Netopia 4000 Software Manual

NNNNeeeettttooooppppiiiiaa

aa

NNNNeeeettttooooppppiiiiaa

®®

4444000000000000----SSSSeeeerrrriiiieeeessss EEEEqqqquuuuiiiippppmmmmeeeennnntt

®®

aa

FFFFiiiirrrrmmmmwwwwaaaarrrreeee UUUUsssseeeerrrr GGGGuuuuiiiiddddee

tt

ee

oo

NNNNeeeettttoo

ppppiiiiaaaa FFFFiiiirrrrmmmmwwwwaaaarrrreeee VVVVeeeerrrrssssiiiioooonnnn 5555....44

44

Copyright

Copyright© 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Ofﬁce. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc. All other trademarks are the proper ty of their respective owners. All rights reser ved.

Netopia, Inc. 6001 Shellmound Street Emeryville, CA 94608 U.S.A.

Part Number

Netopia part number 6161184-00-01

CCCCoooonnnntttteeeennnnttttss

ss

Contents iii

Chapter 1 — Introduction.......................................................... 1-1

What’s New in Netopia Firmware Version 5.4 ................... 1-1

Console-based Management........................................... 1-2

Netopia Console Menus ................................................. 1-2

Netopia Models ............................................................. 1-3

Screen differences .............................................. 1-3

Connecting through a Telnet Session............................... 1-4

Conﬁguring Telnet software................................... 1-4

Connecting a Console Cable to your Equipment................ 1-5

Navigating through the Console Screens.......................... 1-7

Chapter 2 — WAN and System Conﬁguration .............................2-1

WAN Conﬁguration ......................................................... 2-1

ADSL Line Conﬁguration screen ............................ 2-2

SDSL/IDSL Conﬁguration screen........................... 2-3

G.SHDSL Line Conﬁguration screen....................... 2-6

T1 Line Conﬁguration screen ................................ 2-7

Frame Relay Conﬁguration .............................................. 2-9

Frame Relay DLCI conﬁguration........................... 2-11

Multiple ATM Permanent Virtual Circuits ........................ 2-16

Multiple ATM PVC overview ................................. 2-16

Multiple ATM PVC conﬁguration........................... 2-16

Editing circuits................................................... 2-20

Changing a circuit .............................................. 2-21

Monitoring multiple virtual circuits....................... 2-22

Creating a New Connection Proﬁle................................. 2-24

The Default Proﬁle ....................................................... 2-28

IP parameters (default proﬁle) screen .................. 2-29

Scheduled Connections................................................ 2-29

Viewing scheduled connections........................... 2-30

Adding a scheduled connection........................... 2-31

Set Weekly Schedule.......................................... 2-32

Set Once-Only Schedule ..................................... 2-33

G

iv

Firmware User Guide

Modifying a scheduled connection....................... 2-34

Deleting a scheduled connection......................... 2-34

System Conﬁguration Screens ...................................... 2-35

System conﬁguration features............................. 2-35

IP Setup............................................................ 2-36

Filter Sets ......................................................... 2-36

IP Address Serving............................................. 2-36

Network Address Translation (NAT)...................... 2-36

Stateful Inspection ﬁrewall ................................. 2-37

Date and time ................................................... 2-42

Console Conﬁguration ........................................ 2-43

SNMP (Simple Network Management Protocol)..... 2-43

Security............................................................. 2-43

Upgrade Feature Set .......................................... 2-43

RFC-1483 Transparent Bridging........................... 2-44

Logging ............................................................. 2-46

Chapter 3 — Multiple Network Address Translation ...................3-1

Overview ....................................................................... 3-1

Features ............................................................. 3-2

Supported trafﬁc ................................................. 3-5

Support for Microsoft Network (MSN) Messenger ... 3-5

Support for AOL Instant Messenger (AIM)

File Transfer ........................................................ 3-5

MultiNAT Conﬁguration ................................................... 3-6

Easy Setup Proﬁle conﬁguration ............................ 3-6

Server Lists and Dynamic NAT conﬁguration........... 3-7

IP setup .............................................................. 3-7

Modifying map lists............................................ 3-13

Adding Server Lists...................................................... 3-15

Modifying server lists ......................................... 3-18

Deleting a server ............................................... 3-20

Binding Map Lists and Server Lists ............................... 3-21

Contents v

IP proﬁle parameters.......................................... 3-21

IP Parameters (WAN Default Proﬁle) .................... 3-23

NAT Associations......................................................... 3-25

IP Passthrough ............................................................ 3-27

MultiNAT Conﬁguration Example.................................... 3-31

Chapter 4 — Virtual Private Networks (VPNs)............................4-1

Overview ....................................................................... 4-1

About PPTP Tunnels ....................................................... 4-4

PPTP conﬁguration ............................................... 4-4

About IPsec Tunnels....................................................... 4-7

About ATMP Tunnels....................................................... 4-8

ATMP conﬁguration .............................................. 4-8

Encryption Support ...................................................... 4-10

MS-CHAP V2 and 128-bit strong encryption ......... 4-11

ATMP/PPTP Default Proﬁle............................................ 4-11

VPN QuickView ............................................................ 4-13

Dial-Up Networking for VPN ........................................... 4-14

Installing Dial-Up Networking............................... 4-14

Creating a new Dial-Up Networking proﬁle ............ 4-15

Conﬁguring a Dial-Up Networking proﬁle ............... 4-16

Installing the VPN Client ............................................... 4-17

Windows 95 VPN installation .............................. 4-17

Windows 98 VPN installation .............................. 4-18

Connecting using Dial-Up Networking................... 4-19

Allowing VPNs through a Firewall ................................... 4-19

PPTP example.................................................... 4-20

ATMP example................................................... 4-22

Windows Networking Broadcasts................................... 4-25

G

Chapter 5 — Internet Key Exchange (IKE) IPsec

Key Management for VPNs ...................................5-1

Overview ....................................................................... 5-1

Internet Key Exchange (IKE) Conﬁguration........................ 5-2

vi

Firmware User Guide

Adding an IKE Phase 1 Proﬁle ............................... 5-4

Changing an IKE Phase 1 Proﬁle ........................... 5-8

Key Management........................................................... 5-9

IPsec WAN Conﬁguration Screens ................................. 5-18

IPsec Manual Key Entry................................................ 5-19

VPN Quickview................................................... 5-20

WAN Event History Error Reporting ...................... 5-21

Chapter 6 — IP Setup ...............................................................6-1

IP Setup........................................................................ 6-2

IP subnets........................................................... 6-4

Static routes ....................................................... 6-6

RIP-2 MD5 Authentication............................................. 6-10

Overview ........................................................... 6-10

Authentication conﬁguration................................ 6-10

Connection Proﬁles and Default Proﬁle ................ 6-16

IP Address Serving ...................................................... 6-17

IP Address Pools................................................ 6-20

DHCP NetBIOS Options ...................................... 6-22

More Address Ser ving Options...................................... 6-24

Conﬁguring the IP Address Server options ........... 6-25

DHCP Relay Agent........................................................ 6-30

Connection Proﬁles ...................................................... 6-32

Multicast Forwarding.................................................... 6-34

Chapter 7 — Line Backup .........................................................7-1

External Dial Backup Suppor t ......................................... 7-2

Conﬁguring External Dial Backup ..................................... 7-2

WAN Conﬁguration ......................................................... 7-2

Backup Conﬁguration screen ................................ 7-5

Connection Proﬁles ........................................................ 7-7

Using Scheduled Connections with Backup ...................... 7-8

Management/Statistics................................................ 7-10

QuickView ................................................................... 7-12

Contents vii

Event Logs .................................................................. 7-12

SNMP Support ............................................................ 7-13

Backup Default Gateway............................................... 7-13

Backup Conﬁguration screen .............................. 7-13

IP Setup screen ................................................. 7-15

Backup Management/Statistics .......................... 7-16

QuickView ......................................................... 7-17

Chapter 8 — Voice Conﬁguration............................................... 8-1

Introduction................................................................... 8-1

Explanation of terms ............................................ 8-1

Conﬁguring the Voice Features ........................................ 8-2

Chapter 9 — Monitoring Tools...................................................9-1

Quick View Status Overview............................................ 9-1

General status..................................................... 9-2

Current status ..................................................... 9-3

Status lights........................................................ 9-3

Statistics & Logs ........................................................... 9-4

Event Histories .............................................................. 9-4

IP Routing Table............................................................. 9-7

General Statistics .......................................................... 9-7

System Information........................................................ 9-9

Simple Network Management Protocol (SNMP) - V2c ...... 9-10

Enterprise-speciﬁc SNMP Changes ...................... 9-10

The SNMP Setup screen..................................... 9-11

SNMP traps....................................................... 9-12

G

Chapter 10 — Security ...........................................................10-1

Suggested Security Measures....................................... 10-1

Console Tiered Access – Two Password Levels .............. 10-2

UPnP Support.................................................... 10-2

Superuser conﬁguration ..................................... 10-3

Limited user conﬁguration .................................. 10-4

viii

Firmware User Guide

Advanced Security Options ................................. 10-5

User access password ....................................... 10-7

User menu differences....................................... 10-8

User Accounts ........................................................... 10-15

Telnet Access ............................................................ 10-17

About Filters and Filter Sets........................................ 10-18

What’s a ﬁlter and what’s a ﬁlter set? ............... 10-18

How ﬁlter sets work ......................................... 10-18

How individual ﬁlters work ................................ 10-20

Design guidelines ............................................ 10-25

Working with IP Filters and Filter Sets.......................... 10-26

Adding a ﬁlter set............................................. 10-27

Deleting a ﬁlter set .......................................... 10-31

A sample ﬁlter set............................................ 10-31

Policy-based Routing using Filtersets........................... 10-34

TOS ﬁeld matching........................................... 10-35

Firewall Tutorial ......................................................... 10-37

General ﬁrewall terms ...................................... 10-37

Basic IP packet components............................. 10-37

Basic protocol types......................................... 10-37

Firewall design rules ........................................ 10-38

Filter basics..................................................... 10-40

Example ﬁlters................................................. 10-41

Conﬁguration Management ......................................... 10-44

TFTP and X-Modem........................................... 10-47

Call Filtering .............................................................. 10-48

Chapter 11 — Utilities and Diagnostics ...................................11-1

Ping ............................................................................ 11-2

Trace Route................................................................. 11-4

Telnet Client ................................................................ 11-5

Factory Defaults .......................................................... 11-6

Transferring Conﬁguration and Firmware Files with TFTP.. 11-6

Contents ix

Updating ﬁrmware .............................................. 11-7

Downloading conﬁguration ﬁles ........................... 11-8

Uploading conﬁguration ﬁles ............................... 11-9

Transferring Conﬁguration and Firmware Files

with XMODEM.............................................................. 11-9

Updating ﬁrmware ............................................ 11-10

Downloading conﬁguration ﬁles ......................... 11-11

Uploading conﬁguration ﬁles ............................. 11-11

Restarting the System ............................................... 11-12

T1 Line Statistics and Diagnostics .............................. 11-12

Appendix A — Troubleshooting..................................................A-1

Conﬁguration Problems .................................................. A-1

Console connection problems ............................... A-2

Network problems................................................ A-2

How to Reset the Router to Factory Defaults.................... A-3

Power Outages .............................................................. A-3

Technical Support .......................................................... A-4

How to reach us .................................................. A-4

G

Appendix B — Understanding IP Addressing ..............................B-1

What is IP?.................................................................... B-1

About IP Addressing ....................................................... B-1

Subnets and subnet masks .................................. B-2

Example: Using subnets on a Class C IP internet ... B-3

Example: Working with a Class C subnet................ B-5

Distributing IP Addresses ............................................... B-5

Technical note on subnet masking ........................ B-6

Conﬁguration ....................................................... B-7

Manually distributing IP addresses ........................ B-8

Using address serving.......................................... B-8

Tips and rules for distributing IP addresses ........... B-9

Nested IP Subnets....................................................... B-11

Broadcasts.................................................................. B-14

x

Firmware User Guide

Packet header types .......................................... B-14

Appendix C — Binary Conversion Table......................................C-1

Index

Introduction 1-1

CCCChhhhaaaapppptttteeeerrrr 11

IIIInnnnttttrrrroooodddduuuuccccttttiiiioooonn

This

Firmware User Guide

Your Netopia equipment offers advanced conﬁguration features in addition to Easy Setup. The advanced feature screens are accessed through the Main Menu of the console conﬁguration screen. This documents the advanced features, including advanced testing, security, monitoring, and conﬁguration features. This

Firmware User Guide

Netopia Router

Started

Note:

for the current release, Netopia Firmware Version 5.4. Such descriptions supersede the descriptions of the corresponding features given in the original

guide before reading this

This

11

nn

covers the advanced features of the Netopia 4000-Series Router and IAD families.

Firmware User Guide

should be used as a companion to the Easy Setup conﬁguration instructions in the

Getting Started

Guide

also includes descriptions of new features and changes to the functionality of the ﬁrmware

guide or the applicable

Firmware User Guide

User’s Reference Guide

.

, if any, accompanying your product.

. You should read the

Getting

What’s New in Netopia Firmware Version 5.4

New in Netopia Firmware Version 5.4 are the following features:

Multiple Data Link Encapsulation support on ATM-based WAN interfaces

■

See “Multiple Data Link Encapsulation Settings” on page 2-25.

Stateful Inspection Firewall

■

See “Stateful Inspection ﬁrewall” on page 2-37.

■

IP Passthrough support

See “IP Passthrough” on page 3-27.

■

Universal Plug-and-Play support (UPnP™)

See “UPnP Support” on page 10-2.

1-2 Firmware User Guide

Console-based Management

Console-based management is a fast menu-driven interface for the capabilities built into the Netopia Firmware Version 5.4. Console-based management provides access to a wide variety of features that the router suppor ts. You can customize these features for your individual setup. This chapter describes how to access the console-based management screens.

This section covers the following topics:

■

“Netopia Console Menus” on page 1-2

“Netopia Models” on page 1-3

■

“Connecting through a Telnet Session” on page 1-4

■

“Connecting a Console Cable to your Equipment” on page 1-5

■

“Navigating through the Console Screens” on page 1-7

Netopia Console Menus

Console-based management screens contain the main entry points to the Netopia Firmware Version 5.4 conﬁguration and monitoring features. The entry points are displayed in the Main Menu shown below:

Netopia Data Router Netopia IAD

Netopia Router

Easy Setup...

WAN Configuration...

System Configuration...

Utilities & Diagnostics...

Statistics & Logs...

Quick Menus...

Quick View...

Return/Enter goes to Easy Setup -- minimal configuration. You always start from this main screen.

The

■

Easy Setup

menus display and permit changing the values contained in the default connection proﬁle.

Netopia IAD

Easy Setup...

WAN Configuration...

System Configuration...

Voice Configuration...

Utilities & Diagnostics...

Statistics & Logs...

Quick Menus...

Quick View...

Return/Enter goes to Easy Setup -- minimal configuration. You always start from this main screen.

You can use Easy Setup to initially conﬁgure the router directly through a console session.

Easy Setup menus contain up to ﬁve descendant screens for viewing or altering these values. The number of screens depends on whether you have optional features installed.

The

Getting Started

■

The

WAN Conﬁguration

manual describes the Easy Setup menus to get you up and running quickly.

menu displays and permits changing your connection proﬁle(s), Vir tual Private

Networks (VPNs) and default proﬁle, creating or deleting additional connection proﬁles, and conﬁguring or

Introduction 1-3

reconﬁguring the manner in which you may be using the router to connect to more than one ser vice provider or remote site. See “WAN Conﬁguration,” beginning on page 2-1. See also Chapter 4, “Virtual

Private Networks (VPNs).”

The

■

System Conﬁguration

menus display and permit changing:

• IP Setup • Filter Sets • IP Address Serving

• Network Address Translation (NAT) • Stateful Inspection • Date and Time

• Console Conﬁguration • SNMP (Simple Network

• Security

Management Protocol)

• Upgrade Feature Set • Change Device to a Bridge • Logging

See “System Conﬁguration Screens,” beginning on page 2-35.

