D-Link DSR-1000N User Manual Download | Manualshive

Page: 61 / 200

background image

Chapter 5. Securing the Private

Network

You can secure your network by creating and applying rules that your router uses to
selectively block and allow inbound and outbound Internet traffic. You then specify
how and to whom the rules apply. To do so, you must define the following:

•

Services or traffic types (examples: web browsing, VoIP, other standard services

and also custom services that you define)

•

Direction for the traffic by specifying the source and destination of traffic; this is

done by specifying the “From Zone” (LAN/WAN/DMZ) and “To Zone”

(LAN/WAN/DMZ)

•

Schedules as to when the router should apply rules

•

Any Keywords (in a domain name or on a URL of a web page) that the router

should allow or block

•

Rules for allowing or blocking inbound and outbound Internet traffic for specified

services on specified schedules

•

MAC addresses of devices that should not access the internet

•

Port triggers that signal the router to allow or block access to specified services as

defined by port number

•

Reports and alerts that you want the router to send to you

You  can,  for  example,  establish  restricted-access  policies  based  on  time-of-day,  web
addresses,  and  web  address  keywords.  You  can  block  Internet  access  by  applications
and  services  on  the  LAN,  such  as  chat  rooms  or  games.  You  can  block  just  certain
groups  of  PCs  on  your  network  from  being  accessed  by  the  WAN  or  public  DMZ
network.

5.1 Firewall Rules

Advanced > Firewall Settings > Firewall Rules

Inbound  (WAN  to  LAN/DMZ)  rules  restrict  access  to  traffic  entering  your  network,
selectively  allowing  only  specific  outside  users  to  access  specific  local  resources.  By
default  all  access  from  the  insecure  WAN  side  are  blocked  from  accessing  the  secure
LAN, except in response to requests from the LAN or DMZ. To allow outside devices
to  access  services  on  the  secure  LAN,  you  must  create  an  inbound  firewall  rule  for
each service.

If you want to allow incoming traffic, you must make the router’s WAN port IP
address known to the public. This is called “exposing your host.” How you make your
address known depends on how the WAN ports are configured; for this router you

«
...
59
60
61
62
63
...
»

Summary of Contents for DSR-1000N

Page 1: ...Unified Services Router User Manual DSR 500N 1000N Release 1 01 http www dlink com Building Networks for People ...

Page 2: ...User Manual Unified Services Router D Link Corporation Copyright 2010 http www dlink com ...

Page 3: ...particular purpose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER E G DAMAGES FOR LOSS OF PROFIT SOFTWARE RESTORATION W...

Page 4: ...es 27 3 2 5 WAN Configuration in an IPv6 Network 28 3 2 6 Checking WAN Status 29 3 3 Bandwidth Controls 32 3 4 Features with Multiple WAN Links 34 3 4 1 Auto Failover 34 3 4 2 Load Balancing 35 3 4 3 Protocol Bindings 36 3 5 Routing Configuration 37 3 5 1 Routing Mode 37 3 5 2 Dynamic Routing RIP 39 3 5 3 Static Routing 40 3 6 Configurable Port WAN Option 42 3 7 WAN Port Settings 44 Chapter 4 Wire...

Page 5: ... 2 1 Extended Authentication XAUTH 85 6 3 Configuring VPN clients 85 6 4 PPTP L2TP Tunnels 86 6 4 1 PPTP Tunnel Support 86 6 4 2 L2TP Tunnel Support 87 Chapter 7 SSL VPN 89 7 1 Users Groups and Domains 89 7 1 1 User Types and Passwords 90 7 2 Using SSL VPN Policies 92 7 2 1 Using Network Resources 94 7 3 Application Port Forwarding 95 7 4 SSL VPN Client Configuration 96 7 5 User Portal 98 7 5 1 Cr...

Page 6: ...ort Statistics 126 10 2 2 Wireless Statistics 127 10 3 Active Connections 128 10 3 1 Sessions through the Router 128 10 3 2 Wireless Clients 130 10 3 3 LAN Clients 130 10 3 4 Active VPN Tunnels 131 Chapter 11 Trouble Shooting 133 11 1 Internet connection 133 11 2 Date and time 135 11 3 Pinging to Test LAN Connectivity 135 11 3 1 Testing the LAN path from your PC to your router 135 11 3 2 Testing t...

Page 7: ... Traffic Selector Configuration 34 Figure 19 Load Balancing is available when multiple WAN ports are configured and Protocol Bindings have been defined 36 Figure 20 Protocol binding setup to associate a service and or LAN source to a WAN and or destination network 37 Figure 21 Routing Mode is used to configure traffic routing between WAN and LAN as well as Dynamic routing RIP 39 Figure 22 Static r...

Page 8: ... Binding binds a LAN host s MAC Address to an IP address If there is an IP MAC Binding violation the violating packet will be dropped and logs will be captured 76 Figure 47 Intrusion Prevention features on the router 77 Figure 48 Protecting the router and LAN from internet attacks 78 Figure 49 VPN Wizard launch screen 80 Figure 50 IPSec policy configuration 83 Figure 51 IPSec policy configuration ...

Page 9: ...ure 76 VPN logs displayed in GUI event viewer 114 Figure 77 Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot 115 Figure 78 Firmware version information and upgrade option 116 Figure 79 Dynamic DNS configuration 117 Figure 80 Router diagnostics tools available in the GUI 118 Figure 81 Sample traceroute output 119 Figure 82 Device Stat...

Page 10: ...anual to allow new D Link Unified Services Router users to configure connectivity setup VPN tunnels establish firewall rules and perform general administrative tasks Typical deployment and use case scenarios are described in each section For more detailed setup instructions and explanations of each configuration parameter refer to the online help that can be accessed from each page in the router G...

Page 11: ...ws Internet Name Service WINS servers and the default gateway With the DHCP server enabled the router s IP address serves as the gateway address for LAN and WLAN clients The PCs in the LAN are assigned IP addresses from a pool of addresses specified in this procedure Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN For most applications the default DHCP and...

Page 12: ...ents on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet Specify the Relay Gateway and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP address If DHCP is being enabled enter the following DHCP server parameters Starting and Ending IP Addresses Enter the first and last continuo...

Page 13: ...eckbox 3 Click Save Settings to apply all changes Figure 1 Setup page for LAN TCP IP settings 2 1 1 LAN Configuration in an IPv6 Network Advanced IPv6 IPv6 LAN IPv6 LAN Config In IPv6 mode the LAN DHCP server is enabled by default similar to IPv4 mode The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN ...

Page 14: ...8 bit IPv6 address based on your network requirements The other field that defines the LAN settings for the router is the prefix length The IPv6 network subnet is identified by the initial bits of the address called the prefix By default this is 64 bits long All hosts in the network have common initial bits for their IPv6 address the number of common initial bits in the network s addresses is set ...

Page 15: ...ed to manage the router has obtained IP address from newly assigned pool or has a static IP address in the router s LAN subnet before accessing the router via changed IP address As with an IPv4 LAN network the router has a DHCPv6 server If enabled the router assigns an IP address within the specified range plus additional specified information to any LAN PC that requests DHCP served addresses The ...

Page 16: ...irectly By selecting Use DNS proxy this router acts as a proxy for all DNS requests and communicate with the ISP s DNS servers a WAN configuration parameter Primary and Secondary DNS servers If there are configured domain name system DNS servers available on the LAN enter the IP addresses here Lease Rebind time sets the duration of the DHCPv6 lease from this router to the LAN client IPv6 Address P...

Page 17: ...0 seconds RA Flags The router advertisements RA s can be sent with one or both of these flags Chose Managed to use the administered stateful protocol for address auto configuration If the Other flag is selected the host uses administered stateful protocol for non address auto configuration Router Preference this low medium high parameter determines the preference associated with the RADVD process ...

Page 18: ...whether the host is on the same link as the router The following prefix options are available for the router advertisements IPv6 Prefix Type To ensure hosts support IPv6 to IPv4 tunnel select the 6to4 prefix type Selecting Global Local ISATAP will allow the nodes to support all other IPv6 routing options SLA ID The SLA ID Site Level Aggregation Identifier is available when 6to4 Prefixes are select...

Page 19: ...traffic to and from that physical port can be isolated from the general LAN VLAN filtering is particularly useful to limit broadcast packets of a device in a large network VLAN support is disabled by default in the router In the VLAN Configuration page enable VLAN support on the router and then proceed to the next section to define the virtual network Setup VLAN Settings Available VLAN The Availab...

Page 20: ...ne of the four physical ports or a configured access point and clicking Edit The edit page offers the following configuration options Mode The mode of this VLAN can be General Access or Trunk The default is access In General mode the port is a member of a user selectable set of VLANs The port sends and receives data that is tagged or untagged with a VLAN ID If the data into the port is untagged it...

Page 21: ... All data going into and out of the port is tagged Untagged coming into the port is not forwarded except for the default VLAN with PVID 1 which is untagged Trunk ports multiplex traffic for multiple VLANs over the same physical link Select PVID for the port when the General mode is selected Configured VLAN memberships will be displayed on the VLAN Membership Configuration for the port By selecting...

