Netopia 3300-ENT Series Firmware User Manual Download Page 265 | Manualshive

Page: 265 / 334

background image

Security 10-1

Chapter 10

Security

Netopia Firmware Version 8.7 provides a number of security features to help protect its configuration screens
and your local network from unauthorized access. Although these features are optional, it is strongly
recommended that you use them.

This section covers the following topics:

•

“Suggested Security Measures” on page 10-1

•

“Telnet Tiered Access – Two Password Levels” on page 10-2

•

“Advanced Security Options” on page 10-6

•

“RADIUS ser ver authentication” on page 10-7

•

“ ser ver authentication” on page 10-8

•

“Warning aler ts” on page 10-9

•

“Telnet Access” on page 10-20

•

“About Filters and Filter Sets” on page 10-21

•

“Working with IP Filters and Filter Sets” on page 10-28

•

“Policy-based Routing using Filtersets” on page 10-36

•

“Firewall Tutorial” on page 10-39

•

“Configuration Management” on page 10-46

Suggested Security Measures

In addition to setting up user accounts, Telnet access, and filters (all of which are covered later in this chapter),
there are other actions you can take to make the Router and your network more secure:

•

Change the SNMP community strings (or passwords). The default community strings are universal and
could easily be known to a potential intruder.

•

Set the answer profile so it must match incoming calls to a connection profile.

«
...
263
264
265
266
267
...
»

Summary of Contents for 3300-ENT Series

Page 1: ...id d d de e e e 3 3 3 33 3 3 30 0 0 00 0 0 0 E E E EN N N NT T T T E E E En n n nt t t te e e er r r rp p p pr r r ri i i is s s se e e e S S S Se e e er r r ri i i ie e e es s s s N N N Ne e e et t...

Page 2: ...3 D Reach are registered trademarks belonging to Netopia Inc registered U S Patent and Trademark Office All other trademarks are the property of their respective owners All rights reserved Netopia Inc...

Page 3: ...New Connection Profile 2 9 Advanced Connection Options 2 15 Configuration Changes Reset WAN Connection 2 15 Scheduled Connections 2 16 Backup Configuration 2 21 Diffserv Options 2 22 Priority Queuing...

Page 4: ...otocol 3 36 Security 3 36 Upgrade Feature Set 3 36 Router Bridge Set 3 37 IGMP Internet Group Management Protocol 3 39 Logging 3 42 Log event dispositions 3 43 Procedure for Default Installation for I...

Page 5: ...PPTP configuration 5 4 About IPsec Tunnels 5 7 About L2TP Tunnels 5 8 L2TP configuration 5 8 About GRE Tunnels 5 11 VPN force all 5 14 About ATMP Tunnels 5 15 ATMP configuration 5 15 Encryption Suppor...

Page 6: ...nfiguration Screens 6 21 IPsec Manual Key Entry 6 22 VPN Quickview 6 23 WAN Event History Error Reporting 6 24 Chapter 7 IP Setup 7 1 IP Setup 7 2 IP subnets 7 4 Static routes 7 6 RIP Options 7 10 Ove...

Page 7: ...up Management Statistics 8 17 QuickView 8 18 Chapter 9 Monitoring Tools 9 1 Quick View Status Overview 9 1 General status 9 2 Current status 9 2 Status lights 9 3 Statistics Logs 9 3 Event Histories 9...

Page 8: ...individual filters work 10 22 Design guidelines 10 27 Working with IP Filters and Filter Sets 10 28 Adding a filter set 10 29 Deleting a filter set 10 33 A sample filter set 10 33 Policy based Routin...

Page 9: ...firmware 11 7 Downloading configuration files 11 7 Uploading configuration files 11 8 Restarting the System 11 8 Appendix A Troubleshooting A 1 Configuration Problems A 1 Network problems A 2 How to R...

Page 10: ...x Firmware User Guide...

Page 11: ...open ports See Open ports in default Stateful Inspection installation on page 3 10 Additional Syslog messages See Log event dispositions on page 3 43 Procedure for Default Installation for ICSA firew...

Page 12: ...Netopia Telnet Menus Telnet based management screens contain the main entry points to Netopia Firmware Version 8 7 configuration and monitoring features The entry points are displayed in the Main Men...

Page 13: ...how information about your Router your network and their history See Statistics Logs beginning on page 9 3 The Quick Menus screen is a shortcut entry point to a variety of the most commonly used confi...

Page 14: ...er Con guring Telnet software If you are configuring your device using a Telnet session your computer must be running a Telnet software program If you connect a PC with Microsoft Windows you can use a...

Page 15: ...press Return The System Configuration screen appears 2 Select IP Setup and press Return The IP Setup screen appears To go back in this sequence of screens use the Escape key To Use These Keys Move th...

Page 16: ...1 6 Firmware User Guide...

Page 17: ...n page 2 4 Creating a New Connection Profile on page 2 9 Advanced Connection Options on page 2 15 Configuration Changes Reset WAN Connection on page 2 15 Scheduled Connections on page 2 16 Backup Conf...

Page 18: ...s otherwise the router obtains a subnet mask via DHCP The NAT Map List and NAT Server List options are set to the defaults Easy PAT List and Easy Servers These provide standard NAT mappings For more a...

Page 19: ...ardware address of the Netopia device Some service providers require a specific MAC address as part of their authentication process In such a case you can enter the MAC address that your service provi...

Page 20: ...d the Netopia Firmware Version 8 7 will generate RIP packets only to other RIP v1 routers With Transmit RIP v2 broadcast selected the Netopia Firmware Version 8 7 will generate RIP packets to all othe...

Page 21: ...entify the circuit for management purposes as a convenience to aid in selecting circuits from lists The default circuit name is Circuit n where n is some number between one and eight corresponding to...

Page 22: ...Firmware Version 8 7 supports three ATM classes of ser vice for data connections Unspecified Bit Rate UBR Constant Bit Rate CBR and Variable Bit Rate VBR You can configure these classes of service on...

Page 23: ...Peak Cell Rate which should be less than or equal to the line rate VBR has two sub classes a VBR non real time VBR nrt Typical applications are non real time traffic such as IP data traffic This clas...

Page 24: ...efault Profile If you add a second VC it is initialized to the Default Profile and the menu screens display the VC Connection Profile related items allowing you to bind to a specific Connection Profil...

Page 25: ...ate to the WAN Configuration screen from the Main Menu and select Add Connection Profile The Add Connection Profile screen appears 1 Select Profile Name and enter a name for this connection profile It...

Page 26: ...ame Profile 1 Profile Enabled Yes Encapsulation Type RFC1483 Mode Bridged 1483 Routed 1483 IP Profile Parameters COMMIT CANCEL Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Encapsu...

Page 27: ...Line Backup on page 8 1 for more information Datalink PPP MP Options Data Compression Standard LZS Send Authentication PAP Send User Name Send Password Receive User Name Receive Password Dial on Deman...

Page 28: ...rameters screen IP Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WA...

Page 29: ...mware Version 8 7 will accept routing information provided by RIP packets from other routers that use different subnet masks For more information on v2 MD5 Authentication see RIP Options on page 7 10...

Page 30: ...guration screen and select Display Change Connection Profile The list of Connection Profiles is displayed in a scrolling pop up screen You can also delete Connection Profiles by selecting them in the...

Page 31: ...f this feature is to defer configuration changes only when remotely configuring or reconfiguring the Netopia Router to prevent premature Telnet disconnection When this feature is enabled no changes to...

Page 32: ...ges are committed and the router comes up using the newly created configuration Scheduled Connections Scheduled connections are useful for PPPoE PPTP and ATMP connection profiles To go to the Schedule...

Page 33: ...y is capitalized the connection will be activated on that day a lower case letter means that the connection will not be activated on that day If the scheduled connection is configured for a once only...

Page 34: ...e and toggle it to On You can make the scheduled connection inactive by toggling Scheduled Connection Enable to Off Decide how often the connection should take place by selecting How Often and choosin...

Page 35: ...w Often reads Set Weekly Schedule If How Often is set to Once Only the item directly below How Often reads Set Once Only Schedule Set Weekly Schedule If you set How Often to Weekly select Set Weekly S...