■

For IADs, the

Voice Conﬁguration

menus provide the tools for conﬁguring the voice telephone features

available in Netopia Firmware Version 5.4. See Chapter 8, “Voice Conﬁguration.”

The

■

Utilities & Diagnostics

menus provide a selection of seven tools for monitoring and diagnosing the router's behavior, as well as for updating the ﬁrmware and rebooting the system. See Chapter 11, “Utilities

and Diagnostics.”

■

The

Statistics & Logs

menus display nine sets of tables and device logs that show information about your

router, your network, and their history. See “Statistics & Logs,” beginning on page 9-4.

The

■

Quick Menus

screen is a shortcut entry point to the most commonly used conﬁguration menus that

are accessed through the other menu entr y points.

■

The

Quick View

menu displays at a glance current real-time operating information about your router. See

“Quick View Status Overview” on page 9-1.

Netopia Models

This

Firmware User Guide

information in this guide will only apply to a speciﬁc model.

Screen differences

Because different Netopia 4000-Series models offer many different features and interfaces, the options shown on some screens in this

These differences are noted throughout the manual.

covers all of the Netopia 4000-Series Router and IAD models. However some

Firmware User Guide

may not appear on your own particular model’s console screen.

1-4 Firmware User Guide

Connecting through a Telnet Session

Features of the Netopia Firmware Version 5.4 can be conﬁgured through the console screens.

Before you can access the console screens through Telnet, you must have:

A network connection locally to the router or IP access to the router.

■

Note:

Alternatively, you

may

have a direct serial console cable connection using a provided console cable and the Console port on the back of the router. Some models do not have a console port. For more information on attaching the console cable, see “Connecting a Console Cable to your Equipment” on page 1-5.

Telnet software installed on the computer you will use to conﬁgure the router

■

Conﬁguring Telnet software

If you are conﬁguring your device using a Telnet session, your computer must be running a Telnet software program.

■

If you connect a PC with Microsoft Windows, you can use a Windows Telnet application or simply run Telnet from the Start menu.

If you connect a Macintosh computer, you can use the NCSA Telnet program supplied on the Netopia CD.

■

You install NCSA Telnet by simply dragging the application from the CD to your hard disk. Mac OS X users can run Telnet in the Terminal application, found in the Mac OS X Utilities folder.

Introduction 1-5

Connecting a Console Cable to your Equipment

Many Netopia models include a serial console port labeled “Console” on the back panel. You can perform all of the system conﬁguration activities for your Netopia equipment through a local serial console connection, if available, using terminal emulation software, such as HyperTerminal provided with Windows 95, 98, 2000, or NT on the PC, or ZTerm, included on the Netopia CD, for Macintosh computers.

You attach the Netopia device to either a PC or Macintosh computer via the serial port on the computer. (On a Macintosh computer, the serial port is called the Modem por t or Printer por t. Since Macintosh computers have different serial bus connectors, you may need a USB-to-DB-9 or USB-to-serial adapter. These are available from a variety of third-party manufacturers.) This connection lets you use the computer to conﬁgure and monitor the Router via the console screens.

Example back panel

DSL

4321

Ethernet

Console Power

Console connection port

DB-9 (male)

To connect to your computer for serial console communication, use a console cable appropriate to your platform:

A DB-9 connector end attaches to a PC.

■

A DB-9 end of the Console cable attaches to the Console port.

If you connect a PC with Microsoft Windows 95, 98, 2000, or NT, you can use the HyperTerminal

■

application bundled with the operating system.

■

If you connect a Macintosh computer, you can use the ZTerm terminal emulation program on the supplied Netopia CD.

1-6 Firmware User Guide

Launch your terminal emulation software and conﬁgure the communications software for the values shown in the table below. These are the default communication parameters that the Netopia Firmware Version 5.4 uses.

Parameter Suggested Value

Terminal type

PC

: ANSI-BBS

Mac

: ANSI, VT-100, or VT-200

Data bits 8

Parity None

Stop bits 1

Speed 9600 - 57600 bits per second

Flow Control None

Note:

The router ﬁrmware contains an autobaud detection feature. If you are at any screen on the serial console, you can change your baud rate and press Return (HyperTerminal for the PC requires a disconnect). The new baud rate is displayed at the bottom of the screen.

Introduction 1-7

Navigating through the Console Screens

Use your keyboard to navigate the Netopia Firmware Version 5.4’s conﬁguration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the console screens.

To... Use These Keys...

Move through selectable items in a screen or pop-up menu Up, Down, Left, and Right Arrow

Set a change to a selected item or open a pop-up menu of options for a selected item like entering an upgrade key

Change a toggle value (Yes/No, On/Off) Tab

Restore an entry or toggle value to its previous value Esc

Move one item up Up arrow or Control + K

Move one item down Down arrow or Control + O

Display a dump of the device event log Control + E

Display a dump of the WAN event log Control + F

Refresh the screen Control + L

To help you ﬁnd your way to particular screens, some sections in this guide begin with a graphical path guide similar to the following example:

Main

Menu

System

Configuration

Return or Enter

IP Setup

This particular path guide shows how to get to the Network Protocols Setup screens. The path guide represents these steps:

1. Beginning in the Main Menu, select System Conﬁguration and press Return. The System Conﬁguration screen appears.

2. Select IP Setup and press Return. The IP Setup screen appears.

To go back in this sequence of screens, use the Escape key.

1-8 Firmware User Guide

WAN and System Conﬁguration 2-1

CCCChhhhaaaapppptttteeeerrrr 22

WWWWAAAANNNN aaaannnndddd SSSSyyyysssstttteeeemmmm CCCCoooon

This chapter describes how to use the console-based management screens to access and conﬁgure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their router’s connection proﬁles and system conﬁguration.

This section covers the following topics:

■ “WAN Conﬁguration” on page 2-1

■ “ADSL Line Conﬁguration screen” on page 2-2

■ “SDSL/IDSL Conﬁguration screen” on page 2-3

■ “G.SHDSL Line Conﬁguration screen” on page 2-6

■ “T1 Line Conﬁguration screen” on page 2-7

■ “Frame Relay Conﬁguration” on page 2-9

■ “Multiple ATM Permanent Virtual Circuits” on page 2-16

22

nnnffffiiiigggguuuurrrraaaattttiiiioooonn

nn

■ “Creating a New Connection Proﬁle” on page 2-24

■ “The Default Proﬁle” on page 2-28

■ “Scheduled Connections” on page 2-29

■ “System Conﬁguration Screens” on page 2-35

WAN Conﬁguration

To conﬁgure your Wide Area Network (WAN) connection, navigate to the WAN Conﬁguration screen from the Main Menu and select WAN (Wide Area Network) Setup.

Main

Menu

The Line Conﬁguration screen appears. The Line Conﬁguration screen will be appropriate to the type of WAN interface supported by your particular router model.

WAN

Configuration

WAN

Setup

2-2 Firmware User Guide

ADSL Line Conﬁguration screen

The ADSL Line Conﬁguration screen is shown below:

ADSL Line Configuration

Circuit Type... Multimode Trellis Coding Enabled: On

Signaling Mode... FDM Fast Retrain Enabled: On

Data Link Encapsulation... RFC1483

1. Select Circuit Type and from the pop-up menu choose the type of circuit to which you will be connecting: Multimode, T1.413, G.dmt/G.lite, or ADI.

2. Select Trellis Coding Enabled. Toggle it to On (the default) or Off.

3. Select Signaling Mode and choose Echo Cancellation or FDM (the default).

4. If you selected Multimode Circuit Type, the Fast Retrain Enabled ﬁeld appears. Toggle it to On (the default) or Off.

5. Select Data Link Encapsulation and press Return. The pop-up menu will offer you the choice of PPP or RFC1483.

6. Press Escape to return to the WAN Conﬁguration screen.

For multiple permanent vir tual circuit (PVC) conﬁgurations, see “Multiple ATM Permanent Vir tual Circuits” on

page 2-16.

SDSL/IDSL Conﬁguration screen

The SDSL/IDSL Line Conﬁguration screen is shown below:

Data Link Encapsulation... PPP PPP Mode... VC Multiplexed

WAN and System Conﬁguration 2-3

Return/Enter to select <among/between> ... Enter Information supplied to you by your telephone company.

■ Select a Line Type from the pull-down menu. You can choose SDSL-ATM, SDSL-HDLC, IDSL, or IDSL-CM.

For IDSL connections, choose IDSL if your service provider uses most common central ofﬁce equipment; choose IDSL-CM if your service provider uses Copper Mountain equipment. If you choose either IDSL type, the router must reboot and you will see a warning screen to conﬁrm your choice.

IDSL conﬁguration offers different options. See “IDSL Line Conﬁguration screen” on page 2-5.

■ The Operation Mode pull-down menu allows you to select the type of SDSL-ATM DSLAM to which you will be

connecting: Generic, Lucent, Nokia EOC Fast, Nokia Fixed, Paradyne, Nortel UE IMAS or Newbridge.

2-4 Firmware User Guide

Data Link Encapsulation... RFC1483 RFC1483 Mode... Routed 1483

Some of these selections will reset the defaults for the remaining options in this screen. You will be challenged to conﬁrm your choice. The SDSL-HDLC and IDSL Line Types do not offer these choices.

■ The Data Rate Mode pull-down menu allows you to select either Hunt or Locked mode.

■ If you choose Hunt, the router will cycle through the speeds available and attempt to connect at the

highest available speed. This hunt will take a few minutes. When a negotiated speed is determined, the router will remember that speed and use it as the star ting point for the next time a connection is attempted.

■ If you choose Locked, the Data Rate you select in the next menu will always be used.

■ The Data Rate pull-down menu allows you to select the data rate for your connection. This is usually

assigned by your Service provider.

■ Your Data Link Encapsulation may be either PPP or RFC1483, as assigned by your Service Provider.

■ If you are using PPP, the PPP Mode menu offers either VC Multiplexed or LLC SNAP.

■ If you are using RFC1483, the RFC1483 Mode menu offers either Bridged 1483 or Routed 1483.

Bridged 1483 displays a PPP over Ethernet (PPPoE) toggle item that can be toggled either On or Off.

IDSL Line Conﬁguration screen

The IDSL Line Conﬁguration screen is shown below:

IDSL Line Configuration

Line Type... IDSL

Data Rate (kbps)... 144 (2B+D)

Data Link Encapsulation... PPP

WAN and System Conﬁguration 2-5

Return/Enter to select <among/between> ... Enter information supplied to you by your ISDN phone company.

■ For IDSL lines, the Data Rate (kbps) pull-down menu offers 64 (B1), 64 (B2), 128 (B1+B2), or 144

(2B+D).

■ The Data Link Encapsulation pull-down menu offers PPP, HDLC, or Frame Relay.

■ If you are using Frame Relay, a PPP over Frame Relay Enabled option appears and allows you to tog-

gle it either On or Off.

■ If you enable PPP over Frame Relay, the DLCI and LMI ﬁelds appear.

The DLCI ﬁeld is editable; the default is 16. The LMI pull-down menu offers the choices None, ANSI (Annex D), CCITT (Annex A), or LMI.

2-6 Firmware User Guide

G.SHDSL Line Conﬁguration screen

The G.SHDSL Line Conﬁguration screen is shown below:

DSL Line Configuration

Regional Setting... Annex A

Cell Format... Scrambled Unused Cell Format... Idle

Data Link Encapsulation... RFC1483 RFC1483 Mode... Bridged 1483 PPP over Ethernet (PPPoE): Off

Each access concentrator (DSLAM) has a different set of defaults and other parameters.

Your service provider should supply you with the appropriate information about the type and capabilities of the access concentrator equipment they use.

■ Select Regional Setting and from the pop-up menu select either Annex A or Annex B. North American users

select Annex A; non-North American users select Annex B.

■ Select Cell Format and from the pop-up menu select either Scrambled (the default) or Unscrambled. This

setting must match the format used by your ser vice provider. Scrambled is the most common, so you probably do not need to change it unless your provider speciﬁcally tells you to do so.

■ Select Unused Cell Format and from the pop-up menu select either Idle (the default) or Empty. This setting

must match the format used by your ser vice provider. Idle is the most common, so you probably do not need to change it unless your provider speciﬁcally tells you to do so.

■ Select Data Link Encapsulation and from the pop-up menu choose your DLE.

■ If you selected RFC1483, the next pop-up menu RFC1483 Mode offers the choice of Bridged 1483 or

Routed 1483. If you select Bridged 1483, a new option PPP over Ethernet (PPPoE) appears. You can then toggle PPPoE On or Off. Choosing Routed 1483 hides the PPPoE option.

■ If you selected PPP, the next pop-up menu PPP Mode offers the choice of VC Multiplexed or LLC SNAP.

T1 Line Conﬁguration screen

The T1 Line Conﬁguration screen is shown below:

T1 Line Configuration

Operation Mode... HDLC Line Encoding... B8ZS Framing Mode... ESF Transmit ANSI PRMs: No AutoDetect DS0 Channels: No Number of DS0 Channels: 1 First DS0 Channel: 1

Buildout (-dB)... 0-0.6 Channel Data Rate... Nx64k

Data Link Encapsulation... Frame Relay PPP over Frame Relay Enabled: Off

WAN and System Conﬁguration 2-7

Return/Enter goes to new screen. Enter Information supplied to you by your telephone company.

■ Select Operation Mode and press Return. From the pop-up menu, highlight the mode your telephone

service provider uses: HDLC (Cisco), CM-HDLC (Copper Mountain), or ATM. The default setting is HDLC. Press Return.

■ Select Line Encoding and press Return. From the pop-up menu, highlight the encoding your telephone

service provider uses: B8ZS or AMI. The default setting is B8ZS. Press Return.

■ Select Framing Mode and press Return. From the pop-up menu, highlight either ESF or D4, depending on

the framing mode that your telephone service provider advises you to use. The default setting is ESF. Press Return.

■ If you selected ESF framing mode, toggle Transmit ANSI PRMs either No (the default) or Yes. If you

selected D4 framing mode, this option is not available.

■ Select AutoDetect DS0 Channels. Netopia routers whose model number ends in “-T” may be able to use

the auto detection feature. Toggle this item to Yes if your service provider uses equipment that supports DS0 channel auto detection. Otherwise accept the default No.

■ Select Number of DS0 Channels and enter the number of DS0 channels that you and your telephone

service provider have determined are necessary for your T1 line. The default setting for DS0 Channels is 1 (one). Press Return.

Note: Each DS0 channel represents a 56k or 64k increment in bandwidth. Selecting a number less than the maximum of 24 speciﬁes a fractional T1 interface.

For fractional T1, you can also specify in the check box whether the DS0 channels are contiguous or alternating.

■ Select First DS0 Channel and enter the number of the ﬁrst active DS0 channel you will be using. The

2-8 Firmware User Guide

default setting is 1 (one). Press Return.

Note: You can change the First DS0 Channel number, which has a valid range from one to the maximum number minus the number of active channels. If the number of active DS0 channels is 24 (maximum), First DS0 Channel is hidden.

If you specify a number of DS0 channels less than the maximum, a Contiguous Channels item appears. For fractional-T1, you can specify whether the DS0 channels are contiguous or alternating by toggling Contiguous Channels to Yes or No.

■ Select Buildout (-dB) and press Return. From the pop-up menu, highlight the line buildout, which is the

transmit attenuation of the line that you will be using. The choices in the menu include Auto, 0-0.6, 7.5,

15.0, 22.5, and None. The default setting is 0-0.6. Press Return.

If Automatic is chosen, the attenuation of the transmission will be set to match the receiving signal level.

■ Select Channel Data Rate and highlight the data rate speciﬁed by your service provider. The channel data

rate choices are Nx56k or Nx64k. The default is Nx64k. Press Return.