Page 22: ...not have to be exposed on the LAN It is recommended that hosts that must be exposed to the internet such as web or email servers be placed in the DMZ network Firewall rules can be allowed to permit access specific services ports to the DMZ from both the LAN or WAN In the event of an attack to any of the DMZ nodes the LAN is not necessarily vulnerable as well Setup DMZ Setup DMZ Setup Configuration...

Page 23: ...e that allows the router to discovery devices on the network that can communicate with the router and allow for auto configuration If a network device is detected by UPnP the router can open internal or external ports for the traffic protocol required by that network device Once UPnP is enabled you can configure the router to detect UPnP supporting devices on the LAN or a configured VLAN If disabl...

Page 24: ...tworks with few switches Figure 9 UPnP Configuration UPnP Port map Table The UPnP Port map Table has the details of UPnP devices that respond to the router s advertisements The following information is displayed for each detected device Active A yes no indicating whether the port of the UPnP device that established a connection is currently active Protocol The network protocol i e HTTP FTP etc use...

Page 25: ...through a few straightforward configuration pages you can take the information provided by your ISP to get your WAN connection up and enable internet access for your network Figure 10 Internet Connection Setup Wizard You can start using the Wizard by logging in with the administrator password for the router Once authenticated set the time zone that you are located in and then choose the type of IS...

Page 26: ...particularly useful when configuring multiple PPPoE connections i e for Japan ISPs that have multiple PPPoE support ISP login information This is required for PPTP and L2TP ISPs User Name Password Secret required for L2TP only MPPE Encryption For PPTP links your ISP may require you to enable Microsoft Point to Point Encryption MPPE Split Tunnel supported for PPTP and L2TP connection This setting a...

Page 27: ...hat information dynamically from the ISP 3 2 2 WAN DNS Servers The IP Addresses of WAN Domain Name Servers DNS are typically provided dynamically from the ISP but in some cases you can define the static IP addresses of the DNS servers DNS servers map Internet domain names example www google com to IP addresses Click to indicate whether to get DNS server addresses automatically from your ISP or to ...

Page 28: ...Unified Services Router User Manual 26 Figure 11 Manual WAN configuration ...

Page 29: ...name can be selected on the WAN configuration page to reduce the configuration requirements for that WAN port The PPPoE profile is referenced on the WAN Configuration page The List of PPPoE profiles for a particular WAN see figure below outlines the available profile and their status and authentication type Figure 12 List of configured PPPoE profiles To create a new PPPoE profile select Add in the...

Page 30: ...gns you a fixed address to access the internet the static configuration settings must be completed In addition to the IPv6 address assigned to your router the IPv6 prefix length defined by the ISP is needed The default IPv6 Gateway address is the server at the ISP that this router will connect to for accessing the internet The primary and secondary DNS servers on the ISP s IPv6 network are used fo...

Page 31: ... DHCPv6 server available at the ISP rather ICMPv6 discover messages will originate from this gateway and will be used for auto configuration A third option to specify the IP address and prefix length of a preferred DHCPv6 server is available as well Figure 14 IPv6 WAN Setup page 3 2 6 Checking WAN Status Setup Internet Settings WAN Status The status and summary of configured settings for both WAN1...

Page 32: ...ate This is whether the WAN is connected or disconnected to an ISP The Link State is whether the physical WAN connection in place the Link State can be UP i e cable inserted while the WAN Connection State is down IP address subnet mask Gateway IP address ...

Page 33: ...gure 15 Connection Status information for both WAN ports The WAN status page allows you to Enable or Disable static WAN links For WAN settings that are dynamically received from the ISP you can Renew or Release the link parameters if required ...

Page 34: ...o that bandwidth profile can be applied to the traffic matching the selectors Selectors are elements like IP addresses or services that would trigger the configured bandwidth regulation Figure 16 List of Configured Bandwidth Profiles To create a new bandwidth profile click Add in the List of Bandwidth Profiles The following configuration parameters are used to define a bandwidth profile Profile Na...

Page 35: ...ds a bandwidth profile to a type or source of LAN traffic with the following settings Available profiles Assign one of the defined bandwidth profiles Service You can have the selected bandwidth regulation apply to a specific service i e FTP from the LAN If you do not see a service that you want you can configure a custom service through the Advanced Firewall Settings Custom Services page To have t...

Page 36: ...he link seems to be disconnected or the threshold of failures that determines if a WAN port is down 3 4 1 Auto Failover In this case one of your WAN ports is assigned as the primary internet link for all internet traffic The secondary WAN port is used for redundancy in case the primary link goes down for any reason Both WAN ports primary and secondary must be configured to connect to the respectiv...

Page 37: ...egregate and assign services over one WAN port in order to manage internet flow The configured failure detection method is used at regular intervals on all configured WAN ports when in Load Balancing mode Load balancing is particularly useful when the connection speed of one WAN port greatly differs from another In this case you can define protocol bindings to route low latency services such as VO...

Page 38: ...ces or any of the user defined services the type of traffic can be assigned to go over only one of the available WAN ports For increased flexibility the source network or machines can be specified as well as the destination network or machines For example the VOIP traffic for a set of LAN IP addresses can be assigned to one WAN and any VIOP traffic from the remaining IP addresses can be assigned t...

Page 39: ... 3 5 1 Routing Mode Setup Internet Settings Routing Mode This device supports classical routing network address translation NAT and transport mode routing With classical routing devices on the LAN can be directly accessed from the internet by their public IP addresses assuming appropriate firewall settings If your ISP has assigned an IP address for each of the computers that you use select Classic...

Page 40: ... you The computers that connect through the router will need to be assigned IP addresses from a private subnet Transparent mode routing between the LAN and WAN does not perform NAT Broadcast and multicast packets that arrive on the LAN interface are switched to the WAN and vice versa if they do not get filtered by firewall or VPN policies If the LAN and WAN are in the same broadcast domain select ...

Page 41: ...ed Services Router User Manual 39 Figure 21 Routing Mode is used to configure traffic routing between WAN and LAN as well as Dynamic routing RIP 3 5 2 Dynamic Routing RIP Setup Internet Settings Routing Mode ...

Page 42: ...ther routing devices in the LAN Disabled This is the setting when RIP is disabled RIP 1 is a class based routing version that does not include subnet information This is the most commonly supported version RIP 2 includes all the functionality of RIPv1 plus it supports subnet information Though the data is sent in RIP 2 format for both RIP 2B and RIP 2M the mode in which packets are sent is differe...

Page 43: ...broadcast if RIP is enabled Private Determines whether the route can be shared with other routers when RIP is enabled If the route is made private then the route will not be shared in a RIP broadcast or multicast This is only applicable for IPv4 static routes Destination the route will lead to this destination host or IP address IP Subnet Mask This is valid for IPv4 networks only and identifies th...

Page 44: ...o be configured as a secondary WAN Ethernet port or a dedicated DMZ port If the port is selected to be a secondary WAN interface all configuration pages relating to WAN2 are enabled Setup Internet Settings WAN2 Setup WAN2 configuration is identical to the WAN1 configuration with one significant exception configuration for the 3G USB modem is available only on WAN2 ...

Page 45: ...e cellular ISP that provides the 3G data plan will provide the authentication requirements to establish a connection The dial Number and APN are specific to the cellular carriers Once the connection type settings are configured and saved navigate to the WAN status page Setup Internet Settings WAN Status and Enable the WAN2 link to establish the 3G connection ...

Page 46: ...00 This is the largest packet size that can pass through the interface without fragmentation This size can be increased however large packets can introduce network lag and bring down the interface speed Note that a 1500 byte size packet is the largest allowed by the Ethernet protocol at the network layer The port speed can be sensed by the router when Auto is selected With this option the optimal ...

Page 47: ...e manufacturing process for the interfaces and can uniquely identify this router You can customize each WAN port s MAC address as needed either by letting the WAN port assume the current LAN host s MAC address or by entering a MAC address manually Figure 25 Physical WAN port settings ...

Page 48: ...ed clients in the environment but is actually running on the same physical radio integrated with this router You will need the following information to configure your wireless network Types of devices expected to access the wireless network and their supported Wi Fi modes The router s geographical region The security settings to use for securing the wireless network Profiles may be thought of as a...

Page 49: ...d key The wizard has the option to automatically generate a network key for the AP This key is the pre shared key for WPA or WPA2 type security Supported clients that have been given this PSK can associate with this AP The default auto assigned PSK is passphrase The last step in the Wizard is to click the Connect button which confirms the settings and enables this AP to broadcast its availability ...

Page 50: ...ss client The default mode is open i e no security This mode is insecure as it allows any compatible wireless clients to connect to an AP configured with this security profile To create a new profile use a unique profile name to identify the combination of settings Configure a unique SSID that will be the identifier used by the clients to communicate to the AP using this profile By choosing to bro...

Page 51: ...der wireless printer to connect to a secure AP where all the other wireless clients are using WPA2 Figure 27 List of Available Profiles shows the variety of options available to secure the wireless link 4 2 1 WEP Security If WEP is the chosen security option you must set a unique static key to be shared with clients that wish to access this secured wireless network This static key can be generated...

Page 52: ...hared with wireless clients to connect to this device Figure 28 Profile configuration to set network security 4 2 2 WPA or WPA2 with PSK A pre shared key PSK is a known passphrase configured on the AP and client both and is used to authenticate the wireless client An acceptable passphrase is between 8 to 63 characters in length ...