Page 36: ...a date in the format MM DD YY or MM DD YYYY month day year Note You must enter the date in the format specified The slashes are mandatory For example the entry 5 7 98 would be accepted as May 7 1998 T...

Page 37: ...y a scheduled connection select Display Change Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections Select a scheduled connection from the table and pre...

Page 38: ...ld travel across your network For example you may want streaming video conferencing to use high quality but more restrictive connections or you might want e mail to use less restrictive but less relia...

Page 39: ...ld set it to something less than 100 since the low priority traffic might have to wait too long to be passed and consequently be subject to time outs You can then define custom Rules If your applicati...

Page 40: ...or both from the pop up menu Start Port For TCP or UDP protocols you can optionally specify a range of ports Enter the starting port here End Port Enter the ending port here QoS Setting TOS Bit Value...

Page 41: ...rned to the Diffserv Options screen and your settings will take effect Priority Queuing TOS bit Netopia Firmware Version 8 7 offers the ability to prioritize delay sensitive data over the WAN link on...

Page 42: ...the Netopia Router will continuously Ping one or two hosts that you specify to determine when a link fails even if the physical connection remains established If Layer 3 WAN Link Failure Detection is...

Page 43: ...ction is assumed to be lost and the Virtual Router will relinquish Master status The Delay s field allows you to specify the time in seconds between Pings The default is five 5 seconds The Ping failur...

Page 44: ...2 28 Firmware User Guide...

Page 45: ...vanced system configuration options This section covers the following topics To access the system configuration screens select System Configuration in the Main Menu and press Return IP Setup on page 3...

Page 46: ...ns of DHCP WANIP and BootP Details are given in IP Address Serving on page 7 17 Network Address Translation NAT These screens allow you to configure the Multiple Network Address Translation MultiNAT f...

Page 47: ...if you toggle this option to Yes the device will monitor packets for Denial of Service DoS attack Offending packets may be discarded if it is determined to be a DoS attack Add Exposed Address List Ac...

Page 48: ...escriptive name for the list and press Return A new field Add Exposed Address Range appears Stateful Inspection UDP no activity timeout sec 180 TCP no activity timeout sec 14400 Add Exposed Address Li...

Page 49: ...t for the range of IP addresses you want to expose Add Exposed Address List Exposed Address List Name xposed_list_1 Add Exposed Address Range Return Enter goes to new screen Add Exposed Address Range...

Page 50: ...e range to be allowed to the host range The acceptable range is from 1 65535 Port End End port of the range to be allowed to the host range The acceptable range is from 1 65535 Add Exposed Address Ran...

Page 51: ...sed address list for editing or deletion Note Add Edit or Delete exposed addresses options are active only if NAT is disabled on a WAN interface The hosts specified in exposed addresses will be allowe...

Page 52: ...Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask...

Page 53: ...s interface for example ICMP Echo requests Note If Stateful Inspection is enabled on a base connection profile for example for PPP RFC1483 bridged routed or PPPoE Enable default mapping to router must...

Page 54: ...Bootpc Yes No 80 TCP HTTP Yes No 137 UDP Netbios ns Yes No 138 UDP Netbios dgm Yes No 161 UDP SNMP Yes No 500 UDP ISAKMP Yes No 520 UDP Router Yes No 1701 UDP L2TP Yes No 1900 UDP UPnP Yes No 1723 TC...

Page 55: ...es VLANs very flexible VLANs behave like separate and independent networks Beginning with Firmware Version 8 6 1 your Router supports the following Global Enable Disable of VLANs VLANs of Global type...

Page 56: ...ion 8 7 and 4094 VLAN Configuration VLAN Enable On Add VLAN Authentication Server Configuration Return Enter to select among between Set Up VLAN from this and the following Menus Add VLAN VLAN ID 0 40...

Page 57: ...Network From the VLAN Network pop up menu select None Primary LAN or if you have configured an Additional LAN ALAN an Additional LAN See Additional LANs on page 7 37 Note VLAN changes require a reboot...

Page 58: ...t case Wireless Privacy can be any setting Wireless does not currently support separate privacy modes per SSID When enabling WPA 802 1x wireless will default to the RADIUS configuration specified in A...

Page 59: ...e server CHAP secret here as above RADIUS Identifier Enter the RADIUS Network Access Server NAS identifier The default NAS identi fier is an ASCII representation of the server s base MAC address RADIU...

Page 60: ...To make a set of VLANs non routable the Primary LAN port must be included in at least one VLAN and must be excluded from any VLANs that are non routable Note Beginning with Firmware Version 8 5 you c...

Page 61: ...ee parameters Tag Packets transmitted from this port through this VLAN must be tagged with the VLAN VID Packets received through this port destined for this VLAN must be tagged with the VLAN VID by th...

Page 62: ...he port you have selected Note VLAN changes require a reboot to take effect See Restarting the System on page 11 8 Changing or Deleting a VLAN You can change or delete a VLAN by returning to the VLAN...

Page 63: ...CONTINUE the profile will be deleted Authentication Server Configuration Profile Name Display Change Server ATE1 V1 Add Server Profile Delete Server Profile Up Down Arrow Keys to select ESC to dismis...

Page 64: ...ess Return Select Add Server Profile and press Return VLAN Configuration Display Change VLAN Add VLAN Delete VLAN Authentication Server Configuration Set Up VLAN from this and the following Menus Auth...

Page 65: ...take effect See Restarting the System on page 11 8 Add Server Profile Profile Name Authentication Profile 2 Remote Server Addr Name Remote Server Secret Alt Remote Server Addr Name Alt Remote Server S...

Page 66: ...this screen will change to allow you to manually enter the time and date parameters Netopia Firmware Version 8 7 updates timestamps reported in the system logs with new timestamps as these are updated...

Page 67: ...ay for the change to take effect See Restarting the System on page 11 8 SSID Wireless ID The SSID is preset to a number that is unique to your unit You can either leave it as is or change it by enteri...

Page 68: ...m a full two to three second scan and switch to the best channel it can find remaining on that channel until the next reboot Continuous performs the at startup scan and will continuously monitor the c...

Page 69: ...ferent operating systems accomplish connecting to a wireless LAN and enabling WEP in a variety of ways Consult the documentation for your particular wireless card and or operating system Wireless Mult...

Page 70: ...PSK Pre Shared Key from the pop up menu Wireless LAN Configuration Enable Wireless Yes SSID 0271 1000 Block Wireless Bridging No Channel 6 AutoChannel Closed System Wireless Multimedia WMM Off Enable...

Page 71: ...iguration on page 3 11 Wireless LAN Configuration Enable Wireless Yes SSID 0271 1000 Block Wireless Bridging No Channel 6 AutoChannel Off Closed System Open Enable Privacy WPA PSK Pre Shared Key Pre S...

Page 72: ...ersion s selected in order to successfully connect WEP Alternatively you can provide a level of data security by enabling WEP Wired Equivalent Privacy for encryption of network data You can enable 40...

Page 73: ...rase that you choose in the Passphrase field The passphrase can be any string of words or numbers Note While clients may also have a passphrase feature these are vendor specific and may not necessaril...

Page 74: ...to break the encryption Examples 40bit 02468ACE02 128bit 0123456789ABCDEF0123456789 256bit 592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C Multiple SSIDs Wireless Multiple SSID Setup This fea...

Page 75: ...SSIDs are WPA PSK WPA 802 1x or Off Multiple SSID Configuration Enable Multiple SSIDs No Second SSID 0000 0000 Enable Privacy Off Third SSID 0000 0000 Enable Privacy Off Fourth SSID 0000 0000 Enable...

Page 76: ...ridging on page 3 24 Multiple SSID Configuration Enable Multiple SSIDs On Second SSID GameRoom Enable Privacy WPA Version Key All WPA Version 1 Third SSID WPA Version 2 Enable Privacy Fourth SSID 0000...

Page 77: ...MAC Address Authentication and press Return The Authorized MAC Addresses screen appears From the MAC Authentication Mode pull down menu select the mode you want to implement Disabled turns MAC Authen...

