Instant VPN Router BR500

Set up the BR500 router to connect to a modem

If the BR500 router is the single router in your network, connect the router directly to a modem, such as a DSL or cable modem that is connected to the Internet, and set up the Internet connection. Before you start, locate your Internet service provider (ISP) configuration information.

After you physically connect the router, you can let the NETGEAR installation assistant set up your router automatically. For DSL service, you might need the following information to set up the Internet connection for your router:

The ISP configuration information for your DSL account.

•

The ISP login name and password.

•

Fixed or static IP address setting (special deployment by the ISP; this setting is rare).

•

The NETGEAR installation assistant runs on any device with a web browser. Installation and basic setup takes about 15 minutes to complete.

To connect the BR500 router to a modem anduse the NETGEAR installation assistant to automatically get an Internet connection:

Unplug the modem’s power, leaving the modem connected to the wall jack for your Internet service.

If the modem uses a battery backup, remove the battery.

2. Using an Ethernet cable, connect the modem to the Internet WAN port on the router.

3. Plug in and turn on the modem. If the modem uses a battery backup, put the battery back in before you turn on the

modem.

4. Connect the router to power. After you connect the router to power, the Power LED on the front panel blinks green

and then lights solid green.

If the Power LED does not light at all, press the Power On/Off button.

Use a computer or mobile device to connect to the local browser interface of the router by doing one of the following:

Use a computer with a wired Ethernet connection. Do the following:

•

Configure a computer to obtain an IP address automatically using DHCP.

b. Connect the computer with an Ethernet cable to a LAN port on the router.

You can use LAN port 1, 2, 3, or 4. The conmputer receives an IP address from the router.

User Manual10Set Up and Access the Router

Insight Instant VPN Router BR500

Use a mobile device to connect to the router over WiFi. Do the following:

•

Configure a WiFi access point to obtain an IP address automatically using DHCP.

b. Connect the access point with an Ethernet cable to a LAN port on the router.

You can use LAN port 1, 2, 3, or 4. The access point receives an IP address from the router.

c. Connect your mobile device to the access point.

6. From the computer or mobile device, launch a web browser and enter https://www.routerlogin.net in the address field.

You can also enter https://www.routerlogin.com or enter the IP address in this format: https://192.168.1.1. The default IP address for the router is 192.168.1.1.

For security, we recommend that you enter https rather than http. However, if you enter http, the browser automatically redirects your request to https. Your browser might display a security message, which you can ignore (also see the following step).

If the browser does not display the login window, do the following:

• Your browser displays a security message and does not let you proceed. Consider

the following examples:

Google Chrome. If Google Chrome displays a Your connection is not private

•

message, click the ADVANCED link. Then, click the Proceed to 192.168.1.1 (unsafe) link, in which x.x.x.x represents the IP address of the switch, and install a security certificate.

Apple Safari. If Apple Safari displays a This connection is not private message,

•

click the Show Details button. Then, click the visit this website link. If a warning pop-up window opens, click the Visit Website button. If another pop-up window opens to let you confirm changes to your certificate trust settings, enter your Mac user name and password and click the Update Setting button.

Mozilla Firefox. If Mozilla Firefox displays a Your connection is not secure

•

message, click the ADVANCED button. Then, click the Add Exception button. In the pop-up window that opens, click the Confirm Security Exception button and install a security certificate

Microsoft Internet Explore. If Microsoft Internet Explorer displays a There is

•

a problem with this website’s security certificate message, click the Continue to this website (not recommended) link and install a security certificate.

Microsoft Edge. If Microsoft Edge displays a There is a problem with this

•

website’s security certificate message or a similar warning, select Details > Go on to the webpage and install a security certificate.

User Manual11Set Up and Access the Router

Insight Instant VPN Router BR500

•

If you use a wired Ethernet connection, make sure that the computer is connected to one of the LAN Ethernet ports of the router.

•

If you use a mobile device, make sure that mobile device is connected to the access point and that the access point is connected to one of the LAN Ethernet ports of the router.

• Make sure that the router is receiving power and that its Power LED is lit.

• Close and reopen the browser or clear the browser cache.

•

If you use a wired Ethernet connection, if the computer is set to a static or fixed IP address (this setting is uncommon), change it to obtain an IP address automatically from the router.

•

If you use a mobile device, if the access point to which your device is connected is set to a static or fixed IP address (this setting is uncommon), change it to obtain an IP address automatically from the router.

In the login window, enter admin for the user name and password for the password. The NETGEAR installation assistant starts and searches your Internet connection for

servers and protocols to determine your Internet configuration. NETGEAR installation assistant guides you through connecting the router to the Internet and setting up a new admin password for the router.

Note: If you prefer to set up the Internet connection of your router manually, see Manually set up the router Internet connection on page 22.

When the router connects to the Internet, the Internet WAN LED lights solid green.

If the router does not connect to the Internet, do the following: a. Review your settings. Make sure that you selected the correct options and typed

everything correctly.

Contact your ISP to verify that you are using the correct configuration information.

Read You cannot access the Internet on page 161. If problems persist, register your product and contact NETGEAR technical support.

Note: The NETGEAR installation assistant runs only the first time that you set up the router.

Note: The Setup Wizard is a tool with a similar function. For information on running the Setup Wizard, see Use the Internet Setup Wizard on page 21.

User Manual12Set Up and Access the Router

Insight Instant VPN Router BR500

Set up the BR500 router to connect to the LAN of an existing router

If another router provides the Internet connection, connect the BR500 router to the LAN that is broadcast by the other router and set up the Internet connection for the BR500 router.

After you physically connect the router, you can let the NETGEAR installation assistant set up your router automatically. By default, the DHCP client of the BR500 router is enabled so that the BR500 router receives an IP address from the other router in your network.

The NETGEAR installation assistant runs on any device with a web browser. Installation and basic setup takes about 15 minutes to complete.

To set up the BR500 router to connect to the LAN of another router and get an Internet connection:

Connect an Ethernet cable from the Internet WAN port on the BR500 router to a LAN port on a switch or hub that is connected to the LAN of the other router.

You can also connect the Ethernet cable directly to a LAN port on the other router.

2. Connect the router to power. After you connect the router to power, the Power LED on the front panel first blinks

green and then lights solid green.

If the Power LED does not light at all, press the Power On/Off button.

Use a computer or mobile device to access the local browser interface of the router by doing one of the following:

Use a computer with a wired Ethernet connection. Do the following:

•

Configure a computer to obtain an IP address automatically using DHCP.

b. Connect the computer with an Ethernet cable to a LAN port on the router.

You can use LAN port 1, 2, 3, or 4. The computer receives an IP address from the router.

Use a mobile device to connect to the router over WiFi. Do the following:

•

Configure a WiFi access point to obtain an IP address automatically using DHCP.

b. Connect the access point with an Ethernet cable to a LAN port on the router.

You can use LAN port 1, 2, 3, or 4. The access point receives an IP address from the router.

c. Connect your mobile device to the access point’s WiFi network.

User Manual13Set Up and Access the Router

Insight Instant VPN Router BR500

4. From the computer or mobile device, launch a web browser and enter https://www.routerlogin.net in the address field.

You can also enter https://www.routerlogin.com or enter the IP address in this format: https://192.168.1.1. The default IP address for the router is 192.168.1.1.

If the browser does not display the login window, do the following:

• Your browser displays a security message and does not let you proceed. Consider

the following examples:

Google Chrome. If Google Chrome displays a Your connection is not private

•

message, click the ADVANCED link. Then, click the Proceed to 192.168.1.1 (unsafe) link, in which x.x.x.x represents the IP address of the switch, and install a security certificate.

Apple Safari. If Apple Safari displays a This connection is not private message,

•

Mozilla Firefox. If Mozilla Firefox displays a Your connection is not secure

•

message, click the ADVANCED button. Then, click the Add Exception button. In the pop-up window that opens, click the Confirm Security Exception button and install a security certificate

Microsoft Internet Explore. If Microsoft Internet Explorer displays a There is

•

a problem with this website’s security certificate message, click the Continue to this website (not recommended) link and install a security certificate.

Microsoft Edge. If Microsoft Edge displays a There is a problem with this

•

website’s security certificate message or a similar warning, select Details > Go on to the webpage and install a security certificate.

•

If you use a wired Ethernet connection, make sure that the computer is connected to one of the LAN Ethernet ports of the router.

•

If you use a mobile device, make sure that mobile device is connected to the access point and that the access point is connected to one of the LAN Ethernet ports of the router.

• Make sure that the router is receiving power and that its Power LED is lit.

• Close and reopen the browser or clear the browser cache.

User Manual14Set Up and Access the Router

Insight Instant VPN Router BR500

•

If you use a wired Ethernet connection, if the computer is set to a static or fixed IP address (this setting is uncommon), change it to obtain an IP address automatically from the router.

•

In the login window, enter admin for the user name and password for the password. The NETGEAR installation assistant starts and searches your Internet connection for

Note: If you prefer to set up the Internet connection of your router manually, see Manually set up the router Internet connection on page 22.

When the router connects to the Internet, the Internet WAN LED lights solid green.

If the router does not connect to the Internet, do the following: a. Review your settings. Make sure that you selected the correct options and typed

everything correctly.

b. Make sure that the other router is connected to the Internet.

Read You cannot access the Internet on page 161. If problems persist, register your product and contact NETGEAR technical support.

Note: The NETGEAR installation assistant runs only the first time that you set up the router.

Note: The Setup Wizard is a tool with a similar function. For information on running the Setup Wizard, see Use the Internet Setup Wizard on page 21.

Router management options

The router provides management options (which are not mutually exclusive) that let you discover the router on the network and configure, monitor, and control the router:

Local browser–based management interface. You must access the local

• browser–based management interface, in this manual referred to as the local browser interface, to set up the WAN (Internet) connection and other settings of the router.

User Manual15Set Up and Access the Router

Insight Instant VPN Router BR500

NETGEAR Insight mobile app. After you set up the WAN connection of the router

• using the local browser interface, you can use the NETGEAR Insight mobile app to discover the router on the network and add the router to the NETGEAR Insight app. Doing so allows you to set up the router in the network and manage and monitor the router remotely from your smartphone. You can choose from four methods to add the router to the NETGEAR Insight app: You can scan your network for the router, scan the QR code or the barcode of the router, or add the serial number of the router (see Add the router to an Insight managed network on page 18).

Insight Cloud portal. As an Insight Premium or Pro user, after you set up the WAN

• connection of the router using the local browser interface, you can use the NETGEAR

Insight Cloud portal to set up the router in the network, perform advanced remote management, monitor the router, analyze the router and network usage, and, if necessary, troubleshoot the router and the network.

Note: For more information about NETGEAR Insight, visit netgear.com/insight, see the NETGEAR knowledge base articles at netgear.com/support/, and see the Insight user manual at downloads.netgear.com/files/GDC/Insight/Insight_UM_EN.pdf.

Log in to the local browser interface

After you set up the router and the router is connected to the Internet, you can view and change the router settings by connecting to the local browser–based management interface, in this manual referred to as the local browser interface.

To access the local browser interface, the procedures in this manual use https://www.routerlogin.net. You can also enter https://www.routerlogin.com or enter the IP address in this format: https://192.168.1.1. The default IP address for the router is 192.168.1.1.

For security, we recommend that you enter https rather than http. However, if you enter http, the browser automatically redirects your request to https.

Your browser might display a security message, which you can ignore. Consider the following examples:

Google Chrome. If Google Chrome displays a Your connection is not private

• message, click the ADVANCED link. Then, click the Proceed to 192.168.1.1 (unsafe) link, in which x.x.x.x represents the IP address of the switch, and install a security certificate.

Apple Safari. If Apple Safari displays a This connection is not private message, click

• the Show Details button. Then, click the visit this website link. If a warning pop-up window opens, click the Visit Website button. If another pop-up window opens to let you confirm changes to your certificate trust settings, enter your Mac user name and password and click the Update Setting button.

