
            ADSL2+ (802.11g) (VPN) Firewall Router 
 

Chapter 4: Configuration 

 

79 

encryption method. 

Diffie-Hellman Group: Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit (IKE group 1), MODP 1024-bit (IKE group 2) and MODP 1536-bit (IKE group 5). MODP stands for Modular Exponentiation Group; the number is the size of the prime modulus. The 768-bit and 1024-bit groups are no longer considered adequate against a well-resourced attacker, so choose MODP 1536-bit unless the remote peer cannot support it, and configure the same group on both sides.

IPSec Proposal: Select the IPSec security protocol. There are two ways of protecting the packets, AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater security, so that data is both encrypted and authenticated. With AH, data is authenticated but not encrypted. AH also authenticates the outer IP header, so any NAT device on the path between the peers breaks its integrity check; ESP does not cover the outer header.

Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transit. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is more resistant to brute-force attacks than MD5, however it is slower. Both are applied as keyed HMACs, so the receiver can only verify a packet if it holds the negotiated key. NONE means no integrity check at all: a modified packet is accepted without complaint, so it should not be used on a production tunnel.

     MD5: A one-way hashing algorithm that produces a 128-bit hash.

     SHA1: A one-way hashing algorithm that produces a 160-bit hash.
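The following is an added example, not code from the router or its vendor, showing what the MD5/SHA1/NONE choice above actually buys you. IPsec does not use the raw 128-bit or 160-bit hash; AH and ESP carry an HMAC keyed with the negotiated key and truncated to 96 bits (HMAC-MD5-96, RFC 2403, and HMAC-SHA-1-96, RFC 2404), which is an assumption taken from those RFCs rather than from this manual. The key and the packet bytes are constructed sample values.

```python
import hmac
import hashlib

# RFC 2403 (HMAC-MD5-96) / RFC 2404 (HMAC-SHA-1-96): the Integrity Check
# Value carried in AH or ESP is the keyed HMAC truncated to its first 96 bits.
ICV_LEN = 12

# Constructed sample values; a real key is derived during the IKE negotiation.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
PACKET = b"\x45\x00\x00\x54" + b"payload of one ESP-protected datagram"


def icv(auth, key, data):
    """Return the authenticator for the manual's three options.

    auth is 'MD5', 'SHA1' or 'NONE' (the pull-down choices). NONE yields an
    empty authenticator, i.e. no integrity protection at all.
    """
    if auth == "NONE":
        return b""
    digestmod = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}[auth]
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def verify(auth, key, data, tag):
    """Recompute the ICV and compare in constant time.

    With NONE every packet verifies, which is why that setting gives no
    tamper detection.
    """
    return hmac.compare_digest(icv(auth, key, data), tag)


def tamper_detected(auth, key=KEY, data=PACKET):
    """Flip one payload bit after the sender computed the ICV and report
    whether the receiver notices."""
    tag = icv(auth, key, data)
    forged = bytearray(data)
    forged[-1] ^= 0x01
    return not verify(auth, key, bytes(forged), tag)


if __name__ == "__main__":
    for auth in ("MD5", "SHA1", "NONE"):
        shown = icv(auth, KEY, PACKET).hex() or "(none)"
        print(f"{auth:5s} icv={shown:24s} detects tampering: {tamper_detected(auth)}")
```

Running it shows MD5 and SHA1 both catching the single flipped bit while NONE accepts the forged packet; the only difference between the two hashes at this layer is the strength of the underlying function, not the length of what goes on the wire.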

Encryption: 

Select  the  encryption  method  from  the  pull-down  menu.  There  are  several  options, 

DES

3DES

AES (128, 192 and 256)

 and 

NULL

. NULL means it is a tunnel only with no encryption. 3DES and 

AES are more powerful but increase latency. 

     DES: Stands for Data Encryption Standard; it uses a 56-bit key.

     3DES: Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3) key. Because of the meet-in-the-middle attack its effective strength is about 112 bits.

     AES: Stands for Advanced Encryption Standard; you can use a 128, 192 or 256-bit key.

Perfect Forward Secrecy: Choose whether to enable PFS, which runs a fresh Diffie-Hellman exchange during the second phase of VPN negotiation to derive the IPSec keys. Without PFS the Phase 2 keys are derived from the Phase 1 secret, so an attacker who later recovers that secret can decrypt recorded traffic; with PFS each rekey produces an independent secret. This function provides better security, but extends the VPN negotiation time. The same three Diffie-Hellman modes are offered as for the Diffie-Hellman Group above: MODP 768-bit, MODP 1024-bit and MODP 1536-bit (Modular Exponentiation Groups).
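The following is an added example, not code from the router or its vendor, covering both the Diffie-Hellman Group setting above and the PFS setting here. It rebuilds the three MODP primes the router offers from their published definitions (RFC 2409 for the 768-bit and 1024-bit groups, RFC 3526 for the 1536-bit group, generator 2; these constants are taken from the RFCs, not from this manual), checks that each is a safe prime, runs one exchange per group, and shows that two exchanges in the same group give unrelated secrets, which is exactly what PFS relies on at each Phase 2 rekey. The only assumption beyond the RFC formulas is Python's built-in big-integer arithmetic.

```python
import secrets

# IKE MODP groups offered by the router. Each prime is
#   p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + k)
# with generator g = 2; (pi_bits, k) below are the RFC 2409 / RFC 3526 values.
MODP_GROUPS = {
    768:  (638, 149686),    # IKE group 1, RFC 2409 section 6.1
    1024: (894, 129093),    # IKE group 2, RFC 2409 section 6.2
    1536: (1406, 741804),   # IKE group 5, RFC 3526 section 2
}
GENERATOR = 2


def pi_floor_scaled(bits):
    """floor(pi * 2**bits), computed with Machin's formula in integer arithmetic."""
    guard = 64                      # extra bits so truncation cannot reach the result
    scale = 1 << (bits + guard)

    def atan_inv(x):
        # scale * atan(1/x) = scale * sum_k (-1)^k / ((2k+1) * x^(2k+1))
        total, power, k = 0, scale // x, 0
        while power:
            term = power // (2 * k + 1)
            total += -term if k & 1 else term
            power //= x * x
            k += 1
        return total

    return (16 * atan_inv(5) - 4 * atan_inv(239)) >> guard


def modp_prime(bits):
    """The MODP prime for the given modulus size, from its RFC definition."""
    pi_bits, offset = MODP_GROUPS[bits]
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_floor_scaled(pi_bits) + offset)


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with fixed small bases; enough to sanity-check published constants."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """Safe prime: p and (p-1)/2 both prime, so g=2 has no small subgroups to exploit."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def valid_public_value(y, p):
    """Reject the degenerate peer values 0, 1 and p-1 that force a predictable secret."""
    return 2 <= y <= p - 2


def dh_exchange(bits):
    """One Diffie-Hellman exchange in the chosen group; returns (peers_agree, shared_secret)."""
    p = modp_prime(bits)
    a = secrets.randbelow(p - 3) + 2          # initiator's private exponent
    b = secrets.randbelow(p - 3) + 2          # responder's private exponent
    ya, yb = pow(GENERATOR, a, p), pow(GENERATOR, b, p)
    if not (valid_public_value(ya, p) and valid_public_value(yb, p)):
        raise ValueError("degenerate public value")
    ka, kb = pow(yb, a, p), pow(ya, b, p)     # each side computes g^(ab) mod p
    return ka == kb, ka


if __name__ == "__main__":
    for bits in MODP_GROUPS:
        p = modp_prime(bits)
        agree, _ = dh_exchange(bits)
        print(f"MODP {bits}-bit: {p.bit_length()} bits, safe prime={is_safe_prime(p)}, "
              f"peers agree={agree}")
    # PFS: two exchanges in the same group yield independent secrets.
    print("independent rekeys:", dh_exchange(1024)[1] != dh_exchange(1024)[1])
```

The primes recovered this way start with the hex digits of 4*pi after a run of 0xFF bytes, which is how you can recognise them in a packet capture of the IKE key-exchange payload; the validity check on the peer's public value is the one a correct IKE implementation must perform, since accepting 1 or p-1 lets an attacker fix the shared secret.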

Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides must use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts). Although the router accepts a key as short as 4 characters, such a key can be guessed; use a long random string well towards the 128-character limit and a different key for each peer.

Local ID:

     Content: Input the local ID's information, for example a domain name such as www.ipsectest.com.

Remote ID:

     Identifier: Input the remote ID's information, for example a domain name such as www.ipsectest.com. The Remote ID entered here must match the Local ID configured on the peer, otherwise IKE authentication fails.

SA Lifetime: Specify the number of minutes that a Security Association (SA) will stay active before new encryption and authentication keys are exchanged. There are two kinds of SAs, IKE and IPSec. IKE negotiates and establishes SAs on behalf of IPSec; an IKE SA is used by IKE itself.

     Phase 1 (IKE): Authenticates the peers and sets up the IKE SA for a new VPN tunnel. The range can be from 5 to 15,000 minutes, and the default is 480 minutes.

     Phase 2 (IPSec): Negotiates the IPSec SAs, i.e. the encryption and authentication keys that protect the data. The range can be from 5 to 15,000 minutes, and the default is 60 minutes.

A short SA lifetime increases security by forcing the two parties to update the keys more often. However, every time the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected. Keep the Phase 2 lifetime shorter than Phase 1, as the defaults do, and configure matching values on both peers.

PING for Keep Alive:

     None: The default setting is None. In this mode, it will not detect whether the remote IPSec peer has
BiPAC 7402(G)(L) R3 Series ADSL2+ (802.11g) (VPN) Firewall Router User's Manual, Version Release 552g s4 ds2, last revision date 25.02.2008.

Page 2: ... 14 DHCP server 14 LAN and WAN Port Addresses 14 INFORMATION FROM YOUR ISP 15 CONFIGURING WITH YOUR WEB BROWSER 16 CHAPTER 4 CONFIGURATION 17 STATUS 18 ADSL Status 18 ARP Table 18 DHCP Table 19 Routing Table 20 NAT Sessions 21 UPnP Portmap 21 PPTP Status 21 IPSec Status 22 L2TP Status 22 Email Status 23 Event Log 23 Error Log 23 Diagnostic 23 QUICK START 24 CONFIGURATION 27 LAN Local Area Network ...

Page 3: ... L2TP Layer Two Tunneling Protocol 86 QoS Quality of Service 98 Prioritization 98 Outbound IP Throttling LAN to WAN 100 Inbound IP Throttling WAN to LAN 101 Virtual Server known as Port Forwarding 106 Add Virtual Server 107 Edit DMZ Host 108 Edit DMZ Host 109 Edit One to One NAT Network Address Translation 110 Time Schedule 113 Configuration of Time Schedule 114 Advanced 115 Static Route 115 Dynam...

Page 4: ...eady provides IPSec and PPTP pass through function to establish a VPN connection if the user likes to run the PPTP client in his local computer 802 11g Wireless AP with WPA Support Wireless Router only With integrated 802 11g Wireless Access Point in the router the device offers a quick and easy access among wired network wireless network and broadband connection ADSL with single device simplicity...

Page 5: ...fic should be given priority by the router ensuring important data like gaming packets customer information or management information move through the router ay lightning speed even under heavy load The QoS features are configurable by source IP address destination IP address protocol and port You can throttle the speed at which different types of outgoing data pass through the router to ensure P2...

Page 6: ...o supports remote management capability for remote users to configure and manage this product Firmware Upgradeable Device can be upgraded to the latest firmware through the WEB based GUI Rich Management Interfaces It supports flexible management interfaces with local console port LAN port and WAN port Users can use terminal applications through the console port to configure and manage the device o...

Page 7: ... Quick Start Guide Splitter Micro filter Optional Do not use this router under high humidity or high temperatures Do not use the same power source for this router as other equipment Do not open or repair the case by yourself If this router is too hot turn off the power immediately and have it repaired at a qualified service center Avoid using this product and all accessories outdoors Warning Place...

Page 8: ...f transmission hits 100Mbps appears Green The speed of transmission hits 10Mbps appears Orange Blinking when data is Transmitted Received 3 Wireless Lit green when the wireless connection is established Flashes when the device is sending receiving data 4 Mail Lit and flashed periodically when there are emails in the Inbox 5 ADSL Lit Green when the device is successfully connected to an ADSL DSLAM ...

Page 9: ... to one of the LAN ports when connecting to a PC or an office home network of 10Mbps or 100Mbps Caution Port 4 can be either a LAN or Console port at a time but not both 4 WPS Push WPS button to trigger Wi Fi Protected Setup function 5 RESET To be sure the device is being turned on press RESET button for 1 3 seconds quick reset the device 6 seconds above and power off power on the device restore t...

Page 10: ... proper cables Ensure that all other devices connected to the same telephone line as your router e g telephones fax machines analogue modems have a line filter connected between them and the wall socket unless you are using a Central Splitter or Central Filter installed by a qualified and licensed electrician and ensure that all line filters are correctly installed and the right way around Missing...

Page 11: ...b to the router or directly connecting with PCs However to be sure PCs have an Ethernet interface installed properly prior to connecting to the router device You ought to configure your PCs to obtain an IP address through a DHCP server or a fixed IP address that must be in the same subnet as the router The default IP address of the router is 192 168 1 254 and the subnet mask is 255 255 255 0 i e a...

Page 12: ...ecting Your Router 1 Connect this router to a LAN Local Area Network and the ADSL telephone ADSL network 2 Power on the device 3 Make sure the Power is lit steadily and that the LAN LED is lit 4 Connect RJ 11 cable to LINE Port when connecting to the telephone wall jack ...

Page 13: ... See Figure 3 1 3 In the LAN Area Connection Status window click Properties See Figure 3 2 4 Select Internet Protocol TCP IP and click Properties See Figure 3 3 5 Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons See Figure 3 4 6 Click OK to finish the configuration Figure 3 1 LAN Area Connection Figure 3 2 LAN Connection Status Figure 3 3 TCP ...

Page 14: ... See Figure 3 5 3 In the LAN Area Connection Status window click Properties See Figure 3 6 4 Select Internet Protocol TCP IP and click Properties See Figure 3 7 5 Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons See Figure 3 8 6 Click OK to finish the configuration Figure 3 5 LAN Area Connection Figure 3 6 LAN Connection Status Figure 3 7 TCP ...

Page 15: ... NE2000 Compatible or the name of any Network Interface Card NIC in your PC See Figure 3 9 3 Click Properties 4 Select the IP Address tab In this page click the Obtain an IP address automatically radio button See Figure 3 10 5 Then select the DNS Configuration tab See Figure 3 11 6 Select the Disable DNS radio button and click OK to finish the configuration Figure 3 9 TCP IP Figure 3 10 IP Address...

Page 16: ...o to Start Settings Control Panel In the Control Panel double click Network and choose the Protocols tab 2 Select TCP IP Protocol and click Properties See Figure 3 12 3 Select the Obtain an IP address from a DHCP server radio button and click OK See Figure 3 13 Figure 3 12 TCP IP Figure 3 13 IP Address ...

Page 17: ...d WAN Port Addresses The parameters of LAN and WAN ports are pre set in the factory The default values are shown below LAN Port WAN Port IP address 192 168 1 254 Subnet Mask 255 255 255 0 DHCP server function Enabled IP addresses for distribution to PCs 100 IP addresses continuing from 192 168 1 100 through 192 168 1 199 The PPPoE function is enabled to automatically get the WAN port configuration...

Page 18: ... and Domain Name System DNS IP address it can be automatically assigned by your ISP when you connect or be set manually PPPoA RFC2684 VPI VCI VC LLC based multiplexing Username Password and Domain Name System DNS IP address it can be automatically assigned by your ISP when you connect or be set manually MPoA RFC1483 RF C2684 VPI VCI VC LLC based multiplexing IP address Subnet mask Gateway address ...

Page 19: ... enter the IP address of your router which by default is 192 168 1 254 and click Go a user name and password window prompt will appear The default username and password are admin and admin respectively See Figure 3 14 Figure 3 14 User name Password Prompt Window Congratulations You are now successfully logon to the Router ...

Page 20: ...ks you directly to the desired setup page including Status ADSL Status ARP Table DHCP Table Routing Table NAT Sessions UPnP Portmap PPTP Status IPSec Status L2TP Status Email Status Event Log Error Log Diagnostic Quick Start Configuration LAN WAN System Firewall VPN QoS Virtual Server Time Schedule Advanced Language provides user interface in English and French languages ...

Page 21: ... way of determining the MAC address of the network interface of your PCs to use with the router s Firewall MAC Address Filter function See the Firewall section of this manual for more information on this feature IP Address A list of IP addresses of devices on your LAN Local Area Network MAC Address The MAC Media Access Control addresses for each device on your LAN Interface The interface name on t...

Page 22: ... 802 11g VPN Firewall Router Chapter 4 Configuration 19 DHCP Table Leased The DHCP assigned IP addresses information Expired The expired IP addresses information Permanent The fixed host mapping information ...

Page 23: ...a successful routing status Destination The IP address of the destination network Netmask The destination Netmask address Gateway Interface The IP address of the gateway or existing interface that this route will use Cost The number of hops counted as the cost of the route RIP Routing Table Destination The IP address of the destination network Netmask The destination Netmask address Gateway The IP...

Page 24: ...ng UPnP Universal Plug and Play See Advanced section of this manual for more details on UPnP and the router s UPnP configuration options PPTP Status This shows details of your configured PPTP VPN Connections Name The name you assigned to the particular PPTP connection in your VPN configuration Type The type of connection dial in dial out Enable Whether the connection is currently enabled Active Wh...

Page 25: ...tistics for this VPN Connection Local Subnet The local IP Address or Subnet used Remote Subnet The Subnet of the remote site Remote Gateway The Remote Gateway IP address SA The Security Association for this VPN entry L2TP Status This shows details of your configured L2TP VPN Connections Name The name you assigned to the particular L2TP connection in your VPN configuration Type The type of connecti...

Page 26: ...o this window such as when the router s ADSL connection is disconnected as well as Firewall events when you have enabled Intrusion or Blocking Logging in the Configuration Firewall section of the interface Please see the Firewall section of this manual for more details on how to enable Firewall logging Error Log Any errors encountered by the router e g invalid names given to entries are logged to ...

Page 27: ...e are two options you can choose ADSL Select ADSL from Connect Mode drop down menu and click Continue 2 If your ADSL line is not ready you need to check your ADSL line has been set or not 3 If your ADSL line is ready the screen appears ADSL Line is Ready Choose Auto radio button and click Apply It will automatically scan the recommended mode for you Manually mode makes you to set the ADSL line by ...

Page 28: ...r 4 Configuration 25 4 The list below has different mode applied for your choice Choose 0 33 PPPoE Recommended and click Apply 5 Please enter Username and Password as supplied by your ISP Internet Service Provider and click Apply to continue ...

Page 29: ...is the unique name of a wireless access point AP to be distinguished from another For security propose change to a unique ID name to the AP which is already built in to the router s wireless interface It is case sensitive and must not excess 32 characters Make sure your wireless clients have exactly the ESSID as the device in order to get connected to your network ESSID Broadcast It is function in...

Page 30: ...llowing sub items to configure the ADSL router LAN WAN System Firewall VPN QoS Virtual Server Time Schedule and Advanced These functions are described below in the following sections LAN Local Area Network Here are the items within the LAN section Bridge Interface Ethernet IP Alias Ethernet Client Filter Wireless Wireless Security Wireless Client Filter WPS Port Setting and DHCP Server ...

Page 31: ...group with caution Each Bridge Interface is arranged in this order Bridge Interface VLAN Port Always starts with ethernet P1 P2 P3 P4 ethernet1 P2 P3 P4 ethernet2 P3 P4 ethernet3 P4 Management Interface To specify which VLAN group has possibility to do device management like doing web management Note NAT NAPT can be applied to management interface only Ethernet Primary IP Address IP Address The de...

Page 32: ...nterface Security Interface Specify the firewall setting on this virtual interface Internal The network is behind NAT All traffic will do network address translation when sending out to Internet if NAT is enabled External There is no NAT on this IP interface and connected to the Internet directly Mostly it will be used when providing multiple public IP addresses by ISP In this case you can use pub...

Page 33: ...ace provided or click Make sure your PC s MAC is listed Blocked check to prevent unwanted device accessing your LAN by insert the MAC Address in the space provided or click Make sure your PC s MAC is not listed The maximum client is 16 The MAC addresses are 6 bytes long they are presented only in hexadecimal characters The number 0 9 and letters a f are acceptable Note Follow the MAC Address Forma...

Page 34: ...your wireless clients have exactly the ESSID as the device in order to get connected to your network Note It is case sensitive and must not excess 32 characters ESSID Broadcast It is function in which transmits its ESSID to the air so that when wireless client searches for a network router can then be discovered and recognized Default setting is Enabled Disable If you do not want broadcast your ES...

Page 35: ...y which no extra wireless client device is required to bridge between two access points and extending an existing wired or wireless infrastructure network to create a larger network It can connect up to 4 wireless APs for extending cover range at the same time In addition WDS enhances its link connection security in WEP mode WEP key encryption must be the same for both access points WDS Service Th...

Page 36: ...PA PSK and WPA2 PSK The WPA PSK adapts the TKIP Temporal Key Integrity Protocol encrypted algorithms which incorporates Message Integrity Code MIC to provide protection against hackers The WPA2 PSK adapts CCMP Cipher Block Chaining Message Authentication Code Protocol of the AES Advanced Encryption Security algorithms WPA Shared Key The key for network authentication The input format is in charact...

Page 37: ...nown as WEP If you require high security for transmissions there are two alternatives to select from WEP 64 and WEP 128 WEP 128 will offer increased security over WEP 64 Passphrase This is used to generate WEP keys automatically based upon the input string and a pre defined algorithm in WEP64 or WEP128 Default Used WEP Key Select the encryption key ID please refer to Key 1 4 below Key 1 4 Enter th...

Page 38: ...C is listed Blocked To prevent unwanted device accessing the LAN by insert the MAC Address in the space provided or click Make sure your PC s MAC is not listed The maximum client is 16 The MAC addresses are 6 bytes long they are presented only in hexadecimal characters The number 0 9 and letters a f are acceptable Note Follow the MAC Address Format xx xx xx xx xx xx Semicolon must be included Cand...

Page 39: ...plex 10M full duplex 100M half duplex 100M full duplex and Disable Sometimes there are Ethernet compatibility problems with legacy Ethernet devices and you can configure different types to solve compatibility issues The default is Auto which users should keep unless there are specific problems with PCs not being able to access your LAN IPv4 TOS priority Control Advanced users TOS Type of Services ...

Page 40: ...onfigure parameters of the DHCP Server including the IP pool starting IP address and ending IP address to be allocated to PCs on your network lease time for each assigned IP address the period of time the IP address assigned will be valid DNS IP address and the gateway IP address These details are sent to the DHCP client i e your PC when it requests an IP address from the DHCP server Click Apply t...

Page 41: ...haracters case sensitive This is in the format of username ispname instead of simply username Password Enter the password provided by your ISP You can input up to 128 alphanumeric characters case sensitive Service Name This item is for identification purposes If it is required your ISP provides you the information Maximum input is 15 alphanumeric characters NAT The NAT Network Address Translation ...

Page 42: ...2 Multicast Check to enable RIP function TCP MSS Clamp This option helps to discover the optimal MTU size automatically Default is enabled MAC Spoofing This option is required by some service providers You must fill in the MAC address that specify by service provider when it is required Default is disabled Obtain DNS A Domain Name System DNS contains a mapping table for domain name and IP addresse...

Page 43: ... PPP session when disconnected by the ISP Connect on Demand If you want to establish a PPP session only when there is a packet requesting access to the Internet i e when a program on your computer attempts to access the Internet Idle Timeout Auto disconnect the broadband firewall gateway when there is no activity on the line for a predetermined period of time Detail You can define the destination ...

Page 44: ...hat IP will attempt to send through the interface IP 0 0 0 0 Auto Your WAN IP address Leave this at 0 0 0 0 to obtain automatically an IP address from your ISP Netmask The default is 255 255 255 0 User can change it to other such as 255 255 255 128 Type the subnet mask assigned to you by your ISP if given Gateway Enter the IP address of the default gateway if given RIP RIP v1 RIP v2 and RIP v2 Mul...

Page 45: ...ram excluding media specific headers that IP will attempt to send through the interface IP 0 0 0 0 Auto Your WAN IP address Leave this at 0 0 0 0 to obtain automatically an IP address from your ISP Netmask The default is 255 255 255 0 User can change it to other such as 255 255 255 128 Type the subnet mask assigned to you by your ISP if given Gateway Enter the IP address of the default gateway if ...

Page 46: ...y which kind of traffic goes through this connection all traffic or only VLAN tagged Filter Type Specify the type of ethernet filtering performed by the named bridge interface All Allows all types of ethernet packets through the port Ip Allows only IP ARP types of ethernet packets through the port Pppoe Allows only PPPoE types of ethernet packets through the port Obtain DNS A Domain Name System DN...

Page 47: ...ion problem Profile Type Please keep the factory settings unless ADSL is detected as the symptom of low link rate or unstable problems You may need to change the profile setting to reach the best ADSL line rate it depends on the different DSLAM and location Activate Line Aborting false your ADSL line and making it active true again for taking effect with setting of Connect Mode Coding Gain It redu...

Page 48: ...er you have specified If you prefer to specify an SNTP server other than those in the list simply enter its IP address as shown above Your ISP may provide an SNTP server for you to use Daylight Saving is also known as Summer Time Period Many places in the world adapt it during summer time to move one hour of daylight from morning to the evening in local standard time Check Automatic box to auto se...

Page 49: ... i e from outside your LAN select a time period the router will permit remote access for and click Enable You may change other configuration options for the web administration interface using Device Management options in the Advanced section of the GUI If you wish to permanently enable remote access choose a time period of 0 minute ...

Page 50: ...t to operate and provides all its functionality Think of your router as a dedicated computer and the firmware as the software it runs Over time this software may be improved and revised and your router allows you to upgrade the software it runs to take advantage of these changes Clicking on Browse will allow you to select the new firmware image file you have downloaded to your PC Once the correct ...

Page 51: ...significant changes to your router s configuration Press Backup to select where on your local PC to save the settings file You may also change the name of the file when saving if you wish to keep multiple backups Press Browse to select a file from your PC to restore You should only restore settings files that have been generated by the Backup function and that were created when using the current v...

Page 52: ... factory default settings for example after a firmware upgrade or if you have saved an incorrect configuration select Factory Default Settings to reset to factory default settings You may also reset your router to factory settings by holding the small Reset pinhole button more than 6 seconds on the back of your router Caution After pressing the RESET button for more than 6 seconds to be sure you p...

Page 53: ... change the user s password whether their account is active and valid as well as add a comment to each user account Click Edit Delete button to save your revise You cannot delete the default admin account if you do you will be log out However you can delete any other created accounts by clicking Delete when editing the user You are strongly advised to change the password on the default admin accou...

Page 54: ...ccount Firewall and Access Control Your router includes a full SPI Stateful Packet Inspection firewall for controlling Internet access from your LAN as well as helping to prevent attacks from hackers Besides when using NAT the router acts as a natural Internet firewall as all PCs on your LAN will use private IP addresses that cannot be directly accessed from the Internet 1 2 3 4 1 2 ...

Page 55: ...ion to detect prevent and log malicious attacks Access Control Prevents access from PCs on your local network Firewall Security and Policy General Settings Outbound direction of Packet Filter rules to prevent unauthorized computers or applications accessing the Internet URL Filter To block PCs on your local network from unwanted websites Here are the items within the Firewall section General Setti...

Page 56: ...st of preset port filters that changes between each setting For more detailed on level of preset port filter information refer to Table 1 Predefined Port Filter If you choose of the preset security levels and add custom filters this level of filter rules will be saved even and do not need to re configure the rules again if you disable or switch to other firewall level The Block WAN Request is a st...

Page 57: ... available when the Firewall is enabled and one of these four security levels is chosen All blocked High Medium and Low The preset port filter rules in the Packet Filter must modify accordingly to the level of Firewall which is selected See Table1 Predefined Port Filter for more detail information ...

Page 58: ...ES NO YES DNS 53 TCP 6 53 53 NO YES NO YES NO YES FTP 21 TCP 6 21 21 NO YES NO YES NO NO Telnet 23 TCP 6 23 23 NO YES NO YES NO NO SMTP 25 TCP 6 25 25 NO YES NO YES NO YES POP3 110 TCP 6 110 110 NO YES NO YES NO YES NEWS NNTP Network News Transfer Protocol TCP 6 119 119 NO YES NO YES NO NO RealAudio RealVideo 7070 UDP 17 7070 7070 YES YES YES YES NO NO PING ICMP 1 N A N A NO YES NO YES NO YES H 32...

Page 59: ... the Subnet Mask of the IP address range you wish to allow block the traffic to or form set IP address and Subnet Mask to 0 0 0 0 to inactive the Address Filter rule Tip To block access to from a single IP address enter that IP address as the Host IP Address and use a Host Subnet Mask of 255 255 255 255 Source Port This Port or Port Ranges defines the port allowed to be used by the Remote WAN to c...

Page 60: ...sting predefined rules Time Schedule It is self defined time period You may specify a time schedule for your prioritization policy For setup and detail refer to Time Schedule section Protocol Number Insert the port number i e GRE 47 Inbound Outbound Select Allow or Block the access to the Internet Outbound or from the Internet Inbound Click Add button to apply your changes ...

Page 61: ... or low security level To setup a web server located on the local network when the firewall is enabled you have to configure the Port Filters setting for HTTP As you can see from the diagram below when the firewall is enabled with one of the three presets Low Medium High inbound HTTP access is not allowed which means remote access through HTTP to your router is not allowed Note Inbound indicates a...

Page 62: ...the low security level shown below Note You may click Edit the predefined rule instead of Delete it This is an example to show to how you add a filter on your own 2 Choose the radio button you want to delete the existing HTTP rule Click Edit Delete button to delete the existing HTTP rule 3 Input the Rule Name Time Schedule Source Destination IP Type Source Destination Port Inbound and Outbound 1 2...

Page 63: ...ort Filter Source Port 0 65535 I allow all ports to connect with the application Redirect Port 80 80 This is Port defined for HTTP Inbound Outbound Allow 4 The new port filter rule for HTTP is shown below 5 Configure your Virtual Server port forwarding settings so that incoming HTTP requests on port 80 will be forwarded to the PC running your web server Note For how to configure the HTTP in Virtua...

Page 64: ...IP address will be added to the Blacklist Any further attempts using this IP address will be blocked for the time period specified as the Block Duration The default setting for this function is false disabled Some attack types are denied immediately without using the Blacklist function such as Land attack and Echo CharGen scan Intrusion Detection If enabled IDS will block Smurf attack attempts Def...

Page 65: ...threshold value to decide whether a SYN Flood attempt is occurring or not Default value is 100 TCP SYN per seconds Max PING Count This is a threshold value to decide whether an ICMP Echo Storm is occurring or not Default value is 15 ICMP Echo Requests PING per second Max ICMP Count This is a threshold to decide whether an ICMP flood is occurring or not Default value is 100 ICMP packets per seconds...

Page 66: ...n | Yes | Yes. CharGen Scan: UDP, Dst Port = CharGen (19); Src IP Scan | Yes | Yes. X'mas Tree Scan: TCP, Flag = X'mas; Src IP Scan | Yes | Yes. IMAP SYN/FIN Scan: TCP, Flag = SYN/FIN, DstPort = IMAP (143), SrcPort = 0 or 65535; Src IP Scan | Yes | Yes. SYN/FIN/RST/ACK Scan: TCP, no existing session and scan hosts more than five; Src IP Scan | Yes | Yes. Net Bus Scan: TCP, no existing session, DstPort = Net Bus (12345, 12346, 3456); Src IP Scan | Yes | Yes. Back Or...

Page 67: ...nabled, URL filter rules will be monitored and checked at all hours of the day. TimeSlot1 ~ TimeSlot16: This is a self-defined time period. You may specify the time period to check the URL filter rules, i.e. during working hours. For setup and detail, refer to the Time Schedule section. Keywords Filtering: Allows blocking by specific keywords within a particular URL rather than having to specify a complete URL, e.g. ...

Page 68: ...m will be sent to the remote web server because it is listed in the trusted list, whilst the URL request for www.google or www.google.com will be dropped because www.google is in the forbidden list. Example: Andy wishes to disable all WEB traffic except for the ones listed in the trusted domain, which would prevent Bobby from accessing other web sites. Andy selects both functions in the Domain Filtering an...

Page 69: ...ult is set to Disabled. Disabled: Instant Message blocking is not triggered; no action will be performed. Always On: Action is enabled. TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time period to trigger the blocking, i.e. during working hours. For setup and detail, refer to the Time Schedule section. Yahoo/MSN Messenger: Check the box to block either or both Yahoo and/or MSN Mess...

Page 70: ...Firewall Log: Firewall Log displays log information of any unexpected action with your firewall settings. Check the Enable box to activate the logs. Log information can be seen in the Status > Event Log after enabling ...

Page 71: ...nnel connection condition. Type: This refers to whether your router operates as a client or a server (Dialout or Dialin respectively). PPTP Connection, Remote Access: Name: A given name for the connection (e.g. "connection to office"). Connection Type: Remote Access or LAN to LAN. Type: Check Dial Out if you want your router to operate as a client (connecting to a remote VPN server, e.g. your office server); check Dial In oper...

Page 72: ... can manually Enable or Disable encryption. Key Length: The data can be encrypted by the MPPE algorithm with 40 bits or 128 bits. Default is Auto; it is negotiated when establishing a connection. 128-bit keys provide stronger encryption than 40-bit keys. Mode: You may select Stateful or Stateless mode. The key will be changed every 256 packets when you select Stateful mode. If you select Stateless mode, the key...

Page 73: ...Example: Configuring a Remote Access PPTP VPN Dial-out Connection. A company's office establishes a PPTP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers. Dial out ...

Page 74: ... of PPTP connection. 2. Connection Type: Remote Access (select Remote Access from the Connection Type drop-down menu). Type: Dial out (select Dial out from the Type drop-down menu). 3. IP Address or Domain name: 69.121.1.33 (the dialed server IP). Username: username. 4. Password: 123456 (a given username/password). Auth Type: Chap (Auto). Data Encryption: Auto. Key Length: Auto. 5. Mode: stateful (keep as default value in most of the case...

Page 75: ...uthentication Protocol) or PAP (Password Authentication Protocol) if you know which type the server is using (when acting as a client), or else the authentication type you want clients connecting to you to use (when acting as a server). When using PAP the password is sent unencrypted, whilst CHAP encrypts the password before sending and also allows for challenges at different periods to ensure that the clie...

Page 76: ...Click the Edit/Delete button to save your changes ...

Page 77: ...LAN VPN Connection: The branch office establishes a PPTP VPN tunnel with the head office to connect two private networks over the Internet. The routers are installed in the head office and branch offices accordingly. Both office LAN networks MUST be in different subnets with the LAN to LAN application. Attention ...

Page 78: ...m Connection Type drop-down menu). Type: Dial in (select Dial in from the Type drop-down menu). 3. IP Address: 192.168.1.200 (IP address assigned to the branch office network). Peer Network IP: 192.168.0.0. 4. Netmask: 255.255.255.0 (branch office network). Username: username. 5. Password: 123456 (input username/password to authenticate the branch office network). Auth Type: Chap (Auto). Data Encryption: Auto. Key Length: Auto. 6. Mode: statef...

Page 79: ...tion Type: LAN to LAN (select LAN to LAN from the Connection Type drop-down menu). Type: Dial out (select Dial out from the Type drop-down menu). 3. IP Address or Domain name: 69.121.1.33 (IP address of the head office router on the WAN side). Peer Network IP: 192.168.1.0. 4. Netmask: 255.255.255.0 (head office network). Username: username. 5. Password: 123456 (input username/password to authenticate the head office network). Auth Type: Cha...

Page 80: ...te: When the Active checkbox is checked, the Edit and Delete functions will not be available. Name: This is a given name of the connection. Local Subnet: Displays the IP address and subnet of the local network. Remote Subnet: Displays the IP address and subnet of the remote network. Remote Gateway: This is the IP address or Domain Name of the remote VPN device that is connected and has established a VPN tunnel. IPSec ...

Page 81: ...mote network. IKE (Internet Key Exchange) Mode: Select the IKE mode, Main mode or Aggressive mode. IKE provides secured key generation and key management. Hash Function: It is a Message Digest algorithm which converts any length of message into a unique set of bits. The widely used algorithms are MD5 (Message Digest) and SHA-1 (Secure Hash Algorithm). SHA1 is more resistant to brute-force attacks than MD5, ho...

Page 82: ... change encryption keys during the second phase of VPN negotiation. This function will provide better security but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Mo...

Page 83: ...nnection is required. The default setting is 0.0.0.0, which disables the function. Interval: This sets the time interval between Pings to the IP function to monitor the connection status. The default interval setting is 10 seconds. The time interval can be set from 0 to 3600 seconds; 0 seconds disables the function. Ping to the IP | Interval (sec) | Ping to the IP Action: 0.0.0.0 | 0 | No; 0.0.0.0 | 2000 | No; xxx.xxx.xxx.xxx (a valid I...

Page 84: ...r IP: 69.1.121.30 / 69.1.121.3. Remote Network ID: 192.168.1.0/24 / 192.168.0.0/24. Remote Router IP: 69.1.121.3 / 69.1.121.30. IKE Pre-shared Key: 12345678 / 12345678. VPN Connection Type: Tunnel mode / Tunnel mode. Security Algorithm: ESP, MD5 with AES / ESP, MD5 with AES. Both office LAN networks MUST be in different subnets with the LAN to LAN application. Functions of Pre-shared Key, VPN Connection Type and Security Algorithm M...

Page 85: ...k drop-down menu). IP Address: 192.168.1.0. 2. Netmask: 255.255.255.0 (head office network). 3. Remote Secure Gateway IP (or Hostname): 69.121.1.30 (IP address of the branch office router on the WAN side). Remote Network: Subnet (select Subnet from the Remote Network drop-down menu). IP Address: 192.168.0.0. 4. Netmask: 255.255.255.0 (branch office network). Authentication: MD5. Encryption: 3DES. Prefer Forward Security: None. 5. Pre-shar...

Page 86: ...twork drop-down menu). IP Address: 192.168.0.0. 2. Netmask: 255.255.255.0 (branch office network). 3. Remote Secure Gateway IP (or Hostname): 69.121.1.3 (IP address of the head office router on the WAN side). Remote Network: Subnet (select Subnet from the Remote Network drop-down menu). IP Address: 192.168.1.0. 4. Netmask: 255.255.255.0 (head office network). Authentication: MD5. Encryption: 3DES. Prefer Forward Security: None. 5. Pre-sha...

Page 87: ...Example: Configuring an IPSec Host-to-LAN VPN Connection ...

Page 88: ...ork drop-down menu). IP Address: 192.168.1.0. 2. Netmask: 255.255.255.0 (head office network). 3. Remote Secure Gateway IP (or Hostname): 69.121.1.30 (remote worker's IP address). Remote Network: Single Address (select Single Address from the Remote Network drop-down menu). 4. IP Address: 69.121.1.30 (remote worker's IP address). Authentication: MD5. Encryption: 3DES. Prefer Forward Security: None. 5. Pre-shared Key: 12345678. Securit...

Page 89: ...the L2TP connection. Check the Active checkbox if you want the tunnel protocol to be activated, and vice versa. Note: When the Active checkbox is checked, the Edit and Delete functions will not be available. Name: This is a given name of the connection. Connection Type: It informs your L2TP tunnel connection condition. Type: This refers to whether your router operates as a client or a server (Dialout or Dialin in re...

Page 90: ...s which may include numbers and characters. Active as default route: Commonly used by the Dial-out connection, in which all packets will route through the VPN tunnel to the Internet; therefore activating the function may degrade Internet performance. Remote Host Name (Optional): Enter the hostname of the remote VPN device. It is a tunnel identifier from the Remote VPN device and matches the Remote hostname provided ...

Page 91: ...ps. Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pr...

Page 92: ...ring a L2TP VPN Remote Access Dial-in Connection. A remote worker establishes a L2TP VPN connection with the head office using Microsoft's VPN Adapter (included with Windows XP/2000/ME, etc.). The router is installed in the head office, connected to a couple of PCs and Servers. Dial in ...

Page 93: ...select Remote Access from the Connection Type drop-down menu). Type: Dial in (select Dial in from the Type drop-down menu). 3. IP Address: 192.168.1.200 (an assigned IP address for the remote worker). Username: username. 4. Password: 123456 (input username/password to authenticate the remote worker). 5. Auth Type: Chap (Auto) (keep as default value in most of the cases). IPSec: Enable (enable for enhancing your L2TP VPN security). Authen...

Page 94: ...Example: Configuring a Remote Access L2TP VPN Dial-out Connection. A company's office establishes a L2TP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers. Dial out ...

Page 95: ...rop-down menu). Type: Dial out (select Dial out from the Type drop-down menu). 3. IP Address or Hostname: 69.121.1.33 (the dialed server IP). Username: username. 4. Password: 123456 (a given username/password). 5. Auth Type: Chap (Auto) (keep as default value in most of the cases). IPSec: Enable (enable for enhancing your L2TP VPN security). Authentication: MD5. Encryption: 3DES. Perfect Forward Secrecy: None. 6. Pre-shared Key: 12345678 ...

Page 96: ...ctions, enter the Private IP Address Assigned to Dial-in User address. Peer Network IP: Enter the peer network IP address. Netmask: Enter the subnet mask of the peer network based on the Peer Network IP setting. Username: If you are a Dial-Out user (client), enter the username provided by your Host. If you are a Dial-In user (server), enter your own username. Password: If you are a Dial-Out user (client), enter the password...

Page 97: ...n method from the pull-down menu. There are four options, DES, 3DES, AES and NULL. NULL means it is a tunnel only with no encryption. 3DES and AES are more powerful but increase latency. DES: Stands for Data Encryption Standard; it uses 56 bits as an encryption method. 3DES: Stands for Triple Data Encryption Standard; it uses 168 (56*3) bits as an encryption method. AES: Stands for Advanced Encryption Standard; i...

Page 98: ...VPN tunnel with the head office to connect two private networks over the Internet. The routers are installed in the head office and branch office accordingly. Both office LAN networks MUST be in different subnets with the LAN to LAN application. Functions of Pre-shared Key, VPN Connection Type and Security Algorithm MUST BE identically set up on both sides. Attention ...

Page 99: ...ction Type drop-down menu). Type: Dial in (select Dial in from the Type drop-down menu). 3. IP Address: 192.168.1.200 (IP address assigned to the branch office network). Peer Network IP: 192.168.0.0. 4. Netmask: 255.255.255.0 (branch office network). Username: username. 5. Password: 123456 (input username/password to authenticate the branch office network). 6. Auth Type: Chap (Auto) (keep as default value in most of the cases). IPSec: Enable...

Page 100: ...onnection Type: LAN to LAN (select LAN to LAN from the drop-down menu). Type: Dial out (select Dial out from the drop-down menu). 3. IP Address or Hostname: 69.121.1.33 (IP address of the head office router on the WAN side). Peer Network IP: 192.168.1.0. 4. Netmask: 255.255.255.0 (head office network). Username: username. 5. Password: 123456 (input username/password to authenticate the head office network). 6. Auth Type: Chap (Auto) (keep as de...

Page 101: ...al 30 and Low 10. To delete the application, choose the Delete option and then click Edit/Delete. Name: User-defined description to identify this new policy/application. Time Schedule: Scheduling your prioritization policy. Priority: The priority given to each policy/application. Its default setting is High; you may adjust this setting to fit your policy/application. Protocol: The name of the supported ...

Page 102: ... Table: DSCP Mapping Table. Wireless ADSL Router | Standard DSCP: Disabled | None; Best Effort | Best Effort (000000); Premium | Express Forwarding (101110); Gold service (L) | Class 1, Gold (001010); Gold service (M) | Class 1, Silver (001100); Gold service (H) | Class 1, Bronze (001110); Silver service (L) | Class 2, Gold (010010); Silver service (M) | Class 2, Silver (010100); Silver service (H) | Class 2, Bronze (010110); Bronze service (L) | Class 3, Gold (011010...

Page 103: ...ify this new policy name. Time Schedule: Scheduling your prioritization policy. Refer to Time Schedule for more information. Protocol: The name of the supported protocol. Rate Limit: To limit the speed of outbound traffic. Source IP Address Range: The source IP address or range of packets to be monitored. Source Port(s): The source port of packets to be monitored. Destination IP Address Range: The destination IP ad...

Page 104: ...is new policy/application. Time Schedule: Scheduling your prioritization policy. Refer to Time Schedule for more information. Protocol: The name of the supported protocol. Rate Limit: To limit the speed of inbound traffic. Source IP Address Range: The source IP address or range of packets to be monitored. Source Port(s): The source port of packets to be monitored. Destination IP Address Range: The destination I...

Page 105: ...Example: QoS for your Network. Connection Diagram. Information and Settings: Upstream: 928 kbps. Downstream: 8 Mbps. VoIP User: 192.168.1.1. Normal Users: 192.168.1.2 ~ 192.168.1.5. Restricted User: 192.168.1.100. Restricted PC, Normal PCs, VoIP ...

Page 106: ...cation for doing data exchange between head and branch office. The mission-critical application must be sent out smoothly without any dropping. Set its priority to high level to prevent any other applications from saturating the bandwidth. Voice application: Voice is a latency-sensitive application. Most VoIP devices use the SIP protocol, and the port number will be assigned by the SIP module automatically. Better...

Page 107: ...settings that help to limit upstream utilization of FTP. A time schedule also helps you to limit utilization only during the daytime. Advanced setting by using IP throttling: With IP throttling you can specify in more detail how bandwidth is allocated, even when the applications are located in the same level. Upstream: 928kbps = 29 x 32kbps. Mission critical Application: 192kbps = 6 x 32kbps. Voice Application: 128kbps = 4 x 32kbps. Rest...

Page 108: ...Sometimes your customers or friends may upload their files to your FTP server, and that will saturate your downstream bandwidth. The settings below help you to limit bandwidth for the restricted application ...

Page 109: ... sharing applications and are using NAT (Network Address Translation), then you will usually need to configure your router to forward these incoming connection attempts, using specific ports, to the PC on your network running the application. You will also need to use port forwarding if you want to host an online game server. The reason for this is that when using NAT, your publicly accessible IP address ...

Page 110: ...ne description to identify this entry, or click the drop-down menu to select existing predefined rules. 20 predefined rules are available. Application, Protocol and External/Redirect Ports will be filled in after the selection. Protocol: It is the supported protocol for the virtual server. In addition to specifying the port number to be used, you will also need to specify the protocol used. The protocol used is d...

Page 111: ...ed the NAT option in the WAN ISP section, the Virtual Server function will hence be invalid. If the DHCP server option is enabled, you have to be very careful in assigning the IP addresses of the virtual servers in order to avoid conflicts. The easiest way of configuring Virtual Servers is to manually assign a static IP address to each virtual server PC, with an address that does not fall into the range ...

Page 112: ...tual Server entries. Caution: This local computer, exposed to the Internet, may face various security risks. Go to Configuration > Virtual Server > Edit DMZ Host. Enabled: It activates your DMZ function. Disabled: As set in the default setting, it disables the DMZ function. Internal IP Address: Give a static IP address to the DMZ Host when the Enabled radio button is checked. Be aware that this IP will be exposed to t...

Page 113: ...our ISP. If your ISP has provided this information, you may insert it here. Otherwise, use the IP Range method. IP Range: The IP address range of your public/WAN IP addresses. For example, IP: 192.168.1.1, end IP: 192.168.1.10. Select the Apply button to apply your changes. Check to create a new One-to-One NAT rule. Application: User-defined description to identify this entry, or click the drop-down menu to select exist...

Page 114: ... public/WAN IP address for this Application to use. This Global IP address must be defined in the Global IP Address. External Port: The port number on the Remote/WAN side used when accessing the virtual server. Redirect Port: The port number used by the local server in the LAN network. Internal IP Address: The private IP in the LAN network which will be providing the virtual server application. List all e...

Page 115: ...formation, please see IANA's website at http://www.iana.org/assignments/port-numbers. For help on determining which private port numbers are used by common applications on this list, please see the FAQs (Frequently Asked Questions) at http://www.billion.com. Table 5: Well-known and registered Ports. Port Number | Protocol | Description: 20 | TCP | FTP Data; 21 | TCP | FTP Control; 22 | TCP/UDP | SSH Remote Login Protocol; 23 | TCP...

Page 116: ... restrict or allow the usage of the Internet by users or applications. This Time Schedule correlates closely with the router's time: since the router does not have a real-time clock on board, it uses the Simple Network Time Protocol (SNTP) to get the current time from an SNTP server on the Internet. Refer to Time Zone for details. Your router's time should correspond with your local time. If the time is not set...

Page 117: ...of the time slot. Name: A user-defined description to identify this time portfolio. Day in a week: The default is set from Monday through Friday. You may specify the days for the schedule to be applied. Start Time: The default is set at 8:00 AM. You may specify the start time of the schedule. End Time: The default is set at 18:00 (6:00 PM). You may specify the end time of the schedule. Choose the Edit radio button an...

Page 118: ...ere are the items within the Advanced section: Static Route, Dynamic DNS, Check Email, Device Management, IGMP and VLAN Bridge. Static Route: Go to Configuration > Advanced > Static Route. Destination: This is the destination subnet IP address. Netmask: Subnet mask of the destination IP addresses, based on the above destination subnet IP. Gateway: This is the gateway IP address to which packets are to be forwarded. Inte...

Page 119: ...will first need to register and establish an account with the Dynamic DNS provider using their website, for example http://www.dyndns.org. There are more than 5 DDNS services supported. Dynamic DNS: Disable: Check to disable the Dynamic DNS function. Enable: Check to enable the Dynamic DNS function. The following fields will be activated and required: Dynamic DNS Server: Select the DDNS service you have estab...

Page 120: ...ble the router's Email checking function. The following fields will be activated and required: Account Name: Enter the name (login) of the POP3 account you wish to check. Normally it is the text in your email address before the @ symbol. If you have trouble with it, please contact your ISP. Password: Enter the account's password. POP3 Mail Server: Enter your POP mail server name. Your Internet Service Provider (ISP...

Page 121: ... value is the standard HTTP port, 80. Users may specify an alternative if, for example, they are running a web server on a PC within their LAN. Management IP Address: You may specify an IP address allowed to logon and access the router's web server. Setting the IP address to 0.0.0.0 will disable IP address restrictions, allowing users to login from any IP address. Expire to auto-logout: Specify a time frame...

Page 122: ...dentified as the Read Community, and an IP address. This community string will be checked against the string entered in the configuration file. Once the string name is matched, a user with this IP address will be able to view the data. Write Community: Specify a name to be identified as the Write Community, and an IP address. This community string will be checked against the string entered in the configu...

Page 123: ...1dBase group, dot1dTp group, dot1dStp group (if configured as spanning tree). From RFC 1471 (PPP/LCP MIB): pppLink group, pppLqr group (not applicable). From RFC 1472 (PPP Security MIB): PPP Security Group. From RFC 1473 (PPP/IP MIB): PPP IP Group. From RFC 1474 (PPP Bridge MIB): PPP Bridge Group. From RFC 1573 (IfMIB): ifMIBObjects Group. From RFC 1695 (atmMIB): atmMIBObjects. From RFC 1907 (SNMPv2): only snmpSetSerialNo OID ...

Page 124: ... group. IGMP Forwarding: Accepting multicast packets. Default is set to Enable. IGMP Snooping: Allowing switched Ethernet to check and make correct forwarding decisions. Default is set to Disable. VLAN Bridge: This section allows you to create VLAN groups and specify the members. Edit: Edit your member ports in the selected VLAN group. Create VLAN: To create another VLAN group ...

Page 125: ...cessing the configuration web pages at a time. Once a PC has logged into the web interface, other PCs cannot get access until the current PC has logged out of the web interface. If the previous PC forgets to logout, the second PC can access the page after a user-defined period, by default 3 minutes. You can modify this value using the Advanced > Device Management section of the web interface. Please see th...

Page 126: ...ll jack. The ADSL LED on the front panel of the router should be on. Check that your VPI/VCI, encapsulation type and type of multiplexing settings are the same as those provided by your ISP. Reboot the router. If you still have problems, you may need to verify these settings with your ISP. Frequent loss of ADSL linesync (disconnections): Ensure that all other devices connected to the same telephone line ...

Page 127: ...he Troubleshooting section in the User's Manual. If you cannot resolve the problem with the Troubleshooting chapter, please contact the dealer where you purchased this product. Contact Billion WORLDWIDE: http://www.billion.com. Mac OS is a registered Trademark of Apple Computer, Inc. Windows 98, Windows NT, Windows 2000, Windows Me and Windows XP are registered Trademarks of Microsoft Corporation ...