Netopia R910 User Manual

Netopia™ R910 Ethernet Router for DSL and Cable Modems
User’s Reference Guide
Copyright
©2000, Netopia, Inc., v.0800 All rights reserved. Printed in the U.S.A.
This manual and any associated artwork, software, and product designs are copyrighted with all rights reserved. Under the copyright laws such materials may not be copied, in whole or part, without the prior written consent of Netopia, Inc. Under the law, copying includes translation to another language or format.
Netopia, Inc. 2470 Mariner Square Loop Alameda, CA 94501-1010 U.S.A.
Part Number
For additional copies of this electronic manual, order Netopia part number 6161087-PF-01
Printed Copies
For printed copies of this manual, order Netopia part number TER910/Doc (P/N 6161087-00-01)
Contents
Chapter 1 — Introduction.......................................................... 1-9
Overview ........................................................................ 1-9
Features and capabilities ................................................1-9
How to use this guide ...................................................1-10
Chapter 2 — Setting Up Internet Services ...............................2-11
Deciding on an ISP account ........................................... 2-11
DSL and cable modems....................................... 2-11
Obtaining information from the ISP.................................2-11
Local LAN IP address information to obtain ........... 2-12
Chapter 3 — Making the Physical Connections........................ 3-13
Find a location..............................................................3-13
What you need .............................................................3-14
Identify the connectors and attach the cables .................3-14
Netopia R910 Ethernet Router back panel ports ............. 3-15
Netopia R910 Ethernet Router status lights....................3-16
Chapter 4 — Connecting to Your Local Area Network ............... 4-17
Overview ...................................................................... 4-17
Network Model.................................................... 4-17
Readying computers on your local network...................... 4-18
Connecting to an Ethernet network................................. 4-20
10Base-T............................................................ 4-20
Chapter 5 — Configuring TCP/IP............................................. 5-23
Hardware and operating system requirements ................ 5-23
Configuring TCP/IP on Windows 95 or 98 .......................5-24
Configuring TCP/IP on a Macintosh Computer ................. 5-26
Chapter 6 — Console-Based Management ................................. 6-31
Connecting through a Telnet session.............................. 6-32
Configuring Telnet software ..................................6-33
Connecting a console cable to your router ......................6-33
Navigating through the console screens .........................6-34
Chapter 7 — Easy Setup .........................................................7-35
Easy Setup console screens.......................................... 7-35
Accessing the Easy Setup console screens ........... 7-35
Quick Easy Setup connection path .................................7-37
If your ISP supports DHCP ...................................7-37
If your ISP doesn’t support DHCP .........................7-37
More Easy Setup options .............................................. 7-39
WAN Ethernet Configuration ................................. 7-39
IP Easy Setup .....................................................7-40
Easy Setup Security Configuration ........................7-41
Chapter 8 — WAN and System Configuration ........................... 8-43
WAN configuration......................................................... 8-43
System configuration screens ........................................8-44
Navigating through the system configuration screens....... 8-45
System configuration features .............................. 8-46
IP setup..............................................................8-47
Filter sets (firewalls) ............................................ 8-47
IP address serving ..............................................8-47
Date and time.....................................................8-47
Console configuration .......................................... 8-48
SNMP (Simple Network Management Protocol) ...... 8-48
Security.............................................................. 8-48
Upgrade feature set ............................................8-48
Logging ..............................................................8-49
Installing the Syslog client ...................................8-50
Chapter 9 — IP Setup and Network Address Translation ..........9-51
Network Address Translation features ............................ 9-51
Using Network Address Translation ................................ 9-53
Associating port numbers with nodes ................... 9-55
Network Address Translation guideline.................. 9-55
IP setup ....................................................................... 9-56
IP subnets .......................................................... 9-60
Static routes.......................................................9-62
IP address serving ........................................................ 9-66
IP Address Pools ................................................. 9-68
DHCP NetBIOS Options........................................ 9-70
Chapter 10 — Virtual Private Networks (VPN) .......................10-73
Overview .................................................................... 10-73
About PPTP Tunnels ....................................................10-76
PPTP configuration.............................................10-76
Encryption Support ..................................................... 10-79
About IPsec Tunnels....................................................10-80
Configuration ....................................................10-80
IP Profile Parameters ......................................... 10-83
Advanced IP Profile Options................................ 10-84
VPN Default Answer Profile .......................................... 10-85
VPN QuickView ...........................................................10-86
Dial-Up Networking for VPN .......................................... 10-88
Installing Dial-Up Networking .............................. 10-88
Creating a new Dial-Up Networking profile ...........10-89
Configuring a Dial-Up Networking profile .............. 10-90
Installing the VPN Client .............................................. 10-92
Windows 95 VPN installation.............................. 10-92
Windows 98 VPN installation.............................. 10-92
Connecting using Dial-Up Networking .................. 10-93
About ATMP Tunnels.................................................... 10-94
ATMP configuration............................................ 10-94
Allowing VPNs through a Firewall .................................. 10-98
PPTP example ................................................... 10-99
ATMP example ................................................ 10-102
Chapter 11 — PPP over Ethernet ........................................11-105
PPP Ethernet LAN Reconfiguration .............................. 11-107
Configuration ..................................................11-107
Quick View...................................................... 11-108
Chapter 12 — Monitoring Tools ...........................................12-109
Quick View status overview .......................................12-109
General status ................................................ 12-110
Status lights ...................................................12-110
Statistics & Logs ...................................................... 12-111
General Statistics ...........................................12-111
Event histories .........................................................12-112
Routing tables ..........................................................12-114
Served IP Addresses................................................. 12-116
System Information................................................... 12-117
SNMP ...................................................................... 12-118
The SNMP Setup screen .................................. 12-118
SNMP traps .................................................... 12-119
Chapter 13 — Security .......................................................13-123
Suggested security measures .................................... 13-123
User accounts .......................................................... 13-123
Telnet access ........................................................... 13-125
About filters and filter sets ........................................13-126
What’s a filter and what’s a filter set?...............13-126
How filter sets work.........................................13-126
How individual filters work................................ 13-128
Design guidelines............................................ 13-132
Working with IP filters and filter sets........................... 13-133
Adding a filter set ............................................ 13-134
Viewing filter sets............................................13-138
Modifying filter sets ......................................... 13-139
Deleting a filter set.......................................... 13-139
A sample IP filter set ....................................... 13-139
Firewall tutorial ......................................................... 13-143
General firewall terms ..................................... 13-143
Basic IP packet components ............................13-143
Basic protocol types ........................................ 13-143
Firewall design rules........................................13-144
Filter basics.................................................... 13-146
Example filters ................................................13-147
RADIUS Client Support.............................................. 13-151
RADIUS client configuration.............................. 13-151
Chapter 14 — Utilities and Diagnostics ...............................14-155
Ping ......................................................................... 14-156
Trace Route.............................................................. 14-158
Telnet client.............................................................. 14-159
Disconnect Telnet console session ............................ 14-160
Factory defaults........................................................ 14-160
Transferring configuration and firmware files with TFTP .................................................................14-160
Updating firmware ........................................... 14-161
Downloading configuration files ........................14-162
Uploading configuration files ............................14-163
Transferring configuration and firmware files with XMODEM........................................................... 14-163
Updating firmware ........................................... 14-164
Downloading configuration files ........................14-165
Uploading configuration files ............................14-165
Restarting the system...............................................14-166
Appendix A — Troubleshooting..............................................A-167
Configuration problems ...............................................A-167
Console connection problems ............................ A-168
Network problems ............................................. A-168
How to reset the router to factory defaults ................... A-169
Power outages............................................................ A-169
Technical support ....................................................... A-170
How to reach us................................................ A-170
Appendix B — Understanding IP Addressing ..........................B-173
What is IP?................................................................. B-173
About IP addressing .................................................... B-173
Subnets and subnet masks ...............................B-174
Example: Using subnets on a Class C IP internet ........................................................B-175
Example: Working with a Class C subnet.............B-177
Distributing IP addresses ............................................B-177
Technical note on subnet masking ...................... B-178
Configuration ....................................................B-179
Manually distributing IP addresses .....................B-180
Using address serving ....................................... B-180
Tips and rules for distributing IP addresses.........B-180
Nested IP subnets ...................................................... B-182
Broadcasts................................................................. B-185
Packet header types..........................................B-185
Appendix C — Understanding Netopia NAT Behavior...............C-187
Network configuration..................................................C-187
Background ................................................................ C-187
Exported services ............................................. C-191
Important notes ................................................ C-192
Configuration .............................................................. C-193
Summary ................................................................... C-194
Appendix D — Binary Conversion Table..................................D-195
Appendix E — Further Reading .............................................. E-197
Appendix F — Technical Specifications and Safety Information ........................................................................... F-201
Description................................................................. F-201
Power requirements .......................................... F-201
Environment ..................................................... F-201
Software and protocols...................................... F-201
Agency approvals........................................................ F-201
Regulatory notices ............................................ F-202
Important safety instructions ............................. F-203
Index
Chapter 1
Introduction

Overview

The Netopia R910 Ethernet Router is a stand-alone, multiprotocol broadband router for connecting diverse local area networks (LANs) to the Internet and other remote networks. Combining the Netopia R910 with a cable or DSL modem provides businesses with a low-cost connection to the Internet while retaining the power of a router. Once your Netopia R910 Ethernet Router is connected to your LAN and an Internet connection device such as a cable or a DSL modem, and your account is activated by your network service provider, you will have a high-speed connection between your LAN and the telephone company’s network of high-speed digital facilities.
This section covers the following topics:
“Features and capabilities” on page 1-9
“How to use this guide” on page 1-10

Features and capabilities

The Netopia R910 Ethernet Router provides the following features:
Always-on connection eliminates dialing and provides lower, more predictable transmission costs.
Interconnects with cable modems or DSL modems or bridges that have an Ethernet port.
Connectivity to support Ethernet LANs via built-in 4-port 10Base-T hub.
Support for Network Address Translation (NAT) and MultiNAT, allowing all computers and IP hosts on the LAN to appear as one or more IP addresses to the ISP on the WAN link.
Support for DHCP, allowing automatic assignment of IP addresses on the LAN or WAN and simplifying configuration and management.
Support for VPN client and server, supporting remote VPN clients as well as providing a single connection for all or select VPN clients on the LAN. Supports PPTP-based VPN for interoperability with Windows Dial-Up Networking and IPSec for secure public key encryption.
Status lights (LEDs) for easy monitoring and troubleshooting.
Support for IP routing for Internet and intranet connectivity.
Support for console-based management over Telnet or serial cable connection.
Support for remote configuration by your reseller, your network administrator, or technicians at Netopia, Inc., via IP network.
Wall-mountable, bookshelf (side-stackable), or desktop-stackable design for effective space usage.

How to use this guide

This guide is designed to be your single source for information about your Netopia R910 Ethernet Router. It is intended to be viewed on-line, using the powerful features of the Adobe Acrobat Reader. The information display has been deliberately designed to present the maximum information in the minimum space on your screen. You can keep this document open while you perform any of the procedures described, and find useful information about the procedure you are performing.
If you prefer to work from hard copy rather than on-line documentation, you can also print out all of the manual, or individual sections. The pages are formatted to print on standard 8 1/2 by 11 inch paper. We recommend that you print on three-hole punched paper, so you can put the pages in a binder for future reference. For your convenience, a printed copy can be purchased from Netopia. Order part number TER910/Doc.
This guide is organized into chapters describing the Netopia R910’s advanced features. You may want to read each chapter’s introductory section to familiarize yourself with the various features available.
Use the guide’s table of contents and index to locate informational topics.
Chapter 2
Setting Up Internet Services
This chapter describes how to obtain and set up Internet services.
This section covers the following topics:
“Deciding on an ISP account” on page 2-11
“Obtaining information from the ISP” on page 2-11

Deciding on an ISP account

Your ISP may offer various Internet access account plans. Typically, these plans vary by usage charges and the number of host IP addresses supplied. Evaluate your networking needs and discuss them with your ISP before deciding on a plan for your network.

DSL and cable modems

Many ISPs offer economical service plans that connect to the DSL or cable network using a DSL or cable modem. Unlike V.90 or V.32 analog modems, which typically were installed directly into your computer or were connected serially, DSL and cable modems typically connect over Ethernet. With Ethernet, your ISP can offer you a service connecting one or more computers. Using NAT and MultiNAT features, you can configure your Netopia router to give all computers, printers, and other IP hosts access to the Internet using one or a limited number of IP addresses. This means that you have more flexibility in selecting ISP account types. The most affordable single IP account may be sufficient for your needs. With the router configured for NAT all users on the LAN have access to the Internet, yet you’re using just the one IP address assigned by your ISP.
The Netopia router offers another benefit to DSL and cable modem users. Because a DSL or cable modem connects your computers directly to the Internet with a static IP address, you are more vulnerable to hackers or would-be intruders. The Netopia R910 Ethernet Router is installed between the DSL or cable modem and the computer, printer, and other IP hosts on the LAN, and provides a firewall to deflect hackers and intruders.

Obtaining information from the ISP

After your account is set up, the ISP should send you the IP parameter information that will help you configure the Netopia R910.

Local LAN IP address information to obtain

Your ISP will need to provide you with the following information:
The default gateway IP address
Remote IP address
Local IP address or addresses and subnet mask
Note: In a single IP address service, your ISP will refer to your computer’s IP address. However, when your connection is configured with a router, this becomes the router’s WAN IP address.
Primary and secondary domain name server (DNS) IP addresses
Domain name (usually the same as the ISP’s domain name unless you have registered for your own individual domain name)
Note: The default gateway, WAN address and mask, DNS, and domain name are all obtainable via WAN DHCP, if your ISP supports it.
With Network Address Translation
If you are using NAT, you should obtain the following:
If you are connecting to a remote site using Network Address Translation on your router, your provider will not define the IP address information on your local LAN. You can define this information based on an IP configuration that may already be in place for the existing network. Alternatively, you can use the default IP address range used by the router, where 192.168.1.1 is the default IP address of the router.
Without Network Address Translation
If you are not using Network Address Translation, you will need to obtain all of the local LAN IP address information from your ISP and you will need to pay for an IP address for each device on the network.
If you are not using NAT, you should obtain:
The Ethernet IP address for your Netopia R910
The Ethernet IP subnet mask for your Netopia R910
An IP address for each device on your network, in the same network range as the Netopia R910.
Chapter 3
Making the Physical Connections
This section tells you how to make the physical connections to your Netopia R910 Ethernet Router. This section covers the following topics:
“Find a location” on page 3-13
“What you need” on page 3-14
“Identify the connectors and attach the cables” on page 3-14
“Netopia R910 Ethernet Router back panel ports” on page 3-15
“Netopia R910 Ethernet Router status lights” on page 3-16

Find a location

When choosing a location for the Netopia Router, consider:
Available space and ease of installation
Physical layout of the building and how to best use the physical space available for connecting your Netopia Router to the LAN
Available wiring and jacks
Distance from the point of installation to the next device (length of cable or wall wiring)
Ease of access to the front of the unit for configuration and monitoring
Ease of access to the back of the unit for checking and changing cables
Cable length and network size limitations when expanding networks
For small networks, install the Netopia R910 near one of the LANs. For large networks, you can install the Netopia R910 in a wiring closet or a central network administration site. In most cases the router will be near the cable or DSL modem which is near the cable or DSL wall outlet. You could pull a line from the wall outlet to a wiring closet if you store the modem and router there.

What you need

Locate all items that you need for the installation.
Included in your router package are:
The Netopia R910 Ethernet Router
A power adapter and cord with a mini-DIN8 connector
Two RJ-45 cables (one for the Ethernet port on your PC; one for the Line port on the router)
A DB-9 console cable
A cross-over cable
The Netopia CD containing an Internet browser, Adobe Acrobat Reader for Windows and Macintosh, ZTerm terminal emulator software and NCSA Telnet for Macintosh, and documentation
You will need:
A Windows 95, 98, 2000, or NT–based PC or a Macintosh computer with Ethernet connectivity for configuring the Netopia R910. This may be built-in Ethernet or an add-on card, with TCP/IP installed and configured. See “Hardware and operating system requirements” on page 5-23.
An Internet modem such as a cable modem or DSL bridge connected to the appropriate wall outlet for your Internet service source. Your Internet connection device must have a 10Base-T Ethernet port for connecting it to the router’s Line port.

Identify the connectors and attach the cables

Identify the connectors and switches on the back panel and attach the necessary Netopia Router cables.
The figure below displays the back of the Netopia R910 Ethernet Router.
[Figure: Netopia R910 Ethernet Router back panel, showing the Line 1 port, 4 port Ethernet hub, Console port, and Power port]
1. Connect the mini-DIN8 connector from the power adapter to the power port, and plug the other end into an electrical outlet.
2. Connect one end of one of the RJ-45 cables to the Line 1 port and the other end to your Internet modem’s Ethernet port. DO NOT CONNECT IT DIRECTLY TO A TELCO LINE OUTLET.
3. Connect one end of one of the RJ-45 cables to any of the Ethernet hub ports on the router, and the other end to the Ethernet port of your PC.
If you are connecting the router to an existing Ethernet hub, use a cross-over cable.
You should now have: the power adapter plugged in; the Ethernet cable connected between the router and your computer; and the Line cable connected between the router and your Internet modem.

Netopia R910 Ethernet Router back panel ports

The following table describes all the Netopia R910 Ethernet Router back panel ports.
Port                 Description
Power port           A mini-DIN8 power adapter cable connection.
Line port            The dedicated Ethernet port for your connection to your Internet connection device’s Ethernet port.
Console port         A DB-9 console port for a direct serial connection to the console screens. You can use this if you are an experienced user. See “Connecting a console cable to your router” on page 6-33.
4-port Ethernet hub  Four Ethernet jacks. You will use one of these to configure the Netopia R910.
For a new installation, use the Ethernet connection. Alternatively, you can use the console connection to run console-based management using a direct serial connection. You can either connect your computer directly to any of the Ethernet ports on the router, or connect both your computer and the router to an existing Ethernet hub on your LAN.

Netopia R910 Ethernet Router status lights

The figure below represents the Netopia R910 status light (LED) panel.
[Figure: Netopia R910 LED front panel. LEDs are numbered 1, 8, 9, 10, 12, 13, 14, 15, 16, and 17; panel labels: Link/Receive, Power, Ready, Channel 1, Management, WAN Ethernet, Traffic, Collision]
The following table summarizes the meaning of the various LED states and colors:
When this happens...                                            the LEDs...
Power is on                                                     1 is green.
Data is transmitted or received                                 8 flashes orange.
The WAN interface is operational                                9 is green.
The WAN interface is inactive                                   9 is off.
The WAN interface detects a failure after line activation       9 flashes red.
Calls are setting up                                            10 flashes green.
Data calls connect                                              10 is green.
The line is carrying data traffic                               10 flashes orange.
The Ethernet port is connected to the LAN                       14, 15, 16, and 17 are green.
There is activity on the respective Ethernet ports              14, 15, 16, and 17 flash green.
Note: The Channel 2 LED and the unlabeled LEDs are not used.
Chapter 4
Connecting to Your Local Area Network
This chapter describes how to physically connect the Netopia R910 to your local area network (LAN). Before you proceed, make sure the Netopia R910 is properly configured. You can customize the router’s configuration for your particular LAN requirements using console-based management (see “Console-Based Management” on page 6-31).
This section covers the following topics:
“Overview” on page 4-17
“Readying computers on your local network” on page 4-18
“Connecting to an Ethernet network” on page 4-20

Overview

You can connect the Netopia R910 to an IP network that uses Ethernet.

Network Model

The following diagrams illustrate network models for typical deployments of the Netopia R910 Ethernet Router as an Internet access device.
Before
With a DSL or cable modem, you can connect a single computer to the Internet.
[Figure: using a DSL modem]
[Figure: using a cable modem]
After
Using the Netopia R910 Ethernet Router, you can connect multiple computers to the Internet with a single user account.
[Figure: using a DSL modem with a Netopia R910]
[Figure: using a cable modem with a Netopia R910]
While this network model is typical, other network models are possible. For example, you may choose to attach the Ethernet WAN port to an external Ethernet hub connected to a number of workstations.

Readying computers on your local network

PC and Macintosh computers must have certain components installed before they can communicate through the Netopia R910. The following illustration shows the minimal requirements for a typical PC or Macintosh computer.
[Figure: Your PC or Macintosh computer: Application software, TCP/IP stack, Ethernet/EtherTalk Driver; To the Netopia R910]
Application software: This is the software you use to send e-mail, browse the World Wide Web, read newsgroups, etc. These applications may require some configuration. Examples include the Eudora e-mail client and the Web browsers Microsoft Internet Explorer and Netscape Navigator.
TCP/IP stack: This is the software that lets your PC or Macintosh communicate using Internet protocols. TCP/IP stacks must be configured with some of the same information you used to configure the Netopia R910. There are a number of TCP/IP stacks available for PC computers. Windows 95 includes a built-in TCP/IP stack. See “Configuring TCP/IP on Windows 95 or 98” on page 5-24. Macintosh computers use either MacTCP or Open Transport. See “Configuring TCP/IP on a Macintosh Computer” on page 5-26.
Ethernet: Ethernet hardware and software drivers enable your PC or Macintosh computer to communicate on the LAN.
EtherTalk: This is an AppleTalk protocol used over Ethernet.
Once the Netopia R910 is properly configured and connected to your LAN, PC and Macintosh computers that have their required components in place will be able to connect to the Internet or other remote IP networks.

Connecting to an Ethernet network

The Netopia R910 supports Ethernet connections through its four Ethernet ports. The router automatically detects which Ethernet port is in use.
You can connect 10Base-T networks to the Netopia R910. The following table displays some important attributes of these connections.
Attribute                                                       10Base-T
Max. length of backbone, branch, or end to end (cable length)   330 feet (100 meters)
Cable type                                                      Twisted pair (10Base-T)
Netopia R910 port used                                          Ethernet
Other restrictions                                              No daisy chain

10Base-T

You can connect a standard 10Base-T Ethernet network to the Netopia R910 using any of its available Ethernet ports.
[Figure: Netopia R910 Ethernet Router back panel, showing the Line 1 port, 4 port Ethernet hub, Console port, and Power port]
[Figure: The Netopia R910 in a 10Base-T network]
To connect your 10Base-T network to the Netopia R910 through an Ethernet port, use a 10Base-T cable with RJ-45 connectors.
If you have more than four devices to connect, you can attach additional devices using a 10Base-T hub, using a cross-over cable.
[Figure: The Netopia R910 in a 10Base-T network with a hub]
Chapter 5
Configuring TCP/IP
Be sure the computer you use to configure your Netopia R910 has TCP/IP software and hardware properly configured to work with a router and the network service provider you will be using. Typically, this means that you will have your computer set up to accept a dynamically assigned IP address from the router, although other options are possible. This chapter is a general guide to configuring TCP/IP connectivity for your PC or Macintosh. Consult your computer’s documentation for more detail.
This section covers the following topics:
“Hardware and operating system requirements” on page 5-23
“Configuring TCP/IP on Windows 95 or 98” on page 5-24
“Configuring TCP/IP on a Macintosh Computer” on page 5-26
If after following the instructions in this section you are having difficulties configuring the router, see Appendix A, “Troubleshooting.”

Hardware and operating system requirements

Before you can configure your router, make sure your computer meets the following requirements:
System software
  PC: Windows 95, 98, or NT operating system
  Macintosh: MacOS 7.5 or later (minimum system version: 7.5)
Connectivity software
  PC: TCP/IP must be installed and properly configured. See “Configuring TCP/IP on Windows 95 or 98” on page 5-24.
  Macintosh: MacTCP or Open Transport TCP/IP must be installed and properly configured. See “Configuring TCP/IP on a Macintosh Computer” on page 5-26.
Connectivity hardware
  PC: Ethernet card (10Base-T)
  Macintosh: Either built-in Ethernet or a third-party Ethernet card (10Base-T)
Configuring TCP/IP on Windows 95 or 98
Be sure TCP/IP is installed and configured on your Windows computer. The following is a quick guide to configuring TCP/IP for Windows machines. Configuring TCP/IP in a Windows machine requires the following:
An Ethernet card (also known as a network adapter)
The TCP/IP protocol must be “bound” to the adapter or card
Dynamic configuration (recommended)
The easiest configuration method is to accept the dynamic IP address assigned by your router. Dynamic Host Configuration Protocol (DHCP), which enables dynamic addressing, is enabled by default on the router.
1. Go to Start Menu/Settings/Control Panels and double click the Network icon. From the Network components list, select the Configuration tab.
2. Select TCP/IP-->Your Network Card. Then select Properties. In the TCP/IP Properties screen (shown at right), select the IP Address tab. Click “Obtain an IP Address automatically.”
3. Click OK in this window, and the next window. When prompted, reboot the computer.
Static configuration (optional)
If you are manually configuring from a fixed or static IP address, perform the following:
1. Go to Start Menu/Settings/Control Panels and double click the Network icon. From the Network components list, select the Configuration tab.
2. Select TCP/IP-->Your Network Card. Then select Properties. In the TCP/IP Properties screen (shown at right), select the IP Address tab. Click “Specify an IP Address.” Enter the following:
IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Your ISP or network administrator may ask you to use a different IP address and subnet mask.
3. Click on the Gateway tab (shown at right). Under New gateway, enter 192.168.1.1. Click Add. This is the address that is assigned to the Netopia R910.
4. Click on the DNS Configuration tab. Click “Enable DNS.” Enter the following information:
Host: Type the name you want to give to this computer.
Domain: Type your domain name. If you don't have a domain name, type your ISP's domain name; for example, netopia.com.
DNS Server Search Order: Type the primary DNS IP address given to you by your ISP. Click Add. Repeat this process for the secondary DNS.
Domain Suffix Search Order: Enter the same domain name you entered above.
5. Click OK in this window, and the next window. When prompted, reboot the computer.
Note: More details about Windows 95 TCP/IP configuration (including dial-up) can be found in Technote NIR_027, “Windows 95 TCP/IP Properties and the Netopia Router,” located on the Netopia Web site.
Configuring TCP/IP on a Macintosh Computer
The following is a quick guide to configuring TCP/IP for MacOS computers. Configuring TCP/IP on a Macintosh computer requires the following:
You must have either Open Transport or MacTCP installed.
Note: If you want to use the Dynamic Host Configuration Protocol (DHCP) server built into your Netopia R910 to assign IP addresses to your Macintoshes, you must be running Open Transport. You can have your Netopia R910 dynamically assign IP addresses using MacTCP; however, to do so requires that the optional AppleTalk kit be installed and this can only be done after the router is configured.
You must have built-in Ethernet or a third-party Ethernet card and its associated drivers installed in your Macintosh.
Dynamic configuration (recommended)
The easiest configuration method is to accept the dynamic IP address assigned by your router. DHCP, which enables dynamic addressing, is enabled by default on the router.
1. Go to the Apple Menu. Select Control Panels and then TCP/IP.
2. With the TCP/IP window open, go to the Edit menu and select User Mode. Choose Basic and click OK.
3. In the TCP/IP window, select “Connect via: Ethernet” and “Configure: Using DHCP Server.”
Static configuration (optional)
If you are manually configuring from a fixed or static IP address, then perform the following:
1. Go to the Apple menu. Select Control Panels and then TCP/IP or MacTCP.
2. With the TCP/IP window open, go to the Edit menu and select User Mode. Choose Advanced and click OK. In the MacTCP window, select Ethernet and click the More button.
3. In the TCP/IP window or in the MacTCP/More window, select or type information into the fields as shown in the table at right.
4. Close the TCP/IP or MacTCP control panel and save the settings.
5. If you are using MacTCP, you must restart the computer. If you are using Open Transport, you do not need to restart.
These are the only fields you need to modify in this screen.
Option: Select/Type:
Connect via: Ethernet
Configure: Manually
IP Address: 192.168.1.2
Subnet mask: 255.255.255.0
Router address: 192.168.1.1
Name server address: Enter the primary and secondary name server addresses given to you by your ISP
Implicit Search Path: Starting domain name: Enter your domain name; if you do not have a domain name, enter the domain name of your ISP
Dynamic configuration using MacIP (optional)
If you want to use MacIP to dynamically assign IP addresses to the Macintosh computers on your network you must install the optional AppleTalk feature set kit.
Note: You cannot use MacIP dynamic configuration to configure your Netopia R910 Ethernet to Ethernet Router because you must first configure the router in order to enable AppleTalk.
Once the AppleTalk kit is installed, you can configure your Macintoshes for MacIP. To configure dynamically using MacIP, perform the following:
Using Open Transport TCP/IP
1. Go to the Apple menu. Select Control Panels and then TCP/IP.
2. With the TCP/IP window open, go to the Edit menu and select User Mode. Choose Advanced and click OK.
3. In the TCP/IP window, select or type information into the fields as shown in the following table.
TCP/IP Option: Select/Type:
Connect via: AppleTalk (MacIP)
Configure: Using MacIP server
MacIP Server zone: (select available zone)
Name server address: Enter the primary and secondary name server addresses given to you by your ISP
Implicit Search Path: Starting domain name: Enter your domain name; if you do not have a domain name, enter the domain name of your ISP
4. Close the TCP/IP control panel and save the settings.
These are the only fields you need to modify in these screens.
Using Classic Networking (MacTCP)
1. Go to the Apple Menu. Select Control Panels and then Network.
2. In the Network window, select EtherTalk.
3. Go back to the Apple menu. Select Control Panels and then MacTCP.
4. Select EtherTalk.
From the pull-down menu under EtherTalk, select an available zone; then click the More button.
In the MacTCP/More window select the Server radio button. If necessary, fill in the Domain Name Server Information given to you by your administrator.
5. Restart the computer.
These are the only fields you need to modify in these screens.
Note: More information about configuring your Macintosh computer for TCP/IP connectivity through a Netopia R910 can be found in Technote NIR_026, “Open Transport and Netopia Routers,” located on the Netopia Web site.
Chapter 6
Console-Based Management
Console-based management is a menu-driven interface for the capabilities built in to the Netopia R910. Console-based management provides access to a wide variety of features that the router supports. You can customize these features for your individual setup. This chapter describes how to access the console-based management screens.
This section covers the following topics:
“Connecting through a Telnet session” on page 6-32
“Connecting a console cable to your router” on page 6-33
“Navigating through the console screens” on page 6-34
Console-based management screens contain seven entry points to the Netopia Router configuration and monitoring features. The entry points are displayed in the Main Menu shown below:
Netopia R910 v4.8
Easy Setup...
WAN Configuration...
System Configuration...
Utilities & Diagnostics...
Statistics & Logs...
Quick Menus...
Quick View...
You always start from this main screen.
The Easy Setup menus display and permit changing the values contained in the default WAN and IP configuration. Experienced users can use Easy Setup to initially configure the router directly through a console session.
Easy Setup menus contain up to five descendant screens for viewing or altering these values. The number of screens depends on whether you have optional features installed.
The WAN Configuration menu displays and permits changing your WAN and IP configuration(s) and default profile, and configuring or reconfiguring the manner in which you may be using the router to connect to more than one service provider or remote site.
The System Configuration menus display and permit changing:
Network protocols setup. See Chapter 9, “IP Setup and Network Address Translation.”
Filter sets (firewalls). See “About filters and filter sets” on page 13-126.
IP address serving. See “IP address serving” on page 9-66.
Date and time. See “Date and time” on page 8-47.
Console configuration. See “Connecting a console cable to your router” on page 6-33.
SNMP (Simple Network Management Protocol). See “SNMP” on page 12-118.
Security. See Chapter 13, “Security.”
Upgrade feature set. See “Upgrade feature set” on page 8-48.
The Utilities & Diagnostics menus provide a selection of seven tools for monitoring and diagnosing the router's behavior, as well as for updating the firmware and rebooting the system. See Chapter 14, “Utilities and Diagnostics,” for detailed information.
The Statistics & Logs menus display a selection of tables and device logs that show information about your router, your network and their history. See Chapter 12, “Monitoring Tools,” for detailed information.
The Quick Menus screen is a shortcut entry point to a wide variety of the most commonly used configuration menus that are accessed through the other menu entry points.
The Quick View menu displays at a glance current real-time operating information about your router. See “Quick View status overview” on page 12-109 for detailed information.

Connecting through a Telnet session

Features of the Netopia R910 can be configured through the console screens.
Before you can access the console screens through Telnet, you must have:
A network connection locally to the router or IP access to the router.
Note: Alternatively, you can have a direct serial console cable connection using the provided console cable for your platform (PC or Macintosh) and the Console port on the back of the router. For more information on attaching the console cable, see “Connecting a console cable to your router” on page 6-33.
Telnet software installed on the computer you will use to configure the router
Configuring Telnet software
If you are configuring your router using a Telnet session, your computer must be running a Telnet software program.
If you connect a PC with Microsoft Windows, you can use a Windows Telnet application or simply run Telnet from the Start menu.
If you connect a Macintosh computer, you can use the NCSA Telnet program supplied on the Netopia R910 CD. You install NCSA Telnet by simply dragging the application from the CD to your hard disk.

Connecting a console cable to your router

You can perform all of the system configuration activities for your Netopia R910 through a local serial console connection using terminal emulation software, such as HyperTerminal provided with Windows 95 on the PC, or ZTerm, included on the Netopia CD, for Macintosh computers.
The Netopia R910 back panel has a connector labeled “Console” for attaching the Router to either a PC or Macintosh computer via the serial port on the computer. (On a Macintosh computer, the serial port is called the Modem port or Printer port.) This connection lets you use the computer to configure and monitor the Netopia R910 via the console screens.
[Figure: Netopia R910 back panel showing the Console connection port, DB-9 (male)]
To connect the Netopia R910 to your computer for serial console communication, use the supplied console cable.
If you connect a PC with Microsoft Windows 95 or NT, you can use the HyperTerminal application bundled with the operating system.
If you connect a Macintosh computer, you can use the ZTerm terminal emulation program on the supplied CustomerCare CD.
Launch your terminal emulation software and configure the communications software for the values shown in the table below. These are the default communication parameters that the Netopia R910 uses.
Parameter        Suggested Value
Terminal type    PC: ANSI-BBS
                 Mac: ANSI, VT-100, or VT-200
Data bits        8
Parity           None
Stop bits        1
Speed            Options are: 9600, 19200, or 38400 bits per second
Flow Control     None
Note: The router firmware contains an autobaud detection feature. If you are at any screen on the serial console, you can change your baud rate and press Return (HyperTerminal for the PC requires a disconnect). The new baud rate is displayed at the bottom of the screen.

Navigating through the console screens

Use your keyboard to navigate the Netopia R910’s configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the console screens.
To...                                                       Use These Keys...
Move through selectable items in a screen or pop-up menu    Up, Down, Left, and Right Arrow
To set a change to a selected item or open a pop-up menu    Return or Enter
  of options for a selected item like entering an
  upgrade key
Change a toggle value (Yes/No, On/Off)                      Tab
Restore an entry or toggle value to its previous value      Esc
Move one item up                                            Up arrow or Control + o
Move one item down                                          Down arrow or Control + k
Display a dump of the device event log                      Control + e
Display a dump of the WAN event log                         Control + f
Refresh the screen                                          Control + L
Go to topmost selectable item                               <
Go to bottom right selectable item                          >
Chapter 7
Easy Setup
This chapter describes how to use the Easy Setup console screens on your Netopia R910 Ethernet Router. After completing the Easy Setup console screens, your router will be ready to connect to the Internet or another remote site.
This chapter covers the following topics:
“Easy Setup console screens” on page 7-35
“Quick Easy Setup connection path” on page 7-37
“More Easy Setup options” on page 7-39

Easy Setup console screens

Using three Easy Setup console screens, you can:
Define your Wide Area Network (WAN) connection for your router to connect to your ISP or remote location
Set up IP addresses and IP address serving
Password–protect configuration access to your Netopia R910 Ethernet Router

Accessing the Easy Setup console screens

To access the console screens, Telnet to the Netopia Router over your Ethernet network, or physically connect with a serial console cable and access the Netopia Router with a terminal emulation program. See “Connecting through a Telnet session” on page 6-32 or “Connecting a console cable to your router” on page 6-33.
Note: Before continuing, make sure you have the information that your telephone service provider, ISP, or network administrator has given you for configuring the Netopia Router.
The Netopia Router’s first console screen, Main Menu, appears in the terminal emulation window of the attached PC or Macintosh computer when
The Netopia Router is turned on
The computer is connected to the Netopia Router
The Telnet or terminal emulation software is running and configured correctly
A screen similar to the following Main Menu appears:
Netopia R910 v4.8
Easy Setup...
WAN Configuration...
System Configuration...
Utilities & Diagnostics...
Statistics & Logs...
Quick Menus...
Quick View...
Your Baud Rate has been changed to 38400
You always start from this main screen.
If you do not see the Main Menu, verify that:
The computer used to view the console screen has its serial port connected to the Netopia R910’s Console port or an Ethernet connection to one of its Ethernet ports. See “Connecting a console cable to your router” on page 6-33 or “Connecting through a Telnet session” on page 6-32.
The Telnet or terminal emulation software is configured for the recommended values.
If you are connecting via the Console port, your computer’s serial port is not being used by another device, such as an internal modem, or an application. Turn off all other programs (other than your terminal emulation program) that may be interfering with your access to the port.
You have entered the correct password, if necessary. Your Netopia R910’s console access may be password protected from a previous configuration. See your system administrator to obtain the password.
See Appendix A, “Troubleshooting,” for more suggestions.

Quick Easy Setup connection path

This section may be all you need to do to configure your Netopia R910 Ethernet Router to connect to the Internet.

If your ISP supports DHCP

Your Netopia R910 Ethernet Router comes preconfigured with the ability to accept an IP address dynamically assigned by your ISP. To do this, it acts as a Dynamic Host Configuration Protocol client to your ISP's DHCP server. This means that each time you power the Router on when it is connected to the Internet connection line, it configures itself with IP address settings without any input on your part. If your ISP supports this method, skip these instructions and go to Chapter 4, “Connecting to Your Local Area Network.” You don’t need to do anything else. This is the true Plug-and-Play solution.

If your ISP doesn’t support DHCP

Some ISPs may not be running a DHCP server. In this case, they may simply assign your router a Static IP Address and will supply you with several values for you to enter into the Router. The ISP will provide the values shown below:
Local WAN IP Address
Local WAN IP Mask
Default IP Gateway
Domain Name
Primary Domain Name Server
Secondary Domain Name Server
(You can record these values; print this page and use the spaces above.)
If your ISP assigns your Router a Static IP address, do the following:
1. From the computer connected to your router, as described in the section “Identify the connectors and attach the cables” on page 3-14, open a Telnet session to 192.168.1.1 to bring up the Main Menu.
If you don't know how to do this, see “Connecting through a Telnet session” on page 6-32.
Alternatively, you can connect the console cable and open a direct serial console connection, using a terminal emulator program. See “Connecting through a Telnet session” on page 6-32.
The Main Menu appears.
Netopia R910 v4.8
Easy Setup...
WAN Configuration...
System Configuration...
Utilities & Diagnostics...
Statistics & Logs...
Quick Menus...
Quick View...
Your Baud Rate has been changed to 38400
You always start from this main screen.
2. Select the first item on the Main Menu list, Easy Setup. Press Return to bring up the Easy Setup menu screen.
3. Press the Down arrow key until the editable field labelled Local WAN IP Address is highlighted.
4. Type the IP Address your ISP gave you. Press Return. The next field Local WAN IP Mask will appear.
5. Type the Subnet Mask your ISP gave you. Press Return.
6. Press the Down arrow key until you reach NEXT SCREEN. Press Return to bring up the next screen.
7. Press the Down arrow key until the editable field labelled Domain Name is highlighted.
8. Type the Domain Name your ISP gave you. Press Return. The next field Primary Domain Name Server will be highlighted.
9. Type the Primary Domain Name Server address your ISP gave you. Press Return. A new field Secondary Domain Name Server will appear. If your ISP gave you a secondary domain name server address, enter it here. Press Return until the next field Default IP Gateway is highlighted.
10. Enter the Default IP Gateway address your ISP gave you. Press Return.
11. Press the Down arrow key until you reach NEXT SCREEN. Press Return.
12. Do this again, through the next two screens until you reach RESTART DEVICE. When RESTART DEVICE is highlighted, press Return. When prompted, select CONTINUE, and press Return.
The router will restart and your configuration settings will be activated. You can then Exit or Quit your Telnet application.
For more Easy Setup options see “More Easy Setup options” on page 7-39.

More Easy Setup options

You always begin Easy Setup by selecting Easy Setup in the Main Menu, then pressing Return.
The WAN Ethernet Configuration screen appears.

WAN Ethernet Configuration

PPOE: Yes
Address Translation Enabled: Yes
Local WAN IP Address: 0.0.0.0
TO MAIN MENU    NEXT SCREEN
Set up the basic IP attributes of your Ethernet Module in this screen.
WAN Ethernet Configuration
The WAN Ethernet Configuration screen is where you configure the parameters that control the Netopia R910’s connection to a specific remote destination, usually your ISP or a corporate site.
1. To enable address translation, toggle Address Translation Enabled to Yes (the default). For more information on Network Address Translation, see Chapter 9, “IP Setup and Network Address Translation.”
Address Translation Enabled allows you to specify whether or not the router performs Network Address Translation (NAT) on the Ethernet WAN port. NAT is enabled by default.
2. To manually configure an IP address for use on the Ethernet WAN port, select Local WAN IP Address and enter the IP address you want to use.
Otherwise, accept the default value 0.0.0.0. With the default, the Netopia R910 Ethernet Router acts as a DHCP client on the Ethernet WAN port and attempts to acquire its IP address and subnet mask from a DHCP server.
3. A new field Local WAN IP Mask (not shown) becomes visible only if you have configured a non-zero Ethernet IP address. If you have configured a non-zero Ethernet IP address, enter an appropriate subnet mask.
4. Select NEXT SCREEN and press Return. The IP Easy Setup screen appears.

IP Easy Setup

The IP Easy Setup screen is where you enter information about your Netopia Router’s:
Ethernet IP address
Ethernet Subnet mask
Domain Name
Domain Name Server IP address
Default gateway IP address
Whether to serve IP addresses or not
Consult with your network administrator to obtain the information you will need. For more information about setting up IP, see “IP Setup and Network Address Translation” on page 9-51.
IP Easy Setup
Ethernet IP Address: 192.168.1.1
Ethernet Subnet Mask: 255.255.255.0
Domain Name:
Primary Domain Name Server: 173.166.4.10
Secondary Domain Name Server: 0.0.0.0
Default IP Gateway: 173.166.1.1
IP Address Serving: On
Number of Client IP Addresses: 100
1st Client IP Address: 192.168.1.100
PREVIOUS SCREEN    NEXT SCREEN
Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Set up the basic IP attributes of your Netopia in this screen.
1. Select Ethernet IP Address and enter the first IP address from the IP address range your ISP has given you. This will be the Netopia Router’s IP address.
If Network Address Translation is enabled in Easy Setup, the Ethernet IP Address defaults to an address within a range reserved by the Internet address administration authority for use within private networks, 192.168.1.1.
Because this is a private network address, it should never be directly connected to the Internet. Using NAT for all your WAN and IP configurations will ensure this restriction. See “IP Setup and Network Address Translation” on page 9-51 of this guide for more information.
2. Select Ethernet Subnet Mask and enter the subnet mask your ISP has given you. The Ethernet Subnet Mask defaults to a standard class mask derived from the class of the Ethernet IP address you entered in the previous step.
3. Select Domain Name and enter the domain name your ISP has given you.
Note: If the Netopia R910’s WAN interface is acting as a DHCP client, do not change the default settings for Steps 3, 4, and 5.
4. Select Primary Domain Name Server and enter the IP address your ISP has given you. An alternate or Secondary Domain Name Server field will appear, where you can enter a secondary DNS IP address if your ISP has given you one.
5. If you do not enter a Default IP Gateway value, the router defaults to the remote IP address you entered in Easy Setup. If the Netopia Router does not recognize the destination of any IP traffic, it forwards that traffic to this gateway.
Do not confuse the remote IP address and the Default IP Gateway’s address with the block of local IP addresses you receive from your ISP. You use the local IP addresses for the Netopia R910’s Ethernet port and for IP clients on your local network. The remote IP address and the default gateway’s IP address should point to your ISP’s router.
6. Toggle IP Address Serving to On or Off.
7. Select NEXT SCREEN and press Return. The Easy Setup Security Configuration screen appears.
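The address rules from the static-configuration steps for Windows and Macintosh earlier on this page and from the IP Easy Setup steps above can be checked together before the values are typed into the router. The following is an added example, not Netopia code: the dictionary keys, the `audit` function and the rule that a static Default IP Gateway must lie on the WAN subnet are assumptions made for this example, and BAD_CONFIG is constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_mask(addr):
    """Default mask implied by the address class: A /8, B /16, C /24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr} is class D/E and has no default mask")


def audit(cfg):
    """Return a list of problems found in a dict of Easy Setup values."""
    problems = []
    # Like the router, fall back to the class mask when none is entered.
    mask = cfg.get("ethernet_mask") or classful_mask(cfg["ethernet_ip"])
    lan = ipaddress.IPv4Interface(f"{cfg['ethernet_ip']}/{mask}")
    net = lan.network
    reserved = (net.network_address, net.broadcast_address)

    if lan.ip in reserved:
        problems.append("Ethernet IP Address is the network or broadcast address")

    # A private (RFC 1918) LAN address must sit behind address translation.
    if any(lan.ip in n for n in RFC1918) and not cfg["nat_enabled"]:
        problems.append("private Ethernet IP Address with Address Translation off")

    # 0.0.0.0 means the WAN port is a DHCP client; a static WAN address
    # needs its own mask and a gateway reachable on that subnet.
    if cfg["wan_ip"] != "0.0.0.0":
        if not cfg.get("wan_mask"):
            problems.append("static Local WAN IP Address without a Local WAN IP Mask")
        else:
            wan = ipaddress.IPv4Interface(f"{cfg['wan_ip']}/{cfg['wan_mask']}")
            if ipaddress.IPv4Address(cfg["default_gateway"]) not in wan.network:
                problems.append("Default IP Gateway is not on the WAN subnet")

    # Served range = 1st client address .. 1st client address + count - 1.
    pool = range(0)
    if cfg["address_serving"] and cfg["client_count"] > 0:
        start = int(ipaddress.IPv4Address(cfg["first_client_ip"]))
        pool = range(start, start + cfg["client_count"])
        usable = range(int(net.network_address) + 1, int(net.broadcast_address))
        if pool[0] not in usable or pool[-1] not in usable:
            problems.append("served range does not fit inside the Ethernet subnet")
        if int(lan.ip) in pool:
            problems.append("served range includes the router's own address")

    for host in cfg.get("static_hosts", []):
        ip = ipaddress.IPv4Address(host)
        if ip not in net or ip in reserved:
            problems.append(f"static host {host} is not usable on the Ethernet subnet")
        elif ip == lan.ip:
            problems.append(f"static host {host} duplicates the router's address")
        elif int(ip) in pool:
            problems.append(f"static host {host} collides with the served range")
    return problems


# Values shown on this page's sample screens and static-configuration steps.
PAGE_CONFIG = {
    "nat_enabled": True, "wan_ip": "0.0.0.0",
    "ethernet_ip": "192.168.1.1", "ethernet_mask": "255.255.255.0",
    "default_gateway": "173.166.1.1",
    "address_serving": True, "client_count": 100,
    "first_client_ip": "192.168.1.100",
    "static_hosts": ["192.168.1.2"],
}

# Constructed variant: the range starts too high and a static host sits in it.
BAD_CONFIG = dict(PAGE_CONFIG, first_client_ip="192.168.1.200",
                  static_hosts=["192.168.1.210"])

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("constructed", BAD_CONFIG)):
        print(name, audit(cfg) or "no problems")
```

The page's own values pass because the served range 192.168.1.100 through 192.168.1.199 leaves 192.168.1.2 free for a manually configured computer.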
Easy Setup Security Configuration
The Easy Setup Security Configuration screen lets you password-protect your Netopia R910. Input your Write Access Name and Write Access Password with names or numbers totaling up to eleven digits.
If you password protect the console screens, you will be prompted to enter the name and password you have specified every time you log in to the console screens. Do not forget your name and password. If you do, you will be unable to access any of the configuration screens.
Additional security features are available. See Chapter 13, “Security.”

Easy Setup Security Configuration

It is strongly suggested that you password-protect configuration access to your Netopia. By entering a Name and Password pair here, access via serial, Telnet, SNMP and Web Server will be password-protected.
Be sure to remember what you have typed here, because you will be prompted for it each time you configure this Netopia.
You can remove an existing Name and Password by clearing both fields below.
Write Access Name:
Write Access Password:
PREVIOUS SCREEN TO MAIN MENU RESTART DEVICE
Configure a Configuration Access Name and Password here.
The final step in configuring the Easy Setup console screens is to restart the Netopia R910, so that the configuration settings take effect.
1. Select RESTART DEVICE. A prompt asks you to confirm your choice.
2. Select CONTINUE to restart the Netopia Router and have your selections take effect.
Note: You can also restart the system at any time by using the Restart System utility (see “Restarting the system” on page 14-166) or by turning the Netopia Router off and on with the power switch.
Easy Setup is now complete.
Chapter 8
WAN and System Configuration
Console-based management is a menu-driven interface for the capabilities built in to the Netopia R910. Console-based management provides access to a wide variety of features that the router supports. You can customize these features for your individual setup. This chapter describes how to access the console-based management screens.
This section covers the following topics:
“WAN configuration” on page 8-43
“System configuration screens” on page 8-44
“Navigating through the system configuration screens” on page 8-45
“System configuration features” on page 8-46
WAN configuration
To configure your Wide Area Network (WAN) connection, navigate to the WAN Configuration screen from the Main Menu and select WAN Configuration, then WAN Ethernet Configuration.
[Path guide: Main Menu > WAN Configuration > WAN Ethernet Configuration]
The WAN Ethernet Configuration screen appears.
WAN Ethernet Configuration
Address Translation Enabled: Yes
Local WAN IP Address: 0.0.0.0
NAT Map List... Easy-PAT List
NAT Server List... Easy-Servers
Filter Set...
Remove Filter Set
Receive RIP: Both
Enable PPP over Ethernet: On
Wan Ethernet MAC Address: 00:00:c5:70:03:4a
Address Translation Enabled allows you to specify whether or not the router performs Network Address Translation (NAT) on the Ethernet WAN port. NAT is enabled by default.
Local WAN IP Address allows you to manually configure an IP address for use on the Ethernet WAN port. The value 0.0.0.0 indicates that the device will act as a DHCP client on the Ethernet WAN port and attempt to acquire an address from a DHCP server. By default, the router acts as a DHCP client on the Ethernet WAN port.
Local WAN IP Mask allows you to manually configure an IP subnet mask for use on the Ethernet WAN port. This item is visible only if you have configured a non-zero Ethernet IP Address; otherwise, the router obtains a subnet mask via DHCP.
The Filter Set pop-up allows you to associate an IP filter set with the Ethernet WAN port. See “About filters and filter sets” on page 13-126.
Remove Filter Set allows you to remove a previously associated filter set.
The Receive RIP pop-up controls the reception and transmission of Routing Information Protocol (RIP) packets on the Ethernet WAN port. The default is Both. The Transmit RIP pop-up is hidden if NAT is enabled.
Routing Information Protocol (RIP) is needed if there are IP routers on other segments of your Ethernet network that the Netopia R910 needs to recognize. When set to “Both” (the default), the Netopia R910 will accept information from either RIP v1 or v2 routers. Alternatively, select Receive RIP and select v1 or v2 from the popup menu. With Receive RIP set to “v1,” the Netopia R910’s Ethernet port will accept routing information provided by RIP packets from other routers that use the same subnet mask. Set to “v2,” the Netopia R910 will accept routing information provided by RIP packets from other routers that use different subnet masks.
If you want the Netopia R910 to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2 (broadcast), or v2 (multicast) from the popup menu. With Transmit RIP v1 selected, the Netopia R910 will generate RIP packets only to other RIP v1 routers. With Transmit RIP v2 (broadcast) selected, the Netopia R910 will generate RIP packets to all other hosts on the network. With Transmit RIP v2 (multicast) selected, the Netopia R910 will generate RIP packets only to other routers capable of recognizing RIP v2 packets.
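The subnet-mask difference between RIP v1 and v2 described above comes from the packet layout: a v2 route entry carries a mask, while in v1 the same four bytes are always zero and the receiver has to supply a mask itself. The following is an added example, not Netopia firmware code: it uses a simplified receiver that applies the receiving port's own mask to v1 entries, and the advertised route, the port mask and all function names are constructed for illustration.

```python
import ipaddress
import struct

HEADER = struct.Struct("!BBH")     # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")   # family, tag, address, mask, next hop, metric


def build_response(version, routes):
    """Encode a RIP response. routes: list of (network, mask, metric)."""
    packet = HEADER.pack(2, version, 0)
    for network, mask, metric in routes:
        # RIP v1 has no mask field: those four bytes are sent as zero.
        mask_field = int(ipaddress.IPv4Address(mask)) if version == 2 else 0
        packet += ENTRY.pack(2, 0, int(ipaddress.IPv4Address(network)),
                             mask_field, 0, metric)
    return packet


def prefix_length(mask):
    """Prefix length of a contiguous 32-bit mask; ValueError otherwise."""
    inverted = ~mask & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError("non-contiguous subnet mask")
    return 32 - inverted.bit_length()


def learned_routes(packet, interface_mask):
    """Routes a receiver would record, as (network/prefix, metric) pairs.

    interface_mask is the mask configured on the receiving port; it is
    only used for v1 entries, which carry no mask of their own.
    """
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        raise ValueError("truncated RIP packet")
    command, version, _ = HEADER.unpack_from(packet)
    if command != 2 or version not in (1, 2):
        raise ValueError("not a RIP v1/v2 response")
    routes = []
    for offset in range(HEADER.size, len(packet), ENTRY.size):
        family, tag, addr, mask, next_hop, metric = ENTRY.unpack_from(packet, offset)
        if family != 2 or not 1 <= metric <= 16:
            continue                      # not an IP route entry, or bad metric
        if version == 1:
            if tag or mask or next_hop:
                continue                  # v1 requires these fields to be zero
            mask = int(ipaddress.IPv4Address(interface_mask))
        prefix = prefix_length(mask)
        network = ipaddress.IPv4Address(addr & mask)
        routes.append((f"{network}/{prefix}", metric))
    return routes


# Constructed scenario: a neighbouring router subnets 172.16.0.0 with
# 255.255.255.0, while the receiving port is configured with 255.255.0.0.
ADVERTISED = [("172.16.5.0", "255.255.255.0", 2)]
PORT_MASK = "255.255.0.0"

if __name__ == "__main__":
    for version in (1, 2):
        packet = build_response(version, ADVERTISED)
        print(f"v{version}:", learned_routes(packet, PORT_MASK))
```

With these inputs the v1 advertisement is recorded as 172.16.0.0/16, while the v2 advertisement keeps the sender's 172.16.5.0/24.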
System configuration screens
You can connect to the Netopia R910’s system configuration screens in either of two ways:
By using Telnet with the Router’s Ethernet port IP address
Through the console port, using a local terminal (see “Connecting a console cable to your router” on page 6-33)
You can also retrieve the Netopia R910’s configuration information and remotely set its parameters using the Simple Network Management Protocol (see “SNMP” on page 12-118).
Open a Telnet connection to the router’s IP address; for example, “192.168.1.1.”
The console screen will open to the Main Menu, similar to the screen shown below:
Netopia R910 v4.8
Easy Setup...
WAN Configuration...
System Configuration...
Utilities & Diagnostics...
Statistics & Logs...
Quick Menus...
Quick View...
You always start from this main screen.
Navigating through the system configuration screens
To help you find your way to particular screens, some sections in this guide begin with a graphical path guide similar to the following example:
Main Menu > System Configuration > IP Setup
This particular path guide shows how to get to the Network Protocols Setup screens. The path guide represents these steps:
1. Beginning in the Main Menu, select System Configuration and press Return. The System Configuration screen appears.
2. Select IP Setup and press Return. The IP Setup screen appears.
To go back in this sequence of screens, use the Escape key.
System configuration features
The Netopia R910 Ethernet Router’s default settings may be all you need to configure your Netopia R910. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, the Netopia R910 provides system configuration options.
To help you determine whether you need to use the system configuration options, review the following requirements. If you have one or more of these needs, use the system configuration options described in later chapters.
System configuration of dynamic IP address distribution through DHCP or BootP
Greater network security through the use of filters
To access the system configuration screens, select System Configuration in the Main Menu, then press Return.
The System Configuration menu screen appears:
System Configuration
IP Setup...
Filter Sets (Firewalls)...
IP Address Serving...
Date and Time...
Console Configuration...
SNMP (Simple Network Management Protocol)...
Security...
Upgrade Feature Set...
Logging...
Return/Enter to configure Networking Protocols (such as TCP/IP). Use this screen if you want options beyond Easy Setup.

IP setup

These screens allow you to configure your network’s use of IP.
Details are given in Chapter 9, “IP Setup and Network Address Translation.”
Filter sets (firewalls)
These screens allow you to configure security on your network by means of filter sets and a basic firewall.
Details are given in Chapter 13, “Security.”

IP address serving

These screens allow you to configure IP address serving on your network by means of DHCP, WANIP, and BootP.
Details are given in “IP address serving” on page 9-66.

Date and time

You can set the system’s date and time in the Set Date and Time screen.
Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears.
Set Date and Time
System Date Format: MM/DD/YY
Current Date (MM/DD/YY): 12/9/1998
System Time Format: AM/PM
Current Time: 04:18
AM or PM: PM
Follow these steps to set the system’s date and time:
1. Select Current Date and enter the date in the appropriate format. Use one- or two-digit numbers for the month and day, and the last two digits of the current year. The date’s numbers must be separated by forward slashes (/).
2. Select Current Time and enter the time in the format HH:MM, where HH is the hour (using either the 12-hour or 24-hour clock) and MM is the minutes.
3. Select AM or PM and choose AM or PM.
Console configuration
You can change the default terminal communications parameters to suit your requirements.
To go to the Console Configuration screen, select Console Configuration in the System Configuration screen.

Console Configuration

Baud Rate... 38400
SET CONFIG NOW CANCEL
Follow these steps to change a parameter’s value:
1. Select the parameter you want to change.
2. Select a new value for the parameter. Return to step 1 if you want to configure another parameter.
3. Select SET CONFIG NOW to save the new parameter settings. Select CANCEL to leave the parameters unchanged and exit the Console Configuration screen.

SNMP (Simple Network Management Protocol)

These screens allow you to monitor and configure your network by means of a standard Simple Network Management Protocol (SNMP) agent.
Details are given in “SNMP” on page 12-118.

Security

These screens allow you to add users and define passwords on your network.
Details are given in Chapter 13, “Security.”

Upgrade feature set

You can upgrade your Netopia R910 by adding new feature sets through the Upgrade Feature Set utility.
See the release notes that came with your router or feature set upgrade, or visit the Netopia Web site at www.netopia.com for information on new feature sets, how to obtain them, and how to install them on your Netopia R910.

Logging

You can configure a UNIX-compatible syslog client to report a number of subsets of the events entered in the router’s WAN Event History. See “WAN Event History” on page 12-113. The Syslog client (for the PC only) is supplied as a .ZIP file on the Netopia CustomerCare CD.
Select Logging from the System Configuration menu.
The Logging Configuration screen appears.
Logging Configuration
WAN Event Log Options
Log Boot and Errors: Yes
Log Line Specific: Yes
Log Connections: Yes
Log PPP, DHCP, CNA: Yes
Log IP: Yes
Syslog Parameters
Syslog Enabled: No
Hostname or IP Address:
Facility... Local 0
Return/Enter accepts * Tab toggles * ESC cancels.
By default, all events are logged in the event history.
By toggling each event descriptor either Yes or No, you can determine which ones are logged and which are
ignored.
You can enable or disable the syslog client dynamically. When enabled, it will report any appropriate and previously unreported events.
You can specify the syslog server’s address either in dotted decimal format or as a DNS name up to 63
characters.
You can specify the UNIX syslog Facility to use by selecting the Facility pop-up.

Installing the Syslog client

The Goodies folder on the Netopia CD contains a Syslog client daemon program that can be configured to report the WAN events you specified in the Logging Configuration screen.
To install the Syslog client daemon, exit from the graphical Netopia CD program and locate the CD directory structure through your Windows desktop, or through Windows Explorer. Go to the Goodies directory on the CD and locate the Sds15000.exe program. This is the Syslog daemon installer. Run the Sds15000.exe program and follow the on screen instructions for enabling the Windows Syslog daemon.
The following screen shows a sample syslog dump of WAN events:
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: PPP PAP failure
Nov 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com Requested Disc. from DN: 917143652500
Nov 5 10:14:06 tsnext.netopia.com Received Clear Confirm for our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: Manual disconnect
Nov 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com Requested Disc. from DN: 917143652500
Nov 5 10:14:06 tsnext.netopia.com Received Clear Confirm for our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: No answer
Nov 5 10:14:06 tsnext.netopia.com --Device restarted----------------------------------------
Nov 5 10:14:06 tsnext.netopia.com >>Received Speech Setup Ind. from DN: (not supplied)
Nov 5 10:14:06 tsnext.netopia.com Requested Connect to our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com ASYNC: Modem carrier detected (more) Modem reports: 26400 V34
Nov 5 10:14:06 tsnext.netopia.com >>WAN: 56K Modem 1 activated at 115 Kbps
Nov 5 10:14:06 tsnext.netopia.com Connect Confirmed to our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com PPP: Channel 1 up, Answer Profile name: Default Profile
Nov 5 10:14:06 tsnext.netopia.com PPP: NCP up, session 1, Channel 1 Final (fallback) negotiated auth: Local PAP , Remote NONE
Nov 5 10:14:06 tsnext.netopia.com PPP: PAP we accepted remote, Channel 1 Remote name: guest
Nov 5 10:14:06 tsnext.netopia.com PPP: MP negotiated, session 1 Remote EDO: 06 03 0000C5700624 0
Nov 5 10:14:06 tsnext.netopia.com PPP: CCP negotiated, session 1, type: Ascend LZS Local mode: 1, Remote mode: 1
Nov 5 10:14:06 tsnext.netopia.com PPP: BACP negotiated, session 1 Local MN: FFFFFFFF, Remote MN: 00000001
Nov 5 10:14:06 tsnext.netopia.com PPP: IPCP negotiated, session 1, rem: 192.168.10.100 local: 192.168.1.1
Nov 5 10:14:06 tsnext.netopia.com >>WAN: 56K Modem 1 deactivated
Nov 5 10:14:06 tsnext.netopia.com Received Clear Ind. from DN: 5108645534, Cause: 0
Nov 5 10:14:06 tsnext.netopia.com Issued Clear Response to DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: Remote clearing
Nov 5 10:14:06 tsnext.netopia.com PPP: IPCP down, session 1
Nov 5 10:14:06 tsnext.netopia.com >>Received Speech Setup Ind. from DN: (not supplied)
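A dump like the one above is easier to review once it is reduced to the events that matter. The following is an added example, not part of the Netopia manual or software: it parses records in this layout and collects link-down reasons, authentication failures, restarts, accepted PAP names and negotiated peer addresses. The function names and the choice of which events count as alerts are assumptions of the example.

```python
import re
from collections import Counter

# A subset of the sample dump above (wrapped lines rejoined), plus one
# constructed malformed line to exercise the parser's reject path.
SAMPLE = """\
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: PPP PAP failure
Nov 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: Manual disconnect
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: No answer
Nov 5 10:14:06 tsnext.netopia.com --Device restarted----------------------------------------
Nov 5 10:14:06 tsnext.netopia.com PPP: PAP we accepted remote, Channel 1 Remote name: guest
Nov 5 10:14:06 tsnext.netopia.com PPP: IPCP negotiated, session 1, rem: 192.168.10.100 local: 192.168.1.1
Nov 5 10:14:06 tsnext.netopia.com Link 1 down: Remote clearing
truncated record without a timestamp
"""

# "Mon D HH:MM:SS host message", the layout shown in the sample dump.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.+)$"
)
LINK_DOWN_RE = re.compile(r"^Link (?P<link>\d+) down: (?P<reason>.+)$")
PAP_OK_RE = re.compile(r"^PPP: PAP we accepted remote,.*Remote name: (?P<name>\S+)")
IPCP_RE = re.compile(r"^PPP: IPCP negotiated,.*rem: (?P<rem>\S+) local: (?P<local>\S+)")

# Link-down reasons treated as authentication failures (only the one the
# sample shows; extend after reviewing your own router's event history).
AUTH_FAILURE_REASONS = {"PPP PAP failure"}


def parse_line(line):
    """Split one record into its fields; return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].lstrip(">").strip()  # drop the ">>" event marker
    return rec


def summarize(text):
    """Reduce a dump to the events an operator reviews first."""
    out = {"link_down": Counter(), "restarts": 0, "accepted_names": [],
           "peers": [], "alerts": [], "unparsed": 0}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            out["unparsed"] += 1
            continue
        msg = rec["msg"]
        stamp = "{month} {day} {time} {host}".format(**rec)
        down = LINK_DOWN_RE.match(msg)
        pap = PAP_OK_RE.match(msg)
        ipcp = IPCP_RE.match(msg)
        if down:
            reason = down.group("reason").strip()
            out["link_down"][reason] += 1
            if reason in AUTH_FAILURE_REASONS:
                out["alerts"].append((stamp, "authentication failure: " + reason))
        elif msg.startswith("--Device restarted"):
            out["restarts"] += 1
            out["alerts"].append((stamp, "device restarted"))
        elif pap:
            out["accepted_names"].append(pap.group("name"))
        elif ipcp:
            out["peers"].append((ipcp.group("rem"), ipcp.group("local")))
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for stamp, what in summary["alerts"]:
        print(stamp, "ALERT", what)
    print("link-down reasons:", dict(summary["link_down"]))
    print("accepted PAP names:", summary["accepted_names"])
    print("negotiated peers:", summary["peers"])
    print("unparsed lines:", summary["unparsed"])
```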
Chapter 9
IP Setup and Network Address Translation
The Netopia R910 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the Router to route IP traffic. You also learn how to configure the router to serve IP addresses to hosts on your local network.
The Netopia R910 features IP address serving and Network Address Translation. For a detailed discussion of Network Address Translation, see Appendix C, “Understanding Netopia NAT Behavior.” This chapter describes how to use the Network Address Translation feature.
This section covers the following topics:
“Network Address Translation features” on page 9-51
“Using Network Address Translation” on page 9-53
“IP setup” on page 9-56
“IP address serving” on page 9-66
Network Address Translation allows communication between the LAN connected to the Netopia R910 and the Internet using a single IP address instead of a routed account with separate IP addresses for each computer on the network.
Network Address Translation also provides increased security by hiding the local IP addresses of the LAN connected to the Netopia R910 from the outside world.

Network Address Translation features

Network Address Translation (NAT) offers users the following features:
The single proxy address is acquired at connection time from the answering side. The address can be
assigned by the remote router from either a dynamic pool of addresses or a fixed, static address.
Static NAT Security is simpler and more reliable because only one IP address needs a firewall, and because
the internal network structure is not visible from the Internet.
9-52 User’s Reference Guide
Network Address Translation works by remapping the source IP address of traffic from the LAN to a single static or dynamically assigned IP address shown to the remote side of the router.
[Figure: How NAT works, comparing a LAN's connection to the ISP (or corporate intranet router) “With NAT” and “Without NAT”.]
When NAT is enabled, the Netopia R910 can use either a statically assigned IP address or one dynamically assigned each time the router connects to the ISP. While a dynamically assigned IP address offers the ISP more flexibility, it does have an important limitation: the router requires a static IP address to support Web, FTP, or other services available to the WAN. To support these services with NAT enabled, a service can be associated with only one machine on the LAN.
When connected to the Internet or some other large network using Network Address Translation, the individual machines on your LAN are not directly accessible from the WAN. NAT provides an inherently secure method of connection to the outside world.

Using Network Address Translation

The following procedure describes how to use Network Address Translation.
1. Pick a network number for your local network (referred to as the internal network). This can be any IP address range you want. The Netopia R910 Router has a default IP address of 192.168.1.1. You may choose to change this address to match a pre-existing addressing scheme. For this example, we will use 10.0.0.0.
Note: The outside world (the external network) will not see this network number.
2. Using the internal network number, assign addresses to the local nodes on your LAN. For example, you could assign
10.0.0.1 to your Netopia R910
10.0.0.2 to a node running as a World Wide Web server
10.0.0.3 to an FTP server
10.0.0.4 to a Windows NT PC
10.0.0.5 to a Windows 95 PC
Note: See “Associating port numbers with nodes” on page 9-55.
3. By default, Network Address Translation is enabled in the Netopia R910. If you disabled it and now want to reenable it:
From the WAN Configuration menu in the Main Menu screen, select WAN (Wide Area Network) Setup.
The WAN Ethernet Configuration screen appears.
WAN Ethernet Configuration
Address Translation Enabled: Yes
Local WAN IP Address: 0.0.0.0
Filter Set...
Remove Filter Set
Receive RIP: Both
Set up the basic IP attributes of your Ethernet Module in this screen.
Toggle Address Translation Enabled to Yes or No (Yes to enable NAT) and press Return.
Or, from the Main Menu, select Easy Setup. The Easy Setup WAN Ethernet Configuration screen appears.
WAN Ethernet Configuration
Address Translation Enabled: Yes
Local WAN IP Address: 0.0.0.0
TO MAIN MENU NEXT SCREEN
Set up the basic IP attributes of your Ethernet Module in this screen.
Toggle Address Translation Enabled to Yes or No (Yes to enable NAT) and press Return.
For more information see Appendix B, “Understanding IP Addressing” and Appendix C, “Understanding Netopia NAT Behavior.”
4. If your ISP uses numbered (interface-based) routing, select Local WAN IP Address and enter the local WAN address your ISP gave you. Then select Local WAN IP Mask and enter the WAN subnet mask of the remote site you will connect to.
The default address is 0.0.0.0, which allows for dynamic addressing, meaning that your ISP assigns an address via DHCP each time you connect. However, if you want to use static addressing, enter a specific address.

Associating port numbers with nodes

When an IP client, such as Netscape Navigator or Microsoft Internet Explorer, wants to establish a session with an IP server such as a Web server, the client machine must know the IP address to use and the TCP service port where the traffic is to be directed.
For example, a Web browser locates a Web server by using a combination of the IP address and TCP port that the client machine has set up. Just as an IP address specifies a particular computer on a network, ports are addresses that specify a particular service in a computer. There are many universally agreed-upon ports assigned to various services. For example:
Web servers typically use port number 80
All FTP servers use port number 21
Telnet uses port number 23
SNMP uses port number 161
To help direct incoming IP traffic to the appropriate server, the Netopia R910 lets you associate these and other port numbers with distinct IP addresses on your internal LAN using exported services. See “IP setup” on page 9-56 for details.

Network Address Translation guideline

Observe the following guideline when using Network Address Translation.
The router can export only one local IP address per UDP/TCP port, so you can have just one machine available for a given service, such as one FTP server. However, some services, such as Web servers (www-http servers), allow you to change the UDP/TCP port on both the server and client. With two different UDP/TCP ports exported, you can have Web servers on two different IP hosts.
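The guideline above can be checked before any exports are entered on the router. The following is an added example, not Netopia code: it models an export table that enforces one local address per port, answers which LAN host receives WAN traffic for a given port, and lists exports that deserve a second look. The class and function names, the /24 mask on 10.0.0.0, port 8080 for the second Web server and the contents of the review list are assumptions of the example.

```python
import ipaddress

# Service names and ports as listed in the Add Exported Service pop-up.
# On the router, timbuktu expands to several ports; only the listed port
# is modelled here.
SERVICES = {
    "ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "gopher": 70,
    "finger": 79, "www-http": 80, "pop2": 109, "pop3": 110, "snmp": 161,
    "timbuktu": 407, "pptp": 1723, "irc": 6667,
}
# Review list chosen for this example: remote administration in cleartext
# (telnet, snmp) and unauthenticated file transfer (tftp).
REVIEW = {"telnet", "tftp", "snmp"}


class ExportTable:
    """Port-to-LAN-address map with the one-address-per-port rule."""

    def __init__(self, lan_cidr):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.by_port = {}  # port -> (service name, local server address)

    def add(self, service, local_ip):
        """Export a named service or a numeric port ("Other...") to one LAN host."""
        if isinstance(service, int):
            port = service
            name = next((n for n, p in SERVICES.items() if p == port), "other")
        else:
            if service not in SERVICES:
                raise ValueError("unknown service name: %r" % service)
            name, port = service, SERVICES[service]
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        addr = ipaddress.ip_address(local_ip)
        if addr not in self.lan:
            raise ValueError("%s is not on the internal network %s" % (addr, self.lan))
        if port in self.by_port:
            owner = self.by_port[port][1]
            raise ValueError("port %d is already exported to %s" % (port, owner))
        self.by_port[port] = (name, str(addr))

    def redirect(self, dst_port):
        """LAN address that receives WAN traffic for dst_port, or None."""
        entry = self.by_port.get(dst_port)
        return entry[1] if entry else None

    def review(self):
        """Exports on the review list, as (name, port, address), sorted by port."""
        return [(name, port, ip)
                for port, (name, ip) in sorted(self.by_port.items())
                if name in REVIEW]


def build_example():
    """The manual's 10.0.0.0 layout; the /24 mask and port 8080 are assumptions."""
    table = ExportTable("10.0.0.0/24")
    table.add("www-http", "10.0.0.2")  # Web server, as in the manual's example
    table.add("ftp", "10.0.0.3")       # FTP server
    table.add(8080, "10.0.0.4")        # second Web server on a different port
    return table


if __name__ == "__main__":
    table = build_example()
    for port in (80, 21, 8080, 23):
        print("WAN port", port, "->", table.redirect(port))
    try:
        table.add("www-http", "10.0.0.5")  # second host on port 80
    except ValueError as err:
        print("rejected:", err)
    table.add("telnet", "10.0.0.5")
    print("review before enabling:", table.review())
```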

IP setup

Main Menu > System Configuration > Network Protocols Setup > IP Setup
The IP Setup options screen is where you configure the Ethernet side of the Netopia R910. The information you enter here controls how the router routes IP traffic.
Consult your network administrator or Internet service provider to obtain the IP setup information (such as the Ethernet IP address, Ethernet subnet mask, default IP gateway and Primary Domain Name Server IP address) you will need before changing any of the settings in this screen. Changes made in this screen will take effect only after the Netopia R910 is reset.
To go to the IP Setup options screen, from the Main Menu, select System Configuration then Network Protocols Setup, and then IP Setup.
The IP Setup screen appears.
IP Setup
Ethernet IP Address: 192.128.117.162
Ethernet Subnet Mask: 255.255.255.0
Define Additional Subnets...
Default IP Gateway: 192.128.117.163
Primary Domain Name Server: 0.0.0.0
Secondary Domain Name Server: 0.0.0.0
Domain Name:
Receive RIP: Both
Transmit RIP: v2 (multicast)
Static Routes...
Address Serving Setup...
Exported Services...
Filter Sets...
Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Set up the basic IP attributes of your Netopia in this screen.
Follow these steps to configure IP Setup for your Netopia R910:
Select Ethernet IP Address and enter the IP address for the Netopia R910’s Ethernet port.
Select Ethernet Subnet Mask and enter the subnet mask for the Ethernet IP address that you entered in the last step.
If you desire multiple subnets select Define Additional Subnets. If you select this item you will be taken to the IP Subnets screen. This screen allows you to define IP addresses and masks for additional subnets. See “IP subnets” on page 9-60 for details.
The Netopia R910 Router supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment. This assumes that you are not using NAT.
If you are using NAT, you can use the reserved Class A or Class B subnet.
Select Default IP Gateway and enter the IP address for a default gateway. This can be the address of any major router accessible to the Netopia R910.
A default gateway should be able to successfully route packets when the Netopia R910 cannot recognize the intended recipient’s IP address. A typical example of a default gateway is the ISP’s router.
Select Primary Domain Name Server and enter the IP address for a domain name server. The domain name server matches the alphabetic addresses favored by people (for example, robin.hood.com) to the IP addresses actually used by IP routers (for example, 163.7.8.202).
If a secondary DNS server is available, select Secondary Domain Name Server and enter its IP address. The secondary DNS server is used by the Netopia R910 when the primary DNS server is inaccessible. Entering a secondary DNS is useful but not necessary.
Select Domain Name and enter your network’s domain name (for example, netopia.com).
Routing Information Protocol (RIP) is needed if there are IP routers on other segments of your Ethernet network that the Netopia R910 needs to recognize. If this is the case select Receive RIP and select v1, v2, or Both from the popup menu. With Receive RIP set to “v1,” the Netopia R910’s Ethernet port will accept routing information provided by RIP packets from other routers that use the same subnet mask. Set to “v2,” the Netopia R910 will accept routing information provided by RIP packets from other routers that use different subnet masks. Set to “Both,” the Netopia R910 will accept information from either RIP v1 or v2 routers.
If you want the Netopia R910 to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2 (broadcast), or v2 (multicast) from the popup menu. With Transmit RIP v1 selected, the Netopia R910 will generate RIP packets only to other RIP v1 routers. With Transmit RIP v2 (broadcast) selected, the Netopia R910 will generate RIP packets to all other hosts on the network. With Transmit RIP v2 (multicast) selected, the Netopia R910 will generate RIP packets only to other routers capable of recognizing RIP v2 packets.
Select Static Routes to manually configure IP routes. See the section “Static routes,” below.
If you select Address Serving Setup you will be taken to the IP Address Serving screen (see “IP address serving” on page 9-66). Since no two hosts can use the same IP address at the same time, make sure that the addresses distributed by the Netopia R910, and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from.
Select Exported Services. The Exported Services screen appears with three options: Show/Change Exports, Add Export, and Delete Export.
Exported Services (Local Port to IP Address Remapping)
Show/Change Exports...
Add Export...
Delete Export...
Return/Enter to configure UDP/TCP Port-to-IP Address redirection.
Select Add Export. The Add Exported Service screen appears.
Add Exported Service
Service...
Local Server's IP Address: 0.0.0.0
ADD EXPORT NOW CANCEL
Select Service. A pop-up menu of services and ports appears.
Add Exported Service

                             +-Type------Port--+
                             +-----------------+
Service...                   | ftp       21    |
                             | telnet    23    |
                             | smtp      25    |
Local Server's IP Address:   | tftp      69    |
                             | gopher    70    |
                             | finger    79    |
                             | www-http  80    |
                             | pop2      109   |
                             | pop3      110   |
                             | snmp      161   |
                             | timbuktu  407   |
                             | pptp      1723  |
                             | irc       6667  |
                             | Other...        |
                             +-----------------+
ADD EXPORT NOW CANCEL
5. Select any of the services/ports and press Return to associate it with the address of a server on your local area network. For example, if we select www-http 80, press Return, and type 10.0.0.2, the Netopia R910 redirects any incoming traffic destined for a Web server to address 10.0.0.2.
Some services such as Timbuktu require the export of multiple TCP ports. When you associate Timbuktu with a local server (or Timbuktu host) all of the major Timbuktu services are exported, i.e., Observe, Control, Send, and Exchange.
Note: If the TCP port of a service you want to use is not listed, you can add it by selecting Other... on the pop-up menu.
Press Escape when you are finished configuring exported services. You are returned to the IP Setup screen.
IP Setup
Ethernet IP Address: 192.128.117.162
Ethernet Subnet Mask: 255.255.255.0
Define Additional Subnets...
Default IP Gateway: 192.128.117.163
Primary Domain Name Server: 0.0.0.0
Secondary Domain Name Server: 0.0.0.0
Domain Name:
Receive RIP: Both
Transmit RIP: v2 (multicast)
Static Routes...
Address Serving Setup...
Exported Services...
Filter Sets...
If you select Filter Sets you will be taken directly to the screen for configuring IP packet filters. For
information see “About filters and filter sets,” beginning on page 13-126.

IP subnets

The IP Subnets screen allows you to configure up to eight Ethernet IP subnets on unlimited-user models, one “primary” subnet and up to seven secondary subnets, by entering IP address/subnet mask pairs:
IP Subnets
     IP Address        Subnet Mask
     ----------------  ---------------
#1:  192.128.117.162   255.255.255.0
#2:  0.0.0.0           0.0.0.0
#3:
#4:
#5:
#6:
#7:
#8:
Note: You need not use this screen if you have only a single Ethernet IP subnet. In that case, you can continue to enter or edit the IP address and subnet mask for the single subnet on the IP Setup screen.
This screen displays up to eight rows of two editable columns, preceded by a row number between one and eight. If you have eight subnets configured, there will be eight rows on this screen. Otherwise, there will be one more row than the number of configured subnets. The last row will have the value 0.0.0.0 in both the IP address and subnet mask fields to indicate that you can edit the values in this row to configure an additional subnet. All eight row labels are always visible, regardless of the number of subnets configured.
To add an IP subnet, enter the Netopia R910’s IP address on the subnet in the IP Address field in a
particular row and the subnet mask for the subnet in the Subnet Mask field in that row.
For example:
IP Subnets
     IP Address        Subnet Mask
     ----------------  ---------------
#1:  192.128.117.162   255.255.255.0
#2:  192.128.152.162   255.255.0.0
#3:  0.0.0.0           0.0.0.0
#4:
#5:
#6:
#7:
#8:
To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly
or by clearing each field and pressing Return or Enter to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
Note that the subnets configured on this screen are tied to the address serving pools configured on the IP Address Pools screen, and that changes on this screen may affect the IP Address Pools screen. In particular, deleting a subnet configured on this screen will delete the corresponding address serving pool, if any, on the IP Address Pools screen.
If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly:
IP Setup
Subnet Configuration...
Default IP Gateway: 192.128.117.163
Primary Domain Name Server: 0.0.0.0
Secondary Domain Name Server: 0.0.0.0
Domain Name:
Receive RIP: Both
Transmit RIP: v2 (multicast)
Static Routes...
Address Serving Setup...
Exported Services...
Filter Sets...
The IP address and Subnet mask items are hidden, and the “Define Additional Subnets...” item becomes “Subnet Configuration...”. If you select Subnet Configuration, you will return to the IP Subnets screen that allows you to define IP addresses and masks for additional Ethernet IP subnets.

Static routes

Static routes are IP routes that are maintained manually. Each static route acts as a pointer that tells the Netopia R910 how to reach a particular network. However, static routes are used only if they appear in the IP routing table, which contains all of the routes used by the Netopia R910 (see “IP routing table” on
page 12-115).
Static routes are helpful in situations where a route to a network must be used and other means of finding the route are unavailable. For example, static routes are useful when you cannot rely on RIP.
To go to the Static Routes screen, select Static Routes in the IP Setup screen.
The Static Routes screen will appear.
Static Routes
Display/Change Static Route...
Add Static Route...
Delete Static Route...
Configure/View/Delete Static Routes from this and the following Screens.
Viewing static routes
To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear.
+-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+
+------------------------------------------------------------------+
| 0.0.0.0         0.0.0.0         163.176.8.1     Low      Yes     |
+------------------------------------------------------------------+
Select a Static Route to modify.
The table has the following columns:
Dest. Network: The network IP address of the destination network.
Subnet Mask: The subnet mask associated with the destination network.
Next Gateway: The IP address of the router that will be used to reach the destination network.
Priority: An indication of whether the Netopia R910 will use the static route when it conflicts with information
received from RIP packets.
Enabled: An indication of whether the static route should be installed in the IP routing table.
To return to the Static Routes screen, press Escape.
Adding a static route
To add a new static route, select Add Static Route in the Static Routes screen. The Add Static Route screen will appear.
Add Static Route
Static Route Enabled: Yes
Destination Network IP Address: 0.0.0.0
Destination Network Subnet Mask: 0.0.0.0
Next Gateway IP Address: 0.0.0.0
Route Priority... High
Advertise Route Via RIP: No
ADD STATIC ROUTE NOW CANCEL
Configure a new Static Route in this Screen.
To install the static route in the IP routing table, select Static Route Enabled and toggle it to Yes. To
remove the static route from the IP routing table, select Static Route Enabled and toggle it to No.
Be sure to read the rules on the installation of static routes in the IP routing table. See “Rules of static
route installation” on page 9-65.
Select Destination Network IP Address and enter the network IP address of the destination network.
Select Destination Network Subnet Mask and enter the subnet mask used by the destination network.
Select Next Gateway IP Address and enter the IP address for the router that the Netopia R910 will use to reach the destination network. This router does not necessarily have to be part of the destination network, but it must at least know where to forward packets destined for that network.
Select Route Priority and choose High or Low. High means that the static route takes precedence over RIP
information; Low means that the RIP information takes precedence over the static route.
To make sure that the static route is known only to the Netopia R910, select Advertise Route Via RIP and toggle it to No. To allow other RIP-capable routers to know about the static route, select Advertise Route Via RIP and toggle it to Yes. When Advertise Route Via RIP is toggled to Yes, a new item called RIP Metric appears below Advertise Route Via RIP.
With RIP Metric you set the number of routers, from 1 to 15, between the sending router and the destination router. The maximum number of routers on a packet’s route is 15. Setting RIP Metric to 1 means that a route can involve 15 routers, while setting it to 15 means a route can only involve one router.
Select ADD STATIC ROUTE NOW to save the new static route, or select CANCEL to discard it and return to
the Static Routes screen.
Up to 16 static routes can be created, but one is always reserved for the default gateway, which is configured using either Easy Setup or the IP Setup screen in system configuration.
Modifying a static route
To modify a static route, in the Static Routes screen select Display/Change Static Route to display a table of static routes.
Select a static route from the table and go to the Change Static Route screen. The parameters in this screen are the same as the ones in the Add Static Route screen (see “Adding a static route” on page 9-64).
Deleting a static route
To delete a static route, in the Static Routes screen select Delete Static Route to display a table of static routes. Select a static route from the table and press Return to delete it. To exit the table without deleting the selected static route, press Escape.
Rules of static route installation
The Netopia R910 applies certain rules before installing enabled static routes in the IP routing table. An enabled static route will not be installed in the IP routing table if any of the following conditions are true:
The static route’s Next Gateway IP Address matches the IP address used by the Netopia R910’s Ethernet
port.
The static route’s Next Gateway IP Address matches an IP address in the range of IP addresses being
distributed by MacIP or DHCP.
The static route’s Next Gateway IP Address is determined to be unreachable by the Netopia R910.
A static route that is already installed in the IP routing table will be removed if any of the conditions listed above become true for that static route. However, an enabled static route is automatically reinstalled once the conditions listed above are no longer true for that static route.

IP address serving

Main Menu > System Configuration > IP Address Serving
• Serve DHCP Clients
• Serve BootP Clients
• Serve Dynamic WAN Clients
In addition to being a router, the Netopia R910 is also an IP address server. There are three protocols it can use to distribute IP addresses.
The first, called Dynamic Host Configuration Protocol (DHCP), is widely supported on PC networks, as well as Apple Macintosh computers using Open Transport and computers using the UNIX operating system. Addresses assigned via DHCP are “leased” or allocated for a short period of time; if a lease is not renewed, the address becomes available for use by another computer. DHCP also allows most of the IP parameters for a computer to be configured by the DHCP server, simplifying setup of each machine.
The second, called BootP (also known as Bootstrap Protocol), is the predecessor to DHCP and allows older
IP hosts to obtain most of the information that a DHCP client would obtain. However, in contrast, BootP address assignments are “permanent” since there is no lease renewal mechanism in BootP.
The third protocol, called Dynamic WAN, is part of the PPP/MP suite of wide area protocols used for WAN
connections. It allows remote terminal adapters and NAT-enabled routers to be assigned a temporary IP address for the duration of their connection.
Since no two hosts can use the same IP address at the same time, make sure that the addresses distributed by the Netopia R910 and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from.
Go to the System Configuration screen. Select IP Address Serving and press Return. The IP Address Serving screen will appear.
IP Address Serving
Number of Client IP Addresses: 5
1st Client Address: 176.163.222.10
Client Default Gateway... 176.163.222.1
Serve DHCP Clients: Yes
DHCP NetBios Options...
Serve BOOTP Clients: Yes
Follow these steps to configure IP Address Serving:
If you enabled IP Address Serving, DHCP, BootP clients, Dynamic WAN clients, and MacIP/KIP clients (if you
have the AppleTalk kit installed) are automatically enabled.
Select Number of Client IP Addresses and enter the total number of contiguous IP addresses that the
Netopia R910 will distribute to the client machines on your local area network. 12-user models are limited to twelve IP addresses.
In the screen example shown above, five Client IP addresses have been allocated.
Select 1st Client Address and enter the first client IP address that you will allocate to your first client
machine. For instance, on your local area network you may want to first figure out what machines are going to be allocated specific static IP addresses so that you can determine the pool of IP addresses that you will be serving addresses from via DHCP, BootP, Dynamic WAN, and/or MacIP.
Example: Your ISP has given your Netopia R910 the IP address 192.168.6.137, with a subnet mask of
255.255.255.248. The subnet mask allocated will give you six IP addresses to use when connecting to the ISP over the Internet (for more information on IP addressing refer to Appendix B, “Understanding IP
Addressing”). Your address range will be from .137-.143. In this example you would enter 192.168.6.138
as the 1st Client Address, since the router itself must have an IP address.
To enable DHCP, select Serve DHCP Clients and toggle it to Yes. DHCP serving is automatic when IP
Address Serving is enabled.
If you have configured multiple Ethernet IP subnets, the appearance of the IP Address Serving screen is altered slightly:
IP Address Serving
Configure Address Pools...
Serve DHCP Clients: Yes
DHCP NetBios Options...
Serve BOOTP Clients: Yes
Serve Dynamic WAN Clients: Yes
The first three menu items are hidden, and Configure Address Pools appears instead. If you select Configure Address Pools you will be taken to the IP Address Pools screen that allows you to configure an address serving
pool for each of the configured Ethernet IP subnets. See “IP Address Pools,” in the next section.

IP Address Pools

The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight configured Ethernet IP subnets:
IP Address Pools
Subnet (# host addrs)   1st Client Addr   Clients   Client Gateway
---------------------   ---------------   -------   ---------------
192.128.117.0 (253)     192.128.117.196   16        192.128.117.162
192.129.117.0 (253)     192.129.117.110   8         192.129.117.4
This screen consists of between two and eight rows of four columns each. There are exactly as many rows as there are Ethernet IP subnets configured on the IP Subnets screen.
The Subnet (# host addrs) column is non-selectable and non-editable. It indicates the network address of the Ethernet IP subnet for which an address pool is being configured and the number of host addresses available on the subnet. The network address is equal to the router’s IP address on the subnet bitwise-ANDed with the subnet mask. The host address count is equal to the subnet size minus three, since one address is reserved for the network address, one for the subnet broadcast address, and one for the router’s interface address on the subnet.
You can edit the remaining columns in each row.
The 1st Client Addr and Clients columns allow you to specify the base and extent of the address serving
pool for a particular subnet. Entering 0.0.0.0 for the first client address or 0 for the number of clients indicates that no addresses will be served from the corresponding Ethernet IP subnet.
The Client Gateway column allows you to specify the default gateway address that will be provided to clients served an address from the corresponding pool. The value defaults to the Netopia R910’s IP address on the corresponding subnet (or the Netopia R910’s default gateway, if that gateway is located on the subnet in question). You can override the value by entering any address that is part of the subnet.
DHCP, BootP, and dynamic WAN clients may receive an address from any one of the address serving pools configured on this screen.
Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular client in all circumstances. However, when the address server has been configured, and the clients involved have no prior address serving interactions, the Netopia R910 will generally serve the first unused address from the first address pool with an available address. The Netopia R910 starts from the pool on the first row and continues to the pool on the last row of this screen.
Once the address server and/or the clients have participated in address serving transactions, different rules apply:
• When requesting an address, a client will often suggest an address to be assigned, such as the one it was last served. The Netopia R910 will attempt to honor this request if the address is available. The client stores this address in non-volatile storage, for example, on disk, and the specific storage method/location differs depending on the client operating system.
• When requesting an address, a client may provide a client identifier, or, if it does not, the Netopia R910 may construct a pseudo-client identifier for the client. When the client subsequently requests an address, the Netopia R910 will attempt to serve the address previously associated with the client identifier. This is normally the last address served to the client.
• Otherwise, the Netopia will select the least-recently used available address, starting from the first address in the first pool and ending with the last address in the last pool.
Note that the address serving pools on this screen are tied to the IP subnets configured on the IP Subnets screen. Changes to the IP Subnets screen may affect this one. In particular, deleting a subnet on the IP Subnets screen will delete the corresponding address serving pool, if any, on this screen.
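The column arithmetic and the exclusive-range requirement described in this section can be checked off-line before the values are typed into the screen. The following is an added example, not Netopia code: the function names, the router interface addresses, the /24 masks and the two faulty rows are assumptions constructed for illustration, while the pool values come from the example screen above.

```python
import ipaddress
from collections import namedtuple

# One row of the IP Address Pools screen plus the router's own interface.
# router_ip and mask are not shown on the screen and are assumed values here.
PoolRow = namedtuple("PoolRow", "router_ip mask first_client clients gateway")


def subnet_column(row):
    """Return (network address, host count) as shown under "Subnet (# host addrs)"."""
    iface = ipaddress.IPv4Interface(f"{row.router_ip}/{row.mask}")
    # Network address = router IP AND mask. Three addresses are never servable:
    # the network address, the subnet broadcast and the router's interface.
    return iface.network.network_address, iface.network.num_addresses - 3


def served_addresses(row):
    """Expand "1st Client Addr" and "Clients" into the addresses the pool serves."""
    if row.clients == 0 or row.first_client == "0.0.0.0":
        return []                       # serving is disabled for this subnet
    first = ipaddress.IPv4Address(row.first_client)
    return [first + i for i in range(row.clients)]


def check_row(row, manual_hosts=()):
    """Return a list of problems; an empty list means the row is consistent."""
    iface = ipaddress.IPv4Interface(f"{row.router_ip}/{row.mask}")
    net = iface.network
    reserved = {
        net.network_address: "the network address",
        net.broadcast_address: "the subnet broadcast address",
        iface.ip: "the router's interface address",
    }
    manual = {ipaddress.IPv4Address(h) for h in manual_hosts}
    problems = []
    for addr in served_addresses(row):
        if addr not in net:
            problems.append(f"{addr} lies outside {net}")
        elif addr in reserved:
            problems.append(f"{addr} is {reserved[addr]}")
        elif addr in manual:
            problems.append(f"{addr} is also manually configured on a host")
    if ipaddress.IPv4Address(row.gateway) not in net:
        problems.append(f"gateway {row.gateway} is not part of {net}")
    return problems


def first_offer(rows, in_use=()):
    """Address a client with no serving history would generally be offered:
    the first unused address of the first pool that still has one."""
    busy = {ipaddress.IPv4Address(a) for a in in_use}
    for row in rows:                    # list order = row order on the screen
        for addr in served_addresses(row):
            if addr not in busy:
                return addr
    return None                         # every pool is exhausted


# The two rows of the example screen (router addresses and masks assumed).
SCREEN = [
    PoolRow("192.128.117.162", "255.255.255.0", "192.128.117.196", 16, "192.128.117.162"),
    PoolRow("192.129.117.4", "255.255.255.0", "192.129.117.110", 8, "192.129.117.4"),
]

# Constructed faulty rows: one pool covers the router and a static host,
# the other runs past the end of its subnet.
BAD_OVERLAP = PoolRow("192.128.117.162", "255.255.255.0", "192.128.117.160", 8, "192.128.117.162")
BAD_OVERRUN = PoolRow("192.129.117.4", "255.255.255.0", "192.129.117.250", 8, "192.129.117.4")

if __name__ == "__main__":
    static_hosts = ["192.128.117.165"]  # constructed manually configured host
    for row in SCREEN + [BAD_OVERLAP, BAD_OVERRUN]:
        net, hosts = subnet_column(row)
        print(f"{net} ({hosts})", check_row(row, static_hosts) or "ok")
    print("first offer:", first_offer(SCREEN))
```
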

DHCP NetBIOS Options

If your network uses NetBIOS, you can enable the Netopia R910 to use DHCP to distribute NetBIOS information.
NetBIOS stands for Network Basic Input/Output System. It is a layer of software originally developed by IBM and Sytek to link a network operating system with specific hardware. NetBIOS has been adopted as an industry standard. It offers LAN applications a variety of “hooks” to carry out inter-application communications and data transfer. Essentially, NetBIOS is a way for application programs to talk to the network. To run an application that works with NetBIOS, a non-IBM network operating system or network interface card must offer a NetBIOS emulator. Many vendors either provide a version of NetBIOS to interface with their hardware or emulate its transport layer communications services in their network products. A NetBIOS emulator is a program provided by NetWare clients that allows workstations to run applications that support IBM’s NetBIOS calls.
Select DHCP NetBios Options and press Return. The DHCP NetBIOS Options screen appears.
DHCP NetBios Options
Serve NetBios Type: Yes
NetBios Type... Type B
Serve NetBios Scope: No
NetBios Scope:
Serve NetBios Name Server: No
NetBios Name Server IP Addr: 0.0.0.0
Configure DHCP-served NetBIOS options here.
To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBios Type and toggle it to Yes.
From the NetBios Type pop-up menu, select the type of NetBIOS used on your network.
DHCP NetBios Options
                               +--------+
Serve NetBios Type:            +--------+
NetBios Type...                | Type B |
                               | Type P |
Serve NetBios Scope:           | Type M |
NetBios Scope:                 | Type H |
                               +--------+
Serve NetBios Name Server:     No
NetBios Name Server IP Addr:   0.0.0.0
To serve DHCP clients with the NetBIOS scope, select Serve NetBios Scope and toggle it to Yes.
Select NetBios Scope and enter the scope.
To serve DHCP clients with the IP address of a NetBIOS name server, select Serve NetBIOS Name Server and toggle it to Yes.
Select NetBios Name Server IP Addr and enter the IP address for the NetBIOS name server.
You are now finished setting up DHCP NetBIOS Options. To return to the IP Address Serving screen press Escape.
To enable BootP’s address serving capability, select Serve BOOTP Clients and toggle to Yes.
Note: Addresses assigned through BootP are permanently allocated from the IP Address Serving pool until
you release them. To release these addresses, navigate back to the Main Menu, then Statistics & Logs, Served IP Addresses, and Lease Management.
Main Menu > Statistics & Logs > Served IP Addresses > Lease Management
IP Address Lease Management
Reset All Leases
Release BootP Leases
Reclaim Declined Addresses
Hit RETURN/ENTER, you will return to the previous screen.
Select Release BootP Leases and press Return.
You have finished your IP setup.
Chapter 10
Virtual Private Networks (VPN)
The Netopia R910 Router offers both PPTP and ATMP tunneling support for Virtual Private Networks (VPN).
The following topics are covered in this chapter:
“Overview” on page 10-73
“About PPTP Tunnels” on page 10-76
“Encryption Support” on page 10-79
“VPN Default Answer Profile” on page 10-85
“VPN QuickView” on page 10-86
“Dial-Up Networking for VPN” on page 10-88
“Installing the VPN Client” on page 10-92
“About ATMP Tunnels” on page 10-94
“Allowing VPNs through a Firewall” on page 10-98
Overview
When you make a long distance telephone call from your home to a relative far away, you are creating a private network. You can hold a conversation and exchange information about the happenings on opposite sides of the state, or the continent, that you are mutually interested in. When your next door neighbor picks up the phone to call her daughter at college, at the same time you are talking to your relatives, your calls don't overlap, but each is separate and private. Neither house has a direct wire to the places they call. Both share the same lines on the telephone poles (or underground) on the street.
These calls are virtual private networks. Virtual, because they appear to be direct connections between the calling and answering parties, even though they travel over the public wires and switches of the phone company; private, because neither pair of calling and answering parties interacts with the other; and networks, because they exchange information.
Computers can do the same thing; it's called Virtual Private Networks (VPNs). Equipped with Netopia Routers, a single computer or private network (LAN) can establish a private connection with another computer or private network over the public network (Internet).
The Netopia Router can be used in VPNs either to initiate the connection or to answer it. When used in this way, the routers are said to be tunnelling through the public network (Internet). The advantages are that, like your long distance phone call, you don't need a direct line between one computer or LAN and the other, but use the local connections, making it much cheaper; and the information you exchange through your tunnel is private and secure.
Tunneling is a process of creating a private path between a remote user or private network and another private network over some intermediate network, such as the IP-based Internet. A VPN allows remote offices or employees access to your internal business LAN through means of encryption allowing the use of the public Internet to look “virtually” like a private secure network. When two networks communicate with each other through a network based on the Internet Protocol, they are said to be tunneling through the IP network.
[Figure: a Virtual Private Network over a transit internetwork, and its logical equivalent]
Unlike the phone company, private and public computer networks can use more than one protocol to carry your information over the wires. Three such protocols are in common use for tunnelling, Point-to-Point Tunnelling Protocol (PPTP), IP Security (IPSec), and Ascend Tunnel Management Protocol (ATMP). The Netopia Router can use any of them.
Point-to-Point Tunneling Protocol (PPTP) is an extension of Point-to-Point Protocol (PPP) and uses a client and server model. Netopia’s PPTP implementation is compatible with Microsoft’s and can function as either the client (PAC) or the server (PNS). As a client, a Netopia R-series router can provide all users on a LAN with secure access over the Internet to the resources of another LAN by setting up a tunnel with a Windows NT server running Remote Access Services (RAS) or with another Netopia Router. As a server, a Netopia R-series router can provide remote users a secure connection to the resources of the LAN over a dial-up, cable, DSL, or any other type of Internet access. Because PPTP can create a VPN tunnel using the Dial-Up Networking (DUN) (see “Dial-Up Networking for VPN” on page 10-88) utility built into Windows 95, 98, or NT, no additional client software is required.
IP Security (IPsec) is a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec
is widely used to implement Virtual Private Networks. DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key.
Ascend Tunnel Management Protocol (ATMP) is the protocol that is implemented in many Ascend routers.
ATMP is a simple protocol for connecting nodes and/or networks together over the Internet via a tunnel. ATMP encapsulates IP or other user data without PPP headers within General Routing Encapsulation (GRE) protocol over IP. ATMP is more efficient than PPTP for network-to-network tunnels.
When used to initiate the tunnelled connection, the Netopia Router is called a PPTP Access Concentrator (PAC, in PPTP language), or a foreign agent (in ATMP language). When used to answer the tunnelled connection, the Netopia Router is called a PPTP Network Server (PNS, in PPTP language) or a home agent (in ATMP language).
In either case, the Netopia Router wraps, or encapsulates, information that one end of the tunnel exchanges with the other, in a wrapper called General Routing Encapsulation (GRE), at one end of the tunnel, and unwraps, or decapsulates, it at the other end.
Configuring the Netopia Router for use with any of the three protocols is done through the console-based menu screens. Each type is described in its own section:
“About PPTP Tunnels” on page 10-76
“About IPsec Tunnels” on page 10-80
“About ATMP Tunnels” on page 10-94
Your configuration depends on which protocol you (and the router at the other end of your tunnel) will use, and whether or not you will be using the VPN client software in a standalone remote connection.
Note: You must choose which protocol you will be using, since you cannot both export PPTP and use ATMP, or vice versa, at the same time.
Having both an ATMP tunnel and a PPTP export is not possible because both functions require GRE and the router’s PPTP export/server does not distinguish the GRE packets it forwards. Since it processes all of them, ATMP tunneling is impaired. For example, you cannot run an ATMP tunnel between two routers and also have PPTP exported on one side.
Summary
A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing you to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.
VPNs allow networks to communicate across an IP network. Your local networks (connected to the Netopia Router) can exchange data with remote networks that are also connected to a VPN-capable router.
This feature provides individuals at home, on the road, or in branch offices with a cost-effective and secure way to access resources on remote LANs connected to the Internet with Netopia Routers. The feature is built around two key technologies: PPTP and ATMP.
About PPTP Tunnels
Main Menu > WAN Configuration > Add Connection Profile
To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner. You use the same procedure to initiate a PPTP tunnel that terminates at a remote PPTP server or to terminate a tunnel initiated by a remote PPTP client.
PPTP configuration
To set up the router as a PPTP Network Server (PNS) capable of answering PPTP tunnel requests you must also configure the VPN Default Answer Profile. See “VPN Default Answer Profile” on page 10-85 for more information.
PPTP is a Datalink Encapsulation option in Connection Profiles. It is not an option in device or link configuration screens, as PPTP is not a native encapsulation. Consequently, the Easy Setup Profile does not offer PPTP datalink encapsulation.
Note: The Netopia R910 Router has access to Connection Profiles for tunnelling purposes. If the PPP dialup kit is not installed, you cannot use PPP as a datalink encapsulation, and you will have access only to ATMP and PPTP. If the kit is installed you also have access to PPP.
Channel 4 (and higher) events, such as connections and disconnections, reported in the WAN Event Histories are VPN tunnel events.
To define a PPTP tunnel, navigate to the Add Connection Profile menu from the Main Menu.
Add Connection Profile
Profile Name:                  Profile 2
Profile Enabled:               +-------------+
                               +-------------+
Data Link Encapsulation...     | PPP         |
Data Link Options...           | Frame Relay |
                               | ATM FUNI    |
IP Enabled:                    | ATMP        |
IP Profile Parameters...       | PPTP        |
                               +-------------+
ADD PROFILE NOW                CANCEL
When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears.
PPTP Tunnel Options
PPTP Partner IP Address: 173.167.8.134
Tunnel Via Gateway: 0.0.0.0
Data Compression... None
Authentication... CHAP
Send Host name: tony
Send Secret: *****
Receive Host name: kimba
Receive Secret: ******
Initiate Connections: Yes
On Demand: Yes
Idle Timeout (seconds): 300
Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
In this Screen you will configure the GRE/PPTP specific connection params.
Note: Profiles using PPTP do not offer a Telco Options screen.
Enter the PPTP Partner IP Address. This specifies the address of the other end of the tunnel.
If you do not specify the PPTP Partner IP Address the gateway cannot initiate tunnels, i.e., act as a PPTP Access Concentrator (PAC) for this profile. It can only accept tunnel requests as a PPTP Network Server (PNS).
If you specify the PPTP Partner IP Address, and the address is in the same subnet as the Remote IP
Address you specified in the IP Profile Parameters, the Tunnel Via Gateway option becomes visible. You can enter the address by which the gateway partner is reached.
If you do not specify the PPTP Partner IP Address, the router will use the default gateway to reach the partner and the Tunnel Via Gateway field is hidden. If the partner should be reached via an alternate port (i.e., the LAN instead of the WAN), the Tunnel Via Gateway field allows this path to be resolved.
You can specify a Data Compression algorithm, either None or Standard LZS, for the PPTP connection.
Note: When the Authentication protocol is MS-CHAP, compression is set to None, and the Data Compression option is hidden.
From the pop-up menu select an Authentication protocol for the PPP connection. Options are PAP, CHAP, or
MS-CHAP. The default is PAP. The authentication protocol must be the same on both ends of the tunnel.
When the authentication protocol is MS-CHAP, you can specify a Data Encryption algorithm for the PPTP
connection. Available options are MPPE and None (the default). For other authentication protocols, this option is hidden. When MPPE is negotiated, the WAN Event History reports that it is negotiated as a CCP (compression) type. This is because the MPPE protocol uses a compression engine, even though it is not itself a compression protocol.
Note: The Netopia R910 Router supports 128-bit (“strong”) encryption and MS-CHAP Version 2. Unlike MS-CHAP version 1, which supports one-way authentication, MS-CHAP version 2 supports mutual authentication between connected routers and is incompatible with MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia router will start negotiating MS-CHAP-V2. If the router you are connecting to does not support MS-CHAP-V2, it will fall back to MS-CHAP-V1, or, if the router you are connecting to does not support MPPE at all, the PPP session will be dropped.
You can specify a Send Host Name which is used with Send Secret for authenticating with a remote PNS
when the profile is used for initiating a tunnel connection.
You must specify a Send Secret (the CHAP term for password), used for authenticating the tunnel when
initiating a tunnel connection.
You can specify a Receive Host Name which is used with the Receive Secret for authenticating a remote
PPTP client.
You must specify a Receive Secret, used for authenticating the remote PPTP client.
You can specify that this router will Initiate Connections (acting as a PAC) or only answer them (acting as a
PNS).
Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the
tunnel must be manually established via the call management screens or may be scheduled using the scheduled connections feature.
Some networks that use Microsoft Windows NT PPTP Network Servers require additional authentication
information, called Windows NT Domain Name, when answering PPTP tunnel connection requests. Not all Windows NT installations require this information, since not all such installations use this authentication feature. The Optional Windows NT Domain Name is not the same as the Internet domain name, but is the name of a group of servers that share common security policy and user account databases. Your PPTP tunnel partner’s administrator will supply this Windows NT Domain Name if it is required.
You can specify the Idle Timeout, an inactivity timer, whose expiration will terminate the tunnel. A value of
zero disables the timer. Because tunnels are subject to abrupt termination when the underlying datalink is torn down, use of the Idle Timeout is strongly encouraged.
Return to the Connection Profile screen by pressing Escape.
Select IP Profile Parameters and press Return.
The IP Profile Parameters screen appears.
IP Profile Parameters
Address Translation Enabled: Yes
NAT Map List... Easy-PAT
NAT Server List... Easy-Servers
Local WAN IP Address: 0.0.0.0
Remote IP Address: 173.167.8.10
Remote IP Mask: 255.255.0.0
Filter Set...
Remove Filter Set
Receive RIP: Both
Enter a subnet mask in decimal and dot form (xxx.xxx.xxx.xxx).
Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
Note: A peculiarity associated with VPNs is that when a PAC has NAT applied to a Connection Profile set for PPTP data link encapsulation, the PNS and devices behind it cannot Ping the PAC’s tunnel end-point IP address. This is because ICMP packets have no port association, and thus will be discarded rather than being processed by NAT.
Ordinarily, Ping is an excellent troubleshooting tool, but it will not be effective in this circumstance. Instead, use another TCP- or UDP-based network service for troubleshooting. Since the Netopia Router is capable of serving Telnet and HTTP, we recommend using these services instead of Ping.
Encryption Support
Encryption is a method for altering user data into a form that is unusable by anyone other than the intended recipient. The recipient must have the means to decrypt the data to render it usable to them. The encryption process protects the data by making it difficult for any third party to get at the original data.
Netopia PPTP is fully compatible with Microsoft Point-to-Point Encryption (MPPE) data encryption for user data transfer over the PPTP tunnel. Microsoft Windows NT Server provides MPPE encryption capability only when Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is enabled. Netopia complies with this feature to allow MPPE only when MS-CHAP is negotiated. MS-CHAP and MPPE are user-selectable options in the PPTP Tunnel Options screen. If either the client or the server side specifies encryption, then encryption becomes mandatory for both.
Netopia’s ATMP implementation supports Data Encryption Standard (DES) data encryption for user data transfer over the ATMP tunnel between two Netopia routers. The encryption option, None or DES, is a selectable option in the ATMP Tunnel Options screen.
MS-CHAP V2 and strong encryption
Notes:
The Netopia R910 Router supports 128-bit (“strong”) encryption. If the router you are connecting to does not support 128-bit encryption, the Netopia router will default to 40-bit encryption.
US encryption regulations changed mid-February, 2000, making it possible to include this new encryption feature as a standard part of the firmware. This means that, worldwide, the Netopia R910 Router, because it supports VPN, also supports 128-bit encryption for free, when using PPTP tunnels.
ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia routers you can optionally set 56-bit DES encryption.
Unlike MS-CHAP version 1, which supports one-way authentication, MS-CHAP version 2 supports mutual authentication between connected routers and is incompatible with MS-CHAP version 1 (MS-CHAPv1). When you choose MS-CHAP as the authentication method for a PPTP tunnel, the Netopia router will start negotiating MS-CHAPv2. If the router or VPN adapter client you are connecting to does not support MS-CHAPv2, the Netopia router will fall back to MS-CHAPv1, or, if the router or VPN adapter client you are connecting to does not support MPPE at all, the PPP session will be dropped. This is done automatically and transparently.

About IPsec Tunnels

IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement VPNs.
IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support the more secure Tunnel mode. The Netopia R910 offers IPsec DES encryption over the VPN tunnel.
DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key.
Configuration
IPsec tunnels are defined in the same manner as PPTP tunnels. You configure the Connection Profile as follows.
From the Main Menu navigate to WAN Configuration and then Add Connection Profile.
Main Menu > WAN Configuration > Add Connection Profile
The Add Connection Profile screen appears.
Add Connection Profile
Profile Name:                  Profile 1
Profile Enabled:               +-------------+
                               +-------------+
Data Link Encapsulation...     | PPP         |
                               | RFC1483     |
                               | ATMP        |
IP Enabled:                    | PPTP        |
IP Profile Parameters...       | IPsec       |
                               +-------------+
Interface Group... Primary
COMMIT CANCEL
From the Data Link Encapsulation pop-up menu select IPsec.
Then select Data Link Options. The IPsec Encryption & Authentication Options screen appears.
IPsec Encryption & Authentication Options
                               +----------------+
                               +----------------+
Encryption Transform...        | DES            |
Encryption Key:                | NULL           |****
                               |                |
                               +----------------+
Authentication Type...         ESP
Authentication Transform...    HMAC-MD5-96
Authentication Key:            ********************************
Compression Type...            None
COMMIT                         CANCEL
The screen offers the following Data Link Options for an IPsec Connection Profile.
You must specify an Encryption Transform. The choices are DES or NULL. The default is DES.
IPsec Encryption & Authentication Options
Encryption Transform... DES
Encryption Key 1:
Encryption Key 2:
Encryption Key 3:
Authentication Type... ESP
Authentication Transform... HMAC-MD5-96
Authentication Key: ********************************
Compression Type... None
COMMIT CANCEL
You must enter an Encryption Key or keys if the Encryption Transform is DES. The key must be a hexadecimal entry of eight bytes (16 bytes of input). No key entry appears if the encryption transform is NULL.
You must specify an Authentication Type. The default is ESP, and the choices are ESP, None, or AH. ESP
provides confidentiality over the IP payload and optional authentication of the IP payload and ESP header. AH (Authentication Header) provides authentication over the immutable parts of the IP header, AH header and the IP payload. ESP is preferred.
You must specify an Authentication Transform if the Authentication Type is anything other than None. The
default is HMAC-MD5-96, and the choices are HMAC-MD5-96 or HMAC-SHA1-96 for both AH and ESP.
You must specify an Authentication Key if the Authentication Type is anything other than None. The key
must be an ASCII string of up to 48 characters for both HMAC-MD5-96 and HMAC-SHA1-96.
Key: The key is a hexadecimal entry of 16 bytes (32 characters of input) for MD5 and 20 bytes (40 characters of input) for SHA1. It is not possible to view the Encryption Keys or Authentication Key once they have been set.
You can specify a Compression Type. The default is None.
Press COMMIT to return to the Add Connection Profile screen.
Note: The Connection Profile is copied to a temporary buffer while it is being modified. Only when the COMMIT button is selected will the profile be updated and the changes applied. This is true of all profiles regardless of encapsulation type.
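Because the keys cannot be viewed once set, it helps to generate and check them before typing them in. The following is an added example, not part of the Netopia manual or firmware: it uses the hexadecimal key lengths stated above (8 bytes for DES, 16 for HMAC-MD5-96, 20 for HMAC-SHA1-96). The function names, the fixed-pattern check and the DES weak-key list are assumptions of the example.

```python
import secrets
import string

# Key lengths in bytes for each transform, as given in the manual.
KEY_BYTES = {"DES": 8, "HMAC-MD5-96": 16, "HMAC-SHA1-96": 20}

# The four DES weak keys with their parity bits cleared (general DES
# knowledge, not something the manual lists).
DES_WEAK = {
    bytes.fromhex("0000000000000000"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F0F0F0F0"),
    bytes.fromhex("1E1E1E1E0E0E0E0E"),
}


def is_patterned(key):
    """True when consecutive bytes differ by a constant (00 00 .., 01 23 45 ..)."""
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    return len(steps) <= 1


def validate_key(transform, text):
    """Return a list of problems with a hex key typed for `transform`."""
    if transform == "NULL":
        return ["NULL transform takes no key"] if text else []
    if transform not in KEY_BYTES:
        return ["unknown transform %r" % transform]
    want = KEY_BYTES[transform]
    if any(c not in string.hexdigits for c in text):
        return ["key contains non-hexadecimal characters"]
    if len(text) != 2 * want:
        return ["expected %d hex characters (%d bytes), got %d"
                % (2 * want, want, len(text))]
    key = bytes.fromhex(text)
    problems = []
    if is_patterned(key):
        problems.append("key bytes follow a fixed pattern")
    # Compare with parity bits masked off so parity variants are caught too.
    if transform == "DES" and bytes(b & 0xFE for b in key) in DES_WEAK:
        problems.append("DES weak key")
    return problems


def generate_key(transform):
    """Draw a key of the right length from the OS CSPRNG, as upper-case hex."""
    while True:
        text = secrets.token_hex(KEY_BYTES[transform]).upper()
        if not validate_key(transform, text):
            return text


# Constructed sample entries, not real keys.
SAMPLES = [
    ("DES", "0123456789ABCDEF"),
    ("DES", "E1E1E1E1F0F0F0F0"),
    ("HMAC-MD5-96", "A" * 40),
]

if __name__ == "__main__":
    for transform, text in SAMPLES:
        print(transform, text, validate_key(transform, text) or "ok")
    for transform in KEY_BYTES:
        print(transform, "fresh key:", generate_key(transform))
```

Both tunnel partners need the same key values, so generate once and carry the result to the other end out of band.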
Select IP Profile Parameters.
IP Profile Parameters
The following IP Profile Options screen is displayed for an IPsec Connection Profile.
IP Profile Options
SPI (Security Parameters Index): 123456789
Remote Tunnel Endpoint Address: 0.0.0.0
Remote Members Network: 0.0.0.0
Remote Members Mask: 0.0.0.0
Address Translation Enabled: Yes
NAT Map List... Easy-PAT List
NAT Server List... Easy-Servers
PAT IP Address: 1.1.1.1
Filter Set... <<None>>
Remove Filter Set
Advanced IP Profile Options...
COMMIT CANCEL
You must specify an SPI (Security Parameters Index), which is the ESP receive side SPI and the default SPI for ESP transmit, AH receive, and AH transmit. It must be unique relative to any other configuration profile “ESP Receive SPIs.” (See “Advanced IP Profile Options” on page 10-84.)
You must specify a Remote Tunnel Endpoint Address. Specify the IP address of your tunnel partner, the endpoint of the tunnel. The Remote Tunnel Endpoint Address may be 0.0.0.0, which implies that the IPsec tunnel will not be established until packets are received on the SPI specified. At that time the tunnel will be bound to the Remote Tunnel Endpoint until traffic from the remote gateway ceases for a timeout period.
You must specify a Remote Members Network address. This specifies the subnet of the remote IPsec tunnel and will be used with the Remote Members Mask to determine and set the route.
You must specify a Remote Members Mask. This is the subnet mask of the remote subnet to which the IPsec tunnel will route.
You can specify Address Translation Enabled. For more information see Chapter 9, “IP Setup and Network Address Translation.” If Address Translation Enabled is set to Yes, you can specify the following three fields:
NAT Map List
NAT Server List
PAT IP Address
(Note: Since there is no protocol to derive this address, 0.0.0.0 is not permitted.)
You can specify a Filter Set. For more information see Chapter 13, “Security.”
You can remove a Filter Set.
You can choose to configure Advanced IP Profile Options (see “Advanced IP Profile Options,” in the following section).
Note: The SPI title field above changes to SPI (Security Parameters Index) -- Use Advanced IP Profile Options if any of the SPI values differ from each other.
Advanced IP Profile Options

Advanced IP Profile Options

ESP Receive SPI: 123456789
ESP Transmit SPI: 123456789
AH Receive SPI: 123456789
AH Transmit SPI: 123456789
Local Tunnel Endpoint Address: 0.0.0.0
Next Hop Gateway: 0.0.0.0
You can specify an ESP Receive SPI. The value must be unique over the set of all ESP SPIs specified for the remote tunnel endpoint.
You can specify an ESP Transmit SPI. The value must be unique over the set of all ESP SPIs specified for the remote tunnel endpoint.
You can specify an AH Receive SPI if AH authentication has been requested. The value must be unique over the set of all AH SPIs specified for the router.
You can specify an AH Transmit SPI if AH authentication has been requested. The value must be unique over the set of all AH SPIs specified for the remote tunnel endpoint.
You can specify a Local Tunnel Endpoint Address. If not 0.0.0.0, this value must be one of the assigned interface addresses, either WAN or LAN. This is used as the source address of all IPsec traffic.
You can specify a Next Hop Gateway. If you specify the Remote Tunnel Endpoint Address, and the address is in the same subnet as the Remote Members Network you specified in the IP Profile Parameters, the Next Hop Gateway option allows you to enter the address by which the gateway partner is reached.
If you do not specify the Remote Tunnel Endpoint Address, the router will use the default gateway to reach the partner. If the partner should be reached via an alternate port (for example, the LAN instead of the WAN), the Next Hop Gateway field allows this path to be resolved.
VPN Default Answer Profile
The WAN Configuration menu offers a VPN Default Answer Profile option. Use this selection when your router is acting as the server for VPN connections, that is, when you are on the answering end of the tunnel establishment. The VPN Default Answer Profile determines the way the attempted tunnel connection is answered.
WAN Configuration
WAN (Wide Area Network) Setup...
Display/Change Connection Profile...
Add Connection Profile...
Delete Connection Profile...
WAN Default Profile...
VPN Default Answer Profile...
Frame Relay Configuration...
Frame Relay DLCI Configuration...
Establish WAN Connection...
Disconnect WAN Connection...
From here you will configure yours and the remote sites' WAN information.
To set the parameters under which the router will answer attempted VPN connections, select VPN Default Answer Profile and press Return. The Default VPN Profile screen appears.
Default VPN Profile
Answer VPN connections: No
PPTP Configuration Options:
Receive Authentication... PAP
Data Compression... None
Configure Default VPN Connection Parameters here.
Toggle Answer VPN Connections to Yes if you want the router to accept VPN connections or No (the default) if you do not. This applies to both ATMP and PPTP connections.
For PPTP tunnel connections only, you must define what type of authentication these connections will use.
Select Receive Authentication and press Return. A pop-up menu offers the following options: PAP (the default), CHAP, or MS-CHAP.
If you chose PAP or CHAP authentication, from the Data Compression pop-up menu select either None (the default) or Standard LZS.
If you chose MS-CHAP authentication, the Data Compression option is not required, and this menu item becomes hidden.
Interoperation with other features
Address serving is not supported through IPsec Tunnels.
AH is not supported through an interface that has NAT applied to it. NAT may be applied to the inner payload.
AH is not supported through an interface which is either Unnumbered or Numbered with a dynamically assigned address unless the Local Tunnel Endpoint address is specified in the Advanced IP Profile Options screen.
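The rules in the IP Profile Options, Advanced IP Profile Options and interoperation notes above can be checked before a profile is committed. The sketch below is an added example, not Netopia code: the dictionary keys (including `wan_nat` and `wan_dynamic` for the outer interface) are hypothetical names for the screen fields, the sample profiles are constructed, and the reserved SPI range comes from RFC 2406 rather than from this manual.

```python
import ipaddress
from collections import defaultdict

ZERO = "0.0.0.0"


def mask_to_prefix(mask):
    """Prefix length of a dotted mask, or None if its 1-bits are not contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    return bin(m).count("1") if inv & (inv + 1) == 0 else None


def lint_profiles(profiles):
    """Check IPsec profiles against the manual's rules.

    Each profile is a dict whose keys are hypothetical names for the screen
    fields. Returns a list of (profile name, finding) tuples.
    """
    findings = []
    # The ESP Receive SPI must be unique across all configured profiles.
    owners = defaultdict(list)
    for p in profiles:
        owners[p["esp_rx_spi"]].append(p["name"])
    for spi, names in owners.items():
        if len(names) > 1:
            findings += [(n, "ESP Receive SPI %d is not unique" % spi) for n in names]

    for p in profiles:
        out = []
        # RFC 2406 (not the manual): SPI 0 is local-use, 1-255 are reserved.
        if p["esp_rx_spi"] < 256:
            out.append("ESP Receive SPI is in the reserved range 0-255")
        if p["remote_endpoint"] == ZERO:
            out.append("Remote Tunnel Endpoint 0.0.0.0: tunnel binds only "
                       "when packets arrive on the SPI")
        prefix = mask_to_prefix(p["remote_mask"])
        if prefix is None:
            out.append("Remote Members Mask is not a contiguous mask")
        else:
            try:
                net = ipaddress.ip_network("%s/%d" % (p["remote_network"], prefix))
            except ValueError:
                out.append("Remote Members Network has host bits set")
            else:
                inside = (p["remote_endpoint"] != ZERO and
                          ipaddress.ip_address(p["remote_endpoint"]) in net)
                if inside and p["next_hop"] == ZERO:
                    out.append("tunnel endpoint lies inside %s: set Next Hop "
                               "Gateway" % net)
        if p["nat_enabled"] and p["pat_address"] == ZERO:
            out.append("PAT IP Address 0.0.0.0 is not permitted")
        if p["auth_type"] == "AH":
            if p["wan_nat"]:
                out.append("AH is not supported through an interface with NAT")
            if p["wan_dynamic"] and p["local_endpoint"] == ZERO:
                out.append("AH on an unnumbered or dynamic interface needs a "
                           "Local Tunnel Endpoint Address")
        findings += [(p["name"], msg) for msg in out]
    return findings


def profile(name, **fields):
    """Build a profile dict; defaults mirror the screens' 0.0.0.0 / ESP defaults."""
    base = dict(name=name, auth_type="ESP", esp_rx_spi=0, remote_endpoint=ZERO,
                remote_network=ZERO, remote_mask=ZERO, nat_enabled=False,
                pat_address=ZERO, local_endpoint=ZERO, next_hop=ZERO,
                wan_nat=False, wan_dynamic=False)
    base.update(fields)
    return base


# Constructed sample profiles (documentation and private address ranges).
SAMPLE = [
    profile("HQ", esp_rx_spi=4096, remote_endpoint="203.0.113.10",
            remote_network="10.20.0.0", remote_mask="255.255.0.0",
            nat_enabled=True, pat_address="198.51.100.7"),
    profile("Branch", esp_rx_spi=4096, auth_type="AH", wan_dynamic=True,
            remote_endpoint="10.30.0.1", remote_network="10.30.0.0",
            remote_mask="255.255.255.0", nat_enabled=True),
    profile("Lab", esp_rx_spi=123, remote_network="10.40.0.0",
            remote_mask="255.0.255.0"),
]

if __name__ == "__main__":
    for name, msg in lint_profiles(SAMPLE):
        print("%-7s %s" % (name, msg))
```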
VPN QuickView
You can view the status of your VPN connections in the VPN QuickView screen.
From the Main Menu select QuickView and then VPN QuickView.
Main Menu > QuickView > VPN QuickView
The VPN QuickView screen appears.

VPN Quick View

Profile Name----------Type--Rx Pckts--Tx Pckts------Est.-Partner Address------
HA <-> FA1 (Jony Fon  ATMP        99        99      Rmt  173.166.82.8
HA <-> FA3 (Sleve M.  ATMP        13        14      Rmt  63.193.117.91
Profile Name: Lists the name of the Connection Profile being used, if any.
Type: Shows the data link encapsulation method (PPTP or ATMP).
Rx Pckts: Shows the number of packets received via the VPN tunnel.
Tx Pckts: Shows the number of packets transmitted via the VPN tunnel.
Est: Indicates whether the connection was locally (“Lcl”) or remotely (“Rmt”) established.
Partner Address: Shows the tunnel partner’s IP address.
Dial-Up Networking for VPN
Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely. Netopia Routers also can serve as a PAC at the workstation's site, making it unnecessary for the standalone workstation to initiate the tunnel. In such a case, the Dial-Up Networking software is not required, since the Netopia Router initiates the tunnel.
This section is provided for users who may require the VPN client software for Dial-Up Networking in order to connect to an ISP who provides a PPTP account.
Microsoft Windows Dial-Up Networking (DUN) is the means by which you can initiate a VPN tunnel between your individual remote client workstation and a private network such as your corporate LAN via the Internet. DUN is a software adapter that allows you to establish a tunnel.
DUN is a free add-on available for Windows 95, and comes standard with Windows 98 and Windows NT. The VPN tunnel behaves as a private network connection, unrelated to other traffic on the network. Once you have installed Dial-Up Networking, you will be able to connect to your remote site as if you had a direct private connection, regardless of the intervening network(s) through which your data passes. You may need to install the Dial-Up Networking feature of Windows 95, 98, or 2000 to take advantage of the virtual private networking feature of your Netopia router.
Note: For the latest information and tech notes on Dial-Up Networking and VPNs be sure to visit the Netopia website at http://www.netopia.com and, for the latest software and release notes, the Microsoft website at http://www.microsoft.com.
Installing Dial-Up Networking
Check to see if Dial-Up Networking is already installed on your PC. Open your My Computer (or whatever you have named it) icon on your desktop. If there is a folder named Dial-Up Networking, you don’t have to install it. If there is no such folder, you must install it from your system disks or CD-ROM. Do the following:
1. From the Start menu, select Settings and then Control Panel.
2. In the Control Panel window, double-click the Add/Remove Programs icon.
The Add/Remove Programs Properties window appears.
3. Click the Windows Setup tab.
4. Double-click Communications.
The Communications window appears.
5. In the Communications window, select Dial-Up Networking and click the OK button.
This returns you to the Windows Setup screen. Click the OK button.
6. Respond to the prompts to install Dial-Up Networking from the system disks or CD-ROM.
7. When prompted, reboot your PC.
Creating a new Dial-Up Networking profile
A Dial-Up Networking profile is like an address book entry that contains the information and parameters you need for a secure private connection. You can create this profile by using either the Internet Connection Wizard or the Make New Connection feature of Dial-Up Networking. The following instructions tell you how to create the profile with the Make New Connection feature. Do the following:
1. Double-click the My Computer (or whatever you have named it) icon on your desktop.
Open the Dial-Up Networking folder, and then double-click Make New Connection. The Make New Connection wizard window appears.
2. Type a name for this connection (such as the name of your company or the computer you are dialing into).
From the pull-down menu, select the device you intend to use for the virtual private network connection. This can be any device you have installed or connected to your PC. Click the Next button. A screen appears with fields for you to enter telephone numbers for the computer you want to connect to.
3. Type the directory number or the Virtual Circuit Identifier number.
This number is provided by your ISP or corporate administrator. Depending on the type of device you are using, the number may or may not resemble an ordinary telephone directory number.
4. Click the Next button.
The final window will give you a chance to accept or change the name you have entered for this profile. If you are satisfied with it, click the Finish button. Your profile is complete.
Configuring a Dial-Up Networking profile
Once you have created your Dial-Up Networking profile, you configure it for TCP/IP networking to allow you to connect to the Internet through your Internet connection device. Do the following:
1. Double-click the My Computer (or whatever you have named it) icon on your desktop.
Open the Dial-Up Networking folder. You will see the icon for the profile you created in the previous section.
2. Right-click the icon and from the pop-up menu select Properties.
3. In the Properties window click the Server Type button.
From the Type of Dial-up Server pull-down menu select the appropriate type of server for your system version:
Windows 95 users select PPP: Windows 95, Windows NT 3.5, Internet
Windows 98 users select PPP: Windows 98, Windows NT Server, Internet
In the Allowed network protocols area check TCP/IP and uncheck all of the other checkboxes.
Note: Netopia’s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols.
4. Click the TCP/IP Settings button.
If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address radio button.
If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your assigned IP address in the fields provided. Also enter the IP address in the Primary and Secondary DNS fields.
5. Click the OK button in this window and the next two windows.
Installing the VPN Client
Before installing the VPN Client you must have TCP/IP installed and have an established Internet connection.
Windows 95 VPN installation
1. From your Internet browser navigate to the following URL:
http://www.microsoft.com/NTServer/nts/downloads/recommended/dunl3win95/releasenotes.aso
Download the Microsoft Windows 95 VPN patch dun 1.3 to the Windows 95 computer you intend to use as a VPN client with PPTP. Follow the installation instructions.
2. From the Windows 95 Start menu select Settings, then Control Panel and click once.
The Control Panel screen appears.
3. Double-click Add/Remove Programs.
The Add/Remove Programs screen appears.
4. Click the Windows Setup tab.
The Windows Setup screen will be displayed within the top center box.
5. Highlight Communications and double-click.
This displays a list of possible selections for the communications option. Active components will have a check in the checkboxes to their left.
6. Check Dial Up Networking at the top of the list and Virtual Private Networking at the bottom of the list.
7. Click OK at the bottom right on each screen until you return to the Control Panel. Close the Control Panel by clicking the upper right corner X.
8. Double-click the My Computer icon (normally at the left upper corner of the screen).
This will display the devices within My Computer. Scroll down the list to Dial-Up Networking and double-click it.
9. Double-click Make New Connection.
This displays the Make New Connection installation screen. In this screen you will see a box labelled Select a device. From the pull-down menu to the right, select Microsoft VPN Adapter.
Click the Next button at the bottom of the screen.
This displays the VPN Host screen. In the box to the top center of the screen enter your VPN server’s IP address (for example, 192.168.xxx.xxx; this is not a proper Internet address).
Windows 98 VPN installation
1. From the Windows 98 Start menu select Settings, then Control Panel and click once.
The Control Panel screen appears.
2. Double-click Add/Remove Programs.
The Add/Remove Programs screen appears.
3. Click the Windows Setup tab.
The Windows Setup screen will be displayed within the top center box.
4. Double-click Communications.
This displays a list of possible selections for the communications option. Active components will have a check in the checkboxes to their left.
5. Check Dial Up Networking at the top of the list and Virtual Private Networking at the bottom of the list.
6. Click OK at the bottom right on each screen until you return to the Control Panel. Close the Control Panel by clicking the upper right corner X.
7. Double-click the My Computer icon (normally at the left upper corner of the screen).
This will display the devices within My Computer. Scroll down the list to Dial-Up Networking and double-click it.
8. Double-click Make New Connection.
This displays the Make New Connection installation screen. In this screen you will see a box labelled Select a device. From the pull-down menu to the right, select Microsoft VPN Adapter.
Click the Next button at the bottom of the screen.
This displays the VPN Host screen. In the box to the top center of the screen enter your VPN server’s IP address (for example, 192.168.xxx.xxx; this is not a proper Internet address).
Connecting using Dial-Up Networking
A Dial-Up Networking connection will be automatically launched whenever you run a TCP/IP application, such as a Web browser or email client. When you first run the application a Connect To dialog box appears in which you enter your User name and Password. If you check the Save password checkbox, the system will remember your User name and Password, and you won’t be prompted for them again.
About ATMP Tunnels
To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them. You use the same procedure to initiate or terminate an ATMP tunnel. Used in this way, the terms initiate and terminate mean the beginning and end of the tunnel; they do not mean activate and deactivate.
ATMP is a tunneling protocol, with two basic aspects. Tunnels are created and torn down using a session protocol that is UDP-based. User (or client) data is transferred across the tunnel by encapsulating the client data within Generic Routing Encapsulation (GRE). The GRE data is then routed using standard methods.
ATMP configuration
ATMP is a Datalink Encapsulation option in Connection Profiles. It is not an option in device or link configuration screens, since ATMP is not a native encapsulation. The Easy Setup Profile does not offer ATMP datalink encapsulation.
Note: The Netopia R910 Router has access to Connection Profiles for tunnelling purposes. If the PPP dialup kit is not installed, you cannot use PPP as a datalink encapsulation, and have access only to ATMP and PPTP. If the kit is installed you also have access to PPP.
The WAN Event History screens will report VPN tunnel events, such as connections and disconnections, as Channel 4 (and higher) events.
To define an ATMP tunnel, navigate to the Add Connection Profile menu from the Main Menu.
Main Menu > WAN Configuration > Add Connection Profile
Add Connection Profile
Profile Name:                      Profile 1
Profile Enabled:                   +-------------+
                                   +-------------+
Data Link Encapsulation...         | PPP         |
Data Link Options...               | Frame Relay |
                                   | ATM FUNI    |
IP Enabled:                        | ATMP        |
IP Profile Parameters...           | PPTP        |
                                   +-------------+
COMMIT CANCEL
When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears.
ATMP Tunnel Options
ATMP Partner IP Address: 173.167.8.134
Tunnel Via Gateway: 0.0.0.0
Network Name: sam.net
Password: ****
Data Encryption... DES
Key String:
Initiate Connections: Yes
On Demand: Yes
Idle Timeout (seconds): 300
Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
In this Screen you will configure the GRE/ATMP specific connection params.
Note: An ATMP tunnel cannot be assigned a dynamic IP address by the remote server, as in a PPP connection. When you define an ATMP tunnel profile, the Local WAN IP Address, assigned in the IP Profile Parameters screen, must be the true IP address, not 0.0.0.0, if NAT is enabled.
Note: Profiles using ATMP do not offer a Telco Options screen.
ATMP Partner IP Address specifies the address of the other end of the tunnel. When unspecified, the gateway cannot initiate tunnels (i.e., act as a foreign agent) for this profile; it can only accept tunnel requests as a home agent.
When you specify the ATMP Partner IP Address, and the address is in the same subnet as the Remote IP Address you specified in the IP Profile Parameters, you can specify the route (Tunnel Via Gateway) by which the gateway partner is reached. If you do not specify the ATMP Partner IP Address, the router will use the default gateway to reach the partner and the Tunnel Via Gateway field is hidden. If the partner should be reached via an alternate port (i.e., the LAN instead of the WAN), the Tunnel Via Gateway field allows this path to be resolved.
You can specify a Network Name. When the tunnel partner is another Netopia router, this name may be used to match against a Connection Profile. When the partner is an Ascend router in Gateway mode, then Network Name is used by the Ascend router to match a gateway profile. When the partner is an Ascend router in Router mode, leave this field blank.
You must specify a Password, used for authenticating the tunnel.
Note: The Password entry will be the same for both ends of the tunnel.
For Netopia-to-Netopia connections only, you can specify a Data Encryption algorithm for the ATMP connection from the pop-up menu, either DES or None. None is the default.
Note: Ascend does not support DES encryption for ATMP tunnels.
You must specify an 8-byte Key String when DES is selected. When encryption is None, this field is invisible.
You can specify that this router will Initiate Connections, acting as a foreign agent (Yes), or only answer them, acting as a home agent (No).
Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established through the call management screens.
You can specify the Idle Timeout, an inactivity timer, whose expiration will terminate the tunnel. A value of zero disables the timer. Because tunnels are subject to abrupt termination when the underlying datalink is torn down, use of the Idle Timeout is strongly encouraged.
Return to the Connection Profile screen by pressing Escape.
Select IP Profile Parameters and press Return. The IP Profile Parameters screen appears.
IP Profile Parameters
Address Translation Enabled: Yes
NAT Map List... Easy-PAT
NAT Server List... Easy-Servers
Local WAN IP Address: 0.0.0.0
Remote IP Address: 173.167.8.10
Remote IP Mask: 255.255.0.0
Filter Set...
Remove Filter Set
Receive RIP: Both
Enter a subnet mask in decimal and dot form (xxx.xxx.xxx.xxx).
Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
Note: A peculiarity associated with VPNs is that when a foreign agent has NAT applied to a Connection Profile set for ATMP data link encapsulation, the home agent and devices behind it cannot Ping the foreign agent's tunnel end-point IP address. This is because ICMP packets have no port association, and thus will be discarded rather than being processed by NAT.
Ordinarily, Ping is an excellent troubleshooting tool, but it will not be effective in this circumstance. Instead, use another TCP- or UDP-based network service for troubleshooting. Since the Netopia Router is capable of serving Telnet and HTTP, we recommend using these services instead of Ping.
Allowing VPNs through a Firewall
An administrator interested in securing a network will usually combine the use of VPNs with the use of a firewall or some similar mechanism. This is because a VPN is not a complete security solution, but rather a component of overall security. Using a VPN will add security to transactions carried over a public network, but a VPN alone will not prevent a public network from infiltrating a private network. Therefore, you should combine use of a firewall with VPNs, where the firewall will secure the private network from infiltration from a public network, and the VPN will secure the transactions that must cross the public network.
A strict firewall may not be provisioned to allow VPN traffic to pass back and forth as needed. In order to ensure that a firewall will allow a VPN, certain attributes must be added to the firewall's provisioning. The provisions necessary vary slightly between ATMP and PPTP, but both protocols operate on the same basic premise: there are control and negotiation operations, and there is the tunnelled traffic that carries the payload of data between the VPN endpoints. The difference is that ATMP uses UDP to handle control and negotiation, while PPTP uses TCP. Then both ATMP and PPTP use GRE to carry the payload.
For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 must be allowed. Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for port 5150 must be allowed. Source ports are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both require a firewall to allow GRE bi-directionally.
The following sections illustrate a sample filtering setup to allow either PPTP or ATMP traffic to cross a firewall:
“PPTP example” on page 10-99
“ATMP example” on page 10-102
Make your own appropriate substitutions. For more information on filters and firewalls, see Chapter 13, “Security.”
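The port and protocol requirements above can be exercised against sample traffic before they are entered on the router. This is an added example, not Netopia code: it models a filter set as a list of rows and runs constructed IPv4 packets through it. First-match evaluation, the no-match default and the dictionary field names are assumptions of the model.

```python
import socket
import struct

PROTO = {"TCP": 6, "UDP": 17, "GRE": 47}  # IANA IP protocol numbers


def make_packet(proto, src, dst, sport=0, dport=0):
    """Constructed test input: 20-byte IPv4 header, plus ports for TCP/UDP."""
    l4 = struct.pack("!HH", sport, dport) if proto in ("TCP", "UDP") else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                      PROTO[proto], 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def parse_packet(raw):
    """Extract the fields a filter compares: protocol, addresses, ports."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src, dst = struct.unpack("!II", raw[12:20])
    sport = dport = None
    if proto in (PROTO["TCP"], PROTO["UDP"]) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def ip_int(dotted):
    """Dotted-quad address as a 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def matches(f, pkt):
    """One filter row: masked address compare, protocol, optional port compare."""
    if not f.get("enabled", True) or PROTO[f["proto"]] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        addr, mask = f.get(side, ("0.0.0.0", "0.0.0.0"))
        if (pkt[side] ^ ip_int(addr)) & ip_int(mask):
            return False
    for key in ("sport", "dport"):
        want = f.get(key)  # None models "No Compare"
        if want is not None and pkt[key] != want:
            return False
    return True


def evaluate(filters, raw, default_forward=False):
    """Return (matching filter number or None, forwarded?).

    First-match ordering and the no-match default are assumptions of this model.
    """
    pkt = parse_packet(raw)
    for number, f in enumerate(filters, start=1):
        if matches(f, pkt):
            return number, f["forward"]
    return None, default_forward


# The two rows used in the manual's PPTP example, and the ATMP equivalent
# built from the UDP port 5150 requirement stated in the text.
PPTP_SET = [{"proto": "TCP", "dport": 1723, "forward": True},
            {"proto": "GRE", "forward": True}]
ATMP_SET = [{"proto": "UDP", "dport": 5150, "forward": True},
            {"proto": "GRE", "forward": True}]

# Constructed packets (documentation addresses).
TO_SERVER = make_packet("TCP", "198.51.100.20", "203.0.113.1", 49152, 1723)
FROM_SERVER = make_packet("TCP", "203.0.113.1", "198.51.100.20", 1723, 49152)
TUNNEL = make_packet("GRE", "198.51.100.20", "203.0.113.1")
ATMP_CTRL = make_packet("UDP", "198.51.100.20", "203.0.113.1", 40000, 5150)
TELNET = make_packet("TCP", "198.51.100.20", "203.0.113.1", 49153, 23)

if __name__ == "__main__":
    for label, raw in [("to server", TO_SERVER), ("from server", FROM_SERVER),
                       ("GRE payload", TUNNEL), ("ATMP control", ATMP_CTRL),
                       ("telnet", TELNET)]:
        print("%-12s PPTP set: %s" % (label, evaluate(PPTP_SET, raw)))
```

In this model the return-direction control segment (source port 1723, dynamic destination port) matches neither row, so its fate depends on the other filters in the set or on the default action.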
PPTP example
To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723. The source port may be dynamic, so often it is not useful to apply a compare function upon this portion of the control/negotiation packets. You must also set the firewall to allow inbound and outbound GRE packets, enabling transport of the tunnel payload.
From the Main Menu navigate to Display/Change IP Filter Set, and from the pop-up menu select Basic Firewall.
Main Menu > System Configuration > Filter Sets > IP Filter Sets > Display/Change IP Filter Set > Basic Firewall
Select Display/Change Input Filter.
Display/Change Input Filter screen
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0.0.0.0           0.0.0.0           TCP   NC       =1723   Yes Yes |
| 2    0.0.0.0           0.0.0.0           GRE   --       --      Yes Yes |
|                                                                         |
For Input Filter 1 set the Destination Port information as shown below.
Change Input Filter 1
Enabled: Yes
Forward: Yes
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 1723
Established TCP Conns. Only: No
For Input Filter 2 set the Protocol Type to allow GRE as shown below.
Change Input Filter 2
Enabled: Yes
Forward: Yes
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: GRE
In the Display/Change IP Filter Set screen select Display/Change Output Filter.
Display/Change Output Filter screen
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0.0.0.0           0.0.0.0           TCP   NC       =1723   Yes Yes |
| 2    0.0.0.0           0.0.0.0           GRE   --       --      Yes Yes |
For Output Filter 1 set the Protocol Type and Destination Port information as shown below.
Change Output Filter 1
Enabled: Yes
Forward: Yes
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 1723
Established TCP Conns. Only: No