User Manual16Set Up and Access the Router

Insight Instant VPN Router BR500

Mozilla Firefox. If Mozilla Firefox displays a Your connection is not secure message,

• click the ADVANCED button. Then, click the Add Exception button. In the pop-up

window that opens, click the Confirm Security Exception button and install a security certificate

Microsoft Internet Explore. If Microsoft Internet Explorer displays a There is a

•

problem with this website’s security certificate message, click the Continue to this website (not recommended) link and install a security certificate.

Microsoft Edge. If Microsoft Edge displays a There is a problem with this website’s

•

security certificate message or a similar warning, select Details > Go on to the webpage and install a security certificate.

Note: If the router detects a conflict with a WAN IP address, it changes its IP address

to 10.0.0.1 or 172.16.5.1.

To log in to the local browser interface:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays. You can now monitor and change the settings of the router.

Change the language of the local browser interface

By default, the language of the local browser interface is set to English. However, you can set the language to a specific one.

To change the language of the local browser interface:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net.

User Manual17Set Up and Access the Router

Insight Instant VPN Router BR500

Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

At the top of the page, from the Language menu, select a language. The language changes.

Add the router to an Insight managed network

When the router is connected to the Internet, the router can communicate with the Insight cloud and you can add the router to an Insight managed network.

To use the NETGEAR Insight mobile app to add the router to an Insight managed network:

On your iOS or Android mobile device, visit the app store, search for NETGEAR Insight, and download the app.

2. Open the NETGEAR Insight app on your mobile device.

If you did not set up a NETGEAR account yet, tap Create NETGEAR Account and follow the onscreen instructions.

4. To log in to your NETGEAR account, enter your credentials and tap LOG IN.

Name your network and specify a device admin password that applies to all devices that you add to this network.

6. Tap the Next button.

User Manual18Set Up and Access the Router

Insight Instant VPN Router BR500

To add the router to your account, use one of the following options:

If the router is connected through a WiFi access point to the same WiFi network

•

as the NETGEAR Insight app, scan the network so that Insight can find the router and you can add it to your Insight account.

If the router is not connected to the same WiFi network as the NETGEAR Insight

•

app, do one of the following, using the information that is on the router label:

- Scan the serial number bar code.

- Scan the QR code. (The QR code is located on the router label and is displayed at the upper right corner of the Dashboard in the local browser interface.)

- Enter the serial number manually.

Note: You might be prompted to connect the router to power and to an uplink. Since you already did this, tap the Next button.

The NETGEAR Insight app discovers the router and registers it on the network that you named earlier in this procedure. When the router is connected to the Insight cloud and registered, the Cloud LED lights solid blue.

You can now select the router to configure and manage it or you can use the NETGEAR Insight app to access the router later to view or change the configuration settings.

For more information about how to connect a NETGEAR Insight managed device to an existing network, visit https://kb.netgear.com/000044341.

For more information about NETGEAR Insight, visit netgear.com/insight, see the NETGEAR knowledge base articles at netgear.com/support/, and see the Insight user manual at downloads.netgear.com/files/GDC/Insight/Insight_UM_EN.pdf.

Access Insight to manage the router

After you add the router to an Insight managed network (see Add the router to an Insight managed network on page 18), you can manage the router through one of the following methods:

Cloud access from a mobile device. After initial configuration, as long as your

• router is on a network with an Internet connection, you can access the router through the cloud using the Insight mobile app.

Insight Cloud Portal. The Insight Cloud Portal is available for Insight Premium and

• Insight Pro subscribers to set up, manage, and monitor their Insight network and devices. Visit insight.netgear.com/#/login.

User Manual19Set Up and Access the Router

Specify Your Internet Settings Manually

Usually, the quickest way to set up the Internet connection is to allow the NETGEAR installation assistant to detect the Internet connection when you first set up and access the router with a web browser. You can also customize or specify your Internet settings manually

This chapter contains the following sections:

• Use the Internet Setup Wizard

• Manually set up the router Internet connection

• Specify IPv6 Internet connections

• Change the MTU size

• Set Up and Manage Dynamic DNS

Insight Instant VPN Router BR500

Use the Internet Setup Wizard

You can use the Setup Wizard to detect your Internet settings and automatically set up your router. Although the functionality is similar, the Setup Wizard is not the same as the NETGEAR installation assistant that runs the first time that you connect to your router to set it up.

To use the Setup Wizard:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup Wizard. The Setup Wizard page displays.

5. Select the Yes radio button. If you select the No radio button, you are taken to the WAN Setup page (see Manually

set up the router Internet connection on page 22) when you click the Next button.

6. Click the Next button. The Setup Wizard searches your Internet connection for servers and protocols to

determine your Internet configuration. When the router connects to the Internet, you are prompted to change the admin password.

Manually

User Manual21Specify Your Internet Settings

Insight Instant VPN Router BR500

Manually set up the router Internet connection

You can view or change the router’s Internet connection settings.

Specify a dynamic or fixed IP address Internet connection without a login

To specify or view the settings for an ISP or LAN Internet connection that uses a dynamic or fixed IP address and that does not require a login:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > WAN Setup. The WAN Setup page displays.

5. Select the No radio button. This is the default setting.

If your Internet connection requires an account name (or host name), do the following: a. Click the Edit button.

The Edit Device Name slide-out panel opens.

In the Device Name field, enter the account name. The account name is the same as the device name, which, by default, is BR500.

c. Click the Apply button.

Your settings are saved.

Manually

User Manual22Specify Your Internet Settings

Insight Instant VPN Router BR500

If your Internet connection requires a domain name, enter it in the Domain Name (If Required) field.

For the other sections on this page, the default settings usually work, but you can change them.

8. Select an Internet IP Address radio button:

• Get Dynamically. Depending on your router connection, your ISP uses DHCP to

automatically assign your IP address, or another router on the LAN does so.

•

Use Static IP Address. Depending on your router connection, do one of the

following:

Your router connects to a modem. Enter the IP address, IP subnet mask, and

• the gateway IP address that your ISP assigned. The gateway is the ISP router

to which your router connects.

Your router connects to another router in your network. Enter the IP address

• and IP subnet mask for the LAN subnet of the other router. The gateway is the

same gateway that the other router is using for its LAN subnet.

9. Select a Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Depending on your router connection, your ISP

uses DHCP to assign your DNS servers, or another router on the LAN does so. Your ISP or the other router on the LAN automatically assigns these addresses.

•

Use These DNS Servers. Depending on your router connection, do one of the

following:

Your router connects to a modem. If you know that your ISP requires specific

• servers, select this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

Your router connects to another router in your network. Enter the same

• DNS servers that the other router is using for its LAN subnet.

10. Select a Router MAC Address radio button:

•

Use Default Address. Use the default router MAC address that displays on the

Dashboard page and the router label.

•

Use Computer MAC Address. If your router connects to a modem, the router

captures and uses the MAC address of the computer that you are now using. You must use the one computer that the ISP allows.

11. Click the Apply button.

Your settings are saved.

Manually

User Manual23Specify Your Internet Settings

Insight Instant VPN Router BR500

12. Click the Test button to test your Internet connection.

If the NETGEAR website does not display within one minute, see You cannot access the Internet on page 161.

Specify a PPPoE Internet connection that uses a login

To specify or view the settings for an ISP Internet connection that uses PPPoE and that requires a login:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > WAN Setup.

The WAN Setup page displays.

5. Select the Yes radio button.

The settings on the page change.

6. From the Internet Service Provider menu, select PPPoE as the encapsulation

method.

In the Login field, enter the login name that your ISP gave you. This login name is often an email address.

In the Password field, enter the password that you use to log in to your Internet service.

If your ISP requires a service name, type it in the Service Name (if Required) field.

10. From the Connection Mode menu, select Always On, Dial on Demand, or Manually Connect.

11.

If you select Dial on Demand from the Connection Mode menu, in the Idle Timeout (In minutes) field, enter the number of minutes until the Internet login times out

User Manual24Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

This is how long the router keeps the Internet connection active when no one on the network is using the Internet connection. A value of 0 (zero) means never log out. The default is 5 minutes.

12. Select an Internet IP Address radio button:

• Get Dynamically. Your ISP uses DHCP to automatically assign your IP address.

• Use Static IP Address. Enter the IP address, IP subnet mask, and the gateway IP

address that your ISP assigned. The gateway is the ISP router to which your router connects.

13. Select a Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

14. Select a Router MAC Address radio button:

•

Use Default Address. Use the default router MAC address that displays on the

Dashboard page and the router label.

•

Use Computer MAC Address. If your router connects to a modem, the router

captures and uses the MAC address of the computer that you are now using. You must use the one computer that the ISP allows.

15. Click the Apply button. Your settings are saved.

16. Click the Test button to test your Internet connection. If the NETGEAR website does not display within one minute, see You cannot access

the Internet on page 161.

Specify a PPTP or L2TP Internet connection that uses a login

To specify or view the settings for an ISP Internet connection that uses PPTP or L2TP and that requires a login:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Manually

User Manual25Specify Your Internet Settings

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > WAN Setup. The WAN Setup page displays.

5. Select the Yes radio button. The settings on the page change.

6. From the Internet Service Provider menu, select PPTP or L2TP as the encapsulation method.

In the Login field, enter the login name that your ISP gave you. This login name is often an email address.

In the Password field, enter the password that you use to log in to your Internet service.

If your ISP requires a service name, type it in the Service Name (if Required) field.

10. From the Connection Mode menu, select Always On, Dial on Demand, or Manually Connect.

11.

If you select Dial on Demand from the Connection Mode menu, in the Idle Timeout (In minutes) field, enter the number of minutes until the Internet login times out

This is how long the router keeps the Internet connection active when no one on the network is using the Internet connection. A value of 0 (zero) means never log out. The default is 5 minutes.

12.

If your ISP gave you fixed IP addresses and a connection ID or name, enter them in the My IP Address, Subnet Mask, Server Address, Gateway IP Address, and Connection ID/Name fields.

If your ISP did not give you an IP addresses, connection ID, or name, leave these fields blank. The connection ID or name applies to a PPTP service only.

13. Select a Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

Manually

User Manual26Specify Your Internet Settings

Insight Instant VPN Router BR500

14. Select a Router MAC Address radio button:

•

Use Default Address. Use the default router MAC address that displays on the

Dashboard page and the router label.

•

Use Computer MAC Address. If your router connects to a modem, the router

captures and uses the MAC address of the computer that you are now using. You must use the one computer that the ISP allows.

15. Click the Apply button. Your settings are saved.

16. Click the Test button to test your Internet connection. If the NETGEAR website does not display within one minute, see You cannot access

the Internet on page 161.

Specify IPv6 Internet connections

You can set up an IPv6 Internet connection if the router does not detect it automatically.

To set up an IPv6 Internet connection:

1. Launch a web browser from a computer or mobile device that is connected to the network.

2. Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16. A login window opens.

3. Enter the router user name and password. The default user name is admin. The password is the one that you specified when you set up your router. If you skipped specifying a new password, the default password is password. The user name and password are case-sensitive. The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select the IPv6 connection type:

If your ISP did not provide details, select 6to4 Tunnel.

•

Manually

If you are not sure, select Auto Detect so that the router detects the IPv6 type that is in use.

If your Internet connection does not use PPPoE or DHCP, or is not fixed, but is IPv6, select Auto Config.

User Manual27Specify Your Internet Settings

Insight Instant VPN Router BR500

Your Internet service provider (ISP) can provide this information. For more information about IPv6 Internet connection, see the following sections:

Use Auto Detect for an IPv6 Internet connection on page 28

•

Use Auto Detect for an IPv6 Internet connection on page 28

•

Set up an IPv6 6to4 tunnel Internet connection on page 31

•

Set up an IPv6 6rd Internet connection on page 33

•

Set up an IPv6 passthrough Internet connection on page 35

•

Set up an IPv6 fixed Internet connection on page 35

•

Set up an IPv6 DHCP Internet connection on page 37

•

Set up an IPv6 PPPoE Internet connection on page 38

•

6. Click the Apply button. Your settings are saved.

Requirements for entering IPv6 addresses

IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by colons. You can reduce any four-digit group of zeros within an IPv6 address to a single zero or omit it. The following errors invalidate an IPv6 address:

More than eight groups of hexadecimal quartets

•

More than four hexadecimal characters in a quartet

•

More than two colons in a row

•

Use Auto Detect for an IPv6 Internet connection

To set up an IPv6 Internet connection through autodetection:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

User Manual28Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select Auto Detect. The page adjusts. The router automatically detects the information in the following

fields:

Connection Type. This field indicates the connection type that is detected.