Page 78: ...The Add MAC Address screen appears Enter the MAC hardware address of the client PC you want to authorize for access to your wireless LAN MAC Allowed is set to Yes enabled by default Toggling this to...

Page 79: ...erminal emulator application you can change the default terminal communications parameters to suit your requirements To go to the Console Configuration screen select Console Configuration in the Syste...

Page 80: ...ils are given in Simple Network Management Protocol SNMP on page 9 9 Security These screens allow you to add users and define passwords on your network Details are given in Security on page 10 1 Upgra...

Page 81: ...dge Set and form the pop up menu choose the option you want Router retains the full routing features and corresponding menus Bridge the device becomes a simple bridge offering no routing features Corr...

Page 82: ...lnet menus corresponding configuration items such as Easy Setup will be removed Example of Bridge only mode menus If you decide to return to the previous mode you can repeat the process Remember that...

Page 83: ...rs reside by noting IGMP general queries used in the querier selection process and by listening to other router protocols From the host point of view the snooping function listens at a port level for...

Page 84: ...than the query interval Unsolicited Report Interval s the amount of time in seconds between repetitions of a particular computer s initial report of membership in a group The default unsolicited repor...

Page 85: ...are no members of the host group being queried on this interface The default last member query count is 2 Fast Leave Toggling this option to On enables a non standard expedited leave mechanism The que...

Page 86: ...appropriate and previously unreported events You can specify the syslog server s address either in dotted decimal format or as a DNS name up to 63 characters You can specify the UNIX syslog Facility...

Page 87: ...d Clear Confirm for our DN 5108645534 May 5 10 14 06 tsnext netopia com Link 1 down No answer May 5 10 14 06 tsnext netopia com Device restarted May 5 10 14 06 tsnext netopia com Received Speech Setup...

Page 88: ...ent 10 dropped no route found 11 dropped possible land attack 12 dropped reassembly timeout 13 dropped illegal size 14 dropped invalid IP version 15 TCP SYN flood detected 16 Telnet receive DoS attack...

Page 89: ...e Local mode mode Remote mode mode 12 PPP sessionID authentication failed Channel channelID Reason reason 13 PPP authentication type remote accepted us Channel ChannelID Remote name name 14 PPP authen...

Page 90: ...cal addr profile Name spi SPI sg IP Address 50 IPsec rx spi mismatch profile Name spi SPI sg IP Address 51 IPsec rx auth fail profile Name spi SPI sg IP Address 52 IPsec rx crypt fail profile Name spi...

Page 91: ...ddress profile Name sg IP Address 72 IKE phase 2 complete sg IP Address profile Name sg IP Address 73 IPSEC Dead Peer Detected sg IP Address profile Name sg IP Address 74 L2TP tunnel up rem IP Address...

Page 92: ...on Profile See Creating a New Connection Profile on page 2 9 2 Go to Easy Setup 3 Set Data Circuit VPI 0 255 to the desired value 4 Set Data Circuit VCI 32 65535 to the desired value 5 Select NEXT SCR...

Page 93: ...e Idle Timeout seconds to whatever you prefer The default value is 300 seconds g Escape once back to the Add Connection Profile screen h Press Enter on COMMIT to save this profile 10 Select Display Ch...

Page 94: ...iagnostics h Select Restart System and CONTINUE Set up Syslog See Logging on page 3 42 for more information 1 Go to System Configuration and select Logging 2 Under Syslog Parameters a Set Syslog Enabl...

Page 95: ...Parameters Set Stateful Inspection Enabled to Yes 7 Select Stateful Inspection Options a Under Stateful Inspection Parameters configure Max TCP Sequence Number Difference if desired b Set Enable defa...

Page 96: ...3 52 Firmware User Guide...

Page 97: ...values This mapping serves two functions It allows the addresses of many computers on a LAN to be represented to the public Internet by only one or a few addresses saving you money It can be used as a...

Page 98: ...ke it possible to provide access from the public network to hosts on the LAN Server lists allow you to define particular services such as Web ftp or e mail which are available via a public IP address...

Page 99: ...ranslation Netopia s NAT implementation makes it possible to have a static mapping of one public address to one private address thus allowing applications such as NetMeeting to work by assuring that a...

Page 100: ...applies to the traffic being initiated is used For example if a connection is initiated from the public network and is destined for a public IP address configured on the Netopia Router the following...

Page 101: ...llowing IP protocols PAT TCP UDP traffic which does not carry source or destination IP addresses or ports in the data stream i e HTTP Telnet r commands tftp NFS NTP SMTP NNTP etc Static NAT All IP pro...

Page 102: ...elow For the more advanced features such as server lists and dynamic NAT follow the instructions in System Configuration described on page 4 7 IP profile parameters described on page 4 22 Easy Setup P...

Page 103: ...see 2 Create a List name that will act as a rule or server holder 3 Create a map or rule that specifies the internal range of NATed addresses and the external range they are to be associated with 4 As...

Page 104: ...d ports so that connections initiated from the outside can access an interior server System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Stateful Inspection VL...

Page 105: ...d last exterior ports in the range These are the ports that will be used for traffic initiated from the private LAN to the out side world Note For PAT map lists and server lists if you use the Public...

Page 106: ...creen Once the public ranges have been assigned the next step is to bind interior addresses to them Because these bindings occur in ordered lists called map lists you must first define the list then a...

Page 107: ...your preconfigured ranges are suitable for this mapping you can select NEW RANGE and create a new range If you choose NEW RANGE the Add NAT Public Range screen displays and you can create a new public...

Page 108: ...work Address Translation screen select Show Change Map List and press Return Select the map list you want to modify from the pop up menu Add NAT Map my_map First Private Address 192 168 1 1 Last Priva...

Page 109: ...e list Selecting Show Change Maps or Delete Map displays the same pop up menu Scroll to the map you want to modify using the arrow keys and press Return Show Change NAT Map List Map List Name my_map A...

Page 110: ...ges will become effective and you will be returned to the Show Change NAT Map List screen Change NAT Map my_map First Private Address 192 168 1 253 Last Private Address 192 168 1 254 Use NAT Public Ra...

Page 111: ...essible through other means such as a static mapping you must create a server list Select Add Server List from the Network Address Translation screen The Add NAT Server List screen appears Select Serv...

Page 112: ...r the port number range for your customized service Add NAT Server my_servers External Service Server Private IP Address 0 0 0 0 Public IP Address 0 0 0 0 Protocol TCP and UDP Internal Port Start 0 AD...

Page 113: ...ublic addresses your ISP or corporate site s Router must also be configured for static routes to these public addresses on the Netopia Router Enter the Public IP Address to which you are exporting the...

Page 114: ...7649 In MultiNat you may use a port range export Without the export CUSeeMe will fail to work This is true unless a static mapping is in place for the host using CUSeeMe In that case no server list e...

Page 115: ...Change Server or Delete Server displays the same pop up menu Network Address Translation NAT Server List Name A my_servers S D A S D A S D Up Down Arrow Keys to select ESC to dismiss Return Enter to E...

Page 116: ...Change NAT Server List menu and press Return Show Change NAT Server List Private Address Public Address Port Protocol 192 168 1 254 206 1 1 1 smtp TCP and UDP 192 168 1 254 206 1 1 2 ftp TCP and UDP 1...

Page 117: ...rn A dialog box asks you to confirm your choice Choose CONTINUE and press Return The server is deleted from the list Show Change NAT Server List Private Address Public Address Port Protocol 192 168 1...

Page 118: ...hange Connection Profile screen From the pop up menu list of your Connection Profiles choose the one you want to bind your map list to Select IP Profile Parameters and press Return The IP Profile Para...

Page 119: ...dependent only on the IP Addressing type IP Profile Parameters NAT Map List Name Address Trans s IP Addressing Easy PAT List mbered NAT Map List my_map sy PAT List NAT Server Li None sy Servers NAT O...

Page 120: ...to the WAN Configuration screen then the Default Profile screen Select IP Parameters and press Return The IP Parameters Default Profile screen appears Toggle Address Translation Enabled to Yes Select...

