Tenda G3 User Manual

www.tendacn.com
Copyright Statement
© 2016 Shenzhen Tenda Technology Co., Ltd. All rights reserved.
is a registered trademark legally held by Shenzhen Tenda Technology Co., Ltd. Other brand and product names mentioned herein are trademarks or registered trademarks of their respective holders. Copyright of the whole product as integration, including its accessories and software, belongs to Shenzhen Tenda Technology Co., Ltd. No part of this publication can be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the prior written permission of Shenzhen Tenda Technology Co., Ltd.
Disclaimer
Pictures, images and product specifications herein are for references only. To improve internal design, operational function, and/or reliability, Tenda reserves the right to make changes to the products without obligation to notify any person or organization of such revisions or changes. Tenda does not assume any liability that may occur due to the use or application of the product described herein. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information and recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
Thank you for choosing Tenda! Please read this user guide before you start. This user guide instructs you to configure the product G3.
Conventions
Typographical conventions in this User Guide:
| Item | Presentation | Example |
|---|---|---|
| Menu | 『』 | The menu "Status" will be simplified as Status. |
| Continuous Menus | > | Go to System>Live Users. |
Symbols in this User Guide:
| Symbol | Meaning |
|---|---|
| Note | This format is used to highlight information of importance or special interest. Ignoring this type of note may result in ineffective configurations, loss of data or damage to device. |
| Tip | This format is used to highlight a procedure that will save time or resources. |
For More Documents
For more documents, please go to our website http://www.tendacn.com and search for the appropriate product model to get the latest documents.
Technical Support
If you need more help, please contact us in any of the following ways. We will be glad to assist you as soon as possible.
Tenda website: http://www.tendacn.com
Global Hotline: 86755-27657180
United States Hotline: 1-800-570-5892
Canada Hotline: 1-888-998-8966
Hong Kong Hotline: 00852-81931998
Technical Support: support@tenda.com.cn
Email: support@tenda.com.cn
Website: http://www.tendacn.com
Skype: tendasz
Document Overview
The structure of the user guide is as follows:
| Chapter | Content |
|---|---|
| 1 Product Overview | About router appearance, packaging, functional characteristics, etc. |
| 2 Device Installation | About router installation steps and installation notes. |
| 3 Internet Access Setup | About steps for setting Internet access parameters of the router. |
| 4 Device Management | About the router management page and the use of the functions in the page. |
| Appendix | About computer IP address settings, production specifications, FAQs, and declaration on toxic and harmful substances. |
Table of Contents
Product Overview
1.1 Overview
1.2 Feature
1.3 Appearance
1.4 Package Contents
Device Installation
2.1 Installation Notes
2.2 Installing the Router
2.3 Connecting the Router
Internet Access Setup
Step 1: Log in to the router management page
Step 2: Set Internet access parameters
Device Management
4.1 Overview of Page
4.2 Network
4.3 Filter Management
4.4 Bandwidth Control
4.5 VPN
4.6 Security
4.7 AC Management
4.8 Captive Portal
4.9 PPPoE Authentication
4.10 Virtual Server
4.11 USB
4.12 Maintenance
4.13 System status
Appendix
1 Obtain IP address automatically
2 Product Specification
3 FAQs
4 Safety and emission statement
1 Product Overview
Overview
Main Features
Appearance
Package Contents
1.1 Overview
The G3 is a multi-WAN router specially designed by Tenda for small and medium-sized enterprises and chain hotels. It uses a high-performance processor with a clock frequency of up to 800 MHz, supports a maximum of 4 WAN ports, and integrates load balancing, flow control, and user authentication functions. It supports IPSec/PPTP/L2TP VPN with a maximum of 15 concurrent tunnels. In addition, it provides the AC management function to manage all models of Tenda APs. The G3 supports a standard load of 200 users and can manage up to 16 APs. It meets the requirements of enterprises and hotels for establishing an efficient, safe and manageable network.
1.2 Main Features
Default 2 WAN ports and 3 LAN ports.
Support multi-WAN policies to effectively prevent network congestion.
Support intelligent bandwidth management to ensure rational use of network resources.
Support PPTP/L2TP server and client modes. The server mode is mainly deployed in an enterprise's headquarters. The client mode is mainly deployed in an enterprise's branch.
Support IPSec VPN service to ensure data integrity check, anti-data replay, and data encryption.
Support AC function to manage APs in the network.
Support the Captive Portal and PPPoE authentication functions that allow only legitimate users to have the right to Internet access.
Rich website classification libraries and APP application libraries to effectively control the staff's Internet access behavior and improve the staff's work efficiency.
Support USB print and file sharing to simply set the sharing of printers and file servers in an enterprise.
Support software online upgrade.
1.3 Appearance
1.3.1 Front Panel
After the device is energized, the indicator states are described as follows:
| Indicator | Color | Description |
|---|---|---|
| PWR | Green | Solid indicates normal power-on. Off indicates abnormal power-on. Please check whether the power cord is loose. |
| USB | Green | Solid indicates that a USB device is connected. Blinking indicates that a USB device and this USB port have data transmission. Off indicates that no USB device is connected or connection is abnormal. |
| SYS | Green | Blinking indicates that the system operates normally. Solid or off indicates that the system fails. |
| Link | Orange | Solid indicates that a device is connected to the port. Off indicates that no device is connected to the port or connection is abnormal. |
| Act | Green | Solid indicates that there is no data transmission on the port. Blinking indicates that there is data transmission on the port. |
| Port and Button | Description |
|---|---|
| RESET | With the device powered on, press and hold the button with a pointed object for 8s and release it, and the device will be restored to factory state. |
| USB | USB 3.0 port. Connects USB devices such as USB disks, mobile hard disks, and printers. |
| LAN0 | Intranet port that connects devices such as switches and computers. |
| WAN3/LAN1, WAN2/LAN2, WAN1/LAN3 | Ports multiplexed as Intranet or Extranet ports. WAN3/LAN1 and WAN2/LAN2 are Intranet (LAN) ports by default. WAN1/LAN3 is an Extranet (WAN) port by default. The router enables 2 WAN ports by default. If you need to modify the number of WAN ports, please go to Network > Internet Setup and select the number of WAN ports. |
| WAN0 | Extranet port that connects Extranet cables. Extranet cables may be network cables from ADSL, fiber, or cable television modems, or broadband network cables directly provided by the broadband operator. |
1.3.2 Rear Panel
Power port: Connects the power cord. Please use the power cord supplied in the product packing box for connection.
Power switch: After the power cord of the device is connected, press this button to supply power to the device.
1.3.3 Label at the Bottom
(1): The login IP address for router. This IP address can be used to go to the web login page of this router.
(2): The default login user name and password. They can be used to log in to the web login page of this router.
1.4 Package Contents
Unpack the package. Your box should contain the following items:
If any item is incorrect, missing or damaged, please keep the original package and contact the vendor for replacement immediately.
2 Device Installation
Installation Notes
Installing the Router
Connecting the Router
2.1 Installation Notes
Observe the following notes to avoid device damage or personal injury due to improper use.
2.1.1 Safety Measures
Wear antistatic gloves during installation, and keep the device powered off.
Use the power cord in the product packaging box for power supply to the device.
Ensure that any input voltage range is consistent with the input voltage range indicated on the device.
Ensure that the installation location of the device is well ventilated.
Do not open or remove the device shell.
Do not cut off the power supply when cleaning the device. Do not use any liquid to scrub the device.
Keep the device away from power lines, electric lamps, power grids or any places where there is a potential risk of touching a strong-current power grid.
Note
A tamper protection seal is attached to one installation screw on the device shell. When maintaining the device, an agent must keep its seal intact. If you want to open the device shell, contact your local agent. Otherwise, you will be held liable if the device cannot be maintained because of unauthorized action.
2.1.2 Environmental Requirements
Temperature and humidity requirements
| Environment description | Temperature | Humidity |
|---|---|---|
| Operating environment | 0 ~ 40 | 10% - 90% RH (non-condensing) |
| Storage environment | -40 ~ 70 | 5% - 90% RH (non-condensing) |
Cleanliness requirement
To prevent static electricity from affecting normal operation of the device, pay attention to the following: Keep room air clean and regularly remove dust from the device. Ground the device correctly so that static electricity is discharged smoothly.
Anti-lightning requirement
To avoid any damage to the device due to strong transient current generated from thunder and lightning, take the following lightning protection measures:
Confirm that the power socket, rack, and worktable contact the ground well.
Route the cabling reasonably to avoid inducing lightning internally. When outdoor cabling is required, it is recommended to use a signal lightning arrester.
Requirements for the mounting table
Regardless of whether the device is installed in the rack or other work tables, pay attention to the following:
Confirm that the rack or work table is stable and firm.
Keep well ventilated. Leave 10 cm heat dissipation space around the device.
Do not place any weight on the device.
The vertical distance between devices shall not be smaller than 1.5 cm during rack installation.
2.1.3 Preparing Installation Tools
The following installation tools may be used in the device installation process. Please prepare them.
2.2 Installing the Router
This device supports rack installation and tabletop installation. Please select a suitable installation mode according to your installation environment.
2.2.1 Rack Installation
The device is provided with L-shaped supports and screws and supports standard 19-inch rack installation.
Step 1: Ensure that the rack is stable and grounded.
Step 2: Fix two L-shaped supports on both sides of the device respectively with screws provided in the packaging box.
Step 3: Fix the device on the rack with screws (provided by the user).
2.2.2 Tabletop Installation
If the user does not have a 19-inch standard cabinet, the tabletop installation mode can be used.
Step 1: Place the device on the tabletop with the bottom upward and paste 4 foot pads into the round groove at the bottom of the shell.
Step 2: Turn over the device so that it is placed on the tabletop with its front upward.
2.3 Connecting the Router
Step 1: Connect the Extranet cable to the WAN port of the device.
Step 2: Connect switches and other network devices (such as APs, servers, and computers) with network cables. After checking that the network topological graph is correct, connect the router to the power socket with the power cord in the product packaging box and press the power switch to power on the router.
3 Internet Access Setup
Step 1: Log in to the router management page
Step 2: Set Internet access parameters
Step 1: Log in to the router management page
Step 1: Set the local connection of the computer to Obtain an IP address automatically and Obtain DNS server address automatically. For detailed steps, refer to 1 Configure your computer.
Step 2: Open the browser on the computer, enter 192.168.0.252 in the address bar, and press Enter on the keyboard.
Step 3: Go to the web login page of the device. Enter the user name admin and password admin, and click Login.
Tip
If you cannot log in to the router management page, refer to Question 1 of FAQs.
You will successfully go to the web management page of the device.
Step 2: Set Internet access parameters
Set Internet access information. Select one connection method from Methods 1, 2, and 3 according to actual situations. Try to surf the Internet after settings are finished.
Click Network to go to the Internet Setup page.
Tip
This router provides 2 WAN ports by default. Take WAN0 settings as an example below. WAN1 port settings are consistent with WAN0 port settings.
The default connection method of the router WAN0 is ADSL. The default connection method of WAN1 is Dynamic IP.
All Internet access setting parameters are provided by the broadband operator. If you have any question, consult your broadband operator.
If there is any prompt dialog box appearing in the setting process, take corresponding measures according to the contents of the prompt dialog box.
Method 1: There is a broadband user name and password provided by operators such as China Telecom and China Unicom. The connection method is ADSL. Perform settings by referring to the figure below.
Configuration steps:
1. Connection Type: Click to select ADSL.
2. PPPoE Username/Password: Enter the broadband user name and password information provided by operators such as China Telecom and China Unicom.
3. Operator: Select the operator that provides the broadband service.
4. Line Bandwidth: Enter the bandwidth of the broadband line.
5. Click OK to finish settings.
Wait a moment. When Connection Status is displayed as Connected, you can try to surf the Internet.
Method 2: For users whose computers need only to be connected with a broadband network cable for Internet access when the router is not used, the connection method is Dynamic IP. Perform settings by referring to the figure below.
Configuration steps:
1. Connection Type: Click to select Dynamic IP.
2. Operator: Select the operator that provides the broadband service.
3. Line Bandwidth: Enter the bandwidth of the broadband line.
4. Click OK to finish settings.
Wait a moment. When Connection Status is displayed as Connected, you can try to surf the Internet.
Method 3: For users who have fixed IP addresses provided by operators for Internet access, the connection method is Static IP. Perform settings by referring to the figure below.
Configuration steps:
1. Connection Type: Click to select Static IP.
2. IP Address, Subnet Mask, Default Gateway, and Preferred/Alternate DNS: Enter fixed IP address information provided by the broadband operator.
3. Operator: Select the operator that provides the broadband service.
4. Line Bandwidth: Enter the bandwidth of the broadband line.
5. Click OK to finish settings.
Wait a moment. When Connection Status is displayed as Connected, you can try to surf the Internet.
4 Device Management
Overview of Page
Network
Filter Management
Bandwidth Control
VPN
Security
AC Management
Captive Portal
PPPoE Authentication
Virtual Server
USB
Maintenance
System
4.1 Overview of Page
Go to the management page of the router. The web management page is divided into three parts: primary navigation bar, secondary navigation bar and configuration area, described as follows.
| Name | Description |
|---|---|
| Primary Navigation bar | The navigation bar organizes the router's menu of all functions in the form of a navigation tree. You can choose the function menu from the navigation bar with selection result shown in the Secondary area. |
| Secondary Navigation bar | The navigation bar organizes the router's menu of all functions in the form of a navigation tree. You can choose the function menu from the navigation bar with selection result shown in the configuration area. |
| Configuration area | The area for users to configure and view. |
Commonly used buttons and links
S/N
Name
Description
Click the button to apply your settings.
Click the button to cancel or clear the settings you are editing.
Click this link to go back to the router login page.
4.2 Network
Network includes the following contents:
Internet Setup: Set router Internet access information.
WAN Parameters: Modify WAN port parameters including WAN Speed, MTU, and MAC Address.
LAN Setup: Modify relevant parameters of LAN IP and DHCP server.
Port Mirroring: Set the router port mirroring function.
Static Route: View router route forwarding information and configure static routing.
Hotel Mode: Enable/Disable the router hotel mode. It is generally used for hotels. It allows you to set any IP address for clients in the router to surf the Internet.
4.2.1 Internet Setup
After setting Internet access parameters and logging in to the router web page, you will automatically log in to the Internet setup page. You can also click Network to go to the Internet Setup page. For detailed configuration steps, refer to Step 2: Set Internet access parameters.
Parameter description in the page:
| Parameter | Description |
|---|---|
| WAN ports | Set the number of WAN ports and view RJ45 port status (connection status, and whether the port's role is WAN or LAN). The device enables 2 WAN ports by default. After the number of WAN ports is modified, the RJ45 port status diagram changes accordingly. In the diagram, one icon indicates that the port connection is normal, and another indicates that no device is connected to the port or connection is abnormal. |
| Connection Type | Router connection method. Three connection methods are described as follows. ADSL: Broadband operators such as China Telecom and China Unicom provide a PPPoE username and password. When surfing the Internet without using the router, you need to perform dial-up access on the computer. Dynamic IP: Broadband operators such as China Telecom and China Unicom do not provide any Internet access information. When surfing the Internet without using the router, you can surf the Internet by connecting the computer with a broadband network cable. Static IP: Broadband operators such as China Telecom and China Unicom provide a fixed IP address. When surfing the Internet without using the router, you need to set a static IP address on the computer for Internet access. |
| PPPoE Username and PPPoE Password | Valid when the connection method is ADSL. Consult your broadband operator. |
| IP Address, Subnet Mask, Default Gateway, and Preferred/Alternate DNS | Valid when the connection method is Static IP. Consult your broadband operator. |
| Line Bandwidth | The bandwidth subscribed for the line. Consult the corresponding broadband operator. Note: If this item is empty, it will affect the "Intelligent Bandwidth Control" and "Smart Load Balancing" functions. Please fill it in. |
| Connection Status | Displays the connection status of a WAN port. The states mainly include the following. Connected or authenticated: The router has been successfully connected to the Internet. Connecting…: The router is being connected to the Internet. Disconnected: Disconnection or connection failure. Please check Internet access information or consult the corresponding broadband operator. If other status information is displayed, take corresponding measures according to the prompt message about connection status. |
4.2.2 WAN Parameters
If you cannot access the Internet after performing Internet setup, you can solve this problem by modifying WAN parameters. Click Network>WAN Parameters to go to the configuration page.
Configuration steps for MAC address clone:
1. MAC Address: Click the dropdown list and select Clone Local MAC or Manual Input. Enter a MAC address to be cloned in the MAC input box when selecting Manual Input.
2. Click OK.
Tip
Please use a correct MAC address to perform the clone action! A correct MAC address is a MAC address of a computer on which a technician performs commissioning to surf the Internet during broadband installation.
Parameter description in the page:
| Parameter | Description |
|---|---|
| WAN Speed | Router WAN port speed. The default is Auto. Do not change it unless necessary. |
| MTU | Maximum transmission unit. It is the maximum packet transmitted in the network device. It is recommended to maintain the default setting. |
| MAC Address | MAC address of the WAN port. If the router cannot be connected to the Internet after performing "Internet Setup", the reason may be that the broadband operator binds Internet access information to a MAC address. At this point, perform MAC address clone and try to surf the Internet. Current MAC: Current MAC address of the router's WAN port. Default MAC: Set the MAC address of the router WAN port to the factory default. Clone Local MAC: Clone the MAC address of the computer that logs in to the router to the router's WAN port. Manual Input: Manually enter a MAC address to be cloned to the router WAN port. |
4.2.3 LAN Setup
This section describes how to set the IP address and DHCP server parameters of the router LAN port. Click Network>LAN Setup to go to the configuration page.
The LAN port IP address is a management IP address of the router.
The DHCP server can automatically assign Internet access information such as IP address, subnet mask, gateway, and DNS to clients that are successfully connected to the router. If this function is turned off, you can surf the Internet only by manually configuring IP address information on the client. Keep the DHCP server enabled in the absence of exceptional circumstances.
Configuration steps for modifying a LAN port IP address:
LAN IP: Modify an IP address such as 192.168.10.1.
Click OK.
After clicking OK, wait a moment. When the progress bar finishes, if login fails, ensure that the method for obtaining a computer IP address is Obtain an IP address automatically, repair the computer's IP address, and retry using the new IP address.
Steps for setting DHCP server parameters:
1. DHCP Server: Click Enable.
2. Start/End IP: Set the last octet of the start and end IP addresses that are automatically assigned to the client by the DHCP server.
3. Click OK.
Tip
1. The router enables the DHCP server function by default. After this function is disabled, you must manually set IP address information for every client under the router.
2. If there is no professional advice, maintain the default settings of the DHCP server to avoid any effect on normal Internet access.
4.2.4 Port Mirroring
Overview
Port mirroring copies packets of one or more ports to one monitoring port of the device. The network administrator may perform network monitoring and troubleshooting using the captured data.
Topological graph for port mirroring:
This device supports monitoring communication of other ports (mirrored ports) through the LAN0 port (mirroring port). Click 『Network』>『Port Mirroring』 to go to the configuration page. The port mirroring function is disabled by default.
Parameter description in the page:
| Parameter | Description |
|---|---|
| Port Mirroring | Enable/Disable the port mirroring function. The default is Disable. |
| Mirroring port | Monitoring port. Clients under this port must be installed with monitoring software. The default is LAN0 and cannot be changed. |
| Mirrored port | Mirrored port. After the port mirroring function is enabled, packets of a mirrored port will be automatically copied to the mirroring port. |
Example of port mirroring
Example: An enterprise purchases a G3 enterprise router to establish a network. Recently, the network in the company is abnormal so that Internet access often fails. The port mirroring function can be used to capture WAN and LAN port data for analysis. Monitoring software is installed on the computer under LAN0. Other ports are set to mirrored ports.
The reference application scenario is as follows:
Configuration steps:
1. Port Mirroring: Click Enable.
2. Mirrored port: Click to select monitored ports such as LAN1, LAN2, WAN1, and WAN0.
3. Click OK.
After settings are finished, the computer installed with monitoring software (connected to the LAN0 port of the router) can monitor packets of other ports.
4.2.5 Static Route
Overview
Routing is the process of selecting an optimal path to transmit data from a source address to a destination address. A static route is a special route that is manually configured. It is characterized by simplicity, high efficiency, and reliability. A suitable static route may reduce route selection problems and the overload of route selection data stream and increase the packet forwarding speed.
Click Network>Static Route to go to the configuration page.
Parameter description in the page:
| Parameter | Description |
|---|---|
| Static Route | Manually add a static route. |
| Route table | Current route table information of the router, including default routes and added static routes. |
| Destination Network | Destination network address, i.e. IP address where packets reach. |
| Subnet Mask | Subnet mask of a destination network address. |
| Gateway | Entry IP address of the next-hop route after packets leave from a router port. |
| Interface | Port where packets leave from the router. Select a corresponding WAN port as needed. |
Example of static route
Example: An enterprise purchases a G3 enterprise router to establish a network. The Intranet and Internet are located in different networks. The router has been connected to the Internet through the WAN0 port and to the Intranet through the WAN1 port. Now, clients under the router need to access both the Internet and the Intranet. This can be achieved by setting a static route on the router.
Assume that basic information is as follows:
Intranet information assigned by the company:
IP Address: 192.168.58.190
Gateway: 192.168.58.1
Subnet mask: 255.255.255.0
Master DNS: 192.168.58.1
Internet access information assigned by the company:
Username: tenda
Password: tenda
Intranet server information is as follows:
IP Address: 172.16.0.0
Subnet mask: 255.255.0.0
The reference topological graph is as follows:
Configuration steps:
Step 1: Set a WAN port according to information assigned by the company (the Internet is connected to the WAN0 port; the Intranet is connected to the WAN1 port), as shown in the figure below. For detailed configuration steps, refer to Step 2: Set Internet access parameters.
Step 2: Set static route rules.
Click .
Set static route rules.
Destination Network/Subnet Mask: Enter a destination network address and subnet mask.
Gateway: Enter a gateway address to the Intranet.
Interface: Select a router port that a destination network is connected to.
Click OK.
After settings are finished, newly added static route rules will be displayed in the route table.
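The effect of this rule, as an added Python example (not Tenda's code and not the router's firmware logic): it models longest-prefix route selection with the page's addresses and checks that the rule's gateway is reachable on the chosen interface. The gateway 192.168.58.1 and interface WAN1 are read from the Intranet information above; the base route table, the test hosts 172.16.5.10 and 203.0.113.10, and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = connected or point-to-point
    interface: str


def static_route(dest: str, mask: str, gateway: str, interface: str) -> Route:
    """Build a rule from the four fields of the Static Route page.

    strict=True raises ValueError when the destination has host bits set
    (for example 172.16.0.5 with mask 255.255.0.0), a common entry mistake.
    """
    network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
    return Route(network, ipaddress.IPv4Address(gateway), interface)


def gateway_on_link(route: Route, iface_nets: Dict[str, ipaddress.IPv4Network]) -> bool:
    """The next hop must lie inside the subnet of the interface the rule uses."""
    if route.gateway is None:
        return True
    net = iface_nets.get(route.interface)
    return net is not None and route.gateway in net


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in table if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def egress(table: List[Route], destination: str) -> Optional[str]:
    """Name of the port a packet to `destination` would leave from."""
    route = lookup(table, destination)
    return route.interface if route else None


# WAN1 subnet derived from the page: 192.168.58.190 / 255.255.255.0.
WAN1_NET = ipaddress.IPv4Interface("192.168.58.190/255.255.255.0").network
IFACE_NETS = {"WAN1": WAN1_NET}

# Assumed model of the routes present before the static rule is added.
BASE_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), None, "WAN0"),  # default route via PPPoE
    Route(WAN1_NET, None, "WAN1"),                            # directly connected subnet
]

# The rule from the example: Intranet servers 172.16.0.0/255.255.0.0 via WAN1.
INTRANET_RULE = static_route("172.16.0.0", "255.255.0.0", "192.168.58.1", "WAN1")
FULL_TABLE = BASE_TABLE + [INTRANET_RULE]

if __name__ == "__main__":
    # Constructed test destinations: an Intranet server, the WAN1 gateway,
    # and an Internet host from the documentation address range.
    for dst in ("172.16.5.10", "192.168.58.1", "203.0.113.10"):
        print(f"{dst:>14}  before rule: {egress(BASE_TABLE, dst)}"
              f"  after rule: {egress(FULL_TABLE, dst)}")
    print("gateway on link:", gateway_on_link(INTRANET_RULE, IFACE_NETS))
```

Without the rule, traffic for 172.16.0.0/16 follows the default route out of WAN0 toward the Internet link; with it, that traffic leaves through WAN1 while everything else still uses WAN0.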
4.2.6 Hotel Mode
Clients under the router generally access the Internet either by obtaining an IP address automatically or by manually setting the correct IP address, gateway and DNS information. A hotel, however, has a large flow of guests whose computer network settings differ: some computers obtain an IP address automatically, and some have a statically configured IP address. In addition, many guests do not know how to configure a network adapter, so hotel staff must help them with the configuration, which guests also find inconvenient.
To let guests access the Internet simply by plugging in a network cable, Tenda developed the hotel mode function. After this function is enabled, guests can access the Internet by plugging in a network cable regardless of the IP address settings of their computers.
Tip
Enabling the hotel mode has no effect on clients that access the Internet by obtaining an IP address automatically. Clients in the LAN can also access the Internet with any configured IP address (including IP addresses other than IP groups), gateway, and DNS.
Click Network>Hotel Mode to go to the configuration page. The hotel mode is disabled by default.
4.3 Filter Management
Filter Management includes the following contents:
IP Group & Time Group: Set an IP group and time group, which are used by functions such as Port Filter, Web Filter, and Multi-WAN Policy.
MAC Filter: Restrict specified clients from accessing the Internet.
Port Filter: Restrict clients from accessing specified ports.
Web Filter: Set application filter and QQ filter rules.
Multi-WAN Policy: Set WAN port policies of the router.
4.3.1 IP Group & Time Group
Overview
This section describes how to add an IP group and time group. Most filter management functions of this router
are set based on IP group and time group.
Click Filter Management to go to the IP Group & Time Group configuration page.
Steps for adding a time group
Click .
Set time group rule contents in the window that appears.
Set a name for this rule.
Set specific time.
Click OK to finish settings.
Steps for adding an IP group
Click .
Set IP group rule contents in the window that appears.
Set a name for this rule.
Set a specific IP address/range.
Click OK to finish settings.
4.3.2 MAC Filter
Overview
Every computer and laptop has its own MAC address. You can control LAN clients' access to the Internet through the MAC Filter function. MAC Filter has two access control modes: Allow_Internet and Forbid_Internet.
Click Filter Management>MAC Filter to go to the configuration page.
After the rule is set successfully, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
MAC Filter
Enable/Disable the MAC filter function. The default is Disable.
Click this button to add a MAC filter rule.
Click this button to delete a selected rule.
Mode
White List: Allow a device with this MAC address to access the Internet.
Black List: Forbid a device with this MAC address from accessing the Internet.
MAC Address
MAC address of client device.
Time
Time to forbid or allow a corresponding device in the list to access the Internet.
Status
Current status of a rule, including Enabled and Disabled.
Action
Perform the enable/disable, edit, and delete actions on a rule.
Allow the hosts excluded from the list or disabling the rule to access the Internet.
When this item is enabled, all devices that are not in the list, or whose rule in the list is disabled, can access the Internet.
When this item is disabled, only the rules in the list take effect, and all devices that are not in the list, or whose rule in the list is disabled, cannot access the Internet.
Example of MAC filter
Example: An enterprise uses a G3 enterprise router to establish a network. Staff are forbidden from accessing the Internet during office hours, but recruiters are allowed to do so during office hours (8:00 - 18:00). This can be achieved through the MAC filter function. The MAC address that is allowed Internet access is CC:3A:61:71:1B:6E.
Configuration steps:
Step 1: Set a time group (8:00 - 18:00) as follows. For detailed configuration steps, refer to Steps for adding a time
group.
Step 2: Enable the MAC filter function.
Click Enable and OK.
Step 3: Set MAC Filter rule contents.
Click .
Set rule contents in the window that appears.
Click to select Allow access to the Internet.
Click the dropdown list to select a corresponding time group.
Enter corresponding MAC address information.
Click OK.
Step 4: Go back to the MAC Filter page, disable Allow the hosts excluded from the list or disabling the rule to access the Internet, and click OK.
4.3.3 Port Filter
Overview
Many Internet services use network protocols with specific port numbers. Ports 0-1023 are the well-known ports and are generally assigned to specific services. To facilitate management of clients in the LAN, you can use the port filter function to control which ports on the Internet the clients can access.
Click Filter Management>Port Filter to enter the configuration page.
After the rule is set successfully, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
Port Filter
Enable/Disable the port filter function. The default is Disable.
Click this button to add a port filter rule.
Click this button to delete a selected rule.
IP Group
IP group where the rule is valid.
Time Group
Time when the rule is valid, i.e. time to forbid a device corresponding to an IP group in the rule to access a specified service.
Port
Port number of the service to which access is forbidden.
Protocol
Protocol used by the service to which access is forbidden. It is recommended to maintain the default settings.
Status
Current status of a rule, including Enabled and Disabled.
Action
Perform the enable/disable, edit, and delete actions on a rule.
Example of port filter
Example: An enterprise uses a G3 enterprise router to establish a network. Computers with IP addresses 192.168.0.2-192.168.0.100 in the LAN must not browse web pages from 8:00 to 18:00 (office hours), Monday to Friday. (The port for the web browsing service is 80 by default.)
Configuration steps:
Step 1: Set a time group (8:00 - 18:00) as follows. For detailed configuration steps, refer to Steps for adding a time group.
Step 2: Set an IP group (IP field is 192.168.0.2-192.168.0.100) as follows. For detailed configuration steps, refer to
Steps for adding an IP group.
Step 3: Enable the Port Filter function.
Click Enable and OK.
Step 4: Set Port Filter rule contents.
Click .
Set rule contents in the window that appears.
IP Group, Time Group: Click the dropdown list and select a corresponding IP group and time group.
Ports: Set the service port that the LAN is forbidden to access, which may be a single port or a port range.
Protocol: Set the protocol used by the forbidden service. It is recommended to maintain the default settings.
Click OK to finish settings.
The rule addition is finished, as shown in the figure below:
4.3.4 Web Filter
Overview
This section describes how to set the web filter function. This router can forbid any specified client in the LAN from using specified applications such as communication software, video software, and music software.
Click Filter Management>Web Filter to go to the configuration page. You must define a website before performing filter settings.
After the rule is set successfully, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
Web Filter
Enable/Disable the web filter function. The default is Disable.
Click this button to add a web filter rule.
Click this button to delete a selected rule.
IP Group
IP group where the rule is valid.
Time Group
Time when the rule is valid, i.e. time to forbid a client corresponding to an IP group in the rule from using a specified application.
Classification
Application that is forbidden from being used by a device corresponding to an IP group.
Status
Current status of a rule, including Enabled and Disabled.
Action
Perform the enable/disable, edit, and delete actions on a rule.
Add website contents.
Example of web filter
Example: An enterprise uses a G3 enterprise router to establish a network. Computers with IP addresses 192.168.0.2-192.168.0.100 in the LAN must not access yahoo.com from 8:00 to 18:00 (office hours), Monday to Friday.
Configuration steps:
Step 1: Set a time group (8:00 - 18:00) as follows. For detailed configuration steps, refer to Steps for adding a time
group.
Step 2: Set an IP group (IP field is 192.168.0.2-192.168.0.100) as follows. For detailed configuration steps, refer to
Steps for adding an IP group.
Step 3: Set the Web Filter function.
Click Enable and OK to enable the Web Filter function.
Add website contents to be filtered.
Click .
Set rule contents in the window that appears.
Set a rule name.
Set website description.
Set a website to be filtered.
Click OK to finish settings.
The rule addition is finished, as shown in the figure below:
Set website filter.
Click .
Set filter rule contents.
IP Group, Time Group: Click the dropdown list and select a corresponding IP group and time group.
Classification: Select an application type that is forbidden from being used by a client. When adding multiple websites, you can quickly select them through All and Invert.
Click OK to finish settings.
After addition is successful, the page is shown in the figure below.
4.3.5 Multi-WAN Policy
Overview
This section describes how to set a router WAN port policy. A router WAN port supports two operating modes: Smart Load Balancing (Auto) and Custom.
Click Filter Management>Multi-WAN Policy to go to the configuration page.
Smart Load Balancing: The system automatically selects the WAN port with the minimum traffic for communication. It assigns traffic automatically and needs no manual intervention.
Custom: You can assign a specific WAN port to a specific source address according to actual need.
Example of custom
Example: An enterprise uses a G3 enterprise router to establish a network. The enterprise has subscribed to broadband services from both China Telecom and China Mobile to meet its network requirements, and Internet access is already working. Multi-WAN policy settings can be used to manage the network better.
Configuration steps:
Step 1: Add an IP group applied to this WAN policy. For example, the IP range is 192.168.0.2-192.168.0.100. For
detailed configuration steps, refer to Steps for adding an IP group.
Step 2: Set a WAN policy rule.
WAN policy: Click to select Custom.
Click OK.
Click Add a new rule.
IP Group: Click the dropdown list to select a corresponding IP group.
WAN: Select a WAN port where the data traffic of the IP group passes.
Click OK to finish settings.
The rule addition is finished, as shown in the figure below:
4.4 Bandwidth Control
Overview
This section describes how to set the router traffic control function. By setting limitation rules on data traffic, you can control the bandwidth of data transmission so that limited bandwidth resources are allocated reasonably and the existing bandwidth is used effectively.
Click Bandwidth Control to go to the configuration page.
Disable: Disable the bandwidth control function.
Smart Bandwidth Control: The router smartly allocates bandwidth to a client according to actual situations.
Custom: Manually set bandwidth for a client.
After the "custom rule" is set successfully, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
IP Group
IP group where the rule is valid.
Time Group
Time when the rule is valid, i.e. time to forbid a client corresponding to an IP group in the rule from accessing a specified website.
Concurrent session (one device)
Maximum total number of connections used by every computer in a controlled IP address range.
Mode
Shared: The sum of bandwidths of all IP addresses in a controlled address range is an uploading/downloading rate set by the current rule.
Exclusive: Every IP address in a controlled address range applies an uploading/downloading rate set by the current rule.
Upload/Download
Uploading/Downloading rate of a client under a corresponding rule. 1 Mbps = 128 KB/s = 1,024 kb/s
Status
Current status of a rule, including Enabled and Disabled.
Action
Perform the enable/disable, edit, and delete actions on a rule.
Defaults for unlimited host:
When this item is enabled, devices that are not in the list, or whose rule in the list is disabled, use the "default parameters" as their bandwidth parameters.
When this item is disabled, only the rules in the list take effect, and the bandwidth of devices that are not in the list, or whose rule in the list is disabled, is not restricted.
Enabling smart bandwidth control
Click Smart Bandwidth Control and click OK.
Example of custom
Example: An enterprise uses a G3 enterprise router to establish a network. The router LAN port IP address is 192.168.0.252. The subnet mask is 255.255.255.0. Bandwidth control needs to be set so that clients under the router have a fixed bandwidth. The client IP address range is 192.168.0.2-192.168.0.100. The time group during which bandwidth is restricted is 8:00-18:00.
Configuration steps:
Step 1: Set a time group (8:00 - 18:00) as follows. For detailed configuration steps, refer to Steps for adding a time
group.
Step 2: Set an IP group (IP field is 192.168.0.2-192.168.0.100) as follows. For detailed configuration steps, refer to
Steps for adding an IP group.
Step 3: Click Custom and OK to enable the "Custom" function.
Step 4: Set "Custom" rule contents.
Click .
Set rule contents in the window that appears.
IP Group, Time Group: Click the dropdown list and select a corresponding IP group and time group.
Concurrent session: It is recommended to set this parameter to 300 in the absence of exceptional circumstances.
Mode: Select Exclusive.
Upload/Download: Set an uploading/downloading rate of a client.
Click OK to finish settings.
4.5 VPN
VPN includes the following contents:
PPTP/L2TP Client: The router as a client is connected to the server.
PPTP/L2TP Server: The router as a server allows a specified client to be connected to it.
IPSec: Establish an IPSec tunnel to implement VPN transmission.
Example of PPTP/L2TP configurations: Explain VPN application through the example of PPTP server/client.
Example of IPSec configurations: Explain VPN application through the example of establishing an IPSec tunnel.
A VPN (Virtual Private Network) is a private network established on a public network (generally the Internet). This private network exists only logically and has no physical line of its own, hence the name. VPN technology allows employees in a branch to conveniently share LAN resources of other employees or the headquarters without exposing these resources to users on the Internet.
VPN establishes a virtual private line between two sites using tunnel technology. It uses end-to-end authentication and encryption to ensure data security. Tunnel protocols supported by this router include Layer 2 tunneling protocols PPTP and L2TP and Layer 3 tunneling protocol IPSec.
4.5.1 PPTP/L2TP Client
The PPTP/L2TP client function lets the router connect as a VPN client to a router that acts as a VPN server. For example, simple and safe access between the branch and the headquarters is required. This can be achieved by using the VPN server function in the router in the headquarters and the VPN client function in the router in the branch.
Click VPN to go to the PPTP/L2TP Client configuration page.
After PPTP/L2TP Client is enabled, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
PPTP/L2TP Client
Enable or disable the PPTP/L2TP client function. After this function is enabled, the router is used as a VPN client.
Type
Type of client that the router acts as, including PPTP Client and L2TP Client.
WAN
Select the current WAN port, i.e. the router port where the PPTP/L2TP client is enabled.
Server IP/Domain Name
Enter the IP address/domain name of the VPN server to connect to, which is generally the WAN port IP address of the remote VPN router acting as a server, where the "PPTP/L2TP Server" function is enabled.
Username/password
Enter a username/password assigned to the PPTP/L2TP client by the VPN server.
Encryption
Whether to enable data encryption. Server settings shall be consistent with client settings.
VPN Proxy
When this function is enabled after a VPN rule is established, the client router can surf the Internet through the server router.
Remote LAN
LAN segment under the VPN server.
Remote subnet mask
Subnet mask of LAN under the VPN server.
Status
Display the connection status of the current VPN client.
4.5.2 PPTP/L2TP Server
The PPTP/L2TP server allows specified users to dial into the server. For example, simple and safe access between the branch and the headquarters is required. This can be achieved by using the VPN server function in the router in the headquarters and the VPN client function in the router in the branch.
Click VPN>PPTP/L2TP Server to go to the configuration page.
After PPTP/L2TP Server is enabled, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
PPTP/L2TP Server
Status
Enable/Disable the PPTP/L2TP server function. After this function is enabled, the router is used as a VPN server.
Type
Type of server that the router acts as, including PPTP Server and L2TP Server.
WAN
Router port where the PPTP/L2TP server is enabled. The IP address of this port is "Server IP/Domain Name" information of the PPTP/L2TP client.
Encryption
Whether to enable data encryption. Server settings shall be consistent with client settings.
IP Pool
IP address field assigned to the PPTP/L2TP client by the server.
Max Connections
Maximum number of PPTP/L2TP clients that are allowed to be connected. The system fixes this maximum number to 15.
PPTP/L2TP User
Username/Password
Set a user name/password assigned to the PPTP/L2TP client by the server. Username and password used when the PPTP/L2TP client is connected to the PPTP/L2TP server.
Type
The client is a network or host. When the PPTP/L2TP client is a network, the LAN and mask of the PPTP/L2TP client must be set.
Network
When the PPTP/L2TP client is a network, this item must be set. Set the IP LAN of the PPTP/L2TP client.
Subnet Mask
When the PPTP/L2TP client is a network, this item must be set. Set a remote subnet mask of the PPTP/L2TP client.
Remark
Description of this user. No description is displayed if it is not set when a rule is set.
Action
Perform the edit and delete actions on users.
4.5.3 IPSec
IPSec (IP Security) is a set of services and protocols that protects end-to-end communication security and prevents network attacks in the IP network.
Click VPN>IPSec to go to the configuration page.
After IPSec is enabled, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
IPSec
Enable/Disable the IPSec function.
WAN
Router port where IPSec is enabled. The IP address of this port is "Remote Gateway Address" information of the remote router.
Connection Name
Set a name for this IPSec connection to facilitate identification.
Tunnel Protocol
Select ESP, AH or AH+ESP as needed.
AH (Authentication Header): The AH protocol is used to ensure data integrity. If data packets are falsified in the transmission process, the packet receiver will discard the packets during integrity verification.
ESP (Encapsulating Security Payload): The ESP protocol is used for data integrity check and data encryption. It is difficult for a third party to obtain the true information even if encrypted packets are intercepted.
Remote Gateway Address
IP address or domain name of the remote router port.
Local LAN/Mask
IP LAN of the local router.
Remote LAN/Mask
IP LAN of the remote router.
Key Negotiation
The default is Auto. If you want to set it to Custom, refer to Key Negotiation Custom.
Pre-shared key
Key that is mutually authenticated by both parties. The local and remote routers must have the same pre-shared key.
Key Negotiation Auto
When key negotiation is Auto, the whole negotiation process is divided into two stages.
Stage 1: Both parties of communication negotiate security proposals such as the exchange and verification algorithms and the encryption algorithm, and establish an ISAKMP SA to securely exchange more information in Stage 2.
Stage 2: Both parties of communication negotiate parameters for the IPSec security protocol using the ISAKMP SA established in Stage 1, and create an IPSec SA to protect communication data of both parties.
Tip
1. ISAKMP: Internet Security Association and Key Management Protocol.
2. SA: Security Association.
3. IKE: Internet Key Exchange.
Description of IPSec tunnel Advanced parameters.
Click Hide Advanced …, and the page below appears:
Parameter description in the page:
Parameter
Description
Mode
Set the exchange mode negotiated in Stage 1. This exchange mode must be the same as that of the remote end.
There are two exchange modes as follows:
MAIN: This mode allows both parties to exchange many packets, provides identity protection, and applies to situations with high requirements for identity protection.
AGGRESSIVE: Also called ACTIVE. This mode provides no identity protection, allows parties to exchange a small number of packets, has a fast negotiation speed, and applies to situations with low requirements for identity protection.
Encryption algorithm
Select an encryption algorithm applied to an IKE session.
The router supports the following encryption algorithms:
DES (Data Encryption Standard): Encrypt 64-bit data using a 56-bit key. The last 8 bits of 64 bits are used for parity check.
3DES (Triple DES): Performs encryption using three 56-bit keys.
AES (Advanced Encryption Standard): AES128/192/256 indicates performing encryption using a 128/192/256-bit key.
Parameter
Description
Integrity Verification Algorithm
Select a verification algorithm applied to an IKE session.
The router supports the following verification algorithms:
MD5 (Message Digest Algorithm): Generate a 128-bit message digest for a message to prevent this message from being falsified.
SHA1 (Secure Hash Algorithm): Generate a 160-bit message digest for a message. It is more difficult to crack SHA1 than to crack MD5.
Diffie-Hellman Group
Diffie-Hellman algorithm group information that is used to generate a session key to encrypt an IKE tunnel.
Key Life Cycle
IPSec SA survival time.
PFS
The PFS (Perfect Forward Secrecy) feature enables IKE Stage 2 negotiation to generate new key material that has no association with any key material generated in Stage 1 negotiation. Therefore, the Stage 2 key is safe even if the IKE Stage 1 key is cracked. If PFS is not used, the Stage 2 key is generated from the key material generated in Stage 1. Once the Stage 1 key is cracked, the Stage 2 key used to protect communication data is also placed in jeopardy. This seriously threatens the communication security of both parties.
Key Negotiation Custom
When key negotiation is Custom, the page is shown in the figure below.
Parameter description in the page:
Parameter
Description
ESP Encryption Algorithm
Set an ESP encryption algorithm when selecting an ESP security protocol.
The router supports the following encryption algorithms:
DES (Data Encryption Standard): Encrypt 64-bit data using a 56-bit key. The last 8 bits of 64 bits are used for parity check.
3DES (Triple DES): Performs encryption using three 56-bit keys.
AES (Advanced Encryption Standard): AES128/192/256 indicates performing encryption using a 128/192/256-bit key.
ESP Encryption Key
Set an ESP encryption key. Both parties of communication must keep the key consistent.
ESP Authentication Algorithm
Set an ESP authentication algorithm when selecting an ESP security protocol. Set an AH authentication algorithm when selecting an AH security protocol.
The router supports the following verification algorithms:
MD5 (Message Digest Algorithm): Generate a 128-bit message digest for a message to prevent this message from being falsified.
SHA1 (Secure Hash Algorithm): Generate a 160-bit message digest for a message. It is more difficult to crack SHA1 than to crack MD5.
ESP Outcoming SPI
Set an SPI parameter. Three parameters, namely the SPI, the tunnel remote gateway address, and the protocol type, jointly identify one IPSec security association.
The SPI parameter must be the same as the Incoming SPI value of the remote end of communication.
ESP Incoming SPI
Set an SPI parameter. Three parameters, namely the SPI, the tunnel remote gateway address, and the protocol type, jointly identify one IPSec security association.
The SPI parameter must be the same as the Outcoming SPI value of the remote end of communication.
4.5.4 Example of PPTP/L2TP configurations
Example: The headquarters and the branch use a G3 enterprise router to establish a network with successful
access to the Internet. Employees in the branch need to access the company's resources via the Internet at
any time. These resources include the company's internal data, office OA, ERP system, CRM system, project
management system, etc. Remote users can access the company's server by setting the VPN service on the
router. Take PPTP as an example. The setting method of L2TP is similar.
The reference topological graph is as follows:
Configuration steps:
Step 1: Set Router 1 that acts as a server.
Enable the "PPTP/L2TP Server" function.
Status: Click Enable.
Type: Click PPTP Server.
WAN: Select an enabled WAN port of Router 1 (VPN server) (In this example, WAN0).
Encryption: Click Enable to enable encryption.
Click OK.
Add a username and password whose access is allowed.
Click Add a user.
Set a username and password used when the client is connected to the server, such as admin.
Enter a client LAN and subnet mask.
Enter the description of this user (optional).
Click OK.
After settings are successfully finished, the page is shown in the figure below.
Step 2: Set Router 2 that acts as a client.
PPTP/L2TP Client: Click Enable.
Type: Click PPTP client.
WAN: Select an enabled WAN port of Router 2 (VPN client) (In this example, WAN0).
Server IP/Domain Name: Enter an enabled WAN port IP address of the VPN server.
Username/Password: Enter a username/password assigned to the client by the server.
Encryption: Click Enable to enable encryption.
Remote LAN: Enter a server LAN.
Remote subnet mask: Enter a subnet mask of server LAN.
Click OK.
After settings are successfully finished, the page is shown in the figure below. The connection is successful when the status is displayed as Connected and an IP address has been obtained.
4.5.5 Example of IPSec configurations
Example: The headquarters and the branch use a G3 enterprise router to establish a network with successful
access to the Internet. Employees in the branch need to access the company's resources via the Internet at
any time. These resources include the company's internal data, office OA, ERP system, CRM system, project
management system, etc. Remote users can access the company's server by setting the VPN service on the
router. Take IPSec as an example.
The reference topological graph is as follows:
Configuration steps:
Assume that basic information about the IPSec tunnel of two routers is as follows:
Key Negotiation: Auto
Pre-shared key: 12345678
Step 1: Set Router 1.
Click .
Set rule contents.
IPSec: Click Enable.
WAN: Select an enabled WAN port of this tunnel (In this example, WAN0).
Connection Name: Set a name for this tunnel such as IPSec_1.
Remote Gateway (Domain Name): Enter an IP address of the enabled WAN port of the IPSec tunnel of the
remote router (In this example, 210.76.200.101).
Local LAN/Mask: Enter a local LAN/subnet mask (In this example, 192.168.0.0/24).
Remote LAN/Mask: Enter a remote router LAN/subnet mask (In this example, 192.168.0.0/24).
Pre-shared key: Enter a pre-shared key (In this example, 12345678).
Click OK.
After settings are successfully finished, the page is shown in the figure below.
Step 2: Set Router 2.
Click .
Set rule contents.
IPSec: Click Enable.
WAN: Select an enabled WAN port of this tunnel (In this example, WAN0).
Connection Name: Set a name for this tunnel such as IPSec_1.
Remote Gateway (Domain Name): Enter an IP address of the enabled WAN port of the IPSec tunnel of the
remote router (In this example, 202.105.106.55).
Local LAN/Mask: Enter a local LAN/subnet mask (In this example, 192.168.0.0/24).
Remote LAN/Mask: Enter a remote router LAN/subnet mask (In this example, 192.168.0.0/24).
Pre-shared key: Enter a pre-shared key (In this example, 12345678).
Click OK.
After settings are successfully finished, the page is shown in the figure below.
Step 3: Verify whether settings are successful.
Go to the management page of the router. Click System>Live Users to go to the page. When the number of connections is displayed in IPSec, settings are successful.
Tip
1. If you want to set the advanced option of the IPSec tunnel in the setting process, keep the setting parameters of two routers consistent.
2. When key negotiation is Custom, the encryption algorithm, encryption key, and authentication at both ends of IPSec shall be consistent. The outcoming SPI of Device 1 shall be consistent with the incoming SPI of Device 2. The incoming SPI of Device 1 shall be consistent with the outcoming SPI of Device 2.
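The consistency rules in the Tip above and the parameter descriptions in 4.5.3 can be checked before a tunnel is deployed. The following is an added example, not Tenda code: the dictionary keys, the 16-character pre-shared key threshold, and the `CUSTOM_A`/`CUSTOM_B` pair are assumptions made for the example, while `ROUTER1`/`ROUTER2` carry the values from the configuration steps above.

```python
import ipaddress

# Settings that must be identical at both ends (Tip 1 and Tip 2 above).
AUTO_KEYS = ("psk", "mode", "encryption", "integrity", "dh_group", "pfs")
CUSTOM_KEYS = ("esp_encryption", "esp_key", "esp_auth")
MIN_PSK_LEN = 16  # threshold assumed for this example; the manual gives none


def _net(text):
    return ipaddress.ip_network(text, strict=True)


def consistency(a, b):
    """Settings that must agree, or mirror each other, between the two routers."""
    custom = a.get("key_negotiation") == "Custom"
    keys = ("tunnel_protocol", "key_negotiation") + (CUSTOM_KEYS if custom else AUTO_KEYS)
    found = [("MISMATCH", k) for k in keys if a.get(k) != b.get(k)]
    # Each side's Remote Gateway Address is the other side's tunnel WAN address.
    if a["remote_gateway"] != b["wan_ip"] or b["remote_gateway"] != a["wan_ip"]:
        found.append(("MISMATCH", "remote_gateway"))
    # Local LAN/Mask of one side is Remote LAN/Mask of the other.
    if (_net(a["local_lan"]) != _net(b["remote_lan"])
            or _net(b["local_lan"]) != _net(a["remote_lan"])):
        found.append(("MISMATCH", "lan"))
    # Custom keying: outcoming SPI of one end equals incoming SPI of the other.
    if custom and (a.get("spi_out") != b.get("spi_in")
                   or a.get("spi_in") != b.get("spi_out")):
        found.append(("MISMATCH", "spi"))
    return found


def weaknesses(cfg):
    """Choices that the parameter descriptions themselves mark as the weaker option."""
    found = []
    if "DES" in (cfg.get("encryption"), cfg.get("esp_encryption")):
        found.append(("WEAK", "DES"))        # single 56-bit key
    if "MD5" in (cfg.get("integrity"), cfg.get("esp_auth")):
        found.append(("WEAK", "MD5"))        # SHA1 is the stronger option offered
    if cfg.get("tunnel_protocol") == "AH":
        found.append(("WEAK", "AH_only"))    # integrity only, no encryption
    if cfg.get("key_negotiation") == "Auto":
        psk = cfg.get("psk") or ""
        if len(psk) < MIN_PSK_LEN or psk.isdigit():
            found.append(("WEAK", "psk"))    # short or digits-only shared secret
        if cfg.get("mode") == "AGGRESSIVE":
            found.append(("WEAK", "aggressive_mode"))  # no identity protection
        if cfg.get("pfs") is False:
            found.append(("WEAK", "pfs_off"))  # Stage 2 keys depend on Stage 1 keys
    # Identical or overlapping ranges leave no way to tell local from remote hosts.
    if _net(cfg["local_lan"]).overlaps(_net(cfg["remote_lan"])):
        found.append(("ROUTING", "lan_overlap"))
    return found


def audit_tunnel(a, b):
    return sorted(set(consistency(a, b) + weaknesses(a) + weaknesses(b)))


# Values from the configuration steps above (advanced options are not stated there).
ROUTER1 = dict(wan_ip="202.105.106.55", remote_gateway="210.76.200.101",
               local_lan="192.168.0.0/24", remote_lan="192.168.0.0/24",
               key_negotiation="Auto", psk="12345678")
ROUTER2 = dict(wan_ip="210.76.200.101", remote_gateway="202.105.106.55",
               local_lan="192.168.0.0/24", remote_lan="192.168.0.0/24",
               key_negotiation="Auto", psk="12345678")

# Constructed Custom-negotiation pair with a wrong SPI and differing algorithms.
CUSTOM_A = dict(wan_ip="198.51.100.1", remote_gateway="203.0.113.1",
                local_lan="10.1.0.0/24", remote_lan="10.2.0.0/24",
                tunnel_protocol="ESP", key_negotiation="Custom",
                esp_encryption="DES", esp_key="constructed-key", esp_auth="SHA1",
                spi_out=4096, spi_in=4097)
CUSTOM_B = dict(wan_ip="203.0.113.1", remote_gateway="198.51.100.1",
                local_lan="10.2.0.0/24", remote_lan="10.1.0.0/24",
                tunnel_protocol="ESP", key_negotiation="Custom",
                esp_encryption="DES", esp_key="constructed-key", esp_auth="MD5",
                spi_out=4097, spi_in=4099)

if __name__ == "__main__":
    for name, pair in (("manual example", (ROUTER1, ROUTER2)),
                       ("custom pair", (CUSTOM_A, CUSTOM_B))):
        print(name, audit_tunnel(*pair))
```

Run over the values from the configuration steps, the audit reports the short numeric pre-shared key and the identical Local LAN and Remote LAN ranges; a deployment would use a long random key and distinct LAN ranges at the two sites.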
4.6 Security
Security includes the following contents:
IP-MAC Binding: Allow only the users whose IP and MAC addresses are bound in the list to access the Internet.
Firewall: Set the defense function of the device. You can set this part under the guidance of a professional.
4.6.1 IP-MAC Binding
Overview
The IP-MAC address binding function allows users bound to IP and MAC addresses in the list to access the Internet and forbids other users from accessing the Internet. This router supports manual binding and dynamic binding.
Click Security to go to the IP-MAC Binding configuration page.
After an "IP-MAC Binding" rule is added, the page is shown in the figure below.
Parameter description in the page:
IP-MAC Binding: Enable/Disable the IP-MAC binding function. The default is Disable.
Binding List
  Click this button to manually add bound IP and MAC addresses.
  Click this button to unbind a selected bound rule.
  IP Address: Displays a bound IP address.
  MAC Address: Displays a MAC address corresponding to a bound IP address.
  Remark: Displays the description of a corresponding rule. No remark information is displayed if it is not set during dynamic or manual binding.
  Action: Perform the edit or delete action on a bound rule.
Dynamic Binding: Information about a client connected to the router is displayed in the dynamic list.
  Click this button to add a selected rule to the binding list.
  Click this button to add all rules in the dynamic list to the binding list.
  IP Address: Displays an IP address of a client connected to the router.
  MAC Address: Displays a MAC address corresponding to an IP address of a client connected to the router.
  Action: Click Bind after a corresponding rule to quickly add this rule to the binding list.
Example of IP-MAC binding
Example: An enterprise uses a G3 enterprise router to establish a network. Only two employees in the recruitment team are allowed to access the Internet during the company's office hours; other employees are forbidden from accessing the Internet. This can be achieved through the IP-MAC binding function. First, you must know the IP and MAC addresses of the recruiters who are allowed to access the Internet, i.e. 192.168.0.226, C8:3A:35:03:11:79 and 192.168.0.208, CC:3A:61:71:1B:6E.
Configuration steps:
After going to the IP-MAC Binding page, click Enable and OK to enable this function.
If a client to be bound is already connected to the router, find the corresponding device in the dynamic binding list and click Bind. If it is not connected to the router, click Add, enter the IP and MAC address information to be bound, and click OK.
After addition is successful, the page is shown in the figure below.
4.6.2 Firewall
Firewall includes ARP Attack Defense, DDOS Defense, and IP Attack Defense.
In ARP spoofing, an attacking host in the LAN sends spoofed ARP packets so that records in the device's ARP list are replaced with forged IP-to-MAC mappings. This type of ARP attack seriously affects internal communication in the LAN, which is what ARP protection is designed to counter.
A DoS attack sends a large number of service requests to occupy excessive resources, keeping destination routers and servers busy answering requests or waiting for replies on nonexistent connections, so that legitimate user requests cannot be answered. DDOS defense can prevent hosts on the WAN from performing port scanning and malicious attacks against the router or computers in the LAN, to ensure their safe operation.
IP attack defense allows the router to intercept packets with some special IP options as required and record the information about the host sending these packets in the IP option list.
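The IP option check described above, as an added example that is not Tenda's firmware code: it walks the IPv4 options field, flags the option types this firewall page names (type numbers from RFC 791), and records the sending host. Treating a malformed option length as the "Illegal IP Option" case is an assumption, and all packets and function names are constructed for illustration.

```python
import struct

# IPv4 option type numbers (RFC 791) for the options named on the firewall page.
WATCHED = {68: "IP Timestamp Option", 130: "IP Security Option", 136: "IP Stream Option",
           7: "IP Record Route Option", 131: "IP Loose Source Route Option"}
ILLEGAL = "Illegal IP Option"  # assumption: reported for malformed option encoding

def inspect_ip_options(packet: bytes):
    """Return (source_ip, sorted findings) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src = ".".join(str(b) for b in packet[12:16])
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        return src, [ILLEGAL]
    opts, findings, i = packet[20:header_len], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List: the rest is padding
            break
        if kind == 1:  # No-Operation: single byte, no length field
            i += 1
            continue
        # Every other option is type, length, data; length covers all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            findings.add(ILLEGAL)
            break
        if kind in WATCHED:
            findings.add(WATCHED[kind])
        i += opts[i + 1]
    return src, sorted(findings)

def build_option_list(packets):
    """Map each sending host to the findings seen from it."""
    hosts = {}
    for pkt in packets:
        src, findings = inspect_ip_options(pkt)
        if findings:
            hosts.setdefault(src, set()).update(findings)
    return {host: sorted(found) for host, found in hosts.items()}

def make_packet(src, dst, options=b""):
    """Constructed sample: IPv4 header with options padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    first = (4 << 4) | (5 + len(options) // 4)
    addr = lambda ip: bytes(int(part) for part in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", first, 0, 20 + len(options), 0, 0,
                       64, 1, 0, addr(src), addr(dst)) + options

# Constructed packets; source addresses are from documentation ranges.
SAMPLES = [
    make_packet("203.0.113.5", "192.168.0.1", b"\x07\x07\x04" + bytes(4)),      # Record Route
    make_packet("203.0.113.5", "192.168.0.1", b"\x44\x08\x05\x00" + bytes(4)),  # Timestamp
    make_packet("198.51.100.9", "192.168.0.1", b"\x83\x28\x04\x00"),  # length overruns header
    make_packet("192.0.2.1", "192.168.0.1"),                          # no options
]
```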
Click Security > Firewall to go to the configuration page.
Parameter description in the page:
ARP Attack Defense
  Enable ARP Attack Defense: Enable/Disable the ARP attack defense function.
  ARP Broadcast Interval: Time interval at which the device sends ARP broadcasts.
DDOS Defense
  ICMP Flood Threshold: If a destination IP address receives ICMP request packets exceeding a specified quantity within 1s, this destination IP address is considered to be under an ICMP Flood attack.
  UDP Flood Threshold: If a port of a destination IP address receives UDP packets exceeding a specified quantity within 1s, this port of this destination IP address is considered to be under a UDP Flood attack.
  SYN Flood Threshold: If a port of a destination IP address receives TCP SYN packets exceeding a specified quantity within 1s, this port of this destination IP address is considered to be under a SYN Flood attack.
IP Attack Defense
  IP Timestamp Option: Whether to check that IP packets from a specified area contain the Internet Timestamp item.
  IP Security Option: Whether to check that IP packets from a specified area contain the Internet Security item.
  IP Stream Option: Whether to check that IP packets from a specified area contain the Stream ID item.
  IP Record Route Option: Whether to check that IP packets from a specified area contain the Record Route option.
  IP Loose Source Route Option: Whether to check that IP packets from a specified area contain the Loose Source option.
  Illegal IP Option: Whether to check the integrity or correctness of IP packets from a specified area.
Prohibit Ping WAN: After this item is enabled, other network devices in the network cannot ping a router WAN port successfully.
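The three DDOS Defense thresholds above count different things: ICMP per destination IP, UDP and TCP SYN per destination IP and port. The following added example (not Tenda code) applies those counting rules to constructed packet records; the threshold values, the fixed one-second buckets, and reading "ICMP request" as echo request (type 8) are assumptions, since the manual does not document the router's implementation.

```python
from collections import Counter

# Constructed per-second thresholds; the manual lists no default values.
THRESHOLDS = {"icmp": 3, "udp": 3, "syn": 2}


def flood_key(pkt):
    """Counting key per the parameter table, or None if the packet is not counted."""
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:   # echo request
        return ("icmp", pkt["dst"], None)                      # per destination IP
    if pkt["proto"] == "udp":
        return ("udp", pkt["dst"], pkt["dport"])               # per destination IP and port
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":      # SYN only, not SYN-ACK
        return ("syn", pkt["dst"], pkt["dport"])
    return None


def detect_floods(packets, thresholds=THRESHOLDS):
    """Return sorted (second, kind, dst, dport, count) for each 1 s bucket over threshold."""
    counts = Counter()
    for pkt in packets:
        key = flood_key(pkt)
        if key is not None:
            counts[(pkt["ts_ms"] // 1000,) + key] += 1
    alerts = [bucket + (n,) for bucket, n in counts.items() if n > thresholds[bucket[1]]]
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2], a[3] or 0))


def burst(n, start_ms, **fields):
    """Constructed sample traffic: n packets, 100 ms apart."""
    return [dict(ts_ms=start_ms + 100 * i, **fields) for i in range(n)]


# Constructed traffic: only the first two bursts exceed their thresholds.
SAMPLE = (
    burst(5, 10000, proto="icmp", icmp_type=8, dst="192.168.0.10")
    + burst(3, 11000, proto="tcp", flags="S", dst="192.168.0.20", dport=80)
    + burst(2, 11000, proto="tcp", flags="S", dst="192.168.0.20", dport=443)
    + burst(3, 12000, proto="udp", dst="192.168.0.30", dport=53)
    + burst(6, 13000, proto="tcp", flags="SA", dst="192.168.0.20", dport=80)
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```

Because UDP and SYN are counted per port, the five SYNs sent to 192.168.0.20 in the same second raise an alert only for port 80, where three of them landed.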
4.7 AC Management
This router integrates the wireless controller function to manage Tenda APs.
AC Management includes the following contents:
Discover AP: On this page, the router can discover compatible APs in the LAN network.
Wireless Policy: On this page, you can add wireless policies for the managed APs. The parameters contain SSID-related parameters and radio parameters.
Advanced Policy: On this page, you can add reboot policies and alarm policies for the managed APs. A reboot policy can make an AP reboot periodically or regularly, and enable or disable an AP’s LED status. An alarm policy allows the system to send an AP’s alarm information to a specified email address or to a specified IP address.
AP Management: On this page, you can reboot, upgrade a firmware or reset the selected APs.
Issue Policy: On this page, you can deliver the added policies to the selected APs.
AP DHCP: On this page, you can set up the DHCP server for the managed APs. Note that the DHCP server and the device’s LAN IP address must be on the same IP segment.
User Status: On this page, you can see or export the information of online users that connect to the managed online APs.
4.7.1 Discover AP
On this page, the router can discover compatible APs in the LAN network.
For the descriptions of button and parameters, click on the upper right page.
To discover APs:
1. Log in to the device’s web UI.
2. Go to AC Management > Discover AP.
3. Click Discover AP. The available APs will display in the list.
4.7.2 Wireless Policy
On this page, you can add wireless policies for the managed APs. The parameters contain SSID-related parameters and radio parameters.
For the descriptions of button and parameters, click on the upper right page.
To add a wireless policy:
1. Log in to the device’s web UI.
2. Go to AC Management > Wireless Policy.
3. Click New.
4. On the pop-up window, set up the parameters and click OK. We recommend that you set up Policy Name,
SSID, Encryption Type, and Key, and keep the default values of other parameters.
Note that if you set up VLAN ID for the policy, go to Radio Config page and check the box of Enable VLAN.
4.7.3 Advanced Policy
On this page, you can add reboot policies and alarm policies for the managed APs. A reboot policy can make an AP reboot periodically or regularly, and enable or disable an AP’s LED status. An alarm policy allows the system to send an AP’s alarm information to a specified email address or to a specified IP address.
For the descriptions of button and parameters, click on the upper right page.
To add a reboot policy:
1. Log in to the device’s web UI.
2. Go to AC Management > Advanced Policy.
3. Click Reboot Policy.
4. On the pop-up window, set up the parameters and click OK. You can enable or disable LED status. If you
enable reboot settings, you can select Periodic or Reboot Scheduling to set up the parameters.
To add an alarm policy:
1. Log in to the device’s web UI.
2. Go to AC Management > Advanced Policy.
3. Click Alarm Policy.
4. On the pop-up window, set up the parameters and click OK. If you enable and set up all the parameters, the alarm of AP traffic and AP accessing will be sent to the
specified email and IP address.
If you enable Alarm from Desktop, you must install an alarm program on the computer. To get the
program, contact our technical support engineer.
4.7.4 AP Management
On this page, you can reboot, upgrade a firmware or reset the selected APs.
For the descriptions of button and parameters, click on the upper right page.
4.7.5 Issue Policy
On this page, you can deliver the added policies to the selected APs.
For the descriptions of button and parameters, click on the upper right page.
4.7.6 AP DHCP
On this page, you can set up the DHCP server for the managed APs. Note that the DHCP server and the device’s LAN IP address must be on the same IP segment.
For the descriptions of button and parameters, click on the upper right page.
4.7.7 User Status
On this page, you can see or export the information of online users that connect to the managed online APs.
For the descriptions of button and parameters, click on the upper right page.
4.8 Captive Portal
Captive Portal includes the following contents:
Basic Setup: Set information about captive portal. This router supports captive portal and PPPoE authentication.
Only one of them can be selected when the authentication function is enabled.
User Management: Add username and password of captive portal.
Example of Captive Portal: Explain captive portal application through the example that the user performs captive
portal to access the Internet.
4.8.1 Basic Setup
Overview
By default, a client connected to the router can access the Internet after the router is connected to the Internet. After the captive portal function is enabled, any client under the router must be authenticated before accessing the Internet.
Click Captive Portal to go to the Basic Setup page.
Parameter description in the page:
Captive Portal: Enable/Disable the captive portal function.
Life Time: After the client passes authentication and successfully accesses the Internet, it must authenticate again once the life time is over to continue normal Internet service.
Authentication-free Host
  Click this button to add a client that can access the Internet without any authentication.
  Click this button to delete a selected authentication-free host.
  MAC Address: Displays a MAC address of a client that can access the Internet without any authentication.
  Remark: Description of a client that can access the Internet without any authentication. No description is displayed if it is not filled during setting.
  Action: Perform the re-edit or delete action on a corresponding rule.
Authentication Web Config
  Click this button to configure a page that appears during client authentication.
  Click to preview a set "Configuration Web".
Enable captive portal
Select Enable in the Captive Portal option and click OK to enable captive portal. If necessary, you can configure Authentication-free Host and Authentication Web Config.
4.8.2 User Management
Overview
This section describes how to add a username and password to be entered during captive portal of a client. Click Captive Portal>User Management to go to the configuration page.
After an account is successfully added, the page is shown in the figure.
Parameter description in the page:
Click this button to add an account for captive portal.
Click this button to delete a selected captive portal account.
Username/Password: Username/Password to be entered during captive portal of a client.
Remark: Display the description of a corresponding account. No description is displayed if it is not filled during setting.
Status: User's current status including enabled and disabled.
Action: Perform the enable/disable, edit, and delete actions on a rule.
Tip
One account (username and password) cannot be used for multiple user authentications at the same time.
Steps for adding a captive portal account
1) Go to the User Management page and click .
2) Set user information in the window that appears.
After a captive portal account is successfully added, the page is shown in the figure below.
4.8.3 Example of Captive Portal Configuration
Example: An enterprise uses a G3 enterprise router to establish a network. The company specifies that an
authentication is required when employees access the Internet in office hours. However, the network
administrator needs no authentication. This can be achieved through the captive portal function. The MAC
address of the network administrator's computer is CC:3A:61:71:1B:6E.
Configuration steps:
Step 1: Perform basic settings of captive portal.
1) Click Enable and OK to enable the captive portal function.
2) Add an authentication-free host.
Click .
Set host contents in the window that appears.
MAC Address: Enter a MAC address of a client that can access the Internet without any authentication.
Remark: Enter remark about this client (Optional).
Click OK.
3) Set authentication page information.
Click .
Set relevant information in the window that appears.
Web Title: Modify the title of the captive portal page.
Web Content: Set announcement contents such as Shenzhen Tenda Technology Co., Ltd.
Click OK.
After settings are finished, the page is shown in the figure below.
Step 2: Add a captive portal account.
Go to the User Management page and click .
Set user information in the window that appears.
Username/Password: Set a user name and password for captive portal.
Remark: Enter the description of this user (optional).
Click OK to finish settings.
After a captive portal account is successfully added, the page is shown in the figure below.
The page below will appear when the client accesses the Internet or Intranet after settings are finished.
At this point, enter the added captive portal account and click Login.
4.9 PPPoE Authentication
PPPoE Authentication includes the following contents:
Basic Setup: Set information about PPPoE authentication. This router supports captive portal and PPPoE
authentication. Only one of them can be selected when the authentication function is enabled.
Account Management: Add a user name and password for PPPoE authentication.
Example of PPPoE Authentication: Explain PPPoE authentication application through the example that a user in
the community performs dial-up networking.
4.9.1 Basic Setup
Overview
By default, a client connected to the router can access the Internet after the router is connected to the Internet. After the PPPoE authentication is enabled, any client under the router must perform PPPoE authentication before accessing the Internet. After PPPoE authentication is enabled, captive portal functions will be disabled.
Click PPPoE Authentication to go to the Basic Setup page. Drag the scroll bar to view more information.
Parameter description in the page:
PPPoE Server
  PPPoE Authentication: Enable/Disable the PPPoE authentication function.
  Server IP: PPPoE server IP address.
  Start/End IP of PPPoE user: IP address range assigned to the client by the PPPoE server after the client performs PPPoE authentication.
  Preferred/Alternate DNS: Preferred/Alternate DNS address assigned to the client by the PPPoE server after the client performs PPPoE authentication.
Expiry Alert
  Alert time before expiry: Set alert time before the expiry of the account. The default is 7 days.
  Alert Page for Account Due: Set alert page information before the expiry of the account. Click to configure alert page information. Click to view effects.
  Alert Page for Account Expiry: Set alert page information after the expiry of the account. Click to configure alert page information. Click to view effects.
Authentication-free
  Click this button to add a client that can access the Internet without any authentication.
  Click this button to delete a selected authentication-free host.
  MAC Address: Display a MAC address of a client that can access the Internet without any authentication.
  Remark: Description of a client that can access the Internet without any authentication. No description is displayed if it is not filled during setting.
  Action: Perform the re-edit or delete action on a corresponding rule.
Flow Control Config
  Policy Name: Flow policy name. It cannot be modified. After the PPPoE authentication function is enabled, the original "Bandwidth Control" function of the router will be replaced with PPPoE "Flow Control Config".
  Uplink/Downlink: Uplink/Downlink rate of corresponding policies. These policies will be associated with a PPPoE account. The maximum uplink/downlink rate of the user who uses this account to perform authentication is this rate.
  Action: Click to modify an uplink/downlink rate. The default is 1,024KB/s. 1Mbps=128KB/s=1,024kb/s, 1B=8b
Enable PPPoE authentication
Select Enable in the PPPoE Authentication option and click OK at the bottom of the page to enable PPPoE authentication. If necessary, you can configure Expiry Alert and Authentication-free.