•

Router’s IPv6 Address on WAN. This field shows the IPv6 address that is acquired

•

for the router’s WAN (or Internet) interface. The number after the slash (/) is the length of the prefix, which is also indicated by the underline (_) under the IPv6 address. If no address is acquired, the field displays Not Available.

Router’s IPv6 Address on LAN. This field shows the IPv6 address that is acquired

•

for the router’s LAN interface. The number after the slash (/) is the length of the prefix, which is also indicated by the underline (_) under the IPv6 address. If no address is acquired, the field displays Not Available.

6. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCPv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on your home network (the LAN).

(Optional) In the LAN Setup section, select the Use This Interface ID check box and specify the interface ID to be used for the IPv6 address of the router’s LAN interface.

If you do not specify an ID here, the router generates one automatically from its MAC address.

8. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

9. Click the Apply button. Your settings are saved.

Manually

User Manual29Specify Your Internet Settings

Insight Instant VPN Router BR500

Use Auto Config for an IPv6 Internet connection

To set up an IPv6 Internet connection through autoconfiguration:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

From the Internet Connection Type menu, select Auto Config. The page adjusts. The router automatically detects the information in the following

fields:

Router’s IPv6 Address on WAN. This field shows the IPv6 address that is acquired

•

Router’s IPv6 Address on LAN. This field shows the IPv6 address that is acquired

•

(Optional) In the DHCP User Class (If Required) field, enter a host name. Most people can leave this field blank, but if your ISP gave you a specific host name,

enter it here.

(Optional) In the DHCP Domain Name (If Required) field, enter a domain name. You can type the domain name of your IPv6 ISP. Do not enter the domain name for

the IPv4 ISP here. For example, if your ISP’s mail server is mail.xxx.yyy.zzz, type xxx.yyy.zzz as the domain name. If your ISP provided a domain name, type it in this field. For example, Earthlink Cable might require a host name of home, and Comcast sometimes supplies a domain name.

User Manual30Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

8. Select an IPv6 Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IPv6 address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

9. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCPv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on the LAN of the router.

10.

(Optional) In the LAN Setup section, select the Use This Interface ID check box and specify the interface ID to be used for the IPv6 address of the router’s LAN interface.

If you do not specify an ID here, the router generates one automatically from its MAC address.

11. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

12. Click the Apply button. Your settings are saved.

Set up an IPv6 6to4 tunnel Internet connection

The remote relay router is the router to which your router creates a 6to4 tunnel. Make sure that the IPv4 Internet connection is working before you apply the 6to4 tunnel settings for the IPv6 connection.

To set up an IPv6 Internet connection by using a 6to4 tunnel:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Manually

User Manual31Specify Your Internet Settings

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select 6to4 Tunnel. The page adjusts. The router automatically detects the information in the Router’s

IPv6 Address on LAN field. This field shows the IPv6 address that is acquired for the router’s LAN interface. The number after the slash (/) is the length of the prefix, which is also indicated by the underline (_) under the IPv6 address. If no address is acquired, the field displays Not Available.

6. Select a Remote 6to4 Relay Router radio button:

• Auto. Your router uses any remote relay router that is available on the Internet.

This is the default setting.

•

Static IP Address. Enter the static IPv4 address of the remote relay router. Your

IPv6 ISP usually provides this address.

7. Select an IPv6 Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

8. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCPv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on your home network (the LAN).

(Optional) In the LAN Setup section, select the Use This Interface ID check box and specify the interface ID to be used for the IPv6 address of the router’s LAN interface.

If you do not specify an ID here, the router generates one automatically from its MAC address.

User Manual32Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

10. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

11. Click the Apply button. Your settings are saved.

Set up an IPv6 6rd Internet connection

The 6rd protocol makes it possible to deploy IPv6 to sites using a service provider’s IPv4 network. 6rd (also referred to as IPv6 rapid deployment) uses the service provider’s own IPv6 address prefix. This limits the operational domain of 6rd to the service provider’s network and is under direct control of the service provider. The IPv6 service provided is equivalent to native IPv6. The 6rd mechanism relies on an algorithmic mapping between the IPv6 and IPv4 addresses that are assigned for use within the service provider’s network. This mapping allows for automatic determination of IPv4 tunnel endpoints from IPv6 prefixes, allowing stateless operation of 6rd.

With a 6rd tunnel configuration, the router follows the RFC5969 standard, supporting two ways to establish a 6rd tunnel IPv6 WAN connection:

Auto Detect mode. In IPv6 Auto Detect mode, when the router receives option 212

• from the DHCPv4 option, autodetect selects the IPv6 as 6rd tunnel setting. The router

uses the 6rd option information to establish the 6rd connection.

Manual mode. Select 6rd Tunnel. If the router receives option 212, the fields are

• automatically completed. Otherwise, you must enter the 6rd settings.

To set up an IPv6 6rd Internet connection:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

Manually

User Manual33Specify Your Internet Settings

Insight Instant VPN Router BR500

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select 6rd Tunnel. The page adjusts. The router automatically detects the information in the following

sections:

•

6rd (IPv6 Rapid Development) Configuration. The router detects the service

provider’s IPv4 network and attempts to establish an IPv6 6rd tunnel connection. If the IPv4 network returns 6rd parameters to the router, the page adjusts to display the correct settings in this section.

•

Router’s IPv6 Address on LAN. This field shows the IPv6 address that is acquired

6. Select an IPv6 Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

7. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCPv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on your home network (the LAN).

(Optional) In the LAN Setup section, select the Use This Interface ID check box and specify the interface ID that you want to be used for the IPv6 address of the router’s LAN interface.

If you do not specify an ID here, the router generates one automatically from its MAC address.

9. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

10. Click the Apply button.

Manually

User Manual34Specify Your Internet Settings

Insight Instant VPN Router BR500

Your settings are saved.

Set up an IPv6 passthrough Internet connection

In pass-through mode, the router works as a Layer 2 Ethernet switch with two ports (LAN and WAN Ethernet ports) for IPv6 packets. The router does not process any IPv6 header packets.

To set up a pass-through IPv6 Internet connection:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select Pass Through. The page adjusts, but no additional fields display.

6. Click the Apply button. Your settings are saved.

Set up an IPv6 fixed Internet connection

To set up a fixed IPv6 Internet connection:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Manually

User Manual35Specify Your Internet Settings

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select Fixed. The page adjusts.

In the WAN Setup section, specify the fixed IPv6 addresses for the WAN connection:

IPv6 Address/Prefix Length. The IPv6 address and prefix length of the router

•

WAN interface.

Default IPv6 Gateway. The IPv6 address of the default IPv6 gateway for the

•

router’s WAN interface.

Primary DNS Server. The primary DNS server that resolves IPv6 domain name

•

records for the router.

Secondary DNS Server. The secondary DNS server that resolves IPv6 domain

•

name records for the router.

Note: If you do not specify the DNS servers, the router uses the DNS servers that are configured for the IPv4 Internet connection on the WAN Setup page. (See Manually set up the router Internet connection on page 22.)

7. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCPv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on your home network (the LAN).

In the LAN Setup section, in the IPv6 Address/Prefix Length fields, specify the static IPv6 address and prefix length of the router’s LAN interface.

9. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

User Manual36Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

10. Click the Apply button. Your settings are saved.

Set up an IPv6 DHCP Internet connection

To set up an IPv6 Internet connection with a DHCP server:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select DHCP. The page adjusts. The router automatically detects the information in the following

fields:

Router’s IPv6 Address on WAN. This field shows the IPv6 address that is acquired

•

Router’s IPv6 Address on LAN. This field shows the IPv6 address that is acquired

•

(Optional) In the User Class (If Required) field, enter a host name. Most people can leave this field blank, but if your ISP gave you a specific host name,

enter it here.

(Optional) In the Domain Name (If Required) field, enter a domain name.

Manually

User Manual37Specify Your Internet Settings

Insight Instant VPN Router BR500

You can type the domain name of your IPv6 ISP. Do not enter the domain name for the IPv4 ISP here. For example, if your ISP’s mail server is mail.xxx.yyy.zzz, type xxx.yyy.zzz as the domain name. If your ISP provided a domain name, type it in this field. For example, Earthlink Cable might require a host name of home, and Comcast sometimes supplies a domain name.

8. Select an IPv6 Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

9. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCPv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on your home network (the LAN).

10.

(Optional) In the LAN Setup section, select the Use This Interface ID check box and specify the interface ID to be used for the IPv6 address of the router’s LAN interface.

If you do not specify an ID here, the router generates one automatically from its MAC address.

11. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

12. Click the Apply button. Your settings are saved.

Set up an IPv6 PPPoE Internet connection

To set up a PPPoE IPv6 Internet connection:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

User Manual38Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPv6. The IPv6 page displays.

5. From the Internet Connection Type menu, select PPPoE. The page adjusts. The router automatically detects the information in the following

fields:

Router’s IPv6 Address on WAN. This field shows the IPv6 address that is acquired

•

Router’s IPv6 Address on LAN. This field shows the IPv6 address that is acquired

•

Either select the Use the same Login information as IPv4 PPPoE check box, or specify the PPPoE settings for IPv6:

•

Password. Enter the password for the ISP connection.

•

Service Name (If Required). Enter a service name. If your ISP did not provide a

•

service name, leave this field blank.

Note: The default setting of the Connection Mode menu is Always On to provide a steady IPv6 connection. The router never terminates the connection. If the connection is terminated, for example, when the modem is turned off, the router attempts to reestablish the connection immediately after the PPPoE connection becomes available again.

7. Select an IPv6 Domain Name Server (DNS) Address radio button:

•

Get Automatically from ISP. Your ISP uses DHCP to assign your DNS servers.

Your ISP automatically assigns these addresses.

Manually

User Manual39Specify Your Internet Settings

Insight Instant VPN Router BR500

•

Use These DNS Servers. If you know that your ISP requires specific servers, select

this option. Enter the IP address of your ISP’s primary DNS server. If a secondary DNS server address is available, enter it also.

8. In the LAN Setup section, select an IP Address Assignment radio button:

•

Use DHCP Server. This method passes more information to LAN devices but

some IPv6 systems might not support the DHCv6 client function.

•

Auto Config. This is the default setting.

This setting specifies how the router assigns IPv6 addresses to the devices on your home network (the LAN).

(Optional) In the LAN Setup section, select the Use This Interface ID check box and specify the interface ID to be used for the IPv6 address of the router’s LAN interface.

If you do not specify an ID here, the router generates one automatically from its MAC address.

10. Select an IPv6 Filtering radio button:

•

Secured. In secured mode, which is the default mode, the router inspects both

TCP and UDP packets.

• Open. In open mode, the router inspects UDP packets only.

11. Click the Apply button. Your settings are saved.

Change the MTU size

The maximum transmission unit (MTU) is the largest data packet a network device transmits. When one network device communicates across the Internet with another, the data packets travel through many devices along the way. If a device in the data path uses a lower MTU setting than the other devices, the data packets must be split or “fragmented” to accommodate the device with the smallest MTU.

The best MTU setting for router equipment is often the default value. In some situations, changing the value fixes one problem but causes another. Leave the MTU unchanged unless one of these situations occurs:

You experience problems connecting to your ISP or other Internet service, and the

• technical support of either the ISP or router recommends changing the MTU setting. These web-based applications might require an MTU change:

A secure website that does not open, or displays only part of a web page

- Yahoo email

User Manual40Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

- MSN portal

You use VPN and experience severe performance problems.

