(Wireless) ADSL VPN Firewall Router with 3DES Accelerator

Chapter 4: Configuration

Idle Time: Auto-disconnect the VPN connection when there is no activity on the connection for a predetermined period of time. 0 means this connection is always on. Click Apply after changing settings.

IPSec: Enable to enhance your L2TP VPN security.

Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transit. There are three options: Message Digest 5 (MD5), Secure Hash Algorithm (SHA-1) or NONE. SHA-1 is more resistant to brute-force attacks than MD5; however, it is slower.

  MD5: A one-way hashing algorithm that produces a 128-bit hash.

  SHA-1: A one-way hashing algorithm that produces a 160-bit hash.

Encryption: Select the encryption method from the pull-down menu. There are four options: DES, 3DES, AES and NONE. NONE means it is a tunnel only, with no encryption. 3DES and AES are more powerful but increase latency.

  DES: Stands for Data Encryption Standard; it uses a 56-bit key for encryption.

  3DES: Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3) key for encryption.

  AES: Stands for Advanced Encryption Standard; it uses a 128-bit key for encryption.

Perfect Forward Secrecy: Choose whether to enable PFS using Diffie-Hellman public-key cryptography to change encryption keys during the second phase of VPN negotiation. This function will provide better security, but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes: MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.

Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
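
The settings described above can be checked before they are entered into both routers. The following Python script is an added example, not part of the manual or the router's firmware: it flags weak choices among the options this page lists and settings that differ between the two peers. The severity ratings, the 80-bit pre-shared key threshold, the rule that the algorithm settings must match on both sides (general IPSec behaviour, the manual states it only for the key) and the sample configurations are assumptions made for this example.

```python
"""Pre-deployment check of the L2TP/IPSec options listed on this manual page."""
import math

# Option names as the manual lists them; a disabled PFS is represented as None.
# Severity ratings are this example's assumptions, not the vendor's.
RISK = {
    "authentication": {
        "NONE": ("high", "datagrams carry no integrity check"),
        "MD5": ("medium", "128-bit hash, the weaker of the two offered"),
        "SHA-1": None,
    },
    "encryption": {
        "NONE": ("high", "tunnel only, traffic is not encrypted"),
        "DES": ("high", "56-bit key is too short to resist key search"),
        "3DES": None,
        "AES": None,
    },
    "pfs": {
        None: ("medium", "phase-2 keys get no fresh Diffie-Hellman exchange"),
        "MODP 768-bit": ("high", "smallest group offered"),
        "MODP 1024-bit": ("medium", "prefer the 1536-bit group"),
        "MODP 1536-bit": None,
    },
}
PSK_MIN, PSK_MAX = 4, 128   # length limits stated in the manual
PSK_MIN_BITS = 80           # assumption: threshold chosen for this example


def psk_bits(psk):
    """Crude upper bound on guessing effort, from length and character classes."""
    pool = 0
    pool += 26 if any(c.islower() for c in psk) else 0
    pool += 26 if any(c.isupper() for c in psk) else 0
    pool += 10 if any(c.isdigit() for c in psk) else 0
    pool += 33 if any(not c.isalnum() for c in psk) else 0
    return len(psk) * math.log2(pool) if pool else 0.0


def audit_side(name, cfg):
    """Return (side, field, severity, reason) tuples for one router's settings."""
    findings = []
    for field, table in RISK.items():
        value = cfg[field]
        if value not in table:
            findings.append((name, field, "invalid", f"{value!r} is not offered"))
        elif table[value] is not None:
            findings.append((name, field, *table[value]))
    psk = cfg["psk"]
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        findings.append((name, "psk", "invalid", "length must be 4 to 128"))
    elif psk_bits(psk) < PSK_MIN_BITS:
        # Report the estimate only; never write the key itself to a report.
        findings.append((name, "psk", "high", f"at most ~{psk_bits(psk):.0f} bits"))
    return findings


def audit_tunnel(local, remote):
    """Audit both peers, then flag settings that differ between them."""
    findings = audit_side("local", local) + audit_side("remote", remote)
    for field in (*RISK, "psk"):
        if local[field] != remote[field]:
            findings.append(("both", field, "mismatch", "peers must match"))
    return findings


# Constructed sample configurations (not taken from a real device).
HEAD_OFFICE = {"authentication": "MD5", "encryption": "DES",
               "pfs": None, "psk": "12345678"}
BRANCH = {"authentication": "SHA-1", "encryption": "AES",
          "pfs": "MODP 1536-bit", "psk": "12345678"}
HARDENED = {"authentication": "SHA-1", "encryption": "AES",
            "pfs": "MODP 1536-bit", "psk": "tR7#vq2LmZ!x9Kp@4wNd"}

if __name__ == "__main__":
    for finding in audit_tunnel(HEAD_OFFICE, BRANCH):
        print(*finding, sep=" | ")
```
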

 

 

Summary of Contents for HRDSL742

Page 1: ...Version Release 1 54c HRDSL742 HRDSL742W Wireless ADSL VPN Firewall Router User s Manual...