Page 121: ...le Note There is no interdependency between NAT and IP Addressing Also the Local WAN IP Address and Mask fields visibility are dependent only on the IP Addressing type IP Parameters Default Profile NA...

Page 122: ...and press Return The NAT Associations screen appears You can toggle NAT On or Off for each Profile Interface name You do this by navigating to the NAT field associated with each profile using the arr...

Page 123: ...e or interface NAT Associations NAT Map List Name Profile Interface Name Nat Server List Name Easy Setup Profile On Easy PAT List my_servers Profile 01 On my_first_map my_servers Profile 02 On my_seco...

Page 124: ...sable for example when using PPP or PPPoE the DHCP subnet configuration will default to a class C subnet mask Note Globally only one dynamically configured DHCP subnet is available If you configure mu...

Page 125: ...Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0...

Page 126: ...t will get the IP passthrough address Note that there is no way to control which PC has the IP passthrough address without releasing all other DHCP leases on the LAN Note If you specify a non zeroes M...

Page 127: ...ll be rejected by the router For example suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host Both tunnels go to the same remote endpoint such as the VPN ac...

Page 128: ...1 1 6 255 255 255 248 subnet mask Your internal devices have IP addresses of 192 168 1 1 through 192 168 1 254 255 255 255 0 subnet mask In this example you will statically map the first five public I...

Page 129: ...55 255 255 248 PREVIOUS SCREEN NEXT SCREEN Return Enter takes you back to previous screen Enter basic information about your WAN connection with this screen IP Easy Setup Ethernet IP Address 192 168 1...

Page 130: ...rn This returns you to the Network Address Translation screen Select Add Public Range and press Return Type a name for this static range as shown below Enter the first and last public addresses your I...

Page 131: ...the NAT Associations screen or the profile s configuration screens The PAT part of this example setup will allow any user on the Netopia Router s LAN with an IP address in the range of 192 168 1 6 th...

Page 132: ...1 1 2 and then select ADD NAT SERVER Now return to Add Server choose the smtp port and enter 192 168 1 3 your Mail server s IP address for the Server Private IP Address You can decide if you want to p...

Page 133: ...he happenings on opposite sides of the state or the continent that you are mutually interested in When your next door neighbor picks up the phone to call her daughter at college at the same time you a...

Page 134: ...lling Protocol PPTP IP Security IPsec Layer 2 Transport Protocol L2TP Generic Routing Encapsulation GRE and Ascend Tunnel Management Protocol ATMP The Netopia Router can use any of these Point to Poin...

Page 135: ...e with the different protocols is done through the Telnet based menu screens Each type is described in its own section About PPTP Tunnels on page 5 4 About IPsec Tunnels on page 5 7 About L2TP Tunnels...

Page 136: ...ion option in Connection Profiles It is not an option in device or link configuration screens as PPTP is not a native encapsulation Consequently the Easy Setup Profile does not offer PPTP datalink enc...

Page 137: ...WAN the Tunnel Via Gateway field allows this path to be resolved From the pop up menu select an Authentication protocol for the PPP connection Options are PAP CHAP or MS CHAP The default is PAP The au...

Page 138: ...as a PNS Tunnels are normally initiated On Demand however you can disable this feature When disabled the tunnel must be manually established or may be scheduled using the scheduled connections featur...

Page 139: ...pia Routers support the more secure Tunnel mode Netopia Firmware Version 8 7 offers IPsec 3DES encryption over the VPN tunnel DES stands for Data Encryption Standard a popular symmetric key encryption...

Page 140: ...s not a native encapsulation Consequently the Easy Setup Profile does not offer L2TP datalink encapsulation See the Creating a New Connection Profile on page 2 9 for information on creating Connection...

Page 141: ...l an editable Pass phrase field appears where you can specify a password between eight and 15 characters long From the pop up menu select a PPP Authentication protocol for the PPP connection Options a...

Page 142: ...econds an inactivity timer whose expiration will terminate the tunnel A value of zero disables the timer Because tunnels are subject to abrupt termination when the underlying datalink is torn down use...

Page 143: ...with any sensitive data GRE offers no encryption and authentication of data integrity is limited to checksum verification if enabled To set up a GRE tunnel you create a Connection Profile including t...

Page 144: ...g is mainly needed if compression is being used You can enter a 32 bit Key of up to 10 digits numbers only The receiver can use this key to identify the source of the packet The key is a way to match...

Page 145: ...ection profile screen select COMMIT and press Return Your GRE Connection Profile will be enabled IP Profile Parameters Address Translation Enabled No IP Addressing Unnumbered Remote IP Address 173 167...

Page 146: ...sk Data Link Encapsulation 1483 1490 HDLC PPP IP Default Gateway 127 0 0 2 Gateway Static Route Destination Network GRE Remote_Tunnel_End_Point Destination Netmask Remote_Tunnel_End_Point_ netmask Nex...

Page 147: ...in Generic Routing Encapsulation GRE The GRE data is then routed using standard methods ATMP con guration ATMP is a Datalink Encapsulation option in Connection Profiles It is not an option in device o...

Page 148: ...and the Tunnel Via Gateway field is hidden If the partner should be reached via an alternate port i e the LAN instead of the WAN the Tunnel Via Gateway field allows this path to be resolved You can s...

Page 149: ...y making it difficult for any third party to get at the original data Netopia PPTP is fully compatible with Microsoft Point to Point Encryption MPPE data encryption for user data transfer over the PPT...

Page 150: ...E at all the PPP session will be dropped This is done automatically and transparently ATMP PPTP Default Pro le The WAN Configuration menu offers a ATMP PPTP Default Profile option Use this selection w...

Page 151: ...uthentication and press Return A pop up menu offers the following options PAP the default CHAP or MS CHAP If you chose PAP or CHAP authentication from the Data Compression pop up menu select either No...

Page 152: ...Shows the data link encapsulation method PPTP or ATMP Rx Pckts Shows the number of packets received via the VPN tunnel Tx Pckts Shows the number of packets transmitted via the VPN tunnel Rx Discard Sh...

Page 153: ...ows 95 and comes standard with Windows 98 Windows NT and Windows XP The VPN tunnel behaves as a private network connection unrelated to other traffic on the network Once you have installed Dial Up Net...

Page 154: ...named it icon on your desktop Open the Dial Up Networking folder and then double click Make New Connection The Make New Connection wizard window appears 2 Type a name for this connection such as the n...

Page 155: ...or the profile you created in the previous section 2 Right click the icon and from the pop up menu select Properties 3 In the Properties window click the Server Type button From the Type of Dial up Se...

Page 156: ...onnection Type box that appears select the Connect to the network at my workplace radio button Click Next 4 In the Network Connection box that appears select the Virtual Private Network connection rad...

Page 157: ...s necessary vary slightly between ATMP and PPTP but both protocols operate on the same basic premise there are control and negotiation operations and there is the tunnelled traffic that carries the pa...

Page 158: ...ion Basic Firewall Source IP Addr Dest IP Addr Proto Src Port D Port On Fwd 1 0 0 0 0 0 0 0 0 TCP NC 2000 Yes No 2 0 0 0 0 0 0 0 0 TCP NC 6000 Yes No Change Input Filter 1 Enabled Yes Forward Yes Call...

Page 159: ...shown below Change Input Filter 2 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP...

Page 160: ...IP Filter Set and from the pop up menu select Basic Firewall Change Output Filter 1 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Ad...

Page 161: ...guration Basic Firewall Source IP Addr Dest IP Addr Proto Src Port D Port On Fwd 1 0 0 0 0 0 0 0 0 TCP NC 2000 Yes No 2 0 0 0 0 0 0 0 0 TCP NC 6000 Yes No Change Input Filter 1 Enabled Yes Forward Yes...

Page 162: ...e Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 TOS 0 TOS Mask 0 Protocol Type GRE Return Enter accepts...

Page 163: ...ddress Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 TOS 0 TOS Mask 0 Protocol Type UDP Source Port Compare No Compare Source Port ID 0 Dest Port Compare No Compare Dest Port ID 51...