•

You used a program to optimize MTU for performance reasons and now you are

• experiencing connectivity or performance problems.

Note: An incorrect MTU setting can cause Internet communication problems. For example, you might not be able to access certain websites, frames within websites, secure login pages, or FTP or POP servers.

To change the MTU size:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Basic Setup. The firewall Basic Setup page displays.

In the MTU Size field, enter a value from 616 to 1500. The default size is 1500 bytes.

6. Click the Apply button. Your settings are saved.

If you suspect an MTU problem, a common solution is to change the MTU to 1400. If you are willing to experiment, you can gradually reduce the MTU from the maximum value of 1500 until the problem goes away. The following table describes common MTU sizes and applications.

Manually

User Manual41Specify Your Internet Settings

Table 1. Common MTU sizes

ApplicationMTU

Insight Instant VPN Router BR500

1500

The largest Ethernet packet size. This setting is typical for connections that do not use PPPoE or VPN and is the default value for NETGEAR routers, adapters, and switches.

Used in PPPoE environments.1492

Maximum size to use for pinging. (Larger packets are fragmented.)1472

Used in some DHCP environments.1468

Used in PPTP environments or with VPN.1436

Set Up and Manage Dynamic DNS

Internet service providers (ISPs) assign IP addresses to identify each Internet account. Most ISPs use dynamically assigned IP addresses. This means that the IP address can change at any time. You can use the IP address to access your network remotely, but most people do not know what their IP address is or when this address changes.

To make it easier to connect when you use OpenVPN, you can get a free account with a Dynamic DNS service that lets you use a domain name to access your home network. To use this account, you must set up the router to use Dynamic DNS. Then the router notifies the Dynamic DNS service provider whenever its IP address changes. When you access your Dynamic DNS account, the service finds the current IP address of your home network and automatically connects you.

If your ISP assigns a private WAN IP address (such as 192.168.x.x or 10.x.x.x), the Dynamic DNS service does not work because private addresses are not routed on the Internet.

Note: If you use the router for VPN connections in an Insight managed network with the NETGEAR Insight mobile app or Cloud Portal, the router doesn’t require a static IP address and doesn’t need to use Dynamic DNS.

Set up a new Dynamic DNS account

NETGEAR offers you the opportunity to set up and register for a free Dynamic DNS account.

To set up Dynamic DNS and register for a free NETGEAR account:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net.

User Manual42Specify Your Internet Settings

Manually

Insight Instant VPN Router BR500

Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Dynamic DNS. The Dynamic DNS page displays.

5. Select the Use a Dynamic DNS Service check box.

6. From the Service Provider menu, select NETGEAR.

7. Select the No radio button.

In the Host Name field, enter the name that you want to use for your URL. The host name is sometimes called the domain name. Your free URL includes the

host name that you specify and ends with mynetgear.com. For example, enter MyName.mynetgear.com.

In the Email field, enter the email address that you want to use for your account.

10.

In the Password (6-32 characters) field, enter the password that you want to use for your account.

11. Click the Register button.

12.

Follow the onscreen instructions to register for your NETGEAR Dynamic DNS service.

Specify a DNS account that you already created

If you already created a Dynamic DNS account with NETGEAR, No-IP, or Dyn, you can set up the router to use your account.

To set up Dynamic DNS if you already created an account:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Manually

User Manual43Specify Your Internet Settings

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Dynamic DNS. The Dynamic DNS page displays.

5. Select the Use a Dynamic DNS Service check box.

6. From the Service Provider menu, select your provider.

7. Select the Yes radio button.

In the Host Name field, enter the host name (sometimes called the domain name) for your account.

Depending on the type of account, specify your user name or email address:

•

For a No-IP or Dyn account, in the User Name field, enter the user name for your account.

•

For a NETGEAR account, in the Email field, enter the email address for your account.

10.

In the Password field, enter the password for your Dynamic DNS account.

11. Click the Apply button. Your settings are saved.

12.

To verify that your Dynamic DNS service is enabled in the router, click the Show Status button.

A message displays the Dynamic DNS status.

Change the Dynamic DNS settings

You can change the settings for your Dynamic DNS account.

To change your settings:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Manually

User Manual44Specify Your Internet Settings

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Dynamic DNS. The Dynamic DNS page displays.

5. Change your DDNS account settings as necessary.

6. Click the Apply button. Your settings are saved.

Manually

User Manual45Specify Your Internet Settings

Manage the Firewall and Security

The router comes with a built-in firewall that helps to protect your network from unwanted intrusions from the Internet and lets you control access to the Internet.

This chapter includes the following sections:

• Manage the basic firewall settings

• Allow or block device access to your network

• Specify keywords and domains to block Internet sites

• Block specific services and applications from the Internet

• Set up a schedule for blocking

• Manage custom firewall traffic rules

Insight Instant VPN Router BR500

Manage the basic firewall settings

The basic firewall settings let you manage port scan protection and denial of service (DoS) protection, specify whether the router can respond to a ping from the WAN port, set up a DMZ server, and manage IGMP proxying, NAT filtering, and the application-level gateway (ALG) for the Session Initiation Protocol (SIP).

For information about the MTU size, which is another basic firewall setting, see Change the MTU size on page 40.

Manage port scan protection and denial of service protection

Port scan protection and denial of service (DoS) protection can protect your LAN against attacks such as Syn flood, Smurf Attack, Ping of Death, and many others. By default, DoS protection is enabled and a port scan is rejected.

You can also enable the router to respond to a ping to its WAN (Internet) port. This feature allows your router to be discovered. Enable this feature only as a diagnostic tool or if a specific reason exists.

To change the default WAN security settings:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Basic Setup. The Basic Setup page displays.

5. To enable a port scan and disable DoS protection, select the Disable Port Scan and DoS Protection check box.

6. To enable the router to respond to a ping on its WAN port, select the Respond to Ping on Internet Port check box.

User Manual47Manage the Firewall and

Security

Insight Instant VPN Router BR500

7. Click the Apply button. Your settings are saved.

Set up a default DMZ server

A default DMZ server is helpful when you are using some Internet services and videoconferencing applications that are incompatible with Network Address Translation (NAT). The router is programmed to recognize some of these applications and to work correctly with them, but other applications might not function well. In some cases, one local computer can run the application correctly if the IP address for that computer is entered as the default DMZ server.

WARNING: DMZ servers pose a security risk. A computer designated as the default

DMZ server loses much of the protection of the firewall and is exposed to exploits from the Internet. If compromised, the DMZ server computer can be used to attack other computers on your network.

The router usually detects and discards incoming traffic from the Internet that is not a response to one of your local computers or a service or application for which you set up a port forwarding or port triggering rule (see Manage Port Forwarding and Port Triggering Traffic Rules on page 143). Instead of discarding this traffic, you can direct the router to forward the traffic to one computer on your network. This computer is called the default DMZ server.

To set up a default DMZ server:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Basic Setup. The Basic Setup page displays.

Select the Default DMZ Server check box.

Security

User Manual48Manage the Firewall and

Insight Instant VPN Router BR500

Enter the LAN IP address of the computer that must function as the DMZ server.

7. Click the Apply button. Your settings are saved.

Manage IGMP proxying

IGMP proxying allows a computer or mobile device on the LAN to receive the multicast traffic it is interested in from the Internet. If you do not need this feature, leave it disabled, which is the default setting.

To enable IGMP proxying:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Basic Setup. The Basic Setup page displays.

5. Clear the Disable IGMP Proxying check box. By default, this check box is selected and IGMP proxying is disabled.

6. Click the Apply button. Your settings are saved.

Manage NAT filtering

Network Address Translation (NAT) determines how the router processes inbound traffic. Secured NAT protects computers on the LAN from attacks from the Internet but might prevent some Internet services, point-to-point applications, or multimedia

User Manual49Manage the Firewall and

Security

Insight Instant VPN Router BR500

applications from working. Open NAT provides a much less secured firewall but allows almost all Internet applications to work. Secured NAT is the default setting.

To change the default NAT filtering settings:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Basic Setup. The Basic Setup page displays.

5. Select a NAT Filtering radio button:

•

Secured. Provides a secured firewall to protect the computers on the LAN from

attacks from the Internet but might prevent some Internet services, point-to-point applications, or multimedia applications from functioning. By default, the Secured radio button is selected.

•

Open. Provides a much less secured firewall but allows almost all Internet

applications to function.

6. Click the Apply button. Your settings are saved.

Manage the SIP application-level gateway

The application-level gateway (ALG) for the Session Initiation Protocol (SIP) is enabled by default for enhanced address and port translation. However, some types of VoIP and video traffic might not work well when the SIP ALG is enabled. For this reason, the router provides the option to disable the SIP ALG.

To change the default SIP ALG setting:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net.

User Manual50Manage the Firewall and

Security

Insight Instant VPN Router BR500

Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Basic Setup. The Basic Setup page displays.

5. To disable the SIP ALG, select the Disable SIP ALG check box. The SIP ALG is enabled by default.

6. Click the Apply button. Your settings are saved.

Allow or block device access to your network

You can use device access control to block or allow access to your network. You define access by selecting or specifying the MAC addresses of the wired devices that either can access your entire network or are blocked from accessing your entire network.

Enable and manage network access control

When you enable access control, you must select whether new devices are allowed to access the network or are blocked from accessing the network. By default, currently connected devices are allowed to access the network, but you can also block these devices from accessing the network.

To set up network access control:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Security

User Manual51Manage the Firewall and

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Access Control. The Access Control page displays.

5. Select the Turn on Access Control check box. You must select this check box before you can specify an access rule and use the

Allow and Block buttons. When the Turn on Access Control check box is cleared, all devices are allowed to connect, even if a device is in the list of blocked devices.

6. Click the Apply button. Your settings are saved.

Select an access rule for new devices:

•

Allow all new devices to connect. With this setting, if you add a new device, it

can access your network. You do not need to enter its MAC address on this page. We recommend that you leave this radio button selected.

•

Block all new devices from connecting. With this setting, if you add a new device,

before it can access your network, you must enter its MAC address in the allowed list. For more information, see Manage network access control lists on page 53.

The access rule does not affect previously blocked or allowed devices. It applies only to devices joining your network in the future after you apply these settings.

To manage access for currently connected computers and devices, do the following: a.

If you blocked all new devices, you can allow the computer or device that you are currently using to continue to access the network. Select the check box next to your computer or device in the table, and click the Allow button.

To change the allow or block settings for other computers and devices, select the check box next to the computer or device in the table, and click either the Allow button or the Block button.

9. Click the Apply button. Your settings are saved.

Security

User Manual52Manage the Firewall and

Insight Instant VPN Router BR500

Manage network access control lists

You can use access control to block or allow device access to your network. An access control list (ACL) functions with the MAC addresses of wired and mobile devices that can either access your entire network or are blocked from accessing your entire network.

The router can detect the MAC addresses of devices that are connected to the network and list the MAC addresses of devices that were connected to the network.

Each network device owns a MAC address, which is a unique 12-character physical address, containing the hexadecimal characters 0–9, a–f, or A–F (uppercase or lowercase) only, and separated by colons (for example, 00:09:AB:CD:EF:01). Typically, the MAC address is on the label of a device. If you cannot see the label, you can display the MAC address using the network configuration utilities of the computer. You might also find the MAC addresses of devices that are connected to the router on the Access Control page of the local browser interface (see Add a device to or remove it from the allowed list on page 53 and Add a device to or remove it from the blocked list on page 54).

Add a device to or remove it from the allowed list

If you set up an access list that blocks all new devices from accessing your network, you must specify which devices are allowed to access your network.

To add or remove a device that is allowed:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Access Control. The Access Control page displays.

Click the View list of allowed devices not currently connected to the network link.

A table displays the detected device name, MAC address, and connection type of the devices that are not connected but allowed to access the network.

User Manual53Manage the Firewall and

Security

Insight Instant VPN Router BR500

To add a device to the allowed list, do the following: a. Click the Add button.

The Add Allowed Device slide-out panel opens.