Page 53: ...quired to identify the server A secondary RADIUS server provides redundancy in the event that the primary server cannot be reached by the router when needed Authentication Port the port for the RADIUS server connection Secret enter the shared secret that allows this router to log into the specified RADIUS server s This key must match the shared secret on the RADIUS Server The Timeout and Retries f...

Page 54: ...available profiles This router supports multiple AP s referred to as virtual access points VAPs Each virtual AP that has a unique SSIDs appears as an independent access point to clients This valuable feature allows the router s radio to be configured in a way to optimize security and throughput for a group of clients as required by the user To create a VAP click the add button on the Setup Wireles...

Page 55: ... there are no wireless clients the start and stop time will enable disable the access point automatically Once the AP settings are configured you must enable the AP on the radio on the Setup Wireless Settings Access Points page The status field changes to Enabled if the AP is available to accept wireless clients If the AP is configured to broadcast its SSID a profile parameter a green check mark i...

Page 56: ...11b 802 11 g and 802 11n clients are expected to access the LAN via this router creating 3 VAPs will allow you to manage or shape traffic for each group of clients A unique SSID can be created for the network of 802 11b clients and another SSID can be assigned for the 802 11n clients Each can have different security parameters remember the SSID and security of the link is determined by the profile...

Page 57: ...onfigured APs Figure 32 Radio card configuration options The ratified 802 11n support on this radio requires selecting the appropriate broadcast NA or NG etc mode and then defining the channel spacing and control side band for 802 11n traffic The default settings are appropriate for most networks For example changing the channel spacing to 40 MHz can improve bandwidth at the expense of supporting ...

Page 58: ... Advanced Wireless Settings WPS WPS is a simplified method to add supporting wireless clients to the network WPS is only applicable for APs that employ WPA or WPA2 security To use WPS select the eligible VAPs from the dropdown list of APs that have been configured with this security and enable WPS status for this AP The WPS Current Status section outlines the security authentication and encryption...

Page 59: ...Push Button Configuration PBC for wireless devices that support PBC press and hold down on this button and within 2 minutes click the PBC connect button The AP will detect the wireless device and establish a link to the client More than one AP can use WPS but only one AP can be used to establish WPS links to client at any given time Figure 34 WPS configuration for an AP with WPA WPA2 profile ...

Page 60: ......

Page 61: ...fied services as defined by port number Reports and alerts that you want the router to send to you You can for example establish restricted access policies based on time of day web addresses and web address keywords You can block Internet access by applications and services on the LAN such as chat rooms or games You can block just certain groups of PCs on your network from being accessed by the WA...

Page 62: ... Policy page When the default outbound policy is allow always you can to block hosts on the LAN from accessing internet services by creating an outbound firewall rule for each service Figure 35 List of Available Firewall Rules 5 2 Defining Rule Schedules Tools Schedules Firewall rules can be enabled or disabled automatically if they are associated with a configured schedule The schedule configurat...

Page 63: ...und or inbound services rule do the following To edit a rule click the checkbox next to the rule and click Edit to reach that rule s configuration page To add a new rule click Add to be taken to a new rule s configuration page Once created the new rule is automatically added to the original table 3 Chose the From Zone to be the source of originating traffic either the secure LAN public DMZ or inse...

Page 64: ...ires configuring the router s logging feature separately QoS Priority Outbound rules where To Zone insecure WAN only can have the traffic marked with a QoS priority tag Select a priority level Normal Service ToS 0 lowest QoS Minimize Cost ToS 1 Maximize Reliability ToS 2 Maximize Throughput ToS 4 Minimize Delay ToS 8 highest QoS 6 Inbound rules can use Destination NAT DNAT for managing traffic fro...

Page 65: ...MZ In this way the LAN DMZ server can be accessed from the internet by its aliased public IP address 7 Outbound rules can use Source NAT SNAT in order to statically map bind all LAN DMZ traffic matching the rule parameters to a specific WAN interface or external IP address usually provided by your ISP Once the new or modified rule parameters are saved it appears in the master list of firewall rule...

Page 66: ...Unified Services Router User Manual 64 Figure 37 The firewall rule configuration page allows you to define the To From zone service action schedules and specify source destination IP addresses as needed ...

Page 67: ... videoconferencing to be initiated from a restricted range of outside IP addresses 132 177 88 2 132 177 88 254 from a branch office Solution Create an inbound rule as follows In the example CUSeeMe the video conference service used connections are allowed only from a specified range of external IP addresses Parameter Value From Zone Insecure WAN1 WAN2 To Zone Secure LAN Service CU SEEME UDP Action...

Page 68: ...hines Use Case Block all HTTP traffic on the weekends if the request originates from a specific group of machines in the LAN having a known range of IP addresses and anyone coming in through the Network from the WAN i e all remote users Configuration 1 Setup a schedule To setup a schedule that affects traffic on weekends only navigate to Security Schedule and name the schedule Weekend Define weeke...

Page 69: ...ekend isolates all day Saturday and Sunday from the rest of the week Figure 38 Schedule configuration for the above example 2 Since we are trying to block HTTP requests it is a service with To Zone Insecure WAN1 WAN2 that is to be blocked according to schedule Weekend ...

Page 70: ...re zone The Destination Users dropdown should be any 7 We don t need to change default QoS priority or Logging unless desired clicking apply will add this firewall rule to the list of firewall rules 8 The last step is to enable this firewall rule Select the rule and click enable below the list to make sure the firewall rule is active 5 4 Security on Custom Services Advanced Firewall Settings Custo...

Page 71: ... some cases enabling the ALG will allow the firewall to use dynamic ephemeral TCP UDP ports to communicate with the known ports a particular client application such as H 323 or RTSP requires without which the admin would have to open large number of ports to accomplish the same support Because the ALG understands the protocol used by the specific application that it supports it is a very secure an...

Page 72: ... VPN Passthrough This router s firewall settings can be configured to allow encrypted VPN traffic for IPSec PPTP and L2TP VPN tunnel connections between the LAN and internet A specific firewall rule or service is not appropriate to introduce this passthrough support instead the appropriate check boxes in the VPN Passthrough page must be enabled ...

Page 73: ...en configuring firewall rules This is because a port triggering rule does not have to reference a specific LAN IP or IP range As well ports are not left open when not in use thereby providing a level of security that port forwarding does not offer Port triggering is not appropriate for servers on the LAN since there is a dependency on the LAN device making an outgoing connection before incoming po...

Page 74: ...firewall rules web based content itself can be used to determine if traffic is allowed or dropped Content Filtering Advanced Website Filter Content Filtering Content filtering must be enabled to configure and use the subsequent features list of Trusted Domains filtering on Blocked Keywords etc Proxy servers which can be used to circumvent certain firewall rules and thus a potential security gap ca...

Page 75: ...om being downloaded Approved URLs Advanced Website Filter Approved URLs The Approved URLs is an acceptance list for all URL domain names Domains added to this list are allowed in any form For example if the domain yahoo is added to this list then all of the following URL s are permitted access from the LAN www yahoo com yahoo co uk etc ...

Page 76: ...Filter Blocked Keywords Keyword blocking allows you to block all website URL s or site content that contains the keywords in the configured list This is lower priority than the Approved URL List i e if the blocked keyword is present in a site allowed by a Trusted Domain in the Approved URL List then access to that site will be allowed ...

Page 77: ...atching the MAC address bound to it This is IP MAC Binding and by enforcing the gateway to validate the source traffic s IP address with the unique MAC Address of the configured LAN node the administrator can ensure traffic from that IP address is not spoofed In the event of a violation i e the traffic s source IP address doesn t match up with the expected MAC address having the same IP address th...

Page 78: ...tion IPS Advanced Advanced Network IPS The gateway s Intrusion Prevention System IPS prevents malicious attacks from the internet from accessing the private network Static attack signatures loaded to the device allow common attacks to be detected and prevented The checks can be enabled between the WAN and DMZ or LAN and a running counter will allow the administrator to see how many malicious intru...

Page 79: ...age WAN security threats such as continual ping requests and discovery via ARP scans TCP and UDP flood attack checks can be enabled to manage extreme usage of WAN resources Additionally certain Denial of Service DoS attacks can be blocked These attacks if uninhibited can use up processing power and bandwidth and prevent regular network services from running normally ICMP packet flooding SYN traffi...

Page 80: ...Unified Services Router User Manual 78 Figure 48 Protecting the router and LAN from internet attacks ...

Page 81: ...mote PC client is not known in advance The gateway in this case acts as a responder Remote client behind a NAT router The client has a dynamic IP address and is behind a NAT Router The remote PC client at the NAT router initiates a VPN tunnel as the IP address of the remote NAT router is not known in advance The gateway WAN port acts as responder PPTP server for LAN WAN PPTP client connections L2T...

Page 82: ...nt or gateway to establish the tunnel Determine the local gateway for this tunnel if there is more than 1 WAN configured the tunnel can be configured for either of the gateways 2 Step 2 Configure Remote and Local WAN address for the tunnel endpoints Remote Gateway Type identify the remote endpoint of the tunnel by FQDN or static IP address Remote WAN IP address FQDN This field is enabled only if t...

