
User Guide

© 2014  Luxul. All Rights Reserved.

Other trademarks and registered trademarks are the property of their respective owners

 

• IP Security Option: Checks an IP packet to see if it contains a Security marker. If enabled, all packets without a Security marker will be dropped.

• IP Stream Option: Checks an IP packet to see if it contains a Stream ID. If enabled, any packet streams without a Stream ID will be dropped.

• IP Record Route Option: Checks an IP packet to see if it contains a Record Route. If enabled, any packets without a Record Route will be dropped.

• IP Loose Source Route Option: Checks an IP packet to see if it contains a Loose Source Route. If enabled, any packets without a Loose Source Route will be dropped.

• IP Strict Source Route Option: Checks an IP packet to see if it contains a Strict Source Route. If enabled, any packets without a Strict Source Route will be dropped.

• Invalid IP Options: Checks an IP packet to see if it contains any integrity errors. If enabled, any packets containing Invalid IP Options will be dropped.
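The options named in these settings are carried in the variable-length part of the IPv4 header. The following is an added example, not Luxul firmware code, showing how an inspector locates each option and detects a malformed option list. The option type numbers are the RFC 791 values; the function names and sample headers are constructed for illustration.

```python
import struct

# RFC 791 option type numbers for the options named in the settings above.
OPTION_NAMES = {
    130: "Security",
    136: "Stream ID",
    7: "Record Route",
    131: "Loose Source Route",
    137: "Strict Source Route",
}
ROUTE_OPTIONS = (7, 131, 137)   # type, length, pointer, then 4-byte address slots
EOL, NOP = 0, 1                 # single-byte options: end of list, padding


def inspect_ip_options(header: bytes):
    """Return (names of options found, integrity errors) for one IPv4 header."""
    if len(header) < 20:
        return [], ["header shorter than 20 bytes"]
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4:
        return [], ["not IPv4"]
    if ihl < 5 or ihl * 4 > len(header):
        return [], ["bad IHL"]
    opts = header[20:ihl * 4]
    found, errors = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            errors.append(f"option {kind}: length byte missing")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            errors.append(f"option {kind}: length {length} overruns header")
            break
        if kind == 136 and length != 4:
            errors.append("Stream ID: length must be 4")
        if kind in ROUTE_OPTIONS:
            # Smallest legal pointer is 4; route data is whole 4-byte addresses.
            if length < 3 or opts[i + 2] < 4 or (length - 3) % 4 != 0:
                errors.append(f"option {kind}: bad route pointer or length")
        found.append(OPTION_NAMES.get(kind, f"type {kind}"))
        i += length
    return found, errors


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left 0) plus options."""
    options += b"\x00" * (-len(options) % 4)          # pad with EOL to 32 bits
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 1, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options


if __name__ == "__main__":
    samples = {
        "no options": b"",
        "loose source route": bytes([131, 7, 4, 203, 0, 113, 9]),
        "record route + stream id": bytes([7, 7, 4, 0, 0, 0, 0, 136, 4, 0, 42]),
        "invalid length": bytes([137, 40, 4, 1]),
    }
    for label, raw in samples.items():
        print(label, inspect_ip_options(build_header(raw)))
```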

Other Attacks

 

• Filter Ping from WAN Port: If enabled, the XBR-2300 will drop all ICMP packets.

• DDoS Attack Defense: If enabled, the XBR-2300 will attempt to drop all DDoS packets (e.g. ICMP, ARP, etc.).

• Shock Waves, Sasser and Other Viruses Defense: The XBR-2300 will block all well-known virus attacks.

NOTE: This requires updating the firmware as new updates are released.

5.5.4 LAN Attack Defense

The settings for this section are identical to those for WAN Attack Defense, simply applied to the LAN ports of the XBR-2300. Please refer to section 3.4.3 WAN Attack Defense.

5.5.5 IP-MAC Binding 

In the IP-MAC Binding section there are two submenus: IP-MAC Binding and Dynamic Binding.