Enter the MAC address and device name for the device that you want to allow.

c. In the Add Allowed Device slide-out panel, click the Apply button.

The device is added to the allowed list on the Access Control page.

To remove a device from the allowed list, do the following: a.

Select the check box for the device.

b. Click the Delete button.

The device is removed from the allowed list.

8. Click the Apply button. Your settings are saved.

Add a device to or remove it from the blocked list

If you set up an access list that allows all new devices to access your network but you want to block some devices, you must specify the devices that you want to block.

To add or remove a device that is blocked:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Firewall > Access Control. The Access Control page displays.

Click the View list of blocked devices not currently connected to the network link.

User Manual54Manage the Firewall and

Security

Insight Instant VPN Router BR500

A table displays the detected device name, MAC address, and connection type of the devices that are not connected and are blocked from accessing the network.

To add a device to the blocked list, do the following: a. Click the Add button.

The Add Blocked Device slide-out panel opens.

Enter the MAC address and device name for the device that you want to block.

c. In the Add Blocked Device slide-out panel, click the Apply button.

The device is added to the blocked list on the Access Control page.

To remove a device from the blocked list, do the following: a.

Select the check box for the device.

b. Click the Delete button.

The device is removed from the blocked list.

8. Click the Apply button. Your settings are saved.

Specify keywords and domains to block Internet sites

You can block keywords and domains (websites) to prevent certain types of HTTP traffic from accessing your network. By default, keyword blocking is disabled and no domains are blocked.

Set up keyword and domain blocking

You can set up blocking of specific keywords and domains to occur continuously or according to a schedule.

To set up keyword and domain blocking:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Security

User Manual55Manage the Firewall and

Insight Instant VPN Router BR500

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Block Sites. The Block Sites page displays.

Specify a keyword blocking option:

• Per Schedule. Use keyword blocking according to a schedule that you set.

For more information, see Set up a schedule for blocking on page 63.

• Always. Use keyword blocking continuously.

In the Type keyword or domain name here field, enter a keyword or domain. Here are some sample entries:

Specify XXX to block http://www.badstuff.com/xxx.html.

•

Specify the domain suffix (for example, .edu or .gov) if you want to allow only

•

sites with domain suffixes such as .edu or .gov.

Enter a period (.) to block all Internet browsing access.

•

7. Click the Add keyword button. The keyword or domain is added to the Block sites containing these keywords

or domain names field (which is also referred to as the blocked list).

8. To add more keywords or domains, repeat the previous two steps. The keyword list supports up to 32 entries.

9. Click the Apply button. Your settings are saved.

Specify a trusted device

You can exempt one trusted device from blocking and logging. The device that you exempt must be assigned a fixed (static) IP address.

To specify a trusted device:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net.

User Manual56Manage the Firewall and

Security

Insight Instant VPN Router BR500

Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Block Sites. The Block Sites page displays.

5. Scroll down and select the Allow trusted IP address to visit blocked sites check box.

In the Trusted IP Address field, enter the IP address of the trusted device. The first three octets of the IP address are automatically populated and depend on

the IP address that is assigned to the DHCP server of the router (see Manage the DHCP server address pool for a LAN subnet on page 73).

7. Click the Apply button. Your settings are saved.

Remove a keyword or domain from the blocked list

If you no longer need a keyword or domain on the blocked list, you can remove the keyword or domain.

To remove a keyword or domain from the blocked list:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

User Manual57Manage the Firewall and

Security

Insight Instant VPN Router BR500

4. Select ADVANCED > Security > Block Sites. The Block Sites page displays.

In the Block sites containing these keywords or domain names field, select the keyword or domain.

6. Click the Delete keyword button. The keyword or domain is removed from the blocked list.

7. Click the Apply button. Your settings are saved.

Remove all keywords and domains from the blocked list

You can simultaneously remove all keywords and domains from the blocked list.

To remove all keywords and domains from the blocked list:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Block Sites. The Block Sites page displays.

5. Click the Clear List button. All keywords and domains are removed from the blocked list.

6. Click the Apply button. Your settings are saved.

Security

User Manual58Manage the Firewall and

Insight Instant VPN Router BR500

Block specific services and applications from the Internet

You can add service blocking rules to prevent access from your LAN to specific services and applications on the Internet. In addition, you can specify if a blocking rule applies to one user, a range of users, or all users on your LAN. The router lists many default services and applications that you can use in blocking rules. You can also add a service blocking rule for a custom service or application.

Add a service blocking rule for a predefined service or application

The router lists many predefined services and applications that you can use in outbound rules.

You can add a service blocking rule to prevent access to a specific service or application on the Internet.

To add a service blocking rule:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Block Services. The Block Services page displays.

In the Services Blocking section, specify how the router applies outbound rules:

• Per Schedule. Use keyword blocking according to a schedule that you set.

For more information, see Set up a schedule for blocking on page 63.

• Always. Use keyword blocking continuously.

Security

User Manual59Manage the Firewall and

Insight Instant VPN Router BR500

6. Click the Add button. The Add Services Blocking slide-out panel opens.

7. From the Service Type menu, select the service or application to be covered by this rule.

The Protocol, Starting Port, and Ending Port fields are automatically populated when you select the service or application.

Note: If the service or application does not display in the list, you can add it by selecting User Defined from the Service Type menu (see Add a service blocking rule for a custom service or application on page 60).

Specify which devices on your LAN are affected by the rule, based on their IP addresses:

•

Only This IP Address. Enter the required IP address in the fields to apply the rule

to a single device on your LAN.

•

IP Address Range. Enter the required start and end IP addresses in the fields to

apply the rule to a range of devices.

• All IP Addresses. All computers and devices on your LAN are covered by this

rule. By default, the All IP Addresses radio button is selected.

9. Click the Add button. The new rule is added to the Service Table on the Block Services page.

Add a service blocking rule for a custom service or application

If the service or application is not predefined, you can add a service blocking rule for a custom service or application.

To add service blocking rule for a custom service or application:

Find out which protocol and port number or range of numbers the service or application uses.

You can usually find this information by contacting the publisher of the service or application or through online user or news groups.

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net.

Security

User Manual60Manage the Firewall and

Insight Instant VPN Router BR500

Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16.

A login window opens.

4. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

5. Select ADVANCED > Security > Block Services. The Block Services page displays.

The first time that you add an outbound firewall rule, in the Services Blocking section, specify how the router applies outbound rules:

• Per Schedule. Use keyword blocking according to a schedule that you set.

For more information, see Set up a schedule for blocking on page 63.

• Always. Use keyword blocking continuously.

7. Click the Add button. The Add Services Blocking slide-out panel opens.

From the Service Type menu, select User Defined.

Specify a new service blocking rule by selecting a protocol, defining the ports, and defining a name:

Protocol. From the menu, select the protocol (TCP or UDP) that is associated

•

with the service or application. If you are unsure, select TCP/UDP.

Starting Port. In the field, enter the start port for the service or application.

•

Ending Port. In the field, enter one of the following:

•

If the service or application uses a range of ports, enter the end port for the range.

If the service or application uses a single port, repeat the port number that you entered in the Starting Port field.

Service Type/User Defined. In the field, enter the name of the custom service

•

or application.

10.

Specify which devices on your LAN are affected by the rule, based on their IP addresses:

Security

User Manual61Manage the Firewall and

Insight Instant VPN Router BR500

•

Only This IP Address. Enter the required address in the fields to apply the rule

to a single device on your LAN.

•

IP Address Range. Enter the required addresses in the start and end fields to

apply the rule to a range of devices.

• All IP Addresses. All computers and devices on your LAN are covered by this

rule. By default, the All IP Addresses radio button is selected.

11. Click the Add button. The new rule is added to the Service Table on the Block Services page.

Change a service blocking rule

You can change an existing service blocking rule.

To change a service blocking rule:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Block Services. The Block Services page displays.

In the Service Table, select the radio button for the rule.

6. Click the Edit button. The Edit Services Blocking slide-out panel opens.

7. Change the settings. For more information about the settings, see Add a service blocking rule for a custom

service or application on page 60.

8. Click the Apply button.

User Manual62Manage the Firewall and

Security

Insight Instant VPN Router BR500

Your settings are saved. The modified rule displays in the Service Table on the Block Services page and the changes go into effect immediately.

Remove a service blocking rule

You can remove a service blocking rule that you no longer need.

To remove a service blocking rule:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Block Services. The Block Services page displays.

In the Service Table, select the radio button for the rule.

6. Click the Delete button. A warning pop-up window opens.

7. Click the OK button. The rule is removed from the Service Table. Custom rules are deleted.

Set up a schedule for blocking

You can set up a schedule that you can apply to keyword and domain blocking, Internet service and application blocking, or both.

The schedule can specify the days and times that these features are active. After you set up the schedule, if you want it to become active, you must apply it to keyword and domain blocking (see Set up keyword and domain blocking on page 55), Internet service and application blocking (see Block specific services and applications from the Internet

User Manual63Manage the Firewall and

Security

Insight Instant VPN Router BR500

on page 59), or both. Without a schedule, you can only enable or disable these features. By default, no schedule is set.

To set up a schedule:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Security > Schedule. The Schedule page displays.

Set up the schedule for blocking:

Days to Block. Select the check box for each day that you want to block access

•

or specify that blocking occurs on every day by selecting the Every Day check box. By default, the Every Day check box is selected.

Time of Day to Block. Select a start and end time for blocking in 24-hour format

•

or select the All Day check box for 24-hour blocking. By default, the All Day check box is selected.

6. From the Time Zone menu, select your time zone.

If you live in an area that observes daylight saving time, select the Automatically

adjust for daylight savings time check box.

Note: If the router synchronized its internal clock with a time server on the Internet

and you selected the correct time zone, the Current Time field displays the correct date and time.

8. Click the Apply button. Your settings are saved.

Security

User Manual64Manage the Firewall and

Insight Instant VPN Router BR500

Manage custom firewall traffic rules

A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. Traffic rules define policies for packets traveling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.

The router provides one default outbound traffic rule: It allows all access to the Internet (that is, the WAN). You can add rules to allow access to or prevent access from specific protocols, IP addresses, and MAC addresses on the Internet. For example, you can specify if a traffic rule applies to one user, a range of users, all users on a LAN, or to the WAN. You need networking knowledge to set up traffic rules.

For information about blocking specific keywords, URLs, or sites, see Specify keywords and domains to block Internet sites on page 55. For information about blocking services or applications from the Internet, see Block specific services and applications from the Internet on page 59. These types of blocking are other components of the firewall.

For information about an advanced component of the firewall, see Manage Port Forwarding and Port Triggering Traffic Rules on page 143.

Add a firewall traffic rule

You can add a traffic rule to the firewall to prevent or allow traffic based on its protocol, source, destination, and other criteria.

To add a firewall traffic rule:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

Select ADVANCED > Firewall > Traffic Rules. The Traffic Rules page displays.

Security

User Manual65Manage the Firewall and

Insight Instant VPN Router BR500

5. Click the Add button. The Add Traffic Rule slide-out panel opens.

In the Name field, enter a name for the traffic rule. The name is for identification purposes.

7. From the Protocol menu, select the protocol to which the rule must apply. By default, the selection is ALL and the rule applies to the ICMP, UDP, and TCP

protocols.

Specify the source or sources from which the traffic originates by doing the following: a. Select a Source Zone radio button:

LAN. The traffic originates from the LAN. If you set up more than one LAN

• subnet, select the check box for the LAN. By default, the selection is LAN1.

WAN. The traffic originates from the WAN.

•

If the traffic for the rule must originate from a specific IP address, enter the IP address. Otherwise, leave the default setting of any.

If the traffic for the rule must originate from a specific port, enter the port number. Otherwise, leave the default setting of any.

If the traffic for the rule must originate from a MAC address, enter the MAC address. Otherwise, leave the default setting of any.

Specify the destination or destinations to which the traffic must be sent by doing the following:

a. Select a Destination Zone radio button:

Device (input). The traffic must be sent to the computer or mobile device

• that you are currently using.