Page 164: ...router connects directly to the Internet or if it connects via an Ethernet connection through a cable or DSL modem The enabling feature is the same for both Using the Tab key toggle NetBIOS Proxy Ena...

Page 165: ...Enabled No Stateful Inspection Enabled No Filter Set None Remove Filter Set NetBIOS Proxy Enabled Yes Advanced IP Profile Options COMMIT CANCEL IP Profile Parameters Remote Tunnel Endpoint 192 168 1...

Page 166: ...traffic Make sure the NetBIOS filter is not enabled in your Internet Connection Profile Netopia includes the NetBIOS Proxy feature as an enhancement and convenience for our customers It has been lab t...

Page 167: ...nel mode encrypts both the header and the payload On the receiving side an IPsec compliant device decrypts each packet Netopia Routers support Tunnel mode DES stands for Data Encryption Standard a pop...

Page 168: ...ified in the IPsec tunnel configuration It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote security gateway Note To fully protect against IP address spoofing...

Page 169: ...ose Manual skip to IPsec Manual Key Entry on page 6 22 If you choose IKE the default continue below Select IKE Phase 1 Profile and press Return Add Connection Profile Profile Name Profile 1 Profile En...

Page 170: ...tion Profile all VPN traffic for that profile will be discarded Select ADD PH1 PROFILE The Add IKE Phase 1 Profile screen appears IKE Phase1 Profile ADD PH1 PROFILE NONE Key Management IKE Phase 1 Pro...

Page 171: ...it count between 0 and 32 OR by a second dotted quad IPv4 Range Two IPv4 addresses in dotted quad notation a b c d separated by a space Host Name A fully qualified domain name FQDN E Mail Address An R...

Page 172: ...the Router to acquire its IP parameters The NAT PAT IP address can now be left at the default 0 0 0 0 indicating that the address is to be requested from the remote address server and dynamically appl...

Page 173: ...e database to be used for authentication Local If you choose this option the Gateway will use the locally configured username and password for both concentrator and client modes RADIUS If you choose t...

Page 174: ...duration of the Phase 2 SA s lifetime but it is convenient because a Delete message may be sent Phase 1 SA Lifetime seconds specifies the duration in seconds for which the SA will remain valid The ra...

Page 175: ...uring idle periods since tunneled traffic is itself evidence of liveliness Once enabled and negotiated all tunnels established by the IKE phase 1 instance when the peer no longer responds to IKE keepa...

Page 176: ...o the Add IKE Phase 1 Profile screen shown on page 6 4 Selecting Delete IKE Phase 1 Profile and choosing an IKE phase 1 profile name from the pop up list displays a confirmation alert asking you to co...

Page 177: ...hat You can access the Key Management menus from the Change Connection Profile menu under the WAN Configuration screen for a Connection Profile you have already created or you can create a new Connect...

Page 178: ...ng the interface from the Interface Group pop up menu as shown below Example 2 Add Connection Profile menu showing Interface Group pop up From the Encapsulation Type pop up menu select IPsec Then sele...

Page 179: ...LE item to allow you to define a new IKE Phase 1 Profile directly without first going to the IPsec Configuration screen and a NONE item to allow you to dissociate an existing IKE Phase 1 Profile from...

Page 180: ...cated using the SA before it expires and becomes invalid The range of permissible values is the set of non negative integer values between 0 and 2 32 1 The default value is 0 Kilobytes The value zero...

Page 181: ...not arrive within that time the peer is considered dead the current phase 2 SAs are torn down and the IKE SA starts a new phase 1 negotiation followed by the normal phase 2 negotiation thereafter When...

Page 182: ...pts either an IP address in the familiar dotted quad notation a b c d or a hostname to be resolved using the Domain Name System DNS Note When the Remote Tunnel Endpoint is an IP address it will drop I...

Page 183: ...combination of remote local network ranges support for sub netting host and network range addressing modes works with manual keying and Internet Key Exchange IKE including Xauth IKE extension see page...

Page 184: ...meters screen This returns you to the Change Connection Profile screen Select COMMIT and press Return in the Change Connection Profile screen Note Any two IPsec tunnels differ only by the local remote...

Page 185: ...g list will display When you select one of the networks and press Return a warning screen will ask you to confirm your choice Display Change Network Configuration Local Members Remote Members Net Type...

Page 186: ...fic does pass through the tunnel the idle timeout interval resets again when the current SAs expire If you set the value to zero the Router will re key the SA whenever the SA Lifetime interval specifi...

Page 187: ...e 1 Configuration screen appears WAN Configuration Main Menu IKE Phase 1 Configuration WAN Configuration WAN Wide Area Network Setup ATM Circuits Configuration Display Change Connection Profile Add Co...

Page 188: ...gned layout and additional options for manual key entry If you selected Manual Key Management in the IPsec Tunnel Options screen you will need to enter your encryption keys in the IPsec Manual Keys sc...

Page 189: ...encryption keys With Manual Keys you must manually configure identical authentication and encryption keys at both ends of the tunnel The authentication keys are either 32 for MD5 or 40 for SHA1 ascii...

Page 190: ...did not match any of the profiles stored in the local Router IKE no matching proposal An IKE phase 1 request was received and the proposal did not match an allowed parameter or else the remote rejecte...

Page 191: ...roposal Either the local Router rejected the proposals of the remote or the remote rejected the local Router s IKE ph2 resend timeout The attempt to resend the phase 2 authentication timed out IKE pha...

Page 192: ...6 26 Firmware User Guide...

Page 193: ...page 7 23 DHCP Relay Agent on page 7 28 Connection Profiles on page 7 30 Multicast Forwarding on page 7 33 Network Address Translation allows communication between the LAN connected to the Router and...

Page 194: ...or your Router Select Ethernet IP Address and enter the IP address for the Router s Ethernet port Select Ethernet Subnet Mask and enter the subnet mask for the Ethernet IP address that you entered in...

Page 195: ...Name and enter your network s domain name for example netopia com Netopia strongly recommends that you enter a domain name Routing Information Protocol RIP is needed if there are IP routers on other...

Page 196: ...address subnet mask pairs Note You need not use this screen if you have only a single Ethernet IP subnet In that case you can continue to enter or edit the IP address and subnet mask for the single su...

Page 197: ...fill the vacant fields The subnets configured on this screen are tied to the address serving pools configured on the IP Address Pools screen and changes on this screen may affect the IP Address Pools...

Page 198: ...ear in the IP routing table which contains all of the routes used by the Router see IP Routing Table on page 9 6 Static routes are helpful in situations where a route to a network must be used and oth...

Page 199: ...appear The table has the following columns Dest Network The network IP address of the destination network Static Routes Display Change Static Route Add Static Route Delete Static Route Configure View...

Page 200: ...Rules of static route installation on page 7 9 Select Destination Network IP Address and enter the network IP address of the destination network Select Destination Network Subnet Mask and enter the s...

Page 201: ...ers in this screen are the same as the ones in the Add Static Route screen see Adding a static route on page 7 8 Deleting a static route To delete a static route in the Static Routes screen select Del...

Page 202: ...ned as a start date and time and an end date and time or infinite Key management Typically you configure only one key on a given interface and all of the interfaces that interact with that interface R...

Page 203: ...ateway 0 0 0 0 Backup IP Gateway 0 0 0 0 Primary Domain Name Server 0 0 0 0 Secondary Domain Name Server 0 0 0 0 Domain Name Rip Options Proxy Arp Enabled No Multicast Forwarding None VRRP Options Sta...

Page 204: ...ion Keys is visible only if v2 MD5 Authentication is enabled for either Receive or Transmit RIP Ethernet LAN RIP Options Receive RIP v2 MD5 Authentication Transmit RIP Off RIP v2 Authentication Keys E...

Page 205: ...the RIP Receive option to Both v1 and v2 the interface will ignore authenticated RIP packets since authenticated v1 packets do not exist Only v2 packets can be authenticated Select RIP v2 Authenticat...

Page 206: ...ans that the key begins when it begins but it never expires The acceptable year range is from 1904 2039 When you are satisfied with your entries select COMMIT and press Return This menu will not accep...

Page 207: ...y menu in the same way as in the Add Key menu see Adding a key on page 13 If you select Delete Key a pop up menu will ask you to confirm your choice RIP v2 Authentication Keys Key ID Start Date Start...

Page 208: ...Connection Profile screen The connection profile RIP Profile Parameters screen appears Receive RIP is always visible Here you select Off v1 v2 Both v1 and v2 or v2 MD5 Authentication from the pop up m...

Page 209: ...Dynamic Host Configuration Protocol DHCP is widely supported on PC networks as well as Apple Macintosh computers using Open Transport and computers using the UNIX operating system Addresses assigned v...

Page 210: ...elect 1st Client Address and enter the first client IP address that you will allocate to your first client machine For instance on your local area network you may want to first figure out which machin...

Page 211: ...ng from 100 199 with the new IP Address If you configure the gateway with a subnet smaller than a Class C subnet the gateway will serve all available addresses If you explicitly configure the DHCP poo...

Page 212: ...interface address on the subnet You can edit the remaining columns in each row The 1st Client Addr and Clients columns allow you to specify the base and extent of the address serving pool for a partic...

Page 213: ...ed to the client Otherwise the Netopia will select the least recently used available address starting from the first address in the first pool and ending with the last address in the last pool Note Th...

Page 214: ...e scope To serve DHCP clients with the IP address of a NetBIOS name server select Serve NetBIOS Name Server and toggle it to Yes DHCP NetBIOS Options Serve NetBIOS Type Yes NetBIOS Type Type B Serve N...

Page 215: ...Lease Management Select Release BootP Leases and press Return Back in IP Address Serving the Serve Dynamic WAN Clients toggle More Address Serving Options The Netopia Firmware Version 8 7 includes a n...

Page 216: ...nt did not provide a Host Name in its DHCP messages the second and third clients did The rightmost column displays the host name supplied by the client if one was provided otherwise it displays the cl...

Page 217: ...The action popup is context sensitive and lists only those operations that apply to the selected IP address in its current lease state Details is displayed if the entry is associated with both a host...

Page 218: ...alog asking you to confirm the operation Include is displayed if the entry is either excluded or declined Served IP Addresses IP Address Type Expires Host Name Client Identifier SCROLL UP 192 168 1 10...

Page 219: ...ss for a client with a particular Ethernet MAC address guarantees that a client with the specified MAC address will be offered or leased the specified IP address Moreover it prevents the specified IP...

Page 220: ...wards the request to one or more remote DHCP servers These servers process the request assign an address from an address pool configured on the remote server and forward the response back to the Netop...

Page 221: ...fault and DHCP Relay Agent If you select DHCP Relay Agent and press Return the screen changes as shown below Main Menu System Configuration IP Address Serving IP Address Serving IP Address Serving Mod...

Page 222: ...the Netopia Router s primary Ethernet LAN subnet There is no mechanism for DHCP clients to receive an address on a secondary subnet via a relayed DHCP request Connection Pro les Since you will probabl...

Page 223: ...be any name you wish For example the name of your ISP 2 Toggle the Profile Enabled value to Yes or No The default is Yes 3 Select IP Profile Parameters and press Return The IP Profile Parameters scree...

Page 224: ...want to view the connection profiles in your gateway return to the WAN Configuration screen and select Display Change Connection Profile The list of connection profiles is displayed in a scrolling po...

Page 225: ...service provider IGMP forwarding is enabled per IP Profile and WAN Connection Profile You configure Multicast Forwarding in two Telnet menu screens First you enable Multicast Forwarding in the IP Set...

Page 226: ...a software abstraction consisting of a group of two or more hardware routers protecting one or more IP addresses One of the routers is designated as the Master while the others are backups VRRP is a...

Page 227: ...ve one associated Virtual IP Address The Virtual IP Address VIP must be in the range of IP addresses covered by the IP interface or the subnets must not match the IP address of any other VIP Ethernet...

Page 228: ...perate in Master mode You can configure only one Virtual Router to be a Master by default priority of 255 for an interface Preempt Mode Toggle Preempt Mode either Yes or No This setting specifies whet...

Page 229: ...DHCP gateway and server IP instead of the configured DHCP gateway on the interface This behavior only happens if the Virtual Router associated with the configured DHCP gateway address is in Master st...

Page 230: ...IDs and ATM RFC 1483 bridged VCs to these interfaces on platforms with more than one Ethernet encapsulated interface The additional LAN IP routed interfaces duplicate all the same parameters that appl...

Page 231: ...face See RIP Options on page 7 10 VRRP Options Same as the primary interface Two Virtual routers can be added to each of the ALANs See Virtual Router Redundancy VRRP on page 7 34 Multicast Forwarding...

Page 232: ...and select Additional LANs The Additional LAN Configuration screen appears If you select either Show Change ALAN or Delete ALAN a pop up window allows you to choose the ALAN you want to modify or dele...

Page 233: ...N connection to using a built in V 92 modem Alternatively you can choose backup to an alternate gateway on the Ethernet LAN In the event of a loss of primary connectivity you have the option of switch...

Page 234: ...u have already created one Connection Profile For the backup modem you create a second Connection Profile and associate it with the backup modem interface Profile Name Give the profile a descriptive n...

Page 235: ...kup Select Encapsulation Options Add Connection Profile Profile Name Profile 1 Profile Enabled Encapsulation Type PPP RFC1483 ATMP Encapsulation Options PPTP IPsec L2TP IP Profile Parameters COMMIT CA...

Page 236: ...r a Host Name and Secret Unless otherwise instructed you can leave the other defaults unchanged Press Escape Datalink PPP MP Options Data Compression rd LZS Send Authentication None PAP Send User Name...

Page 237: ...e Backup for the Interface Group Telco Options became visible Select Telco Options The Telco Options screen allows you to set the parameters for the modem connection IP Profile Parameters Address Tran...

Page 238: ...of inactivity You can also toggle Callback to No or Yes In most cases since this is a backup connection you can leave this set to the default No In some cases your service provider or corporate office...

Page 239: ...see Backup Default Gateway on page 8 14 System Configuration Main Menu IP Setup IP Setup Ethernet IP Address 192 168 1 1 Ethernet Subnet Mask 255 255 255 0 Define Additional Subnets Default IP Gateway...

Page 240: ...on Main Menu Setup WAN Configuration WAN Wide Area Network Setup ATM Circuits Configuration Display Change Connection Profile Add Connection Profile Delete Connection Profile WAN Default Profile ATMP...

Page 241: ...want to hear dialing and connection tones generated by the modem or you can turn them off from the pop up menu Options are Never Until Carrier During Answer Always Speaker Volume You can set how loud...

Page 242: ...ost Name or IP Address 1 and 2 and enter IP address es or resolvable DNS name s that the Router will ping These are optional items that are particularly useful for testing if the remote end of a VPN c...

Page 243: ...nnection fails at layer 1 the Requires Recovery of minutes parameter determines the amount of time the primary layer 1 connec tion must be up recovered before the router will tear down the backup conn...

Page 244: ...ection entry that will be a permanent forced up connection for the backup modem The backup modem will be activated upon primary WAN link failure and remain active until primary WAN link recovery To co...

Page 245: ...connection Press Escape to return to the Add Scheduled Connection screen Add Scheduled Connection Scheduled Connection Enable On How Often Weekly Schedule Type Forced Up Set Weekly Schedule Use Conne...

Page 246: ...nection from your ENT Enterprise Series Router to another gateway that has for example an ISDN or analog modem connection to the Internet and designating the second gateway as the backup gateway Shoul...

Page 247: ...ng both addresses simultaneously at five second intervals recording the ping responses from each host The Router will proceed into backup mode only if neither of the configured remote hosts responds W...

Page 248: ...P Gateway field is not filled out as in the case of a DHCP acquired IP address and default gateway on the WAN interface For more information on IP Setup see the IP Setup on page 7 2 Note Backup and Re...

Page 249: ...ery Reason becomes visible when a failure of or recovery to the Primary interface is in progress During backup the following reasons may appear Loss of Layer 1 Indicates a loss of sync on the Primary...

Page 250: ...and a recovery condition exists it will display the Requires Recovery of value The displayed value does not change Rather it indicates how high the Time Since Detection must count before the switchove...

Page 251: ...w on page 9 1 Statistics Logs on page 9 3 Event Histories on page 9 4 IP Routing Table on page 9 6 General Statistics on page 9 6 System Information on page 9 8 Simple Network Management Protocol SNMP...

Page 252: ...ed typically the name of your ISP MAC Address The Router s hardware address for those interfaces that support DHCP IP Address The Router s IP address entered in the IP Setup screen Current status The...

Page 253: ...LEDs and the corresponding display in the Telnet menu screen will vary by model Each LED representation can report one of four states The LED is off R The LED is red G The LED is green Y The LED is y...

Page 254: ...Each entry in the list contains the following information Date Date of the event Time Time of the event Event A brief description of the event Ch The channel involved in the event WAN Event History S...

Page 255: ...Device Event History screen appears If the event history exceeds the size of the screen you can scroll through it by using SCROLL UP and SCROLL DOWN To scroll up select SCROLL UP at the top of the li...

Page 256: ...ful for monitoring and troubleshooting your LAN Note that the counters roll over at their maximum field width that is they restart again at 0 Statistics Logs Main Menu IP Routing Table IP Routing Tabl...

Page 257: ...Bytes The number of bytes received Tx Bytes The number of bytes transmitted Rx Packets The number of packets received Tx Pkts The number of packets transmitted Rx Err The number of bad Ethernet packet...

Page 258: ...tion screen appears The information display varies by model firmware version feature set and so on You can tell at a glance your particular system configuration System Information Serial Number 00 aa...

Page 259: ...ety of formats Load this MIB into your SNMP management software Follow the instructions included with your SNMP manager on how to load MIBs Netopia Firmware Version 8 7 supports the following manageme...

Page 260: ...me SysLocation and SysContact objects respectively in the MIB II system group Although optional the information you enter in these items can help a system administrator manage the network more efficie...

Page 261: ...revents unauthorized access to the Router through SNMP For more information on security issues see Suggested Security Measures on page 10 1 SNMP traps An SNMP trap is an informational message sent fro...

Page 262: ...nity String if you enabled one in the SNMP Setup screen and enter the appropriate password IP Trap Receivers Display Change IP Trap Receiver Add IP Trap Receiver Delete IP Trap Receiver Return Enter t...

Page 263: ...Receiver in the IP Trap Receivers screen Modifying IP trap receivers 1 To edit an IP trap receiver select Display Change IP Trap Receiver in the IP Trap Receivers screen 2 Select an IP trap receiver f...

Page 264: ...9 14 Firmware User Guide...

Page 265: ...10 8 Warning alerts on page 10 9 Telnet Access on page 10 20 About Filters and Filter Sets on page 10 21 Working with IP Filters and Filter Sets on page 10 28 Policy based Routing using Filtersets on...

Page 266: ...u select System Configuration then Security The Security Options screen appears UPnP Support UPnP Enabled Universal Plug and Play UPnP is a set of protocols that allows a PC to automatically discover...

Page 267: ...iguration and press Return The Superuser Configuration screen appears Assign a Superuser Name It can be up to 19 characters long It is good practice not to use any easily guessed combination such as y...

Page 268: ...r Configuration screen Select Access Privileges and from the pop up menu choose which access privilege you want this user to have All LAN or WAN If you assign any of these privileges limited users wil...

Page 269: ...e Default WAN Data Configuration No Connection Profile Configuration No Circuit PVC DLCI Configuration No LAN Data Configuration Yes LAN Subnet Configuration Yes NAT Filters Configuration Yes Preferen...

Page 270: ...CACS from the pop up menu Configuration information is given in the following sections RADIUS server authentication on page 10 7 TACACS server authentication on page 10 8 Advanced Security Options Rem...

Page 271: ...Remote then Lcl Ser Only causes the router to attempt to authenticate a user first using a RADIUS server and then if that fails using the local authentication database If RADIUS authentica tion fails...

Page 272: ...d using the Domain Name System DNS information configured in the router or by using an IP address in dotted quad notation The RADIUS Server Addr Name items are limited to 63 characters In addition to...

Page 273: ...ting transaction The CLI command is then executed regardless of the return code from the server Warning alerts Certain security related configuration changes cause the router to display a warning aler...

Page 274: ...to present the following warning alert Advanced Security Options You have no local passwords defined If you continue you will be unable to configure this device unless a Remote Server is available to...

Page 275: ...mote users the WAN related defaults are preset to Yes Toggle any that should be changed Advanced Security Options Remote Authentication RADIUS Security Databases Local only Remote Server Addr Name Rem...

Page 276: ...displayed is Change Access Password Selecting this option displays the Change Access Password screen When changing a password you will be challenged to enter it again to be sure you have entered it c...

Page 277: ...ation access is forbidden are usually hidden The Quick Menus screen reflects the security access level of the user Menus to which configuration access is forbidden are hidden Main Menu The following i...

Page 278: ...ptions according to the following diagram Netopia Router Easy Setup WAN Configuration System Configuration Utilities Diagnostics Statistics Logs Quick Menus Quick View Return Enter goes to Easy Setup...

Page 279: ...r accessibility after creating a Connection Profile or a limited user in the Change Connection Profile screen Advanced Connection Options Configuration Changes Reset WAN Connection No Scheduled Connec...

Page 280: ...non Superusers and provides access to the associated menu described previously IP Setup menu In the IP Setup menu users that do not have LAN Subnet Configuration access will see a screen similar to th...

Page 281: ...mware Substantial differences exist among screens on a given gateway Here all selection options are shown Based on access level the Statistics Logs menu displays its options according to the following...

Page 282: ...gs WAN Event History Device Event History IP Routing Table Served IP Addresses Served IP Addresses Backup Management Statistics General Statistics System Information User Access Level Global Global Gl...

Page 283: ...s Serving Setup Change Connection Profiles Fr Relay DLCI Config IP Filter Sets Delete Connection Profiles Backup Config Static Routes WAN Default Profile Telephone Setup Network Address Translation AT...

Page 284: ...outer if you suspect there is a chance of tampering To password protect the configuration screens select Easy Setup from the Main Menu and go to the Easy Setup Security Configuration screen By enterin...

Page 285: ...at sort of data can flow in and out of your network A particular filter can be either an input filter one that is used on data packets coming in to your network from the Internet or an output filter o...

Page 286: ...d inspector to see it A package from Paris is ignored by the first inspector rejected by the second inspector and never seen by the others A package from London is ignored by the first two inspectors...

Page 287: ...cket attributes A typical filter can match a packet on any one of the following attributes The source IP address where the packet was sent from The destination IP address where the packet is going The...

Page 288: ...ilter Equal For the filter to match the packet s port number must equal the port number specified in the filter Greater Than For the filter to match the packet s port number must be greater than the p...

Page 289: ...This is the port on the sending host that originated the packet D Port The destination port to match This is the port on the receiving host for which the packet is intended On Displays Yes when the f...

Page 290: ...anything The mask for Source IP Addr must be 255 255 255 255 since an exact match is desired Source IP Addr 199 211 211 17 Source IP address mask 255 255 255 255 Dest IP Addr 0 0 0 0 Destination IP a...

Page 291: ...packets Consider the combined effect of the filters If every filter in a set fails to match on a particular packet the packet is Forwarded if all the filters are configured to discard not forward Disc...

Page 292: ...ts begin by accessing the filter set screens Note Make sure you understand how filters work before attempting to use them Read the section About Filters and Filter Sets beginning on page 10 21 The pro...

Page 293: ...set All new filter sets have a default name The first filter set you add will be called Filter Set 1 the next filter will be Filter Set 2 and so on To give a new filter set a different name select Fil...

Page 294: ...een the two involves their reference to source and destination From the perspective of an input filter your local network is the destination of the packets it checks and the remote network is their so...

Page 295: ...t to Yes If Enabled is toggled to No the filter can still exist in the filter set but it will have no effect Display Change Filter Set Filter Set Name Filter Set 3 Add Input Filter to Filter Set Displ...

Page 296: ...25 Note If Protocol Type is set to TCP or UDP the settings for port comparison that you configure in steps 8 and 9 will appear These settings only take effect if the Protocol Type is TCP or UDP 9 Sele...

Page 297: ...filter set all of the filters it contains are deleted as well To reuse any of these filters in another set before deleting the current filter set you ll have to note their configuration and then recr...

Page 298: ...nput filter 3 This filter explicitly forwards all WAN originated ICMP traffic to permit devices on the WAN to ping devices on the LAN Ping is an Internet service that is useful for diagnostic purposes...

Page 299: ...ons are not intended to be combined Each modification is to be the only one used with Basic Firewall The results of combining filter set modifications can be difficult to predict It is recommended tha...

Page 300: ...e deleted set will no longer appear in the answer profile or any connection profiles to which it was added Policy based Routing using Filtersets Previous firmware versions routed IP packets only by de...

Page 301: ...ic not to keep the link up you would create a filter which forwards a ping but with the Call Placement Idle Reset set to Disabled Toggle Force Routing to Yes Enter the Gateway IP Address in standard d...

Page 302: ...rd then action on a packet matching none of the filters is to block any traffic Therefore if the behavior you want is to force the routing of a certain type of packet and pass all others through the n...

Page 303: ...information is what the packet filter uses to make filtering decisions It is important to note that a packet filter does not look into the IP data stream the User Data from above to make filtering de...

Page 304: ...r rule ordering is critical If a packet is forwarded through a series of filter rules and then the packet matches a rule the appropriate action is taken The packet will not forward through the remaind...

Page 305: ...are as follows 0 AND 0 0 0 AND 1 0 1 AND 0 0 1 AND 1 1 For example Filter rule Deny IP 163 176 1 15BINARY 10100011 10110000 00000001 00001111 Mask 255 255 255 255BINARY 11111111 11111111 11111111 111...

Page 306: ...he local network Example lter set screen This is an example of the Netopia filter set screen Filter basics In the source or destination IP address fields the IP address that is entered must be the net...

Page 307: ...ter Than or Equal Matches the port or any port greater Greater Than Matches anything greater than the port defined Filter Rule 200 1 1 0 Source IP Network Address 255 255 255 128 Source IP Mask Forwar...

Page 308: ...This rule will forward this packet because the packet does not match Example 3 Incoming packet has the source address of 200 1 1 184 00000000 Logical AND result Filter Rule 200 1 1 0 Source IP Networ...

Page 309: ...ded Example 5 Incoming packet has the source address of 200 1 1 96 255 255 255 240 11110000 Perform the logical AND 10110000 Logical AND result Filter Rule 200 1 1 96 Source IP Network Address 255 255...

Page 310: ...ot into one of these configurations the copy of which becomes the current configuration You name the saved configurations giving you a reference for identifying each one The naming operation occurs wh...

Page 311: ...you can select it from a pop up menu If you select Boot from a Configuration and select a different one you can reboot the gateway with your selected configuration Configuration Management Save Curren...

Page 312: ...figuration pop up menu select the configuration you want to designate as the Factory Default Configuration Management Configuration Name Type Save Current Configuration as Replace Existing Configurati...

Page 313: ...nus in the TFTP File Transfer screen in the Utilities Diagnostics menu as shown Configuration Management Save Current Configuration as Replace Existing Configuration Boot from a Configuration Delete a...

Page 314: ...10 50 Firmware User Guide...

Page 315: ...n and Firmware Files with TFTP on page 11 6 Restarting the System on page 11 8 Note These utilities and tests are accessible only through the Telnet based management screens See the Getting Started Gu...

Page 316: ...7 295 3 Select Data Size to change the default setting This is the size in bytes of each Ping packet sent The default setting is adequate in most cases but you can change it to any value from 0 only h...

Page 317: ...e Description Resolving host name Finding the IP address for the domain name style address Can t resolve host name IP address can t be found for the domain name style address Pinging Ping test is in p...

Page 318: ...traverse Ping packets that reach their TTL value are dropped and a destination unreachable notification is returned to the sender see the table on the previous page This ensures that no infinite rout...

Page 319: ...can initiate a Telnet client session when using a Telnet console session To activate the Telnet client select Telnet from the Utilities Diagnostics menu The Telnet client screen appears Enter the host...

Page 320: ...aving to completely reconfigure the Router by saving a Factory Default configuration See Factory Default to a saved configuration on page 10 48 Transferring Con guration and Firmware Files with TFTP T...

Page 321: ...ET GATEWAY FIRMWARE FROM SERVER and press Return You will see the following dialog box Select CANCEL to exit without downloading the file or select CONTINUE to download the file The system will reset...

Page 322: ...Router unit to configure its parameters see Downloading configuration files on page 11 7 This is useful for configuring a number of gateways with identical parameters or just for creating configuratio...

Page 323: ...u reconfigure the Router and want the new parameter values to take effect Under certain circumstances restarting the system may also clear up system or network malfunctions Some configuration processe...

Page 324: ...11 10 Firmware User Guide...

Page 325: ...lowing suggestions before calling for technical support There are four zones to consider when troubleshooting initial configuration 1 The computer s connection to the gateway 2 The gateway s connectio...

Page 326: ...7 s Ping utility in the Utilities Diagnostics screen and try to Ping local and remote hosts See Ping on page 11 2 for instructions on how to use the Ping utility If you can successfully Ping hosts usi...

Page 327: ...the Gateway will perform a factory reset clear all settings and configurations except those saved as Saved Configuration s See Factory Default to a saved configuration on page 10 48 The Router will t...

Page 328: ...devices Ethernet TCP IP How to reach us We can help you with your problem more effectively if you have completed the environment profile in the previous section If you contact us by telephone please b...

Page 329: ...uring terminal emulation software 1 4 configuring the console 3 35 Connection profiles 2 9 console configuring 3 35 console configuration 3 35 console based management configuring with 1 2 2 1 3 1 Con...

Page 330: ...ing 10 33 disadvantages of 10 27 input 10 30 modifying 10 32 output 10 30 using 10 27 10 28 viewing 10 32 firewall 10 33 firmware files updating with TFTP 11 7 FTP sessions 10 36 G general statistics...

Page 331: ...Telnet 1 4 NetBIOS 7 21 NetBIOS scope 7 22 Netopia distributing IP addresses 7 17 models 1 3 monitoring 9 1 security 10 1 system utilities and diagnostics 11 1 Network Address Translation see NAT 7 1...

Page 332: ...te rules of installation 7 9 static routes 7 3 7 6 strong encryption 5 18 subnets multiple 7 4 support technical A 3 syslog 3 42 T technical support A 3 telnet 1 4 access 10 20 terminal emulation soft...

Page 333: ...y Protocol 7 34 VLAN 3 11 VPN 5 1 allowing through a firewall 5 25 ATMP tunnel options 5 15 default answer profile 5 18 encryption support 5 17 PPTP tunnel options 5 4 VRID 7 35 VRRP 7 34 VRRP Options...

Page 334: ...Index 6...

Reviews:

No comments

Related manuals for 3300-ENT Series

Brand: D-Link Pages: 29

DGS-3700 Series

Brand: D-Link Pages: 292

Brand: D-Link Pages: 140

DGS-1224T - Web Smart Switch

Brand: D-Link Pages: 61

DI-LB604 - Load Balancing Router

Brand: D-Link Pages: 14

Brand: D-Link Pages: 2

Brand: D-Link Pages: 45

Brand: D-Link Pages: 218

DES-3528 - xStack Switch - Stackable

Brand: D-Link Pages: 322

DIR-130 - Broadband VPN Router

Brand: D-Link Pages: 10

DIR-130 - Broadband VPN Router

Brand: D-Link Pages: 4

DIR-130 - Broadband VPN Router

Brand: D-Link Pages: 13

Brand: D-Link Pages: 13

DI-804HV - Express ENwork Router

Brand: D-Link Pages: 19

Brand: D-Link Pages: 12

Brand: D-Link Pages: 8

Brand: D-Link Pages: 16

Brand: D-Link Pages: 7

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands