PLANET Technology does not warrant that the hardware will work properly in all environments and
applications, and makes no warranty and representation, either implied or expressed, with respect to the
quality, performance, merchantability, or fitness for a particular purpose.
PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability
for any inaccuracies or omissions that may have occurred.
Information in this User’s Manual is subject to change without notice and does not represent a commitment
on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in
this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s
Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described
in this User’s Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your
comments and suggestions.
Trademarks
The PLANET logo is a trademark of PLANET Technology.
This documentation may refer to numerous hardware and software products by their trade names. In most, if
not all cases, these designations are claimed as trademarks or registered trademarks by their respective
companies.
CE mark Warning
This is a class B device, in a domestic environment; this product may cause radio interference, in which case
the user may be required to take adequate measures.
Federal Communication Commission Interference Statement
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a residential installation. This equipment generates, uses, and can radiate radio frequency
energy and, if not installed and used in accordance with the instructions, may cause harmful interference to
radio communications. However, there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or television reception, which can
be determined by turning the equipment off and on, the user is encouraged to try to correct the interference
by one or more of the following measures:
1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio technician for help.
To assure continued compliance, use only shielded interface cables when connecting to computer or
peripheral devices. Any changes or modifications not expressly approved by the party responsible for
compliance could void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1)
this device may not cause harmful interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
R&TTE Compliance Statement
This equipment complies with all the requirements of DIRECTIVE 1999/5/EC OF THE EUROPEAN
PARLIAMENT AND THE COUNCIL OF 9 March 1999 on radio equipment and telecommunications
terminal equipment and the mutual recognition of their conformity (R&TTE).
The R&TTE Directive repeals and replaces Directive 98/13/EEC (Telecommunications Terminal
Equipment and Satellite Earth Station Equipment) as of April 8, 2000.
WEEE Caution
To avoid the potential effects on the environment and human health of the hazardous substances
present in electrical and electronic equipment, end users of electrical and electronic equipment should
understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted
municipal waste; WEEE must be collected separately.
Safety
This equipment is designed with the utmost care for the safety of those who install and use it. However,
special attention must be paid to the dangers of electric shock and static electricity when working with
electrical equipment. All guidelines of this manual and of the computer manufacturer must therefore be
followed at all times to ensure the safe use of the equipment.
Customer Service
For information on customer service and support for the Multi-Homing Security Gateway, please refer to the
following Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
♦ The GRT-504 serial number and MAC address
♦ Any error messages that displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
Revision
User’s Manual for PLANET 4-Wire G.SHDSL.bis Firewall Router
Model: GRT-504
Rev: 1.0 (Sep. 2008)
Port No. EM-GRT504v1
The GRT-504, the newest member of Planet's SHDSL family, is a G.SHDSL.bis router that complies with
the ITU-T G.991.2 standard and provides an affordable, flexible and efficient Internet access solution for
SOHO and small and medium business environments. The GRT-504 supports business-class symmetric
data rates, multi-range from 384 Kbps to 11.4 Mbps (4-wire), and can also be used as a LAN-to-LAN
network connection at distances up to 6.7 km (4.2 miles) over existing telephone copper wires.
The Planet GRT-504 integrates high-end bridging/routing capabilities with advanced Firewall, QoS, DMZ,
Virtual Server and VPN pass-through functions. As network environments grow rapidly, Virtual LAN has
become an increasingly important feature in the internetworking industry; the GRT-504 supports IEEE
802.1Q and port-based VLAN over ATM networks.
With built-in Simple Network Management Protocol (SNMP) and web-based management, the GRT-504
offers an easy-to-use, platform-independent management and configuration facility. The GRT-504 also
provides a Command-Line Interface, which can be accessed via Telnet and the console port, so the
network administrator can manage the device in whichever way suits the situation.
1.1 Features
♦ High Speed Symmetric Data Transmission: The GRT-504 supports the latest G.SHDSL.bis
technology, providing a higher symmetric data rate of up to 11.4 Mbps on 4 wires.
♦ CO and CPE Side Support: Provides back-to-back connection.
♦ Firewall: It supports a natural NAT firewall and Advanced Stateful Packet Inspection (SPI)
firewall functions.
♦ QoS (Quality of Service): The GRT-504 supports ATM QoS and IP QoS. ATM QoS includes
UBR (Unspecified bit rate), CBR (Constant bit rate), VBR-rt (Variable bit rate real-time), and
VBR-nrt (Variable bit rate non-real-time). Traffic classification can also be based on IP, IP
range, port, protocol, and precedence.
♦ VLAN Support: It supports IEEE 802.1Q tagged and port-based VLAN. This offers significant
benefits in terms of efficient use of bandwidth, flexibility, performance, and security.
♦ Bridge and Router Modes: The GRT-504 supports two connection modes. It comes
pre-configured in routing mode. Note that routing mode and bridging mode cannot be used
simultaneously.
♦ Virtual Server: This feature allows Internet users to access Internet servers on your LAN. The
required setup is quick and easy.
♦ VPN Pass-through Support: PCs with VPN (Virtual Private Networking) software using PPTP,
L2TP, and IPSec are transparently supported; no configuration is required.
♦ DMZ Support: The GRT-504 can translate a public IP address to a private IP address to allow
unrestricted 2-way communication with servers or individual users on the Internet. This
provides the most flexibility to run programs that could be incompatible with a NAT
environment.
♦ RIPv1/v2 Routing: It supports the RIPv1/v2 routing protocol.
Product: 4-Wire G.SHDSL.bis Firewall Router
Model: GRT-504
Hardware
  Standard
    Compliant with ITU-T G.991.2 Standard Annex A/B
    Compliant with G.SHDSL.bis Annex A/B/F/G
    TC-PAM Line Code
    Symmetric data transmission speed up to 11.4 Mbps on 4-wire
    Multi-range from 384 Kbps to 11.4 Mbps
  Protocol
    RFC 1577 - Classical IP over ATM
    RFC 2364 - PPP over ATM
    RFC 1483/2684 - Ethernet over ATM
    RFC 2516 - PPP over Ethernet (fixed and dynamic IP)
    RFC 2364 - PPP over ATM (fixed and dynamic IP)
    ATM Forum UNI 3.1/4.0 PVC
    Support OAM F4 / F5 AIS/RDI and loopback
    VC multiplexing and SNAP/LLC
    Integrated ATM QoS support (UBR, CBR, VBR-rt, and VBR-nrt)
  AAL and ATM Support: Support up to 8 PVCs
  LAN Port: 4 x 10Base-T/100Base-TX (Auto-Negotiation, Auto MDI/MDI-X)
  Console: 1 x RS-232 (DB9)
  Button: 1 x Reset Button
  LED Indicators: PWR, WAN LNK/ACT, LAN 1/2/3/4, ALM
Software
  Maximum Concurrent Sessions: 1024
  Protocol and Advanced Functions
    IEEE 802.1D transparent learning bridge
    IEEE 802.1Q VLAN
    Support IP/TCP/UDP/ARP/ICMP/IGMP protocols
    IP routing with static routing and RIPv1/RIPv2
    IP multicast and IGMP proxy
    Network address translation (NAT/PAT)
    DMZ host/Multi-DMZ/Multi-NAT function
    Virtual Server (RFC1631)
    DNS relay and caching
    DHCP server, client and relay
    IP QoS
  Security
    Built-in NAT and SPI Firewall
    PPP over PAP (RFC1334)
    PPP over CHAP (RFC1994)
    Password protection for system management
  VPN: VPN (PPTP/L2TP/IPSec) pass-through
  Management
    Web-based configuration
    Command-line Interpreter (CLI) via Console
    Command-line Interpreter (CLI) via Telnet
    Software upgrade via web-browser/TFTP server
    SNMPv1 and v2
Environment Specification
  Dimension (W x D x H): 145 x 188 x 33 mm
  Power: 9V DC, 1A
  Temperature:
  Humidity:
  Emission: FCC, CE
The following items should be included. If any of these items are damaged or missing, please
contact your dealer immediately.
4-Wire G.SHDSL.bis Firewall Router x 1
Power Adapter x 1
Quick Installation Guide x 1
User’s manual CD x 1
Console Cable x 1
RJ-45 to RJ-11 Cable x 1
The rear panel of the SHDSL.bis router is where all of the connections are made.
Port: Description
DC-IN: Power connector, 9V DC 1.0A
LAN (1 / 2 / 3 / 4): Ethernet 10/100Base-TX LAN ports (RJ-45)
CONSOLE: RS-232C (DB9) for system configuration and maintenance
LINE: G.SHDSL.bis interface (WAN port)
RST: Reset button; the router restores the default settings when this button is held down until the
router reboots.
Note: The reset button can be used in one of two ways.
(1) Pressing the Reset Button for one second causes a system reboot.
(2) Pressing the Reset Button for four seconds causes the product to load the factory default
settings, losing all of your configuration. When you want to change its configuration but have
forgotten the user name or password, or if the product is having problems connecting to the
Internet and you want to configure it again from scratch, press the Reset Button for four seconds
with a paper clip or sharp pencil.
A firewall protects networked computers from intentional hostile intrusion that could compromise
confidentiality or result in data corruption or denial of service. It must have at least two network
interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A
firewall sits at the junction point or gateway between the two networks, usually a private network
and a public network such as the Internet.
A firewall examines all traffic routed between the networks. Traffic is routed between the networks
if it meets certain criteria; otherwise, it is filtered. A firewall filters both inbound and outbound
traffic. Besides managing public access to private networked resources such as host applications,
the firewall is capable of logging all attempts to enter the private network and triggering alarms
when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source
and destination IP addresses. This is known as address filtering. Firewalls can also filter specific
types of network traffic by port number, which is also known as protocol filtering because the
forwarding decision depends on the protocol used, for example HTTP, FTP or Telnet. Firewalls can
also filter traffic by packet attribute or state.
An Internet firewall cannot prevent damage caused by individual users who dial into or out of the
network with their own router, bypassing the firewall altogether. The misconduct or carelessness of
employees is not within the control of firewalls either. Authentication policies, which govern the use
and misuse of passwords and user accounts, must be strictly enforced. These management issues
need to be settled when planning the security policy; they cannot be solved with Internet firewalls
alone.
In packet filtering, the firewall examines the protocol and address information in the header of
each packet and ignores its contents and context (its relation to other packets and to the intended
application). The firewall pays no attention to applications on the host or local network and
"knows" nothing about the sources of incoming data. Filtering consists of examining incoming and
outgoing packets and deciding whether to drop each packet according to a set of configurable rules.
Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but
can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based
filtering.
Figure: packet filtering looks at Level 3 (IP) and Level 4 (TCP), not at Level 5 (Application); the
fields checked are protocol, source/destination address, source/destination port, IP options and
connection status.
Also called a "Circuit Level Gateway," this firewall approach validates connections before allowing
data to be exchanged. This means that the firewall does not simply allow or disallow packets; it also
determines whether the connection between both ends is valid according to configurable rules, then
opens a session and permits traffic only from the allowed source, and possibly only for a limited
period of time.
Figure: circuit level gateway. The gateway works at Level 4 (TCP), above Level 3 (IP) and Level 2
(Data Link) and below Level 5 (Application), and validates a connection on destination IP address
and/or port, source IP address and/or port, time of day, protocol, user and password.
The Application Level Gateway acts as a proxy for applications, performing all data exchanges
with the remote system on their behalf. This can render a computer behind the firewall invisible to
the remote system. It can allow or disallow traffic according to very specific rules, for instance
permitting some commands to a server but not others, limiting file access to certain types, varying
rules according to authenticated users and so forth. This type of firewall may also perform very
detailed logging of traffic and monitoring of events on the host system; furthermore, it can often be
instructed to sound alarms or notify an operator under defined conditions. Application-level
gateways are generally regarded as the most secure type of firewall. They certainly have the most
sophisticated capabilities.
Figure: application level gateway. The proxy server spans all five levels (Physical, Data Link, IP,
TCP, Application). A page request from the internal host PC enters on the internal interface, is
handled by the proxy application for the protocol in use (Telnet, FTP, HTTP, SMTP), which checks
the URL and filters content, and leaves through the external interface to the public server; the
returned page follows the same path back.
3.3 Denial of Service Attack
Typically, Denial of Service (DoS) attacks come in two flavors: resource starvation and system
overloading. DoS conditions usually arise when legitimate demand for a resource is greater than
the supply (e.g. too many web requests to an already overloaded web server). Software
weaknesses or incorrect system configurations also induce DoS situations. The difference between a
malicious denial of service and a simple system overload is the presence of an individual with
malicious intent (the attacker) using or attempting to use resources specifically to deny those
resources to other users.
Ping of death - On the Internet, ping of death is a kind of denial of service (DoS) attack caused by
deliberately sending an IP packet whose size is larger than the 65,536 bytes allowed by the IP
protocol. One of the features of TCP/IP is fragmentation, which allows a single IP packet to be
broken down into smaller segments. Attackers began to take advantage of that feature when they
found that the fragments could add up to more than the allowed 65,536 bytes. Many operating
systems don’t know what to do when they receive such an oversized packet, and they freeze, crash,
or reboot. Other known variants of the ping of death include teardrop, bonk and nestea.
Figure: ping of death. The attacker's system sends a Ping of Death packet (112,000 bytes) to the
target system, whereas a normal IP packet is at most 65,536 bytes.
Figure: teardrop. Normally reassembled packets occupy bytes 1~1500, 1501~3000 and 3000~4500;
reassembled teardrop packets occupy overlapping ranges, bytes 1~1700, 1300~3200 and 2800~4800.
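The oversized-datagram and overlapping-fragment conditions described above, worked through as an added Python example (not code from the GRT-504 or its manual): a check over the fragment byte ranges of one IP datagram that flags the ping-of-death and teardrop patterns. The sample ranges are constructed from the figure; the third normal fragment is taken as 3001~4500 so the ranges are contiguous.

```python
"""Fragment sanity checks for the two DoS patterns in the figure above.
Added example, not GRT-504 firmware."""

# Largest value the IPv4 total-length field can hold (the manual quotes 65,536).
MAX_IP_TOTAL_LENGTH = 65535

# Constructed from the manual's figure (third normal fragment adjusted to 3001).
NORMAL_FRAGMENTS = [(1, 1500), (1501, 3000), (3001, 4500)]
TEARDROP_FRAGMENTS = [(1, 1700), (1300, 3200), (2800, 4800)]


def ip_fragment_range(frag_offset, payload_len):
    """Map IPv4 header fields (fragment offset in 8-byte units, payload length
    in bytes) to the 1-based inclusive byte range used by check_fragments,
    matching the figure's '1~1500' notation."""
    first = frag_offset * 8 + 1
    return (first, first + payload_len - 1)


def check_fragments(fragments, max_total=MAX_IP_TOTAL_LENGTH):
    """fragments: (first_byte, last_byte) ranges of one datagram, any order.
    Returns ('accept', reason) or ('drop', reason)."""
    if not fragments:
        return ("drop", "no fragments")
    ordered = sorted(fragments)
    for first, last in ordered:
        if first < 1 or last < first:
            return ("drop", f"fragment {first}~{last} is malformed")
    # Ping of death: the reassembled datagram would exceed what IP can express.
    end = max(last for _, last in ordered)
    if end > max_total:
        return ("drop", f"reassembled datagram would be {end} bytes, "
                        f"more than {max_total} (ping of death)")
    # Teardrop: a fragment starts inside data already covered by an earlier one.
    prev_last = 0
    for first, last in ordered:
        if first <= prev_last:
            return ("drop", f"fragment {first}~{last} overlaps data up to "
                            f"byte {prev_last} (teardrop)")
        prev_last = last
    return ("accept", f"{len(ordered)} fragments, {end} bytes, no overlap")


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_FRAGMENTS), ("teardrop", TEARDROP_FRAGMENTS),
                        ("ping of death", [ip_fragment_range(8190, 1480)])):
        print(name, check_fragments(frags))
```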
SYN Flood - The attacker sends TCP SYN packets, which start connections, very fast, leaving the
victim waiting to complete a huge number of connections, causing it to run out of resources and
drop legitimate connections. A newer defense against this is "SYN cookies". Each side of a
connection has its own sequence number. In response to a SYN, the attacked machine creates a
special sequence number that is a "cookie" of the connection and then forgets everything it knows
about the connection. It can then recreate the forgotten information about the connection when
the next packets come in from a legitimate connection.
ICMP Flood - The attacker transmits a volume of ICMP request packets to cause all CPU
resources to be consumed serving the phony requests.
UDP Flood - The attacker transmits a volume of requests for UDP diagnostic services, which
cause all CPU resources to be consumed serving the phony requests.
Land attack - The attacker attempts to slow your network down by sending a packet with identical
source and destination addresses, appearing to originate from your network.
IP Spoofing - IP spoofing is a method of masking the identity of an intrusion by making it appear
that the traffic came from a different computer. This is used by intruders to keep their anonymity
and can be used in a Denial of Service attack.
Smurf attack - The source address of the intended victim is forged in a broadcast ping so that a
huge number of ICMP echo replies go back to the victim indicated by that address, overloading it.
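The SYN cookie mechanism described above, as an added Python example (not the GRT-504 implementation): the server encodes a time slot, an MSS index and a keyed hash of the connection 4-tuple into the sequence number it sends in the SYN/ACK, stores nothing, and reconstructs the connection only when a valid ACK arrives. The secret, the MSS table and the 5/3/24-bit layout are constructed choices.

```python
"""SYN cookie generation and validation. Added example, not GRT-504 firmware."""
import hashlib
import hmac

# Constructed values: a real implementation keeps the secret private and rotates it.
SECRET = b"constructed-example-secret"
MSS_TABLE = [536, 1220, 1460]   # MSS values encodable in the 3-bit index field


def _mac(src, dst, sport, dport, t_slot, secret):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t_slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, mss, now, secret=SECRET):
    """Initial sequence number for the SYN/ACK. Layout, high bits first:
    5-bit time slot (64-second granularity), 3-bit MSS index, 24-bit MAC.
    After sending it the server keeps no state for the half-open connection."""
    t_slot = (int(now) >> 6) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the peer's MSS
        if m <= mss:
            idx = i
    return (t_slot << 27) | (idx << 24) | _mac(src, dst, sport, dport, t_slot, secret)


def check_syn_cookie(ack, src, dst, sport, dport, now, secret=SECRET, max_age_slots=1):
    """Validate the final ACK of the handshake. The client acknowledges ISN+1,
    so the cookie is ack-1. Returns the MSS to use, or None if the cookie is
    stale, forged, or belongs to a different 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (((int(now) >> 6) & 0x1F) - t_slot) & 0x1F   # slot counter wraps every 32 slots
    if age > max_age_slots or idx >= len(MSS_TABLE):
        return None
    expected = _mac(src, dst, sport, dport, t_slot, secret)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]
```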
Figure: smurf attack. A broadcast ping request with a spoofed source IP address is sent from the
attacker's system across the Internet to the target router; the hosts on the multiple subnets behind
it return their ping responses to the spoofed address.
Fraggle Attack - A perpetrator sends a large amount of UDP echo packets to IP broadcast
addresses, all of them with a forged source address.
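The address, port and rate checks a packet filter can apply against the attacks listed above (land, IP spoofing, smurf, fraggle and ICMP/UDP floods), as an added Python example that is not the GRT-504 firmware. Packet records, the LAN prefix and the flood threshold are constructed; the anti-spoofing rule (a WAN packet must not claim a LAN source, a LAN packet must carry one) is the standard ingress/egress filter assumed here.

```python
"""Stateless attack-pattern checks over constructed packet records.
Added example, not GRT-504 firmware."""
from collections import defaultdict, deque
import ipaddress

ICMP_ECHO_REQUEST = 8   # ICMP type of a ping request
UDP_ECHO_PORT = 7       # UDP echo service abused by fraggle


class AttackDetector:
    def __init__(self, lan_network, flood_threshold=50, window=1.0):
        self.lan = ipaddress.ip_network(lan_network)
        self.threshold = flood_threshold      # packets per window before "flood"
        self.window = window                  # seconds
        self.seen = defaultdict(deque)        # (proto, dst) -> recent timestamps

    def _is_broadcast(self, dst):
        return dst == self.lan.broadcast_address or dst == ipaddress.ip_address("255.255.255.255")

    def classify(self, pkt, inbound):
        """pkt: dict with src, dst, proto ('tcp'|'udp'|'icmp'), ts (seconds) and
        optionally dport / icmp_type. inbound=True means the packet arrived on the
        LINE (WAN) side. Returns the matched attack labels, [] for a clean packet."""
        labels = []
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if src == dst:                                   # land attack
            labels.append("land")
        # anti-spoofing: WAN packets must not claim a LAN source, LAN packets must carry one
        if (inbound and src in self.lan) or (not inbound and src not in self.lan):
            labels.append("ip-spoofing")
        if self._is_broadcast(dst):
            if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
                labels.append("smurf")
            if pkt["proto"] == "udp" and pkt.get("dport") == UDP_ECHO_PORT:
                labels.append("fraggle")
        if pkt["proto"] in ("icmp", "udp"):              # rate check per destination
            recent = self.seen[(pkt["proto"], pkt["dst"])]
            recent.append(pkt["ts"])
            while recent and pkt["ts"] - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.threshold:
                labels.append(f"{pkt['proto']}-flood")
        return labels
```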
Virtual Local Area Network (VLAN) is defined as a group of devices on one or more LANs that are
configured so that they can communicate as if they were attached to the same wire, when in fact
they are located on a number of different LAN segments. Because VLAN is based on logical
instead of physical connections, it is extremely flexible.
The IEEE 802.1Q defines the operation of VLAN bridges that permit the definition, operation, and
administration of VLAN topologies within a bridged LAN infrastructure. VLAN architecture benefits
include:
1. Increased performance
2. Improved manageability
3. Network tuning and simplification of software configurations
4. Physical topology independence
5. Increased security options
As DSL (over ATM) links are deployed more and more extensively, implementing VLAN
(VLAN-to-PVC) over DSL links is increasingly common and hence may become a requirement of
ISPs.
We discuss the implementation of VLAN-to-PVC only for bridge mode operation, i.e., the VLAN
spans both the CO and CPE sides and no layer 3 routing is involved.
4.1 Specification
1. The unit supports up to 8 active VLANs with shared VLAN learning (SVL) bridge out of 4096
possible VLANs specified in IEEE 802.1Q.
2. Each port always belongs to a default VLAN with its port VID (PVID) as an untagged member.
Also, a port can belong to multiple VLANs and be tagged members of these VLANs.
3. A port must not be a tagged member of its default VLAN.
4. If a non-tagged or null-VID tagged packet is received, it will be assigned with the default PVID
of the ingress port.
5. If the packet is tagged with non-null VID, the VID in the tag will be used.
6. The lookup process starts with a VLAN lookup to determine whether the VID is valid. If the VID
is not valid, the packet will be dropped and its address will not be learned. If the VID is valid,
the VID, destination address, and source address lookups are performed.
7. The VID and destination address lookup determines the forwarding ports. If it fails, the packet
will be broadcast to all members of the VLAN, except the ingress port.
8. Frames are sent out tagged or untagged depending on whether the egress port is a tagged or
untagged member of the VLAN the frames belong to.
9. If the VID and source address lookup fails, the source address will be learned.
4.2 Frame Specification
An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to
which it belongs. Such frames are classified as belonging to a particular VLAN based on
parameters associated with the receiving port. Also, priority tagged frames, which, by definition,
carry no VLAN identification information, are treated the same as untagged frames.
A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it
carries a tag header that carries a non-null VID. This results in a minimum tagged frame length of
68 octets. Such a frame is classified as belonging to a particular VLAN based on the value of the
VID that is included in the tag header. The presence of the tag header carrying a non-null VID
means that some other device, either the originator of the frame or a VLAN-aware bridge, has
mapped this frame into a VLAN and has inserted the appropriate VID.
The following figure shows the difference between an untagged frame and a VLAN-tagged frame,
where the Tag Protocol Identifier (TPID) is 0x8100 and identifies the frame as a tagged frame.
The Tag Control Information (TCI) consists of the following elements: 1) User priority allows the
tagged frame to carry user priority information across bridged LANs in which individual LAN
segments may be unable to signal priority information (e.g., 802.3/Ethernet segments). 2) The
Canonical Format Indicator (CFI) is used to signal the presence or absence of a Routing
Information Field (RIF) field, and, in combination with the Non-canonical Format Indicator (NCFI)
carried in the RIF, to signal the bit order of address information carried in the encapsulated frame.
3) The VID uniquely identifies the VLAN to which the frame belongs.
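The ingress and egress rules of section 4.1 and the tag format of section 4.2, worked through as an added Python example (not the GRT-504 firmware): an 802.1Q frame parser and a small shared-learning bridge that classifies frames by PVID or VID, drops unknown VIDs without learning, floods on a destination miss, and tags or strips on egress. Port numbers, VLAN membership and MAC addresses are constructed; discarding a frame whose learned destination sits behind the ingress port is standard bridge behaviour assumed here, not stated in the manual.

```python
"""802.1Q tag handling and the section 4.1 forwarding rules. Added example."""
import struct

TPID = 0x8100  # Tag Protocol Identifier marking an 802.1Q tagged frame


def parse_frame(frame):
    """Split an Ethernet frame into its fields. 'vid' is None for an untagged
    frame and 0 for a priority-tagged frame (null VID), as in section 4.2."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID:
        return {"dst": dst, "src": src, "vid": None, "prio": 0, "cfi": 0,
                "etype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the tag header")
    tci, inner = struct.unpack("!HH", frame[14:18])   # TCI = 3-bit priority, CFI, 12-bit VID
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "prio": tci >> 13,
            "cfi": (tci >> 12) & 1, "etype": inner, "payload": frame[18:]}


def build_frame(dst, src, etype, payload, vid=None, prio=0, cfi=0):
    """Assemble a frame; vid=None gives an untagged frame, vid=0 a priority-tagged one."""
    if vid is None:
        return dst + src + struct.pack("!H", etype) + payload
    tci = (prio << 13) | (cfi << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID, tci, etype) + payload


class VlanBridge:
    """Bridge-mode VLAN forwarding following the nine rules of section 4.1.
    pvid: {port: PVID}; members: {vid: set of member ports};
    tagged: {vid: set of ports that are tagged members of that VLAN}."""

    def __init__(self, pvid, members, tagged):
        self.pvid, self.members, self.tagged = pvid, members, tagged
        self.fdb = {}   # shared VLAN learning: one MAC -> port table for all VLANs
        for port, vid in pvid.items():   # rule 3: never a tagged member of its own PVID
            if port in tagged.get(vid, set()):
                raise ValueError(f"port {port} is a tagged member of its default VLAN {vid}")

    def forward(self, in_port, frame):
        """Return [(egress_port, frame_as_sent)], empty when the frame is dropped."""
        f = parse_frame(frame)
        # rules 4 and 5: untagged or null-VID frames take the ingress port's PVID
        vid = f["vid"] if f["vid"] else self.pvid[in_port]
        if vid not in self.members:        # rule 6: unknown VLAN -> drop, no learning
            return []
        if f["src"] not in self.fdb:       # rule 9: learn an unknown source address
            self.fdb[f["src"]] = in_port
        out = self.fdb.get(f["dst"])       # rule 7: destination lookup
        if out is None or out not in self.members[vid]:
            outs = [p for p in self.members[vid] if p != in_port]   # flood the VLAN
        elif out == in_port:
            return []   # destination is behind the ingress port (assumed bridge filtering)
        else:
            outs = [out]
        result = []
        for p in sorted(outs):
            egress_vid = vid if p in self.tagged.get(vid, set()) else None   # rule 8
            result.append((p, build_frame(f["dst"], f["src"], f["etype"], f["payload"],
                                          egress_vid, f["prio"], f["cfi"])))
        return result
```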
This guide is designed to take users through configuring the G.shdsl.bis Router via Web
Configuration or the serial console in the easiest and quickest way possible. Please follow the
instructions carefully.
Note: There are three methods to configure the router: serial console, Telnet and Web Browser.
Only one configuration application is used to set up the Router at any given time. Users have
to choose one method to configure it.
For Web configuration, you can skip item 3.
For Serial Console Configuration, you can skip items 1 and 2.
5.1 Check List
(1) Check the Ethernet Adapter in the PC or NB
Make sure that an Ethernet Adapter has been installed in the PC or NB used for configuring the
router. The TCP/IP protocol is necessary for web configuration, so please check whether the TCP/IP
protocol has been installed.
(2) Check the Web Browser in the PC or NB
For Web Configuration, the PC or NB needs a Web Browser, IE or Netscape, installed.
Note: IE 5.0 or Netscape 6.0 or above and a resolution of 800x600 or above are suggested.
(3) Check the Terminal Access Program
For Serial Console and Telnet Configuration, users need to set up the terminal access program
with VT100 terminal emulation.
(4) Determine the Connection Setting
Users need to know the Internet protocol supplied by their Service Provider and determine the
mode of setting.
Protocol Selection
RFC1483: Ethernet over ATM
RFC1577: Classical Internet Protocol over ATM
RFC2364: Point-to-Point Protocol over ATM
RFC2516: Point-to-Point Protocol over Ethernet
Different protocols require different WAN parameters. After finding out which protocol your ISP
provides, ask the ISP for the WAN parameters needed to set it up.
To avoid possible damage to this Router, do not turn on the router before Hardware Installation.
♦ Connect the power adapter to the port labeled DC-IN on the rear panel of the product.
♦ Connect the Ethernet cable.
Note: This router supports auto-MDIX switching, so both straight-through and cross-over
Ethernet cables can be used.
♦ Connect the phone cable to the router and the other end of the phone cable to the wall jack.
♦ Connect the power adapter to the power source inlet.
♦ Turn on the PC or NB that is used for configuring the Router.
The window will ask you to restart the PC. Click the Yes button.
After rebooting your PC, open the IE or Netscape browser to connect to the Router. Type
http://192.168.0.1
The default IP address and subnet mask of the Router are 192.168.0.1 and 255.255.255.0.
Because the router acts as the DHCP server in your network, it will automatically assign an IP
address to the PC or NB in the network.
Type the User Name root and Password root and then click OK.
The default user name and password are both root. For system security, change them after
configuration.
Note: After changing the User Name and Password, we strongly recommend that you record them,
because the next time you log in you have to use the new User Name and Password.
The Basic Setup contains the Bridge and Route operation modes. Users can use it to completely set
up the router. After successfully completing it, you can access the Internet or use the router as a
LAN extension. This is the easiest possible way to set up the router.
Note: The advanced functions are only for advanced users. Incorrect settings of the advanced
functions will affect performance or cause system errors, even disconnection.
Click Bridge and CPE Side to set up Bridging mode and then click Next for the next setting.
This router can be set up in one of two SHDSL.bis working modes: CO (Central Office) and CPE
(Customer Premises Equipment). For connection with a DSLAM, the SHDSL.bis router working
mode is CPE. For a "LAN to LAN" connection, one side must be CO and the other side must be
CPE.
Set up (a) LAN IP address, Subnet Mask, Gateway and Host Name
(b) WAN1 VPI, VCI and Encapsulation
LAN:
IP: 192.168.0.1
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.254 (The Gateway IP is provided by the ISP)
Host Name: SOHO
Some ISPs require the Host Name as identification. You may check with your ISP to see whether
your Internet service has been configured with a host name. In most cases, this field can be ignored.
WAN1:
VPI: 0
VCI: 32
Encap: Click LLC and then click Next to review
Review
The screen will display the newly configured parameters. Check the parameters and click Restart
to reboot the router with the new settings, or Continue to configure other parameters.
Routing mode supports DHCP server, DHCP client and DHCP relay, Point-to-Point Protocol over
ATM and over Ethernet, IP over ATM and Ethernet over ATM. You have to find out which Internet
protocol is provided by your ISP.
Set up the LAN IP address, Subnet Mask, Gateway, Host Name and Trigger DHCP Service with
the fixed IP type.
IP type: Fixed
IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
Host Name: SOHO
Some ISPs require the host name as identification. You may check with your ISP to see whether
your Internet service has been configured with a host name. In most cases, this field can be ignored.
Trigger DHCP Service: Server
The default setting is DHCP server enabled. If you want to turn off the DHCP service, choose
Disable.
If the DHCP service is set to Relay, the router acts as a surrogate DHCP server and relays requests
and responses between the remote server and the clients.
DHCP Server
Dynamic Host Configuration Protocol (DHCP) is a communication protocol that lets network
administrators centrally manage and automate the assignment of Internet Protocol (IP) addresses
in an organization's network. Using the Internet Protocol, each machine that can connect to the
Internet needs a unique IP address. When an organization sets up its computer users with a
connection to the Internet, an IP address must be assigned to each machine.
Without DHCP, the IP address must be entered manually at each computer. If computers move to
another location in another part of the network, a new IP address must be entered. DHCP lets a
network administrator supervise and distribute IP addresses from a central point and
automatically sends a new IP address when a computer is plugged into a different place in the
network.
If the DHCP server is set to "Enable", you have to set up the following parameters for the router to
act as a DHCP server.
The embedded DHCP server assigns network configuration information to at most 253 users
accessing the Internet at the same time.
Set up the DHCP Server parameters and the fixed DHCP host table.
Start IP Address: This field specifies the first of the contiguous addresses in the IP address pool.
End IP Address: This field specifies the last of the contiguous addresses in the IP address pool.
For example: If the LAN IP address is 192.168.0.1, the IP range of the LAN is 192.168.0.2 to
192.168.0.51. The DHCP server assigns IPs from the Start IP Address to the End IP Address. The
legal range of the last octet is 0 to 255, but 0 is reserved as the network address and 255 is reserved
for broadcast. This implies that the legal range is from 1 to 254, so you cannot assign an IP greater
than 254 or less than 1. A lease time of 72 hours indicates that the DHCP server will reassign IP
information every 72 hours.
DNS Server1, DNS Server2, and DNS Server3: Your ISP will provide at least one Domain Name
Service server IP. You can type the router IP in this field; the router will then act as a DNS relay.
Up to three DNS servers can be used.
You may assign a fixed IP address to some device while using DHCP; to do so, put this device’s
MAC address in the Table of Fixed DHCP Host Entries. Ten fixed IP address entries are available.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is
assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:30:4F:0A:02:4F
Press Next to set up the WAN1 parameters.
Some ISPs provide a DHCP server service by which the PC in the LAN can obtain IP information
automatically. To set up DHCP client mode, follow the procedure.
Set up the IP address, Subnet Mask and Host Name with DHCP Client mode
LAN IP Type: Dynamic (DHCP Client)
Click Next to set up the WAN1 parameters.
DHCP relay
If you have a DHCP server in the LAN and you want to use it for DHCP services, the product
provides a DHCP relay function to meet your needs.
IP Type: Fixed
IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
Host Name: SOHO
Some ISPs require the host name as identification. You may check with your ISP to see whether
your Internet service has been configured with a host name. In most cases, this field can be ignored.
Trigger DHCP Service: Relay
Set up the DHCP Server
Press Next to set up the Remote DHCP server parameter.
When using the DHCP relay service, the remote DHCP server IP address must be set up.
Enter the DHCP server IP address in the IP address field.
Press Next
Protocol: PPPoA + NAT or PPPoE + NAT
Click Next to setup User name and password.
For more understanding about NAT, review NAT/DMZ chapter.
If the protocol is PPPoA+NAT or PPPoE+NAT, you must set up the ISP’s parameters as
follows:
Type the ISP1 parameters.
Username: test
Password: test
Password Confirm: test
Your ISP will provide the user name and password.
Idle Time: 10
If you want your Internet connection to remain on at all times, enter “0” in the Idle Time field.
IP Type: Dynamic.
The default IP type is Dynamic. It means that the ISP’s PPP server will provide IP information, including
a dynamic IP address, when the SHDSL.bis connection is established. In that case you do not
need to type the IP address of WAN1. Some ISPs provide a fixed IP address over PPP. For a
fixed IP address:
IP Type: Fixed
IP Address: 192.168.1.1
Click Next.
Note: For safety, the password will be shown as star symbols.
Username : Enter the user name exactly as your ISP assigned.
Password: Enter the password associated with the user name above.
Password confirm: Enter the password again for confirmation.
Idle Time: If you don’t want the connection up all the time, specify an idle time in this field.
IP type: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed;
the ISP assigns you a different one each time you connect to the Internet.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters
before writing in NVRAM.
Press Restart to restart the router working with the new parameters, or press Continue to set
another parameter.
Set up : WAN1 VPI, VCI, Encap. and Protocol
WAN:
VPI: 0
VCI: 33
AAL5 Encap: LLC
Protocol: IPoA, EoA, IPoA + NAT or EoA + NAT
Click Next to set up the IP parameters.
For more understanding about NAT, review NAT/DMZ chapter.
Set up the WAN1 IP address, Subnet Mask, gateway and DNS Server
IP Address: 10.1.2.1
This is the router IP address as seen from the Internet. Your ISP will provide it and you need to specify it here.
Subnet mask: 255.255.255.0
This is the router subnet mask seen by external users on Internet. Your ISP will provide it to you.
Gateway: 10.1.2.2
Your ISP will provide you the default gateway.
DNS Server 1: 168.95.1.1
Your ISP will provide at least one DNS (Domain Name System) Server IP address.
Click Next to review.
When configured in Bridge Mode, the router will act as a pass-through device and allow the
workstations on your LAN to have public addresses directly on the internet.
IPoA (Dynamic IP over ATM) interfaces carry IP packets over AAL5. AAL5 provides the IP hosts
on the same network with the data link layer for communications. In addition, to allow these hosts
to communicate on the same ATM networks, IP packets must be tuned somewhat. As the bearer
network of IP services, ATM provides high-speed point-to-point connections which considerably
improve the bandwidth performance of IP networks. In addition, ATM provides excellent
network performance and QoS.
EoA (Ethernet-over-ATM) protocol is commonly used to carry data between local area networks
that use the Ethernet protocol and wide-area networks that use the ATM protocol. Many
telecommunications industry networks use the ATM protocol. ISPs who provide DSL services
often use the EoA protocol for data transfer with their customers' DSL modems.
EoA can be implemented to provide a bridged connection between a DSL modem and the ISP. In
a bridged connection, data is shared between the ISP's network and their customer's as if the
networks were on the same physical LAN. Bridged connections do not use the IP protocol. EoA
can also be configured to provide a routed connection with the ISP, which uses the IP protocol to
exchange data.
PPPoA (point-to-point protocol over ATM) and PPPoE (point-to-point protocol over Ethernet) are
authentication and connection protocols used by many service providers for broadband Internet
access. These are specifications for connecting multiple computer users on an Ethernet local area
network to a remote site through common customer premises equipment, which is the telephone
company’s term for a modem and similar devices. PPPoE and PPPoA can be used in an office or
building. Users share a common Digital Subscriber Line (DSL), cable modem, or wireless
connection to the Internet. PPPoE and PPPoA combine the Point-to-Point Protocol (PPP),
commonly used in dialup connections, with the Ethernet protocol or ATM protocol, which supports
multiple users in a local area network. The PPP protocol information is encapsulated within an
Ethernet frame or ATM frame.
Advanced setup contains SHDSL.bis, WAN, Bridge, VLAN, Ethernet, Route, NAT/DMZ, Virtual
SERVER, FIREWALL and IP QoS parameters.
6.2.1 SHDSL.bis
You can set up the Annex type, data rate and SNR margin for SHDSL.bis parameters in SHDSL.bis.
Click SHDSL.bis
Enter Parameters in SHDSL.bis
6.2.1.1 Annex Type
There are four Annex types: Annex A (ANSI), Annex B (ETSI), Annex AF and Annex BG. If the
router must connect to your ISP, check with them about which to use. If your routers are configured for a
point-to-point application, you must choose one of the four types according to the line rate you need.
There are six line types to choose from: 2-wire, M-Pair, M-Pair(Conexant), Auto Fall Back,
StandBy and Multi-link.
2-wire mode
For the 4-wire model, only the first pair can be used for the single-pair DSL wire application.
M – Pair Mode
In this mode, each wire pair of the SHDSL.bis router must be configured with the same line rate. If one
pair fails then the entire line must be restarted. There is also the Conexant M-pair standard, used for
connection to other routers with a Conexant chipset solution.
Auto Fall Back Mode
Two DSL pairs work simultaneously. When one of the two pairs is disconnected, the other pair
keeps working.
Standby Mode
Only one of the two pairs is working; the other pair is standby. If the working pair fails, the standby pair
starts up to continue the connection.
For the 4-wire model, each pair connects to a different remote device, which may or may not be
in the same location.
6.2.1.3 TCPAM Type
TCPAM stands for Trellis Coded Pulse Amplitude Modulation. It is the modulation format that is
used in both HDSL2 and SHDSL, and provides robust performance over a variety of loop
conditions. SHDSL.bis supports 16-level TCPAM line code (TCPAM-16) or 32-level TCPAM line
code (TCPAM-32) to provide a rate/reach adaptive capability, offering enhanced performance
(increased rate or reach) and improved spectral compatibility. The default option is Auto. You may
assign a type manually by clicking the caption TCPAM-16 or TCPAM-32.
6.2.1.4 Data Rate
For 2-wire model (n*64kbps)
You can set up the SHDSL.bis data rate in multiples of 64kbps.
The default data rate is 5696Kbps (n=89).
For using Annex AF or BG:
TCPAM32: data rate is 768Kbps ~ 5696Kbps (Nx64kbps, N=12~89)
TCPAM16: data rate is 192Kbps ~ 3840Kbps (Nx64kbps, N=3~60)
For using Annex A or B:
TCPAM16: data rate is 192Kbps ~ 2304Kbps (Nx64kbps, N=3~36)
For 4-wire model (n*128kbps)
You can set up the SHDSL.bis data rate in multiples of 128kbps.
The default data rate is 11392Kbps (n=89).
For using Annex AF or BG:
TCPAM32: data rate is 1536Kbps ~ 11392Kbps (Nx128kbps, N=12~89)
TCPAM16: data rate is 384Kbps ~ 7680Kbps (Nx128kbps, N=3~60)
For using Annex A or B:
TCPAM16: data rate is 384Kbps ~ 4608Kbps (Nx128kbps, N=3~36)
For adaptive mode, set n=0. The router will adapt the data rate according to the line
status.
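The data-rate tables above are easy to misread (the Annex decides which TCPAM codes are allowed, the TCPAM code decides the N range, and the model decides the step size). The following is an added example, not PLANET’s own code, that validates a requested multiplier n against those tables; it assumes that the Auto line code accepts any N valid for either code the Annex supports.

```python
from dataclasses import dataclass

# Step size per model, from the tables: n*64 kbps (2-wire), n*128 kbps (4-wire).
STEP_KBPS = {"2-wire": 64, "4-wire": 128}

# Allowed multiplier N per Annex family and TCPAM line code, from the tables.
# The kbps range of each row is simply N * step for the model in use.
N_RANGE = {
    ("AF/BG", "TCPAM32"): (12, 89),
    ("AF/BG", "TCPAM16"): (3, 60),
    ("A/B", "TCPAM16"): (3, 36),
}

# Annex A (ANSI) and B (ETSI) share one table; Annex AF and BG share another.
ANNEX_FAMILY = {"A": "A/B", "B": "A/B", "AF": "AF/BG", "BG": "AF/BG"}


@dataclass(frozen=True)
class RateCheck:
    ok: bool
    kbps: int      # selected line rate; 0 means adaptive mode (n=0)
    reason: str


def allowed_codes(annex: str, tcpam: str) -> list:
    """TCPAM line codes the chosen Annex permits.  'Auto' (the default) is
    treated as 'either code the Annex supports' (assumption, not from the manual)."""
    family = ANNEX_FAMILY[annex]
    if tcpam == "Auto":
        return [code for (fam, code) in N_RANGE if fam == family]
    return [tcpam] if (family, tcpam) in N_RANGE else []


def check_data_rate(model: str, annex: str, tcpam: str, n: int) -> RateCheck:
    """Return whether n is a valid multiplier for this model/Annex/TCPAM
    combination and the line rate it selects."""
    if model not in STEP_KBPS:
        return RateCheck(False, 0, f"unknown model {model!r}")
    if annex not in ANNEX_FAMILY:
        return RateCheck(False, 0, f"unknown Annex {annex!r}")
    if n == 0:
        return RateCheck(True, 0, "adaptive mode: rate follows line status")
    codes = allowed_codes(annex, tcpam)
    if not codes:
        return RateCheck(False, 0, f"Annex {annex} does not support {tcpam}")
    family = ANNEX_FAMILY[annex]
    step = STEP_KBPS[model]
    for code in codes:
        lo, hi = N_RANGE[(family, code)]
        if lo <= n <= hi:
            return RateCheck(True, n * step, f"{code}: N={lo}~{hi}")
    spans = ", ".join(
        f"{c}: N={N_RANGE[(family, c)][0]}~{N_RANGE[(family, c)][1]}" for c in codes
    )
    return RateCheck(False, 0, f"n={n} is outside the allowed range ({spans})")


def rate_to_n(model: str, kbps: int) -> int:
    """Convert a desired rate in kbps to the multiplier n; raises when the rate
    is not a whole multiple of the model's step size."""
    step = STEP_KBPS[model]
    if kbps % step:
        raise ValueError(f"{kbps} kbps is not a multiple of {step} kbps")
    return kbps // step


if __name__ == "__main__":
    print(check_data_rate("2-wire", "AF", "TCPAM32", 89))  # default 5696 kbps
    print(check_data_rate("4-wire", "BG", "Auto", 89))     # default 11392 kbps
    print(check_data_rate("2-wire", "A", "TCPAM32", 20))   # Annex A is TCPAM16 only
    print(check_data_rate("4-wire", "A", "TCPAM16", 40))   # N must be 3~36
```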
This is an index of line connection quality. You can see the actual SNR margin in STATUS
SHDSL.bis. The larger the SNR margin, the better the line connection quality.
If you set the SNR margin field to 3, the SHDSL.bis connection will drop and reconnect when
the SNR margin falls below 3; the device will then reduce the line rate and reconnect for better line
connection quality.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters
before writing in NVRAM.
Press Restart to restart the router working with the new parameters, or press Continue to set up another
parameter.
The router can support up to 8 PVCs. WAN 1 was configured via the BASIC item, except for QoS. If you
want to set up other PVCs such as WAN 2 to 7, those parameters are set up on the WAN pages
under ADVANCED. In other words, you don’t need to set up WAN unless you subscribe to two
or more Internet services from ISPs.
The parameters of WAN Number 1 have been set up in Basic Setup. If you want to set up another
PVC, you can configure it in WAN 2 to WAN 8.
Enter the parameters:
Protocol: If the WAN protocol is PPPoA or PPPoE with dynamic IP, leave the WAN IP Address
and Subnet Mask at their default settings. The system will ignore the IP Address and Subnet Mask
information, but erasing or blanking the default setting will cause a system error.
If the WAN protocol is IPoA or EoA, leave the ISP parameters at their default settings. The system will
ignore that information, but erasing or blanking the default setting will cause a system error.
VC-mux (VC-based Multiplexing): Each protocol is assigned to a specific virtual circuit. VC-based
multiplexing may be dominant in environments where dynamic creation of large numbers of ATM
VCs is fast and economical.
LLC (LLC-based Multiplexing): One VC carries multiple protocols, with protocol-identifying
information contained in each packet header. Despite the extra bandwidth and processing
overhead, this method may be advantageous if it is not practical to have a separate VC for each
carried protocol.
VPI (Virtual Path Identifier) is for setting up ATM Permanent Virtual Channels (PVC). The valid range for
VPI is 0 to 255.
VCI (Virtual Channel Identifier) is for setting up ATM Permanent Virtual Channels (PVC). The valid
range for VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic).
QoS (Quality of Service) class: The Traffic Management Specification V4.0 defines ATM service
categories that describe both the traffic transmitted by users onto a network as well as the Quality of
Service that the network needs to provide for that traffic. There are four classes to choose from: UBR,
CBR, rt-VBR and nrt-VBR. Select CBR to specify fixed bandwidth for voice or data traffic. Select
UBR for applications that are not time sensitive, such as e-mail. Select VBR for bursty traffic and
bandwidth sharing with other applications.
UBR (Unspecified Bit Rate) is the simplest service provided by ATM networks. There is no
guarantee of anything. It is a primary service used for transferring Internet traffic over the ATM
network.
CBR (Constant Bit Rate) is used by connections that require a static amount of bandwidth that is
available during the connection lifetime. This bandwidth is characterized by Peak Cell Rate (PCR).
Based on the PCR of the CBR traffic, specific cell slots are assigned for the VC in the schedule
table. The ATM always sends a single cell during the CBR connection’s assigned cell slot.
VBR-rt (Variable Bit Rate real-time) is intended for real-time applications, such as compressed
voice over IP and video conferencing, that require tightly constrained delays and delay variation.
VBR-rt is characterized by a peak cell rate (PCR), sustained cell rate (SCR), and maximum burst
rate (MBR).
VBR-nrt (Variable Bit Rate non-real-time) is intended for non-real-time applications, such as FTP,
e-mail and browsing.
PCR (Peak Cell Rate) in kbps: The maximum rate at which you expect to transmit data, voice and
video. Consider PCR and MBS as a means of reducing latency, not increasing bandwidth. The
range of PCR is 384kbps to 11392kbps.
SCR (Sustained Cell Rate): The sustained rate at which you expect to transmit data, voice and
video. Consider SCR to be the true bandwidth of a VC and not the long-term average traffic rate.
The range of SCR is 384kbps to 11392kbps.
MBS (Maximum Burst Size): Refers to the maximum number of cells that can be sent at the peak
rate. The range of MBS is 1 cell to 255 cells.
If you want to set up advanced filter functions while the router is working in bridge mode, you can use
the BRIDGE menu to set up the filter and blocking functions.
VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical
networks. Devices on a logical network belong to one group. A device can belong to more than
one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the
same group.
With MTU (Multi-Tenant Unit) applications, VLAN is vital in providing isolation and security among
the subscribers. When properly configured, VLAN prevents one subscriber from accessing the
network resources of another on the same LAN.
VLAN also increases network performance by limiting broadcasts to a smaller and more
manageable logical broadcast domain. In traditional switched environments, all broadcast packets
go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast
domain.
The IEEE 802.1Q defines the operation of VLAN bridges that permit the definition, operation, and
administration of VLAN topologies within a bridged LAN infrastructure.
The router supports two types of VLAN: 802.1Q Tag-Based VLAN and Port-Based VLAN.
Users can configure one of them on the router.
To set up an 802.1Q VLAN, click 802.1Q Tag-Based VLAN. The screen will prompt as
follows.
VID: (Virtual LAN ID) A VLAN ID number from 1 to 4094.
PVID: (Port VID) The default VLAN, from 1 to 4094, of which the port is an untagged member.
Link Type: Access means the port can receive or send untagged packets.
Trunk means that the port can receive or send tagged packets.
The router initially configures one VLAN by default, VID=1.
A port such as LAN1 to LAN4 and WAN1 to WAN8 can have only one PVID, but can have as many
VIDs as the router has memory in its VLAN table to store them.
Ports in the same VLAN group share the same frame broadcast domain, thus increasing network
performance through reduced broadcast traffic. VLAN groups can be modified at any time by
adding, moving or changing ports without any re-cabling.
6.2.4.2 Port-Based VLAN
To set up a Port-Based VLAN, click Port-Based VLAN. The screen will prompt as follows:
Port-Based VLANs are VLANs where the packet forwarding decision is based on the destination
MAC address and its associated port.
When using the port-based VLAN, the port is assigned to a specific VLAN independent of the user
or system attached to the port. This means all users attached to the port should be members in the
same VLAN. The network administrator typically performs the VLAN assignment. The port
configuration is static and cannot be automatically changed to another VLAN without manual
reconfiguration.
As with other VLAN approaches, the packets forwarded using this method do not leak into other
VLAN domains on the network. After a port has been assigned to a VLAN, the port cannot send to
or receive from devices in another VLAN.
The default setting is all ports (LAN1 to LAN4 and WAN1 to WAN8) connected together which
means all ports can communicate with each other. That is, there are no virtual LANs. The option is
the most flexible but the least secure.
Click STP can disable or enable the bridge STP mode.
STP (Spanning-Tree Protocol) defined in the IEEE 802.1D, is a link management protocol that
provides path redundancy while preventing undesirable loops in the network. For an Ethernet
network to function properly, only one active path can exist between two stations.
Multiple active paths between stations cause loops in the network. If a loop exists in the network
topology, the potential exists for duplication of messages. When loops occur, some switches see
stations appear on both sides of the switch. This condition confuses the forwarding algorithm and
allows duplicate frames to be forwarded.
To provide path redundancy, Spanning-Tree Protocol defines a tree that spans all switches in an
extended network. Spanning-Tree Protocol forces certain redundant data paths into a standby
(blocked) state. If one network segment in the Spanning-Tree Protocol becomes unreachable, or if
Spanning-Tree Protocol costs change, the spanning-tree algorithm reconfigures the spanning-tree
topology and reestablishes the link by activating the standby path.
Spanning-Tree Protocol operation is transparent to end stations, which are unaware whether they
are connected to a single LAN segment or a switched LAN of multiple segments.
If the Router is connected to more than one network, it may be necessary to set up a static route
between them. A static route is a pre-determined pathway that network information must travel to
reach a specific host or network.
With Dynamic Routing, you can enable the Router to automatically adjust to physical changes in
the network’s layout. The Router, using the RIP protocol, determines the network packets’ route
based on the fewest number of hops between the source and the destination. The RIP protocol
regularly broadcasts routing information to other routers on the network.
To modify the RIP (Routing information protocol) Parameters:
RIP Mode: Enable
Auto RIP Summary: Enable
Press Modify
RIP Mode:
This parameter determines how the router handles RIP (Routing Information Protocol). RIP allows it
to exchange routing information with other routers. If set to Disable, the gateway does not
participate in any RIP exchange with other routers. If set to Enable, the router broadcasts its routing
table on the LAN and incorporates RIP broadcasts from other routers into its routing table.
If set to Silent, the router does not broadcast its routing table, but it accepts the RIP broadcast packets
that it receives.
RIP Version:
It determines the format and broadcasting method of any RIP transmissions by the gateway.
RIP v1: it sends RIP v1 messages only.
RIP v2: it sends RIP v2 messages in multicast and broadcast format.
Authentication required:
None: for RIP, there is no need of authentication code.
Password: the RIP is protected by password, authentication code.
MD5: RIP messages are protected by an MD5-hashed password (authentication code).
Poison Reserve:
Poison Reserve is for promptly broadcasting or multicasting the RIP update when a route
changes (e.g. shutting down one of the routers in the routing table).
Enable: the gateway will actively broadcast or multicast the information.
Disable: the gateway will not broadcast or multicast the information.
After modifying the RIP parameters, press finish.
The screen will prompt the modified parameters. Check the parameters and press Restart to restart
the router, or press Continue to set up another parameter.
NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address)
used within one network to a different IP address known within another network. One network is
designated the inside network and the other is the outside. Typically, a company maps its local
inside network addresses to one or more global outside IP addresses and reverses the global IP
addresses of incoming packets back into local IP addresses. This ensures security, since each
outgoing or incoming request must go through a translation process that also offers the
opportunity to qualify or authenticate the request or match it to a previous request. NAT also
conserves the number of global IP addresses that a company needs and lets the company
use a single IP address for its communication with the Internet world.
DMZ (Demilitarized zone) is a computer host or small network inserted as a “neutral zone”
between a company’s private network and the outside public network. It prevents outside users from
getting direct access to a server that has company private data.
In a typical DMZ configuration for an enterprise, a separate computer or host receives requests
from users within the private network to access Web sites or other companies accessible on the
public network. The DMZ host then initiates sessions for these requests to the public network.
However, the DMZ host is not able to initiate a session back into the private network. It can only
forward packets that have already been requested.
Users of the public network outside the company can access only the DMZ host. The DMZ may
typically also have the company’s Web pages so these could serve the outside world. However, the
DMZ provides access to no other company data. In the event that an outside user penetrated the
DMZ host’s security, the Web pages might be corrupted, but no other company information would
be exposed.
If you want to enable the NAT/DMZ functions, click Enable. Enabling the DMZ host function uses
the IP address assigned to the WAN as the public address of the DMZ virtual IP address.
Users who have two or more global IP addresses assigned by the ISP can use the multi
DMZ. The table maps global IP addresses to virtual IP addresses.
6.2.7.2 Multi-NAT
Some of the virtual IP addresses (e.g. 192.168.0.10 ~ 192.168.0.50) collectively use two of the
global IP addresses (e.g. 69.210.1.9 and 69.210.1.10). The Multi-NAT table is set up as:
Virtual Start IP Address: 192.168.0.10
Count: 40
Global Start IP Address: 69.210.1.9
Count: 2
Press Finish to continue to review.
The screen will prompt the parameters that will be written in NVRAM. Check the parameters
before writing in NVRAM. Press Restart to restart the router working with the new parameters, or
Continue to configure another parameter.
Press Restart to restart the router or press Continue to set up another function.
For example: Specific ports on the WAN interface are re-mapped to services inside the LAN. As
only 69.210.1.8 (e.g., assigned to the WAN by the ISP) is visible to the Internet, but does not actually
have any services (other than NAT, of course) running on the gateway, it is said to be a virtual server.
TCP requests made to 69.210.1.8:80 are remapped to server 1 on 192.168.0.2:80 on
working days from Monday to Friday, 8 AM to 6PM; other UDP requests made to 69.210.1.8:25
are remapped to server 2 on 192.168.0.3:25 and are always on.
You can set up the router as Index 1, protocol TCP, interface WAN1, service name test1, private IP
192.168.0.2, private port 80, public port 80, schedule from Day Monday to Friday and time 8:0 to
16:0; and Index 2, protocol UDP, interface WAN1, service name test2, private IP 192.168.0.3,
private port 25, public port 25, schedule always.
A firewall is a set of related programs that protects the resources of a private network from other
networks. It helps users prevent hackers from accessing their private data
resources.
There are three security levels to choose from: Basic firewall security, Automatic firewall security
and Advanced firewall security.
This level only enables the NAT firewall and the remote management security. The NAT firewall will
take effect if the NAT function is enabled. The remote management security by default blocks any
WAN side connection to the device. A non-empty legal IP pool in ADMIN will block all remote
management connections except those from IPs specified in the pool.
Press Finish to finish the firewall setting and review the parameters.
The screen will prompt the parameters, which router will record in NVRAM. Check the parameters.
Press Restart to restart the router or press Continue to setup another function.
This level enables basic firewall security, all DoS protection, and the SPI filter function.
Press Finish to finish setting the firewall.
The screen will prompt the parameters, which will be written in NVRAM. Check the parameters.
Press Restart to restart the router or press Continue to setup another function.
Users can determine the security level for special purposes, environments and applications by
configuring the DoS protection and defining an extra packet filter with higher priority than the
default SPI filter. Note that an improper filter policy may degrade the capability of the firewall
and/or even block normal network traffic.
Click Advanced Firewall Security and then press Finish.
You can set up the DoS protection parameters:
SYN flood: A SYN flood is a form of denial-of-service attack that attempts to slow your network by
requesting new connections but not completing the process to open the connection. Once the
buffer for these pending connections is full, a server will not accept any more connections and will
be unresponsive.
ICMP flood: A sender transmits a volume of ICMP request packets to cause all CPU resources to
be consumed serving the phony requests.
UDP Flood: A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram
Protocol (UDP). A sender transmits a volume of requests for UDP diagnostic services which cause
all CPU resources to be consumed serving the phony requests.
Ping of Death: A ping of death (abbreviated “POD”) attack attempts to crash your system by
sending a fragmented packet which, when reconstructed, is larger than the maximum allowable size.
Land attack: A land attack is an attempt to slow your network down by sending a packet with
identical source and destination addresses originating from your network.
IP Spoofing: IP Spoofing is a method of masking the identity of an intrusion by making it appear
that the traffic came from a different computer. This is used by intruders to keep their anonymity
and can be used in a Denial of Service attack.
Smurf attack: The Smurf attack is a way of generating a lot of computer network traffic to a victim
host. It is a type of denial-of-service attack. A Smurf attack involves two systems. The attacker
sends a packet containing an ICMP echo request (ping) to the network address of one system. This
system is known as the amplifier. The return address of the ping has been faked (spoofed) to
appear to come from a machine on another network (the victim). The victim is then flooded with
responses to the ping. As many responses are generated for only one attack, the attacker is able
to use many amplifiers on the same victim.
Fraggle attack: A Fraggle attack is a type of denial-of-service attack where an attacker sends a
large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address.
This is a simple rewrite of the smurf attack code.
For SYN attack, ICMP flood and UDP flood, you can set the threshold in packets per
second. The default value is 200 packets per second. If everything is working properly, you
probably do not need to change the threshold setting from the default values. Reduce the
threshold values if your network is slower than average.
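To make the packets-per-second threshold concrete, here is an added example (not PLANET’s firmware code) that applies the default 200 packets-per-second limit to a constructed packet log with a one-second sliding window per flood class. It assumes a TCP packet with only the SYN flag set counts as a SYN, an ICMP echo request (type 8) counts toward the ICMP flood, and every UDP packet counts toward the UDP flood.

```python
from collections import defaultdict, deque

# Default threshold from the manual: 200 packets per second for each class.
DEFAULT_THRESHOLDS = {"SYN": 200, "ICMP": 200, "UDP": 200}


def classify(pkt):
    """Map a packet record to the flood class the router counts, or None.
    Assumptions: only-SYN TCP, ICMP echo request (type 8), any UDP."""
    proto = pkt["proto"]
    if proto == "TCP" and pkt.get("flags") == "S":
        return "SYN"
    if proto == "ICMP" and pkt.get("type") == 8:
        return "ICMP"
    if proto == "UDP":
        return "UDP"
    return None


def flood_events(packets, thresholds=DEFAULT_THRESHOLDS, window=1.0):
    """Return (class, timestamp) for every packet that pushes its class above
    the per-window threshold.  `packets` is an iterable of dicts sorted by
    'ts' (seconds); one sliding window is kept per class."""
    windows = defaultdict(deque)
    events = []
    for pkt in packets:
        cls = classify(pkt)
        if cls is None:
            continue
        q = windows[cls]
        q.append(pkt["ts"])
        # Drop timestamps that have fallen out of the trailing window.
        while q and pkt["ts"] - q[0] >= window:
            q.popleft()
        if len(q) > thresholds[cls]:
            events.append((cls, pkt["ts"]))
    return events


def synthetic_traffic():
    """Constructed sample: 250 SYNs inside half a second (a flood) plus a
    slow trickle of ICMP echo requests (20 over two seconds, harmless)."""
    pkts = [{"ts": i * 0.002, "proto": "TCP", "flags": "S"} for i in range(250)]
    pkts += [{"ts": 0.1 * i, "proto": "ICMP", "type": 8} for i in range(20)]
    return sorted(pkts, key=lambda p: p["ts"])


if __name__ == "__main__":
    hits = flood_events(synthetic_traffic())
    print(len(hits), "packets over threshold; first:", hits[0])
```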
Traditional firewalls are stateless, meaning they have no memory of the connections of data or packets
that pass through them. Such IP filtering firewalls simply examine header information in each
packet and attempt to match it to a set of defined rules. If the firewall finds a match, the prescribed
action is taken. If no match is found, the packet is accepted into the network, or dropped,
depending on the firewall configuration.
A stateful firewall maintains a memory of each connection and data passing through it. A stateful
firewall records the context of connections during each session, continuously updating state
information in dynamic tables. With this information, stateful firewalls inspect each connection
traversing each interface of the firewall, testing the validity of data packets throughout each
session. As data arrives, it is checked against the state tables and if the data is part of the session,
it is accepted. Stateful firewalls enable a more intelligent, flexible and robust approach to network
security, while defeating most intrusion methods that exploit stateless IP filtering firewalls.
Packet filter
Click Next to set up the packet filtering parameters.
If you want to configure the Packet Filtering Parameters, choose Enable and press Add.
You can set up the packet filter rule parameters:
Select the Protocol and configure the parameter.
Protocol: ANY, TCP, UDP, ICMP, GRE, RSVP, ESP and AH.(ANY means all protocol)
Direction: INBOUND (from WAN to LAN) or OUTBOUND (from LAN to WAN)
Action: DENY(block) or PERMIT(allow)
Description: Type a description for your customized service.
Src. IP Address: The source address or range of addresses to which this packet filter rule
applies. (Address 0.0.0.0 is equivalent to Any)
Dest. IP Address: The destination address or range of addresses to which this packet filter rule
applies. (Address 0.0.0.0 is equivalent to Any)
Schedule: Select everyday (always) or the day(s) of the week to apply the rule. Enter the start and
end times in the hour-minute format to apply the rule.
For example, if you want to ban all protocols from the IP (e.g. 200.1.1.1) accessing all of the
PCs (e.g. 192.168.0.2 ~ 192.168.0.50) in the LAN, key in the parameters as:
Protocol: ANY
Direction: INBOUND (INBOUND is from WAN)
Description: Hacker
Src. IP Address: 200.1.1.1
Dest. IP Address: 192.168.0.2-192.168.0.50
Schedule: You can set always or any time range which you want
The screen will prompt the configured parameters.
Click Enable on the Trigger Packet Filtering Service item to activate the packet filtering service.
You can modify or delete the access policies by clicking Modify or Delete.
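Both the virtual server table (the two entries in the NAT/DMZ example above) and the packet filter rules combine a protocol, addresses or ports and a schedule. The following is an added example, not PLANET’s firmware code, that models both tables and shows how a request is matched against them at a given moment; it assumes first-match-wins rule order, an exclusive end time, and Monday=0 weekday numbering, none of which the manual states.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import FrozenSet, Optional, Tuple

# A schedule is None ("always") or (weekdays, start, end) with Monday=0 ...
# Sunday=6 and hour-minute start/end times; end is exclusive (assumption).
Schedule = Optional[Tuple[FrozenSet[int], time, time]]
WORKDAYS = frozenset(range(5))  # Monday to Friday


def schedule_active(schedule: Schedule, when: datetime) -> bool:
    if schedule is None:
        return True
    days, start, end = schedule
    return when.weekday() in days and start <= when.time() < end


@dataclass(frozen=True)
class VirtualServer:
    index: int
    protocol: str        # TCP or UDP
    interface: str       # WAN1 ... WAN8
    service_name: str
    private_ip: str
    private_port: int
    public_port: int
    schedule: Schedule


@dataclass(frozen=True)
class FilterRule:
    protocol: str        # ANY, TCP, UDP, ICMP, GRE, RSVP, ESP or AH
    direction: str       # INBOUND (WAN to LAN) or OUTBOUND (LAN to WAN)
    action: str          # DENY or PERMIT
    description: str
    src: str             # exact IP, "first-last" range, or 0.0.0.0 for any
    dst: str
    schedule: Schedule


def ip_matches(spec: str, ip: str) -> bool:
    """0.0.0.0 means any address; 'a-b' is an inclusive range; else exact."""
    if spec == "0.0.0.0":
        return True
    addr = IPv4Address(ip)
    if "-" in spec:
        lo, hi = (IPv4Address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == IPv4Address(spec)


def filter_verdict(rules, proto, direction, src, dst, when, default="PERMIT"):
    """First matching rule wins (assumption).  With no match the default SPI
    behaviour applies, modelled here as PERMIT."""
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.protocol != "ANY" and rule.protocol != proto:
            continue
        if not (ip_matches(rule.src, src) and ip_matches(rule.dst, dst)):
            continue
        if not schedule_active(rule.schedule, when):
            continue
        return rule.action, rule.description
    return default, None


def virtual_server_target(table, proto, interface, public_port, when):
    """(private_ip, private_port) for an inbound request on a public port,
    or None when no entry is active at that moment."""
    for entry in table:
        if (entry.protocol == proto and entry.interface == interface
                and entry.public_port == public_port
                and schedule_active(entry.schedule, when)):
            return entry.private_ip, entry.private_port
    return None


# The manual's two virtual-server entries: weekdays 8:00-16:00, and always.
VIRTUAL_SERVERS = [
    VirtualServer(1, "TCP", "WAN1", "test1", "192.168.0.2", 80, 80,
                  (WORKDAYS, time(8, 0), time(16, 0))),
    VirtualServer(2, "UDP", "WAN1", "test2", "192.168.0.3", 25, 25, None),
]
# The manual's "Hacker" packet-filter rule.
FILTER_RULES = [
    FilterRule("ANY", "INBOUND", "DENY", "Hacker", "200.1.1.1",
               "192.168.0.2-192.168.0.50", None),
]
# Constructed timestamps: a Tuesday at noon and a Saturday at noon.
TUE_NOON = datetime(2024, 1, 9, 12, 0)
SAT_NOON = datetime(2024, 1, 13, 12, 0)

if __name__ == "__main__":
    print(virtual_server_target(VIRTUAL_SERVERS, "TCP", "WAN1", 80, TUE_NOON))
    print(virtual_server_target(VIRTUAL_SERVERS, "TCP", "WAN1", 80, SAT_NOON))
    print(filter_verdict(FILTER_RULES, "TCP", "INBOUND", "200.1.1.1", "192.168.0.7", TUE_NOON))
```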
Click Add in the bottom of web page to begin a new entry in IP QoS Policy table.
Description: A brief statement describing this policy.
Local IP: type the IP address of the local host in the prioritized session.
Remote IP: type the IP address of the remote host in the prioritized session.
Local Port: type the service port number of the local host in the prioritized session.
Remote Port: type the service port number of the remote host in the prioritized session.
Protocol: identify the transport layer protocol type you want to prioritize, e.g. TCP or UDP.
The default is ANY.
Precedence: type the priority level you assign to the session; “0” is the lowest priority, “5” is the highest
priority.
Click OK when all parameters are finished.
You can modify or delete the policies by clicking Modify or Delete.
Click Finish to review all IP QoS parameters.
To let the IP QoS configuration changes take effect immediately, please
click the Restart button to reboot the system. To continue the setup procedure, please click the Continue
button.
6.3 Status
On STATUS item, you can monitor the following:
SHDSL.bis
Mode, Line rate, and Performance information including SNR margin, attenuation,
and CRC error count.
The status information shows this is a 4-wire model, which has channels A and B. If the router is
connected to the remote side, it can also show the performance information of the remote side.
Click Clear CRC Error to clear the CRC error count.
Bridge ID: The bridge ID of a configuration message is an 8-byte field. The six low-order bytes are
the MAC address of the switch. The high-order two-byte (unsigned 16-bit integer) field is the bridge
priority number.
Designated Root ID: The unique Bridge Identifier of the Bridge assumed to be the Root, this
parameter is used as the value of the Root Identifier parameter in all CBPDUs transmitted by the
Bridge.
Root Port: Identifies the Port through which the path to the Root is established, and is not
significant when the Bridge is the Root and is set to zero. It is the Port Identifier of the Port that
offers the lowest Cost Path to the Root
Root Path Cost: The Cost of the Path to the Root from this Bridge, this is equal to the sum of the
values of the Designated Cost and Path Cost parameters held for the Root Port. When the Bridge
is the Root, this parameter is zero.
The ports parameters have:
Learning: This is when the modem creates a switching table that will map MAC addresses to port
number.
Listening: This is when the modem processes BPDUs that allow it to determine the network
topology.
Forwarding: When a port receives or sends data. In other words, this is operating normally.
Disabled: This is when the network administrator has disabled the port.
Blocking: this means the port was blocked to stop a looping condition.
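As an added illustration of the Bridge ID layout and the Root Path Cost rule described above (example code, not from the PLANET manual or the router firmware), the Python below splits an 8-byte Bridge ID into priority and MAC, picks the root the way bridges compare IDs, and checks the Designated Root ID on the status page against the bridge you expect. The MAC addresses in the sample are constructed.

```python
import struct

# Bridge ID layout as the status page describes it: 2-byte priority (high order)
# followed by the 6-byte MAC address (low order), 8 bytes in total.
def parse_bridge_id(raw: bytes) -> tuple[int, str]:
    """Split an 8-byte Bridge ID into (priority, MAC address)."""
    if len(raw) != 8:
        raise ValueError("Bridge ID must be exactly 8 bytes")
    priority, mac = struct.unpack(">H6s", raw)
    return priority, ":".join(f"{b:02x}" for b in mac)

def bridge_id_value(priority: int, mac: str) -> int:
    """Pack priority and MAC back into the 64-bit integer that bridges compare."""
    mac_bytes = bytes(int(x, 16) for x in mac.split(":"))
    return int.from_bytes(struct.pack(">H6s", priority, mac_bytes), "big")

def elect_root(bridges: dict[str, bytes]) -> str:
    """Lowest Bridge ID wins: priority decides first, the MAC only breaks ties."""
    return min(bridges, key=lambda name: int.from_bytes(bridges[name], "big"))

def root_path_cost(designated_cost: int, path_cost: int, is_root: bool) -> int:
    """Root Path Cost = Designated Cost + Path Cost of the Root Port; zero on the Root."""
    return 0 if is_root else designated_cost + path_cost

def unexpected_root(designated_root: bytes, expected_root: bytes) -> bool:
    """True when the Designated Root ID shown on the status page is not the bridge you intended."""
    return designated_root != expected_root

if __name__ == "__main__":
    # Constructed sample bridges (MAC addresses are made up for this example).
    lan = {
        "router": bytes.fromhex("8000" "00aabbcc0001"),   # default priority 32768
        "core":   bytes.fromhex("1000" "00aabbcc0002"),   # priority 4096, intended root
        "switch": bytes.fromhex("8000" "00aabbcc0003"),   # same priority as router, higher MAC
    }
    for name, bid in lan.items():
        print(name, parse_bridge_id(bid))
    root = elect_root(lan)
    print("elected root:", root)
    print("root differs from intended core bridge:", unexpected_root(lan[root], lan["core"]))
    print("root path cost on router:", root_path_cost(19, 4, is_root=(root == "router")))
```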
This section introduces security, the Simple Network Management Protocol (SNMP) and time synchronization.
6.4.1 Security
For system security, change the default user name and password during the first setup; otherwise unauthorized persons can access the router and change its parameters.
There are three ways to configure the router: Web browser, telnet and serial console.
Press Security to set up the parameters.
For greater security, change the Supervisor ID and password for the gateway. If you don’t set them, all users on your network can access the gateway using the default IP and the password root.
You can authorize five legal users to access the router via telnet or console. There are two UI modes for configuring the router: menu-driven mode and line-command mode.
The legal address pool sets up the legal IP addresses from which an authorized person can configure the gateway. This is the more secure function for a network administrator to set up the legal addresses for configuration.
Configuring 0.0.0.0 will allow all hosts on the Internet or LAN to access the router.
Leaving the trust host list blank will block all PCs on the WAN from accessing the router; in that case, only PCs in the LAN can access the router.
If you type an exact IP address in the field, only that host can access the router.
Click Finish to finish the setting.
The browser will prompt all configured parameters; check them before writing into NVRAM.
Press Restart to restart the gateway with the new parameters, or press Continue to set up other parameters.
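The three trust host list rules above, as an added Python example (not the router’s own code): management_allowed evaluates a source address against the list, and audit_trust_hosts flags the two settings that open management more widely than an exact host entry. The LAN subnet argument is an assumption, since the page does not say how the router identifies LAN hosts.

```python
import ipaddress

# Access rule semantics as described for the legal address pool (trust host list):
#   - a blank list blocks every WAN host; only LAN hosts may reach the management UI
#   - an entry of 0.0.0.0 opens management to every host, LAN or Internet
#   - otherwise only hosts whose address exactly matches an entry are allowed
ALLOW_ALL = ipaddress.ip_address("0.0.0.0")

def management_allowed(src: str, trust_hosts: list[str], lan: str) -> bool:
    """Return True if `src` may reach the configuration UI under the given trust host list.

    `lan` is the LAN subnet in CIDR form (an assumption made for this example)."""
    src_ip = ipaddress.ip_address(src)
    lan_net = ipaddress.ip_network(lan, strict=False)
    entries = [ipaddress.ip_address(h) for h in trust_hosts if h.strip()]
    if not entries:                      # blank list: LAN only
        return src_ip in lan_net
    if ALLOW_ALL in entries:             # 0.0.0.0: everyone, including the Internet
        return True
    return src_ip in entries             # exact match only

def audit_trust_hosts(trust_hosts: list[str]) -> list[str]:
    """Flag settings that expose the management UI more widely than an exact host list."""
    findings = []
    entries = [h.strip() for h in trust_hosts if h.strip()]
    if any(ipaddress.ip_address(h) == ALLOW_ALL for h in entries):
        findings.append("0.0.0.0 present: management reachable from any Internet host")
    if not entries:
        findings.append("list is blank: WAN blocked, but every LAN host may configure the router")
    return findings

if __name__ == "__main__":
    # Constructed sample: admin workstation 192.168.0.20 on a 192.168.0.0/24 LAN.
    for hosts in ([], ["0.0.0.0"], ["192.168.0.20"]):
        wan = management_allowed("203.0.113.5", hosts, "192.168.0.0/24")
        lan = management_allowed("192.168.0.10", hosts, "192.168.0.0/24")
        print(f"{hosts!r:20} WAN host: {wan}  other LAN host: {lan}  {audit_trust_hosts(hosts)}")
```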
6.4.2 SNMP
Simple Network Management Protocol (SNMP) provides for the exchange of messages between a network management client and a network management agent for remote management of network nodes. These messages contain requests to get and set variables that exist in network nodes in order to obtain statistics, set configuration parameters, and monitor network events. SNMP communications can occur over the LAN or WAN connection.
The router can generate SNMP traps to indicate alarm conditions, and it relies on SNMP community strings to implement SNMP security.
This router supports both MIB I and MIB II.
6.4.2.1 Community Pool
Press Modify to modify the community pool. You can set up the access authority.
SNMP Status: Enable
Access Right: Deny to deny all access; Read for read-only access; Write for read and write access.
Community: it serves as the password for the access right.
After configuring the community pool, press OK.
6.4.2.2 Trap Host Pool
An SNMP trap is an informational message sent from an SNMP agent to a manager. Click Modify to modify the trap host pool.
Version: select the version for the trap host (Version 1 is for SNMPv1; Version 2 for SNMPv2).
IP Address: type the trap host IP address.
Community: type the community password. The community is set up in the community pool.
Press OK to finish the setup.
The browser will prompt the configured parameters; check them before writing into NVRAM.
Press Restart to restart the gateway with the new parameters, or press Continue to set up other parameters.
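An added Python check (not from the manual or the router) that reviews a community pool and a trap host pool as described in the two sections above before they are written to NVRAM. The Community and TrapHost field names and the 8-character minimum length are assumptions made for this example; SNMPv1 and SNMPv2 carry the community string in cleartext, so a community with Write access is the entry most worth reviewing.

```python
from dataclasses import dataclass

# Models of the two pools on the router's SNMP pages. Field names are assumptions
# made for this example; the router's own storage format is not documented here.
@dataclass
class Community:
    name: str            # the community string, which doubles as the password
    access: str          # "Deny", "Read" or "Write", as on the community pool page

@dataclass
class TrapHost:
    version: int         # 1 = SNMPv1, 2 = SNMPv2
    ip: str
    community: str       # must name an entry of the community pool

MIN_COMMUNITY_LEN = 8    # policy choice for this example, not a router setting

def audit_snmp(enabled: bool, communities: list[Community], traps: list[TrapHost]) -> list[str]:
    """Return the findings a reviewer would raise before pressing Restart."""
    findings: list[str] = []
    if not enabled:
        return findings                      # nothing is exposed while SNMP is disabled
    names = {c.name for c in communities}
    for c in communities:
        if c.access not in ("Deny", "Read", "Write"):
            findings.append(f"community {c.name!r}: unknown access right {c.access!r}")
        if c.access == "Write":
            findings.append(f"community {c.name!r}: Write access lets an SNMP client change configuration")
        if len(c.name) < MIN_COMMUNITY_LEN:
            findings.append(f"community {c.name!r}: short community string is easy to guess")
    if communities and all(c.access == "Deny" for c in communities):
        findings.append("SNMP enabled but every community denies access: disable SNMP or grant Read")
    for t in traps:
        if t.version not in (1, 2):
            findings.append(f"trap host {t.ip}: version must be 1 (SNMPv1) or 2 (SNMPv2)")
        if t.community not in names:
            findings.append(f"trap host {t.ip}: community {t.community!r} is not in the community pool")
    return findings

if __name__ == "__main__":
    # Constructed sample pools; addresses and strings are made up for this example.
    pool = [Community("public", "Read"), Community("adminstring99", "Write")]
    hosts = [TrapHost(1, "192.168.0.50", "public"), TrapHost(3, "192.168.0.51", "nosuch")]
    for line in audit_snmp(True, pool, hosts):
        print("-", line)
```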
6.4.3 Time Synchronization
Time synchronization is an essential element for any business which relies on its IT system. The reason for this is that these systems all have a clock that is the source of timing for their filing or operations. Without time synchronization, these systems’ clocks drift apart and cause the failure of firewall packet-filtering schedule processes, compromised security, or virtual servers working on the wrong schedule.
Click TIME SYNC.
Time synchronization has two methods:
Sync with PC: Synchronization with PC
SNTP v4.0: Simple Network Time Protocol Version 4
6.4.3.1 Synchronization with PC
For synchronization with PC, select Sync with PC. The router will synchronize the time with the connecting PC.
6.4.3.2 SNTP v4.0
SNTP is the acronym for Simple Network Time Protocol, which is an adaptation of the Network Time Protocol (NTP) used to synchronize computer clocks on the Internet. SNTP can be used when the ultimate performance of a full NTP implementation is not needed.
Service: Enable
Time Server 1, Time Server 2 and Time Server 3: Any of the time servers around the world can be used, but we suggest using a time server near your country. You can set up a maximum of three time servers here.
Time Zone: you have to choose the right GMT time zone for your country.
Press Finish to finish the setup. The browser will prompt the configured parameters; check them before writing into NVRAM.
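To show what the router’s SNTP v4.0 client exchanges with a time server, here is an added Python example (not the router’s firmware): it builds the 48-byte SNTPv4 request, validates a reply, and computes the clock offset the router would apply. The server reply is constructed locally so the example runs offline; the originate-timestamp and stratum checks are the standard SNTP sanity checks, not settings on the router’s page.

```python
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def to_ntp(t: float) -> tuple[int, int]:
    """Unix time -> (seconds, fraction) fields of a 64-bit NTP timestamp."""
    return int(t) + NTP_EPOCH_OFFSET, int((t - int(t)) * (1 << 32))

def to_unix(secs: int, frac: int) -> float:
    """Inverse of to_ntp."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def build_request(transmit_unix: float) -> bytes:
    """48-byte SNTPv4 client request: LI=0, VN=4, Mode=3, only the Transmit Timestamp filled."""
    header = (0 << 6) | (4 << 3) | 3
    return struct.pack("!B B b b 11I", header, 0, 0, 0, *([0] * 9), *to_ntp(transmit_unix))

def make_reply(originate_unix: float, server_unix: float, stratum: int = 2) -> bytes:
    """Constructed server reply (LI=0, VN=4, Mode=4) so the parser can be exercised offline."""
    o, s = to_ntp(originate_unix), to_ntp(server_unix)
    return struct.pack("!B B b b 3I 8I", (4 << 3) | 4, stratum, 0, 0, 0, 0, 0, 0, 0, *o, *s, *s)

def parse_reply(pkt: bytes, sent_unix: float, received_unix: float) -> float:
    """Validate a reply and return the clock offset (server minus local) in seconds."""
    if len(pkt) < 48:
        raise ValueError("SNTP packet too short")
    header, stratum = pkt[0], pkt[1]
    li, mode = header >> 6, header & 7
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}, expected a server reply")
    if li == 3 or stratum == 0:             # clock not synchronized, or kiss-o'-death
        raise ValueError("server reports its clock is not synchronized")
    ts = struct.unpack("!8I", pkt[16:48])   # reference, originate, receive, transmit
    # The originate field must echo our own transmit timestamp exactly; a reply that
    # does not match was not produced for our request and is discarded, not applied.
    if ts[2:4] != to_ntp(sent_unix):
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = to_unix(ts[4], ts[5]), to_unix(ts[6], ts[7])
    return ((t2 - sent_unix) + (t3 - received_unix)) / 2

if __name__ == "__main__":
    now = time.time()
    reply = make_reply(now, now + 5.0)      # constructed: server clock is 5 s ahead of ours
    print(f"offset to apply: {parse_reply(reply, now, now + 0.05):.3f} s")
```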
6.5 Utility
This section describes the utilities of the product, including:
SYSTEM INFO: Show the system information
CONFIG TOOL: Load the factory default configuration, restore the configuration and back up the configuration
UPGRADE: Upgrade the firmware
LOGOUT: Log out of the system
RESTART: Restart the router
6.5.1 System Info
This page displays general system information including: MCSV, software version, chipset, firmware version, Host Name, System Time and System Up Time.
MCSV: For internal identification purposes.
Software Version: This is the modem’s firmware version. This is sometimes needed by technicians to help troubleshoot problems.
Chipset: This is the SHDSL.bis chipset model name.
Firmware Version: This is the chipset’s firmware version.
Host Name: This is the system name you entered in BASIC Setup. It is for identification purposes.
System Time: This field displays your modem’s present date and time.
System Up Time: This is the total time the modem has been on.
6.5.2 Config Tool
This configuration tool has three functions: Load Factory Default, Restore Configuration, and Backup Configuration.
6.5.2.1 Load Factory Default
Load Factory Default: It will load the factory default parameters into the router.
Note: This action will change all of the settings to their factory default values. In other words, you will lose all the existing configured parameters.
6.5.2.2 Restore Configuration
Occasionally the configuration becomes corrupted. This function helps you recover the backup configuration easily.
Click Finish after selecting Restore Configuration.
Browse to the location of the backup file, then press Finish. Browse to the location of the restore file or type its name. Then press OK. The router will automatically restore the saved configuration.
6.5.2.3 Backup Configuration
After configuration, we suggest using this function to back up your router parameters to the PC. Select Backup Configuration and then press Finish. Browse to the location of the backup file or type its name. Then press OK. The router will automatically back up the configuration. If you don’t enter a file name, the system will use the default: config1.log
You can upgrade the gateway using the upgrade function.
Press Upgrade in UTILITY.
Select the firmware file name by clicking Browse on your PC or notebook and press the OK button to upgrade. The system will reboot automatically after the firmware upgrade operation finishes.
Press Restart to reboot the router.
When the Restart button is clicked, the router will restart and the browser session will be disconnected. This may appear as if your browser session is hung up. After the router restarts, you may either click the browser’s reload button or close the browser and re-open it later.