■ Select Data Link Encapsulation and highlight the method of encapsulation that you want to use from the

pop-up menu. The choices offered are PPP, HDLC (Cisco), RFC 1483, and Frame Relay. The default setting is Frame Relay. Press Return.

The screen will offer different options depending on your selection.

T1 Line Configuration

Operation Mode... Normal Line Encoding... B8ZS Framing Mode... ESF

Number of DS0 Channels: 1 First DS0 Channel: 1

Channel Data Rate... Nx64k

Data Link Encapsulation... Frame Relay PPP over Frame Relay Enabled: On DLCI: 16 LMI: None

TO MAIN MENU NEXT SCREEN

Return/Enter takes you back to previous screen. Enter Information supplied to you by your telephone company.

RFC 1483 Options

T1 Line Configuration

Operation Mode... Normal Line Encoding... B8ZS Framing Mode... ESF

Number of DS0 Channels: 1 First DS0 Channel: 1

T1 Line Configuration

Operation Mode... Normal Line Encoding... B8ZS Framing Mode... ESF

Number of DS0 Channels: 1 First DS0 Channel: 1

Channel Data Rate... Nx64k

Data Link Encapsulation... PPP PPP Mode... VC Multiplexed

TO MAIN MENU NEXT SCREEN

Return/Enter takes you back to previous screen. Enter Information supplied to you by your telephone company.

ATM Operation Mode Options

T1 Line Configuration

Operation Mode... ATM Line Encoding... B8ZS Framing Mode... ESF

Number of DS0 Channels: 1 First DS0 Channel: 1

PPP OptionsFrame Relay Options

Channel Data Rate... Nx64k

Data Link Encapsulation... RFC1483 RFC1483 Mode... Bridged 1483 PPP over Ethernet (PPPoE): Off

TO MAIN MENU NEXT SCREEN

Return/Enter goes to new screen. Enter Information supplied to you by your telephone company.

Data Link Encapsulation... RFC1483 RFC1483 Mode... Bridged 1483 PPP over Ethernet (PPPoE): Off Data Circuit VPI (0-255): 0 Data Circuit VCI (32-65535): 35

TO MAIN MENU NEXT SCREEN

Return/Enter goes to new screen. Enter Information supplied to you by your telephone company.

WAN and System Conﬁguration 2-9

Note: If you used Easy Setup to conﬁgure your router, you have already created a connection proﬁle called Easy Setup Proﬁle. If you return to the Easy Setup menus and change the Data Link Encapsulation method you set up in this step, the Easy Setup Data Link Encapsulation method will override this one and change the default data link encapsulation method in use.

You are now ﬁnished conﬁguring the Line Conﬁguration screen. Press the Escape key to return to the WAN Conﬁguration screen.

Note: If you selected Frame Relay as your data link encapsulation method, see “Frame Relay Conﬁguration”

on page 2-9 for more information.

Frame Relay Conﬁguration

If you chose Frame Relay as your data link encapsulation type you can now conﬁgure the Frame Relay options from the WAN Conﬁguration menu.

WAN Configuration

WAN (Wide Area Network) Setup...

Display/Change Connection Profile... Add Connection Profile... Delete Connection Profile...

Default Profile...

Frame Relay Configuration... Frame Relay DLCI Configuration...

Return/Enter for WAN line configuration. From here you will configure yours and the remote sites' WAN information.

From the WAN Conﬁguration screen, select WAN Setup, then select the Frame Relay Conﬁguration option and press Return. The Frame Relay Conﬁguration screen appears.

2-10 Firmware User Guide

Frame Relay Configuration

LMI Type... ANSI (Annex D) T391 (Polling Interval in secs): 10 N391 (Polls/Full Status Cycles): 6 N392 (Error Threshold): 3 N393 (Monitored Event Window): 4

Tx Injection Management... Standard Default CIR: 64000 Default Bc: 64000 Default Be: 0

Congestion Management Enabled: No

Maximum Tx Frame Size: 1520

Return/Enter goes to new screen. Enter Information supplied to you by your telephone company.

1. Select LMI Type (Link Management Type) and press Return. From the pop-up menu, highlight either ANSI (Annex D), CCITT (Annex A), LMI, or None. The default is None. Press Return.

See “Frame Relay DLCI conﬁguration” on page 2-11 for instructions.

Specifying the Link Management Type is the ﬁrst step in conﬁguring Frame Relay.

■ If you select an LMI Type (Link Management Type) other than None, the T391 option speciﬁes the

number of seconds between the Status Enquiry messages. The default setting is 10.

■ The N391 option speciﬁes the frequency of full status polls, in increments of the basic (T391) polling

cycle. The default setting is 6.

■ The N392 option speciﬁes the maximum number of (link reliability, protocol, and sequence number)

error events that can occur within the N393 sliding window. If an N392 threshold is exceeded, the switch declares the Netopia Router inactive. The default setting is 3.

■ The N393 option allows the user to specify the width of the sliding N392 monitored event window. The

default setting is 4.

2. Select Tx Injection Management and press Return. From the pop-up menu, highlight Standard if you want the frames on your line that exceed the conﬁgured service parameters to be dropped at the router, Buffered if you want the frames on your line that exceed the link capacity to be delayed until the link is less busy, or None if you want all of the frames on your line to be transmitted. Press Return.

Note: If you select None as the Tx Injection Management type, the three Tx Injection Management options listed below will remain hidden. Go to step 4.

If you select Standard or Buffered as the Tx Injection Management type, then the Default CIR, Bc, and Be values will appear (in the corresponding ﬁelds below the Tx Injection Management ﬁeld) in order for you to deﬁne the parameters of the management algorithm.

■ The Default CIR (CIR also referred to as Committed Information Rate) represents the average capacity

available to a given PVC (Permanent Vir tual Circuit) or DLCI (Data Link Connection Identiﬁer). This set-

WAN and System Conﬁguration 2-11

ting defaults to 64000, but you may modify the capacity rate if this setting will not be applicable to you.

■ The Default Bc (Bc also referred to as Committed Burst Size) represents the maximum amount of data

that your Frame Relay service provider agrees to transfer from a given PVC (Permanent Virtual Circuit) or DLCI (Data Link Connection Identiﬁer). This setting defaults to 64000, but you may change the capacity rate if necessary.

■ The Default Be (Be also referred to as Excess Burst Size) represents the maximum amount of data

that your Frame Relay service provider will attempt to deliver to a given PVC (Permanent Vir tual Circuit) or DLCI (Data Link Connection Identiﬁer). This setting defaults to 0, but you may change the capacity rate if necessary.

Note: Some Frame Relay service providers allow for over-subscription of the DLCIs, which occurs when the total number of CIRs for all PVCs exceeds the line rate setup.

3. Select Congestion Management Enabled and toggle to Yes or No depending on whether you use this selection. Press Return.

If Congestion Management is enabled, this option causes the Netopia Router to use in-bound FECNs (Forward Explicit Congestion Notiﬁcation). This feature is designed to notify you that congestion avoidance procedures should be initiated where applicable for traf ﬁc in the same direction as the received frame. It indicates that the frame in question has encountered congested resources.

Note: The Congestion Management Enabled ﬁeld will only appear if Standard or Buffered is selected as the option from the Tx Injection Management ﬁeld.

4. Select Maximum Tx Frame Size and press Return. The default is automatically set to a value suitable for encapsulating a full Ethernet packet’s transmission load; however you can change the Maximum Frame Size to suit your network’s transmission load. Press Return.

You are now ﬁnished conﬁguring the Frame Relay Conﬁguration screen. Press the Escape key to return to the WAN Conﬁguration screen. If you need to conﬁgure your DLCIs, go to the next section.

Frame Relay DLCI conﬁguration

If you selected None as your LMI Type then you will need to manually conﬁgure your DLCIs.

A Frame Relay DLCI is a set of parameters that tells the Netopia Router how to initially connect to a remote destination.

The Netopia Router supports up to 16 different Frame Relay DLCI proﬁles.

Each Frame Relay DLCI conﬁguration you set up allows the Netopia Router to connect your network to another network that uses IP over Frame Relay.

2-12 Firmware User Guide

To go to the Frame Relay DLCI conﬁguration screen, select Frame Relay DLCI Conﬁguration in the WAN Conﬁguration screen.

Frame Relay DLCI Configuration

Display/Change DLCIs...

Add DLCI...

Delete DLCI...

Add, delete, and modify DLCIs from here.

Displaying a Frame Relay DLCI conﬁguration table

To display a view-only table of the Frame Relay DLCIs, select Display/Change DLCIs in the Frame Relay DLCI Conﬁguration screen, and press Return.

The Frame Relay DLCI Conﬁguration table is a handy way to quickly view the DLCI names and DLCI numbers that you attribute to your Frame Relay proﬁles.

Frame Relay DLCI Configuration +-DLCI Name----------DLCI Number-+ +--------------------------------+ | | | DLCI 16 16 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +--------------------------------+

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

WAN and System Conﬁguration 2-13

Changing a Frame Relay DLCI conﬁguration

To modify a Frame Relay DLCI conﬁguration, select Display/Change DLCIs in the Frame Relay DLCI Conﬁguration screen.

Select a DLCI Name from the table and press Return to go to the Change DLCI screen. The parameters in this screen are the same as the parameters in the Add DLCI screen. To ﬁnd out how to set them, see “Adding a

Frame Relay DLCI conﬁguration” on page 2-14.

Change DLCI

DLCI Name: DLCI 33

DLCI Enabled: Yes

DLCI Number (16-991): 32

Remote IP Address: 2.0.0.2

2-14 Firmware User Guide

Adding a Frame Relay DLCI conﬁguration

To add a new Frame Relay DLCI, select Add DLCI in the Frame Relay DLCI Conﬁguration screen and press Return. The Add DLCI screen appears.

Add DLCI

DLCI Name: DLCI 16

DLCI Enabled: Yes

DLCI Number (16-991): 16

Remote IP Address: 0.0.0.0

Data Flow Parameters---------------Use Default---------Value--- CIR: Yes Bc: Yes Be: Yes

ADD DLCI NOW CANCEL

Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Here you configure the parameters for a single DLCI (Data Link Circuit ID).

1. Select DLCI Name and enter a name for this individual Frame Relay DLCI proﬁle. It can be any name you want. For example: the name of your ISP or remote branch you’re connecting to such as the corporate headquarters of your company.

Note: The Netopia Router allows Frame Relay DLCIs to be named, so that you can easily reference and differentiate them. This is accomplished by giving a DLCI Name to a DLCI Number.

2. Select DLCI Enabled and toggle it to Yes to activate the proﬁle. If you disable this proﬁle, the Netopia Router will automatically disable and block access to a speciﬁc remote DLCI.

3. Select DLCI Number (16-991) and enter a number for this individual DLCI. Check with your Frame Relay provider to ﬁnd out what numbers are allocated for each of your DLCI proﬁles. The DLCI number range should fall within the range of 16-991.

4. Select Remote IP Address and enter the remote IP address your ISP or network administrator gave you that represents the remote sites IP address for their router. Press Return.

If you selected Standard or Buffered as the Tx Injection Management type in the Frame Relay Conﬁguration screen go to the next bulleted item below. If you selected None in the Frame Relay Conﬁguration screen go to step 6.

Below the Remote IP Address ﬁeld, the following Data Flow Parameters appear:

■ The CIR (Committed Information Rate) represents the average capacity available to a given PVC (Per-

manent Virtual Circuit) or DLCI (Data Link Connection Identiﬁer). The setting defaults to 64000, but you may modify the capacity rate by toggling the selection in the Use Default ﬁeld to No. You can then enter a different capacity rate in the Value ﬁeld.

■ The Bc (Committed Burst Size) represents the maximum amount of data that your Frame Relay service

WAN and System Conﬁguration 2-15

provider agrees to transfer from a given PVC (Permanent Virtual Circuit) or DLCI (Data Link Connection Identiﬁer). The setting defaults to 64000, but you may modify the committed burst size by toggling the selection in the Use Default ﬁeld to No. You can then enter a dif ferent committed burst size in the Value ﬁeld.

■ The Be (Excess Burst Size) represents the maximum amount of data that your Frame Relay ser vice

provider will attempt to deliver to a given PVC (Permanent Vir tual Circuit) or DLCI (Data Link Connection Identiﬁer). The setting defaults to 0, but you may modify the excess burst size by toggling the selection in the Use Default ﬁeld to No. You can then enter a different excess burst size in the Value ﬁeld.

Note: Some Frame Relay service providers allow for over-subscription of the DLCIs, which occurs when the total number of CIRs for all PVCs exceeds the line rate setup.

5. Select ADD DLCI NOW to save the current static Frame Relay DLCI proﬁle that you have just entered, and press Return to go back to the Frame Relay DLCI Conﬁguration screen. Alternately, you can cancel the Frame Relay DLCI proﬁle you have just created by selecting CANCEL to exit the Add DLCI screen.

Deleting a Frame Relay DLCI conﬁguration

To delete a Frame Relay DLCI conﬁguration, select Delete DLCI in the Frame Relay DLCI Conﬁguration screen and press Return to display the Frame Relay DLCI conﬁguration table.

Frame Relay DLCI Configuration +-DLCI Name----------DLCI Number-+ +--------------------------------+ | joe 16 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | | | Are you sure you want to delete this DLCI? | | | | CANCEL CONTINUE | | | | | +------------------------------------------------------------------------+ | | | | | | | | | | | | +--------------------------------+

1. Highlight the Frame Relay DLCI conﬁguration you wish to delete. Press Return.

2. A Frame Relay DLCI Conﬁguration table appears with a prompt asking you if you want to delete the connection proﬁle you have just highlighted. Select CONTINUE if you wish to delete this DLCI or CANCEL if you do not.

You are now ﬁnished conﬁguring the Frame Relay DLCI Conﬁguration screen.

2-16 Firmware User Guide

Multiple ATM Permanent Virtual Circuits

The Netopia Firmware Version 5.4 supports up to eight permanent virtual circuits.

Multiple ATM PVC overview

On cell-based DSL WAN interfaces, the ATM connection between the device and the central ofﬁce equipment (DSLAM) is divided logically into one or more virtual circuits (VCs). A vir tual circuit may be either a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). Netopia devices suppor t PVCs.

VCs are identiﬁed by a Virtual Path Identiﬁer (VPI) and Virtual Channel Identiﬁer (VCI). A VPI is an 8-bit value between 0 and 255, inclusive, while a VCI is a 16-bit value between 0 and 65535, inclusive.

■ Circuits now support attributes in addition to their VPI and VCI values. When conﬁguring a circuit, you can

specify an optional circuit name of up to 14 characters. The circuit name is used only to identify the circuit for management purposes as a convenience to aid in selecting circuits from lists. The default circuit name is “Circuit <n>”, where <n> is some number between one and eight corresponding to the circuit’s position in the list of up to eight circuits.

■ You can also individually enable or disable a circuit without deleting it. This is useful for temporarily

removing a circuit without losing the conﬁgured attributes.

■ In order to function, each circuit must be bound to a Connection Proﬁle or to the Default Proﬁle. Among

other attributes, the proﬁle binding speciﬁes the IP addressing information for use on the circuit. Each circuit must be bound to a distinct Connection Proﬁle. You cannot bind multiple circuits to the same Connection Proﬁle.

Multiple ATM PVC conﬁguration

ATM VPI/VCI Autodetection. You can bind multiple circuits to the same Connection Proﬁle. Netopia Firmware Version 5.4 allows you to have a standard conﬁguration that uses, for example, four VCs (0/35, 0/38, 8/35, 8/38) pointing to the same proﬁle.

The unit will now automatically select the active VC on networks with a VPI/VCI of any of these four values without any custom conﬁguration of the unit. You must, however, manually create these VCs and associate them with the proﬁle you desire.

You conﬁgure Virtual Circuits in the Add/Change Circuit screen.

Main

Menu

WAN

Configuration

ATM Circuits

Configuration

WAN and System Conﬁguration 2-17

ATM Circuits Configuration

Show/Change Circuit... Add Circuit... Delete Circuit...

3. To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears.

Add Circuit

Circuit Name: Circuit 2

Circuit Enabled: Yes

Circuit VPI (0-255): 0

Circuit VCI (32-65535): +-------------+ +-------------+ QoS... | UBR | Peak Cell Rate (0 = line rate): | CBR | +-------------+

Use Connection Profile... Default Profile Use Default Profile for Circuit ADD Circuit NOW CANCEL

■ Enter a name for the circuit in the Circuit Name ﬁeld.

■ Toggle Circuit Enabled to Yes.

■ Enter the Virtual Path Identiﬁer and the Virtual Channel Identiﬁer in the Circuit VPI and Circuit VCI

ﬁelds, respectively.

2-18 Firmware User Guide

Quality of Service (QoS) settings

■ Select the QoS (Quality of Service) setting from the pop-up menu: UBR. or CBR.

UBR: No conﬁguration is needed for UBR VCs. Leave the default value 0 (maximum line rate). CBR: One parameter is required for CBR VCs. Enter the Peak Cell Rate that applies to the VC. This

value should be between 1 and the line rate. You set this value according to speciﬁcations deﬁned by your service provider.

Add Circuit

Circuit Name: Circuit 2

Circuit Enabled: Yes

Circuit VPI (0-255): 0

Circuit VCI (32-65535): 32

QoS... CBR Peak Cell Rate (0 = line rate): 0

Use Connection Profile... Default Profile Use Default Profile for Circuit ADD Circuit NOW CANCEL

Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.

■ The Peak Cell Rate ﬁeld is editable. Netopia Firmware Version 5.4 supports two ATM classes of ser-

vice for data connections: Unspeciﬁed Bit Rate (UBR) and Constant Bit Rate (CBR). You can conﬁgure these classes of service on a per VC basis. The default ATM class of service is UBR.

■ Then, select a Connection Proﬁle for the Circuit. To use the Default Proﬁle, select Use Default Proﬁle

for Circuit and press Return. For other options, select a proﬁle from the Use Connection Proﬁle

pop-up menu.

WAN and System Conﬁguration 2-19

Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a proﬁle.

The ﬁrst VC will automatically statically bind according to pre-deﬁned dynamic binding rules when you add the second VC. It will revert back to dynamic binding if the number of VCs is reduced to one; for example, by deleting previously deﬁned VCs.

When the link comes up the router binds the VC dynamically to the ﬁrst suitable Connection Proﬁle or to the Default Proﬁle if there is no Connection Proﬁle conﬁgured.

• If you factory default the router, the VC binds to the Default Proﬁle.

• If you delete a Connection Proﬁle that is statically bound to a VC, the VC binding is set back to the Default

Proﬁle. If there is only one VC deﬁned, the VC dynamically binds to the ﬁrst suitable proﬁle or to the Default Proﬁle. If there are multiple VCs deﬁned, it binds to the Default Proﬁle.

• If you add a second VC, it is initialized to the Default Proﬁle, and the menu screens display the VC

Connection Proﬁle-related items, allowing you to bind to a speciﬁc Connection Proﬁle instead of the Default Proﬁle. In addition, the router statically binds the ﬁrst VC according to the rules used to select a proﬁle for dynamic binding. At this point, each proﬁle uses static binding when the link is brought up.

• If there are no VCs when you add a VC -- for example, if you deleted all your previous VCs and star ted adding

them again -- dynamic binding will occur when the link comes up. If you delete a VC, leaving only one VC, that VC resumes dynamically binding again.

■ Select ADD Circuit NOW and press Return.

4. To display or change a circuit, select Display/Change Circuit, select a circuit from the pop-up menu, and press Return. The ﬁelds are the same as those in the Add Circuit screen.

5. To delete a circuit, select Delete Circuit, select a circuit from the pop-up menu, and press Return. In the conﬁrmation window, select CONTINUE and press Return.

6. Press Escape to return to the WAN Setup menu.

2-20 Firmware User Guide

Editing circuits

You conﬁgure Virtual Circuits in the ATM Circuits Conﬁguration screen. From the Main Menu, navigate to the ATM Circuits Conﬁguration screen.

Main

Menu

ATM Circuits Configuration

Show/Change Circuit... Add Circuit... Delete Circuit...

WAN

Configuration

ATM Circuits

Configuration

Select Show/Change Circuit and press Return.

WAN and System Conﬁguration 2-21

Choosing Show/Change Circuit (or Delete Circuit) displays a pop-up menu that allows you to select the circuit to be modiﬁed or deleted.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

Changing a circuit

If you want to make any changes to the circuit you select, you make them in the Change Circuit screen.

Change Circuit

Circuit Name: Circuit 1

Circuit Enabled: +---------+ +---------+ Traffic Type... | Voice | | Data | Circuit VPI (0-255): +---------+

Circuit VCI (0-65535): 38

Connection Profile is Easy Setup Profile

■ Circuit Name allows you to associate a one- to fourteen-character name with the circuit. The default circuit

name is “Circuit <n>”, where <n> is some number between one and eight corresponding to the circuit’s position in the list of up to eight circuits.

2-22 Firmware User Guide

■ Circuit Enabled allows you to enable or disable the circuit, using the Tab key. The default is enabled.

■ Trafﬁc Type allows you to select which type of trafﬁc will be routed on this circuit, Voice or Data. If you

choose Voice, the Connection Proﬁle is ﬁeld becomes unavailable and does not display.

■ Circuit VPI allows you to specify the Virtual Path Identiﬁer (VPI) value for the circuit. The default VPI value

for both ADSL and cell-based DSL is zero (0).

■ Circuit VCI allows you to specify the Virtual Channel Identiﬁer (VCI) value for the circuit. The default VCI

value depends on the type of DSLAM to which you are connecting.

■ Accessing the Connection Proﬁle Is ﬁeld in the Change Circuit menu depends not on the number of

Connection Proﬁles you have created, but the number of data VCs you have added. (See “Multiple ATM PVC

conﬁguration” on page 2-16.) If you have more than one data VC you can choose how Connection Proﬁles

are associated with VCs, otherwise you get default behavior and the Connection Proﬁle Is ﬁeld cannot be selected.

Monitoring multiple virtual circuits

The General Statistics screen adds a selection for ATM VC Statistics.

To access the ATM VC Statistics screen navigate from the Main Menu to Statistics & Logs then General Statistics.

Main

Menu

The General Statistics screen appears.

General Statistics

Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err Ethernet Hub 0 0 0 0 0 0 Aux Async 0 0 0 0 0 0 ATM SDSL 1 22152 5092 403 404 0 0

Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err IP 0 0 0 0 0 0

VC Traffic Statistics...

Statistics

& Logs

General

Statistics

WAN and System Conﬁguration 2-23

Select VC Trafﬁc Statistics.

The ATM VC Statistics screen appears.

ATM VC Statistics

VPI/VCI------Local IP Addr---------Frames Rx--Frames Tx---Bytes Rx---Bytes Tx

----------------------------------SCROLL UP---------------------------------- 0/39 111.222.333.4 0 0 0 0 8/36 -- 1 0 70 0

---------------------------------SCROLL DOWN----------------------------------

■ To display more information about each circuit associated with the selected WAN module, use the up or

down arrow key to highlight the circuit you want to view. Press Return.

A pop-up window appears, displaying detailed information for the selected circuit.

ATM VC Statistics

View St+---------------------------------------------------------------------+ VPI/VCI+---------------------------------------------------------------------+

-------| | 0/39 | Circuit Name: Circuit 4 | 8/36 | Connection Profile Name: Profile 4 | | | | Bytes Rx: 0 | | Bytes Tx 0 | | | | Frames Rx: 0 Frames Tx: 0 | | Frames Rx Discarded: 0 Frames Tx Discarded: 0 | | | | Errors Rx: 0 | | Errors Tx: 0 | | | | OK | | |

-------+---------------------------------------------------------------------+

2-24 Firmware User Guide

Creating a New Connection Proﬁle

Connection proﬁles are useful for conﬁguring the connection and authentication settings for negotiating a PPP connection on a DSL link. If you are using the PPP data link encapsulation method, you can store your authentication information in the connection proﬁle so that your user name and password (or host name and secret) are transmitted when you attempt to connect.

Connection proﬁles deﬁne the networking protocols necessar y for the router to make a remote connection. A connection proﬁle is like an address book entr y describing how the router is to get to a remote site, or how to recognize and authenticate a connection. To create a new connection proﬁle, you navigate to the WAN Conﬁguration screen from the Main Menu, and select Add Connection Proﬁle.

Main

Menu

The Add Connection Proﬁle screen appears.

Add Connection Profile

Profile Name: Profile 1 Profile Enabled: Yes

Encapsulation Type... RFC1483

RFC1483 Mode... Bridged 1483

IP Profile Parameters...

COMMIT CANCEL

WAN

Configuration

Add Connection

Profile

Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new Conn. Profile. Finished? COMMIT or CANCEL to exit.

On a Netopia Router you can add up to 15 more connection proﬁles, for a total of 16, but you can only use one at a time, unless you are using VPNs.

1. Select Proﬁle Name and enter a name for this connection proﬁle. It can be any name you wish. For example: the name of your ISP.

2. Toggle Proﬁle Enabled to Yes or No. The default is Yes. You can toggle it to No, if you want to disable it later.

3. Select Encapsulation Type and press Return. The pop-up menu offers the possible data link encapsulation methods for connection proﬁles used for a variety of purposes: PPP, RFC1483, ATMP, PPTP, IPsec, or L2TP.

WAN and System Conﬁguration 2-25

Multiple Data Link Encapsulation Settings

4. Select Encapsulation Options and press Return.

❥ If you selected ATMP, PPTP, L2TP, or IPSec, see Chapter 4, “Vir tual Private Networks (VPNs).”

❥ If you selected PPP or RFC1483, the screen offers different options:

Add Connection Profile

Profile Name: Profile 1 Profile Enabled: Yes

Encapsulation Type... +--------------+ +--------------+ RFC1483 Mode... | Bridged 1483 | | Routed 1483 | +--------------+

IP Profile Parameters...

COMMIT CANCEL

❥ If you selected RFC1483, the screen allows you

to choose Bridged 1483 or Routed 1483.

Add Connection Profile

Profile Name: Profile 1 Profile Enabled: Yes

Encapsulation Type... PPP Underlying Encapsulation... None PPP Mode... VC Multiplexed Encapsulation Options...

IP Profile Parameters...

Interface Group... Primary

COMMIT CANCEL

Configure a new Conn. Profile. Finished? COMMIT or CANCEL to exit.

❥ If you selected PPP, the screen allows you to

choose PPPoE or None as the Underlying Encapsulation.

❥ If you choose None, the PPP Mode offers the

choice of VC Multiplexed or LLC SNAP.

If you are using PPP, when you select Encapsulation Options, the Datalink (PPP/MP) Options screen appears. (RFC1483 does not require these options and does not offer the menu selection.)

2-26 Firmware User Guide

Datalink (PPP/MP) Options

Data Compression... Standard LZS

Send Authentication... PAP

Send User Name: Send Password: Receive User Name: Receive Password:

❥ Data Compression defaults to Standard LZS. You

can select Ascend LZS, if you are connecting to compatible equipment, or None from the pull-down menu.

❥ The Send Authentication pull-down menu lets

you select PAP, CHAP, or None.

❥ Selecting PAP or CHAP allows you to enter your

authentication credentials for both sending and receiving connections.

PAP requires a User Name and Password; CHAP requires a Host Name and Secret. The screen changes to accommodate your selection.

Datalink (PPP/MP) Options

Data Compression... Standard LZS

Send Authentication... PAP

Send User Name: Send Password: Receive User Name: Receive Password:

Dial on Demand: Yes

❥ If you are creating a Backup proﬁle (suppor ted

models only), and have selected Backup as the Interface Group in the previous screen, you can toggle Dial on Demand to Yes (the default) or No. See “Line Backup” on page 7-1 for more information.

Return to the Add Connection Proﬁle screen by pressing Escape.

5. Select IP Proﬁle Parameters and press Return. The IP Proﬁle Parameters screen appears.

WAN and System Conﬁguration 2-27

IP Profile Parameters

Address Translation Enabled: Yes IP Addressing... Numbered

NAT Map List... Easy-PAT List NAT Server List... Easy-Servers

Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0

Filter Set... Remove Filter Set

RIP Profile Options...

6. Toggle or enter any IP Parameters you require and return to the Add Connection Proﬁle screen by pressing Escape. For more information, see “IP Setup” on page 6-2.

7. Select COMMIT and press Return. Your new Connection Proﬁle will be added.

If you want to view the Connection Proﬁles in your device, return to the WAN Conﬁguration screen, and select Display/Change Connection Proﬁle. The list of Connection Proﬁles is displayed in a scrolling pop-up screen.

WAN Configuration +-Profile Name---------------------IP Address------+ +--------------------------------------------------+ | Easy Setup Profile 255.225.255.255 | | Profile 1 0.0.0.0 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +--------------------------------------------------+

2-28 Firmware User Guide

The Default Proﬁle

If you are using RFC1483 data link encapsulation, the Default Proﬁle screen controls whether or not the DSL link will come up without an explicitly conﬁgured connection proﬁle. (PPP datalink encapsulation does not support a default proﬁle, and the corresponding menu item is unavailable.) See “Connection Proﬁles” on

page 6-32 for more information.

You access the Default Proﬁle screen from the Main Menu by selecting WAN Conﬁguration and then selecting Default Proﬁle.

Main

Menu

The Default Proﬁle screen appears.

WAN Default Profile

Must Match a Defined Profile: No

IP Parameters...

WAN

Configuration

WAN

Default Profile

■ You can set Must Match a Deﬁned Proﬁle item to Ye s or No (the default). This item controls whether or

not the DSL link will come up without an explicitly conﬁgured connection proﬁle. If your ISP is ser ving you a dynamic IP Address, you need not explicitly conﬁgure a connection proﬁle, and the default behavior of the router will be to connect automatically once it is powered on.

WAN and System Conﬁguration 2-29

IP parameters (default proﬁle) screen

If you are using RFC1483 datalink encapsulation, the IP Parameters (Default Proﬁle) screen allows you to conﬁgure various IP parameters for DSL connections established without an explicitly conﬁgured connection proﬁle:

IP Parameters (Default Profile)

Address Translation Enabled: No

Filter Set (Firewall)... Remove Filter Set

Receive RIP: Both Transmit RIP: Off

Return/Enter accepts * Tab toggles * ESC cancels.

For an DSL link, Network Address Translation (NAT) is disabled by default in the Default Proﬁle. You can enable it by toggling to Yes. For details on setting up IP Parameters see “IP Setup” on page 6-2.

Scheduled Connections

Scheduled connections are useful for PPPoE, PPTP, and ATMP connection proﬁles.

To go to the Scheduled Connections screen, from the WAN Conﬁguration screen select Advanced Connection Options and then select Scheduled Connections.

Main

Menu

WAN

Configuration

Advanced

Connection Options

Scheduled

Connections

2-30 Firmware User Guide

Scheduled Connections

Display/Change Scheduled Connection...

Add Scheduled Connection...

Delete Scheduled Connection...

Navigate from here to add/modify/change/delete Scheduled Connections.

Viewing scheduled connections

To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table.

Scheduled Connections

+-Days----Begin At---HH:MM---When----Conn. Prof. Name----Enabled-----+ +--------------------------------------------------------------------+ | mtWtfss 08:30PM 06:00 weekly Profile 01 No | | | | | | | | | | | +--------------------------------------------------------------------+

The ﬁrst column in the table shows a one-letter representation of the Days of the week, from Monday (M or m) to Sunday (S or s). If a letter representing a day is capitalized, the connection will be activated on that day; a lower-case letter means that the connection will not be activated on that day. If the scheduled connection is conﬁgured for a once-only connection, the word “once” will appear instead of the days of the week.

WAN and System Conﬁguration 2-31

The other columns show:

■ The time of day that the connection will Begin At

■ The duration of the connection (HH:MM)

■ Whether it’s a recurring Weekly connection or used Once Only

■ Which connection proﬁle (Conn. Prof.) is used to connect

■ Whether the scheduled connection is currently Enabled

The router checks the date and time set in scheduled connections against the system date and time.

Adding a scheduled connection

To add a new scheduled connection, select Add Scheduled Connection in the Scheduled Connections screen and press Return. The Add Scheduled Connection screen appears.

Add Scheduled Connection

Scheduled Connection Enable: On

How Often... Weekly

Schedule Type... Forced

Set Weekly Schedule...

Use Connection Profile...

ADD SCHEDULED CONNECTION CANCEL

Scheduled Connections dial remote Networks on a Weekly or Once-Only basis.

Follow these steps to conﬁgure the new scheduled connection:

■ To activate the connection, select Scheduled Connection Enable and toggle it to On. You can make the

scheduled connection inactive by toggling Scheduled Connection Enable to Off.

■ Decide how often the connection should take place by selecting How Often and choosing Weekly or Once

Only from the pop-up menu.

■ The Schedule Type allows you to set the exact weekly schedule or once-only schedule.

Options are:

■ Forced Up, meaning that this connection will be maintained whether or not there is a demand call on

the line.

■ Forced Down, meaning that this connection will be torn down or blocked whether or not there is a

2-32 Firmware User Guide

demand call on the line.

■ Demand-Allowed, meaning that this schedule will permit a demand call on the line.

■ Demand-Blocked, meaning that this schedule will prevent a demand call on the line.

■ Periodic, meaning that the connection is retried several times during the scheduled time.

■ If How Often is set to Weekly, the item directly below How Often reads Set Weekly Schedule. If How Often

is set to Once Only, the item directly below How Often reads Set Once-Only Schedule.

Set Weekly Schedule

If you set How Often to Weekly, select Set Weekly Schedule and go to the Set Weekly Schedule screen.

■ Select the days for the scheduled connection to occur and toggle them to Yes.

Set Weekly Schedule

Monday: No Tuesday: No Wednesday: No Thursday: No Friday: No Saturday: No Sunday: No

Scheduled Window Start Time: 11:50 AM or PM: AM

Scheduled Window Duration Per Day: 00:00

■ Select Scheduled Window Start Time and enter the time to initiate the scheduled connection.

■ You must enter the time in the format H:M, where H is a one- or two-digit number representing the hour and

M is a one- or two-digit number representing the minutes. The colon is mandator y. For example, the entry 1:3 (or 1:03) would be accepted as 3 minutes after one o’clock. The entry 7:0 (or 7:00) would be accepted as seven o’clock, exactly. The entries 44, :5, and 2: would be rejected.

■ Select AM or PM and choose AM or PM from the pop-up menu.

■ Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled

connection, per call.

You are ﬁnished conﬁguring the weekly options. Return to the Add Scheduled Connection screen to continue.

WAN and System Conﬁguration 2-33

Set Once-Only Schedule

If you set How Often to Once Only, select Set Once-Only Schedule and go to the Set Once-Only Schedule screen.

Set Once-Only Schedule

Place Call on (MM/DD/YY): 05/07/1998

Scheduled Window Start Time: 11:50 AM or PM: AM

Scheduled Window Duration: 00:00

■ Select Place Call On (Date) and enter a date in the format MM/DD/YY or MM/DD/YYYY (month, day,

year).

Note: You must enter the date in the format speciﬁed. The slashes are mandatory. For example, the entry 5/7/98 would be accepted as May 7, 1998. The entry 5/7 would be rejected.

■ Select Scheduled Window Start Time and enter the time to initiate the scheduled connection.

Note: You must enter the time in the format H:M, where H is a one- or two-digit number representing the

hour and M is a one- or two-digit number representing the minutes. The colon is mandator y. For example, the entry 1:3 (or 1:03) would be accepted as 3 minutes after one o’clock. The entry 7:0 (or 7:00) would be accepted as seven o’clock, exactly. The entries 44, :5, and 2: would be rejected.

■ Select AM or PM and choose AM or PM.

■ Select Scheduled Window Duration and enter the maximum duration allowed for this scheduled

connection. Use the same format restrictions noted above.

You are ﬁnished conﬁguring the once-only options. Return to the Add Scheduled Connection screen to continue.

■ In the Add Scheduled Connection screen, select Use Connection Proﬁle and choose from the list of

connection proﬁles you have already created. A scheduled connection must be associated with a connection proﬁle to be useful. The connection proﬁle becomes active during the times speciﬁed in the associated scheduled connection, if any exists.

■ Select ADD SCHEDULED CONNECTION to save the current scheduled connection. Select CANCEL to exit

the Add Scheduled Connection screen without saving the new scheduled connection.

2-34 Firmware User Guide

Modifying a scheduled connection

To modify a scheduled connection, select Display/Change Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections.

Select a scheduled connection from the table and press Return. The Change Scheduled Connection screen appears. The parameters in this screen are the same as the ones in the Add Scheduled Connection screen (except that ADD SCHEDULED CONNECTION and CANCEL do not appear). To ﬁnd out how to set them, see

“Adding a scheduled connection” on page 2-31.

Deleting a scheduled connection

To delete a scheduled connection, select Delete Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections.

Select a scheduled connection from the table and press the Return key to delete it. To exit the table without deleting the selected scheduled connection, press the Escape key.

WAN and System Conﬁguration 2-35

System Conﬁguration Screens

System conﬁguration features

The Netopia Firmware Version 5.4 default settings may be all you need to conﬁgure your Router. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, Netopia Firmware Version 5.4 provides system conﬁguration options.

“IP Setup” on page 2-36 “Filter Sets” on page 2-36

“IP Address Serving” on page 2-36 “Network Address Translation (NAT)” on page 2-36

“Date and time” on page 2-42 “Stateful Inspection ﬁrewall” on page 2-37

“SNMP (Simple Network Management Protocol)” on page 2-43

“Upgrade Feature Set” on page 2-43 “Security” on page 2-43

“Logging” on page 2-46 “RFC-1483 Transparent Bridging” on page 2-44

To help you determine whether you need to use the system conﬁguration options, review the following requirements. If you have one or more of these needs, use the system conﬁguration options described in later chapters.

■ System conﬁguration of dynamic IP address distribution through DHCP or BootP

■ Greater network security through the use of ﬁlters

■ Use of Network Time Protocol

To access the system conﬁguration screens, select System Conﬁguration in the Main Menu, then press Return.

“Console Conﬁguration” on page 2-43

2-36 Firmware User Guide

The System Conﬁguration menu screen appears:

System Configuration

IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)...

Date and Time...

Console Configuration... SNMP (Simple Network Management Protocol)...

Security...

Upgrade Feature Set...

Change Device to a Bridge...

Logging...

Use this screen if you want options beyond Easy Setup.

IP Setup

These screens allow you to conﬁgure your network’s use of the IP networking protocol.

■ Details are given in “IP Setup” on page 6-2.

Filter Sets

These screens allow you to conﬁgure security on your network by means of ﬁlter sets and a basic ﬁrewall.

■ Details are given in “Security” on page 10-1.

IP Address Serving

These screens allow you to conﬁgure IP address ser ving on your network by means of DHCP, WANIP, and BootP.

■ Details are given in “IP Address Ser ving” on page 6-17.

Network Address Translation (NAT)

These screens allow you to conﬁgure the Multiple Network Address Translation (MultiNAT) features.

■ Details are given in “Multiple Network Address Translation” on page 3-1.

WAN and System Conﬁguration 2-37

Stateful Inspection ﬁrewall

Stateful inspection ﬁrewall is a security feature that prevents unsolicited inbound access when NAT is disabled. You can conﬁgure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway. Stateful inspection can be enabled on a proﬁle whether NAT is enabled or not.

Stateful Inspection

UDP no-activity timeout (sec): 180

TCP no-activity timeout (sec): 14400

Add Exposed Address List...

Exposed Address Associations...

Return/Enter goes to new screen. Return/Enter to configure Xposed IP addresses.

■ UDP no-activity time-out: The time in seconds after which a UDP session will be terminated, if there is no

trafﬁc on the session.

■ TCP no-activity time-out: The time in seconds after which an TCP session will be terminated, if there is no

trafﬁc on the session.

■ Exposed Addresses: The hosts speciﬁed in Exposed addresses will be allowed to receive inbound traf ﬁc

even if there is no corresponding outbound trafﬁc. This is active only if NAT is disabled on an WAN interface.

2-38 Firmware User Guide

Stateful Inspection Options

Enable and conﬁgure stateful inspection on a WAN interface.

IP Profile Parameters

Address Translation Enabled: Yes IP Addressing... Numbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: No

Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0

Filter Set... Remove Filter Set

RIP Profile Options...

Return/Enter to select <among/between> ... Configure IP requirements for a remote network connection here.

When you create or modify a Connection Proﬁle, the IP Proﬁle Parameters screen allows you to enable Stateful Inspection on that proﬁle by toggling Stateful Inspection Enabled to Yes . By default, this is turned of f (No). If you enable Stateful Inspection, the Stateful Inspection Options ﬁeld appears.

IP Profile Parameters

Address Translation Enabled: No IP Addressing... Numbered

Stateful Inspection Enabled: Yes Stateful Inspection Options... Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0

Filter Set... Remove Filter Set

RIP Profile Options...

Configure IP requirements for a remote network connection here.

Select Stateful Inspection Options and press Return. The Stateful Inspection Parameters screen appears.

WAN and System Conﬁguration 2-39

Stateful Inspection Parameters

Max. TCP Sequence Number Difference: 0

Enable default mapping to router: No

Deny Fragmented Packets: No

Exposed Address List...

Enter max. allowed TCP sequence number difference (1 - 65535), 0 to disable.

■ Max. TCP Sequence Number Difference: Enter a value in this ﬁeld. This value represents the maximum

sequence number difference allowed between subsequent TCP packets. If this number is exceeded, the packet is dropped. The acceptable range is 0 – 65535. A value of 0 (zero) disables this check.

■ Enable default mapping to router: This is disabled by default. Toggling this option to Yes will allow the

router to respond to trafﬁc received on this inter face, for example, ICMP Echo requests.

Note: If Stateful Inspection is enabled on a base connection proﬁle (for example, for PPP, RFC1483

bridged/routed, or PPPoE), Enable default mapping to router must be yes to allow inbound VPN terminations. (for example. for PPTP/ATMP client access to the router)

■ Deny Fragmented Packets: Toggling this option to Yes causes the router to discard fragmented packets on

this interface.

■ You can apply these parameters to your Exposed Address lists by selecting your Exposed Address List

from the pop-up menu,

2-40 Firmware User Guide

Up/Down Arrows to select, then Return/Enter; ESC to cancel.

Exposed Addresses

You can specify the IP addresses you want to expose by selecting Add Exposed Address List and pressing Return. The Add Exposed Address List screen appears.

Add Exposed Address List

Exposed Address List Name: my_xposed_addr_list

Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.

Add, Edit, or delete exposed addresses options are active only if NAT is disabled on an WAN interface. The hosts speciﬁed in exposed addresses will be allowed to receive inbound trafﬁc even if there is no corresponding outbound traf ﬁc.

Change Exposed Address Range ("my_xposed_list")

First Exposed Address: 192.168.1.10

Last Exposed Address: +-------------+ +-------------+ Protocol... | TCP and UDP | | TCP | Port Start: | UDP | | ANY | Port End: +-------------+

CHANGE EXPOSED ADDRESS RANGE CANCEL

■ Start Address: Start IP Address of the exposed host range.

WAN and System Conﬁguration 2-41

■ End Address: End IP Address of the exposed host range

■ Protocol: Select the Protocol of the trafﬁc to be allowed to the host range from the pull-down menu.

Options are Any, TCP, UDP, or TCP/UDP.

■ Start Port: Star t por t of the range to be allowed to the host range. The acceptable range is from 1 - 65535

■ End Port: Protocol of the trafﬁc to be allowed to the host range. The acceptable range is from 1 - 65535

You can edit or delete exposed address lists by selecting Show/Change Exposed Address List or Delete Exposed Address List. A list of previously conﬁgured exposed addresses appears.

Add Exposed Address List +------Exposed Address Range---------Protocol-------------------+ +---------------------------------------------------------------+ | 192.168.1.10 192.168.1.12 TCP and UDP | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +---------------------------------------------------------------+

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

This allows you to select an exposed address list for editing or deletion.

2-42 Firmware User Guide

Date and time

You can set the system’s date and time parameters in the Set Date and Time screen.

Select Date and Time in the System Conﬁguration screen and press Return. The Set Date and Time screen appears.

Set Date and Time

NTP (Network Time Prot.) Enabled: On Time Server Host Name/IP Address 204.152.184.72 Time Zone... GMT -8:00 Pacific Standard Time NTP Update Interval (HHHH:MM) 0:00

System Date Format: MM/DD/YY

System Time Format: AM/PM

Follow these steps to set the system’s date and time:

1. Toggle NTP (Network Time Prot.) Enabled to On to synchronize the Router’s time and date with a network server. Toggle this ﬁeld to Of f to manually set the time and date; the options in this screen will change to allow you to manually enter the time and date parameters.

Note: If time and date are manually set, that information will be lost upon reboot or loss of power.

2. Enter the IP address of the time server in the ﬁeld Time Server Host Name/IP Address.

3. Select the Router’s time zone from the Time Zone pop-up menu and press Return.

4. In the NTP Update Interval ﬁeld, enter how often to synchronize with the time ser ver, using the format HHHH:MM where H is hours and M is minutes.

5. Select a System Date Format; the options are MM/DD/YY, DD/MM/YY, and YY/MM/DD, where M is month, D is day, and Y is year.

6. Select a System Time Format, either AM/PM or 24hrs.

7. Press Escape to return to the System Conﬁguration menu.

Note: NTP can be blocked by some ﬁrewall conﬁgurations. To ensure that this feature works, create a ﬁlterset

rule to allow UDP por t 123 to be open.

WAN and System Conﬁguration 2-43

Console Conﬁguration

You can change the default terminal communications parameters to suit your requirements.

To go to the Console Conﬁguration screen, select Console Conﬁguration in the System Conﬁguration screen.

Console Configuration

Baud Rate... 57600

SET CONFIG NOW CANCEL

Follow these steps to change a parameter’s value:

1. Select 57600, 38400, 19200, or 9600.

2. Select SET CONFIG NOW to save the new parameter settings. Select CANCEL to leave the parameter unchanged and exit the Console Conﬁguration screen.

SNMP (Simple Network Management Protocol)

These screens allow you to monitor and conﬁgure your network by means of a standard Simple Network Management Protocol (SNMP) agent.

■ Details are given in “Simple Network Management Protocol (SNMP) - V2c” on page 9-10.

Security

These screens allow you to add users and deﬁne passwords on your network.

■ Details are given in “Security” on page 10-1.

Upgrade Feature Set

You can upgrade your Router by adding new feature sets through the Upgrade Feature Set utility.

See the release notes that came with your router or feature set upgrade, or visit the Netopia Web site at www.netopia.com for information on new feature sets, how to obtain them, and how to install them on your Router.

2-44 Firmware User Guide

RFC-1483 Transparent Bridging

This feature allows you to turn off the routing features and use your device as a bridge. If you select this option, the device will restart itself, and reset all the settings to factor y defaults. Any conﬁgurations you have made will be erased. Use this feature with caution. If you decide to reinstate the routing capabilities, you must reconﬁgure the device from scratch.

From the Main Menu, select System Conﬁguration.

System Configuration

IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)...

Date and Time...

Console Configuration... SNMP (Simple Network Management Protocol)...

Security...

Upgrade Feature Set...

Change Device to a Bridge...

Logging...

Use this screen if you want options beyond Easy Setup.

Select Change Device to a Bridge and press Return. You will be challenged to conﬁrm this choice.

+----------------------------------------------------+ +----------------------------------------------------+ | This change requires a reboot and will result | | in Factory Defaulting the device. | | | | CANCEL CONTINUE | | | +----------------------------------------------------+

If you chose CONTINUE, the device will reboot and restar t in bridge mode. Routing features will be disabled and the console menus corresponding conﬁguration items, such as Easy Setup, will be removed.

WAN and System Conﬁguration 2-45

Netopia Router

WAN Configuration...

System Configuration...

Utilities & Diagnostics...

Statistics & Logs...

Quick View...

You can reinstate router mode by returning to the System Conﬁguration menu.

System Configuration

Management IP Setup... Filter Sets...

Date and Time...

Console Configuration... SNMP (Simple Network Management Protocol)...

Security...

Upgrade Feature Set...

Change Device to a Router...

Logging...

Use this screen if you want options beyond Easy Setup.

Select Change Device to a Router.

Press Return, conﬁrm your choice, and the device will restar t in router mode. Bridged Frame-Relay. Note: Netopia Firmware Version 5.4 now supports additional Frame Relay conﬁguration

options when the Netopia device is operating in bridged mode. Bridged Frame Relay (RFC 2427) is an extension of the existing onboard Frame Relay capability. Frame Relay-capable Netopia routers (ex: T-1, IDSL) may be run in bridged mode, with the WAN handling Frame Relay packets that are bridged to the Ethernet inter face. For these models, LMI, multiple DLCIs, etc. can be conﬁgured. If you choose to run the router in bridged mode, and select Frame Relay as the data link encapsulation method in the WAN (Wide Area Network) Setup menu, the WAN Conﬁguration menu now offers options to conﬁgure Frame Relay and Frame Relay DLCIs.

2-46 Firmware User Guide

Logging

You can conﬁgure a UNIX-compatible syslog client to report a number of subsets of the events entered in the router’s WAN Event History. See “WAN Event History” on page 9-5.

Select Logging from the System Conﬁguration menu.

The Logging Conﬁguration screen appears.

Logging Configuration

WAN Event Log Options Log Boot and Errors: Yes Log Line Specific: Yes Log Connections: Yes Log PPP, DHCP, CNA: Yes Log IP: Yes

Syslog Parameters Syslog Enabled: No Hostname or IP Address: Facility... Local 0

By default, all events are logged in the event history.

■ By toggling each event descriptor to either Yes or No, you can determine which ones are logged and which

are ignored.

■ You can enable or disable the syslog client dynamically. When enabled, it will report any appropriate and

previously unrepor ted events.

■ You can specify the syslog server’s address either in dotted decimal format or as a DNS name up to 63

characters.

■ You can specify the UNIX syslog Facility to use by selecting the Facility pop-up.

■ Erase the log by selecting DUMP WAN LOG

WAN and System Conﬁguration 2-47

You will need to install a Syslog client daemon program on your PC and conﬁgure it to report the WAN events you speciﬁed in the Logging Conﬁguration screen.

The following screen shows a sample syslog dump of WAN events:

May 5 10:14:06 tsnext.netopia.com Link 1 down: PPP PAP failure May 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534 May 5 10:14:06 tsnext.netopia.com Requested Disc. from DN: 917143652500 May 5 10:14:06 tsnext.netopia.com Received Clear Confirm for our DN: 5108645534 May 5 10:14:06 tsnext.netopia.com Link 1 down: Manual disconnect May 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534 May 5 10:14:06 tsnext.netopia.com Requested Disc. from DN: 917143652500 May 5 10:14:06 tsnext.netopia.com Received Clear Confirm for our DN: 5108645534 May 5 10:14:06 tsnext.netopia.com Link 1 down: No answer May 5 10:14:06 tsnext.netopia.com --Device restarted----------------------------------------May 5 10:14:06 tsnext.netopia.com >>Received Speech Setup Ind. from DN: (not supplied) May 5 10:14:06 tsnext.netopia.com Requested Connect to our DN: 5108645534 May 5 10:14:06 tsnext.netopia.com ASYNC: Modem carrier detected (more) Modem reports: 26400 V34 May 5 10:14:06 tsnext.netopia.com >>WAN: 56K Modem 1 activated at 115 Kbps May 5 10:14:06 tsnext.netopia.com Connect Confirmed to our DN: 5108645534 May 5 10:14:06 tsnext.netopia.com PPP: Channel 1 up, Answer Profile name: Default Profile May 5 10:14:06 tsnext.netopia.com PPP: NCP up, session 1, Channel 1 Final (fallback) negotiated auth: Local PAP , Remote NONE May 5 10:14:06 tsnext.netopia.com PPP: PAP we accepted remote, Channel 1 Remote name: guest May 5 10:14:06 tsnext.netopia.com PPP: MP negotiated, session 1 Remote EDO: 06 03 0 000C5700624 0 May 5 10:14:06 tsnext.netopia.com PPP: CCP negotiated, session 1, type: Ascend LZS Local mode: 1, Remote mode: 1 May 5 10:14:06 tsnext.netopia.com PPP: BACP negotiated, session 1 Local MN: FFFFFF FF, Remote MN: 00000001 May 5 10:14:06 tsnext.netopia.com PPP: IPCP negotiated, session 1, rem:

192.168.10.100 local: 192.168.1.1 May 5 10:14:06 tsnext.netopia.com >>WAN: 56K Modem 1 deactivated May 5 10:14:06 tsnext.netopia.com Received Clear Ind. from DN: 5108645534, Cause: 0 May 5 10:14:06 tsnext.netopia.com Issued Clear Response to DN: 5108645534 May 5 10:14:06 tsnext.netopia.com Link 1 down: Remote clearing May 5 10:14:06 tsnext.netopia.com PPP: IPCP down, session 1 May 5 10:14:06 tsnext.netopia.com >>Received Speech Setup Ind. from DN: (not supplied)

2-48 Firmware User Guide

Multiple Network Address Translation 3-1

CCCChhhhaaaapppptttteeeerrrr 33

MMMMuuuullllttttiiiipppplllleeee NNNNeeeettttwwwwoooorrrrkkkk AA

Netopia Firmware Version 5.4 offers advanced Multiple Network Address Translation functionality.

You should read this chapter completely before attempting to conﬁgure any of the advanced NAT features.

This chapter covers the following topics:

■ Overview on page 3-1

■ MultiNAT Conﬁguration on page 3-6

■ Easy Setup Proﬁle conﬁguration on page 3-6

■ Server Lists and Dynamic NAT conﬁguration on page 3-7

■ Adding Server Lists on page 3-15

■ Binding Map Lists and Server Lists on page 3-21

■ NAT Associations on page 3-25

■ IP Passthrough on page 3-27

33

A

Addddddddrrrreeeessssssss TTTTrrrraaaannnnssssllllaaaattttiiiioooonnnn

■ MultiNAT Conﬁguration Example on page 3-31

Overview

NAT (Network Address Translation) is a means of mapping one or more IP addresses and/or IP service ports into different values. This mapping serves two functions:

■ It allows the addresses of many computers on a LAN to be represented to the public Internet by only one or

a few addresses, saving you money.

■ It can be used as a security feature by obscuring the true addresses of important machines from potential

hackers on the Internet.

To help you understand some of the concepts discussed here, it may be helpful to introduce some NAT terminology.

The term mapping refers to rules that associate one or more private addresses on the Netopia Router’s LAN to one or more public addresses on the Netopia Routers WAN interface (typically the Internet).

The terms private and internal refer to addresses on the Netopia Router’s LAN. These addresses are considered private because they are protected or obscured by NAT and cannot be directly accessed from the WAN (or Internet) side of the Netopia Router unless speciﬁcally conﬁgured otherwise.

The terms public and external refer to the WAN (or Internet) side of the Netopia Router.

3-2 Firmware User Guide

Features

MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on a per-Connection Proﬁle basis.

The following is a general description of these features:

Port Address Translation

The simplest form of classic Network Address Translation is PAT (Port Address Translation). PAT allows a group of computers on a LAN, such as might be found in a home or small ofﬁce, to share a single Internet connection using one IP address. The computers on the LAN can surf the Web, read e-mail, download ﬁles, etc., but their individual IP addresses are never exposed to the public network. Instead, a single IP address acts as the source IP address of trafﬁc originating from the LAN. The Netopia Router allows you to deﬁne multiple PAT mappings, which can be individually mapped to different public IP addresses. This offers more control over the access permitted to users on the LAN.

A limitation of PAT is that communication must be initiated from the internal network. A user on the external side cannot access a machine behind a PAT connection. A PAT enhancement is the ability to deﬁne multiple PAT mappings. Each of these can optionally map to a section or range of IP addresses of the internal network. PAT mapping allows only internal users to initiate trafﬁc ﬂow between the internal and external networks.

Server lists

Server lists, previously known as exported services, make it possible to provide access from the public network to hosts on the LAN. Server lists allow you to deﬁne particular services, such as Web, ftp, or e-mail, which are available via a public IP address. You deﬁne the type of service you would like to make available and the internal IP address to which you would like to provide access. You may also deﬁne a speciﬁc public IP address to use for this service if you want to use an IP other than the WAN IP address of the Netopia Router.

Static mapping

If you want to host your own Website or provide other Internet services to the public, you need more than classic NAT. The reason is noted under Por t Address Translation above – external users cannot initiate trafﬁc to computers on your LAN because external users can never see the real addresses of the computers on your LAN. If you want users outside your LAN to have access, for example, to a Web or FTP server that you host, you need to make a public representation of the real IP addresses of those ser vers.

Static mappings are a way to make one or more private IP addresses fully accessible from the public network via corresponding public IP addresses. Some applications may negotiate multiple TCP connections in the process of communication, which often does not work with traditional PAT. Static mapping offers the ability to use these applications through NAT. Each private IP address is mapped, on a one-to-one basis, to a public IP address that can be accessed from the Internet or public network. As with PAT mappings, you may have multiple static mappings to map a range of private IP addresses to a range of public IP addresses if desired.

Multiple Network Address Translation 3-3

Dynamic mapping

Dynamic mapping, often referred to as many-to-few, offers an extension to the advantages provided by static mapping. Instead of requiring a one-to-one association of public addresses and private addresses, as is required in static mapping, dynamic mapping uses a group of public IP addresses to dynamically allocate static mappings to private hosts that are communicating with the public network. If a host on the private network initiates a connection to the Internet, for example, the Netopia Router automatically sets up a one-to-one mapping of that host’s private IP address to one of the public IP addresses allocated to be used for Dynamic NAT. As long as this host is communicating with the Internet, it will be able to use that address. When trafﬁc from that host ceases, and no trafﬁc is passed from that host for ﬁve minutes, the public address is made available again for other private hosts to use as necessary.

When addresses are returned to the group of available addresses, they are returned to the head of the group, being the most recently used. If that same host requests a connection an hour later, and the same public address is still available, then it will be mapped to the same private host. If a new host, which has not previously requested a connection, initiates a connection it is allocated the last, or oldest, public address available.

Dynamic NAT is a way of sharing a range of public, or exterior, NAT addresses among one or more groups of private, or interior, hosts. This is intended to provide superior support for applications that traditionally have difﬁculty communicating through NAT. Dynamic NAT is intended to provide functionality beyond many-to-one and one-to-one translation. Netopia’s NAT implementation makes it possible to have a static mapping of one public address to one private address, thus allowing applications such as NetMeeting to work by assuring that any trafﬁc sent back to the source IP address is forwarded through to the internal machine.

Static one-to-one mapping works well if you have enough IP addresses for all the workstations on your LAN. If you do not, Dynamic NAT allows machines to make full use of the publicly routable IP addresses provided by the ISP as necessary, on demand. When these public IP addresses are no longer being used by a par ticular workstation, they are returned to a pool of available addresses for other workstations to use.

A common example is a DSL customer’s application. Most DSL ISPs only provide customers with a few IP addresses for use on their network. For networks with more than four or ﬁve machines it is usually mandator y to use NAT. A customer may have 15 workstations on the LAN, all of which need Internet access. The customer is only provided ﬁve IP addresses by their ISP. The customer has eight hosts, which only need to use email and have Web access, but another seven hosts, which use NetMeeting to communicate with clients once or twice a day. NetMeeting will not work unless a static one-to-one mapping exists for the machine running NetMeeting to use for communication. The customer does not have enough IP addresses to create a one-to-one mapping for each of the seven users. This is where dynamic NAT applies.

The customer can conﬁgure four of these addresses to be used for Dynamic NAT. The ﬁfth address is then used for the eight other machines that do not need one-to-one mappings. As each machine conﬁgured to use addresses from the dynamic pool tries to connect to the Internet it is allocated a public IP address to use temporarily. Once the communication has been terminated, that IP address is freed for one of the other six hosts to use.

3-4 Firmware User Guide

Available for Dynamic NAT Used for Normal NAT

172.16.1.25

172.16.1.26

172.16.1.27

172.16.1.28

172.16.1.29

WAN Network

Network Address Translation

LAN Network

192.168.1.16

192.168.1.15

192.168.1.14

192.168.1.13

192.168.1.12

192.168.1.11

192.168.1.10

192.168.1.9

192.168.1.8

192.168.1.7

192.168.1.6

192.168.1.5

192.168.1.4

192.168.1.3

192.168.1.2

Exterior addresses are allocated to internal hosts on a demand, or as-needed, basis and then made available when trafﬁc from that host ceases. Once an internal host has been allocated an address, it will use that address for all trafﬁc. Five minutes after all trafﬁc ceases – no pings, all TCP connections closed, no DNS requests, etc. – the address is put at the head of an available list. If an interior host needs an exterior address an hour later, and the previously used address is still available, it will acquire the same address. If an interior host that has not previously been allocated an exterior address needs one, it will be allocated the last, hence the oldest, exterior address on the available list.

All NAT conﬁgurations are rule-based. This means that trafﬁc passed through NAT from either the public or the private network is compared to the rules and mappings conﬁgured in the Netopia Router in a particular order. The ﬁrst rule that applies to the trafﬁc being initiated is used.

For example, if a connection is initiated from the public network and is destined for a public IP address conﬁgured on the Netopia Router, the following comparisons are made in this order.

1. The Netopia Router ﬁrst checks its internal NAT cache to see if the data is part of a previously initiated connection, if not…

2. The Netopia Router checks the conﬁgured server lists to see if this trafﬁc is intended to be forwarded to an internal host based on the type of ser vice.

3. The Netopia Router then checks to see if there is a static, dynamic, or PAT mapping for the public IP address that the connection is being initiated to.

4. The Netopia Router answers the request itself if the data is destined for the Netopia’s WAN interface IP address. Otherwise the data is discarded.

Multiple Network Address Translation 3-5

Complex maps

Map lists and server lists are completely independent of each other. A Connection Proﬁle can use one or the other or both.

MultiNAT allows complex mapping and requires more complex conﬁguration than in earlier ﬁrmware versions. Multiple mapped interior subnets are supported, and the rules for mapping each of the subnets may be different. The ﬁgure below illustrates a possible multiNAT conﬁguration.

Private Addresses IP HostPublic Addresses NAT Type

206.1.1.1

206.1.1.2

206.1.1.3

206.1.1.4

206.1.1.5

206.1.1.6

206.1.2.1 – 6 LAN Users (possible later)

In order to support this type of mapping, you deﬁne two address ranges. First, you deﬁne a public range which contains the ﬁrst and last public address to be used and the way in which these addresses should be used (PAT, static, or dynamic). You then conﬁgure an address map which deﬁnes the private IP address or addresses to be used and which public range they should be mapped to. You add the address map to the list of address maps which are conﬁgured, creating a map list. The mappings in the map list are order-dependent and are compared in order from the top of the list to the bottom. If a par ticular resource is not available, subordinate mappings can be deﬁned that will redirect trafﬁc.

}

192.168.1.1

192.168.1.253

192.168.1.254

192.168.1.1 – 252

Web/FTP Server E-mail Server

LAN Users

1:1 Static 1:1 Static

1:1 Dynamic

1:Many PAT

1:1 Dynamic

Supported trafﬁc

MultiNat supports the following IP protocols:

■ PAT: TCP/UDP traf ﬁc which does not carry source or destination IP addresses or ports in the data stream

(i.e., HTTP, Telnet, ‘r’ commands, tftp, NFS, NTP, SMTP, NNTP, etc.).

■ Static NAT: All IP protocol trafﬁc which does not carr y or other wise rely on the source or destination IP

addresses in the data stream.

■ Dynamic NAT: All IP protocol trafﬁc which does not carr y or other wise rely on the source or destination IP

addresses in the data stream.

Support for Microsoft Network (MSN) Messenger

Netopia Firmware Version 5.4 provides support for MSN Messenger/Windows Messenger applications via UPnP (see UPnP Support on page 10-2). Normal plain chat always works.

Support for AOL Instant Messenger (AIM) File Transfer

Netopia Firmware Version 5.4 provides Application Level Gateway (ALG) support for AOL Instant Messenger (AIM) ﬁle transfer. This allows AIM users to exchange ﬁles, even when both users are behind NAT. Previously, the ﬁle transfer function would work only if one or neither of the two users were behind NAT.

3-6 Firmware User Guide

Currently there is a restriction that the remote user must be routed to via the WAN interface, otherwise the connections will fail. There is no restriction as to the number of connections.

There is no user conﬁguration required for this feature.

MultiNAT Conﬁguration

You conﬁgure the MultiNAT features through the console menu:

■ For a simple 1-to-many NAT conﬁguration (classic NAT or PAT), use the Easy Setup Proﬁle conﬁguration,

described below.

■ For the more advanced features, such as ser ver lists and dynamic NAT, follow the instructions in:

■ IP setup, described on page 3-7

■ IP proﬁle parameters, described on page 3-21

Easy Setup Proﬁle conﬁguration

The screen below is an example. Depending on the type of router you are using, ﬁelds displayed in this screen may vary.

Connection Profile 1: Easy Setup Profile

Connection Profile Name: Easy Setup Profile

Address Translation Enabled: Yes IP Addressing... Numbered

Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 255.255.255.0 Remote IP Address: 127.0.0.2 Remote IP Mask: 255.255.255.255

PPP Authentication... PAP Send User Name: tonyf Send Password: ********************

PREVIOUS SCREEN NEXT SCREEN

Return/Enter brings you to next screen.

The Local WAN IP Address is used to conﬁgure a NAT public address range consisting of the Local WAN IP Address and all its ports. The public address map list is named Easy-PAT List and the por t map list is named Easy-Servers.

The two map lists, Easy-PAT List and Easy-Servers, are created by default and NAT conﬁguration becomes effective.This will map all your private addresses (0.0.0.0 through 255.255.255.255) to your public address. These map lists are bound to the Easy Setup Proﬁle. See Binding Map Lists and Ser ver Lists on page 3-21.

This is all you need to do if you want to continue to use a single PAT, or 1-to-many, NAT conﬁguration.

Multiple Network Address Translation 3-7

Server Lists and Dynamic NAT conﬁguration

You use the advanced NAT feature sets by ﬁrst deﬁning a series of mapping rules and then grouping them into a list. There are two kinds of lists -- map lists, made up of dynamic, PAT and static mapping rules, and server lists, a list of internal ser vices to be presented to the external world. Creating these lists is a four-step process:

1. Deﬁne the public range of addresses that external computers should use to get to the NAT internal machines. These are the addresses that someone on the Internet would see.

2. Create a List name that will act as a rule or ser ver holder.

3. Create a map or rule that speciﬁes the internal range of NATed addresses and the external range they are to be associated with.

4. Associate the Map or Server List to your WAN interface via a Connection Proﬁle or the Default Proﬁle.

The three NAT features all operate completely independently of each other, although they can be used simultaneously on the same Connection Proﬁle.

You can conﬁgure a simple 1-to-many PAT (often referred to simply as NAT) mapping using Easy Setup. More complex setups require conﬁguration using the Network Address Translation item on the IP Setup screen.

An example MultiNAT conﬁguration at the end of this chapter describes some applications for these features. See the MultiNAT Conﬁguration Example on page 3-31.

In order to conﬁgure the router to make ser vers on your LAN visible to the Internet, you use advanced features in the System Conﬁguration screens, described in IP setup.

IP setup

To access the NAT conﬁguration screens, from the Main Menu navigate to IP Setup:

Main

Menu

System

Configuration

IP

Setup

3-8 Firmware User Guide

IP Setup

Ethernet IP Address: 192.168.1.1 Ethernet Subnet Mask: 255.255.255.0 Define Additional Subnets...

Default IP Gateway: 127.0.0.2

Primary Domain Name Server: 0.0.0.0 Secondary Domain Name Server: 0.0.0.0 Domain Name: isp.com

Receive RIP... Both Transmit RIP... Off

Static Routes... IP Address Serving... Network Address Translation (NAT)...

Set up the basic IP attributes of your Netopia in this screen.

Select Network Address Translation (NAT) and press Return.

The Network Address Translation screen appears.

Network Address Translation

Add Public Range... Show/Change Public Range... Delete Public Range...

Add Map List... Show/Change Map List... Delete Map List...

Add Server List... Show/Change Server List... Delete Server List...

NAT Associations...

Return/Enter to configure IP Address redirection.

Public Range deﬁnes an external address range and indicates what type of mapping to apply when using this range. The types of mapping available are dynamic, static and pat.

Map Lists deﬁne collections of mapping rules. A rule maps interior range addresses to exterior range addresses by the mapping techniques deﬁned in the map list.

Server Lists bind internal IP addresses and ports to external IP addresses and ports so that connections initiated from the outside can access an interior server.

Multiple Network Address Translation 3-9

NAT rules

The following rules apply to assigning NAT ranges and server lists:

■ Static public address ranges must not overlap other static, PAT, public addresses, or the public address

assigned to the router’s WAN interface.

■ A PAT public address must not overlap any static address ranges. It may be the same as another PAT

address or server list address, but the por t range must not overlap.

You conﬁgure the ranges of exterior addresses by ﬁrst adding public ranges.

Select Add Public Range and press Return.

The Add NAT Public Range screen appears.

Add NAT Public Range

Range Name: my_first_range

Type... pat

Public Address: 206.1.1.6

First Public Port: 49152

Last Public Port: 65535

ADD NAT PUBLIC RANGE CANCEL

■ Select Range Name and give a descriptive name to this range.

■ Select Type and from the pop-up menu, assign its type. Options are static, dynamic, or pat (the default).

■ If you choose pat as the range type, select Public Address and enter the exterior IP address in the

range you want to assign. Select First and Last Public Port and enter the ﬁrst and last exterior por ts in the range. These are the ports that will be used for trafﬁc initiated from the private LAN to the outside world.

Note: For PAT map lists and server lists, if you use the Public Address 0.0.0.0, the list will acquire its public IP address from the WAN IP address speciﬁed by your WAN IP conﬁguration in the Connection Proﬁle. If that is a static IP address, then the PAT map list and ser ver lists will acquire that address. If it is a negotiated IP address, such as may be assigned via DHCP or PPP, the PAT map list and server lists will acquire that address each time it is negotiated.

■ If you choose dynamic as the range type, a new menu item, First Public Address, becomes visible.

Select First Public Address and enter the ﬁrst exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range.

■ If you choose static as the range type, a new menu item, First Public Address, becomes visible.

3-10 Firmware User Guide

Select First Public Address and enter the ﬁrst exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range.

■ Select ADD NAT PUBLIC RANGE and press Return. The range will be added to your list and you will be

returned to the Network Address Translation screen.

Once the public ranges have been assigned, the next step is to bind interior addresses to them. Because these bindings occur in ordered lists, called map lists, you must ﬁrst deﬁne the list, then add mappings to it.

From the Network Address Translation screen select Add Map List and press Return.

The Add NAT Map List screen appears.

Add NAT Map List

Map List Name: my_map

Add Map...

■ Select Map List Name and enter a descriptive name for this map list. A new menu item, Add Map,

appears.

Multiple Network Address Translation 3-11

■ Select Add Map and press Return. The Add NAT Map screen appears.

Add NAT Map ("my_map")

First Private Address: 192.168.1.1

Last Private Address: 192.168.1.254

Use NAT Public Range...

ADD NAT MAP CANCEL

■ Select First and Last Private Address and enter the ﬁrst and last interior IP addresses you want to assign

to this mapping.

■ Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have

deﬁned.

Add NAT Map ("my_map") +-Public Address Range------------Type----Name-------------+ +----------------------------------------------------------+ | 0.0.0.0 -- pat Easy-PAT | | 206.1.1.6 -- pat my_first_range | | 206.1.1.1 206.1.1.2 static my_second_range | | <<NEW RANGE...>> | | | | | | | | | | | | | | | | | | | | | | | | | +----------------------------------------------------------+

Select

Up/Down Arrow Keys to select, ESC to cancel, Return/Enter to Delete.

■ From the list of public ranges you deﬁned, select the one that you want to map to the interior range for this

3-12 Firmware User Guide

mapping and press Return.

If none of your preconﬁgured ranges are suitable for this mapping, you can select <<NEW RANGE>> and create a new range. If you choose <<NEW RANGE>>, the Add NAT Public Range screen displays and you can create a new public range to be used by this map. See Add NAT Public Range on page 3-9.

■ The Add NAT Map screen now displays the range you have assigned.

Add NAT Map ("my_map")

First Private Address: 192.168.1.1

Last Private Address: 192.168.1.254

Use NAT Public Range... my_first_range

Public Range Type is: pat Public Range Start Address is: 206.1.1.6

ADD NAT MAP CANCEL

■ Select ADD NAT MAP and press Return. Your mapping is added to your map list.

Multiple Network Address Translation 3-13

Modifying map lists

You can make changes to an existing map list after you have created it. Since there may be more than one map list you must select which one you are modifying.

From the Network Address Translation screen select Show/Change Map List and press Return.

■ Select the map list you want to modify from the pop-up menu.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

The Show/Change NAT Map List screen appears.

Show/Change NAT Map List

Map List Name: my_map

Add Map...

Show/Change Maps...

Delete Map...

3-14 Firmware User Guide

■ Add Map allows you to add a new map to the map list.

■ Show/Change Maps allows you to modify the individual maps within the list.

■ Delete Map allows you to delete a map from the list.

Selecting Show/Change Maps or Delete Map displays the same pop-up menu.

Show/Change NAT Map List +---Private Address Range---------Type----Public Address Range------------+ +-------------------------------------------------------------------------+ | 192.168.1.1 192.168.1.254 pat 206.1.1.6 -- | | 192.168.1.253 192.168.1.254 static 206.1.1.1 206.1.1.2 | | 192.168.1.1 192.168.1.252 dynamic 206.1.1.3 206.1.1.5 | | | | | | | | | | | | | | | | | | | | | | | | | | | +-------------------------------------------------------------------------+

Scroll to the map you want to modify using the arrow keys and press Return.

The Change NAT Map screen appears.

Change NAT Map ("my_map")

First Private Address: 192.168.1.253

Last Private Address: 192.168.1.254

Use NAT Public Range... my_second_range

Public Range Type is: static Public Range Start Address is: 206.1.1.1 Public Range End Address is: 206.1.1.2

CHANGE NAT MAP CANCEL

Make any modiﬁcations you need and then select CHANGE NAT MAP and press Return. Your changes will become effective and you will be returned to the Show/Change NAT Map List screen.

Multiple Network Address Translation 3-15

Adding Server Lists

Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list.

Select Add Server List from the Network Address Translation screen.

The Add NAT Server List screen appears.

Add NAT Server List

Server List Name: my_servers

Add Server...

■ Select Server List Name and type in a descriptive name. A new menu item, Add Server, appears.

3-16 Firmware User Guide

■ Select Add Server and press Return. The Add NAT Server screen appears.

Add NAT Server ("my_servers")

Service...

Server Private IP Address: 192.168.1.45

Public IP Address: 206.1.1.1

ADD NAT SERVER CANCEL

■ Select Service and press Return. A pop-up menu appears listing a selection of commonly exported

services.

ADD NAT SERVER CANCEL

■ Choose the service you want to export and press Return.

You can choose a preconﬁgured service from the list, or deﬁne your own by selecting Other. If you select Other, a screen is displayed that allows you to enter the port number range for your customized ser vice.

Other Exported Port

First Port Number (1..65535): 31337

Last Port Number (1..65535): 31337

OK CANCEL

Multiple Network Address Translation 3-17

■ Enter the First and Last Port Number between por ts 1 and 65535. Select OK and press Return. You

will be returned to the Add NAT Server screen.

■ Enter the Server Private IP Address of the ser ver whose ser vice you are exporting.

Since MultiNAT permits the mapping of multiple private IP addresses to multiple public IP addresses, your ISP or corporate site’s router must be conﬁgured such that it knows that your multiple public addresses are accessible via your router.

If you want to use static mappings to map internal ser vers to public addresses, your ISP or corporate site's router must also be conﬁgured for static routes to these public addresses on the Netopia Router.

■ Enter the Public IP Address to which you are expor ting the ser vice.

Note: For PAT map lists and server lists, if you use the Public Address 0.0.0.0, the list will acquire its public IP address from the WAN IP address speciﬁed by your WAN IP conﬁguration in the Connection Proﬁle. If that is a static IP address, then the PAT map list and ser ver lists will acquire that address. If it is a negotiated IP address, such as may be assigned via DHCP or PPP, the PAT map list and server lists will acquire that address each time it is negotiated.

■ Select ADD NAT SERVER and press Return. The server will be added to your server list and you will be

returned to the Add NAT Server List screen.

Note: In order to use CUSeeMe through the Netopia Router, you must export the ports 7648 and 7649. In

MultiNat, you may use a port range export. Without the export, CUSeeMe will fail to work. This is true unless a static mapping is in place for the host using CUSeeMe. In that case no server list entry is necessary.

3-18 Firmware User Guide

Modifying server lists

Once a server list exists, you can select it for modiﬁcation or deletion.

■ Select Show/Change Server List from the Network Address Translation screen.

■ Select the Server List Name you want to modify from the pop-up menu and press Return.

Network Address Translation +-NAT Server List Name-+ +----------------------+ A| my_servers | S| |.. D| | | | A| | S| | D| | | | A| | S| |. D| | | | | | | | | | | | +----------------------+

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

The Show/Change NAT Server List screen appears.

Show/Change NAT Server List

Server List Name: my_servers

Add Server...

Show/Change Server...

Delete Server...

Multiple Network Address Translation 3-19

■ Selecting Show/Change Server or Delete Server displays the same pop-up menu.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

Select any server from the list and press Return. The Change NAT Server screen appears.

Change NAT Server ("My Exports")

Service... smtp

Server Private IP Address: 192.168.1.254

Public IP Address: 206.1.1.1

CHANGE NAT SERVER CANCEL

You can make changes to the server’s ser vice and por t or internal or external address.

Select CHANGE NAT SERVER and press Return. Your changes take effect and you are returned to the Show/Change NAT Server List screen.

3-20 Firmware User Guide

Deleting a server

To delete a server from the list, select Delete Server from the Show/Change NAT Server List menu and press Return.

A pop-up menu lists your conﬁgured servers. Select the one you want to delete and press Return. A dialog box asks you to conﬁrm your choice.

Show/Change NAT Server List +-Internal Address-External Address--Port------------+ +----------------------------------------------------+ Se| 192.168.1.254 206.1.1.6 smtp | | 19+----------------------------------------------+ | | 19+----------------------------------------------+ | Ad| | Are you sure you want to delete this Server? | | | | | | Sh| | CANCEL CONTINUE | | | | | | De| | | | | +----------------------------------------------+ | | | | | | | | | | | | | | | +----------------------------------------------------+

Choose CONTINUE and press Return. The ser ver is deleted from the list.

Multiple Network Address Translation 3-21

Binding Map Lists and Server Lists

Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a proﬁle, either a Connection Proﬁle or the Default Proﬁle. You do this in one of the following screens:

■ the IP proﬁle parameters screen (see below) of the Connection Proﬁle conﬁguration menu

■ the IP Parameters (WAN Default Proﬁle) screen (see page 3-23) of the Default Proﬁle conﬁguration menu

■ the Binding Map Lists and Server Lists screen (see page 3-21)

IP proﬁle parameters

To bind a map list to a Connection Proﬁle, from the Main Menu go to the WAN Conﬁguration screen then the Display/Change Connection Proﬁle screen. From the pop-up menu list of your Connection Proﬁles, choose the one you want to bind your map list to. Select IP Proﬁle Parameters and press Return.

Main

Menu

WAN

Configuration

The IP Proﬁle Parameters screen appears.

IP Profile Parameters

Address Translation Enabled: Yes IP Addressing... Unnumbered

NAT Map List... Easy-PAT List NAT Server List... Easy-Servers

Local WAN IP Address: 206.1.1.6 Local WAN IP Mask: 0.0.0.0 Remote IP Address: 127.0.0.2 Remote IP Mask: 255.255.255.255

Filter Set... Basic Firewall Remove Filter Set

RIP Profile Options...

Display/Change

Connection Profile

IP Profile

Parameters

Configure IP requirements for a remote network connection here.

3-22 Firmware User Guide

■ Select NAT Map List and press Return. A pop-up menu displays a list of your deﬁned map lists.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

■ Select the map list you want to bind to this Connection Proﬁle and press Return. The map list you selected

will now be bound to this Connection Proﬁle.

■ Select NAT Server List and press Return. A pop-up menu displays a list of your deﬁned ser ver lists.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

■ Select the server list you want to bind to this Connection Proﬁle and press Return. The ser ver list you

selected will now be bound to this Connection Proﬁle.

Note: There is no interdependency between NAT and IP Addressing. Also, the Local WAN IP Address and Mask ﬁelds’ visibility are dependent only on the IP Addressing type.

Multiple Network Address Translation 3-23

IP Parameters (WAN Default Proﬁle)

The Netopia Firmware Version 5.4 using RFC 1483 supports a WAN default proﬁle that permits several parameters to be conﬁgured without an explicitly conﬁgured Connection Proﬁle.

The procedure is similar to the procedure to bind map lists and server lists to a Connection Proﬁle.

From the Main Menu go to the WAN Conﬁguration screen, then the Default Proﬁle screen. Select IP Parameters and press Return.

Main

Menu

WAN

Configuration

The IP Parameters (Default Proﬁle) screen appears.

IP Parameters (Default Profile)

Address Translation Enabled: Yes

NAT Map List... Easy-PAT List NAT Server List... Easy-Servers

Filter Set (Firewall)... Remove Filter Set

Receive RIP: Both

WAN Default

Profile

IP Parameters

Return/Enter to select <among/between> ...

■ Toggle Address Translation Enabled to Yes.

3-24 Firmware User Guide

■ Select NAT Map List and press Return. A pop-up menu displays a list of your deﬁned map lists.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

■ Select the map list you want to bind to the default proﬁle and press Return. The map list you selected will

now be bound to the default proﬁle.

■ Select NAT Server List and press Return. A pop-up menu displays a list of your deﬁned ser ver lists.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

■ Select the server list you want to bind to the default proﬁle and press Return. The ser ver list you selected

will now be bound to the default proﬁle.

Note: There is no interdependency between NAT and IP Addressing. Also, the Local WAN IP Address and

Mask ﬁelds’ visibility are dependent only on the IP Addressing type.

Multiple Network Address Translation 3-25

NAT Associations

Conﬁguration of map and server lists alone is not sufﬁcient to enable NAT for a WAN connection because map and server lists must be linked to a proﬁle that controls the WAN interface. This can be a Connection Proﬁle, a WAN Ethernet interface, a default proﬁle, or a default answer proﬁle. Once you have conﬁgured your map and server lists, you may want to reassign them to different interface-controlling proﬁles, for example, Connection Proﬁles. To permit easy access to this IP Setup functionality, you can use the NAT Associations screen.

You access the NAT Associations screen from the Network Address Translation screen.

Main

Menu

System

Configuration

IP

Setup

Network Address

Select NAT Associations and press Return. The NAT Associations screen appears.

NAT Associations

Profile/Interface Name-------------Nat?-Map List Name-----Server List Name Default Answer Profile On my_first_map my_servers Easy Setup Profile On Easy-PAT my_servers Profile 01 On my_second_map my_servers Profile 02 On my_first_map my_server_list Profile 03 On <<None>> <<None>>

Translation

■ You can toggle NAT? On or Off for each Proﬁle/Interface name. You do this by navigating to the NAT? ﬁeld

associated with each proﬁle using the arrow keys. Toggle NAT on or off by using the Tab key.

■ You can reassign any of your map lists or server lists to any of the Proﬁle/Interfaces. You do this by

navigating to the Map List Name or Server List Name ﬁeld associated with each proﬁle using the arrow

3-26 Firmware User Guide

keys. Select the item by pressing Return to display a pop-up menu of all of your conﬁgured lists.

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

■ Select the list name you want to assign and press Return again. Your selection will then be associated with

the corresponding proﬁle or interface.

Multiple Network Address Translation 3-27

IP Passthrough

Netopia Firmware Version 5.4 offers an IP passthrough feature. The IP passthrough feature allows for a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Using IP passthrough:

■ The public WAN IP is used to provide IP address translation for private LAN computers.

■ The public WAN IP is assigned and reused on a LAN computer.

■ DHCP address serving can automatically serve the WAN IP address to a LAN computer.

When DHCP is used for addressing the designated passthrough PC, the acquired or conﬁgured WAN address is passed to DHCP, which will dynamically conﬁgure a single-servable-address subnet, and reser ve the address for the conﬁgured MAC address. This dynamic subnet conﬁguration is based on the local and remote WAN address and subnet mask. If the WAN interface does not have a suitable subnet mask that is usable, for example when using PPP or PPPoE, the DHCP subnet conﬁguration will default to a class C subnet mask.

Globally, only one dynamically-conﬁgured DHCP subnet is available. If you conﬁgure multiple Connection Proﬁles to use IP Passthrough's DHCP option, when any of these proﬁles is established, the dynamic DHCP conﬁguration will be overwritten.

In the case of an Ethernet WAN router the IP passthrough conﬁguration is located in the WAN Ethernet Conﬁguration menu. For all other routers, it is located in the Connection Proﬁles' IP Proﬁle Parameters.

The WAN Ethernet Conﬁguration screen, found under the WAN Conﬁguration menu, WAN Setup screen, appears as shown.

WAN Ethernet Configuration

Address Translation Enabled: Yes Local WAN IP Address: 0.0.0.0

NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: No

Filter Set... Remove Filter Set Enable PPP over Ethernet: Off WAN Ethernet Speed Setting... Auto-Negotiation Wan Ethernet MAC Address: 00:fc:de:fa:dd:02

DHCP Client Mode: Standards-Based

RIP Options...

Set up the basic IP attributes of your Ethernet Module in this screen.

3-28 Firmware User Guide

The IP Proﬁle Parameters screen, found under the WAN Conﬁguration menu, Add/Change Connection Proﬁle screen, appears as shown.

IP Profile Parameters

Address Translation Enabled: Yes IP Addressing... Numbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: No

Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0

Filter Set... Remove Filter Set

RIP Profile Options...

Toggle to Yes if this is a single IP address ISP account. Configure IP requirements for a remote network connection here.

If you select NAT Options, in either case, the NAT Options screen appears.

NAT Options

IP Passthrough Enabled: No

Toggle ON to allow local WAN IP address to be used on LAN in addition to NAT.

If you toggle IP Passthrough Enabled to Ye s , additional ﬁeld(s) appear.

Multiple Network Address Translation 3-29

NAT Options

IP Passthrough Enabled: Yes IP Passthrough DHCP Enabled: Yes IP Passthrough DHCP MAC address: 00-00-00-00-00-00

Enter MAC addr. of IP passthrough host, or zeroes for first come first serve.

Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address ﬁeld. This is an editable ﬁeld in which you can enter the MAC (hardware) address of the designated PC be used as the DHCP Client Identiﬁer for dynamic address reser vation. The MAC address must be six colon-delimited or dash-delimited sets of hex digits ('0' – 'FF').

First Come First Serve Mode

Netopia Firmware Version 5.4 IP Passthrough allows a ﬁrst come ﬁrst serve mode.

NAT Options defaults to an all-zeroes MAC address.

If you leave the default all-zeroes MAC address, the Router will select the next DHCP client that initiates a DHCP lease request or renewal to be the IP passthrough host. When the WAN comes up, or if it is already up, the Router will serve this client the IP passthrough/WAN address. When this client's lease ends, the IP passthrough address becomes available for the next client to initiate a DHCP transaction. The next client will get the IP passthrough address. Note that there is no way to control which PC has the IP passthrough address without releasing all other DHCP leases on the LAN.

Note: If you specify a non-zeroes MAC address, the DHCP Client Identiﬁer must be in the format speciﬁed

above. Macintosh computers allow the DHCP Client Identiﬁer to be entered as a name or text, however Netopia routers accept only strict (binary/hex) MAC address format. Macintosh computers display their strict MAC addresses in the TCP/IP Control Panel (Classic MacOS) or the Network Preference Pane of System Preferences (Mac OS X).

Once conﬁgured, the passthrough host's DHCP leases will be shor tened to two minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the WAN connection is established. After the WAN connection is established and has an address, the passthrough host can renew its DHCP address binding to acquire the WAN IP address.

3-30 Firmware User Guide

A restriction

Since both the router and the passthrough host will use same IP address, new sessions that conﬂict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer’s ofﬁce. In this case, the ﬁrst one to start the IPSec trafﬁc will be allowed; the second one – since, from the WAN it's indistinguishable – will fail.

Multiple Network Address Translation 3-31

MultiNAT Conﬁguration Example

To help you understand a typical MultiNAT conﬁguration, this section describes an example of the type of conﬁguration you may want to implement on your site. The values shown are for example purposes only. Make

your own appropriate substitutions.

A typical DSL service from an ISP might include ﬁve user addresses. Without PAT, you might be able to attach only ﬁve IP hosts. Using simple 1-to-many PAT you can connect more than ﬁve devices, but use only one of your addresses. Using multiNAT you can make full use of the address range. The example assumes the following range of addresses offered by a typical ISP:

Local WAN IP address: 206.1.1.6

Local WAN subnet mask: 255.255.255.248

Remote IP address: 206.1.1.254

Default gateway: 206.1.1.254

Public IP addresses assigned by the ISP are 206.1.1.1 through 206.1.1.6 (255.255.255.248 subnet mask).

Your internal devices have IP addresses of 192.168.1.1 through 192.168.1.254 (255.255.255.0 subnet mask).

Netopia Router's address is: 192.168.1.1

Web server's address is: 192.168.1.253

Mail server's address is: 192.168.1.254

FTP server's address is: 192.168.1.253

In this example you will statically map the ﬁrst ﬁve public IP addresses (206.1.1.1 - 206.1.1.5) to the ﬁrst ﬁve corresponding private IP addresses (192.168.1.1 - 192.168.1.5). You will use these 1-to-1 mapped addresses to give your servers “real” addresses. You will then map 206.1.1.6 to the remaining private IP addresses (192.168.1.6 - 192.168.1.254) using PAT.

The conﬁguration process is as follows:

From the Main Menu go to the Easy Setup and then the Connection Proﬁle screen.

Main

Menu

Easy

Setup

Connection

Profile

3-32 Firmware User Guide

Enter your ISP-supplied values as shown below.

Connection Profile 1: Easy Setup Profile

Connection Profile Name: Easy Setup Profile

Address Translation Enabled: Yes IP Addressing... Numbered

Local WAN IP Address: 206.1.1.6 Local WAN IP Mask: 255.255.255.248

PREVIOUS SCREEN NEXT SCREEN

Enter a subnet mask in decimal and dot form (xxx.xxx.xxx.xxx). Enter basic information about your WAN connection with this screen.

Select NEXT SCREEN and press Return.

Your IP values are shown here.

IP Easy Setup

Ethernet IP Address: 192.168.1.1 Ethernet Subnet Mask: 255.255.255.0

Domain Name: ISP.net Primary Domain Name Server: 173.166.101.1 Secondary Domain Name Server: 173.166.102.1

Default IP Gateway: 206.1.1.254 IP Address Serving: On

Number of Client IP Addresses: 20 1st Client Address: 192.168.1.2

PREVIOUS SCREEN NEXT SCREEN

Set up the basic IP attributes of your Netopia in this screen.

Then navigate to the Network Address Translation (NAT) screen.

Main

Menu

System

Configuration

IP

Setup

Network Address Translation (NAT)

Multiple Network Address Translation 3-33

Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by using Easy Setup, you would have to deﬁne a public range and map list. For the purpose of this example you can just alter this range and list.)

Change NAT Public Range

Range Name: Easy-PAT Range

Type... pat

Public Address: 206.1.1.6

First Public Port: 49152

Last Public Port: 65535

CHANGE NAT PUBLIC RANGE CANCEL

Select CHANGE NAT PUBLIC RANGE and press Return. This returns you to the Network Address Translation screen.

Select Add Public Range and press Return. Type a name for this static range, as shown below. Enter the ﬁrst and last public addresses your ISP assigned in their respective ﬁelds as shown. The ﬁrst ﬁve public IP addresses (206.1.1.1 - 206.1.1.5, in this example) are statically mapped to the ﬁrst ﬁve corresponding private IP addresses (192.168.1.1 - 192.168.1.5).

Add NAT Public Range

Range Name: Static Range

Type... static

First Public Address: 206.1.1.1

Last Public Address: 206.1.1.5

ADD NAT PUBLIC RANGE CANCEL

Return/Enter to commit changes.

3-34 Firmware User Guide

Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen.

Next, select Show/Change Map List and choose Easy-PAT List. Select Add Map. The Add NAT Map screen appears. (Now the name Easy-PAT List is a misnomer since it has a static map included in its list.) Enter in

192.168.1.1 for the First Private Address and 192.168.1.5 for the Last Private Address.

Add NAT Map ("Easy-PAT List")

First Private Address: 192.168.1.1

Last Private Address: 192.168.1.5

Use NAT Public Range...

ADD NAT MAP CANCEL

Select Use NAT Public Range and from the pop-up menu choose Static Range. Select ADD NAT MAP and press Return.

This will statically map the ﬁrst ﬁve public IP addresses to the ﬁrst ﬁve corresponding private IP addresses and will map 206.1.1.6 to the remaining private IP addresses using PAT.

Notes on the example

The Easy-Map List and the Easy-PAT List are attached to any new Connection Proﬁle by default. If you want to use this NAT conﬁguration on a previously deﬁned Connection Proﬁle then you need to bind the Map List to the proﬁle. You do this through either the NAT Associations screen or the proﬁle’s conﬁguration screens.

The PAT part of this example setup will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate trafﬁc ﬂow to the outside world (for example, the Internet). No one on the Internet would be able to initiate a conversation with them.

The Static mapping part of this example will allow any of the machines in the range of addresses from

192.168.1.1 through 192.168.1.5 to communicate with the outside world as if they were at the addresses

206.1.1.1 through 206.1.1.5, respectively. It also allows any machine on the Internet to access any service

(port) on any of these ﬁve machines.

You may decide this poses a security risk. You may decide that anyone can have complete access to your FTP server, but not to your router, and only limited access to the desired services (ports) on the Web and Mail servers.

Netopia 4000 Software Manual

Specifications and Main Features

Frequently Asked Questions

User Manual