LAN. The traffic must be sent to the LAN. If you set up more than one LAN

• subnet, select the check box for the LAN. By default, the selection is LAN1.

WAN. The traffic must be sent to the WAN.

•

If the traffic for the rule must be sent to a specific IP address, enter the IP address. Otherwise, leave the default setting of any.

Security

If the traffic for the rule must be sent to a specific port, enter the port number. Otherwise, leave the default setting of any.

User Manual66Manage the Firewall and

Insight Instant VPN Router BR500

10.

Specify the action for the rule by making a selection from the Action menu:

ACCEPT. Traffic that conforms to the rule is accepted from its origination and

• sent to its destination.

DROP. Traffic that conforms to the rule is dropped.

•

11.

(Optional). In the Extra arguments field, enter arguments that are added to the iptables for the rule.

This is an advanced option and we recommend that you use care adding arguments to this field. Incorrect configuration might cause your Internet connection to go down or to be negatively affected.

12. Click the Apply button.

The new rule is added to the table on the Traffic Rules page and goes into effect immediately.

Change a firewall traffic rule

You can change an existing firewall traffic rule.

To change a firewall traffic rule:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

Select ADVANCED > Firewall > Traffic Rules. The Traffic Rules page displays.

In the table, click the blue pencil icon for the rule. The Edit Traffic Rule slide-out panel opens.

Change the settings for the rule. For more information about the settings, see Add a firewall traffic rule on page 65.

User Manual67Manage the Firewall and

Security

Insight Instant VPN Router BR500

7. Click the Apply button.

The modified rule displays in the table on the Traffic Rules page and the changes go into effect immediately.

Remove a traffic rule

If you no longer need a traffic rule, you can remove it from the firewall.

To remove a traffic rule from the firewall:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

Select ADVANCED > Firewall > Traffic Rules. The Traffic Rules page displays.

In the table, click the red trash can icon for the rule. A warning pop-up window opens.

6. Click the OK button.

The rule is removed from the table.

Remove several or all traffic rules from the firewall

You can simultaneously remove several or all traffic rules from the firewall.

To remove several or all traffic rules from the firewall:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

User Manual68Manage the Firewall and

Security

Insight Instant VPN Router BR500

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

Select ADVANCED > Firewall > Traffic Rules. The Traffic Rules page displays.

Do one of the following:

Remove several rules. Select the check boxes to the left of the rules.

•

Remove all rules. Select the check box in the table heading.

•

6. Click the Delete button.

A warning pop-up window opens.

7. Click the OK button.

The rules are removed from the table.

Security

User Manual69Manage the Firewall and

Manage the LAN and VLAN Settings

This chapter describes how you can manage the local area network (LAN) and virtual LAN (VLAN) settings of the router.

The chapter includes the following sections:

• Change the router network device name

• Manage the default IP address settings and LAN subnets

• Manage VLANs

• Manage reserved LAN IP addresses

• Add and manage IPv4 static routes

• Enable an IPTV bridge for a port group or VLAN tag group

Insight Instant VPN Router BR500

Change the router network device name

The router’s default network device name is the router model number (BR500).

This device name displays in, for example, a file manager when you browse your network.

To change the router network device name:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

5. Click the Device Name Edit button.

The Edit Device Name slide-out panel opens.

Enter a new name in the Device Name field.

7. Click the Apply button.

Your settings are saved.

Manage the default IP address settings and LAN subnets

The default LAN subnet (LAN1) defines the default LAN IP address settings for the router, including the IP address at which you can access the router over the local browser interface. However, the router can support multiple LAN subnets.

Settings

User Manual71Manage the LAN and VLAN

Insight Instant VPN Router BR500

Change the LAN IP address settings for a LAN subnet

The router is preconfigured to use private IP addresses on the LAN side and to act as a DHCP server. The router’s LAN IP configuration for the default LAN subnet (LAN1) is as follows:

LAN IP address. 192.168.1.1 (this is the same as www.routerlogin.net)

•

Subnet mask. 255.255.255.0

•

VLAN ID. 1

•

These addresses are part of the designated private address range for use in private networks and are suitable for most applications. The IP address and subnet mask identify which addresses are local to a specific device and which must be reached through a gateway or router. If you need a specific IP subnet that one or more devices on the network use, or if competing subnets use the same IP scheme, you can change the LAN IP address settings for the default LAN subnet or add another LAN subnet (see Add a LAN subnet on page 76). If you add another LAN subnet, you must use unique LAN IP address settings and a unique VLAN ID for that subnet.

Note: If you change the default LAN IP address settings, the IP address range for the default DHCP server also changes (see Manage the DHCP server address pool for a LAN subnet on page 73).

To change the LAN IP address settings for a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

If you added another LAN subnet (see Add a LAN subnet on page 76) and want to change the IP address settings for that LAN subnet, click the tab for that LAN subnet.

User Manual72Manage the LAN and VLAN

Settings

Insight Instant VPN Router BR500

In the IP Address fields, enter the LAN IP address. If you change the IP address for the default LAN subnet (LAN1), the LAN IP address

for the router changes.

In the IP Subnet Mask fields, enter the LAN subnet mask. If you change the IP subnet mask for the default LAN subnet, the LAN IP subnet mask

for the router changes.

8. Click the Apply button.

Your settings are saved.

If you changed the LAN IP address settings of the default LAN subnet, you are disconnected from the local browser interface.

To reconnect, close your browser, relaunch it, and log in to the router at its new LAN IP address.

Manage the DHCP server address pool for a LAN subnet

By default, the router acts as a Dynamic Host Configuration Protocol (DHCP) server. For each LAN subnet, the router assigns IP, DNS server, and default gateway addresses to all computers that are connected to its LAN subnet.

For a LAN subnet, these addresses must be part of the same IP address subnet as the router’s LAN IP address for that LAN subnet. The DHCP address pool for the default LAN subnet is 192.168.1.2 through 192.168.1.254.

The router delivers the following parameters to any LAN device that requests DHCP:

An IP address from the range that you define

•

Subnet mask

•

Gateway IP address

•

DNS server IP address

•

To specify the DHCP pool of IP addresses that the router assigns for a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

Settings

User Manual73Manage the LAN and VLAN

Insight Instant VPN Router BR500

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

If you added another LAN subnet (see Add a LAN subnet on page 76) and want to change the DHCP pool for that LAN subnet, click the tab for that LAN subnet.

6. Make sure that the Use Router as DHCP Server check box is selected.

This check box is selected by default.

Specify the range of IP addresses that the router assigns for the LAN subnet:

In the Starting IP Address field, enter the lowest number in the range.

• This IP address must be in the same LAN subnet.

In the Ending IP Address field, enter the number at the end of the range of IP

• addresses. This IP address must be in the same LAN subnet.

8. Click the Apply button.

Your settings are saved.

Disable the DHCP server for a LAN subnet

By default, the router functions as a DHCP server for the default LAN subnet (LAN1). The router assigns IP, DNS server, and default gateway addresses to all devices connected to the LAN. The assigned default gateway address is the LAN address of the router.

You can use another device on your network as the DHCP server or specify the network settings of all your computers.

Note: If you disable the DHCP server for the default LAN subnet and do not specify another DHCP server in another LAN subnet or no other DHCP server is available on your network, you must set your computer IP addresses manually so that they can access the router.

Settings

User Manual74Manage the LAN and VLAN

Insight Instant VPN Router BR500

To disable the DHCP server for a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

If you added another LAN subnet (see Add a LAN subnet on page 76) and want to change the DHCP pool for that LAN subnet, click the tab for that LAN subnet.

6. Clear the Use Router as DHCP Server check box.

7. Click the Apply button.

Your settings are saved.

Manage the Router Information Protocol settings

Router Information Protocol (RIP) lets the router exchange routing information with other routers. By default, RIP is enabled for the default LAN subnet (LAN1) in both directions (in and out) without a particular RIP version. You cannot configure RIP for any other LAN subnets.

To manage the RIP settings:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

Settings

User Manual75Manage the LAN and VLAN

Insight Instant VPN Router BR500

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

5. From the RIP Direction menu, select the RIP direction:

• Both. The router broadcasts its routing table periodically and incorporates

information that it receives. This is the default setting.

• Out Only. The router broadcasts its routing table periodically but does not

incorporate the RIP information that it receives.

•

In Only. The router incorporates the RIP information that it receives but does not

broadcast its routing table.

6. From the RIP Version menu, select the RIP version:

•

Disabled. The RIP version is disabled. This is the default setting.

•

RIP-1. This format is universally supported. It is adequate for most networks, unless

you are using an unusual network setup.

•

RIP-2. This format carries more information. Both RIP-2B and RIP-2M send the

routing data in RIP-2 format. RIP-2B uses subnet broadcasting. RIP-2M uses multicasting.

7. Click the Apply button.

Your settings are saved.

Add a LAN subnet

The router includes one default LAN subnet (LAN1), but you can add multiple LAN subnets. Each LAN subnet requires unique LAN IP address settings and a unique VLAN ID (see Add a VLAN on page 81).

To add a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

Settings

User Manual76Manage the LAN and VLAN

Insight Instant VPN Router BR500

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

5. Click the Add Subnet button.

The Add New Subnet slide-out panel opens.

The LAN Name field and MAC Address field are automatically populated.

In the IP Address fields, enter the LAN IP address. By default, the third octet of the IP address increases by one for each LAN subnet

that you add. For example, the default IP address for LAN2 is 192.168.2.1, the default IP address for LAN3 is, 192.168.3.1, and so on. However, you can use any LAN IP address, provided that the IP address differs from the one for the default LAN subnet (LAN1) or any other LAN subnet that you added.

In the IP Subnet Mask fields, enter the LAN subnet mask.

If you want to use the DHCP server for the LAN subnet, select the Use Router as DHCP Server check box and specify the range of IP addresses that the router assigns for the LAN subnet:

In the Starting IP Address field, enter the lowest number in the range.

• This IP address must be in the same LAN subnet.

In the Ending IP Address field, enter the number at the end of the range of IP

• addresses. This IP address must be in the same LAN subnet.

In the VLAN ID field, enter a VLAN ID. The ID must be unique and cannot be used by any other LAN subnet (see Add a

VLAN on page 81).

10.

(Optional) In the Description field, enter a description for the LAN subnet. The description is for identification purposes.

11. Click the Apply button.

The new LAN subnet is added.

Settings

User Manual77Manage the LAN and VLAN

Insight Instant VPN Router BR500

Remove a LAN subnet

If you no longer need a LAN subnet, you can remove it. Before you remove it, make sure that no clients are connected to the LAN subnet. You cannot remove the default LAN subnet (LAN1).

Note: If you added two LAN subnets, LAN2 and LAN3, and you remove LAN2, the old LAN3 becomes the new LAN 2. That is, the name changes from LAN3 to LAN2.

To remove a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup.

The LAN Setup page displays for the default LAN subnet (LAN1).

Click the tab for that the LAN subnet that you want to remove.

6. Scroll to the bottom and click the Delete button.

A warning pop-up window opens.

7. Click the OK button.

The LAN subnet is removed.

Settings

User Manual78Manage the LAN and VLAN

Insight Instant VPN Router BR500

Manage VLANs

The router supports virtual LANs (VLANs). This section describes how you can manage them.

VLAN concepts

You can define a local area network (LAN) as a broadcast domain. Hubs, bridges, switches, and WiFi access points in the same physical segment or segments connect all end nodes. End nodes can communicate with each other without a router. Routers connect LANs, routing the traffic to each appropriate port.

A virtual LAN (VLAN) is a local area network that maps devices on a basis other than geographic location, for example, by department, type of user, or primary application. Traffic that flows between different VLANs must go through a router, just as if the VLANs were on two separate LANs.

A VLAN is a group of network devices (computers, servers, and other resources) that behave as if they are connected to a single network segment, even though they might not be. For example, the marketing personnel might be located throughout a building, but if they are all assigned to a single VLAN, they can share resources and bandwidth as if they are connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specific individuals, depending on how you set up the VLAN.

