Planet Technology GRT-504 User Manual

4-Wire G.SHDSL.bis
Firewall Router
GRT-504
User’s Manual
Copyright
Copyright© 2008 by PLANET Technology Corp. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise, without the prior written permission of PLANET. PLANET makes no representations or warranties, either expressed or implied, with respect to the contents hereof and specifically disclaims any warranties, merchantability or fitness for any particular purpose. Any software described in this manual is sold or licensed "as is". Should the programs prove defective following their purchase, the buyer (and not this company, its distributor, or its dealer) assumes the entire cost of all necessary servicing, repair, and any incidental or consequential damages resulting from any defect in the software. Further, this company reserves the right to revise this publication and to make changes from time to time in the contents hereof without obligation to notify any person of such revision or changes. All brand and product names mentioned in this manual are trademarks and/or registered trademarks of their respective holders.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
CE mark Warning
This is a Class B device. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
Federal Communication Commission Interference Statement
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio technician for help.
FCC Caution:
To assure continued compliance, use only shielded interface cables when connecting to computer or peripheral devices. Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
R&TTE Compliance Statement
This equipment complies with all the requirements of Directive 1999/5/EC of the European Parliament and the Council of 9 March 1999 on radio equipment and telecommunication terminal equipment and the mutual recognition of their conformity (R&TTE). The R&TTE Directive repeals and replaces Directive 98/13/EEC (Telecommunications Terminal Equipment and Satellite Earth Station Equipment) as of April 8, 2000.
WEEE Caution
To avoid the potential effects on the environment and human health of the hazardous substances present in electrical and electronic equipment, end users of such equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE must be collected separately.
Safety
This equipment is designed with the utmost care for the safety of those who install and use it. However, special attention must be paid to the dangers of electric shock and static electricity when working with electrical equipment. All guidelines in this manual and those of the computer manufacturer must therefore be followed at all times to ensure the safe use of the equipment.
Customer Service
For information on customer service and support for the GRT-504, please refer to the following Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
♦ The GRT-504 serial number and MAC address
♦ Any error messages displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
Revision
User’s Manual for PLANET 4-Wire G.SHDSL.bis Firewall Router
Model: GRT-504
Rev: 1.0 (Sep. 2008)
Part No. EM-GRT504v1
Table of Contents
1 DESCRIPTIONS...............................................................................................................................7
1.1 FEATURES .....................................................................................................................................7
1.2 SPECIFICATION..............................................................................................................................9
1.3 APPLICATIONS.............................................................................................................................11
2 GETTING TO KNOW ABOUT THE ROUTER............................................................................12
2.1 FRONT PANEL..............................................................................................................................12
2.2 REAR PANEL ...............................................................................................................................13
2.3 SHDSL.BIS LINE CONNECTOR....................................................................................................14
2.4 CONSOLE CABLE.........................................................................................................................14
3 GETTING TO KNOW FIREWALL FEATURE.............................................................................15
3.1 INTRODUCTION ...........................................................................................................................15
3.2 TYPES OF FIREWALL....................................................................................................................16
3.2.1 Packet Filtering.....................................................................................................................16
3.2.2 Circuit Gateway.....................................................................................................................17
3.2.3 Application Gateway.............................................................................................................18
3.3 DENIAL OF SERVICE ATTACK.......................................................................................................19
4 GETTING TO KNOW VLAN FEATURE ......................................................................................21
4.1 SPECIFICATION............................................................................................................................21
4.2 FRAME SPECIFICATION................................................................................................................21
4.3 APPLICATIONS.............................................................................................................................22
5 CONFIGURATION TO THE ROUTER.........................................................................................25
5.1 CHECK LIST ................................................................................................................................25
5.2 INSTALL THE SHDSL.BIS ROUTER ..............................................................................................27
6 CONFIGURATION VIA WEB BROWSER ...................................................................................28
6.1 BASIC SETUP...............................................................................................................................32
6.1.1 Bridge Mode..........................................................................................................................32
6.1.2 Routing Mode........................................................................................................................35
6.1.3 Reference diagram.................................................................................................................44
6.2 ADVANCED SETUP.......................................................................................................................46
6.2.1 SHDSL.bis .............................................................................................................................46
6.2.1.1 Annex Type................................................................................................................................46
6.2.1.2 Line Type ................................................................................................................................... 47
6.2.1.3 TCPAM Type .............................................................................................................................48
6.2.1.4 Data Rate.................................................................................................................................... 48
6.2.1.5 SNR Margin...............................................................................................................................49
6.2.2 WAN.......................................................................................................................................50
6.2.3 Bridge....................................................................................................................................53
6.2.4 VLAN.....................................................................................................................................55
6.2.4.1 802.1Q Tag-Based VLAN..........................................................................................................56
6.2.4.2 Port-Based VLAN......................................................................................................................56
6.2.5 STP........................................................................................................................................58
6.2.6 Route .....................................................................................................................................59
6.2.7 NAT/DMZ..............................................................................................................................62
6.2.7.1 Multi-DMZ.................................................................................................................................64
6.2.7.2 Mutli-NAT..................................................................................................................................64
6.2.8 Virtual Server ........................................................................................................................65
6.2.9 Firewall.................................................................................................................................67
6.2.9.1 Basic Firewall Security..............................................................................................................68
6.2.9.2 Automatic Firewall Security.......................................................................................................69
6.2.9.3 Advanced Firewall Security.......................................................................................................70
6.2.10 IP QoS ..............................................................................................................................74
6.3 STATUS........................................................................................................................................77
6.3.1 SHDSL.bis .............................................................................................................................78
6.3.2 LAN .......................................................................................................................................79
6.3.3 WAN.......................................................................................................................................80
6.3.4 ROUTE..................................................................................................................................81
6.3.5 INTERFACE ..........................................................................................................................82
6.3.6 FIREWALL ............................................................................................................................83
6.3.7 IP QoS...................................................................................................................................84
6.3.8 STP........................................................................................................................................85
6.4 ADMINISTRATION........................................................................................................................87
6.4.1 Security..................................................................................................................................87
6.4.2 SNMP ....................................................................................................................................89
6.4.2.1 Community pool.........................................................................................................................89
6.4.2.2 Trap host pool.............................................................................................................................90
6.4.3 Time Sync...............................................................................................................................91
6.4.3.1 Synchronization with PC............................................................................................................ 91
6.4.3.2 SNTP v4.0.................................................................................................................................. 92
6.5 UTILITY ......................................................................................................................................93
6.5.1 System Info ............................................................................................................................93
6.5.2 Config Tool............................................................................................................................94
6.5.2.1 Load Factory Default ................................................................................................................. 95
6.5.2.2 Restore Configuration................................................................................................................95
6.5.2.3 Backup Configuration................................................................................................................95
6.5.3 Upgrade.................................................................................................................................96
6.5.4 Logout....................................................................................................................................97
6.5.5 Restart ...................................................................................................................................97
6.6 EXAMPLE....................................................................................................................................99
6.6.1 LAN-to-LAN connection with bridge Mode...........................................................................99
6.6.1.1 CO side.......................................................................................................................................99
6.6.1.2 CPE Side..................................................................................................................................100
6.6.2 LAN to LAN connection with routing mode.........................................................................101
6.6.2.1 CO Side....................................................................................................................................101
6.6.2.2 CPE side................................................................................................................................... 102
7 CONFIGURATION VIA SERIAL CONSOLE OR TELNET WITH MENU DRIVEN INTERFACE .............................................................................................................................................105
7.1 INTRODUCTION .........................................................................................................................105
7.1.1 Serial Console.....................................................................................................................105
7.1.2 Telnet ...................................................................................................................................105
7.1.3 Operation Interface.............................................................................................................106
7.1.4 Window structure.................................................................................................................106
7.1.5 Menu Driven Interface Commands......................................................................................107
7.2 MAIN MENU BEFORE ENABLE....................................................................................................108
7.3 ENABLE.....................................................................................................................................109
7.4 STATUS......................................................................................................................................110
7.4.1 Shdsl.bis...............................................................................................................................110
7.4.2 Wan...................................................................................................................................... 111
7.4.3 Route ................................................................................................................................... 111
7.4.4 Interface ..............................................................................................................................112
7.4.5 Firewall...............................................................................................................................112
7.4.6 IP_QoS................................................................................................................................113
7.4.7 STP......................................................................................................................................114
7.5 SHOW........................................................................................................................................115
7.5.1 System information..............................................................................................................115
7.5.2 Configuration information................................................................................................... 115
7.5.3 Configuration with Script format ........................................................................................ 119
7.6 WRITE.......................................................................................................................................122
7.7 REBOOT ....................................................................................................................................123
7.8 PING..........................................................................................................................................124
7.9 ADMINISTRATION......................................................................................................................125
7.9.1 User Profile.........................................................................................................................125
7.9.2 Security................................................................................................................................126
7.9.3 SNMP ..................................................................................................................................127
7.9.4 Supervisor Password and ID...............................................................................................128
7.9.5 SNTP ...................................................................................................................................129
7.10 UTILITY ....................................................................................................................................131
7.10.1 Upgrade..........................................................................................................................131
7.10.2 Backup............................................................................................................................131
7.10.3 Restore............................................................................................................................132
7.11 EXIT..........................................................................................................................................133
7.12 SETUP .......................................................................................................................................134
7.12.1 Mode...............................................................................................................................134
7.12.2 SHDSL.bis ......................................................................................................................134
7.12.3 WAN................................................................................................................................135
7.12.4 Bridge.............................................................................................................................137
7.12.5 VLAN..............................................................................................................................138
7.12.6 802.1Q VLAN..................................................................................................................138
7.12.7 STP.................................................................................................................................139
7.12.8 Route...............................................................................................................................139
7.12.9 LAN.................................................................................................................................141
7.12.10 IP share...........................................................................................................................141
7.12.10.1 NAT.......................................................................................................................................... 141
7.12.10.2 PAT ........................................................................................................................................... 143
7.12.10.3 DMZ.........................................................................................................................................144
7.12.11 Firewall ..........................................................................................................................145
7.12.11.1 Firewall security level..............................................................................................................145
7.12.11.2 Packet Filtering ........................................................................................................................ 145
7.12.11.3 DoS Protection ......................................................................................................................... 146
7.12.12 IPQoS .............................................................................................................................148
7.12.13 DHCP.............................................................................................................................149
7.12.14 DNS proxy.......................................................................................................................150
7.12.15 Host name.......................................................................................................................150
7.12.16 Default............................................................................................................................150

1 Descriptions

The GRT-504, the newest member of PLANET’s SHDSL family, is a G.SHDSL.bis router that complies with the ITU-T G.991.2 standard and provides an affordable, flexible and efficient Internet access solution for SOHO and small-to-medium business environments. It supports business-class symmetric data rates from 384 Kbps to 11.4 Mbps (4-wire) and can also be used as a LAN-to-LAN link over existing copper telephone wire at distances of up to 6.7 km (4.2 miles).
The GRT-504 integrates high-end bridging/routing capabilities with advanced firewall, QoS, DMZ, Virtual Server and VPN pass-through functions. As networks grow, Virtual LANs have become an increasingly important internetworking feature; the GRT-504 supports IEEE 802.1Q and port-based VLAN over the ATM network.
With built-in Simple Network Management Protocol (SNMP) and web-based management, the GRT-504 offers an easy-to-use, platform-independent management and configuration facility. It also provides a command-line interface that can be accessed via Telnet and the console port, so the network administrator can manage the device by whichever method is appropriate. Note that Telnet and SNMPv1/v2 carry passwords and community strings in cleartext, so management access should be restricted to a trusted LAN segment.

1.1 Features

♦ High Speed Symmetric Data Transmission: The GRT-504 supports the latest G.SHDSL.bis technology and provides symmetric data rates of up to 11.4 Mbps on 4 wires.
♦ CO and CPE Side Support: Provides a back-to-back (LAN-to-LAN) connection between two units.
♦ Firewall: Supports a NAT firewall and an advanced Stateful Packet Inspection (SPI) firewall.
♦ QoS (Quality of Service): The GRT-504 supports ATM QoS and IP QoS. The ATM QoS classes are UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), VBR-rt (Variable Bit Rate real-time) and VBR-nrt (Variable Bit Rate non-real-time). IP traffic can be classified by IP address, IP range, port, protocol and precedence.
♦ VLAN Support: Supports IEEE 802.1Q tagged and port-based VLAN, offering significant benefits in efficient use of bandwidth, flexibility, performance and security.
♦ Bridge and Router Modes: The GRT-504 supports two connection modes. It comes pre-configured in routing mode. Note that routing mode and bridging mode cannot be used simultaneously.
♦ Virtual Server: This feature allows Internet users to access servers on your LAN. The required setup is quick and easy. Keep in mind that every forwarded port exposes that LAN host directly to the Internet, so forward only the services you intend to publish.
♦ VPN Pass-Through Support: PCs running VPN (Virtual Private Networking) software using PPTP, L2TP or IPSec are transparently supported; no configuration is required.
♦ DMZ Support: The GRT-504 can translate a public IP address to a private IP address to allow unrestricted 2-way communication with servers or individual users on the Internet. This provides the most flexibility to run programs that may be incompatible with a NAT environment. Because a DMZ host receives all unsolicited inbound traffic, it must be hardened as if it were connected directly to the Internet.
♦ RIPv1/v2 Routing: Supports the RIPv1/v2 routing protocol for dynamic routing.
♦ Simple Network Management Protocol (SNMP): An easy way to manage the router remotely via SNMPv1/v2.
♦ Fully ATM protocol stack implementation over G.SHDSL.bis.
♦ PPPoA and PPPoE support user authentication with PAP/CHAP/MS-CHAP.

1.2 Specification

Product: 4-Wire G.SHDSL.bis Firewall Router
Model: GRT-504

Hardware
  Standard: Compliant with ITU-T G.991.2 Annex A/B; compliant with G.SHDSL.bis Annex A/B/F/G; TC-PAM line code; symmetric data transmission speed up to 11.4 Mbps on 4-wire; multi-range from 384 Kbps to 11.4 Mbps
  Protocol: RFC 1577 Classical IP over ATM; RFC 2364 PPP over ATM (fixed and dynamic IP); RFC 1483/2684 Ethernet over ATM; RFC 2516 PPP over Ethernet (fixed and dynamic IP)
  AAL and ATM Support: ATM Forum UNI 3.1/4.0 PVC, up to 8 PVCs; OAM F4/F5 AIS/RDI and loopback; VC multiplexing and SNAP/LLC; integrated ATM QoS support (UBR, CBR, VBR-rt and VBR-nrt)
  LAN Port: 4 x 10Base-T/100Base-TX (Auto-Negotiation, Auto MDI/MDI-X)
  Console: 1 x RS-232 (DB9)
  Button: 1 x Reset Button
  LED Indicators: PWR, WAN LNK/ACT, LAN 1/2/3/4, ALM

Software
  Maximum Concurrent Sessions: 1024
  Protocol and Advanced Functions: IEEE 802.1D transparent learning bridge; IEEE 802.1Q VLAN; IP/TCP/UDP/ARP/ICMP/IGMP protocols; IP routing with static routing and RIPv1/RIPv2; IP multicast and IGMP proxy; Network Address Translation (NAT/PAT); DMZ host/Multi-DMZ/Multi-NAT; Virtual Server (RFC 1631); DNS relay and caching; DHCP server, client and relay; IP QoS
  Security: Built-in NAT and SPI firewall; PPP PAP (RFC 1334) and CHAP (RFC 1994) authentication; password protection for system management
  VPN: PPTP/L2TP/IPSec pass-through
  Management: Web-based configuration; command-line interpreter (CLI) via console; command-line interpreter (CLI) via Telnet; software upgrade via web browser/TFTP server; SNMPv1 and v2

Environment
  Dimension (W x D x H): 145 x 188 x 33 mm
  Power: 9V DC, 1A
  Temperature: Operating 0~45 degrees C; Storage -10~70 degrees C
  Humidity: Operating 0%~90% (non-condensing); Storage 0%~95% (non-condensing)
  Emission: FCC, CE
Package Contents
The following items should be included. If any of these items are damaged or missing, please contact your dealer immediately.
♦ 4-Wire G.SHDSL.bis Firewall Router x 1
♦ Power Adapter x 1
♦ Quick Installation Guide x 1
♦ User’s Manual CD x 1
♦ Console Cable x 1
♦ RJ-45 to RJ-11 Cable x 1

1.3 Applications


2 Getting to know about the router

This section introduces the hardware of the router.

2.1 Front Panel

The front panel contains LEDs which show the status of the router.

LED          Color   Active   Description
PWR          Green   ON       The power adapter is connected to the GRT-504
WAN LNK      Green   ON       G.SHDSL.bis connection is established
WAN LNK      Green   Blink    G.SHDSL.bis is handshaking
WAN ACT      Green   Blink    Transmitting or receiving data over the G.SHDSL.bis link
LAN 1/2/3/4  Green   ON       LAN port has an Ethernet link
LAN 1/2/3/4  Green   Blink    LAN port is transmitting or receiving data
ALM          Red     ON       G.SHDSL.bis line connection is dropped
ALM          Red     Blink    G.SHDSL.bis self test

2.2 Rear Panel

The rear panel of the SHDSL.bis router is where all of the connections are made.

Port            Description
DC-IN           Power connector, 9V DC 1.0A
LAN (1/2/3/4)   Ethernet 10/100Base-TX LAN ports (RJ-45)
CONSOLE         RS-232C (DB9) for system configuration and maintenance
LINE            G.SHDSL.bis interface (WAN port)
RST             Reset button; hold it until the router reboots to restore the factory default settings

! The reset button works in one of two ways. (1) Pressing it for one second reboots the system. (2) Pressing it for four seconds loads the factory default settings and discards all of your configuration. If you want to change the configuration but have forgotten the user name or password, or if the router cannot connect to the Internet and you want to configure it again from scratch, press the reset button for four seconds with a paper clip or a sharp pencil. Note that a factory reset also restores the default user name and password (root/root), so change them again immediately afterwards.

2.3 SHDSL.bis Line Connector

The figure below shows the pin assignment of the SHDSL.bis line cord plug:

2.4 Console Cable

The figure below shows the console cable pin assignment (DB9, pins 1-5 on the upper row, 6-9 on the lower row):

Pin  Description
1    No connection
2    RxD (O)
3    TxD (I)
4    No connection
5    GND
6    No connection
7    CTS (O)
8    RTS (I)
9    No connection
GRT-504 4-Wire G.SHDSL.bis Firewall Router User’s Manual

3 Getting to know Firewall feature

3.1 Introduction

A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It must have at least two network interfaces, one for the network it is intended to protect and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.
A firewall examines all traffic routed between the networks. Traffic is forwarded between the networks if it meets certain criteria; otherwise it is filtered out. A firewall filters both inbound and outbound traffic. Besides controlling public access to private networked resources such as host applications, the firewall can log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination IP addresses; this is known as address filtering. Firewalls can also filter specific types of network traffic by port number, which is known as protocol filtering because the forwarding decision depends on the protocol used, for example HTTP, FTP or Telnet. Firewalls can also filter traffic by packet attribute or connection state.
An Internet firewall cannot prevent damage caused by individual users who dial into or out of the network with a modem, bypassing the firewall altogether. The misconduct or carelessness of employees is not under the control of the firewall either. Authentication policies, which govern the use and misuse of passwords and user accounts, must be strictly enforced. These management issues need to be settled when the security policy is planned; they cannot be solved with an Internet firewall alone.
[Figure: a local user behind the firewall. Allowed traffic goes out to the Internet; access to a specific destination is permitted; restricted traffic and unknown traffic are blocked; only specified allowed traffic comes in from the Internet.]

3.2 Types of Firewall

There are three types of firewall:

3.2.1 Packet Filtering

In packet filtering, the firewall examines the protocol and address information in the header of each packet and ignores its contents and context (its relation to other packets and to the intended application). The firewall pays no attention to the applications on the host or local network and "knows" nothing about the sources of incoming data. Filtering consists of examining incoming and outgoing packets and deciding, according to a set of configurable rules, whether to drop each packet. Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of the computers behind the firewall and offer a level of circuit-based filtering.
[Figure: stateful inspection. Layers shown: 5 Application, 4 TCP, 3 IP, 2 Data Link, 1 Physical. The filter inspects source/destination address, source/destination port, IP options and connection status, and remembers this information for outgoing packets. Example: host 192.168.0.5 sends UDP SP=3264 SA=192.168.0.5 DP=1525 DA=172.16.3.4. The reply UDP SP=1525 SA=172.16.3.4 DP=3264 DA=192.168.0.5 matches the outgoing entry and is allowed in; UDP SP=1525 SA=172.16.3.4 DP=2049 DA=192.168.0.5 matches nothing and is dropped.]
[Figure: NAT (Network Address Translation). Hosts 192.168.0.10 and 192.168.0.11 on the internal/protected network both appear as external IP 192.120.8.5 on the external/unprotected network (Internet).

Internal IP     External IP
192.168.0.10    192.120.8.5
192.168.0.11    192.120.8.5]

[Figure: PAT (Port Address Translation). Hosts on the internal/protected network share one external address and are distinguished by port on the external/unprotected network (Internet).

Client IP       Internal Port   External Port
192.168.0.10    1025            192.120.8.5:2205
192.168.0.11    4406            192.120.8.5:2206]
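The two figures above describe one mechanism: outbound packets create a translation entry, and inbound packets are accepted only when they match an entry that inside traffic created earlier. The following is an added example that models this behaviour in Python; it is not the GRT-504 firmware or any code from the manual. The class name, the port allocation order and the constructed packets (reusing the figures' addresses 192.168.0.10, 192.168.0.11, 192.120.8.5 and 172.16.3.4) are assumptions for the illustration.

```python
"""Stateful PAT model (added example, not GRT-504 firmware).

Outbound packets from the protected network are rewritten to the single
external address and a per-flow external port. An inbound packet is only
accepted if it matches the full (proto, external port, remote ip, remote
port) tuple of a flow that inside traffic opened earlier.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# (proto, inside ip, inside port, remote ip, remote port) -> external port
FlowKey = Tuple[str, str, int, str, int]
# (proto, external port, remote ip, remote port) -> (inside ip, inside port)
ReturnKey = Tuple[str, int, str, int]


class StatefulPAT:
    def __init__(self, external_ip: str, internal_net: str, first_port: int = 2205):
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.next_port = first_port          # next free external port (constructed allocator)
        self.out_map: Dict[FlowKey, int] = {}
        self.in_map: Dict[ReturnKey, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a LAN-to-WAN packet; None means it is not translated (dropped)."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return None                      # not a protected host: refuse to NAT it
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.out_map.get(key)
        if ext_port is None:                 # first packet of the flow: allocate a port
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a WAN-to-LAN packet; None means no matching flow, so it is dropped."""
        if pkt.dst != self.external_ip:
            return None
        inside = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None                      # unsolicited: the figure's "no match so disallows in"
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Replays the PAT figure; returns the decisions for (reply, stray, forged) packets."""
    nat = StatefulPAT("192.120.8.5", "192.168.0.0/24")
    nat.outbound(Packet("udp", "192.168.0.10", 1025, "172.16.3.4", 1525))   # -> 192.120.8.5:2205
    nat.outbound(Packet("udp", "192.168.0.11", 4406, "172.16.3.4", 1525))   # -> 192.120.8.5:2206
    reply = nat.inbound(Packet("udp", "172.16.3.4", 1525, "192.120.8.5", 2205))   # allowed in
    stray = nat.inbound(Packet("udp", "172.16.3.4", 1525, "192.120.8.5", 2049))   # no flow: dropped
    forged = nat.inbound(Packet("udp", "10.9.9.9", 1525, "192.120.8.5", 2205))    # wrong peer: dropped
    return reply, stray, forged


if __name__ == "__main__":
    print(demo())
```

The point of keying the return table on the remote endpoint as well as the external port is what makes this stateful rather than plain port forwarding: a third party that guesses an open external port still cannot reach the inside host.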

3.2.2 Circuit Gateway

Also called a "Circuit Level Gateway", this firewall approach validates connections before allowing data to be exchanged. The firewall does not simply allow or disallow packets; it also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source, and possibly only for a limited period of time.
[Figure: circuit gateway. Layers 5 Application, 4 TCP, 3 IP, 2 Data Link, 1 Physical; the gateway validates the connection at the TCP layer using destination IP address and/or port, source IP address and/or port, time of day, protocol, user and password.]

3.2.3 Application Gateway

The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. This can render a computer behind the firewall invisible to the remote system. It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users, and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions. Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities.
[Figure: application gateway. Layers 5 Application, 4 TCP, 3 IP, 2 Data Link, 1 Physical. An internal host PC requests a page through the proxy server's internal interface; the proxy application (Telnet, FTP, HTTP, SMTP) checks the URL and filters content, requests the page from the public server through the external interface and returns the page to the host.]

3.3 Denial of Service Attack

Typically, Denial of Service (DoS) attacks come in two flavors: resource starvation and system overloading. DoS conditions usually occur when legitimate demand for a resource exceeds the supply (for example, too many web requests to an already overloaded web server). Software weaknesses or incorrect system configuration can also induce DoS situations. The difference between a malicious denial of service and a simple system overload is the presence of an individual with malicious intent (the attacker) who uses or attempts to use resources specifically to deny them to other users.
Ping of death: a denial of service (DoS) attack caused by deliberately sending an IP packet larger than the 65,535 bytes that the IP protocol allows. One of the features of TCP/IP is fragmentation, which allows a single IP packet to be broken into smaller pieces. Attackers took advantage of that feature when they found that the fragments of one packet could add up to more than the allowed 65,535 bytes. Many operating systems did not know what to do when they received such an oversized packet and froze, crashed or rebooted. Other known variants of the ping of death include teardrop, bonk and nestea, which rely on overlapping or malformed fragments rather than on sheer size.
[Figure: the hacker's system sends a ping of death packet (112,000 bytes) to the target system, whereas a normal IP packet is at most 65,535 bytes. Normal reassembly: fragments covering bytes 1~1500, 1501~3000 and 3001~4500. Teardrop reassembly: overlapping fragments covering bytes 1~1700, 1300~3200 and 2800~4800.]
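Both attacks in the figure are caught by the same check on the fragment list before reassembly: the fragments either claim to extend past the maximum IP datagram size, or they overlap bytes already received. The following is an added example of that check, written for this page and not taken from the manual or the router firmware. Offsets are given in bytes for readability (real IPv4 fragment offsets are in 8-byte units), and the three sample datagrams are constructed from the figure's numbers.

```python
"""Fragment sanity check (added example, not GRT-504 code).

Offsets and lengths are in bytes; real IPv4 fragment offsets are in 8-byte
units, so multiply header values by 8 before calling this. The sample
datagrams are constructed from the figure's numbers (0-based offsets).
"""
from typing import Iterable, List, Tuple

IP_MAX_LEN = 65535          # largest total length the 16-bit IPv4 length field allows


def analyze_fragments(frags: Iterable[Tuple[int, int]]) -> List[str]:
    """Return sorted findings for one datagram: 'oversize', 'overlap' and/or 'gap'."""
    ordered = sorted(frags)
    if not ordered:
        return []
    findings = set()
    # Ping of death: the reassembled datagram would exceed what IP can address.
    if max(off + length for off, length in ordered) > IP_MAX_LEN:
        findings.add("oversize")
    covered_to = 0
    for off, length in ordered:
        if off < covered_to:              # teardrop family: fragment rewrites bytes already received
            findings.add("overlap")
        elif off > covered_to:            # hole: cannot reassemble yet (not malicious by itself)
            findings.add("gap")
        covered_to = max(covered_to, off + length)
    return sorted(findings)


def should_drop(frags: Iterable[Tuple[int, int]]) -> bool:
    """Policy: drop anything that cannot be reassembled safely."""
    return bool({"oversize", "overlap"} & set(analyze_fragments(frags)))


# Constructed samples
NORMAL = [(0, 1500), (1500, 1500), (3000, 1500)]          # figure: 1~1500, 1501~3000, 3001~4500
TEARDROP = [(0, 1700), (1300, 1900), (2800, 2000)]        # figure: 1~1700, 1300~3200, 2800~4800
PING_OF_DEATH = [(i * 1480, 1480) for i in range(76)]     # 76 x 1480 = 112,480 bytes, about the figure's 112,000

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(name, analyze_fragments(frags), "drop" if should_drop(frags) else "pass")
```

A gap is reported separately because an incomplete datagram is normal while fragments are still arriving; only overlap and oversize are grounds for dropping.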
SYN flood: the attacker sends TCP SYN packets, which start connections, at a very high rate, leaving the victim waiting to complete a huge number of half-open connections until it runs out of resources and drops legitimate connections. A defense against this is "SYN cookies". Each side of a TCP connection has its own sequence number. In response to a SYN, the attacked machine chooses a special initial sequence number that is a cryptographic "cookie" of the connection and then forgets everything it knows about that connection. When the next packet of a legitimate connection arrives, the cookie it acknowledges lets the machine recreate the forgotten connection information.
[Figure: SYN flood. The hacker's system sends TCP SYN requests across the Internet; the target system's backlog queue fills with half-open connections while it sends TCP SYN-ACK packets that are never acknowledged.]
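The SYN cookie mechanism described above is easiest to see with both directions of the handshake in code. The following is an added example written for this page, not code from the manual or from the router: the secret key, the 64-second time slot, the 4-entry MSS table and the bit layout (5-bit slot, 2-bit MSS index, 24-bit MAC) are constructed choices, modelled on how real TCP stacks lay out cookies but not taken from any particular one.

```python
"""SYN cookies (added example, not GRT-504 code).

The server answers a SYN with an initial sequence number that *is* the
state: a time slot, an MSS index and a keyed MAC over the 4-tuple, all
offset by the client's ISN. Nothing is stored. When the final ACK arrives,
the state is recovered from (ack-1) - (seq-1) and checked. Secret, slot
length and MSS table are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

SECRET = b"demo-syn-cookie-secret"      # constructed; a real stack uses a random, rotating key
SLOT_SECONDS = 64                        # a cookie is valid in its own slot and the next one
MSS_TABLE = (536, 1300, 1440, 1460)      # 2-bit MSS index
MASK32 = 0xFFFFFFFF


def _slot(now: float) -> int:
    return (int(now) // SLOT_SECONDS) & 0x1F


def _mac24(saddr: str, daddr: str, sport: int, dport: int, slot: int) -> int:
    msg = (ipaddress.IPv4Address(saddr).packed + ipaddress.IPv4Address(daddr).packed
           + struct.pack("!HHI", sport, dport, slot))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(saddr: str, daddr: str, sport: int, dport: int,
               client_isn: int, mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK: slot(5 bits) | mss index(2 bits) | MAC(24 bits), plus client ISN."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    slot = _slot(now)
    cookie = (slot << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, slot)
    return (client_isn + cookie) & MASK32


def check_cookie(saddr: str, daddr: str, sport: int, dport: int,
                 seq: int, ack: int, now: float) -> Optional[int]:
    """Validate the third handshake packet; returns the negotiated MSS, or None to drop it."""
    client_isn = (seq - 1) & MASK32          # the ACK carries seq = client ISN + 1
    server_isn = (ack - 1) & MASK32          # and ack = server ISN + 1
    cookie = (server_isn - client_isn) & MASK32
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    cur = _slot(now)
    if slot not in (cur, (cur - 1) & 0x1F):
        return None                          # too old: replayed cookie or very slow client
    expected = _mac24(saddr, daddr, sport, dport, slot)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                          # forged ACK: no matching SYN-ACK was ever sent
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    t = 1_000_000
    isn = syn_cookie("172.16.3.4", "10.1.2.1", 40000, 80, 123456, 1460, t)
    print("valid ack ->", check_cookie("172.16.3.4", "10.1.2.1", 40000, 80, 123457, (isn + 1) & MASK32, t))
    print("forged ack ->", check_cookie("172.16.3.4", "10.1.2.1", 40001, 80, 123457, (isn + 1) & MASK32, t))
```

The cost of this scheme is visible in the code: only what fits in the 32-bit cookie survives, so TCP options the client offered in its SYN (window scaling, selective acknowledgement) are lost. That is why real stacks keep a normal backlog and switch to cookies only when it overflows.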
ICMP flood: the attacker transmits a large volume of ICMP echo request packets so that all CPU resources are consumed serving the bogus requests.
UDP flood: the attacker transmits a large volume of requests to UDP diagnostic services, so that all CPU resources are consumed serving the bogus requests.
Land attack: the attacker attempts to slow your network down by sending packets whose source and destination addresses are identical and appear to originate from your own network.
IP spoofing: a method of masking the origin of an intrusion by making the traffic appear to come from a different computer. Intruders use it to keep their anonymity, and it is a building block of denial of service attacks, for example to direct the replies of a smurf or fraggle attack at the victim.
Smurf attack: the source address of the intended victim is forged in a broadcast ping, so that a huge number of ICMP echo replies go back to the victim indicated by that address, overloading it.
[Figure: smurf attack. The hacker's system sends a broadcast ping request with a spoofed source IP address across the Internet to the target router, which serves multiple subnets; every host on those subnets sends its ping response to the spoofed (victim) address.]
Fraggle attack: the perpetrator sends a large number of UDP echo packets to IP broadcast addresses, all with a forged source address; it is the UDP counterpart of the smurf attack.
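The attacks in this list fall into two detection classes: the land, smurf, fraggle and spoofing cases each have a per-packet signature, while the ICMP and UDP floods are only visible as a rate. The following is an added example that applies both classes to a constructed packet capture; it is not code from the manual or from the router, and it is written for this page. The LAN prefix (192.168.0.0/24) and the WAN address (10.1.2.1) reuse the manual's later configuration examples; the threshold, window and all sample packets are assumptions.

```python
"""Signature and rate checks for the DoS attacks listed above (added example, not GRT-504 code).

Addresses, thresholds and the sample traffic are constructed; the LAN prefix
and WAN address reuse the manual's configuration examples.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

LAN = ipaddress.ip_network("192.168.0.0/24")
BROADCASTS = {LAN.broadcast_address, ipaddress.ip_address("255.255.255.255")}
ECHO_PORTS = {7, 19}            # UDP echo and chargen, the "diagnostic services" fraggle abuses
FLOOD_THRESHOLD = 100           # packets from one source ...
FLOOD_WINDOW = 1.0              # ... within this many seconds
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Pkt:
    ts: float
    iface: str          # "wan" or "lan": where the packet arrived
    proto: str          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: int = -1


def classify(pkts: List[Pkt]) -> List[Tuple[int, str]]:
    """Return (packet index, rule name) for every packet that trips a rule."""
    hits: List[Tuple[int, str]] = []
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    for i, p in enumerate(pkts):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src == dst:
            hits.append((i, "land"))                    # identical source and destination
            continue
        if p.iface == "wan" and src in LAN:
            hits.append((i, "spoofed-lan-source"))      # our own prefix arriving from outside
            continue
        to_broadcast = dst in BROADCASTS
        if p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST and to_broadcast:
            hits.append((i, "smurf"))                   # directed broadcast ping: we would be the amplifier
        if p.proto == "udp" and to_broadcast and p.dport in ECHO_PORTS:
            hits.append((i, "fraggle"))
        # Rate check: sliding window per (proto, source); one alert when the threshold is reached.
        if p.proto in ("icmp", "udp"):
            window = recent[(p.proto, p.src)]
            window.append(p.ts)
            while p.ts - window[0] > FLOOD_WINDOW:
                window.popleft()
            if len(window) == FLOOD_THRESHOLD:
                hits.append((i, f"{p.proto}-flood"))
    return hits


def sample_traffic() -> List[Pkt]:
    """Constructed capture: one normal packet, one instance of each signature, then an ICMP flood."""
    pkts = [
        Pkt(0.0, "lan", "tcp", "192.168.0.10", "10.1.2.2", 80),                 # normal
        Pkt(0.1, "wan", "tcp", "10.1.2.1", "10.1.2.1", 80),                     # land
        Pkt(0.2, "wan", "udp", "192.168.0.77", "10.1.2.1", 53),                 # spoofed LAN source
        Pkt(0.3, "wan", "icmp", "10.1.2.2", "192.168.0.255", icmp_type=8),      # smurf
        Pkt(0.4, "wan", "udp", "10.1.2.2", "255.255.255.255", 7),               # fraggle
    ]
    pkts += [Pkt(1.0 + k * 0.005, "wan", "icmp", "203.0.113.9", "10.1.2.1", icmp_type=8)
             for k in range(150)]                                              # 150 pings in 0.75 s
    return pkts


if __name__ == "__main__":
    for index, rule in classify(sample_traffic()):
        print(f"packet {index}: {rule}")
```

The flood rule fires exactly once per burst because it tests for equality with the threshold; a production detector would also expire the alert and rate-limit its own logging, otherwise the log itself becomes the resource the attacker exhausts.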

4 Getting to know VLAN feature

Virtual Local Area Network (VLAN) is defined as a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLAN is based on logical instead of physical connections, it is extremely flexible.
The IEEE 802.1Q defines the operation of VLAN bridges that permit the definition, operation, and administration of VLAN topologies within a bridged LAN infrastructure. VLAN architecture benefits include:
1. Increased performance
2. Improved manageability
3. Network tuning and simplification of software configurations
4. Physical topology independence
5. Increased security options
As DSL (over ATM) links are deployed more and more widely, carrying VLANs over DSL links (VLAN-to-PVC mapping) is increasingly implemented and may become a requirement of ISPs.
We discuss the implementation of VLAN-to-PVC only for bridge mode operation, i.e., the VLAN spans both the COE and CPE sides and no layer 3 routing is involved.

4.1 Specification

1. The unit supports up to 8 active VLANs with shared VLAN learning (SVL) bridge out of 4096 possible VLANs specified in IEEE 802.1Q.
2. Each port always belongs to a default VLAN with its port VID (PVID) as an untagged member. Also, a port can belong to multiple VLANs and be tagged members of these VLANs.
3. A port must not be a tagged member of its default VLAN.
4. If an untagged or null-VID tagged packet is received, it is assigned the default PVID of the ingress port.
5. If the packet is tagged with a non-null VID, the VID in the tag is used.
6. The lookup process starts with a VLAN lookup to determine whether the VID is valid. If the VID is not valid, the packet is dropped and its address is not learned. If the VID is valid, the VID, destination address and source address lookups are performed.
7. The VID and destination address lookup determines the forwarding ports. If it fails, the packet is flooded to all members of the VLAN except the ingress port.
8. Frames are sent out tagged or untagged depending on whether the egress port is a tagged or untagged member of the VLAN the frame belongs to.
9. If the VID and source address lookup fails, the source address is learned.

4.2 Frame Specification

An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to which it belongs. Such frames are classified as belonging to a particular VLAN based on parameters associated with the receiving port. Priority-tagged frames, which by definition carry no VLAN identification information (their VID is null), are treated the same as untagged frames. A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it carries a tag header with a non-null VID. This results in a minimum tagged frame length of 68 octets. Such a frame is classified as belonging to a particular VLAN based on the value of the VID in the tag header. The presence of a tag header carrying a non-null VID means that some other device, either the originator of the frame or a VLAN-aware bridge, has mapped this frame into a VLAN and inserted the appropriate VID.
The following figure shows the difference between an untagged frame and a VLAN-tagged frame. The Tag Protocol Identifier (TPID) has the value 0x8100 and identifies the frame as a tagged frame. The Tag Control Information (TCI) consists of the following elements:
1) User priority (3 bits) allows the tagged frame to carry user priority information across bridged LANs in which individual LAN segments may be unable to signal priority information (e.g., 802.3/Ethernet segments).
2) The Canonical Format Indicator (CFI, 1 bit) is used to signal the presence or absence of a Routing Information Field (RIF) and, in combination with the Non-canonical Format Indicator (NCFI) carried in the RIF, to signal the bit order of address information carried in the encapsulated frame.
3) The VID (12 bits) uniquely identifies the VLAN to which the frame belongs.
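The frame format of 4.2 and the nine forwarding rules of 4.1 fit together in a short bridge model. The following is an added example written for this page, not code from the manual or the router's firmware: it parses the TPID/TCI layout described above, then applies the PVID, VID validity, learning, flooding and tagged/untagged egress rules, including the item 3 constraint that a port cannot be a tagged member of its own PVID and the 8-VLAN limit of item 1. The port names, the VLAN plan, the MAC addresses and the shared-VLAN-learning table being a single dictionary are assumptions for the illustration.

```python
"""802.1Q tag parsing and the VLAN bridge rules of section 4.1 (added example, not GRT-504 code).

Port names, addresses and the sample VLAN plan are constructed. A frame is
raw bytes: dst(6), src(6), optional 802.1Q tag (TPID 0x8100 + TCI), then
EtherType and data.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100
MAX_ACTIVE_VLANS = 8                 # the unit's limit from 4.1 item 1


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]               # None: untagged or priority-tagged (null VID)
    pcp: int                         # user priority from the TCI, 0 if untagged
    rest: bytes                      # EtherType and payload


def parse_frame(raw: bytes) -> Frame:
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, raw[12:])
    (tci,) = struct.unpack("!H", raw[14:16])
    pcp, vid = tci >> 13, tci & 0x0FFF          # bit 12 is the CFI
    return Frame(dst, src, vid or None, pcp, raw[16:])


def build_frame(dst: bytes, src: bytes, rest: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    if vid is None:
        return dst + src + rest
    return dst + src + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + rest


class VlanBridge:
    """Shared-VLAN-learning bridge following items 2 to 9 of section 4.1."""

    def __init__(self, pvid: Dict[str, int], tagged: Dict[str, Set[int]]):
        self.pvid = pvid
        self.tagged = {p: set(tagged.get(p, ())) for p in pvid}
        for port, vids in self.tagged.items():
            if pvid[port] in vids:
                raise ValueError(f"{port}: a port must not be a tagged member of its PVID")  # item 3
        self.vlans = set(pvid.values()).union(*self.tagged.values())
        if len(self.vlans) > MAX_ACTIVE_VLANS:
            raise ValueError("more than 8 active VLANs")                                     # item 1
        self.fdb: Dict[bytes, str] = {}            # one address table for all VLANs (SVL)

    def members(self, vid: int) -> Set[str]:
        return {p for p in self.pvid if self.pvid[p] == vid or vid in self.tagged[p]}

    def forward(self, ingress: str, raw: bytes) -> Dict[str, bytes]:
        """Return {egress port: frame as transmitted}; an empty dict means the frame was dropped."""
        f = parse_frame(raw)
        vid = f.vid if f.vid is not None else self.pvid[ingress]     # items 4 and 5
        if vid not in self.vlans:
            return {}                                                 # item 6: invalid VID, not learned
        self.fdb[f.src] = ingress                                     # item 9
        known = self.fdb.get(f.dst)
        if known == ingress:
            return {}                                                 # destination is on the arrival port
        if known in self.members(vid):
            targets = {known}
        else:
            targets = self.members(vid) - {ingress}                   # item 7: flood the VLAN
        return {p: build_frame(f.dst, f.src, f.rest, vid if vid in self.tagged[p] else None, f.pcp)
                for p in targets}                                     # item 8


if __name__ == "__main__":
    br = VlanBridge({"p1": 1, "p2": 1, "p3": 10}, {"p2": {10}})
    a, b = bytes.fromhex("00304f0a024f"), bytes.fromhex("00304f0a0250")
    print(br.forward("p2", build_frame(b, a, b"\x08\x00data", vid=10)))
```

Two edge cases are worth noticing when reading the test: a priority-tagged frame (VID 0) is classified by PVID exactly like an untagged one, but its priority bits are carried through to a tagged egress port; and a frame with an unknown VID is dropped before learning, so it cannot poison the address table.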

4.3 Applications


5 Configuration to the Router

This chapter guides users through configuring the G.SHDSL.bis router via the Web Configuration or the serial console in the easiest and quickest way possible. Please follow the instructions carefully.
Note: There are three methods to configure the router: serial console, Telnet and Web browser. Only one configuration method should be used to set up the router at any given time, so choose one. For Web configuration you can skip item (3) of the check list; for serial console configuration you can skip items (1) and (2).

5.1 Check List

(1) Check the Ethernet adapter in the PC or NB
Make sure an Ethernet adapter is installed in the PC or notebook (NB) used to configure the router. TCP/IP is required for web configuration, so check that the TCP/IP protocol is installed.
(2) Check the web browser in the PC or NB
For Web configuration the PC or NB needs a web browser, IE or Netscape. Note: IE 5.0 or Netscape 6.0 or above and a resolution of 800x600 or above are recommended.
(3) Check the terminal access program
For serial console and Telnet configuration, users need a terminal access program with VT100 terminal emulation.
(4) Determine the connection settings
You need to know the Internet protocol supplied by your service provider in order to choose the setup mode.
Protocol selection:
RFC1483 Ethernet over ATM
RFC1577 Classical Internet Protocol over ATM
RFC2364 Point-to-Point Protocol over ATM
RFC2516 Point-to-Point Protocol over Ethernet
Different protocols need different WAN parameters. Once you know the protocol provided by your ISP, ask the ISP for the WAN parameters needed to set it up.
[Figure: WAN parameter summary for each connection type: Bridge EoA, IPoA, Route EoA, PPPoA and PPPoE.]

5.2 Install the SHDSL.bis Router

! To avoid possible damage to the router, do not turn it on before the hardware installation is complete.
- Connect the power adapter to the port labeled DC-IN on the rear panel of the product.
- Connect the Ethernet cable.
  Note: This router supports auto-MDIX switching, so both straight-through and cross-over Ethernet cables can be used.
- Connect the phone cable to the router and the other end of the phone cable to the wall jack.
- Connect the power adapter to the power source inlet.
- Turn on the PC or NB that is used to configure the router.
[Figure: 4-port router in a complex network topology.]

6 Configuration via Web Browser

Step 1. Click the Start button, then select Settings and Control Panel.
Step 2. Double-click the Network icon.
In the Configuration window, select the TCP/IP protocol line that is associated with your network card and then click Properties.
Choose the IP Address tab, select Obtain an IP address automatically and click OK.
The window will ask you to restart the PC. Click Yes.
After rebooting your PC, open IE or Netscape to connect to the router. Type
http://192.168.0.1
The default IP address and subnet mask of the router are 192.168.0.1 and 255.255.255.0. Because the router acts as the DHCP server in your network, it automatically assigns an IP address to the PC or NB.
Type the user name root and the password root and then click OK. The default user name and password are both root. For system security, change them as soon as the configuration is complete: the defaults are public knowledge and a factory reset restores them. Note also that the web and Telnet management interfaces (and SNMPv1/v2) send credentials in clear text, so manage the router from the trusted LAN side only.
Note: After changing the user name and password, record them safely, because the next time you log in the new user name and password must be used.
Function Listing
The following is the full function listing of the G.SHDSL.bis router.

BASIC (Quick Setup)
ADVANCED
  SHDSL.bis
  WAN
  BRIDGE
  VLAN
  STP
  ROUTE
  NAT/DMZ
  VIRTUAL SERVER
  FIREWALL
  IP QoS
STATUS
  SHDSL.bis
  LAN
  WAN
  ROUTE
  INTERFACE
  FIREWALL
  IP QoS
  STP
ADMIN
  SECURITY
  SNMP
  TIME SYNC
UTILITY
  SYSTEM INFO
  CONFIG TOOL
  FIRMWARE UPGRADE
LOGOUT
RESTART

6.1 Basic Setup

The Basic Setup covers the Bridge and Route operation modes. You can use it to completely set up the router; after completing it successfully you can access the Internet or use the router as a LAN extension. This is the easiest way to set up the router. Note: The advanced functions are only for advanced users. An incorrect advanced setting may degrade performance, cause system errors or even disconnection.
Click Basic for basic installation.

6.1.1 Bridge Mode

Parameter Table:
System mode   Bridge
SHDSL         [ ] CO side   [ ] CPE side
LAN           IP address / Subnet Mask / Gateway / Host Name
WAN1          VPI / VCI / Encapsulation: [ ] VC-mux  [ ] LLC
The flow chart of the bridge mode setup:
Set up system mode and SHDSL mode
Click Bridge and CPE Side to set up bridging mode and then click Next for the next setting. This router can be set up in one of two SHDSL.bis working modes: CO (Central Office) and CPE (Customer Premises Equipment). For a connection to a DSLAM, the SHDSL.bis router's working mode is CPE. For a "LAN to LAN" connection, one side must be CO and the other side must be CPE.
Set up (a) LAN IP address, Subnet Mask, Gateway and Host Name, (b) WAN1 VPI, VCI and Encapsulation
LAN: IP: 192.168.0.1, Subnet Mask: 255.255.255.0, Gateway: 192.168.0.254 (the gateway IP is provided by the ISP), Host Name: SOHO. Some ISPs require the host name as identification; check with your ISP whether your Internet service has been configured with a host name. In most cases this field can be ignored. WAN1: VPI: 0, VCI: 32, Encap: select LLC and then click Next to review.
Review
The screen will show the newly configured parameters. Check the parameters and click Restart to reboot the router with the new settings, or Continue to configure further parameters.

6.1.2 Routing Mode

Parameter Table:
System mode   Route
SHDSL         [ ] CO side   [ ] CPE side
LAN           IP type: [ ] Fixed  [ ] Dynamic (DHCP Client)
              IP address / Subnet Mask / Host Name
              Trigger DHCP service: [ ] Disable  [ ] Server  [ ] Relay
DHCP Server   Default gateway / Subnet Mask / Start IP address / End IP address
              DNS Server 1 / DNS Server 2 / DNS Server 3 / Lease time
              Host Entries 1 to 10: MAC / IP
DHCP Relay    IP address
WAN1          VPI / VCI / Encapsulation: [ ] VC-mux  [ ] LLC
              Protocol: [ ] IPoA  [ ] IPoA + NAT  [ ] EoA  [ ] EoA + NAT  [ ] PPPoA + NAT  [ ] PPPoE + NAT
The flow chart of the route mode setup:
Routing mode supports DHCP server, DHCP client and DHCP relay, and the WAN protocols PPP over ATM, PPP over Ethernet, IP over ATM and Ethernet over ATM. You have to find out which Internet protocol is provided by your ISP.
Set up system mode and SHDSL mode
Click ROUTE and CPE Side, then press Next.
Set up the LAN IP address, Subnet Mask, Gateway, Host Name and Trigger DHCP Service with the fixed IP type.
IP type: Fixed, IP Address: 192.168.0.1, Subnet Mask: 255.255.255.0, Host Name: SOHO. Some ISPs require the host name as identification; check with your ISP whether your Internet service has been configured with a host name. In most cases this field can be ignored.
Trigger DHCP Service: Server. By default the DHCP server is enabled. To turn off the DHCP service, choose Disable.
If DHCP is set to Relay, the router acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients.
DHCP Server: Dynamic Host Configuration Protocol (DHCP) is a communication protocol that lets network administrators centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization's network. Each machine that connects to the Internet needs a unique IP address. Without DHCP, the IP address must be entered manually at each computer, and a new address must be entered if a computer moves to another part of the network. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged in at a different place in the network.
If the DHCP server is enabled, you have to set up the following parameters. The embedded DHCP server can assign network configuration information to at most 253 hosts at the same time.
Set up the DHCP server parameters and the fixed DHCP host table
Start IP Address: the first address of the contiguous IP address pool. End IP Address: the last address of the pool.
For example: if the LAN IP address is 192.168.0.1, the example pool is 192.168.0.2 to 192.168.0.51. The DHCP server assigns addresses from the Start IP Address to the End IP Address. The host part of an address ranges from 0 to 255, but 0 is reserved as the network address and 255 for broadcast, so the usable range is 1 to 254: you cannot assign a host address greater than 254 or less than 1. A lease time of 72 hours means that clients must renew their IP information from the DHCP server every 72 hours.
DNS Server 1, DNS Server 2 and DNS Server 3: your ISP will provide at least one Domain Name Service server IP. You can also type the router's own IP in this field; the router then acts as a DNS relay. Up to three DNS servers can be used. To assign a fixed IP address to a device while using DHCP, put the device's MAC address and the desired IP in the table of Fixed DHCP Host Entries; ten entries are available. Every Ethernet device has a unique MAC (Media Access Control) address, assigned at the factory and consisting of six pairs of hexadecimal characters, for example 00:30:4F:0A:02:4F.
Press Next to set up the WAN1 parameters.
Some ISPs provide a DHCP server service through which the PCs in the LAN obtain their IP information automatically. To set up DHCP client mode, follow this procedure.
Set up the IP address, Subnet Mask and Host Name in DHCP client mode
LAN IP Type: Dynamic (DHCP Client). Click Next to set up the WAN1 parameters.
DHCP relay: If you have a DHCP server in the LAN and want to use it for DHCP services, the router provides a DHCP relay function for this purpose.
IP Type: Fixed, IP Address: 192.168.0.1, Subnet Mask: 255.255.255.0, Host Name: SOHO. Some ISPs require the host name as identification; check with your ISP whether your Internet service has been configured with a host name. In most cases this field can be ignored. Trigger DHCP Service: Relay
Set up the DHCP server
Press Next to set up the remote DHCP server parameter.
When using the DHCP relay service, the remote DHCP server's IP address must be configured: enter it in the IP address field and press Next.
Set up the WAN1 VPI, VCI, Encapsulation and Protocol
VPI: 0, VCI: 33, AAL5 Encap: LLC
Protocol: PPPoA + NAT or PPPoE + NAT. Click Next to set up the user name and password.
For more about NAT, see the NAT/DMZ chapter.
If the protocol is PPPoA + NAT or PPPoE + NAT, you must set up the ISP's parameters as follows:
Type the ISP1 parameters. Username: test, Password: test, Password Confirm: test. Your ISP will provide the user name and password. Idle Time: 10
If you want your Internet connection to remain up at all times, enter 0 in the Idle Time field. IP Type: Dynamic. The default IP type is Dynamic: the ISP's PPP server provides the IP information, including a dynamic IP address, when the SHDSL.bis connection is established, so you do not need to type a WAN1 IP address. Some ISPs provide a fixed IP address over PPP; in that case choose IP Type: Fixed and enter the address, for example IP Address: 192.168.1.1. Click Next. Note: For safety, the password is displayed as asterisks.
Username: enter the user name exactly as assigned by your ISP. Password: enter the password associated with the user name above. Password confirm: enter the password again for confirmation. Idle Time: if you do not want the connection up all the time, specify an idle time in this field. IP type: a static IP address is a fixed address that your ISP gives you; a dynamic IP address is not fixed, the ISP assigns you a different one each time you connect to the Internet.
The screen will show the parameters that will be written to NVRAM. Check the parameters before they are written to NVRAM.
Press Restart to restart the router with the new parameters, or press Continue to set up further parameters.
Set up the WAN1 VPI, VCI, Encapsulation and Protocol
WAN: VPI: 0, VCI: 33, AAL5 Encap: LLC
Protocol: IPoA, EoA, IPoA + NAT or EoA + NAT. Click Next to set up the IP parameters.
For more about NAT, see the NAT/DMZ chapter.
Set up the WAN1 IP address, Subnet Mask, Gateway and DNS Server
IP Address: 10.1.2.1. This is the router's IP address as seen from the Internet; your ISP will provide it. Subnet mask: 255.255.255.0. This is the router's subnet mask as seen by external users on the Internet; your ISP will provide it. Gateway: 10.1.2.2. Your ISP will provide the default gateway. DNS Server 1: 168.95.1.1. Your ISP will provide at least one DNS (Domain Name System) server IP address. Click Next to review.
Review
The screen will show the parameters that will be written to NVRAM. Check the parameters before they are written to NVRAM.
Press Restart to restart the router with the new parameters, or press Continue to set up further parameters.

6.1.3 Reference diagram

Bridge mode
When configured in Bridge Mode, the router acts as a pass-through device and allows the workstations on your LAN to have public addresses directly on the Internet.
[Figure: bridge mode. Router IP 192.168.0.1, netmask 255.255.255.0, gateway 192.168.0.254; PC IP 192.168.0.2, netmask 255.255.255.0, gateway 192.168.0.254; DSLAM with VPI 0, VCI 32, encapsulation LLC; ISP BAS (bridge) IP 192.168.0.254.]
IPoA or EoA
IPoA (Classical IP over ATM, RFC 1577) interfaces carry IP packets directly over AAL5. AAL5 provides the data link layer for the IP hosts on the same network; to let these hosts communicate over the ATM network, IP addresses have to be resolved to ATM connections. As the bearer network for IP services, ATM provides high-speed point-to-point connections that considerably improve the bandwidth of an IP network, and it offers well-defined QoS.
EoA (Ethernet over ATM) is commonly used to carry data between local area networks that use Ethernet and wide-area networks that use ATM. Many telecommunications networks use ATM, and ISPs who provide DSL services often use EoA to exchange data with their customers' DSL modems.
EoA can be implemented to provide a bridged connection between a DSL modem and the ISP. In a bridged connection, data is shared between the ISP's network and the customer's as if the two networks were on the same physical LAN; the bridge forwards Ethernet frames and does not itself take part in IP routing. EoA can also be configured to provide a routed connection with the ISP, which uses IP to exchange data.
[Figure: IPoA/EoA reference diagram. LAN side: Router IP 192.168.0.1, Netmask 255.255.255.0; PCs IP 192.168.0.2~51, Netmask 255.255.255.0, Gateway 192.168.0.1. WAN side: Router IP 10.1.2.1, Netmask 255.255.255.0, Gateway 10.1.2.2, DNS 168.95.1.1; DSLAM: VPI 0, VCI 33, Encapsulation LLC; BAS: IP 10.1.2.2; ISP.]
PPPoE or PPPoA
PPPoA (Point-to-Point Protocol over ATM) and PPPoE (Point-to-Point Protocol over Ethernet) are authentication and connection protocols used by many service providers for broadband Internet access. These are specifications for connecting multiple computer users on an Ethernet local area network to a remote site through common customer premises equipment, which is the telephone company's term for a modem and similar devices. PPPoE and PPPoA can be used in an office or building. Users share a common Digital Subscriber Line (DSL), cable modem, or wireless connection to the Internet. PPPoE and PPPoA combine the Point-to-Point Protocol (PPP), commonly used in dialup connections, with the Ethernet protocol or ATM protocol, which supports multiple users in a local area network. The PPP protocol information is encapsulated within an Ethernet frame or ATM frame.
[Figure: PPPoE/PPPoA reference diagram. PC: IP 192.168.0.1, Netmask 255.255.255.0, Gateway 192.168.0.254; PC: IP 192.168.0.2, Netmask 255.255.255.0, Gateway 192.168.0.254; Bridge (router); DSLAM: VPI 0, VCI 32, Encapsulation LLC; BAS: IP 192.168.0.254; ISP.]

6.2 Advanced Setup

Advanced setup contains SHDSL.bis, WAN, Bridge, VLAN, Ethernet, Route, NAT/DMZ, Virtual Server, Firewall and IP QoS parameters.

6.2.1 SHDSL.bis

You can set up the Annex type, data rate and SNR margin for the SHDSL.bis parameters in SHDSL.bis. Click SHDSL.bis.
Enter the parameters in SHDSL.bis.
6.2.1.1 Annex Type
There are four Annex types: Annex A (ANSI), Annex B (ETSI), Annex AF and Annex BG. If the router must connect to your ISP, check with the ISP which one to use. If your routers are configured for a point-to-point application, you must choose one of the four types according to the line rate you need.
6.2.1.2 Line Type
There are six line types to choose from: 2-wire, M-Pair, M-Pair(Conexant), Auto Fall Back, StandBy and Multi-link.
2-wire mode
On the 4-wire model, only the first pair is used, for single-pair DSL wire applications.
M-Pair Mode
In this mode, each wire pair of the SHDSL.bis router must be configured with the same line rate. If one pair fails, the entire line must be restarted. The M-Pair(Conexant) option uses the Conexant M-pair standard for connections to another router with a Conexant chipset solution.
Auto Fall Back Mode
Two DSL pairs work simultaneously. When one of the two pairs is disconnected, the other pair keeps working.
Standby Mode
Only one of the two pairs is working; the other pair is on standby. If the working pair fails, the standby pair starts up and takes over.
Multi-Link Mode
On the 4-wire model, each pair connects to a different remote device, which may or may not be in the same location.
6.2.1.3 TCPAM Type
TCPAM stands for Trellis Coded Pulse Amplitude Modulation. It is the modulation format that is used in both HDSL2 and SHDSL, and provides robust performance over a variety of loop conditions. SHDSL.bis supports 16-level TCPAM line code (TCPAM-16) or 32-level TCPAM line code (TCPAM-32) to provide a rate/reach adaptive capability, offering enhanced performance (increased rate or reach) and improved spectral compatibility. The default option is Auto. You may assign a type manually by clicking the caption TCPAM-16 or TCPAM-32.
6.2.1.4 Data Rate
For 2-wire model (n*64kbps): you can set up the SHDSL.bis data rate in multiples of 64kbps. The default data rate is 5696Kbps (n=89).
For Annex AF or BG: TCPAM32, data rate 768Kbps ~ 5696Kbps (Nx64kbps, N=12~89); TCPAM16, data rate 192Kbps ~ 3840Kbps (Nx64kbps, N=3~60).
For Annex A or B: TCPAM16, 192Kbps ~ 2304Kbps (Nx64kbps, N=3~36).
For 4-wire model (n*128kbps): you can set up the SHDSL.bis data rate in multiples of 128kbps. The default data rate is 11392Kbps (n=89).
For Annex AF or BG: TCPAM32, data rate 1536Kbps ~ 11392Kbps (Nx128kbps, N=12~89); TCPAM16, data rate 384Kbps ~ 7680Kbps (Nx128kbps, N=3~60).
For Annex A or B: TCPAM16, 384Kbps ~ 4608Kbps (Nx128kbps, N=3~36).
For adaptive mode, you have to set n=0. The router will adapt the data rate according to the line status.
                          2-wire model      4-wire model
Annex A/B    TCPAM-16     192~2304 kbps     384~4608 kbps
Annex AF/BG  TCPAM-16     192~3840 kbps     384~7680 kbps
Annex AF/BG  TCPAM-32     768~5696 kbps     1536~11392 kbps
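The rate ranges above are easy to get wrong when entering n by hand (the multiplier differs between the 2-wire and 4-wire models, and Annex A/B only allows TCPAM-16). The following added example, which is not code from the router or from PLANET, checks an (Annex, TCPAM, n) setting against exactly the ranges the manual lists and rebuilds the table from them; the model and annex labels used as keys are this example's own naming.

```python
"""Check a GRT-504 SHDSL.bis data-rate setting against the ranges the manual
lists for each Annex / TCPAM combination.  Added example, not the router's own
firmware or configuration code."""

# n is the multiplier entered in the web UI; the line rate is n * 64 kbps on
# the 2-wire model and n * 128 kbps on the 4-wire model (values from the manual).
STEP_KBPS = {"2-wire": 64, "4-wire": 128}

# Allowed n range per (Annex, TCPAM) as given in section 6.2.1.4.
N_RANGE = {
    ("A/B", "TCPAM-16"): (3, 36),
    ("AF/BG", "TCPAM-16"): (3, 60),
    ("AF/BG", "TCPAM-32"): (12, 89),
}

ADAPTIVE = 0  # n = 0 selects adaptive mode


def line_rate_kbps(model, n):
    """Return the configured line rate in kbps, or None for adaptive (n = 0)."""
    if n == ADAPTIVE:
        return None
    return n * STEP_KBPS[model]


def validate_rate(model, annex, tcpam, n):
    """Return (ok, message).  ok is True when n is 0 (adaptive) or lies inside
    the range the manual gives for the chosen Annex and TCPAM type."""
    if model not in STEP_KBPS:
        return False, f"unknown model {model!r}"
    key = (annex, tcpam)
    if key not in N_RANGE:
        return False, f"Annex {annex} does not support {tcpam}"
    if n == ADAPTIVE:
        return True, "adaptive mode: router negotiates the rate from line status"
    lo, hi = N_RANGE[key]
    step = STEP_KBPS[model]
    if not lo <= n <= hi:
        return False, (f"n={n} outside {lo}..{hi} for Annex {annex} {tcpam} "
                       f"({lo * step}..{hi * step} kbps)")
    return True, f"{line_rate_kbps(model, n)} kbps"


def rate_table():
    """Rebuild the manual's rate table from the ranges above: returns a dict
    mapping (annex, tcpam, model) -> (min_kbps, max_kbps)."""
    table = {}
    for (annex, tcpam), (lo, hi) in N_RANGE.items():
        for model, step in STEP_KBPS.items():
            table[(annex, tcpam, model)] = (lo * step, hi * step)
    return table


if __name__ == "__main__":
    # Default setting from the manual: n = 89 on the 4-wire model.
    print(validate_rate("4-wire", "AF/BG", "TCPAM-32", 89))   # (True, '11392 kbps')
    print(validate_rate("2-wire", "A/B", "TCPAM-16", 40))     # out of range
    for key, rng in sorted(rate_table().items()):
        print(key, rng)
```

Running the script prints the default 4-wire setting as valid, rejects n=40 for Annex A/B (its ceiling is N=36), and lists the six table cells so they can be compared with the manual.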
6.2.1.5 SNR Margin
This is an index of line connection quality. You can see the actual SNR margin in STATUS SHDSL.bis. The larger the SNR margin, the better the line connection quality.
If you set the SNR margin in this field to 3, the SHDSL.bis connection will drop and reconnect whenever the SNR margin is lower than 3; on reconnecting, the device reduces the line rate to obtain better line connection quality.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters before writing them in NVRAM. Press Restart to restart the router working with the new parameters, or press Continue to set up another parameter.

6.2.2 WAN

The router can support up to 8 PVCs. WAN 1 was configured via the BASIC item, except for QoS. If you want to set up other PVCs such as WAN 2 to 7, those parameters are set up on the WAN pages under ADVANCED. In other words, you do not need to set up WAN unless you subscribe to two or more Internet services from ISPs.
The parameters in WAN Number 1 have been set up in Basic Setup. If you want to set up another PVC, you can configure it in WAN 2 to WAN 8.
Enter the parameters:
Protocol: If the WAN Protocol is PPPoA or PPPoE with dynamic IP, leave the WAN IP Address and Subnet Mask at their default settings. The system will ignore the IP Address and Subnet Mask information, but erasing the defaults or leaving the fields blank will cause a system error.
If the WAN Protocol is IPoA or EoA, leave the ISP parameters at their default settings. The system will ignore the information, but erasing the defaults or leaving the fields blank will cause a system error.
VC-mux (VC-based Multiplexing): Each protocol is assigned to a specific virtual circuit. VC-based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical.
LLC (LLC-based Multiplexing): One VC carries multiple protocols, with protocol-identifying information contained in each packet header. Despite the extra bandwidth and processing overhead, this method may be advantageous if it is not practical to have a separate VC for each carried protocol.
VPI (Virtual Path Identifier) is used to set up ATM Permanent Virtual Channels (PVC). The valid range for VPI is 0 to 255.
VCI (Virtual Channel Identifier) is used to set up ATM Permanent Virtual Channels (PVC). The valid range for VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic).
QoS (Quality of Service) class: The Traffic Management Specification V4.0 defines ATM service categories that describe both the traffic transmitted by users onto a network and the Quality of Service that the network needs to provide for that traffic. There are four classes to choose from: UBR, CBR, rt-VBR and nrt-VBR. Select CBR to specify fixed bandwidth for voice or data traffic. Select UBR for applications that are not time-sensitive, such as e-mail. Select VBR for bursty traffic and bandwidth sharing with other applications.
UBR (Unspecified Bit Rate) is the simplest service provided by ATM networks. There is no guarantee of anything. It is a primary service used for transferring Internet traffic over the ATM network.
CBR (Constant Bit Rate) is used by connections that require a static amount of bandwidth that is available during the connection lifetime. This bandwidth is characterized by the Peak Cell Rate (PCR). Based on the PCR of the CBR traffic, specific cell slots are assigned for the VC in the schedule table. The ATM layer always sends a single cell during the CBR connection's assigned cell slot.
VBR-rt (Variable Bit Rate real-time) is intended for real-time applications, such as compressed voice over IP and video conferencing, that require tightly constrained delay and delay variation. VBR-rt is characterized by a peak cell rate (PCR), sustained cell rate (SCR), and maximum burst rate (MBR).
VBR-nrt (Variable Bit Rate non-real-time) is intended for non-real-time applications, such as FTP, e-mail and browsing.
PCR (Peak Cell Rate) in kbps: The maximum rate at which you expect to transmit data, voice and video. Consider PCR and MBS as a means of reducing latency, not increasing bandwidth. The range of PCR is 384kbps to 11392kbps.
SCR (Sustained Cell Rate): The sustained rate at which you expect to transmit data, voice and video. Consider SCR to be the true bandwidth of a VC and not the long-term average traffic rate. The range of SCR is 384kbps to 11392kbps.
MBS (Maximum Burst Size): Refers to the maximum number of cells that can be sent at the peak rate. The range of MBS is 1 cell to 255 cells.
Username : Enter the user name exactly as your ISP assigned.
Password: Enter the password associated with the user name above.
Password confirm: Enter the password again for confirmation.
Idle Time: If you do not want the connection up all the time, specify an idle time in this field.
IP type: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
Press Finish to finish setting.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters before writing them in NVRAM.
Press Restart to restart the router working with new parameters or press continue to setup another parameter.

6.2.3 Bridge

If you want to set up the advanced filter function while the router is working in bridge mode, you can use the BRIDGE menu to set up the filter (blocking) function.
Click Bridge to setup.
Press Add at the bottom of the web page to add the static bridge information.
If you want to prevent a designated MAC address of a LAN PC from accessing the Internet, press Add to establish the filtering table. Put the MAC address in the MAC Address field and select Filter in the LAN field.
If you want to prevent a designated MAC address of a WAN PC from accessing the LAN, press Add to establish the filtering table. Key the MAC address into the MAC Address field and select Filter in the WAN field.
For example: if your VC is setup at WAN 1, select WAN 1 Filter.
Press Finish in the bottom of web page to review the bridge parameters.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters before writing them in NVRAM.
Press Restart to restart the router working with new parameters or press Continue to setup another parameter.

6.2.4 VLAN

Click VLAN to configure VLAN.
VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same group.
With MTU (Multi-Tenant Unit) applications, VLAN is vital in providing isolation and security among the subscribers. When properly configured, VLAN prevents one subscriber from accessing the network resources of another on the same LAN.
VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. In traditional switched environments, all broadcast packets go to every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.
The IEEE 802.1Q defines the operation of VLAN bridges that permit the definition, operation, and administration of VLAN topologies within a bridged LAN infrastructure.
The router supports two types of VLAN: 802.1Q Tag-Based VLAN and Port-Based VLAN. The user can configure one of them on the router.
6.2.4.1 802.1Q Tag-Based VLAN
To set up 802.1Q VLAN, click 802.1Q Tag-Based VLAN. The screen will prompt as follows.
VID (Virtual LAN ID): the VLAN identifier, a number from 1 to 4094.
PVID (Port VID): the default VLAN, from 1 to 4094, of which the port is an untagged member.
Link Type: Access means the port can receive or send untagged packets. Trunk means that the port can receive or send tagged packets.
By default the router initially configures one VLAN, VID=1. A port such as LAN1 to LAN4 and WAN1 to WAN8 can have only one PVID, but can have as many VIDs as the router has memory in its VLAN table to store them.
Ports in the same VLAN group share the same frame broadcast domain, thus increasing network performance through reduced broadcast traffic. VLAN groups can be modified at any time by adding, moving or changing ports without any re-cabling.
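To make the PVID / VID / link-type rules above concrete, here is an added illustration of how a tag-based bridge classifies and forwards a broadcast frame. It is a model written for this manual page, not code from the GRT-504 firmware; the port names follow the manual's LAN1..LAN4 / WAN1..WAN8 naming, the VLAN numbers 10 and 20 are made up, and the treatment of untagged frames on a Trunk port (classified into its PVID) is an assumption beyond what the manual states.

```python
"""Minimal model of the 802.1Q tag-based VLAN behaviour described in the manual
(Access vs Trunk link type, PVID, VID membership).  Added illustration, not
code from the GRT-504 firmware; VLAN numbers are made up."""

from dataclasses import dataclass, field

VID_MIN, VID_MAX = 1, 4094  # valid VID / PVID range from the manual


@dataclass
class Port:
    name: str
    link_type: str          # "Access" or "Trunk"
    pvid: int               # default VLAN for untagged frames
    vids: set = field(default_factory=set)  # VLANs the port is a member of

    def __post_init__(self):
        if not VID_MIN <= self.pvid <= VID_MAX:
            raise ValueError(f"{self.name}: PVID {self.pvid} outside 1..4094")
        # A port is always an (untagged) member of its own PVID VLAN.
        self.vids.add(self.pvid)


class VlanBridge:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, in_port, tag):
        """Decide which VLAN an incoming frame belongs to; None means drop.
        tag is the 802.1Q VID carried in the frame, or None if untagged."""
        p = self.ports[in_port]
        if tag is None:
            # Untagged frame: assigned to the port's PVID.  Doing this on a
            # Trunk port too is an assumption of this model, not the manual.
            return p.pvid
        if p.link_type == "Access":
            return None          # access ports only send/receive untagged frames
        return tag if tag in p.vids else None   # trunk: must be a member of VID

    def forward(self, in_port, tag=None):
        """Return {out_port: vid_or_None} describing where a broadcast frame
        received on in_port is sent and whether it leaves tagged (vid) or
        untagged (None)."""
        vid = self.classify(in_port, tag)
        if vid is None:
            return {}
        out = {}
        for name, p in self.ports.items():
            if name == in_port or vid not in p.vids:
                continue         # frame stays inside its own broadcast domain
            out[name] = vid if p.link_type == "Trunk" else None
        return out


def demo_bridge():
    """Two tenant VLANs (10, 20) on LAN ports plus one trunk towards WAN1."""
    return VlanBridge([
        Port("LAN1", "Access", pvid=10),
        Port("LAN2", "Access", pvid=10),
        Port("LAN3", "Access", pvid=20),
        Port("WAN1", "Trunk", pvid=1, vids={10, 20}),
    ])


if __name__ == "__main__":
    b = demo_bridge()
    print(b.forward("LAN1"))            # {'LAN2': None, 'WAN1': 10}
    print(b.forward("LAN3"))            # {'WAN1': 20}: LAN1/LAN2 never see it
    print(b.forward("WAN1", tag=20))    # {'LAN3': None}
    print(b.forward("WAN1", tag=30))    # {}: VID 30 is not a member, dropped
```

The isolation property the manual describes for multi-tenant units is visible in the second call: a broadcast from the VLAN 20 tenant reaches only the trunk, never the VLAN 10 ports.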
6.2.4.2 Port-Based VLAN
Port-Based VLANs are VLANs where the packet forwarding decision is based on the destination MAC address and its associated port.
To set up Port-Based VLAN, click Port-Based VLAN. The screen will prompt as follows:
When using port-based VLAN, the port is assigned to a specific VLAN independent of the user or system attached to the port. This means all users attached to the port should be members of the same VLAN. The network administrator typically performs the VLAN assignment. The port configuration is static and cannot be automatically changed to another VLAN without manual reconfiguration.
As with other VLAN approaches, the packets forwarded using this method do not leak into other VLAN domains on the network. After a port has been assigned to a VLAN, the port cannot send to or receive from devices in another VLAN.
The default setting is all ports (LAN1 to LAN4 and WAN1 to WAN8) connected together which means all ports can communicate with each other. That is, there are no virtual LANs. The option is the most flexible but the least secure.

6.2.5 STP

Click STP to disable or enable the bridge STP mode.
STP (Spanning-Tree Protocol), defined in IEEE 802.1D, is a link management protocol that provides path redundancy while preventing undesirable loops in the network. For an Ethernet network to function properly, only one active path can exist between two stations. Multiple active paths between stations cause loops in the network. If a loop exists in the network topology, the potential exists for duplication of messages. When loops occur, some switches see stations appear on both sides of the switch. This condition confuses the forwarding algorithm and allows duplicate frames to be forwarded. To provide path redundancy, Spanning-Tree Protocol defines a tree that spans all switches in an extended network. Spanning-Tree Protocol forces certain redundant data paths into a standby (blocked) state. If one network segment in the Spanning-Tree Protocol becomes unreachable, or if Spanning-Tree Protocol costs change, the spanning-tree algorithm reconfigures the spanning-tree topology and reestablishes the link by activating the standby path. Spanning-Tree Protocol operation is transparent to end stations, which are unaware whether they are connected to a single LAN segment or a switched LAN of multiple segments.

6.2.6 Route

If the Router is connected to more than one network, it may be necessary to set up a static route between them. A static route is a pre-determined pathway that network information must travel to reach a specific host or network. With Dynamic Routing, you can enable the Router to automatically adjust to physical changes in the network’s layout. The Router, using the RIP protocol, determines the network packets’ route based on the fewest number of hops between the source and the destination. The RIP protocol regularly broadcasts routing information to other routers on the network.
Click Route to modify the routing information.
To modify the RIP (Routing Information Protocol) parameters:
RIP Mode: Enable
Auto RIP Summary: Enable
Press Modify.
RIP Mode: This parameter determines how the router handles RIP (Routing Information Protocol). RIP allows it to exchange routing information with other routers. If set to Disable, the gateway does not participate in any RIP exchange with other routers. If set to Enable, the router broadcasts its routing table on the LAN and incorporates RIP broadcasts from other routers into its routing table. If set to Silent, the router does not broadcast its routing table, but it accepts the RIP broadcast packets that it receives.
RIP Version: This determines the format and broadcasting method of any RIP transmissions by the gateway.
RIP v1: sends RIP v1 messages only. RIP v2: sends RIP v2 messages in multicast and broadcast format.
Authentication required:
None: RIP messages carry no authentication code.
Password: RIP messages are protected by a password authentication code.
MD5: RIP messages are protected by an MD5 hash of the password authentication code.
Poison Reverse:
Poison Reverse promptly broadcasts or multicasts the RIP update when a route changes (for example, when one of the routers in the routing table shuts down).
Enable: the gateway will actively broadcast or multicast the information. Disable: the gateway will not broadcast or multicast the information.
After modifying the RIP parameters, press Finish. The screen will prompt the modified parameters. Check the parameters and press Restart to restart the router, or press Continue to set up other parameters.

6.2.7 NAT/DMZ

NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and reverses the global IP addresses of incoming packets back into local IP addresses. This helps security since each outgoing or incoming request must go through a translation process, which also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves the number of global IP addresses that a company needs and lets the company use a single IP address for its communication with the Internet.
DMZ (Demilitarized Zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company private data.
In a typical DMZ configuration for an enterprise, a separate computer or host receives requests from users within the private network to access Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests to the public network. However, the DMZ host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.
Users of the public network outside the company can access only the DMZ host. The DMZ may typically also hold the company's Web pages so these can serve the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted, but no other company information would be exposed.
Press NAT/DMZ to setup the parameters.
If you want to enable the NAT/DMZ functions, click Enable. The Enable DMZ host function uses the IP address assigned to the WAN interface to enable the DMZ function for the specified virtual IP address.
6.2.7.1 Multi-DMZ
Users who have two or more global IP addresses assigned by the ISP can use Multi-DMZ. The table maps global IP addresses to virtual IP addresses.
6.2.7.2 Multi-NAT
Some of the virtual IP addresses (e.g. 192.168.0.10 ~ 192.168.0.50) collectively use two of the global IP addresses (e.g. 69.210.1.9 and 69.210.1.10). The Multi-NAT table is then set up as:
Virtual Start IP Address: 192.168.0.10
Count: 40
Global Start IP Address: 69.210.1.9
Count: 2
Press Finish to continue to the review.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters before writing them in NVRAM. Press Restart to restart the router working with the new parameters, or press Continue to configure another parameter.
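The start/count notation of the Multi-NAT table is compact but hides which hosts end up behind which global address. The following added example (not the router's own code) expands the manual's entry into the two address pools and reports the sharing; since the manual does not say how the router picks a global address for a given host, the round-robin assignment used here is an assumption, and the overlap check is an extra sanity test for a mistyped global pool.

```python
"""Expand a Multi-NAT table entry (virtual start/count -> global start/count)
into the address pools it describes and show which virtual hosts share each
global address.  Added example; how the GRT-504 firmware actually chooses the
global address for a given host is not documented, so the round-robin
assignment below is an assumption."""

import ipaddress


def expand(start, count):
    """Return the list of `count` consecutive IPv4 addresses from `start`."""
    first = ipaddress.IPv4Address(start)
    return [first + i for i in range(count)]


def multi_nat_table(virtual_start, virtual_count, global_start, global_count):
    """Map each virtual (private) address to a global address.
    Returns dict {virtual_ip_str: global_ip_str}."""
    if virtual_count < 1 or global_count < 1:
        raise ValueError("counts must be positive")
    virtuals = expand(virtual_start, virtual_count)
    globals_ = expand(global_start, global_count)
    # Assumption: virtual hosts are spread over the global pool round-robin.
    return {str(v): str(globals_[i % global_count]) for i, v in enumerate(virtuals)}


def hosts_behind(table, global_ip):
    """Virtual addresses that share one global address (sorted as strings)."""
    return sorted(v for v, g in table.items() if g == global_ip)


def overlaps(table, lan_cidr):
    """Report global addresses that fall inside the LAN prefix: a mistyped
    entry would then translate to an address that is not routable on the WAN."""
    net = ipaddress.ip_network(lan_cidr)
    return sorted({g for g in table.values() if ipaddress.IPv4Address(g) in net})


if __name__ == "__main__":
    # The manual's worked entry: 40 virtual hosts over 2 global addresses.
    t = multi_nat_table("192.168.0.10", 40, "69.210.1.9", 2)
    print(len(t), "virtual hosts")               # 40
    print(t["192.168.0.10"], t["192.168.0.11"])  # 69.210.1.9 69.210.1.10
    print(len(hosts_behind(t, "69.210.1.9")))    # 20
    print(overlaps(t, "192.168.0.0/24"))         # []
```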

6.2.8 Virtual Server

Click Virtual Server to configure the parameters.
Ten virtual server indexes, from 1 to 10, can be set up.
Press Modify to modify index 1.
Type the necessary parameters and then click OK.
Press Restart to restart the router or press Continue to setup another function.
For example: specific ports on the WAN interface are re-mapped to services inside the LAN. As only 69.210.1.8 (e.g., assigned to the WAN by the ISP) is visible to the Internet, but the gateway does not actually have any services (other than NAT, of course) running on it, it is said to be a virtual server. TCP requests made to 69.210.1.8:80 are remapped to server 1 on 192.168.0.2:80 on working days from Monday to Friday 8 AM to 6 PM; other UDP requests made to 69.210.1.8:25 are remapped to server 2 on 192.168.0.3:25 and are always on.
You can set up the router as Index 1, protocol TCP, interface WAN1, service name test1, private IP 192.168.0.2, private port 80, public port 80, schedule from Monday to Friday and time 8:0 to 16:0; and Index 2, protocol UDP, interface WAN1, service name test2, private IP 192.168.0.3, private port 25, public port 25, schedule always.
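The two rules above, modelled as an added example so the schedule semantics can be checked against concrete timestamps. This is not the GRT-504's own code: the rules and the public address 69.210.1.8 come from the manual's example (using the 8:0 to 16:0 window as entered in the UI), the timestamps are constructed, and treating the end time as exclusive is this example's assumption.

```python
"""Model of the virtual-server (port-forwarding) table in section 6.2.8 with
the day/time schedule the manual describes.  Added example, not the GRT-504's
own code; timestamps are constructed."""

from dataclasses import dataclass
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass
class VirtualServer:
    index: int
    protocol: str        # "TCP" or "UDP"
    interface: str       # e.g. "WAN1"
    name: str
    private_ip: str
    private_port: int
    public_port: int
    days: tuple = DAYS   # days on which the rule is active ("always" = all days)
    start: str = "0:0"   # hour:minute, inclusive
    end: str = "24:0"    # hour:minute, exclusive (assumption of this model)

    def active_at(self, when):
        if DAYS[when.weekday()] not in self.days:
            return False
        minutes = when.hour * 60 + when.minute
        sh, sm = map(int, self.start.split(":"))
        eh, em = map(int, self.end.split(":"))
        return sh * 60 + sm <= minutes < eh * 60 + em


def lookup(rules, interface, protocol, public_port, when):
    """Return (private_ip, private_port) for an inbound request, or None when
    no active rule matches (the router then simply does not forward it).
    `when` may be a datetime or an ISO string such as '2008-06-02 09:30'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for r in rules:
        if (r.interface == interface and r.protocol == protocol
                and r.public_port == public_port and r.active_at(when)):
            return r.private_ip, r.private_port
    return None


# The manual's two example entries (public address 69.210.1.8 on WAN1).
RULES = [
    VirtualServer(1, "TCP", "WAN1", "test1", "192.168.0.2", 80, 80,
                  days=("Mon", "Tue", "Wed", "Thu", "Fri"), start="8:0", end="16:0"),
    VirtualServer(2, "UDP", "WAN1", "test2", "192.168.0.3", 25, 25),  # always
]

if __name__ == "__main__":
    print(lookup(RULES, "WAN1", "TCP", 80, "2008-06-02 09:30"))  # Monday -> ('192.168.0.2', 80)
    print(lookup(RULES, "WAN1", "TCP", 80, "2008-06-07 09:30"))  # Saturday -> None
    print(lookup(RULES, "WAN1", "UDP", 25, "2008-06-07 09:30"))  # always -> ('192.168.0.3', 25)
```

Note that outside its schedule a rule simply stops matching, so a request to 69.210.1.8:80 on a Saturday is not forwarded anywhere; that is the behaviour to expect, not a fault.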

6.2.9 Firewall

A firewall is a set of related programs that protects the resources of a private network from other networks. It helps users prevent hackers from accessing their private data resources.
There are three security levels to choose from: Basic firewall security, Automatic firewall security and Advanced firewall security.
6.2.9.1 Basic Firewall Security
Click Basic Firewall Security.
This level only enables the NAT firewall and the remote management security. The NAT firewall will take effect if the NAT function is enabled. The remote management security blocks, by default, any WAN-side connection to the device. A non-empty legal IP pool in ADMIN will block all remote management connections except those from the IPs specified in the pool. Press Finish to finish setting the firewall and review the parameters.
The screen will prompt the parameters, which router will record in NVRAM. Check the parameters.
Press Restart to restart the router or press Continue to setup another function.
6.2.9.2 Automatic Firewall Security
Click Automatic Firewall Security.
This level enables basic firewall security, all DoS protection, and the SPI filter function.
Press Finish to finish setting the firewall.
The screen will prompt the parameters, which will be written in NVRAM. Check the parameters. Press Restart to restart the router or press Continue to set up another function. The user can determine the security level for a special purpose, environment, and application by configuring the DoS protection and defining an extra packet filter with higher priority than the default SPI filter. Note that an improper filter policy may degrade the capability of the firewall and/or even block normal network traffic.
6.2.9.3 Advanced Firewall Security
Click Advanced Firewall Security and then press Finish.
A user can determine the security level for a special purpose, environment and application by configuring the DoS protection and defining an extra packet filter with higher priority than the default SPI filter. Please note that an improper filter policy may degrade the capability of the firewall and even block normal network traffic.
The DoS protection parameters can be set up:
SYN flood: A SYN flood is a form of denial-of-service attack that attempts to slow your network by requesting new connections but not completing the process to open the connection. Once the buffer for these pending connections is full, a server will not accept any more connections and will be unresponsive.
ICMP flood: A sender transmits a volume of ICMP request packets to cause all CPU resources to be consumed serving the phony requests.
UDP Flood: A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP). A sender transmits a volume of requests for UDP diagnostic services which cause all CPU resources to be consumed serving the phony requests.
Ping of Death: A ping of death (abbreviated "POD") attack attempts to crash your system by sending a fragmented packet which, when reconstructed, is larger than the maximum allowable size.
Land attack: A land attack is an attempt to slow your network down by sending a packet with identical source and destination addresses originating from your network.
IP Spoofing: IP spoofing is a method of masking the identity of an intrusion by making it appear that the traffic came from a different computer. This is used by intruders to keep their anonymity and can be used in a Denial of Service attack.
Smurf attack: The Smurf attack is a way of generating a lot of computer network traffic to a victim host. It is a type of denial-of-service attack. A Smurf attack involves two systems. The attacker sends a packet containing an ICMP echo request (ping) to the network address of one system. This system is known as the amplifier. The return address of the ping has been faked (spoofed) to appear to come from a machine on another network (the victim). The victim is then flooded with responses to the ping. As many responses are generated for only one attack, the attacker is able to use many amplifiers on the same victim.
Fraggle attack: A Fraggle attack is a type of denial-of-service attack where an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. This is a simple rewrite of the smurf attack code.
For SYN flood, ICMP flood and UDP flood, you can set up the threshold in packets per second. The default value is 200 packets per second. If everything is working properly, you probably do not need to change the threshold from the default value. Reduce the threshold values if your network is slower than average.
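The packets-per-second threshold is the whole of the detection logic for these three floods, so it is worth seeing what it does and does not catch. The following added example (not the router's own code) counts SYN, ICMP-request and UDP packets per one-second window over a constructed log and flags windows above the configured limit, with a helper to list the busiest sources in a flagged window for triage; the log format and the 203.0.113.0/24 and 198.51.100.0/24 addresses are invented for the example.

```python
"""Threshold check of the kind the DoS protection describes: count SYN, ICMP
request and UDP packets per one-second window and flag windows that exceed the
configured packets-per-second limit (default 200).  Added example run over
constructed log lines; it is not the router's own detection code and the log
format is invented."""

from collections import Counter

DEFAULT_THRESHOLDS = {"SYN": 200, "ICMP": 200, "UDP": 200}


def constructed_log():
    """Constructed sample lines of the form '<epoch_seconds> <kind> <src_ip>'."""
    lines = []
    for i in range(250):                      # 250 SYNs in second 1000 -> over limit
        lines.append(f"1000 SYN 203.0.113.{i % 50 + 1}")
    for i in range(40):                       # 40 ICMP requests -> normal
        lines.append(f"1000 ICMP 198.51.100.{i + 1}")
    for i in range(150):                      # 150 SYNs in second 1001 -> normal
        lines.append(f"1001 SYN 203.0.113.{i % 50 + 1}")
    return lines


def parse(line):
    ts, kind, src = line.split()
    return int(ts), kind, src


def per_second_counts(lines):
    """{(second, kind): count} aggregated from the log lines."""
    counts = Counter()
    for line in lines:
        ts, kind, _ = parse(line)
        counts[(ts, kind)] += 1
    return counts


def find_floods(lines, thresholds=DEFAULT_THRESHOLDS):
    """Return (second, kind, count) tuples whose per-second count exceeds the
    threshold configured for that packet kind (kinds without a threshold are
    ignored, mirroring a protection that is switched off)."""
    counts = per_second_counts(lines)
    floods = []
    for (sec, kind), n in sorted(counts.items()):
        limit = thresholds.get(kind)
        if limit is not None and n > limit:
            floods.append((sec, kind, n))
    return floods


def top_sources(lines, second, kind, k=3):
    """Most frequent source addresses inside a flagged window, for triage."""
    srcs = Counter(src for ts, kd, src in map(parse, lines)
                   if ts == second and kd == kind)
    return srcs.most_common(k)


if __name__ == "__main__":
    log = constructed_log()
    print(find_floods(log))                  # [(1000, 'SYN', 250)]
    print(find_floods(log, {"SYN": 100}))    # a lower threshold flags second 1001 too
    print(top_sources(log, 1000, "SYN"))     # 50 sources, 5 packets each
```

The last line illustrates the manual's note about lowering the threshold on a slow link: at 100 packets per second the second window (150 SYNs) is also treated as a flood, which may be the intent or may be a false positive depending on the site's normal traffic.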
Traditional firewalls are stateless, meaning they have no memory of the connections or packets that pass through them. Such IP filtering firewalls simply examine the header information in each packet and attempt to match it against a set of defined rules. If the firewall finds a match, the prescribed action is taken. If no match is found, the packet is accepted into the network or dropped, depending on the firewall configuration.
A stateful firewall maintains a memory of each connection and the data passing through it. A stateful firewall records the context of connections during each session, continuously updating state information in dynamic tables. With this information, stateful firewalls inspect each connection traversing each interface of the firewall, testing the validity of data packets throughout each session. As data arrives, it is checked against the state tables and, if the data is part of the session, it is accepted. Stateful firewalls enable a more intelligent, flexible and robust approach to network security, while defeating most intrusion methods that exploit stateless IP filtering firewalls.
Packet filter: Click Next to set up the packet filtering parameters. If you want to configure the Packet Filtering Parameters, choose Enable and press Add.
You can set up the packet filter rule parameters:
Select the Protocol and configure the parameters.
Protocol: ANY, TCP, UDP, ICMP, GRE, RSVP, ESP and AH (ANY means all protocols).
Direction: INBOUND (from WAN to LAN) or OUTBOUND (from LAN to WAN).
Action: DENY (block) or PERMIT (allow).
Description: Type a description for your customized service.
Src. IP Address: The source address or range of addresses to which this packet filter rule applies. (Address 0.0.0.0 is equivalent to Any.)
Dest. IP Address: The destination address or range of addresses to which this packet filter rule applies. (Address 0.0.0.0 is equivalent to Any.)
Schedule: Select everyday (always) or the day(s) of the week to apply the rule. Enter the start and end times in hour-minute format to apply the rule.
For example, if you want to ban all protocols from the IP address (e.g. 200.1.1.1) to all PCs (e.g. 192.168.0.2 ~ 192.168.0.50) in the LAN, key in the parameters as:
Protocol: ANY
Direction: INBOUND (INBOUND is from WAN)
Description: Hacker
Src. IP Address: 200.1.1.1
Dest. IP Address: 192.168.0.2-192.168.0.50
Schedule: always, or any time range you want
Press OK to finish.
The screen will prompt the configured parameters. Click Enable on the Trigger Packet Filtering Service item to activate the packet filtering service. You can modify or delete the access policies by clicking the Modify or Delete command.
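The sections above describe two layers: the user-defined packet filter, which has higher priority, and the default SPI (stateful) filter behind it. The following added example models both together so the ordering can be checked: rules are tried first in order, then outbound packets open a session and inbound packets are only accepted as the reply half of an existing one. It is not the GRT-504's firewall code; the "Hacker" rule reproduces the manual's example, the packets are constructed, the 198.51.100.7 server address is invented, and the schedule field is omitted (treated as "always") to keep the focus on matching and state.

```python
"""Packet-filter rule matching with the semantics the manual lists (protocol
ANY, direction, DENY/PERMIT, 0.0.0.0 meaning any address, address ranges) in
front of a simple stateful (SPI) check.  Added example, not the GRT-504's own
firewall code; sample packets are constructed."""

import ipaddress
from dataclasses import dataclass

ANY_ADDR = "0.0.0.0"


def addr_matches(spec, ip):
    """spec is '0.0.0.0' (any), a single address, or a 'start-end' range."""
    if spec == ANY_ADDR:
        return True
    a = ipaddress.IPv4Address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(x.strip()) for x in spec.split("-", 1))
        return lo <= a <= hi
    return a == ipaddress.IPv4Address(spec)


@dataclass
class Rule:
    protocol: str      # ANY, TCP, UDP, ICMP, GRE, RSVP, ESP, AH
    direction: str     # INBOUND (WAN->LAN) or OUTBOUND (LAN->WAN)
    action: str        # DENY or PERMIT
    description: str
    src: str
    dst: str

    def matches(self, pkt):
        return ((self.protocol == "ANY" or self.protocol == pkt["proto"])
                and self.direction == pkt["dir"]
                and addr_matches(self.src, pkt["src"])
                and addr_matches(self.dst, pkt["dst"]))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (proto, lan_ip, lan_port, wan_ip, wan_port)

    def decide(self, pkt):
        """Return 'PERMIT' or 'DENY' for a packet dict with keys dir, proto,
        src, dst, sport, dport.  Explicit rules win (first match); otherwise
        OUTBOUND opens a session and INBOUND must be the reply of one."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        if pkt["dir"] == "OUTBOUND":
            self.sessions.add((pkt["proto"], pkt["src"], pkt["sport"],
                               pkt["dst"], pkt["dport"]))
            return "PERMIT"
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "PERMIT" if key in self.sessions else "DENY"


def demo():
    """Replays four constructed packets; returns the list of decisions."""
    fw = StatefulFirewall([
        Rule("ANY", "INBOUND", "DENY", "Hacker", "200.1.1.1", "192.168.0.2-192.168.0.50"),
    ])
    results = []
    # LAN host opens a web session to a remote server (address invented).
    results.append(fw.decide(dict(dir="OUTBOUND", proto="TCP", src="192.168.0.2", sport=40000,
                                  dst="198.51.100.7", dport=80)))
    # The server's reply belongs to that session -> accepted by SPI.
    results.append(fw.decide(dict(dir="INBOUND", proto="TCP", src="198.51.100.7", sport=80,
                                  dst="192.168.0.2", dport=40000)))
    # Unsolicited inbound packet: no matching session -> dropped.
    results.append(fw.decide(dict(dir="INBOUND", proto="TCP", src="198.51.100.7", sport=80,
                                  dst="192.168.0.2", dport=40001)))
    # The explicit DENY rule has priority even though a session exists.
    fw.decide(dict(dir="OUTBOUND", proto="UDP", src="192.168.0.10", sport=5000,
                   dst="200.1.1.1", dport=53))
    results.append(fw.decide(dict(dir="INBOUND", proto="UDP", src="200.1.1.1", sport=53,
                                  dst="192.168.0.10", dport=5000)))
    return results


if __name__ == "__main__":
    print(demo())   # ['PERMIT', 'PERMIT', 'DENY', 'DENY']
```

The fourth decision is the one the manual's priority statement is about: because the user rule is evaluated before the state table, a DENY rule blocks even the reply traffic of a session the LAN itself opened, which is also why an over-broad rule can "block the normal network traffic" as the text warns.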

6.2.10 IP QoS

IP QoS is a function that decides which PCs get priority to pass through the router once the bandwidth is exhausted or fully saturated.
Click Enable at item Trigger IP QoS Service in General IP QoS Parameter, which will turn on this IP QoS function.
Click Add in the bottom of web page to begin a new entry in IP QoS Policy table.
Description: A brief statement describing this policy.
Local IP: type the IP address of the local host in the prioritized session.
Remote IP: type the IP address of the remote host in the prioritized session.
Local Port: type the service port number of the local host in the prioritized session.
Remote Port: type the service port number of the remote host in the prioritized session.
Protocol: identify the transport layer protocol type you want to prioritize, e.g. TCP or UDP. The default is ANY.
Precedence: type the session's priority level; "0" is the lowest priority, "5" is the highest priority.
Click OK when all parameters are finished.
You can modify or delete the policies by clicking the Modify or Delete command.
Click Finish to review all IP QoS parameters.
To make the IP QoS configuration you have changed take effect immediately, click the Restart button to reboot the system. To continue the setup procedure, click the Continue button.

6.3 Status

On the STATUS item, you can monitor the following:
SHDSL.bis: Mode, Line rate, and performance information including SNR margin, attenuation, and CRC error count.
LAN: IP type, MAC address, IP address, Subnet mask, and the DHCP client table (Type, IP address and MAC address).
WAN: WAN interface information for the 8 WAN interfaces, including IP address, Subnet Mask, VPI/VCI, Encapsulation, Protocol, and Flag.
ROUTE: IP routing table including Flags, Destination IP/Netmask, Gateway, Interface, and Port name.
INTERFACE: LAN and WAN statistics information.
FIREWALL: Current DoS protection status and dropped packet statistics.
IP QoS: IP QoS statistics on the LAN interface.
STP: STP information including Bridge parameters and Port parameters.

6.3.1 SHDSL.bis

The status information shows that this is a 4-wire model with channels A and B. If the router is connected to the remote side, it also shows the performance information of the remote side.
Click Clear CRC Error to clear the CRC error count.

6.3.2 LAN

This information shows the LAN interface status and DHCP client table.

6.3.3 WAN

This page shows all eight WAN interfaces.

6.3.4 ROUTE

This information shows the IP routing table.

6.3.5 INTERFACE

This table shows the interface statistics.

6.3.6 FIREWALL

This page shows the firewall status: DoS protection and dropped packet statistics.

6.3.7 IP QoS

This information shows IP QoS statistics.

6.3.8 STP

This page shows the STP parameters.
The bridge parameters are:
Bridge ID: The bridge ID in a configuration message is an 8-byte field. The six low-order bytes are the MAC address of the switch; the high-order two bytes (an unsigned 16-bit integer) are the bridge priority number.
Designated Root ID: The unique Bridge Identifier of the bridge assumed to be the Root. This parameter is used as the value of the Root Identifier in all Configuration BPDUs transmitted by the bridge.
Root Port: Identifies the port through which the path to the Root is established; it is the Port Identifier of the port that offers the lowest-cost path to the Root. It is not significant when the bridge is itself the Root, and is then set to zero.
Root Path Cost: The cost of the path to the Root from this bridge, equal to the sum of the Designated Cost and Path Cost parameters held for the Root Port. When the bridge is the Root, this parameter is zero.
The port parameters (port states) are:
Learning: The port is building the switching table that maps MAC addresses to port numbers; it does not yet forward data.
Listening: The port processes BPDUs so that the bridge can determine the network topology; no data is forwarded.
Forwarding: The port receives and sends data, i.e. it is operating normally.
Disabled: The network administrator has disabled the port.
Blocking: The port has been blocked to stop a looping condition.
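The Bridge ID layout described above can be decoded directly. The following added example (not PLANET code) parses the 8-byte field as priority plus MAC, accepts the dotted text form many status pages print, and runs the root election that compares Bridge IDs; the sample IDs are constructed.

```python
"""Decode the 8-byte STP Bridge ID and run the root election it drives (added example, not
PLANET code). Layout as described above: 2-byte unsigned big-endian priority, then 6-byte MAC."""
from typing import Sequence, Tuple


def parse_bridge_id(raw: bytes) -> Tuple[int, str]:
    """8 bytes -> (priority, 'aa:bb:cc:dd:ee:ff')."""
    if len(raw) != 8:
        raise ValueError("bridge ID must be exactly 8 bytes")
    priority = int.from_bytes(raw[:2], "big")
    mac = ":".join(f"{b:02x}" for b in raw[2:])
    return priority, mac


def bridge_id_from_text(text: str) -> bytes:
    """Accept '8000.00304f112233' or '80-00-00-30-4f-11-22-33' as printed by status pages."""
    digits = "".join(ch for ch in text if ch not in ".:- ")
    if len(digits) != 16:
        raise ValueError("bridge ID text must hold 16 hex digits")
    return bytes.fromhex(digits)


def elect_root(bridge_ids: Sequence[bytes]) -> bytes:
    """802.1D: the numerically lowest Bridge ID wins, so the priority field dominates and the
    MAC address only breaks ties. Comparing the 8 bytes as one unsigned integer does exactly that."""
    return min(bridge_ids, key=lambda b: int.from_bytes(b, "big"))


if __name__ == "__main__":
    ids = [bridge_id_from_text("8000.000000000001"), bridge_id_from_text("7000.ffffffffffff")]
    print(parse_bridge_id(elect_root(ids)))
```

A bridge whose Designated Root ID equals its own Bridge ID and whose Root Port is 0 is the Root; on any other bridge the two IDs differ.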

6.4 Administration

This section introduces security, Simple Network Management Protocol (SNMP) and time synchronization.

6.4.1 Security

For system security, change the default user name and password during the first setup; otherwise unauthorized persons can access the router and change its parameters. There are three ways to configure the router: web browser, telnet and serial console.
Press Security to set up the parameters.
For greater security, change the Supervisor ID and password of the gateway. If you do not change them, anyone on your network can access the gateway using the default IP address and the default password root.
You can authorize up to five users to access the router via telnet or console. There are two UI modes for configuring the router: menu-driven mode and command-line mode.
The legal address pool sets the IP addresses from which an authorized person may configure the gateway. This is the most effective way for a network administrator to restrict where configuration access is accepted from.
Configuring 0.0.0.0 allows every host on the Internet or the LAN to access the router; avoid this on a WAN-connected device.
Leaving the trusted host list blank blocks all PCs on the WAN from accessing the router; only PCs in the LAN can then access it.
If you type an exact IP address in the field, only that host can access the router. Click Finish to finish the setting.
The browser will show all configured parameters; check them before they are written into NVRAM. Press Restart to restart the gateway with the new parameters, or press Continue to set up other parameters.
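The three cases above (empty pool, 0.0.0.0, exact addresses) decide who can reach the configuration interface, so they are worth checking before pressing Restart. The following added example (not PLANET code) models those semantics and flags settings that expose management to the WAN; it assumes the LAN is 192.168.0.0/24 as in the manual's examples.

```python
"""Model of the Legal Address Pool (trusted host list) semantics described above, with a check
for risky settings (added example, not PLANET code). The LAN subnet is assumed to be
192.168.0.0/24 as in the manual's examples."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Sequence

LAN = IPv4Network("192.168.0.0/24")
WILDCARD = IPv4Address("0.0.0.0")


def management_allowed(trusted_hosts: Sequence[str], client_ip: str, arrived_on: str) -> bool:
    """Is a web/telnet configuration session from client_ip, arriving on 'LAN' or 'WAN', accepted?
    - empty pool: only LAN hosts, nothing from the WAN
    - pool contains 0.0.0.0: every host on the Internet or the LAN
    - otherwise: exactly the listed hosts"""
    pool = [IPv4Address(h) for h in trusted_hosts]
    if not pool:
        return arrived_on == "LAN"
    if WILDCARD in pool:
        return True
    return IPv4Address(client_ip) in pool


def audit_pool(trusted_hosts: Sequence[str]) -> List[str]:
    """Findings a reviewer would raise before the configuration is written to NVRAM."""
    findings = []
    pool = [IPv4Address(h) for h in trusted_hosts]
    if WILDCARD in pool:
        findings.append("0.0.0.0 exposes the management interface to every Internet host")
    for host in pool:
        if host != WILDCARD and host not in LAN:
            findings.append(f"{host} is outside the LAN: management is reachable from the WAN")
    return findings


if __name__ == "__main__":
    for pool in ([], ["0.0.0.0"], ["192.168.0.100"], ["203.0.113.10"]):
        print(pool, management_allowed(pool, "203.0.113.10", "WAN"), audit_pool(pool))
```

The empty pool is the safest default for a device that is only administered from the LAN; a single administrator address is the right choice when remote management over the WAN is genuinely needed.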

6.4.2 SNMP

Simple Network Management Protocol (SNMP) provides for the exchange of messages between a network management client and a network management agent for remote management of network nodes. These messages contain requests to get and set variables that exist in network nodes in order to obtain statistics, set configuration parameters, and monitor network events. SNMP communications can occur over the LAN or the WAN connection.
The router can generate SNMP traps to indicate alarm conditions, and it relies on SNMP community strings to implement SNMP security. Community strings travel in cleartext in SNMPv1 and SNMPv2, so treat them as passwords: do not keep default values, and do not expose SNMP on the WAN unless it is needed. This router supports both MIB I and MIB II.
Click SNMP to configure the parameters.
6.4.2.1 Community pool
Press Modify to modify the community pool. You can set up the access authority:
SNMP Status: Enable
Access Right: Deny denies all access; Read allows read-only access; Write allows read and write access.
Community: the community string serves as the password for the access right. After configuring the community pool, press OK.
6.4.2.2 Trap host pool
An SNMP trap is an informational message sent from an SNMP agent to a manager. Click Modify to modify the trap host pool.
Version: select the trap version for the host (Version 1 for SNMPv1, Version 2 for SNMPv2).
IP Address: type the trap host IP address.
Community: type the community string; it must be one configured in the community pool.
Press OK to finish the setup.
The browser will prompt the configured parameters and check it before writing into NVRAM.
Press Restart to restart the gateway working with the new parameters and press Continue to setup other parameters.

6.4.3 Time Sync

Time synchronization is an essential element for any business that relies on its IT systems. All of these systems have a clock that is the source of time for their files and operations. Without time synchronization, these systems' clocks drift apart and cause the failure of firewall packet filtering schedules, compromised security, or a virtual server working on the wrong schedule.
Click TIME SYNC.
Time synchronization has two methods:
Sync with PC: synchronization with the connecting PC
SNTP v4.0: Simple Network Time Protocol version 4
6.4.3.1 Synchronization with PC
For synchronization with PC, select Sync with PC. The router will synchronize its time with the connecting PC.
6.4.3.2 SNTP v4.0
For using the SNTP, select SNTP v4.0.
SNTP is the acronym for Simple Network Time Protocol, an adaptation of the Network Time Protocol (NTP) used to synchronize computer clocks on the Internet. SNTP can be used when the ultimate performance of a full NTP implementation is not needed or justified.
Service: Enable
Time Server 1, Time Server 2 and Time Server 3: any time server in the world can be used, but a time server near your country is suggested. You can set up at most three time servers here.
Time Zone: choose the correct GMT time zone for your country.
Press Finish to finish the setup. The browser will show the configured parameters; check them before they are written into NVRAM.
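The following added example (not PLANET code and not the router's own SNTP implementation) shows the SNTP v4 exchange the setting above enables: the 48-byte client request, parsing of a server reply, and the RFC 4330 offset computation, rejecting kiss-o'-death replies and replies that do not echo the request. The server reply is constructed locally so the example runs offline.

```python
"""SNTPv4 client-side packet handling per RFC 4330 (added example, not PLANET code): build the
48-byte request, parse a reply, and compute the clock offset a client would apply.
The server reply used below is constructed locally so the example runs offline."""
import struct
from typing import Dict

NTP_UNIX_DELTA = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBbIII"                      # LI/VN/Mode, stratum, poll, precision, root delay,
                                         # root dispersion, reference ID (16 bytes)
STAMPS = "!QQQQ"                         # reference, originate, receive, transmit (32 bytes)


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs, frac = divmod(unix_seconds + NTP_UNIX_DELTA, 1)
    return (int(secs) << 32) | int(frac * (1 << 32))


def from_ntp(stamp: int) -> float:
    return (stamp >> 32) - NTP_UNIX_DELTA + (stamp & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3 -> first byte 0x23; our send time in Transmit."""
    return struct.pack(HEADER, 0x23, 0, 0, 0, 0, 0, 0) + struct.pack(STAMPS, 0, 0, 0, to_ntp(t1_unix))


def parse_reply(data: bytes) -> Dict[str, float]:
    if len(data) < 48:
        raise ValueError("SNTP message is at least 48 bytes")
    li_vn_mode, stratum = data[0], data[1]
    _, originate, receive, transmit = struct.unpack(STAMPS, data[16:48])
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
            "stratum": stratum, "originate": from_ntp(originate),
            "receive": from_ntp(receive), "transmit": from_ntp(transmit)}


def clock_offset(reply: bytes, t1_unix: float, t4_unix: float) -> float:
    """RFC 4330: offset = ((T2 - T1) + (T3 - T4)) / 2, with T1 = our send, T2 = server
    receive, T3 = server transmit, T4 = our receive. Rejects replies that are not from a
    synchronized server or that do not echo our transmit timestamp (the only check plain
    SNTP offers against a blind off-path forgery)."""
    r = parse_reply(reply)
    if r["mode"] != 4 or r["stratum"] == 0 or r["leap"] == 3:
        raise ValueError("not a usable server reply (kiss-o'-death or unsynchronized)")
    if abs(r["originate"] - t1_unix) > 1e-4:
        raise ValueError("originate timestamp does not match our request")
    return ((r["receive"] - t1_unix) + (r["transmit"] - t4_unix)) / 2


def constructed_reply(request: bytes, t2_unix: float, t3_unix: float, stratum: int = 2) -> bytes:
    """Offline stand-in for a time server: echo the request's Transmit into Originate."""
    originate = struct.unpack("!Q", request[40:48])[0]
    header = struct.pack(HEADER, 0x24, stratum, 6, -20, 0, 0, 0x4C4F434C)   # mode 4, ref "LOCL"
    return header + struct.pack(STAMPS, to_ntp(t2_unix - 64), originate, to_ntp(t2_unix), to_ntp(t3_unix))


if __name__ == "__main__":
    t1 = 1_700_000_000.0                                        # our clock when we send
    req = build_request(t1)
    rep = constructed_reply(req, t1 + 10.020, t1 + 10.021)      # server 10 s ahead, 20 ms one way
    print(round(clock_offset(rep, t1, t1 + 0.041), 3))          # -> 10.0
```

The originate-timestamp check is cheap but worth keeping: a reply that does not echo the request's transmit timestamp was not sent in answer to it. Because plain SNTP carries no authentication, a host that can reach the router from the WAN with a forged source address could otherwise shift the clock, and with it the packet-filter schedules described in 6.2.9.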

6.5 Utility

This section describes the utilities of the product:
SYSTEM INFO: show the system information
CONFIG TOOL: load the factory default configuration, restore a configuration, or back up the configuration
UPGRADE: upgrade the firmware
LOGOUT: log out of the system
RESTART: restart the router

6.5.1 System Info

Click System Info for review the information.
The browser will show the system information.
The page displays general system information including MCSV, software version, chipset, firmware version, Host Name, System Time and System Up Time.
MCSV: for internal identification purposes.
Software Version: the modem's firmware version; technicians sometimes need it to troubleshoot problems.
Chipset: the SHDSL.bis chipset model name.
Firmware Version: the chipset's firmware version.
Host Name: the system name you entered in BASIC Setup, for identification purposes.
System Time: the modem's present date and time.
System Up Time: the total time the modem has been on.

6.5.2 Config Tool

This configuration tool has three functions: load Factory Default, Restore Configuration, and Backup Configuration.
Press CONFIG TOOL.
Choose the function and then press Finish.
6.5.2.1 Load Factory Default
Load Factory Default: It will load the factory default parameters to the router.
Note: This action will change all of the settings to factory default value. On the other hand, you will lose all the existing configured parameters.
6.5.2.2 Restore Configuration
Occasionally the configuration may become corrupted; this function lets you recover it from a backup easily.
Select Restore Configuration and click Finish. Browse to the backup file, or type its path and name, then press OK. The router will automatically restore the saved configuration.
6.5.2.3 Backup Configuration
After configuration, use this function to back up your router parameters to the PC. Select Backup Configuration and then press Finish. Browse to the place for the backup file or type a name, then press OK. The router will automatically back up the configuration. If you do not give a file name, the system uses the default: config1.log. The backup file holds the router's configuration, so protect it as you would the administrator password.

6.5.3 Upgrade

You can upgrade the gateway's firmware using the upgrade function. Press Upgrade in UTILITY.
Select the firmware file on your PC or notebook by clicking Browse, then press OK to upgrade. Use only firmware images obtained from PLANET for this model, and do not power off the router while the upgrade is running. The system reboots automatically after the firmware upgrade finishes.

6.5.4 Logout

To log out of the router and close the window, click LOGOUT in UTILITY.
When you click the Yes button, the router logs you out and the browser window is closed.

6.5.5 Restart

For restarting the router, click the RESTART in UTILITY.
Press Restart to reboot the router. When the Restart button is clicked, the router restarts and the browser session is disconnected. This may appear as if your browser session has hung. After the router restarts, you may either click the browser's reload button or close the browser and re-open it later.

6.6 Example

6.6.1 LAN-to-LAN connection with bridge Mode

Example topology (from the diagram):
STU-C (CO): Bridge mode, IP 192.168.0.1, Netmask 255.255.255.0
PC on the CO side: IP 192.168.0.100, Netmask 255.255.255.0, Gateway 192.168.0.1
SHDSL.bis link: VPI 0, VCI 32, Encapsulation LLC
STU-R (CPE): Bridge mode, IP 192.168.0.2, Netmask 255.255.255.0
PC on the CPE side: IP 192.168.0.200, Netmask 255.255.255.0, Gateway 192.168.0.2
6.6.1.1 CO side
Click Bridge and CO Side to set up bridging mode of the router and then click Next.
Enter LAN Parameters:
IP: 192.168.0.1
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.1
Host Name: SOHO