Page 83: ... IPSec policy with the following default values for a VPN Client or Gateway policy these can be accessed from a link on the Wizard page Parameter Default value from Wizard Exchange Mode Aggressive Client policy or Main Gateway policy ID Type FQDN Local WAN ID wan_local com only applies to Client policies Remote WAN ID wan_remote com only applies to Client policies Encryption Algorithm 3DES Authent...

Page 84: ...ther IPSec gateway or an IPSec VPN client on a host Only the data payload is encrypted and the IP header is not modified or encrypted Tunnel This mode is used for network to network IPSec tunnels where this gateway is one endpoint of the tunnel In this mode the entire IP packet including the header is encrypted and or authenticated When tunnel mode is selected you can enable NetBIOS and DHCP over ...

Page 85: ...tocol dynamically exchanges keys between two IPSec hosts The Phase 1 IKE parameters are used to define the tunnel s security association details The Phase 2 Auto policy parameters cover the security association lifetime and encryption authentication details of the phase 2 key negotiation The VPN policy is one half of the IKE VPN policy pair required to establish a Auto IPSec VPN tunnel The IP addr...

Page 86: ...PSec hosts The incoming and outgoing security parameter index SPI values must be mirrored on the remote tunnel endpoint As well the encryption and integrity algorithms and keys must match on the remote IPSec host exactly in order for the tunnel to establish successfully Note that using Auto policies with IKE are preferred as in some IPSec implementations the SPI security parameter index values req...

Page 87: ...s to a RADIUS server and passes to it the credentials that it receives from the VPN client You can secure the connection between the router and the RADIUS server with the authentication protocol supported by the server PAP or CHAP For RADIUS PAP the router first checks in the user database to see if the user credentials are available if they are not the router connects to the RADIUS server 6 3 Con...

Page 88: ...to the online help to determine how to populate the user database and or configure RADIUS authentication 6 4 PPTP L2TP Tunnels This router supports VPN tunnels from either PPTP or L2TP ISP servers The router acts as a broker device to allow the ISP s server to create a TCP control connection between the LAN VPN client and the VPN server 6 4 1 PPTP Tunnel Support Setup VPN Settings PPTP PPTP Server...

Page 89: ...bled a L2TP server is available on the router for LAN and WAN L2TP client users to access Once the L2TP server is enabled L2TP clients that are within the range of configured IP addresses of allowed clients can reach the router s L2TP server Once authenticated by the L2TP server the tunnel endpoint L2TP clients have access to the network managed by the router Figure 54 L2TP tunnel configuration L2...

Page 90: ......

Page 91: ...ileges At this point a virtual network interface is created on the user s host and this will be assigned an IP address and DNS server address from the router Once established the host machine can access allocated network resources Port Forwarding A web based ActiveX or Java client is installed on the client machine again Note that Port Forwarding service only supports TCP connections between the r...

Page 92: ...e used to assign access policies to a set of SSL users within a domain Groups are domain subsets that can be seen as types of SSL users some groups require access to all available network resources and some can be provided access to a select few With groups a very secure hierarchy of SSL VPN remote access can be created for all types of users with minimal number of policies to configure You must c...

Page 93: ...member The domain determined SSL VPN portal will be displayed when logging in with this user type XAuth User This user s authentication is performed by an externally configured RADIUS or other Enterprise server It is not part of the local user database L2TP User These are L2TP VPN tunnel LAN users that can establish a tunnel with the L2TP server on the WAN PPTP User These are PPTP VPN tunnel LAN u...

Page 94: ...l policies These policies can be applied to a specific network resource IP address or ranges on the LAN or to different SSL VPN services supported by the router The List of Available Policies can be filtered based on whether it applies to a user group or all users global A more specific policy takes precedence over a generic policy when both are applied to the same user group global domain I e a p...

Page 95: ...equent section IP address IP network or all devices on the LAN of the router Based on the selection of one of these four options the appropriate configuration fields are required i e choosing the network resources from a list of defined resources or defining the IP addresses For applying the policy to addresses the port range port number can be defined The final steps require the policy permission...

Page 96: ... saves time when creating similar policies for multiple remote SSL VPN users Adding a Network Resource involves creating a unique name to identify the resource and assigning it to one or all of the supported SSL services Once this is done editing one of the created network resources allows you to configure the object type either IP address or IP range associated with the service The Network Addres...

Page 97: ...r TCP applications must be specified as being made accessible to remote users Allowing access to a LAN server requires entering the local server IP address and TCP port number of the application to be tunneled The table below lists some common applications and corresponding TCP port numbers TCP Application Port Number FTP Data usually not needed 20 FTP Control Protocol 21 SSH 22 Telnet 23 SMTP sen...

Page 98: ...ation Setup VPN Settings SSL VPN Client SSL VPN Client An SSL VPN tunnel client provides a point to point connection between the browser side machine and this router When a SSL VPN client is launched from the user portal a network adapter with an IP address from the corporate subnet DNS and WINS settings is automatically created This allows local applications to access services on the private netw...

Page 99: ...router Split tunnel mode only sends traffic to the private LAN based on pre specified client routes These client routes give the SSL client access to specific private networks thereby allowing access control over specific LAN services Setup VPN Settings SSL VPN Client Configured Client Routes If the SSL VPN client is assigned an IP address in a different subnet than the corporate network a client ...

Page 100: ...work through an SSL tunnel either using the Port Forwarding or VPN tunnel service they login through a user portal This portal provides the authentication fields to provide the appropriate access levels and privileges as determined by the router administrator The domain where the user account is stored must be specified and the domain determines the authentication method and portal layout screen p...

Page 101: ...te users During domain setup configured portal layouts are available to select for all users authenticated by the domain The default portal LAN IP address is https 192 168 10 1 scgi bin userPortal portal This is the same page that opens when the User Portal link is clicked on the SSL VPN menu of the router GUI The router administrator creates and edits portal layouts from the configuration pages i...

Page 102: ...Unified Services Router User Manual 100 Figure 64 SSL VPN Portal configuration ...

Page 103: ...n obtain a digital certificate from a well known Certificate Authority CA such as VeriSign or generate and sign your own certificate using functionality available on this gateway The gateway comes with a self signed certificate and this can be replaced by one signed by a CA as per your networking requirements A CA certificate provides strong assurance of the server s identity and is a requirement ...

Page 104: ...is field Serial Number The serial number is maintained by the CA and used to identify this signed certificate Issuer Name This is the CA name that issued signed this certificate Expiry Time The date after which this signed certificate becomes invalid you should renew the certificate before it expires To request a self certificate to be signed by a CA you can generate a Certificate Signing Request ...

Page 105: ...interface The user type is set in the Advanced Users Users page The Admin or Guest user can be configured to access the router GUI from the LAN or the Internet WAN by enabling the corresponding Login Policy Figure 67 User Login policy configuration 9 1 1 Remote Management Both HTTPS and telnet access can be restricted to a subset of IP addresses The router administrator can define a known PC singl...

Page 106: ...outers in a network are being managed by a central Master system When an external SNMP manager is provided with this router s Management Information Base MIB file the manager can update the router s hierarchal variables to view or update configuration parameters The router as a managed device has an SNMP agent that allows the MIB configuration variables to be accessed by the Master the SNMP manage...

Page 107: ...gure 69 SNMP Users Traps and Access Control Tools Admin SNMP System Info The router is identified by an SNMP manager via the System Information The identifier settings The SysName set here is also used to identify the router for SysLog logging ...

Page 108: ...lock RTC If the router has access to the internet the most accurate mechanism to set the router time is to enable NTP server communication Accurate date and time on the router is critical for firewall schedules Wi Fi power saving support to disable APs at certain times of the day and accurate logging Please follow the steps below to configure the NTP server 1 Select the router s time zone relative...

Page 109: ...tacks or errors when they are detected by the router The following sections describe the log configuration settings and the ways you can access these logs 9 4 1 Defining What to Log Tools Log Settings Logs Facility The Logs Facility page allows you to determine the granularity of logs to receive from the router There are three core components of the router referred to as Facilities Kernel This ref...

Page 110: ... Notification Information Debugging When a particular severity level is selected all events with severity equal to and greater than the chosen severity are captured For example if you have configured CRITICAL level logging for the Wireless facility then 802 11 logs with severities CRITICAL ALERT and EMERGENCY are logged The severity levels available for logging are EMERGENCY system is unusable ALE...

Page 111: ...e the type of traffic through the router that is logged for display in Syslog E mailed logs or the Event Viewer Denial of service attacks general attack information login attempts dropped packets and similar events can be captured for review by the IT administrator Traffic through each network segment LAN WAN DMZ can be tracked based on whether the packet was accepted or dropped by the firewall Ac...

Page 112: ...AN machine tries to make an ssh connection those packets will be dropped and a message will be logged Make sure the log option is set to allow for this firewall rule Enabling accepted packet logging through the firewall may generate a significant volume of log messages depending on the typical network traffic This is recommended for debugging purposes only In addition to network segment logging un...

Page 113: ...t device s logs Once you enable the option to e mail logs enter the e mail server s address IP address or FQDN of the SMTP server The router will connect to this server when sending e mails out to the configured addresses The SMPT port and return e mail addresses are required fields to allow the router to package the logs and send a valid e mail that is accepted by one of the configured send to ad...

Page 114: ...hould send out logs E mail logs can be sent out based on a defined schedule by first choosing the unit i e the frequency of sending logs Hourly Daily or Weekly Selecting Never will disable log e mails but will preserve the e mail server settings Figure 74 E mail configuration as a Remote Logging option An external Syslog server is often used by network administrator to collect and store logs from ...

Page 115: ...bled Syslog server once you save this configuration page s settings Figure 75 Syslog server configuration for Remote Logging continued 9 4 3 Event Log Viewer in GUI Status Logs View All Logs The router GUI lets you observe configured log messages from the Status menu Whenever traffic through or to the router matches the settings determined in the Tools Log Settings Logs Facility or Tools Log Setti...

Page 116: ... factory default settings or execute a soft reboot of the router IMPORTANT During a restore operation do NOT try to go online turn off the router shut down the PC or do anything else to the router until the operation is complete This will take approximately 1 minute Once the LEDs are turned off wait a few more seconds before doing anything with the router For backing up configuration or restoring ...

Page 117: ...irmware You can upgrade to a newer software version from the Administration web page In the Firmware Upgrade section to upgrade your firmware click Browse locate and select the firmware image on your host and click Upgrade After the new firmware image is validated the new image is written to flash and the router is automatically rebooted with the new firmware The Firmware Information and also the ...

Page 118: ...mic DNS Dynamic DNS DDNS is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names To use DDNS you must setup an account with a DDNS provider such as DynDNS org D Link DDNS or Oray net Each configured WAN can have a different DDNS service if required Once configured the router will update DDNS services changes in the WAN IP address so tha...

Page 119: ...ter User Manual 117 Figure 79 Dynamic DNS configuration 9 8 Using Diagnostic Tools Tools System Check The router has built in tools to allow an administrator to evaluate the communication status and overall network health ...

Page 120: ...nd another device on the network connected to this router Enter an IP address and click PING The command output will appear indicating the ICMP echo request status 9 8 2 Trace Route This utility will display all the routers present between the destination IP address and this router Up to 30 hops intermediate routers between this router and the destination will be displayed ...

Page 121: ...ating Unknown Host indicates that the specified Internet Name does not exist This feature assumes there is internet access available on the WAN link s 9 8 4 Router Options The static and dynamic routes configured on this router can be shown by clicking Display for the corresponding routing table Clicking the Packet Trace button will allow the router to capture and display traffic through the devic...

Page 122: ...marized on the router s Dashboard 10 1 1 Device Status Status Device Info Device Status The Device Status page gives a summary of the router configuration settings configured in the Setup and Advanced menus The static hardware serial number and current firmware version are presented in the General section The WAN and LAN interface information shown on this page are based on the administrator confi...

Page 123: ...Unified Services Router User Manual 121 Figure 82 Device Status display ...

Page 124: ...rdware and usage statistics The CPU and Memory utilization is a function of the available hardware and current configuration and traffic through the router Interface statistics for the wired connections LAN WAN1 WAN2 DMZ VLANs provide indication of packets through and packets dropped by the interface Click refresh to have this page retrieve the most current statistics ...

Page 125: ...Unified Services Router User Manual 123 Figure 84 Resource Utilization statistics ...

Page 126: ...Unified Services Router User Manual 124 ...

Page 127: ...Unified Services Router User Manual 125 Figure 85 Resource Utilization data continued ...

Page 128: ...ecific packet level information provided for review Transmitted received packets port collisions and the cumulating bytes sec for transmit receive directions are provided for each interface along with the port up time If you suspect issues with any of the wired ports this table will help diagnose uptime or transmit level issues with the port The statistics table has auto refresh control which allo...

Page 129: ...ess link If you suspect that a radio or VAP may be down the details on this page would confirm if traffic is being sent and received through the VAP The clients connected to a particular AP can be viewed by using the Status Button on the list of APs in the Setup Wireless Access Points page Traffic statistics are shown for that individual AP as compared to the summary stats for each AP on this Stat...

Page 130: ... AP specific statistics 10 3 Active Connections 10 3 1 Sessions through the Router Status Active Sessions This table lists the active internet sessions through the router s firewall The session s protocol state local and remote IP addresses are shown ...

Page 131: ...Unified Services Router User Manual 129 Figure 89 List of current Active Firewall Sessions ...

Page 132: ... time connected to the corresponding AP The statistics table has auto refresh control which allows display of the most current port level data at each page refresh The default auto refresh for this page is 10 seconds Figure 90 List of connected 802 11 clients per AP 10 3 3 LAN Clients Status LAN Clients The LAN clients to the router are identified by an ARP scan through the LAN switch The NetBios ...

Page 133: ...ed packets since the tunnel was established If a VPN policy state is IPSec SA Not Established it can be enabled by clicking the Connect button of the corresponding policy The Active IPSec SAs table displays a list of active IPSec SAs Table fields are as follows Field Description Policy Name IKE or VPN policy associated with this SA Endpoint IP address of the remote VPN gateway or client Tx KB Kilo...

Page 134: ... Description User Name The SSL VPN user that has an active tunnel or port forwarding session to this router IP Address IP address of the remote VPN client Local PPP Interface The interface WAN1 or WAN2 through which the session is active Peer PPP Interface IP The assigned IP address of the virtual network adapter Connect Status Status of the SSL connection between this router and the remote VPN cl...

Page 135: ...o factory defaults this sets the firewall s IP address to 192 168 10 1 5 If you do not want to reset to factory default settings and lose your configuration reboot the router and use a packet sniffer such as Ethereal to capture packets sent during the reboot Look at the Address Resolution Protocol ARP packets to locate the router s LAN interface address 6 Launch your browser and ensure that Java J...

Page 136: ...indicate that it has resynchronized with the ISP reapply power to the router If the router still cannot obtain an ISP address see the next symptom Symptom Router still cannot obtain an IP address from the ISP Recommended action 1 Ask your ISP if it requires a login program PPP over Ethernet PPPoE or some other type of login 2 If yes verify that your configured login name and password are correct 3...

Page 137: ...ime 2 Verify your Internet access settings Symptom Time is off by one hour Possible cause The router does not automatically adjust for Daylight Savings Time Recommended action 1 Select Administration Time Zone and view the current date and time settings 2 Click to check or uncheck Automatically adjust for Daylight Savings Time then click Apply 11 3 Pinging to Test LAN Connectivity Most TCP IP term...

Page 138: ...ation and firewall 6 If the path is still not up test the network configuration Verify that the Ethernet card driver software and TCP IP software are installed and configured on the PC Verify that the IP address for the router and PC are correct and on the same subnet 11 3 2 Testing the LAN path from your PC to a remote device 1 From the PC s Windows toolbar select Start Run 2 Type ping n 10 IP_ad...

Page 139: ...e your firewall to clone or spoof the MAC address from the authorized PC 11 4 Restoring factory default configuration settings To restore factory default configuration settings do either of the following 1 Do you know the account password and IP address If yes select Administration Settings Backup Upgrade and click default If no do the following On the rear panel of the router press and hold the R...

Page 140: ......

Page 141: ...Chapter 12 Credits Microsoft Windows are registered trademarks of Microsoft Corp Linux is a registered trademark of Linus Torvalds UNIX is a registered trademark of The Open Group ...

Page 142: ...encryption keys in ISAKMP as part of building a VPN tunnel IPSec IP security Suite of protocols for securing VPN tunnels by authenticating or encrypting IP packets in a data stream IPSec operates in either transport mode encrypts payload but not packet headers or tunnel mode encrypts both payload and packet headers ISAKMP Internet Key Exchange Security Protocol Protocol for establishing security a...

Page 143: ...e Internet with guaranteed reliability and in order delivery UDP User Data Protocol Protocol for transmitting data over the Internet quickly but with no guarantee of reliability or in order delivery VPN Virtual private network Network that enables IP traffic to travel securely over a public TCP IP network by encrypting all traffic from one network to another Uses tunneling to encrypt all informati...

Page 144: ......

Page 145: ...92 168 10 1 IPv4 subnet mask 255 255 255 0 RIP direction None RIP version Disabled RIP authentication Disabled DHCP server Enabled DHCP starting IP address 192 168 10 2 DHCP ending IP address 192 168 10 100 Time zone GMT Time zone adjusted for Daylight Saving Time Disabled SNMP Disabled Remote management Disabled Firewall Inbound communications from the Internet Disabled except traffic on port 80 ...

Page 146: ...P DNS UDP DNS TCP FINGER FTP HTTP HTTPS ICMP TYPE 3 ICMP TYPE 4 ICMP TYPE 5 ICMP TYPE 6 ICMP TYPE 7 ICMP TYPE 8 ICMP TYPE 9 ICMP TYPE 10 ICMP TYPE 11 ICMP TYPE 13 ICQ IMAP2 IMAP3 IRC NEWS NFS NNTP PING POP3 PPTP RCMD REAL AUDIO REXEC RLOGIN RTELNET RTSP TCP RTSP UDP SFTP SMTP SNMP TCP SNMP UDP SNMP TRAPS TCP SNMP TRAPS UDP SQL NET SSH TCP SSH UDP STRMWORKS TACACS TELNET TFTP VDOLIVE ...

Page 147: ...lt FAILED DEBUG sqlite3QueryResGet failed Query s ERROR doDNS Result SUCCESS DEBUG ddns SQL error s ERROR Write Old Entry s s s to s DEBUG Illegal operation interface got deleted ERROR Write New Entry s s s to s DEBUG sqlite3QueryResGet failed Query s ERROR Write Old Entry s s s to s DEBUG sqlite3QueryResGet failed Query s ERROR Write New Entry s s s to s DEBUG sqlite3QueryResGet failed Query s ER...

Page 148: ...ess s DEBUG failed to open s ERROR nimfMacGet MacAddress s DEBUG failed to open s ERROR nimfMacGet MacAddress s DEBUG failed to query networkInterface table ERROR nimfMacGet Mac option Not changed DEBUG failed to query networkInterface table ERROR nimfMacGet MacAddress s DEBUG sqlite3QueryResGet failed Query s ERROR nimfMacGet MacAddress s DEBUG failed to enable IPv6 forwarding ERROR nimfMacGet Ma...

Page 149: ...g interface advanced ERROR Invalid lanmask DEBUG nimfAdvOptSetWrap error getting MTU size ERROR Invalid option DEBUG nimfAdvOptSetWrap unable to get Mac Address ERROR Failed to set config info DEBUG nimfAdvOptSetWrap error setting interface advanced ERROR Unknown option DEBUG nimfAdvOptSetWrap failed to get old connectiontype ERROR sshdTblHandler DEBUG nimfAdvOptSetWrap old connection type is s ER...

Page 150: ...itchConfig for port enable ERROR failed query s DEBUG Failed to execute ifconfig for port enable ERROR vlan disabled not applying vlan configuration DEBUG Failed to execute ethtool for ERROR removing s from bridge s s DEBUG Failed to execute switchConfig for port disable ERROR adding s to bridge d s DEBUG Failed to execute ifconfig for port disable ERROR restarting bridge DEBUG sqlite3QueryResGet ...

Page 151: ...ueryResGet failed DEBUG Failed to set vlan entries while enabling ERROR Failed to remove vlan Interface for vlanId DEBUG sqlite3QueryResGet failed ERROR sqlite3QueryResGet failed DEBUG Failed to execute vlanConfig binary for port number d ERROR Invalid oidp passed DEBUG Failed to execute vlanConfig binary for vlanId d ERROR Invalid oidp passed DEBUG Failed to enable vlan ERROR Failed to get oid fr...

Page 152: ... update handler ERROR pid d DEBUG are we getting invoked twice ERROR PID File for pptpd interface found DEBUG could not open s to append ERROR pid d DEBUG could not write nameserver s to s ERROR options pptpd file found DEBUG could not write nameserver s to s ERROR options pptpd file not found DEBUG could not open s to truncate ERROR Conf File for pptpd found DEBUG dnsResolverConfigMgmtInit unable...

Page 153: ...ndMgmt unable to open the ERROR pptpMgmtTblHandler MppeEncryptSupport s DEBUG Can t kill pptpd ERROR pptpMgmtTblHandler SplitTunnel s DEBUG pptpd restart failed ERROR pptpEnable ppp dial string s DEBUG Can t kill pptpd ERROR pptpEnable spawning command s DEBUG failed to get field value ERROR PID File for dhcpc found DEBUG failed to get field value ERROR pid d DEBUG unboundMgmt unable to open the E...

Page 154: ...UG pptpMgmtTblHandler dbRecordValueGet failed for s ERROR l2tpEnable command string s DEBUG pptpMgmtTblHandler pptp enable failed ERROR PID File for dhcpc found DEBUG pptpMgmtTblHandler pptp disable failed ERROR pid d DEBUG pptpMgmtDBUpdateHandler sqlite3QueryResGet ERROR l2tpMgmtDBUpdateHandler query string s DEBUG pptpMgmtDBUpdateHandler error in executing ERROR l2tpMgmtDBUpdateHandler returning...

Page 155: ...erver configuration update failed ERROR Failed to stop tcpdump ERROR DHCPv6 Server Restart failed ERROR Invalid tcpdumpEnable value ERROR sqlite3QueryResGet failed Query s ERROR Facility System VPN Log Message Severity Log Message Severity d command not supported by eapAuth DEBUG PEAP key derive ERROR ERROR pCtx NULL DEBUG PEAP context is NULL ERROR ERROR Current cert subject name s DEBUG Construc...

Page 156: ...t get Acknowledged result ERROR ERROR Got fragment n DEBUG Cannot understand AVP value ERROR ERROR Got last fragment DEBUG eapExtResp is NULL ERROR ERROR Got unfragmented message DEBUG eapWscCtxCreate EAPAUTH_MALLOC failed ERROR Got frag ack DEBUG eapWscProcess umiIoctl req to WSC failed status d ERROR Ext AVP parsed flags 0x x DEBUG eapWscCheck Invalid frame ERROR Mandatory bit not set WARNING DE...

Page 157: ...sponse ERROR ERROR Default EAP method state d decision d DEBUG Error checking authenticator response ERROR TTLS pkt data len d flags 0x x DEBUG Error generating NT response ERROR Got start DEBUG Username string more than 256 ASCII characters ERROR ERROR Got first fragment n DEBUG Invalid Value Size ERROR Got fragment n DEBUG Invalid MS Length Got d expected d ERROR Got last fragment DEBUG Error co...

Page 158: ...DEBUG Unexpected tlsGlueContinue return value ERROR Send req ptr 0x x Send resp ptr 0x x DEBUG NULL request or response PDU or NULL context ERROR Request ptr 0x x DEBUG Protocol version mismatch ERROR ERROR Response ptr 0x x DEBUG Creating receive buffer ERROR ERROR Rcvd AVP Code ul DEBUG Setting first fragment ERROR ERROR Rcvd AVP flags 0x 02x DEBUG Setting fragment ERROR ERROR Rcvd AVP len ul DE...

Page 159: ...tializing cipher context ERROR malloc failed ERROR Error creating digest context ERROR BIO_new_mem_buf failed ERROR Error initializing digest context ERROR malloc failed ERROR Error initializing DES in Klite ERROR BIO_new_mem_buf failed ERROR Error initializing MD4 in Klite ERROR SSL_CTX_new TLSv1_client_method failed ERROR Error initializing RC4 in Klite ERROR unable to set user configured CIPHER...

Page 160: ...R eapAuthTypeToType Invalid eapAuthType d ERROR invalid certificate data ERROR eapTypeToAuthType Invalid eapType d ERROR Query s ERROR unable to create method context ERROR Query s ERROR method ctxCreate failed ERROR Memory allocation failed ERROR Invalid condition methodState d respMethod d ERROR X509_ERROR Failed to validate the certficate ERROR A EAP Ctx map already exists ERROR Memory allocati...

Page 161: ...ng events enabled DEBUG radPairLocate Attribute d has invalid length ERROR s DEBUG radPairUnpackDefault Unknown Attribute d ERROR Mail sent and the Database is reset DEBUG radConfigure can t open s s ERROR Disabled syslog server DEBUG radConfigure s line d bogus format s ERROR Event logs are full sending logs to email DEBUG radConfAssert No AuthServer Specified ERROR Email logs sending failed DEBU...

Page 162: ...de d ERROR RADIUS Configured DEBUG radEapRecvTask Packet length mismatch d d ERROR d Server s d with DEBUG No attributes received in Access Challenge message ERROR DBUpdate event Table s opCode d rowId d DEBUG No State Attribute in Access Challenge message ERROR Host IP address s DEBUG radEapRecvTask ERROR Adding Packet for existing cookie p DEBUG failed to initialize UMI ERROR Adding Packet and c...

Page 163: ...s DEBUG default reached ERROR Could not read data from file DEBUG Unable to initialize ntpControl ERROR ntpTblHandler DEBUG ntpMgmt Couldn t open database s ERROR status d DEBUG ERROR incomplete DB update information ERROR tz d DEBUG empty update nRows d nCols d ERROR DayLightsaving d DEBUG Error in executing DB update handler ERROR pNtpControl ServerNames PRIMARY_SERVER s DEBUG requestNtpTime Inv...

Page 164: ... disconnected for old usb type DEBUG Sqlite update failed ERROR s 4 Disabled old usb type Now DEBUG USB1 Touch failed ERROR usbdevice is d s d DEBUG USB2 Touch failed ERROR USB failed to begin transaction s DEBUG Sqlite update failed ERROR USB SQL error s pSetString s DEBUG Failed query s ERROR USB failed to commit transaction s DEBUG Failed to execute usb database update handler ERROR USB updated...

Page 165: ... ERROR RADVD start failed ERROR sqlite3_mprintf failed ERROR RADVD stop failed ERROR no component id matching s ERROR failed to create open RADVD configuration file s ERROR umiIoctl s UMI_CMD_DB_UPDATE d failed ERROR Restoring old configuration ERROR sqlite3_mprintf failed ERROR failed to write update RADVD configuration file ERROR sqlite3_mprintf failed ERROR upnpDisableFunc failed ERROR no compo...