VLANs provide a number of advantages:

VLANs let you easily segment your network. You can group users who

• communicate most frequently with each other in a common VLAN, regardless of

physical location. Each group’s traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.

VLANS are easy to manage. You can quickly add or change network nodes and

• make other network changes through the Insight mobile app or Cloud Portal.

VLANs provide increased performance. VLANs free up bandwidth by limiting

• node-to-node and broadcast traffic throughout the network.

VLANs enhance network security. VLANs create virtual boundaries that can be

• crossed only through a router. Therefore, you can use standard, router-based security measures to restrict access to a VLAN.

Port-based VLAN concepts

The router supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one

User Manual79Manage the LAN and VLAN

Settings

Insight Instant VPN Router BR500

VLAN, you can assign a single VLAN ID only as the port VLAN identifier (PVID). By default, all four LAN ports of the router are assigned to the default VLAN, or VLAN 1, and all untagged traffic is routed through the default VLAN. Therefore, by default, all four LAN ports are assigned the default PVID 1. However, you can change the configuration of VLAN 1 and you can assign another PVID to a LAN port. You cannot delete VLAN 1 because it is the management VLAN (see Management VLAN concepts on page 80).

Note: The WAN port is an untagged member of default VLAN 2. You cannot change or delete VLAN 2.

The following applies to VLANs on the router:

A LAN port is assigned to at least one VLAN but you can assign it to multiple VLANs.

•

When you assign a LAN port to multiple VLANs, you can use the port as a trunk port

• to connect the router to a switch, access point, or other router.

You can assign a LAN port as a tagged member of multiple VLANs. However, a LAN

• port can be an untagged member of a single VLAN only. (By default, all LAN ports

are untagged members of VLAN 1.)

The router treats incoming packets in the following ways:

If an untagged packet enters a port, it is automatically tagged with the port’s default

• VLAN ID. Each port is assigned a default VLAN ID (the PVID) that you can configure.

The default setting is 1.

If a tagged packet enters a port, the tag for that packet is unaffected by the default

• VLAN ID. The packet proceeds to the VLAN that is specified by the VLAN ID in the packet.

If a packet enters through a port that is a member of the VLAN that is specified by

• the VLAN ID in the packet, the packet can be sent to other ports with the same VLAN ID.

If a packet enters through a port that is not a member of the VLAN that is specified

• by the VLAN ID in the packet, the packet is dropped.

Packets that leave the switch are either tagged or untagged, depending on the VLAN

• to which the port belongs.

Management VLAN concepts

A management VLAN is a much smaller network that is contained within your regular network. The primary benefit of using a management VLAN is improved network security. When all management traffic is on a separate VLAN, it is much harder for unauthorized users to make changes to your network or monitor network traffic.

Settings

User Manual80Manage the LAN and VLAN

Insight Instant VPN Router BR500

Another potential benefit is that a management VLAN can help you minimize the impact of a broadcast storm on other VLANs by giving you a separate path to access your network.

On the router, the management VLAN (VLAN 1) is also the native or default VLAN. By default, all ports are members of the default VLAN. For the management VLAN to be secure, it must be used only for controlling and managing your network devices. We recommend that you restrict access to the management VLAN and configure other VLANs to carry all regular network traffic.

If you decide to restrict access to the management VLAN, especially with an access control list (ACL), make sure that you make your computer or device a member of the VLAN and add its MAC address to the ACL (if applicable). Otherwise, you must log in from an allowed device or lose access to the management functions of the switch. If you are unable to log in on an allowed device, you must reset the router to factory default settings to regain management access.

Add a VLAN

The router includes two default VLANs:

VLAN 1. The default VLAN for the LAN, which includes all four LAN ports as untagged

• members. You can change this VLAN but you cannot remove it.

VLAN 2. The default VLAN for the WAN, which includes the WAN port as an untagged

• member. You cannot change or remove this VLAN.

You can add more VLANs.

To add a VLAN:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > VLAN. The VLAN page displays.

Settings

User Manual81Manage the LAN and VLAN

Insight Instant VPN Router BR500

5. Click the Add button. The Add VLAN slide-out panel opens.

In the VLAN ID field, enter a VLAN ID. The ID must be in the range from 3 to 4094. (IDs 1 and 2 are already in use.)

In the Name field, enter a name for the VLAN. The name is for identification purposes.

Specify the port members of the VLAN by doing the following: a.

Select the check boxes for the ports the must be members of the VLAN.

From the menu for each port, select TAG or UNTAG.

Note: By default, all ports are untagged members of VLAN 1. Before you can add a port as an untagged member to a VLAN, you must first make the port a tagged member of VLAN 1.

(Optional) In the Description field, enter a description for the VLAN. The description is for identification purposes.

10. Click the Apply button. The new VLAN is added to the table on the VLAN page.

Change a VLAN

You can change an existing VLAN, including VLAN 1 (the default VLAN for the LAN).

To change a VLAN:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

User Manual82Manage the LAN and VLAN

Settings

Insight Instant VPN Router BR500

4. Select ADVANCED > VLAN. The VLAN page displays.

In the table, click the blue pencil icon for the VLAN. The Edit VLAN slide-out panel opens.

Change the settings for the VLAN. For more information about the settings, see Add a VLAN on page 81.

7. Click the Apply button. The modified VLAN displays in the table on the VLAN page.

Change the PVID for a LAN port

By default, all LAN ports are assigned a PVID of 1 because they are members of VLAN 1. (The WAN port is assigned a PVID of 2, and you cannot change that PVID.)

You can change the PVID for a LAN port only after you add the LAN port to a second VLAN, that is, a VLAN other than VLAN 1 (see Add a VLAN on page 81).

To change the PVID for a LAN port:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > VLAN. The VLAN page displays.

5. Click the Ports tab. The Ports page displays.

From the menu for a LAN port, select another VLAN ID.

7. Click the Apply button.

Settings

User Manual83Manage the LAN and VLAN

Insight Instant VPN Router BR500

Your settings are saved.

Remove a VLAN

If you no longer need a VLAN, you can remove it. You cannot remove VLAN 1 and VLAN 2.

To remove a VLAN:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > VLAN. The VLAN page displays.

In the table, click the red trash can icon for VLAN. A warning pop-up window opens.

6. Click the OK button. The VLAN is removed from the table.

Settings

User Manual84Manage the LAN and VLAN

Insight Instant VPN Router BR500

Manage reserved LAN IP addresses

When you specify a reserved IP address for a device on a LAN subnet, that device always receives the same IP address each time it accesses the router’s DHCP server on that LAN subnet.

Reserve a LAN IP Address for a LAN subnet

You can assign a reserved IP address for a device such as a computer or server that requires permanent IP settings.

To reserve an IP address for a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup. The LAN Setup page displays for the default LAN subnet (LAN1).

If you added another LAN subnet (see Add a LAN subnet on page 76) and want to reserve a LAN IP address for that LAN subnet, click the tab for that LAN subnet.

6. Above the Address Reservation table, click the Add button. The Add Address Reservation slide-out panel opens.

Either select the radio button for an attached device that displays in the table or specify the reserved IP address settings in the following fields:

• IP Address. Enter the IP address to assign to the computer or device.

Enter an IP address in the router’s LAN subnet, such as 192.168.1.x.

•

MAC Address. Enter the MAC address of the computer or device.

•

Device Name. Enter the name of the computer or device.

Settings

User Manual85Manage the LAN and VLAN

Insight Instant VPN Router BR500

8. Click the Add button. The reserved address is entered into the Address Reservation table on the LAN

Setup page for the LAN subnet.

The reserved address is not assigned until the next time the computer or device contacts the router’s DHCP server. Reboot the computer or device, or access its IP configuration and force a DHCP release and renew.

Change a reserved IP address for a LAN subnet

You can change an existing reserved IP address entry for a LAN subnet.

To change a reserved IP address entry for a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup. The LAN Setup page displays for the default LAN subnet (LAN1).

If you added another LAN subnet (see Add a LAN subnet on page 76) and want to change a reserved LAN IP address for that LAN subnet, click the tab for that LAN subnet.

In the Address Reservation section, select the radio button for the reserved address.

7. Click the Edit button. The Edit Address Reservation slide-out panel opens.

8. Change the settings.

9. Click the Apply button. Your settings are saved.

Settings

User Manual86Manage the LAN and VLAN

Insight Instant VPN Router BR500

Remove a reserved IP address entry for a LAN subnet

You can remove a reserved IP address entry that you no longer need.

To remove a reserved IP address entry for a LAN subnet:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select BASIC > Setup > LAN Setup. The LAN Setup page displays for the default LAN subnet (LAN1).

If you added another LAN subnet (see Add a LAN subnet on page 76) and want to remove a LAN IP address entry for that LAN subnet, click the tab for that LAN subnet.

In the Address Reservation table, select the radio button for the reserved address.

7. Click the Delete button. A warning pop-up window opens.

8. Click the OK button. The IP address entry is removed.

Add and manage IPv4 static routes

Static routes provide detailed routing information to your router. Typically, you do not need to add static routes. You must configure static routes only for unusual cases such as when you use multiple routers or multiple IP subnets on your network.

As an example of when a static route is needed, consider the following case:

Your primary Internet access is through an ADSL modem to an ISP.

•

You use an ISDN router on your home network for connecting to the company where

• you are employed. This router’s address on your LAN is 192.168.1.100.

User Manual87Manage the LAN and VLAN

Settings

Insight Instant VPN Router BR500

Your company’s network address is 134.177.0.0.

•

When you first configured your router, two implicit static routes were created. A default route was created with your ISP as the gateway and a second static route was created to your local network for all 192.168.1.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your router forwards your request to the ISP. The ISP forwards your request to the company where you are employed, and the request is likely to be denied by the company’s firewall.

In this case, you must define a static route, instructing your router that 134.177.0.0 is accessed through the ISDN router at 192.168.1.100. Here is an example:

Through the destination IP address and IP subnet mask, specify that this static route

• applies to all 134.177.x.x addresses.

Through the gateway IP address, specify that all traffic for these addresses is

• forwarded to the ISDN router at 192.168.1.100.

A metric value of 1 works fine because the ISDN router is on the LAN.

•

Add an IPv4 static route

You can add an IPv4 static route to a destination IP address and specify the subnet mask, gateway IP address, and metric.

To add an IPv4 static route:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Static Routes. The Static Routes page displays.

5. Click the Add button. The Add IP Static Route slide-out panel opens.

Settings

User Manual88Manage the LAN and VLAN

Insight Instant VPN Router BR500

In the Name field, enter a name for the route. The name is for identification purposes.

7. To make the route private, select the Private check box. A private static route is not reported in RIP.

To prevent the route from becoming active after you click the Apply button, clear the Active check box.

In some situations, you might want to set up a static route but keep it disabled until a later time. By default, the Active check box is selected and a route becomes active after you click the Apply button.

Enter the route IP address and metric settings in the following fields:

Destination IP Address. Enter the IP address for the final destination of the route.

•

IP Subnet Mask. Enter the IP subnet mask for the final destination of the route.

•

If the destination is a single host, enter 255.255.255.255.

Gateway IP Address. Enter the IP address of the gateway.

•

The IP address of the gateway must be on the same LAN subnet as the router.

Metric. Enter a number from 1 through 15.

•

This value represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.

10. Click the Apply button. Your settings are saved. The static route is added to the table on the Static Routes

page.

Change an IPv4 static route

You can change an IPv4 static route.

To change an IPv4 static route:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

Settings

User Manual89Manage the LAN and VLAN

Insight Instant VPN Router BR500

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Static Routes. The Static Routes page displays.

In the Static Routes table, select the radio button for the route.

6. Click the Edit button. The Edit IPv4 Static Route slide-out panel opens.

Change the settings for the route. For more information about the settings, see Add an IPv4 static route on page 88.

8. Click the Apply button. The route settings are updated in the table on the Static Routes page.

Remove an IPv4 static route

You can remove an existing IPv4 static route that you no longer need.

To remove an IPv4 static route:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > Static Routes. The Static Routes page displays.

In the Static Routes table, select the radio button for the route.

6. Click the Delete button.

Settings

User Manual90Manage the LAN and VLAN

Insight Instant VPN Router BR500

A warning pop-up window opens.

7. Click the OK button. The route is removed from the table on the Static Routes page.

Enable an IPTV bridge for a port group or VLAN tag group

Some devices, such as an Internet Protocol television (IPTV), cannot function behind the router’s Network Address Translation (NAT) service or firewall. Based on what your Internet service provider (ISP) requires, for the device to connect to the ISP’s network directly, you can enable a bridge either between the device and the router’s WAN (Internet) port or between the device and a VLAN tag group.

Note: If your ISP provides directions on how to set up a bridge for IPTV and Internet service, follow those directions.

Enable an IPTV bridge for a port group

If an IPTV device is connected to a LAN port, your ISP might require you to set up a bridge for a port group for the router’s Internet interface.

A bridge with a port group allows packets that are sent between the IPTV device and the router WAN port to circumvent the router’s NAT service, which otherwise could drop the packets.

To enable the IPTV bridge for a port group:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPTV.

User Manual91Manage the LAN and VLAN

Settings

Insight Instant VPN Router BR500

The IPTV page displays.

Select the Enable VLAN/Bridge group check box. The page expands.

6. Select the By bridge group radio button. The page adjusts.

Select the check box for the wired (LAN) port to which the IPTV device is connected. You must select at least one LAN port. You can select more than one LAN port.

8. Click the Apply button. Your settings are saved.

Enable an IPTV bridge for a VLAN tag group

If an IPTV device is connected to a LAN port, your ISP might require you to set up a bridge for a VLAN tag group for the router’s WAN port.

If you are subscribed to IPTV service, the router might require VLAN tags to distinguish between the Internet traffic and the IPTV traffic. A bridge with a VLAN tag group allows packets that are sent between the IPTV device and the router WAN port to circumvent the router’s NAT service, which otherwise could drop the packets.

IMPORTANT: You can either add one or more custom VLANs (that is, any VLAN other than default VLAN 1 and VLAN 2) or you can set up an IPTV bridge for a VLAN tag group. You cannot do both on the router because these features are not compatible. If you added custom VLANs (see Add a VLAN on page 81), you must first remove those VLANs (see Remove a VLAN on page 84) before you can enable the IPTV bridge for a VLAN tag group.

The router includes a default VLAN tag group with the name Internet, with VLAN ID 10, and with all LAN ports and the WAN port as members. If you enable the IPTV bridge for a VLAN tag group, this default VLAN tag group is also enabled.

You can add custom VLAN tag groups and assign a VLAN ID, priority value, and ports to each VLAN tag group.

To enable the IPTV bridge for a VLAN tag group:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

User Manual92Manage the LAN and VLAN

Settings

Insight Instant VPN Router BR500

A login window opens.

3. Enter the router user name and password. The user name is admin. The password is the one that you specified when you set

up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > IPTV. The IPTV page displays.

Select the Enable VLAN/Bridge group check box. The page expands.

6. Select the By VLAN tag group radio button. The page adjusts and the default VLAN tag group displays.

To add a custom VLAN tag group, do the following: a. Click the Add button.

The Add VLAN Rule slide-out panel opens.

Specify the settings in the following fields:

Name. Enter a name for the VLAN tag group.

• The name is for identification purposes.

VLAN ID. Enter a value from 1 to 4094.

•

Priority. Enter a value from 0 to 7.

•

Select the check box for the LAN port to which the device is connected. You must select at least one LAN port. You can select more than one LAN port.

8. Click the Apply button.

Your settings are saved. If you added a VLAN tag group, the group is added to the table on the Enable VLAN/Bridge group page.

Settings

User Manual93Manage the LAN and VLAN

Optimize Performance

You can set up the router to dynamically optimize performance for sevices and applications such as Internet gaming, high-definition video streaming, and VoIP communication.

This chapter includes the following sections:

• Use Dynamic QoS to optimize Internet traffic management

• Improve network connections with Universal Plug and Play

Insight Instant VPN Router BR500

Use Dynamic QoS to optimize Internet traffic management

Dynamic Quality of Service (QoS) helps improve your router’s Internet traffic management capabilities through better application and device identification, bandwidth allocation, and traffic prioritization techniques. Dynamic QoS resolves traffic congestion when the Internet bandwidth is limited and different demands compete for bandwidth.

Note: QoS does not increase your total Internet bandwidth or throughput. QoS just prioritizes the way the bandwidth and throughput are used.

Enable Dynamic QoS and set the Internet bandwidth

Because Dynamic QoS might not be suitable for all situations, it is disabled by default.

To enable Dynamic QoS:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > QoS Setup.

The QoS Setup page displays.

5. Select the Dynamic QoS check box.

After your Internet bandwidth is established, Dynamic QoS enables the router to automatically prioritize traffic by application and device.

User Manual95Optimize Performance

Insight Instant VPN Router BR500

To specify your Internet bandwidth, do one of the following (although we recommend that you use the automatic speed test):

Use the automatic speed test. Do the following:

•

a. Make sure that the Let Speedtest detect my Internet bandwidth radio

button is selected. By default, this radio button is selected.

b. For more accurate speed test results, make sure that no other devices are

accessing the Internet while your perform the automatic speedtest.

c. Click the Take a Speedtest button.

Speedtest determines your Internet bandwidth. The test make take up to one of minute. A pop-up window opens.

d. To apply the detected Internet bandwidth settings, click the Yes button.

Manually set the Internet bandwidth. Do the following:

• a.

Select the I want to define my Internet bandwidth radio button. A warning pop-up window opens.

b. Click the OK button.

In the Download Speed (Mbps) field, enter the download speed.

In the Upload Speed (Mbps) field, enter the upload speed.

7. Click the Apply button.

A warning pop-up window opens.

8. Click the OK button.

Your settings are saved.

Enable or disable the automatic update of the QoS database

The router uses a QoS database of the most popular applications and services to implement Dynamic QoS. By default, the router automatically updates this database. You can turn off this feature and manually update the database.

To enable or disable the automatic update of the QoS database:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net.

User Manual96Optimize Performance

Insight Instant VPN Router BR500

Your browser might display a security message, which you can ignore. For more information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > QoS Setup.

The QoS Setup page displays.

If you are using Dynamic QoS, by default, the Automatically update performance optimization database check box is selected.

Select or clear the Automatically update performance optimization database check box.

6. Click the Apply button.

Your settings are saved.

Manually update the QoS database on the router

The router uses a QoS database of the most popular applications and services to implement Dynamic QoS. By default, the router automatically updates this database when you enable Dynamic QoS, but if you turned off the automatic update feature, you can manually update the database.

To manually update the QoS database:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

User Manual97Optimize Performance

Insight Instant VPN Router BR500

4. Select ADVANCED > QoS Setup.

The QoS Setup page displays. The version and release date of the installed database display.

5. Click the Update Now button.

The router checks for the newest version of the database and downloads it.

6. Click the Apply button.

Your settings are saved.

Improve network connections with Universal Plug and Play

Universal Plug and Play (UPnP) helps devices such as Internet appliances and computers access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network.

If the router must support applications such as multiplayer gaming, peer-to-peer connections, or real-time communications such as instant messaging, enable UPnP.

To enable Universal Plug and Play:

Launch a web browser from a computer or mobile device that is connected to the router network.

Enter https://www.routerlogin.net. Your browser might display a security message, which you can ignore. For more

information, see Log in to the local browser interface on page 16.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The password is the one that you specified when you set up your router. If you didn’t change the password, enter password. The user name and password are case-sensitive.

The Dashboard displays.

4. Select ADVANCED > UPnP.

The UPnP page displays.

5. Make sure that the Turn UPnP On check box is selected.

User Manual98Optimize Performance

Insight Instant VPN Router BR500

By default, this check box is selected. If the Turn UPnP On check box is cleared, the router does not allow any device to automatically control router resources, such as port forwarding.

6. Type the advertisement period in minutes. The advertisement period specifies how often the router broadcasts its UPnP

information. This value can range from 1 to 1440 minutes. The default period is 30 minutes. Shorter durations ensure that control points receive current device status at the expense of more network traffic. Longer durations can compromise the freshness of the device status but can significantly reduce network traffic.

7. Type the advertisement time to live in hops. The time to live for the advertisement is measured in hops (steps) for each UPnP

packet sent. Hops are the steps a packet takes between routers. The number of hops can range from 1 to 255. The default value for the advertisement time to live is 4 hops, which is fine for most networks. If you notice that some devices are not being updated or reached correctly, it might be necessary to increase this value.

8. Click the Apply button. The UPnP Portmap Table displays the IP address of each UPnP device that is accessing

the router and which ports (internal and external) that device opened. The UPnP Portmap Table also displays what type of port is open and whether that port is still active for each IP address.

To refresh the information in the UPnP Portmap Table, click the Refresh button.

User Manual99Optimize Performance

Maintain the Router

This chapter describes how you can maintain the router by managing the firmware, configuration file, admin password, and logs and by setting up the traffic meter.

The chapter includes the following sections:

• Check for new firmware and update the router

• Change the admin password

• Set up password recovery

• Recover the admin password

• Manage the configuration file of the router

• Return the router to its factory default settings

• Manage the activity log

• Monitor and meter Internet traffic

100

Netgear BR500 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Set Up and Access the Router

About this user manual and NETGEAR Insight

Limitation for a Mac VPN client

Set up the BR500 router with an Internet connection

Set up the BR500 router to connect to a modem

Set up the BR500 router to connect to the LAN of an existing router

Router management options

Log in to the local browser interface

Change the language of the local browser interface

Add the router to an Insight managed network

Access Insight to manage the router

Specify Your Internet Settings Manually

Use the Internet Setup Wizard

Manually set up the router Internet connection

Specify a dynamic or fixed IP address Internet connection without a login

Specify a PPPoE Internet connection that uses a login

Specify a PPTP or L2TP Internet connection that uses a login

Specify IPv6 Internet connections

Requirements for entering IPv6 addresses

Use Auto Detect for an IPv6 Internet connection

Use Auto Config for an IPv6 Internet connection

Set up an IPv6 6to4 tunnel Internet connection

Set up an IPv6 6rd Internet connection

Set up an IPv6 passthrough Internet connection

Set up an IPv6 fixed Internet connection

Set up an IPv6 DHCP Internet connection

Set up an IPv6 PPPoE Internet connection

Change the MTU size

Set Up and Manage Dynamic DNS

Set up a new Dynamic DNS account

Specify a DNS account that you already created

Change the Dynamic DNS settings

Manage the Firewall and Security

Manage the basic firewall settings

Manage port scan protection and denial of service protection

Set up a default DMZ server

Manage IGMP proxying

Manage NAT filtering

Manage the SIP application-level gateway

Allow or block device access to your network

Enable and manage network access control

Manage network access control lists

Add a device to or remove it from the allowed list

Add a device to or remove it from the blocked list

Specify keywords and domains to block Internet sites

Set up keyword and domain blocking

Specify a trusted device

Remove a keyword or domain from the blocked list

Remove all keywords and domains from the blocked list

Block specific services and applications from the Internet

Add a service blocking rule for a predefined service or application

Add a service blocking rule for a custom service or application

Change a service blocking rule

Remove a service blocking rule

Set up a schedule for blocking

Manage custom firewall traffic rules

Add a firewall traffic rule

Change a firewall traffic rule

Remove a traffic rule

Remove several or all traffic rules from the firewall

Manage the LAN and VLAN Settings

Change the router network device name

Manage the default IP address settings and LAN subnets

Change the LAN IP address settings for a LAN subnet

Manage the DHCP server address pool for a LAN subnet

Disable the DHCP server for a LAN subnet

Manage the Router Information Protocol settings

Add a LAN subnet

Remove a LAN subnet

Manage VLANs

VLAN concepts

Port-based VLAN concepts

Management VLAN concepts

Add a VLAN

Change a VLAN