Page 166: ...ace DEBUG Disabling Firewall Rule for DHCP Relay Protocol DEBUG Disabling attack check for Stealth mode for tcp DEBUG Enabling Firewall Rule for DHCP Relay Protocol DEBUG Disabling attack check for Stealth mode for udp DEBUG prerouting Firewall Rule add for Relay failed DEBUG Disabling attack check for TCP Flood DEBUG prerouting Firewall Rule add for Relay failed DEBUG Disabling attack check for U...

Page 167: ...oup s DEBUG src firewall linux user firewalld c 60 un def ADP_DEBUG DEBUG Deleting lan host s from group s DEBUG src firewall linux user firewalld c 62 def ine ADP_DEBUG printf DEBUG Adding lan host s from group s DEBUG Restarting traffic meter with d mins d hours DEBUG Disabling Firewall Rule for IGMP Protocol DEBUG Updating traffic meter with d mins d hours DEBUG Enabling Firewall Rule for IGMP ...

Page 168: ...nabling DROP for INPUT DEBUG Enabling rule port triggering for protocol UDP DEBUG Enabling DROP for FORWARD DEBUG Enabling rule port triggering for protocol TCP DEBUG Disabling NAT based Firewall Rules DEBUG Enabling rule port triggering for protocol UDP DEBUG Enabling Firewall Rules for URL Filtering DEBUG Enabling DNS proxy DEBUG Adding Firewall Rule for RIP Protocol DEBUG Restarting DNS proxy D...

Page 169: ...ction s DEBUG Failed to s traffic from s to s to IPS ERROR s firewall rule s for service s with action s DEBUG failed to start IPS service ERROR Added firewall rule s for service s with action s DEBUG Timeout in waiting for IPS service to start ERROR Deleting inbound WAN LAN firewall rule DEBUG Usage s DBFile opType tblName rowId ERROR Deleting inbound WAN DMZ firewall rule DEBUG xlr8NatConfig ill...

Page 170: ...ved DEBUG KDOT11_GET_PARAM IEEE80211_I OC_CHANNEL failed ERROR unexpected reply from d cmd d DEBUG Failed to get the channel setting for s ERROR unexpected reply from d cmd d DEBUG sqlite3QueryResGet failed Query s ERROR Recvied DOT11_EAPOL_KEYMSG DEBUG sqlite3QueryResGet failed Query s ERROR shutting down AP s DEBUG profile s not found ERROR APCtx Found DEBUG sqlite3QueryResGet failed Query s ERR...

Page 171: ...c 1314 ADP_ERROR ERROR processing pairwise key message 2 DEBUG BSSID value passed is NULL ERROR RSN IE matching OK DEBUG reserved requestId is passed ERROR processing pairwise key message 4 DEBUG interface name is NULL ERROR processing group key message 2 DEBUG IP address value passed is NULL ERROR processing key request message from client DEBUG opening receive UDP socket failed ERROR WPA version...

Page 172: ...1InstallProfile unable to get interface index ERROR Failed to process user request DEBUG adpHmacInit s failed ERROR Failed to process user request s d DEBUG interface s not found ERROR pnacIfConfigUmiIoctl umiIoctl failed DEBUG AP not found on s ERROR pnacIfConfigUmiIoctl usrPnac returned d DEBUG keyLen PNAC_KEY_MAX_SIZE ERROR pnacIfConfigUmiIoctl usrPnac returned d DEBUG Invalid profile name pass...

Page 173: ...LEN failed ERROR pnacRecvASInfoMessage suppTimeout set to d DEBUG KDOT11_SET_PARAM IEEE80211_I OC_UCASTCIPHERS failed ERROR PORT SUCCESSFULLY DESTROYED DEBUG KDOT11_SET_PARAM IEEE80211_I OC_KEYMGTALGS failed ERROR creating physical port for s DEBUG KDOT11_SET_PARAM IEEE80211_I OC_WPA failed ERROR pnacAuthInit using defualt pnacAuthParams DEBUG unknow cipher type d ERROR pnacSuppInit using defualt ...

Page 174: ...heck failed ERROR doing pnacTxLogoff DEBUG wpaAuthRecvKeyReq unexpected packet received ERROR doing pnacTxRspId 1st cond DEBUG wpaAuthRecvKeyReq keyDataLength not zero ERROR doing pnacTxRspId entering 2nd cond DEBUG wpaAuthRecvKeyReq mic check failed ERROR from pnacTxRspId code d identifier d length d DEBUG invalid OUI x x x ERROR doing pnacTxRspId 2nd cond DEBUG s invalid OUI x x x ERROR doing pn...

Page 175: ...create a raw socket ERROR adpRand failed unable to generate random unicast key WARN pnacIsInterfaceUp failed to get interface flags ERROR using group key as unicast key WARN failed to allocate buffer ERROR Integrity check failed more than once in last 60 secs WARN UMI initialization failed ERROR MIC failed twice in last 60 secs taking countermeasures WARN UMI initialization failed ERROR Failed to ...

Page 176: ...ved Invalid IE data from WSC ERROR pnacIfNameToIndex failed ERROR Recd IE data for non existent AP s ERROR pnacPhyPortParamSet device invalid s d ERROR Recd WSC Start command without interface name ERROR pnacPhyPortParamSet EIOCGADDR ioctl failed ERROR Recd WSC start for non existent AP s ERROR pnacPhyPortParamSet multicast addr add ioctl failed ERROR Recd WSC start for wrong AP s ERROR pnacPhyPor...

Page 177: ...s not exist ERROR Error from pnacAuthConfig pAsArg cannot be NULL ERROR SSID should not be longer than d ERROR Error from pnacAuthConfig receive routine hook ERROR Profile s does not exist ERROR pnacAuthConfig pnacAuthInit failed ERROR Profile s does not exist ERROR kpnacPortPaeConfig failed ERROR Profile s does not exist ERROR Invalid arguments ERROR Profile s does not exist ERROR Error from pnac...

Page 178: ...or from pnacEAPPktCreate basic pkt create failed ERROR Profile s does not exist ERROR Error from pnacTxCannedFail eap pkt create failed ERROR Profile s does not exist ERROR Error from pnacTxCannedSuccess eap pkt create failed ERROR Profile s does not exist ERROR Error from pnacTxReqId eap pkt create failed ERROR invalid type value d supported values are 1 2 3 4 ERROR Error from pnacTxReq eap pkt c...

Page 179: ...te event expected on dot11RogueAP ERROR unable to create new EAP context ERROR sqlite3QueryResGet failed ERROR unable to apply s profile on the EAP context ERROR unhandled database operation d ERROR pnacUmiAuthConfig could not configure PNAC PAE ERROR sqlite3QueryResGet failed ERROR pnacUmiSuppConfig Invalid config data ERROR failed to configure WPS on s ERROR pnacUmiSuppConfig Invalid backend nam...

Page 180: ...BUG s d bad sequence number d expected d DEBUG TKIP DEBUG PPPIOCDETACH file f_count d DEBUG s cannot map channel to mode freq u flags 0x x DEBUG PPP outbound frame not passed DEBUG s s vap iv_dev name buf DEBUG PPP VJ decompression error DEBUG s s s vap iv_dev name DEBUG PPP inbound frame not passed DEBUG s s s vap iv_dev name ether_sprintf mac buf DEBUG PPP reconstructed packet DEBUG s s discard ...

Page 181: ...EBUG s module use_count is d __FUNCTION__ mod_use_count DEBUG s 0x p len u tag p len DEBUG PPPOL2TP s _fmt DEBUG 03d i DEBUG PPPOL2TP s __FUNCTION__ DEBUG 02x u_int8_t p i DEBUG PPPOL2TP s __FUNCTION__ DEBUG first difference at byte u i DEBUG s recv tunnel name DEBUG s t name DEBUG s xmit session name DEBUG FAIL ieee80211_crypto_newkey failed DEBUG s xmit session name DEBUG FAIL ieee80211_crypto_s...

Page 182: ...not compare DEBUG a guy asks for address mask Who is it DEBUG FAIL ccmp decap failed DEBUG icmp v4 hw csum failure DEBUG FAIL decap botch length mismatch DEBUG expire u d d d expire DEBUG FAIL decap botch data does not compare DEBUG expire u d d d expire DEBUG PASS DEBUG rt_cache 02x u u u u hash DEBUG u of u 802 11i AES CCMP test vectors passed pass total DEBUG rt_bind_peer 0 p NET_CALLER iph DEB...

Page 183: ..._VA_ARGS__ DEBUG expire u d d d expire DEBUG s Warning using only u entries in u key cache DEBUG rt_cache 02x u u u u hash DEBUG s TX99 support enabled dev name DEBUG rt_bind_peer 0 p DEBUG s grppoll Buf allocation failed __func__ DEBUG ip_rt_advice redirect to DEBUG s s unable to start recv logic DEBUG ip_rt_bug u u u u u u u u s DEBUG s s unable to start recv logic DEBUG s lookup policy list fou...

Page 184: ...allocation failed DEBUG ip_conntrack can t register local_out defrag hook DEBUG s HAL qnum u out of range max u DEBUG ip_conntrack can t register pre routing hook DEBUG s AC u out of range max u DEBUG ip_conntrack can t register local out hook DEBUG s unable to update hardware queue DEBUG ip_conntrack can t register local in helper hook DEBUG s bogus frame type 0x x s dev name DEBUG ip_conntrack c...

Page 185: ...tCtxEnqueue Calling xlr8NatIpFinishOutput status DEBUG ip_conntrack version s u buckets d max DEBUG xlr8NatSoftCtxEnqueue xlr8NatIpFinishOutput returned d status DEBUG ERROR registering port d DEBUG icmpExceptionHandler Exception DEBUG netfilter PSD loaded c astaro AG DEBUG fragExceptionHandler Exception DEBUG netfilter PSD unloaded c astaro AG DEBUG algExceptionHandler Exception DEBUG s SELF DEBU...

Page 186: ...DEBUG ERROR Failed to add entry to ipsec sa table DEBUG GATEWAY u u u u DEBUG ERROR Failed to add entry to ipsec sa table DEBUG MTU u ntohs ich un frag mtu DEBUG ERROR Failed to add entry to ipsec sa table DEBUG PROTO AH DEBUG ERROR Failed to add entry to ipsec sa table DEBUG INCOMPLETE u bytes DEBUG unknown oid s varName DEBUG SPI 0x x ntohl ah spi DEBUG could not find oid pointer for s varName D...

Page 187: ...ed to create procfs entry INFO ip_ct_q931 decoding error s DEBUG IPT_ACCOUNT_NAME checkentry failed to register match INFO ip_ct_q931 packet dropped DEBUG failed to create procfs entry INFO ip_ct_ras decoding error s DEBUG MPPE MPPC encryption compression module registered INFO ip_ct_ras packet dropped DEBUG MPPE MPPC encryption compression module unregistered INFO ERROR registering port d DEBUG P...

Page 188: ...end unregistered INFO s Len d msg len DEBUG wlan s acl policy registered iac iac_name INFO 02x uint8_t ptr i DEBUG wlan s acl policy unregistered iac iac_name INFO End DEBUG s tmpbuf INFO CVM_MOD_EXP_BASE MISMATCH cmd x base x cmd DEBUG VLAN2 INFO op sizeofptr ld op sizeofptr DEBUG VLAN3 INFO opcode cmd x cmd DEBUG VLAN4 d d INFO modexp opcode received DEBUG s s dev_info version INFO Memory Alloca...

Page 189: ...O bwMonitor multipath selection disabled DEBUG Unknown autocreate mode s INFO weightedHopPrefer set to d weightedHopPrefer DEBUG s s mem 0x lx irq d INFO bwMonitor sysctl registration failed DEBUG s s dev_info version INFO bwMonitor sysctl registered DEBUG s driver unloaded dev_info INFO bwMonitor sysctl not registered DEBUG s s dev_info version INFO Unregistered bwMonitor sysctl DEBUG s unloaded ...

Page 190: ...led Passed DEBUG mark only supports 32bit mark WARNIN G 3DES Software Test DEBUG ipt_time invalid argument WARNIN G 3DES Software Test s des3SoftTest 0 Failed Passed DEBUG ipt_time IPT_DAY didn t matched WARNIN G 3DES Hardware Test DEBUG Logs_kernel txt 45 KERN_WARNING WARNIN G 3DES Hardware Test s des3HardTest 0 Failed Passed DEBUG Logs_kernel txt 59 KERN_WARNING WARNIN G DES Software Test DEBUG ...

Page 191: ...odule_get failed WARNIN G SHA Software Test Duration d d DEBUG s unknown pairwise cipher d WARNIN G SHA Hardware Test d iterations iter DEBUG s unknown group cipher d WARNIN G SHA Hardware Test Duration d d DEBUG s unknown SIOCSIWAUTH flag d WARNIN G MD5 Software Test d iterations iter DEBUG s unknown SIOCGIWAUTH flag d WARNIN G MD5 Software Test Duration d d DEBUG s unknown algorithm d WARNIN G M...

Page 192: ...DBA send failed recipient is not a 11n node DEBUG martian source u u u u from WARNIN G Cannot Set Rate x value DEBUG ll header WARNIN G Getting Rate Series x vap iv_fixed_rate series DEBUG u u u u sent an invalid ICMP WARNIN G Getting Retry Series x vap iv_fixed_rate retries DEBUG dst cache overflow WARNIN G IC Name s ic ic_dev name DEBUG Neighbour table overflow WARNIN G usage rtparams rt_idx 0 1...

Page 193: ...BUG s cannot load SHA1 module fname ERROR s s s vap iv_dev name ether_sprintf mac buf DEBUG s CryptoAPI SHA1 digest size too small fname ERROR s s discard s frame s vap iv_dev name DEBUG s cannot allocate space for SHA1 digest fname ERROR s s discard frame s vap iv_dev name DEBUG s d trying to write outside history ERROR s s discard s information element s DEBUG s d trying to write outside history...

Page 194: ...ls vap iv_dev name DEBUG s d trying to write outside history ERROR Atheros HAL assertion failure s line u s DEBUG s d trying to write outside history ERROR ath_hal logging to s s ath_hal_logfile DEBUG s d too big uncompressed packet d ERROR ath_hal logging disabled DEBUG s d encryption negotiated but not an ERROR s s sep ath_hal_buildopts i DEBUG s d error not an MPPC or MPPE frame ERROR ath_pci N...

Page 195: ...nded at ERROR ath_hal logging to s s ath_hal_logfile DEBUG s s d BAD SESSION MAGIC ERROR ath_hal logging disabled DEBUG s s d BAD TUNNEL MAGIC ERROR s s sep ath_hal_buildopts i DEBUG msg msg_namelen wrong d msg msg_namelen ERROR failed to allocate rx descriptors d error DEBUG addr family wrong d usin sin_family ERROR ath_stoprecv rx queue p link p DEBUG udp addr x hu usin sin_addr s_addr usin sin_...

Page 196: ...ering char device failed ERROR p 08x 08x 08x 08x 08x 08x 08x 08x 08x 08x 08x 08x DEBUG unregistering char device failed ERROR d p lu 0x x 0x x 0x p 0x x 0x x 0x x 0x x DEBUG proc entry delete failed ERROR 08x 08x 08x 08x 08x 08x 08x 08x 08x 08x 08x 08x DEBUG proc entry initialization failed ERROR s unable to allocate device object __func__ DEBUG testCompHandler received s from d char pInBuf ERROR ...

Page 197: ... ERROR rx_clear d rx_frame d tx_frame d DEBUG s Wrong Key Length d __func__ des_key_len ERROR s resume beacon xmit after u misses DEBUG s Wrong parameters __func__ ERROR s stuck beacon resetting bmiss count u DEBUG s Wrong Key Length __func__ ERROR EMPTY QUEUE DEBUG s Wrong parameters __func__ ERROR SWRInfo seqno d isswRetry d retryCnt d wh u_int16_t wh i_seq 0 4 0 bf bf_isswretry bf bf_swretries ...

Page 198: ... range max zu DEBUG registering char device failed ERROR HAL AC u out of range max zu DEBUG unregistering char device failed ERROR s unable to update hardware queue u DEBUG s d ERROR non NULL node pointer in p p s ERROR Multicast Q DEBUG s d ERROR non NULL node pointer in p p s ERROR p buf DEBUG can t alloc name s name ERROR buf flags 0x 08x buf bf_flags DEBUG s unable to register device dev name ...

Page 199: ...numfilters DEBUG s SKB does not exist __FUNCTION__ ERROR filter d filterID d rf_numpulses u rf rf_minpri u rf rf_maxpri u rf rf_threshold u rf rf_filterlen u rf rf_mindur u rf rf_maxdur u j rf rf_pulseid DEBUG s recvd invalid skb ERROR NOL DEBUG unable to register KIFDEV to UMI ERROR WARNING 10 minute CAC period as channel is a weather radar channel DEBUG The system is going to factory defaults CR...

Page 200: ...ividually DEBUG POST proto u srcip u u u u sport u dstip u u u u dport u CRITICA L bogus frame type 0x x s DEBUG Clearing the ISR p p CRITICA L ERROR ieee80211_encap ret NULL DEBUG PROTO d u u u u u u u u CRITICA L ERROR ath_amsdu_attach not called DEBUG ESP DONE p p sav m CRITICA L s no memory for cwm attach __func__ DEBUG ESP BAD p p sav m CRITICA L s error acw NULL Possible attach failure __fun...

Reviews:

No comments

Related manuals for DSR-1000N

Brand: D-Link Pages: 28

Brand: D-Link Pages: 2

DIR-655 - Xtreme N Gigabit Router Wireless

Brand: D-Link Pages: 3

Brand: D-Link Pages: 11

Brand: D-Link Pages: 35

Brand: D-Link Pages: 12

Brand: D-Link Pages: 12

Brand: D-Link Pages: 24

Brand: D-Link Pages: 20

Brand: D-Link Pages: 44

Brand: D-Link Pages: 52

Brand: D-Link Pages: 103

Brand: Vanguard Pages: 4

Brand: Aewin Technologies Pages: 86

Brand: Leviton Pages: 4

Brand: Perle Pages: 491

airMAX NanoBridge M NBM3

Brand: Ubiquiti Pages: 24

Brand: ADTRAN Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands