manualshive.com logo in svg

Netopia 4000 Series, Software Manual

The Honeywell 4000 Series is a versatile product designed for convenience and efficiency. If you're looking for its detailed specifications, installation guidelines, or troubleshooting tips, our website offers free downloads of the product data manual. Access it easily at manualshive.com and maximize the potential of your Honeywell 4000 Series.

Share
Download
background image

5-6  Firmware User Guide

that will be used to generate key material for IKE Phase 1.

The 

Encryption Algorithm

 pop-up menu specifies the IKE Phase 1 encr yption algorithm, and may be either 

DES (the default) or 3DES.

The 

Hash Algorithm

 pop-up menu specifies the IKE Phase 1 hash algorithm, and may be either SHA1 (the 

default) or MD5.

The 

Diffie-Hellman Group

 pop-up menu specifies the IKE Phase 1 Diffie-Hellman key exchange size, and 

may be either Group 1 (768 bits), Group 2 (1024 bits) (the default), or Group 5 (1536 bits).

If you select 

Advanced IKE Phase 1 Options

 the Advanced IKE Phase 1 Options screen appears.

Normally it is not necessar y to change the settings of the items on the Advanced IKE Phase 1 Options screen. 
Most of these settings exist for ensuring compatibility with remote IKE implementations that may have cer tain 
limitations.

The 

Negotiation

 pop-up menu allows you to specify the way the device will respond to a connection 

attempt. Normal (the default) is a two-way mode; Initiate Only or Respond Only permit limiting the 
connection to one-way only.

The 

SA Use Policy

 pop-up menu specifies the policy that the router will use to determine which Phase 1 

SAs to use when multiple valid Phase 1 SAs are available for transmitting traffic on an IPsec tunnel. 

Because the router normally re–keys prior to the expiration of the current Phase 1 SAs, multiple valid 
Phase 1 SAs may exist during the period of time after the router has re-keyed and established new Phase 
1 SAs and the time at which the old Phase 1 SAs expire. 

If you select

 Newest SAs Immediately

, the router will begin using the newly created Phase 1 SAs 

immediately after they are negotiated.

If you select

 Old SAs Until Expired

, the router will continue using the old Phase 1 SAs until they expire 

and will begin using the newly created Phase 1 SAs only after the old ones are no longer valid.

Allow Dangling Phase 2 SAs

 toggles whether or not Phase 2 SAs are permitted to sur vive the expiration of 

                         Advanced IKE Phase 1 Options

         Negotiation...                     Normal

         SA Use Policy...                   Newest SAs Immediately
         Allow Dangling Phase 2 SAs:        Yes
         Phase 1 SA Lifetime (seconds):     28800
         Phase 1 SA Lifetime (Kbytes):      0

         Send Initial Contact Message:      Yes
         Include Vendor ID Payload:         Yes
         Independent Phase 2 Re-keys:       Yes
         Strict Port Policy:                No

Return/Enter accepts * Tab toggles * ESC cancels.

Summary of Contents for 4000 Series

Page 1: ...e e e e N N N Ne e e et t t to o o op p p pi i i ia a a a 4 4 4 40 0 0 00 0 0 00 0 0 0 S S S Se e e er r r ri i i ie e e es s s s E E E Eq q q qu u u ui i i ip p p pm m m me e e en n n nt t t t N N N Ne e e et t t to o o op p p pi i i ia a a a F F F Fi i i ir r r rm m m mw w w wa a a ar r r re e e e V V V Ve e e er r r rs s s si i i io o o on n n n 5 5 5 5 4 4 4 4 ...

Page 2: ... registered U S Patent and Trademark Office Broadband Without Boundaries and 3 D Reach are trademarks belonging to Netopia Inc All other trademarks are the property of their respective owners All rights reserved Netopia Inc 6001 Shellmound Street Emeryville CA 94608 U S A Part Number Netopia part number 6161184 00 01 ...

Page 3: ...uration screen 2 3 G SHDSL Line Configuration screen 2 6 T1 Line Configuration screen 2 7 Frame Relay Configuration 2 9 Frame Relay DLCI configuration 2 11 Multiple ATM Permanent Virtual Circuits 2 16 Multiple ATM PVC overview 2 16 Multiple ATM PVC configuration 2 16 Editing circuits 2 20 Changing a circuit 2 21 Monitoring multiple virtual circuits 2 22 Creating a New Connection Profile 2 24 The D...

Page 4: ...t Protocol 2 43 Security 2 43 Upgrade Feature Set 2 43 RFC 1483 Transparent Bridging 2 44 Logging 2 46 Chapter 3 Multiple Network Address Translation 3 1 Overview 3 1 Features 3 2 Supported traffic 3 5 Support for Microsoft Network MSN Messenger 3 5 Support for AOL Instant Messenger AIM File Transfer 3 5 MultiNAT Configuration 3 6 Easy Setup Profile configuration 3 6 Server Lists and Dynamic NAT c...

Page 5: ...ion 4 11 ATMP PPTP Default Profile 4 11 VPN QuickView 4 13 Dial Up Networking for VPN 4 14 Installing Dial Up Networking 4 14 Creating a new Dial Up Networking profile 4 15 Configuring a Dial Up Networking profile 4 16 Installing the VPN Client 4 17 Windows 95 VPN installation 4 17 Windows 98 VPN installation 4 18 Connecting using Dial Up Networking 4 19 Allowing VPNs through a Firewall 4 19 PPTP ...

Page 6: ...ication configuration 6 10 Connection Profiles and Default Profile 6 16 IP Address Serving 6 17 IP Address Pools 6 20 DHCP NetBIOS Options 6 22 More Address Serving Options 6 24 Configuring the IP Address Server options 6 25 DHCP Relay Agent 6 30 Connection Profiles 6 32 Multicast Forwarding 6 34 Chapter 7 Line Backup 7 1 External Dial Backup Support 7 2 Configuring External Dial Backup 7 2 WAN Co...

Page 7: ...ols 9 1 Quick View Status Overview 9 1 General status 9 2 Current status 9 3 Status lights 9 3 Statistics Logs 9 4 Event Histories 9 4 IP Routing Table 9 7 General Statistics 9 7 System Information 9 9 Simple Network Management Protocol SNMP V2c 9 10 Enterprise specific SNMP Changes 9 10 The SNMP Setup screen 9 11 SNMP traps 9 12 Chapter 10 Security 10 1 Suggested Security Measures 10 1 Console Ti...

Page 8: ...a filter set 10 27 Deleting a filter set 10 31 A sample filter set 10 31 Policy based Routing using Filtersets 10 34 TOS field matching 10 35 Firewall Tutorial 10 37 General firewall terms 10 37 Basic IP packet components 10 37 Basic protocol types 10 37 Firewall design rules 10 38 Filter basics 10 40 Example filters 10 41 Configuration Management 10 44 TFTP and X Modem 10 47 Call Filtering 10 48 ...

Page 9: ...nsole connection problems A 2 Network problems A 2 How to Reset the Router to Factory Defaults A 3 Power Outages A 3 Technical Support A 4 How to reach us A 4 Appendix B Understanding IP Addressing B 1 What is IP B 1 About IP Addressing B 1 Subnets and subnet masks B 2 Example Using subnets on a Class C IP internet B 3 Example Working with a Class C subnet B 5 Distributing IP Addresses B 5 Technic...

Page 10: ...x Firmware User Guide Packet header types B 14 Appendix C Binary Conversion Table C 1 Index ...

Page 11: ...a Router Getting Started guide or the applicable User s Reference Guide You should read the Getting Started guide before reading this Firmware User Guide Note This Guide also includes descriptions of new features and changes to the functionality of the firmware for the current release Netopia Firmware Version 5 4 Such descriptions supersede the descriptions of the corresponding features given in t...

Page 12: ...rmit changing the values contained in the default connection profile You can use Easy Setup to initially configure the router directly through a console session Easy Setup menus contain up to five descendant screens for viewing or altering these values The number of screens depends on whether you have optional features installed The Getting Started manual describes the Easy Setup menus to get you ...

Page 13: ...ter your network and their history See Statistics Logs beginning on page 9 4 The Quick Menus screen is a shortcut entry point to the most commonly used configuration menus that are accessed through the other menu entry points The Quick View menu displays at a glance current real time operating information about your router See Quick View Status Overview on page 9 1 Netopia Models This Firmware Use...

Page 14: ...hing the console cable see Connecting a Console Cable to your Equipment on page 1 5 Telnet software installed on the computer you will use to configure the router Configuring Telnet software If you are configuring your device using a Telnet session your computer must be running a Telnet software program If you connect a PC with Microsoft Windows you can use a Windows Telnet application or simply ru...

Page 15: ... port Since Macintosh computers have different serial bus connectors you may need a USB to DB 9 or USB to serial adapter These are available from a variety of third party manufacturers This connection lets you use the computer to configure and monitor the Router via the console screens Example back panel To connect to your computer for serial console communication use a console cable appropriate t...

Page 16: ...uses Parameter Suggested Value Terminal type PC ANSI BBS Mac ANSI VT 100 or VT 200 Data bits 8 Parity None Stop bits 1 Speed 9600 57600 bits per second Flow Control None Note The router firmware contains an autobaud detection feature If you are at any screen on the serial console you can change your baud rate and press Return HyperTerminal for the PC requires a disconnect The new baud rate is disp...

Page 17: ...tem Configuration and press Return The System Configuration screen appears 2 Select IP Setup and press Return The IP Setup screen appears To go back in this sequence of screens use the Escape key To Use These Keys Move through selectable items in a screen or pop up menu Up Down Left and Right Arrow Set a change to a selected item or open a pop up menu of options for a selected item like entering a...

Page 18: ...1 8 Firmware User Guide ...

Page 19: ...g topics WAN Configuration on page 2 1 ADSL Line Configuration screen on page 2 2 SDSL IDSL Configuration screen on page 2 3 G SHDSL Line Configuration screen on page 2 6 T1 Line Configuration screen on page 2 7 Frame Relay Configuration on page 2 9 Multiple ATM Permanent Virtual Circuits on page 2 16 Creating a New Connection Profile on page 2 24 The Default Profile on page 2 28 Scheduled Connect...

Page 20: ...on or FDM the default 4 If you selected Multimode Circuit Type the Fast Retrain Enabled field appears Toggle it to On the default or Off 5 Select Data Link Encapsulation and press Return The pop up menu will offer you the choice of PPP or RFC1483 6 Press Escape to return to the WAN Configuration screen For multiple permanent virtual circuit PVC configurations see Multiple ATM Permanent Virtual Cir...

Page 21: ... the router must reboot and you will see a warning screen to confirm your choice IDSL configuration offers different options See IDSL Line Configuration screen on page 2 5 The Operation Mode pull down menu allows you to select the type of SDSL ATM DSLAM to which you will be connecting Generic Lucent Nokia EOC Fast Nokia Fixed Paradyne Nortel UE IMAS or Newbridge SDSL Line Conf Line Type SDSL ATM O...

Page 22: ...n is attempted If you choose Locked the Data Rate you select in the next menu will always be used The Data Rate pull down menu allows you to select the data rate for your connection This is usually assigned by your Service provider Your Data Link Encapsulation may be either PPP or RFC1483 as assigned by your Service Provider If you are using PPP the PPP Mode menu offers either VC Multiplexed or LL...

Page 23: ...using Frame Relay a PPP over Frame Relay Enabled option appears and allows you to tog gle it either On or Off If you enable PPP over Frame Relay the DLCI and LMI fields appear The DLCI field is editable the default is 16 The LMI pull down menu offers the choices None ANSI Annex D CCITT Annex A or LMI IDSL Line Configuration Line Type IDSL Data Rate kbps 144 2B D Data Link Encapsulation PPP Return ...

Page 24: ...unless your provider specifically tells you to do so Select Unused Cell Format and from the pop up menu select either Idle the default or Empty This setting must match the format used by your service provider Idle is the most common so you probably do not need to change it unless your provider specifically tells you to do so Select Data Link Encapsulation and from the pop up menu choose your DLE I...

Page 25: ...e to use the auto detection feature Toggle this item to Yes if your service provider uses equipment that supports DS0 channel auto detection Otherwise accept the default No Select Number of DS0 Channels and enter the number of DS0 channels that you and your telephone service provider have determined are necessary for your T1 line The default setting for DS0 Channels is 1 one Press Return Note Each...

Page 26: ...ing on your selection T1 Line Configuration Operation Mode Normal Line Encoding B8ZS Framing Mode ESF Number of DS0 Channels 1 First DS0 Channel 1 Channel Data Rate Nx64k Data Link Encapsulation RFC1483 RFC1483 Mode Bridged 1483 PPP over Ethernet PPPoE Off TO MAIN MENU NEXT SCREEN Return Enter goes to new screen Enter Information supplied to you by your telephone company T1 Line Configuration Oper...

Page 27: ... Relay as your data link encapsulation method see Frame Relay Configuration on page 2 9 for more information Frame Relay Configuration If you chose Frame Relay as your data link encapsulation type you can now configure the Frame Relay options from the WAN Configuration menu From the WAN Configuration screen select WAN Setup then select the Frame Relay Configuration option and press Return The Frame...

Page 28: ... if you want the frames on your line that exceed the configured service parameters to be dropped at the router Buffered if you want the frames on your line that exceed the link capacity to be delayed until the link is less busy or None if you want all of the frames on your line to be transmitted Press Return Note If you select None as the Tx Injection Management type the three Tx Injection Managem...

Page 29: ...Ns Forward Explicit Congestion Notification This feature is designed to notify you that congestion avoidance procedures should be initiated where applicable for traffic in the same direction as the received frame It indicates that the frame in question has encountered congested resources Note The Congestion Management Enabled field will only appear if Standard or Buffered is selected as the option...

Page 30: ...Change DLCIs in the Frame Relay DLCI Configuration screen and press Return The Frame Relay DLCI Configuration table is a handy way to quickly view the DLCI names and DLCI numbers that you attribute to your Frame Relay profiles Frame Relay DLCI Configuration Display Change DLCIs Add DLCI Delete DLCI Add delete and modify DLCIs from here Frame Relay DLCI Configuration DLCI Name DLCI Number DLCI 16 1...

Page 31: ...I Configuration screen Select a DLCI Name from the table and press Return to go to the Change DLCI screen The parameters in this screen are the same as the parameters in the Add DLCI screen To find out how to set them see Adding a Frame Relay DLCI configuration on page 2 14 Change DLCI DLCI Name DLCI 33 DLCI Enabled Yes DLCI Number 16 991 32 Remote IP Address 2 0 0 2 ...

Page 32: ...4 Select Remote IP Address and enter the remote IP address your ISP or network administrator gave you that represents the remote sites IP address for their router Press Return If you selected Standard or Buffered as the Tx Injection Management type in the Frame Relay Configuration screen go to the next bulleted item below If you selected None in the Frame Relay Configuration screen go to step 6 Be...

Page 33: ...mber of CIRs for all PVCs exceeds the line rate setup 5 Select ADD DLCI NOW to save the current static Frame Relay DLCI profile that you have just entered and press Return to go back to the Frame Relay DLCI Configuration screen Alternately you can cancel the Frame Relay DLCI profile you have just created by selecting CANCEL to exit the Add DLCI screen Deleting a Frame Relay DLCI configuration To de...

Page 34: ...r between one and eight corresponding to the circuit s position in the list of up to eight circuits You can also individually enable or disable a circuit without deleting it This is useful for temporarily removing a circuit without losing the configured attributes In order to function each circuit must be bound to a Connection Profile or to the Default Profile Among other attributes the profile bi...

Page 35: ...Virtual Path Identifier and the Virtual Channel Identifier in the Circuit VPI and Circuit VCI fields respectively ATM Circuits Configuration Show Change Circuit Add Circuit Delete Circuit Add Circuit Circuit Name Circuit 2 Circuit Enabled Yes Circuit VPI 0 255 0 Circuit VCI 32 65535 QoS UBR Peak Cell Rate 0 line rate CBR Use Connection Profile Default Profile Use Default Profile for Circuit ADD Ci...

Page 36: ...two ATM classes of ser vice for data connections Unspecified Bit Rate UBR and Constant Bit Rate CBR You can configure these classes of service on a per VC basis The default ATM class of service is UBR Then select a Connection Profile for the Circuit To use the Default Profile select Use Default Profile for Circuit and press Return For other options select a profile from the Use Connection Profile ...

Page 37: ... the Default Profile If you add a second VC it is initialized to the Default Profile and the menu screens display the VC Connection Profile related items allowing you to bind to a specific Connection Profile instead of the Default Profile In addition the router statically binds the first VC according to the rules used to select a profile for dynamic binding At this point each profile uses static b...

Page 38: ...he ATM Circuits Configuration screen From the Main Menu navigate to the ATM Circuits Configuration screen Select Show Change Circuit and press Return Main Menu WAN Configuration ATM Circuits Configuration ATM Circuits Configuration Show Change Circuit Add Circuit Delete Circuit ...

Page 39: ... character name with the circuit The default circuit name is Circuit n where n is some number between one and eight corresponding to the circuit s position in the list of up to eight circuits ATM Circuits Configuration Circuit Name VPI VCI Show Change Circuit Circuit 1 8 35 Add Circuit Voice Circuit 0 0 Delete Circuit Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Change Circuit ...

Page 40: ...uit menu depends not on the number of Connection Profiles you have created but the number of data VCs you have added See Multiple ATM PVC configuration on page 2 16 If you have more than one data VC you can choose how Connection Profiles are associated with VCs otherwise you get default behavior and the Connection Profile Is field cannot be selected Monitoring multiple virtual circuits The General...

Page 41: ...iew Press Return A pop up window appears displaying detailed information for the selected circuit ATM VC Statistics VPI VCI Local IP Addr Frames Rx Frames Tx Bytes Rx Bytes Tx SCROLL UP 0 39 111 222 333 4 0 0 0 0 8 36 1 0 70 0 SCROLL DOWN ATM VC Statistics View St VPI VCI 0 39 Circuit Name Circuit 4 8 36 Connection Profile Name Profile 4 Bytes Rx 0 Bytes Tx 0 Frames Rx 0 Frames Tx 0 Frames Rx Disc...

Page 42: ... Add Connection Profile The Add Connection Profile screen appears On a Netopia Router you can add up to 15 more connection profiles for a total of 16 but you can only use one at a time unless you are using VPNs 1 Select Profile Name and enter a name for this connection profile It can be any name you wish For example the name of your ISP 2 Toggle Profile Enabled to Yes or No The default is Yes You ...

Page 43: ...file Name Profile 1 Profile Enabled Yes Encapsulation Type RFC1483 Mode Bridged 1483 Routed 1483 IP Profile Parameters COMMIT CANCEL Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Encapsulation Type PPP Underlying Encapsulation None PPP Mode VC Multiplexed Encapsulation Options IP Profile Parameters Interface Group Primary COMMIT CANCEL Configure a new Conn Profile Finished COMM...

Page 44: ... the default or No See Line Backup on page 7 1 for more information Datalink PPP MP Options Data Compression Standard LZS Send Authentication PAP Send User Name Send Password Receive User Name Receive Password Dial on Demand Yes Data Compression defaults to Standard LZS You can select Ascend LZS if you are connecting to compatible equipment or None from the pull down menu The Send Authentication p...

Page 45: ...files in your device return to the WAN Configuration screen and select Display Change Connection Profile The list of Connection Profiles is displayed in a scrolling pop up screen IP Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP ...

Page 46: ... screen from the Main Menu by selecting WAN Configuration and then selecting Default Profile The Default Profile screen appears You can set Must Match a Defined Profile item to Yes or No the default This item controls whether or not the DSL link will come up without an explicitly configured connection profile If your ISP is serving you a dynamic IP Address you need not explicitly configure a conne...

Page 47: ...able it by toggling to Yes For details on setting up IP Parameters see IP Setup on page 6 2 Scheduled Connections Scheduled connections are useful for PPPoE PPTP and ATMP connection profiles To go to the Scheduled Connections screen from the WAN Configuration screen select Advanced Connection Options and then select Scheduled Connections IP Parameters Default Profile Address Translation Enabled No...

Page 48: ...resenting a day is capitalized the connection will be activated on that day a lower case letter means that the connection will not be activated on that day If the scheduled connection is configured for a once only connection the word once will appear instead of the days of the week Scheduled Connections Display Change Scheduled Connection Add Scheduled Connection Delete Scheduled Connection Naviga...

Page 49: ...connection To activate the connection select Scheduled Connection Enable and toggle it to On You can make the scheduled connection inactive by toggling Scheduled Connection Enable to Off Decide how often the connection should take place by selecting How Often and choosing Weekly or Once Only from the pop up menu The Schedule Type allows you to set the exact weekly schedule or once only schedule Op...

Page 50: ...Start Time and enter the time to initiate the scheduled connection You must enter the time in the format H M where H is a one or two digit number representing the hour and M is a one or two digit number representing the minutes The colon is mandatory For example the entry 1 3 or 1 03 would be accepted as 3 minutes after one o clock The entry 7 0 or 7 00 would be accepted as seven o clock exactly T...

Page 51: ...d be accepted as seven o clock exactly The entries 44 5 and 2 would be rejected Select AM or PM and choose AM or PM Select Scheduled Window Duration and enter the maximum duration allowed for this scheduled connection Use the same format restrictions noted above You are finished configuring the once only options Return to the Add Scheduled Connection screen to continue In the Add Scheduled Connect...

Page 52: ... are the same as the ones in the Add Scheduled Connection screen except that ADD SCHEDULED CONNECTION and CANCEL do not appear To find out how to set them see Adding a scheduled connection on page 2 31 Deleting a scheduled connection To delete a scheduled connection select Delete Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections Select a scheduled...

Page 53: ...the system configuration options described in later chapters System configuration of dynamic IP address distribution through DHCP or BootP Greater network security through the use of filters Use of Network Time Protocol To access the system configuration screens select System Configuration in the Main Menu then press Return IP Setup on page 2 36 Filter Sets on page 2 36 IP Address Serving on page ...

Page 54: ... configure IP address serving on your network by means of DHCP WANIP and BootP Details are given in IP Address Serving on page 6 17 Network Address Translation NAT These screens allow you to configure the Multiple Network Address Translation MultiNAT features Details are given in Multiple Network Address Translation on page 3 1 System Configuration IP Setup Filter Sets IP Address Serving Network A...

Page 55: ...UDP no activity time out The time in seconds after which a UDP session will be terminated if there is no traffic on the session TCP no activity time out The time in seconds after which an TCP session will be terminated if there is no traffic on the session Exposed Addresses The hosts specified in Exposed addresses will be allowed to receive inbound traffic even if there is no corresponding outboun...

Page 56: ... screen appears IP Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP Profile Options Return Enter to select among between Configure IP requirements for a remote network connection here IP P...

Page 57: ...te If Stateful Inspection is enabled on a base connection profile for example for PPP RFC1483 bridged routed or PPPoE Enable default mapping to router must be yes to allow inbound VPN terminations for example for PPTP ATMP client access to the router Deny Fragmented Packets Toggling this option to Yes causes the router to discard fragmented packets on this interface You can apply these parameters ...

Page 58: ...WAN interface The hosts specified in exposed addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic Stateful Inspection Parameters Exposed Address List N Max TCP Sequ my_xposed_list 0 None Enable defaul No Deny Fragment No Exposed Addre Up Down Arrows to select then Return Enter ESC to cancel Add Exposed Address List Exposed Address List Name my_xpo...

Page 59: ...range The acceptable range is from 1 65535 You can edit or delete exposed address lists by selecting Show Change Exposed Address List or Delete Exposed Address List A list of previously configured exposed addresses appears This allows you to select an exposed address list for editing or deletion Change Exposed Address Range my_xposed_list First Exposed Address 192 168 1 10 Last Exposed Address Pro...

Page 60: ...ime server in the field Time Server Host Name IP Address 3 Select the Router s time zone from the Time Zone pop up menu and press Return 4 In the NTP Update Interval field enter how often to synchronize with the time server using the format HHHH MM where H is hours and M is minutes 5 Select a System Date Format the options are MM DD YY DD MM YY and YY MM DD where M is month D is day and Y is year ...

Page 61: ...hese screens allow you to monitor and configure your network by means of a standard Simple Network Management Protocol SNMP agent Details are given in Simple Network Management Protocol SNMP V2c on page 9 10 Security These screens allow you to add users and define passwords on your network Details are given in Security on page 10 1 Upgrade Feature Set You can upgrade your Router by adding new feat...

Page 62: ...elect Change Device to a Bridge and press Return You will be challenged to confirm this choice If you chose CONTINUE the device will reboot and restart in bridge mode Routing features will be disabled and the console menus corresponding configuration items such as Easy Setup will be removed System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Date and Time C...

Page 63: ...dged mode with the WAN handling Frame Relay packets that are bridged to the Ethernet interface For these models LMI multiple DLCIs etc can be configured If you choose to run the router in bridged mode and select Frame Relay as the data link encapsulation method in the WAN Wide Area Network Setup menu the WAN Configuration menu now offers options to configure Frame Relay and Frame Relay DLCIs Netop...

Page 64: ...ch ones are logged and which are ignored You can enable or disable the syslog client dynamically When enabled it will report any appropriate and previously unreported events You can specify the syslog server s address either in dotted decimal format or as a DNS name up to 63 characters You can specify the UNIX syslog Facility to use by selecting the Facility pop up Erase the log by selecting DUMP ...

Page 65: ...xt netopia com ASYNC Modem carrier detected more Modem reports 26400 V34 May 5 10 14 06 tsnext netopia com WAN 56K Modem 1 activated at 115 Kbps May 5 10 14 06 tsnext netopia com Connect Confirmed to our DN 5108645534 May 5 10 14 06 tsnext netopia com PPP Channel 1 up Answer Profile name Default Profile May 5 10 14 06 tsnext netopia com PPP NCP up session 1 Channel 1 Final fallback negotiated auth...

Page 66: ...2 48 Firmware User Guide ...

Page 67: ...erview NAT Network Address Translation is a means of mapping one or more IP addresses and or IP service ports into different values This mapping serves two functions It allows the addresses of many computers on a LAN to be represented to the public Internet by only one or a few addresses saving you money It can be used as a security feature by obscuring the true addresses of important machines fro...

Page 68: ...ake it possible to provide access from the public network to hosts on the LAN Server lists allow you to define particular services such as Web ftp or e mail which are available via a public IP address You define the type of service you would like to make available and the internal IP address to which you would like to provide access You may also define a specific public IP address to use for this ...

Page 69: ...translation Netopia s NAT implementation makes it possible to have a static mapping of one public address to one private address thus allowing applications such as NetMeeting to work by assuring that any traffic sent back to the source IP address is forwarded through to the internal machine Static one to one mapping works well if you have enough IP addresses for all the workstations on your LAN If...

Page 70: ...t applies to the traffic being initiated is used For example if a connection is initiated from the public network and is destined for a public IP address configured on the Netopia Router the following comparisons are made in this order 1 The Netopia Router first checks its internal NAT cache to see if the data is part of a previously initiated connection if not 2 The Netopia Router checks the conf...

Page 71: ...at supports the following IP protocols PAT TCP UDP traffic which does not carry source or destination IP addresses or ports in the data stream i e HTTP Telnet r commands tftp NFS NTP SMTP NNTP etc Static NAT All IP protocol traffic which does not carry or otherwise rely on the source or destination IP addresses in the data stream Dynamic NAT All IP protocol traffic which does not carry or otherwis...

Page 72: ... Address is used to configure a NAT public address range consisting of the Local WAN IP Address and all its ports The public address map list is named Easy PAT List and the port map list is named Easy Servers The two map lists Easy PAT List and Easy Servers are created by default and NAT configuration becomes effective This will map all your private addresses 0 0 0 0 through 255 255 255 255 to you...

Page 73: ...e they are to be associated with 4 Associate the Map or Server List to your WAN interface via a Connection Profile or the Default Profile The three NAT features all operate completely independently of each other although they can be used simultaneously on the same Connection Profile You can configure a simple 1 to many PAT often referred to simply as NAT mapping using Easy Setup More complex setup...

Page 74: ...and ports so that connections initiated from the outside can access an interior server IP Setup Ethernet IP Address 192 168 1 1 Ethernet Subnet Mask 255 255 255 0 Define Additional Subnets Default IP Gateway 127 0 0 2 Primary Domain Name Server 0 0 0 0 Secondary Domain Name Server 0 0 0 0 Domain Name isp com Receive RIP Both Transmit RIP Off Static Routes IP Address Serving Network Address Transla...

Page 75: ...nd last exterior ports in the range These are the ports that will be used for traffic initiated from the private LAN to the out side world Note For PAT map lists and server lists if you use the Public Address 0 0 0 0 the list will acquire its public IP address from the WAN IP address specified by your WAN IP configuration in the Connection Profile If that is a static IP address then the PAT map li...

Page 76: ...he Network Address Translation screen Once the public ranges have been assigned the next step is to bind interior addresses to them Because these bindings occur in ordered lists called map lists you must first define the list then add mappings to it From the Network Address Translation screen select Add Map List and press Return The Add NAT Map List screen appears Select Map List Name and enter a ...

Page 77: ...ng the public ranges you have defined From the list of public ranges you defined select the one that you want to map to the interior range for this Add NAT Map my_map First Private Address 192 168 1 1 Last Private Address 192 168 1 254 Use NAT Public Range ADD NAT MAP CANCEL Add NAT Map my_map Public Address Range Type Name 0 0 0 0 pat Easy PAT 206 1 1 6 pat my_first_range 206 1 1 1 206 1 1 2 stat...

Page 78: ...u can create a new public range to be used by this map See Add NAT Public Range on page 3 9 The Add NAT Map screen now displays the range you have assigned Select ADD NAT MAP and press Return Your mapping is added to your map list Add NAT Map my_map First Private Address 192 168 1 1 Last Private Address 192 168 1 254 Use NAT Public Range my_first_range Public Range Type is pat Public Range Start A...

Page 79: ...ation screen select Show Change Map List and press Return Select the map list you want to modify from the pop up menu The Show Change NAT Map List screen appears Network Address Translation NAT Map List Name Add Out Easy PAT List Show Ch my_map Delete Add Map Show Ch Delete Add Ser Show Ch Delete NAT Ass Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Show Change NAT Map List Map ...

Page 80: ...hen select CHANGE NAT MAP and press Return Your changes will become effective and you will be returned to the Show Change NAT Map List screen Show Change NAT Map List Private Address Range Type Public Address Range 192 168 1 1 192 168 1 254 pat 206 1 1 6 192 168 1 253 192 168 1 254 static 206 1 1 1 206 1 1 2 192 168 1 1 192 168 1 252 dynamic 206 1 1 3 206 1 1 5 Change NAT Map my_map First Private ...

Page 81: ... s port accessible and it isn t accessible through other means such as a static mapping you must create a server list Select Add Server List from the Network Address Translation screen The Add NAT Server List screen appears Select Server List Name and type in a descriptive name A new menu item Add Server appears Add NAT Server List Server List Name my_servers Add Server ...

Page 82: ...your own by selecting Other If you select Other a screen is displayed that allows you to enter the port number range for your customized service Add NAT Server my_servers Service Server Private IP Address 192 168 1 45 Public IP Address 206 1 1 1 ADD NAT SERVER CANCEL Add NAT Server my_servers Type Port s Service ftp 21 telnet 23 Server Private IP Address smtp 25 tftp 69 Public IP Address gopher 70...

Page 83: ... lists and server lists if you use the Public Address 0 0 0 0 the list will acquire its public IP address from the WAN IP address specified by your WAN IP configuration in the Connection Profile If that is a static IP address then the PAT map list and server lists will acquire that address If it is a negotiated IP address such as may be assigned via DHCP or PPP the PAT map list and server lists wi...

Page 84: ...tion screen Select the Server List Name you want to modify from the pop up menu and press Return The Show Change NAT Server List screen appears Network Address Translation NAT Server List Name A my_servers S D A S D A S D Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Show Change NAT Server List Server List Name my_servers Add Server Show Change Server Delete Server ...

Page 85: ...press Return Your changes take effect and you are returned to the Show Change NAT Server List screen Show Change NAT Server List Private Address Public Address Port Se 192 168 1 254 206 1 1 6 smtp 192 168 1 254 206 1 1 5 smtp 192 168 1 254 206 1 1 4 smtp Ad 192 168 1 254 206 1 1 3 smtp 192 168 1 254 206 1 1 1 smtp Sh De Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Change NAT Se...

Page 86: ...u lists your configured servers Select the one you want to delete and press Return A dialog box asks you to confirm your choice Choose CONTINUE and press Return The server is deleted from the list Show Change NAT Server List Internal Address External Address Port Se 192 168 1 254 206 1 1 6 smtp 19 19 Ad Are you sure you want to delete this Server Sh CANCEL CONTINUE De ...

Page 87: ...to a Connection Profile from the Main Menu go to the WAN Configuration screen then the Display Change Connection Profile screen From the pop up menu list of your Connection Profiles choose the one you want to bind your map list to Select IP Profile Parameters and press Return The IP Profile Parameters screen appears Main Menu WAN Configuration IP Profile Parameters Display Change Connection Profil...

Page 88: ...IP Addressing Also the Local WAN IP Address and Mask fields visibility are dependent only on the IP Addressing type IP Profile Parameters NAT Map List Name Address Trans Easy PAT s IP Addressing my_map mbered None NAT Map List sy PAT NAT Server Li Local WAN IP Remote IP Add 7 0 0 2 Remote IP Mas 5 255 255 255 Filter Set tBIOS Filter Remove Filter Receive RIP th Up Down Arrow Keys to select ESC to ...

Page 89: ...erver lists to a Connection Profile From the Main Menu go to the WAN Configuration screen then the Default Profile screen Select IP Parameters and press Return The IP Parameters Default Profile screen appears Toggle Address Translation Enabled to Yes Main Menu WAN Configuration IP Parameters WAN Default Profile IP Parameters Default Profile Address Translation Enabled Yes NAT Map List Easy PAT Lis...

Page 90: ... will now be bound to the default profile Note There is no interdependency between NAT and IP Addressing Also the Local WAN IP Address and Mask fields visibility are dependent only on the IP Addressing type IP Parameters Default Profile NAT Map List Name Easy PAT List my_map Address Trans None s NAT Map List NAT Server Li Filter Set F Remove Filter Receive RIP th Up Down Arrow Keys to select ESC t...

Page 91: ...twork Address Translation screen Select NAT Associations and press Return The NAT Associations screen appears You can toggle NAT On or Off for each Profile Interface name You do this by navigating to the NAT field associated with each profile using the arrow keys Toggle NAT on or off by using the Tab key You can reassign any of your map lists or server lists to any of the Profile Interfaces You do...

Page 92: ... associated with the corresponding profile or interface NAT Associations NAT Map List Name Profile Interface Name Nat Server List Name Easy Setup Profile On Easy PAT List my_servers Profile 01 On my_first_map my_servers Profile 02 On my_second_map my_server_list Profile 03 On my_map None Profile 04 On None None Default Answer Profile On my_servers Up Down Arrow Keys to select ESC to dismiss Return...

Page 93: ...ave a suitable subnet mask that is usable for example when using PPP or PPPoE the DHCP subnet configuration will default to a class C subnet mask Globally only one dynamically configured DHCP subnet is available If you configure multiple Connection Profiles to use IP Passthrough s DHCP option when any of these profiles is established the dynamic DHCP configuration will be overwritten In the case o...

Page 94: ... Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP Profile Options Toggle to Yes if this is a single IP address ISP account Configure IP requirements for a remote network connection here NAT Option...

Page 95: ...ext client will get the IP passthrough address Note that there is no way to control which PC has the IP passthrough address without releasing all other DHCP leases on the LAN Note If you specify a non zeroes MAC address the DHCP Client Identifier must be in the format specified above Macintosh computers allow the DHCP Client Identifier to be entered as a name or text however Netopia routers accept...

Page 96: ...jected by the router For example suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host Both tunnels go to the same remote endpoint such as the VPN access concentrator at your employer s office In this case the first one to start the IPSec traffic will be allowed the second one since from the WAN it s indistinguishable will fail ...

Page 97: ...ough 206 1 1 6 255 255 255 248 subnet mask Your internal devices have IP addresses of 192 168 1 1 through 192 168 1 254 255 255 255 0 subnet mask In this example you will statically map the first five public IP addresses 206 1 1 1 206 1 1 5 to the first five corresponding private IP addresses 192 168 1 1 192 168 1 5 You will use these 1 to 1 mapped addresses to give your servers real addresses You...

Page 98: ... SCREEN NEXT SCREEN Enter a subnet mask in decimal and dot form xxx xxx xxx xxx Enter basic information about your WAN connection with this screen IP Easy Setup Ethernet IP Address 192 168 1 1 Ethernet Subnet Mask 255 255 255 0 Domain Name ISP net Primary Domain Name Server 173 166 101 1 Secondary Domain Name Server 173 166 102 1 Default IP Gateway 206 1 1 254 IP Address Serving On Number of Clien...

Page 99: ...ress Return This returns you to the Network Address Translation screen Select Add Public Range and press Return Type a name for this static range as shown below Enter the first and last public addresses your ISP assigned in their respective fields as shown The first five public IP addresses 206 1 1 1 206 1 1 5 in this example are statically mapped to the first five corresponding private IP address...

Page 100: ... to bind the Map List to the profile You do this through either the NAT Associations screen or the profile s configuration screens The PAT part of this example setup will allow any user on the Netopia Router s LAN with an IP address in the range of 192 168 1 6 through 192 168 1 254 to initiate traffic flow to the outside world for example the Internet No one on the Internet would be able to initia...

Page 101: ...er your Web server s address 192 168 1 2 and the public address for example 206 1 1 2 and then select ADD NAT SERVER Now return to Add Server choose the smtp port and enter 192 168 1 3 your Mail server s IP address for the Server Private IP Address You can decide if you want to present both your Web and Mail services as being on the same public address 206 1 1 2 or if you prefer to have your Mail ...

Page 102: ...3 36 Firmware User Guide ...

Page 103: ...you are creating a private network You can hold a conversation and exchange information about the happenings on opposite sides of the state or the continent that you are mutually interested in When your next door neighbor picks up the phone to call her daughter at college at the same time you are talking to your relatives your calls don t overlap but each is separate and private Neither house has ...

Page 104: ...for tunnelling Point to Point Tunnelling Protocol PPTP Ascend Tunnel Management Protocol ATMP and IP Security IPsec The Netopia Router can use any one Point to Point Tunneling Protocol PPTP is an extension of Point to Point Protocol PPP and uses a client and server model Netopia s PPTP implementation is compatible with Microsoft s and can function as either the client PAC or the server PNS As a cl...

Page 105: ...with the different protocols is done through the console based menu screens Each type is described in its own section About PPTP Tunnels on page 4 4 About IPsec Tunnels on page 4 7 About ATMP Tunnels on page 4 8 Your configuration depends on which protocol you and the router at the other end of your tunnel will use and whether or not you will be using the VPN client software in a standalone remote...

Page 106: ...PTP is a Datalink Encapsulation option in Connection Profiles It is not an option in device or link configuration screens as PPTP is not a native encapsulation Consequently the Easy Setup Profile does not offer PPTP datalink encapsulation See the Creating a New Connection Profile on page 2 24 for information on creating Connection Profiles Channel 4 and higher events such as connections and discon...

Page 107: ...e WAN the Tunnel Via Gateway field allows this path to be resolved From the pop up menu select an Authentication protocol for the PPP connection Options are PAP CHAP or MS CHAP The default is PAP The authentication protocol must be the same on both ends of the tunnel You can specify a Data Compression algorithm either None or Standard LZS for the PPTP connection Note When the Authentication protoc...

Page 108: ...g as a PNS Tunnels are normally initiated On Demand however you can disable this feature When disabled the tunnel must be manually established or may be scheduled using the scheduled connections feature See Scheduled Connections on page 2 29 Some networks that use Microsoft Windows NT PPTP Network Servers require additional authentication information called Windows NT Domain Name when answering PP...

Page 109: ...opia Routers support the more secure Tunnel mode Netopia Firmware Version 5 4 offers IPsec 3DES encryption over the VPN tunnel DES stands for Data Encryption Standard a popular symmetric key encryption method DES uses a 56 bit key Netopia Routers offer IPsec 3DES triple DES encryption as a standard option Some models support built in hardware acceleration of 3DES encryption at line speeds Internet...

Page 110: ...ent data within Generic Routing Encapsulation GRE The GRE data is then routed using standard methods ATMP configuration ATMP is a Datalink Encapsulation option in Connection Profiles It is not an option in device or link configuration screens since ATMP is not a native encapsulation The Easy Setup Profile does not offer ATMP datalink encapsulation See Creating a New Connection Profile on page 2 24 ...

Page 111: ... If the partner should be reached via an alternate port i e the LAN instead of the WAN the Tunnel Via Gateway field allows this path to be resolved You can specify a Network Name When the tunnel partner is another Netopia router this name may be used to match against a Connection Profile When the partner is an Ascend router in Gateway mode then Network Name is used by the Ascend router to match a ...

Page 112: ...The encryption process protects the data by making it difficult for any third party to get at the original data Netopia PPTP is fully compatible with Microsoft Point to Point Encryption MPPE data encryption for user data transfer over the PPTP tunnel Microsoft Windows NT Server provides MPPE encryption capability only when Microsoft Challenge Handshake Authentication Protocol MS CHAP is enabled Ne...

Page 113: ...ort MPPE at all the PPP session will be dropped This is done automatically and transparently ATMP PPTP Default Profile The WAN Configuration menu offers a ATMP PPTP Default Profile option Use this selection when your router is acting as the server for VPN connections that is when you are on the answering end of the tunnel establishment The ATMP PPTP Default Profile determines the way the attempted ...

Page 114: ...ntication and press Return A pop up menu offers the following options PAP the default CHAP or MS CHAP If you chose PAP or CHAP authentication from the Data Compression pop up menu select either None the default or Standard LZS If you chose MS CHAP authentication the Data Compression option is not required and this menu item becomes hidden ATMP PPTP Default Profile Answer ATMP PPTP Connections No P...

Page 115: ... Type Shows the data link encapsulation method PPTP or ATMP Rx Pckts Shows the number of packets received via the VPN tunnel Tx Pckts Shows the number of packets transmitted via the VPN tunnel Rx Discard Shows the number of packets discarded Remote Address Shows the tunnel partner s IP address Main Menu QuickView VPN QuickView VPN Quick View Profile Name Type Rx Pckts Tx Pckts RxDiscard Remote Add...

Page 116: ...ndows 95 and comes standard with Windows 98 and Windows NT The VPN tunnel behaves as a private network connection unrelated to other traffic on the network Once you have installed Dial Up Networking you will be able to connect to your remote site as if you had a direct private connection regardless of the intervening network s through which your data passes You may need to install the Dial Up Netw...

Page 117: ... have named it icon on your desktop Open the Dial Up Networking folder and then double click Make New Connection The Make New Connection wizard window appears 2 Type a name for this connection such as the name of your company or the computer you are dialing into From the pull down menu select the device you intend to use for the virtual private network connection This can be any device you have in...

Page 118: ...he profile you created in the previous section 2 Right click the icon and from the pop up menu select Properties 3 In the Properties window click the Server Type button From the Type of Dial up Server pull down menu select the appropriate type of server for your system version Windows 95 users select PPP Windows 95 Windows NT 3 5 Internet Windows 98 users select PPP Windows 98 Windows NT Server In...

Page 119: ...nstalled and have an established Internet connection Windows 95 VPN installation 1 From your Internet browser navigate to the following URL http www microsoft com NTServer nts downloads recommended dunl3win95 releasenotes aso Download the Microsoft Windows 95 VPN patch dun 1 3 to the Windows 95 computer you intend to use as a VPN client with PPTP Follow the installation instructions 2 From the Win...

Page 120: ... select Settings then Control Panel and click once The Control Panel screen appears 2 Double click Add Remove Programs The Add Remove Programs screen appears 3 Click the Windows Setup tab The Windows Setup screen will be displayed within the top center box 4 Double click Communications This displays a list of possible selections for the communications option Active components will have a check in ...

Page 121: ...ions that must cross the public network A strict firewall may not be provisioned to allow VPN traffic to pass back and forth as needed In order to ensure that a firewall will allow a VPN certain attributes must be added to the firewall s provisioning The provisions necessary vary slightly between ATMP and PPTP but both protocols operate on the same basic premise there are control and negotiation o...

Page 122: ...lay Change Input Filter screen Select Input Filter 1 and press Return In the Change Input Filter 1 screen set the Destination Port information as shown below Select Input Filter 2 and press Return In the Change Input Filter 2 screen set the Protocol Type to allow GRE as shown below Main Menu System Filter Sets Display Change Filter Set Configuration Basic Firewall Source IP Addr Dest IP Addr Proto...

Page 123: ...rce IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 Protocol Type GRE Source IP Addr Dest IP Addr Proto Src Port D Port On Fwd 1 0 0 0 0 0 0 0 0 TCP NC 1723 Yes Yes 2 0 0 0 0 0 0 0 0 GRE Yes Yes Change Output Filter 1 Enabled Yes Forward Yes Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0...

Page 124: ...inbound and outbound GRE packets Protocol 47 Internet Assigned Numbers Document RFC 1700 enabling transport of the tunnel payload From the Main Menu navigate to Display Change IP Filter Set and from the pop up menu select Basic Firewall Select Display Change Input Filter Display Change Input Filter screen Change Output Filter 2 Enabled Yes Forward Yes Source IP Address 0 0 0 0 Source IP Address Ma...

Page 125: ...hown below Change Input Filter 1 Enabled Yes Forward Yes Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 Protocol Type TCP Source Port Compare No Compare Source Port ID 0 Dest Port Compare Equal Dest Port ID 1723 Established TCP Conns Only No Change Input Filter 2 Enabled Yes Forward Yes Source IP Address 0 0 0 0 Source IP Address Mask ...

Page 126: ...ow GRE as shown below Source IP Addr Dest IP Addr Proto Src Port D Port On Fwd 1 0 0 0 0 0 0 0 0 TCP NC 1723 Yes Yes 2 0 0 0 0 0 0 0 0 GRE Yes Yes Change Output Filter 1 Enabled Yes Forward Yes Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 Protocol Type UDP Source Port Compare No Compare Source Port ID 0 Dest Port Compare No Compare D...

Page 127: ... model router connects directly to the Internet or if it connects via an Ethernet connection through a cable or DSL modem The enabling feature is the same for both Using the Tab key toggle NetBIOS Proxy Enabled from the default No to Yes and press Return Your remote Network Neighborhood becomes accessible from your Windows desktop Note The remote IP address and subnet mask should strictly match th...

Page 128: ...P Profile Options Enter an IP address in decimal and dot form xxx xxx xxx xxx Configure IP requirements for a remote network connection here IP Profile Parameters Address Translation Enabled No Remote IP Address 192 168 1 1 Remote IP Mask 255 255 255 0 Filter Set Remove Filter Set NetBIOS Proxy Enabled Yes RIP Profile Options Enter an IP address in decimal and dot form xxx xxx xxx xxx Configure IP...

Page 129: ...rking traffic Make sure the NetBIOS filter is not enabled in your Internet Connection Profile Netopia includes the NetBIOS Proxy feature as an enhancement and convenience for our customers It has been lab tested and many customers use it successfully However Netopia cannot guarantee that this feature will automatically give you the networking functionality you expect There are many possible issues...

Page 130: ...4 28 Firmware User Guide ...

Page 131: ...reens on page 5 18 IPsec Manual Key Entry on page 5 19 Overview IPsec supports two encapsulation modes Transport and Tunnel Transport mode encrypts only the data portion payload of each packet but leaves the header untouched Tunnel mode encrypts both the header and the payload On the receiving side an IPsec compliant device decrypts each packet Netopia Routers support Tunnel mode DES stands for Da...

Page 132: ...n the remote member specification of that tunnel is not routed using the normal routing table Instead it is forwarded using the security policy database to the remote security gateway remote tunnel endpoint specified in the IPsec tunnel configuration It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote security gateway Note To fully protect against IP addres...

Page 133: ...figuration Add Connection Profile Add Connection Profile Profile Name Profile 1 Profile Enabled Encapsulation Type PPP Encapsulation Options HDLC Frame Relay RFC1483 IP Profile Parameters ATMP PPTP IPsec Interface Group Primary COMMIT CANCEL IPsec Tunnel Options Key Management IKE IKE Phase 1 Profile Encapsulation ESP ESP Encryption Transform DES ESP Authentication Transform HMAC MD5 96 Compressio...

Page 134: ...s contain the information that the two ends of a tunnel use to authenticate each other and the parameters that govern the public key cryptography exchanges that are required to generate new keys periodically Make sure to add an IKE Phase 1 Profile If an IKE Phase 1 Profile is not assigned to an IKE Connection Profile all VPN traffic for that profile will be discarded Select ADD PH1 PROFILE The Add...

Page 135: ... by a mask specified either by a slash and a bit count between 0 and 32 OR by a second dotted quad IPv4 Range Two IPv4 addresses in dotted quad notation a b c d separated by a space Host Name A fully qualified domain name FQDN E Mail Address An RFC 822 e mail address in the form user hostname Key ID ASCII An opaque string consisting of printable ASCII characters represented as a sequence of printa...

Page 136: ...y The SA Use Policy pop up menu specifies the policy that the router will use to determine which Phase 1 SAs to use when multiple valid Phase 1 SAs are available for transmitting traffic on an IPsec tunnel Because the router normally re keys prior to the expiration of the current Phase 1 SAs multiple valid Phase 1 SAs may exist during the period of time after the router has re keyed and establishe...

Page 137: ...ue zero specifies the absence of a secured data lifetime Note It is invalid to set both lifetime values to zero This condition is not enforced by the console in order to avoid order dependencies when configuring the items but will set defaults at runtime Send Initial Contact Message toggles whether or not the IKE negotiation process begins by sending an initial contact message The default is Yes I...

Page 138: ...reen is identical to the Add IKE Phase 1 Profile screen shown above Selecting Delete IKE Phase 1 Profile and choosing an IKE phase 1 profile name from the pop up list displays a confirmation alert asking you to confirm that you really want to delete the specified IKE phase 1 profile IPsec Configuration IKE Phase1 Profile D IKE Profile 2 1 Profile A Arthropods D Anthropoids e Anopheles Albigensians...

Page 139: ...e if you don t already know how to do that You can access the Key Management menus from the Change Connection Profile menu under the WAN Configuration screen for a Connection Profile you have already created or you can create a new Connection Profile with your IKE settings included as you go The IKE Key management settings are part of the Data Link Options that you specify in the Add Connection Pr...

Page 140: ...Group pop up menu as shown below From the Encapsulation Type pop up menu select IPsec Then select Encapsulation Options and press Return The IPsec Tunnel Options screen appears Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Encapsulation Type IPsec Encapsulation Options IP Profile Parameters Interface Group Primary Backup Any Port COMMIT CANCEL IPsec Tunnel Options Key Managemen...

Page 141: ...1 Profile directly without first going to the IPsec Configuration screen and a NONE item to allow you to dissociate an existing IKE Phase 1 Profile from the IPsec tunnel The remainder of the screen allows you to configure the IKE Phase 2 parameters that control the contents of the single IKE Phase 2 proposal sent by the router These same items specify the values that must be offered by one of the ...

Page 142: ... is not enforced by the console in order to avoid order dependencies when configuring the items but rather is enforced at runtime and will cause the IPsec profile to assume the defaults Perfect Forward Secrecy toggles whether or not Perfect Forward Secrecy will be used Enabling Perfect Forward Secrecy the default causes IKE to perform a new Diffie Hellman exchange with each Phase 2 re key Because ...

Page 143: ...figuration screen under Advanced IP Profile Options See Add Network Configuration on page 5 15 Ping retry interval and Ping reply timeout options appear The defaults are 5 seconds and 90 seconds respectively You may adjust these to suit your network s tolerances Note ICMP Dead Peer Detection is not available when using manual re keying ICMP Dead Peer Detection does not initiate a series of phase 2...

Page 144: ...nality This feature allows you to define many local and remote network ranges for a given IPsec VPN profile Each of these ranges has its own IPsec tunnel However each tunnel has a common tunneling endpoint and encryption policy This is useful for example for branch office management of multiple IP subnets over an encrypted VPN tunnel The following diagram illustrates this feature Advantages of Mul...

Page 145: ...ber Last Address You supply these values Complete the Local Member 1st Address and Local Member Last Address fields If you choose Host Address you need only supply the Remote Member Address and the Local Mem ber Address the other fields are hidden Select COMMIT and press Return to add the configuration This returns you to the IP Profile Parameters screen Select COMMIT and press Return in the IP Pr...

Page 146: ...een the same scrolling list will display When you select one of the networks and press Return a warning screen will ask you to confirm your choice IP Profile Parameters Remote Tunnel Endpoint 0 0 0 0 Add Network Display Change Network Delete Network Address Translation Enabled No Filter Set None Remove Filter Set Advanced IP Profile Options COMMIT CANCEL Enter the IP Address or hostname of the rem...

Page 147: ...he default gateway to reach the partner If the partner should be reached via an alternate port for example the LAN instead of the WAN the Next Hop Gateway field allows this path to be resolved You can specify an Idle Timeout seconds value The idle timeout tells the router that if no traffic passes through the tunnel for the specified number of seconds no automatic SA re key should be performed Whe...

Page 148: ...KE Phase 1 Configuration screen appears WAN Configuration Main Menu IKE Phase 1 Configuration WAN Configuration WAN Wide Area Network Setup Display Change Connection Profile Add Connection Profile Delete Connection Profile WAN Default Profile ATMP PPTP Default Profile IKE Phase 1 Configuration Scheduled Connections Accounting Configuration Establish WAN Connection Disconnect WAN Connection From he...

Page 149: ...rmware has a redesigned layout and additional options for manual key entry If you selected Manual Key Management in the IPsec Tunnel Options screen you will need to enter your encryption keys in the IPsec Manual Keys screen IKE Phase 1 Configuration Display Change IKE Phase 1 Profile Add IKE Phase 1 Profile Delete IKE Phase 1 Profile IPsec Tunnel Options Key Management Manual Encapsulation ESP ESP...

Page 150: ...ith Manual Keys you must manually configure identical authentication and encryption keys at both ends of the tunnel The authentication keys are either 32 for MD5 or 40 for SHA1 ascii hex characters while the encryption keys are 16 for DES or 48 for triple DES ascii hex characters VPN Quickview Statistics are displayed on the VPN Quick View screen The VPN Quick View screen has been modified slightl...

Page 151: ...t was received and did not match any of the profiles stored in the local router IKE no matching proposal An IKE phase 1 request was received and the proposal did not match an allowed parameter or else the remote rejected the local router s proposal IKE phase 1 auth failure The phase 1 remote authentication failed IKE phase 1 resend timeout The attempt to resend the phase 1 remote authentication ti...

Page 152: ...e local router rejected the proposals of the remote or the remote rejected the local router s IKE ph2 resend timeout The attempt to resend the phase 2 authentication timed out IKE phase 2 complete The phase 2 negotiation completed successfully Event message Meaning ...

Page 153: ... Serving on page 6 17 More Address Serving Options on page 6 24 DHCP Relay Agent on page 6 30 Connection Profiles on page 6 32 Multicast Forwarding on page 6 34 Network Address Translation allows communication between the LAN connected to the Router and the Internet using a single or a few IP address es instead of a routed account with separate IP addresses for each computer on the network Network...

Page 154: ... Follow these steps to configure IP setup for your Router Select Ethernet IP Address and enter the IP address for the Router s Ethernet port Select Ethernet Subnet Mask and enter the subnet mask for the Ethernet IP address that you entered in the last step If you desire multiple subnets select Define Additional Subnets If you select this item you will be taken to the IP Subnets screen This screen ...

Page 155: ...Name and enter your network s domain name for example netopia com Netopia strongly recommends that you enter a domain name Routing Information Protocol RIP is needed if there are IP routers on other segments of your Ethernet network that the Router needs to recognize If this is the case select RIP Options and press Return This will take you to the Ethernet LAN RIP options screen where you can conf...

Page 156: ... Setup screen This screen displays up to eight rows of two editable columns preceded by a row number between one and eight If you have eight subnets configured there will be eight rows on this screen Otherwise there will be one more row than the number of configured subnets The last row will have the value 0 0 0 0 in both the IP address and subnet mask fields to indicate that you can edit the valu...

Page 157: ...ll the vacant fields The subnets configured on this screen are tied to the address serving pools configured on the IP Address Pools screen and that changes on this screen may affect the IP Address Pools screen In particular deleting a subnet configured on this screen will delete the corresponding address serving pool if any on the IP Address Pools screen IP Subnets IP Address Subnet Mask 1 192 128...

Page 158: ...tatic routes are used only if they appear in the IP routing table which contains all of the routes used by the Router see IP Routing Table on page 9 7 Static routes are helpful in situations where a route to a network must be used and other means of finding the route are unavailable For example static routes are useful when you cannot rely on RIP To go to the Static Routes screen select Static Rou...

Page 159: ... appear The table has the following columns Dest Network The network IP address of the destination network Static Routes Display Change Static Route Add Static Route Delete Static Route Configure View Delete Static Routes from this and the following Screens Dest Network Subnet Mask Next Gateway Priority Enabled 0 0 0 0 0 0 0 0 163 176 8 1 Low Yes Select a Static Route to modify ...

Page 160: ...t to No Be sure to read the rules on the installation of static routes in the IP routing table See Rules of static route installation on page 6 9 Select Destination Network IP Address and enter the network IP address of the destination network Select Destination Network Subnet Mask and enter the subnet mask used by the destination network Select Next Gateway IP Address and enter the IP address for...

Page 161: ...utes Select a static route from the table and go to the Change Static Route screen The parameters in this screen are the same as the ones in the Add Static Route screen see Adding a static route on page 6 8 Deleting a static route To delete a static route in the Static Routes screen select Delete Static Route to display a table of static routes Select a static route from the table and press Return...

Page 162: ...have lifetimes defined as a start date and time and an end date and time or infinite Key management Typically you configure only one key on a given interface and all of the interfaces that interact with that interface RIP updates are sent every 30 seconds Each RIP packet is authenticated using one key and sent When the Netopia router receives an authenticated RIP packet from a device it keeps trac...

Page 163: ...Subnet Mask 255 255 255 0 Define Additional Subnets Default IP Gateway 0 0 0 0 Backup IP Gateway 0 0 0 0 Primary Domain Name Server 0 0 0 0 Secondary Domain Name Server 0 0 0 0 Domain Name RIP Options Multicast Forwarding None Static Routes IP Address Serving Ethernet LAN RIP Options Receive RIP Off v1 Transmit RIP v2 Both v1 and v2 v2 MD5 Authentication ...

Page 164: ...cast from the pull down menu RIP v2 Authentication Keys is visible only if v2 MD5 Authentication is enabled for either Receive or Ethernet LAN RIP Options Receive RIP v2 MD5 Authentication Transmit RIP Off RIP v2 Authentication Keys Ethernet LAN RIP Options Receive RIP n Transmit RIP Off v1 RIP v2 Authentication Keys v2 broadcast v2 multicast v2 MD5 broadcast v2 MD5 multicast ...

Page 165: ...re immediately effective If you set the RIP Receive option to Both v1 and v2 the interface will ignore authenticated RIP packets since authenticated v1 packets do not exist Only v2 packets can be authenticated Select RIP v2 Authentication Keys The RIP v2 Authentication Keys screen appears RIP v2 Authentication Keys Display Change Key Add Key Delete Key ...

Page 166: ...ndefinitely End Date End Time and AM or PM do not appear if the End Time Mode is set to Infinite Infinite means that the key begins when it begins but it never expires The acceptable year range is from 1904 2039 When you are satisfied with your entries select COMMIT and press Return This menu will not accept a non unique Key ID on the same interface failure to enter an authentication key or a nega...

Page 167: ...e Valid field indicates yes otherwise it indicates no You modify the Change Key menu in the same way as in the Add Key menu see Adding a key on page 14 If you select Delete Key a pop up menu will ask you to confirm your choice RIP v2 Authentication Keys Key ID Start Date Start Time End Date End Time Valid 1 10 10 2002 12 00 AM Infinite yes 255 3 11 2000 3 17 PM 8 6 2002 1 24 AM no Delete Key Up Do...

Page 168: ...D5 Authentication from the pull down menu For MD5 authentication you must select v2 MD5 Authentication If NAT is disabled Transmit RIP is visible Here you select Off v1 v2 broadcast v2 multicast v2 MD5 broadcast or v2 MD5 multicast from the pull down menu For MD5 authentication you must select v2 MD5 either broadcast or multicast If you chose any Transmit RIP option other than Off TX RIP Policy is...

Page 169: ...g the UNIX operating system Addresses assigned via DHCP are leased or allocated for a short period of time if a lease is not renewed the address becomes available for use by another computer DHCP also allows most of the IP parameters for a computer to be configured by the DHCP server simplifying setup of each machine The second called BootP also known as Bootstrap Protocol is the predecessor to DH...

Page 170: ...he first client IP address that you will allocate to your first client machine For instance on your local area network you may want to first figure out which machines are going to be allocated specific static IP addresses so that you can determine the pool of IP addresses that you will be serving addresses from via DHCP BootP and or Dynamic WAN Example Your ISP has given your Router the IP address...

Page 171: ...ubnet the router will serve all available addresses If you explicitly configure the DHCP pool auto configuration of the DHCP pool is suppressed If you configure the router manually and you would like the router to auto configure DHCP you must explicitly set the IP Address and Subnet Mask to 0 0 0 0 and reboot If you have configured multiple Ethernet IP subnets the appearance of the IP Address Serv...

Page 172: ...interface address on the subnet You can edit the remaining columns in each row The 1st Client Addr and Clients columns allow you to specify the base and extent of the address serving pool for a particular subnet Entering 0 0 0 0 for the first client address or 0 for the number of clients indicates that no addresses will be served from the corresponding Ethernet IP subnet The Client Gateway column ...

Page 173: ... The client stores this address in non volatile storage for example on disk and the specific storage method location differs depending on the client operating system When requesting an address a client may provide a client identifier or if it does not the Netopia Firmware Version 5 4 may construct a pseudo client identifier for the client When the client subsequently requests an address the Router...

Page 174: ...OS a non IBM network operating system or network interface card must offer a NetBIOS emulator Many vendors either provide a version of NetBIOS to interface with their hardware or emulate its transport layer communications services in their network products A NetBIOS emulator is a program provided by NetWare clients that allow workstations to run applications that support IBM s NetBIOS calls Select...

Page 175: ...P NetBIOS Options To return to the IP Address Serving screen press Escape To enable BootP s address serving capability select Serve BOOTP Clients and toggle to Yes Note Addresses assigned through BootP are permanently allocated from the IP Address Serving pool until you release them To release these addresses navigate back to the Main Menu then Statistics Logs Served IP Addresses and Lease Managem...

Page 176: ...ar Ethernet MAC address The ability to view the host name associated with a client to which the router has leased an IP address The ability for the router s Ethernet IP address es to overlap the DHCP address serving pool s The ability to serve as a DHCP Relay Agent The Netopia Firmware Version 5 4 supports reserving an IP address only for a type 1 client identifier i e an Ethernet hardware address...

Page 177: ... still accessible in a Details pop up menu See below Note The server does not query the client for its host name Macintosh computers running versions of MacOS prior to MacOS version 8 5 OT 2 0 1 TCP IP 2 0 1 do not supply a host name option in their DHCP messages so no host name will appear in the Served IP Addresses list Served IP Statistics Logs Main Menu Addresses Served IP Addresses IP Address...

Page 178: ...tions are Details Exclude Include Release and Reserve The action popup is context sensitive and lists only those operations that apply to the selected IP address in its current lease state Served IP Addresses IP Address Type Expires Host Name Client Identifier SCROLL UP 192 168 1 100 192 168 1 101 192 168 1 102 192 168 1 103 192 168 1 104 192 168 1 105 192 168 1 106 192 168 1 107 192 168 1 108 Det...

Page 179: ...f the entry is not already excluded Selecting Exclude excludes the IP address from the address serving pool so the address will not be served to a client If the IP address is currently leased to or reserved for a client you will be presented with a warning dialog asking you to confirm the operation Served IP Addresses IP Address Type Expires Host Name Client Identifier SCROLL UP 192 168 1 100 192 ...

Page 180: ...is actively being used by a client is generally not recommended Reserve is displayed if the entry is available declined excluded leased offered or reserved Reserving an IP address for a client with a particular Ethernet MAC address guarantees that a client with the specified MAC address will be offered or leased the specified IP address Moreover it prevents the specified IP address from being offe...

Page 181: ...8 1 104 192 168 1 105 IP Address is 192 168 1 108 192 168 1 106 MAC Address 00 00 c5 45 89 ef 192 168 1 107 192 168 1 108 CANCEL OK 192 168 1 109 192 168 1 110 192 168 1 111 192 168 1 112 192 168 1 113 SCROLL DOWN Lease Management Served IP Addresses IP Address Type Expires Host Name Client Identifier SCROLL UP 192 168 1 1 Excluded for the router s IP address 192 168 1 2 Excluded 192 168 1 3 DHCP ...

Page 182: ...nd respond to the client s request itself However if the Netopia Router is configured to act as a DHCP relay agent it does not satisfy the DHCP request itself but instead forwards the request to one or more remote DHCP servers These servers process the request assign an address from an address pool configured on the remote server and forward the response back to the Netopia Router for delivery bac...

Page 183: ...IP address and press Return an additional field appears You can enter up to four DHCP server addresses In the example above DHCP requests from clients on the LAN will be relayed to the DHCP servers at IP addresses 10 1 1 1 20 1 1 1 and 30 1 1 1 IP Address Serving IP Address Serving Mode Disabled DHCP Server Number of Client IP Addresses DHCP Relay Agent 1st Client Address Client Default Gateway 19...

Page 184: ...tional profiles may be useful for creating VPNs Connection Profiles define the line and networking protocols necessary for the router to make a remote connection A connection profile is like an address book entry describing how the router is to get to a remote site or how to recognize and authenticate a remote user connecting to the router To create a new Connection Profile you navigate to the WAN...

Page 185: ...mation on NAT see Multiple Network Address Translation beginning on page 3 1 The Local WAN IP Address is displayed for numbered or NAT profiles The Local WAN IP Mask is displayed for numbered profiles The Remote IP Address and Remote IP Mask are displayed for unnumbered profiles IP Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List ...

Page 186: ...u see and hear the channel you are interested in but not the others Since a router should not be used as a passive forwarding device Netopia routers use a protocol for forwarding multicasting This protocol is Internet Group Management Protocol IGMP Two versions of IGMP are available V1 and V2 Netopia routers can use either one however Multicast Forwarding will only work if your service provider su...

Page 187: ... select V1 otherwise allow the default V2 Navigate to the IP Profile Parameters screen IP System Configuration Main Menu Setup IP Setup Ethernet IP Address 192 168 1 1 Ethernet Subnet Mask 255 255 255 0 Define Additional Subnets Default IP Gateway 0 0 0 0 Backup IP Gateway 0 0 0 0 Primary Domain Name Server 0 0 0 0 Secondary Domain Name Server 0 0 0 0 Domain Name Receive RIP Both Transmit RIP Mult...

Page 188: ...ng is turned off None on Connection Profiles until you enable a specific Connection Profile to receive multicast data You enable it by selecting Rx from the pull down menu IP Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Remote IP Address 0 0 0 0 Remote IP Mask...

Page 189: ...sing Scheduled Connections with Backup on page 7 8 Management Statistics on page 7 10 QuickView on page 7 12 Event Logs on page 7 12 SNMP Support on page 7 13 Backup Default Gateway on page 7 13 The purpose of backup is to provide a recovery mechanism in the event that the primary connection fails A failure can be either line loss for example by central site switch failure or physical cable breaka...

Page 190: ...t to be used for a modem the Backup Configuration menu under WAN Configuration Advanced Connection Options Here you select Backup is Automatic and Recovery is Automatic the Add Connection Profile menus under the WAN Configuration menus Here you choose Encapsulation Type PPP fill out the correct IP information select Backup as the interface group and fill out the Telco Options the Backup IP Gateway...

Page 191: ...onnection Profile Add Connection Profile Delete Connection Profile WAN Default Profile ATMP PPTP Default Profile IKE Phase 1 Configuration Scheduled Connections Backup Configuration Frame Relay Configuration Frame Relay DLCI Configuration Establish WAN Connection Disconnect WAN Connection Return Enter to create a new Connection Profile From here you will configure yours and the remote sites WAN in...

Page 192: ...connection attached to the serial console port A console connection is detected at the connection speed defined on the Console Configuration menu see Console Configuration on page 2 43 A modem will be detected at the data rate you specify in the following menu It will not auto detect the Console baud rate in Modem Auto mode Serial Port Configuration Serial Port Mode Console Only Modem Auto Serial ...

Page 193: ...e WAN Configuration screen and select Advanced Connection Options then Backup Configuration shown on page 7 5 Backup Configuration screen This screen is used to configure the conditions under which backup will occur if it will recover and how the Console port is configured For a modem connected to the Console port the Backup Configuration screen appears as follows Select Backup is and from the pop ...

Page 194: ... menu allows you to choose among 30 Sec onds 1 Min ute 2 Min utes 5 Min utes 10 Min utes or 15 Min utes This allows you to be sure that the primary WAN connection is well re established before the router switches back to it from the backup mode You can toggle Auto Recovery on loss of Layer 2 to Yes or No the default This setting determines whether the router should try to Auto Recover when the bac...

Page 195: ...n Profile on page 2 24 To associate this Connection Profile with your backup port interface choose Backup from the Interface Port pop up menu and press Return If you choose Backup Telco Options becomes visible The Telco Options screen allows you to set the parameters for the modem connection Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Data Link Encapsulation PPTP Data Link Op...

Page 196: ...ections with Backup The backup link is a PPP dial up connection and only connects to the Internet service provider when traffic is initiated from the LAN If you want to use the backup link to provide redundancy for services such as a Web service that you provide to the outside world you must force the connection to stay up You do this by creating a scheduled connection entry that will be a permane...

Page 197: ... press Return The Set Weekly Schedule screen appears Scheduled Connections Display Change Scheduled Connection Add Scheduled Connection Delete Scheduled Connection Return Enter to add a Scheduled Connection Navigate from here to add modify change delete Scheduled Connections Add Scheduled Connection Scheduled Connection Enable On How Often Weekly Schedule Type Forced Up Set Weekly Schedule Use Con...

Page 198: ...link fails the backup link will become active and remain active until the primary link recovers For more information about Scheduled Connections see Scheduled Connections on page 2 29 Management Statistics The Statistics Logs menu offers a Backup Management Statistics option To view the Backup Management Statistics from the Main Menu select Statistics Logs Set Weekly Schedule Monday Yes Tuesday Ye...

Page 199: ...cause for the current state of Backup or Recovery Time Since Detection is a display only field that is only visible if backup or recovery is in progress It displays the elapsed time since detection of either primary WAN line failure or re establishment of the Statistics Logs WAN Event History Device Event History IP Routing Table Served IP Addresses Backup Management Statistics General Statistics ...

Page 200: ...AN Event History Quick View Default IP Gateway 0 0 0 0 CPU Load 4 Unused Memory 387 KB Domain Name Server 0 0 0 0 Current WAN Port Console Port Domain Name happyinternet com WAN Event History Current Date 8 17 02 10 57 12 AM Date Time Event SCROLL UP 08 17 02 10 39 37 Line Failure Switching to backup port 08 17 02 10 38 51 Line Recovery Switching to primary port 08 17 02 10 37 42 Line Failure Swit...

Page 201: ...nternet and designating the second router as the backup gateway Should the primary WAN connection fail traffic would be automatically redirected through your alternate gateway device to maintain Internet connectivity Two menus control the backup gateway feature the Backup Configuration screen in the WAN Configuration menu Here you enable the backup feature and set some parameters the IP Setup scre...

Page 202: ...loss is a Layer 2 loss Select Recovery to WAN_name where WAN_name is the type of WAN connection you have such as ADSL and press Return Choose either Manual or Automatic to determine how the system will return to the WAN link when it becomes available again If you choose Automatic the next two menu items become visible Note Automatic recovery only works upon loss of WAN connectivity If you chose Au...

Page 203: ...reen appears The IP Setup screen permits entry of a backup IP gateway address This field is always visible even if the Default IP Gateway field is not filled out as in the case of a DHCP acquired IP address and default gateway on the WAN interface For more information on IP Setup see the IP Setup on page 6 2 Note Backup and Recovery have resolutions of five seconds This is how often the router eva...

Page 204: ...sible if backup or recovery is in progress It displays the elapsed time since detection of either primary WAN line failure or re establishment of the connection Switchover Time is a display only field that is only visible if backup or recovery is in progress It displays the time until either automatic Backup or Recovery The FORCE BACKUP FORCE RECOVERY option is a selectable option that depending o...

Page 205: ...ickView The QuickView screen now has an information element to indicate which gateway is in use Quick View 1 29 2002 01 05 35 PM Default IP Gateway 0 0 0 0 CPU Load 5 Unused Memory 5582 KB Primary DNS Server 0 0 0 0 Gateway installed Backup Secondary DNS Server 0 0 0 0 Domain Name happyinternet com ...

Page 206: ...7 18 Firmware User Guide ...

Page 207: ...t telephone extensions and up to eight derived voice lines The 4700 Series IAD family includes the Netopia data routing engine for any number of attached computers or other network devices connected to a single 10 100 Ethernet port Key features include Fax Modem Configurable Voice port for incoming fax or modem calls This is another term for echo cancellation support Voice Gateway Interoperability...

Page 208: ...PBX Local Switching mode In this mode you have the ability to pick up the phone receive local dial tone and proceed to program the phone w local speed dial options In addition taking the phone off hook and pressing speed dial numbers will cause the stored speed dial digits to be sent out This is independent of the previous mode Configuring the Voice Features This section describes how to configure ...

Page 209: ...perCom Ring Cadence 20 Hz Port Configuration Voice Coding mu law LES Profile Number Profile 9 Port Configuration Port 1 Echo Cancellation Enabled Yes Compression is G726 ADPCM 32K Port 2 Echo Cancellation Enabled Yes Compression is G726 ADPCM 32K Port 3 Echo Cancellation Enabled Yes Compression is G726 ADPCM 32K Port 4 Echo Cancellation Enabled Yes Compression is G726 ADPCM 32K Port 5 Echo Cancell...

Page 210: ...Your service provider must supply you with the correct provisioning information The reason is that in those gateway types the voice gateway expects this type of provisioning to be done prior to making any voice calls If the voice gateway is not LES compliant the pop up menus are not available and these fields are for information only Once you have made your settings for each voice port press Escap...

Page 211: ...s This section covers the following topics Quick View Status Overview on page 9 1 Statistics Logs on page 9 4 Event Histories on page 9 4 IP Routing Table on page 9 7 General Statistics on page 9 7 System Information on page 9 9 Simple Network Management Protocol SNMP V2c on page 9 10 Quick View Status Overview You can get a useful overall status report from the Netopia Firmware Version 5 4 in the...

Page 212: ...ed an IP address as your primary default gateway it is shown here Secondary DNS Server If you are using the router s defaults DHCP and NAT this value will be 0 0 0 0 If you have assigned an IP address as a secondary gateway it is shown here Domain Name The domain name you have assigned typically the name of your ISP MAC Address The Router s hardware address for those interfaces that support DHCP I...

Page 213: ...Status lights This section shows the current real time status of the Router s status lights LEDs It is useful for remotely monitoring the router s status The Quick View screen s arrangement of LEDs corresponds to the physical arrangement of LEDs on the router These LEDs and the corresponding display in the console menu screen will vary by model Each LED representation can report one of four states...

Page 214: ...roblem occurs You can view two different event histories one for the router s system and one for the WAN Some Netopia Routers have a built in battery backup which prevents loss of event history from a shutdown or reset The router s event histories are structured to display the most recent events first and to make it easy to distinguish error messages from informational messages Error messages are ...

Page 215: ...he dialog box To clear the event history select Clear History at the bottom of the history screen and press Return Device Event History The Device Event History screen lists a total of 128 port and system events giving the time and date for each event as well as a brief description The most recent events appear at the top WAN Event History Current Date 10 11 2001 03 02 23 PM Date Time Event SCROLL...

Page 216: ...t the selected event appears Press Return or Escape to dismiss the dialog box To clear the Device Event History select Clear History and press Return Device Event History Current Date 10 11 2001 03 02 23 PM Date Time Event SCROLL UP 01 22 02 02 03 11 IP address server initialization complete 01 22 02 02 03 11 BOOT Warm start v5 3 01 22 02 02 02 32 IP address server initialization complete 01 22 02...

Page 217: ...ful for monitoring and troubleshooting your LAN Note that the counters roll over at their maximum field width that is they restart again at 0 Statistics Logs Main Menu IP Routing Table IP Routing Table Network Address Subnet Mask via Router Port Type SCROLL UP 0 0 0 0 255 0 0 0 0 0 0 0 Other 127 0 0 1 255 255 255 255 127 0 0 1 Loopback Local 192 168 1 0 255 255 255 240 192 168 1 1 Ethernet Local 1...

Page 218: ...Rx Bytes The number of bytes received Tx Bytes The number of bytes transmitted Rx Packets The number of packets received Tx Pkts The number of packets transmitted Rx Err The number of bad Ethernet packets received Tx Err The number of errors occurring when Ethernet packets are transmitted simultaneously by nodes on the LAN General Statistics Physical I F Rx Bytes Tx Bytes Rx Pkts Tx Pkts Rx Err Tx...

Page 219: ...rmation screen appears The information display varies by model firmware version feature set and so on You can tell at a glance your particular system configuration System Information Serial Number ff 70 00 16740352 Firmware Version 5 4 ModelNumber 4541200 Processor Speed Mhz 50 Flash Rom Capacity MBytes 2 DRAM Capacity MBytes 16 Hardware Acceleration Not Installed Ethernet Single 10 100 Port WAN I...

Page 220: ...s an SNMP OID The router will reboot if the value is changed These changes have been added to the SNMP MIB file NETOPIA MIB This MIB is available by anonymous ftp from the Netopia ftp server MIBs are available in a variety of formats Load this MIB into your SNMP management software Follow the instructions included with your SNMP manager on how to load MIBs The Netopia Firmware Version 5 4 supports...

Page 221: ... Trap Version and choose either SNMP V1 or SNMP V2c SNMP V2c is a more feature rich version but is not supported by all vendors Consult with your service provider System Name System Location and System Contact set the values returned by the Router SNMP agent for the SysName SysLocation and SysContact objects respectively in the MIB II system group Although optional the information you enter in the...

Page 222: ...ests and Get Next Requests will still be honored using the Read Only community string assuming that is not the empty string Setting only the Read Only community string to the empty string will not block Get Requests or Get Next Requests since those operations and Set Requests are still allowed using the non empty Read Write community string Even if you decide not to use SNMP you should change the ...

Page 223: ...Display Change IP Trap Receiver in the IP Trap Receivers screen Modifying IP trap receivers 1 To edit an IP trap receiver select Display Change IP Trap Receiver in the IP Trap Receivers screen 2 Select an IP trap receiver from the table and press Return 3 In the Change IP Trap Receiver screen edit the information as needed and press Return Deleting IP trap receivers 1 To delete an IP trap receiver...

Page 224: ...9 14 Firmware User Guide ...

Page 225: ...ilters and Filter Sets on page 10 26 Policy based Routing using Filtersets on page 10 34 Firewall Tutorial on page 10 37 Configuration Management on page 10 44 Call Filtering on page 10 48 Suggested Security Measures In addition to setting up user accounts Telnet access and filters all of which are covered later in this chapter there are other actions you can take to make the Router and your netwo...

Page 226: ...d passwords are specified in the Security Options screen From the Main Menu select System Configuration then Security The Security Options screen appears UPnP Support UPnP Enabled Universal Plug and Play UPnP is a set of protocols that allows a PC to automatically discover other UPnP devices anything from an internet gateway device to a light switch retrieve an XML description of the device and it...

Page 227: ...ruser account are not modifiable It is possible however to control who can log in as Superuser You can limit this to serial console only Select Superuser Configuration and press Return The Superuser Configuration screen appears Assign a Superuser Name It can be up to 19 characters long It is good practice not to use any easily guessed combination such as your birthday Assign a Password Keep this p...

Page 228: ...n Select Access Privileges and from the pull down menu choose which access privilege you want this user to have All LAN WAN or for IADs only VOX If you assign any of these privileges limited users will have full access to privileges associated with these interfaces You can customize these privileges further in order to limit access to only certain portions of those interfaces configuration by sele...

Page 229: ...ptions screen select Advanced Security Options The Advanced Security Options screen appears Access Privilege Default WAN Data Configuration No Connection Profile Configuration No Circuit PVC DLCI Configuration No LAN Data Configuration Yes LAN Subnet Configuration Yes NAT Filters Configuration Yes Preferences Global Configuration Yes Voice Configuration IADs only Yes Access Privileges Custom WAN D...

Page 230: ...er is by definition authentication of remote users the WAN related defaults are preset to Yes Toggle any that should be changed Advanced Security Options Security Databases Local only RADIUS Server Addr Name RADIUS Server Secret Alt RADIUS Server Addr Name Alt RADIUS Server Secret RADIUS Identifer RADIUS Server Authentication Port RADIUS Access Privileges All LAN WAN Telnet Server Port VOX Custom ...

Page 231: ...ayed is Change Access Password Selecting this option displays the Change Access Password screen When changing a password you will be challenged to enter it again to be sure you have entered it correctly System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Date and Time Console Configuration Change Access Password Upgrade Feature Set Logging Use this screen i...

Page 232: ...nfiguration access is forbidden are usually hidden The Quick Menus screen reflects the security access level of the user Menus to which configuration access is forbidden are hidden Main Menu The following is an example comparison of the Main Menu as seen by the Superuser and by a Limited user Netopia Router Easy Setup WAN Configuration System Configuration Utilities Diagnostics Statistics Logs Qui...

Page 233: ...he following diagram Netopia Router Easy Setup WAN Configuration System Configuration Utilities Diagnostics Statistics Logs Quick Menus Quick View Return Enter goes to Easy Setup minimal configuration You always start from this main screen User Access Level Superuser WAN Conn Profiles PVC All All Global Voice All All WAN Configuration WAN Wide Area Network Setup ATM Circuits Configuration Display ...

Page 234: ...ity after creating a Connection Profile or a limited user in the Change Connection Profile screen Advanced Connection Options Configuration Changes Reset WAN Connection No IKE Phase 1 Configuration Scheduled Connections Accounting Configuration Backup Configuration User Access Level WAN Connection Profiles Connection Profiles Connection Profiles WAN Add Connection Profile Profile Name Profile 1 Pr...

Page 235: ...es access to the associated menu described previously IP Setup menu In the IP Setup menu users that do not have LAN Subnet Configuration access will see a screen similar to the following System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Date and Time Console Configuration SNMP Simple Network Management Protocol Security Upgrade Feature Set Change Device t...

Page 236: ...s supported by the firmware Substantial differences exist among screens on a given router or IAD Here all selection options are shown Utilities Diagnostics Ping Trace Route Telnet Log off Serial Console Session Trivial File Transfer Protocol TFTP X Modem File Transfer Restart System Revert to Factory Defaults Send ICMP Echo Requests to a network host User Access Level Global Global Global All Glob...

Page 237: ...gs WAN Event History Device Event History Voice Log Voice Accounting Log Voice Error Log IP Routing Table Served IP Addresses Served IP Addresses Accounting Statistics Backup Management Statistics General Statistics System Information User Access Level Global Global Voice Global Voice Voice Global Global Global Global Global Global ...

Page 238: ...e Connection Profiles Fr Relay DLCI Config IP Filter Sets Delete Connection Profiles Backup Config Static Routes WAN Default Profile Telephone Setup Network Address Translation ATMP PPTP Default Profile IKE Phase 1 Config Scheduled Connections Add Scheduled Connection Change Scheduled Connection MacIP Setup Delete Scheduled Connection X Modem File Transfer AURP Setup TFTP Console Configuration SNM...

Page 239: ...s you can protect the most sensitive screens from unauthorized access User accounts are composed of name password combinations that can be given to authorized users Caution You are strongly encouraged to add protection to the configuration screens Unprotected screens could allow an unauthorized user to compromise the operation of your entire network Once user accounts are created users who attempt...

Page 240: ...account passwords Protecting the configuration screens You can protect the configuration screens with user accounts You can administer the accounts from the Security Options screen You can create up to four accounts To display a view only list of user accounts select Show Users in the Security Options screen Security Options Enable Telnet Console Access Yes Enable Telnet Access to SNMP Screens Yes ...

Page 241: ...counts Select an account from the list and press Return to delete it To exit the list without deleting the selected account press Escape Telnet Access Telnet is a TCP IP service that allows remote terminals to access hosts on an IP network The Netopia Firmware Version 5 4 supports Telnet access to its configuration screens Caution You should consider password protecting or restricting Telnet acces...

Page 242: ...Typically you use filters to selectively admit or refuse TCP IP connections from certain remote networks and specific hosts You will also use filters to screen particular types of connections This is commonly called firewalling your network Before creating filter sets you should read the next few sections to learn more about how these powerful security tools work What s a filter and what s a filter ...

Page 243: ...pects data packets like a customs inspector scrutinizing packages Filter priority Continuing the customs inspectors analogy imagine the inspectors lined up to examine a package If the package matches the first inspector s criteria the package is either rejected or passed on to its destination depending on the first inspector s particular orders In this case the package is never seen by the remaini...

Page 244: ...rd or reject it and so on Because of this hierarchical structure each filter is said to have a priority The first filter has the highest priority and the last filter has the lowest priority How individual filters work As described above a filter applies criteria to an IP packet and then takes one of three actions Forwards the packet to the local or remote network Blocks discards the packet Ignores ...

Page 245: ...onfigured to match the following The source port number the port on the sending host that originated the packet The destination port number the port on the receiving host that the packet is destined for By matching on a port number a filter can be applied to selected TCP or UDP services such as Telnet FTP and World Wide Web The following tables show a few common services and their associated port ...

Page 246: ... For the filter to match the packet s port number must be less than or equal to the port number specified in the filter Equal For the filter to match the packet s port number must equal the port number specified in the filter Greater Than For the filter to match the packet s port number must be greater than the port number specified in the filter Greater Than or Equal For the filter to match the p...

Page 247: ...h This is the port on the sending host that originated the packet D Port The destination port to match This is the port on the receiving host for which the packet is intended On Displays Yes when the filter is in effect or No when it is not Fwd Shows whether the filter forwards Yes a packet or discards No it when there s a match Protocol Number to use Full name N A 0 Ignores protocol type ICMP 1 I...

Page 248: ...n anything The mask for Source IP Addr must be 255 255 255 255 since an exact match is desired Source IP Addr 199 211 211 17 Source IP address mask 255 255 255 255 Dest IP Addr 0 0 0 0 Destination IP address mask 0 0 0 0 3 Using the tables on page 10 21 find the destination port and protocol numbers the local Telnet port Proto TCP or 6 D Port 23 4 The filter should be enabled and instructed to blo...

Page 249: ...ity will affect the set s actions Test the set on paper by determining how the filters would respond to a number of different hypothetical packets Consider the combined effect of the filters If every filter in a set fails to match on a particular packet the packet is Forwarded if all the filters are configured to discard not forward Discarded if all the filters are configured to forward Discarded ...

Page 250: ...at you take the latter and safer approach to all of your filter set designs Working with IP Filters and Filter Sets This section covers IP filters and filter sets To work with filters and filter sets begin by accessing the filter set screens Note Make sure you understand how filters work before attempting to use them Read the section About Filters and Filter Sets beginning on page 10 18 The proced...

Page 251: ...eturn The Add Filter Set screen appears Naming a new filter set All new filter sets have a default name The first filter set you add will be called Filter Set 1 the next filter will be Filter Set 2 and so on To give a new filter set a different name select Filter Set Name and enter a new name for the filter set To save the filter set select ADD FILTER SET The saved filter set is empty contains no f...

Page 252: ...tween the two involves their reference to source and destination From the perspective of an input filter your local network is the destination of the packets it checks and the remote network is their source From the perspective of an output filter your local network is the source of the packets and the remote network is their destination To add a filter select Display Change Filter Set in the Filt...

Page 253: ...it to Yes If Enabled is toggled to No the filter can still exist in the filter set but it will have no effect Display Change Filter Set Filter Set Name Filter Set 3 Add Input Filter to Filter Set Display Change Input Filter Delete Input Filter Move Input Filter Add Output Filter to Filter Set Display Change Output Filter Delete Output Filter Move Output Filter Add Input Filter Enabled Yes Forward ...

Page 254: ...23 Note If Protocol Type is set to TCP or UDP the settings for port comparison that you configure in steps 8 and 9 will appear These settings only take effect if the Protocol Type is TCP or UDP 9 Select Source Port Compare and choose a comparison method for the filter to use on a packet s source port number Then select Source Port ID and enter the actual source port number to match on see the tabl...

Page 255: ... filter set all of the filters it contains are deleted as well To reuse any of these filters in another set before deleting the current filter set you ll have to note their configuration and then recreate them To delete a filter set select Delete Filter Set in the Filter Sets screen to display a list of filter sets Select a filter set from the list and press Return Select CONTINUE and press Return...

Page 256: ...Input filter 3 This filter explicitly forwards all WAN originated ICMP traffic to permit devices on the WAN to ping devices on the LAN Ping is an Internet service that is useful for diagnostic purposes Input filters 4 and 5 These filters forward all TCP and UDP traffic respectively when the destination port is greater than 1023 This type of traffic generally does not allow a remote host to connect...

Page 257: ...ions are not intended to be combined Each modification is to be the only one used with Basic Firewall The results of combining filter set modifications can be difficult to predict It is recommended that you take special care if you are making more than one modification to the sample filter set Trusted host To allow unlimited access by a trusted remote host with the IP address a b c d corresponding...

Page 258: ...ion profiles to which it was added Policy based Routing using Filtersets Previous firmware versions routed IP packets only by destination IP address Netopia Firmware Version 5 4 offers the ability to route IP packets using criteria other than the destination IP address This is called policy based routing You are now able to route IP traffic based on the following source IP address source and or de...

Page 259: ...ield of the IP header This means that if such packets are not received rapidly the quality of service degrades If you expect to route significant amounts of such traffic you can configure your router to route this type of traffic to a gateway other than your normal gateway using this feature The TOS field matching check is consistent with source and destination address matching Example You want pa...

Page 260: ... other packets Management IP traffic If the Force Routing filter is applied to source IP addresses it may inadvertently block communication with the router itself You can avoid this by preceding the Force Routing filter with a filter that matches the destination IP address of the router itself Add Input Filter Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing Yes Gateway IP...

Page 261: ...er information is what the packet filter uses to make filtering decisions It is important to note that a packet filter does not look into the IP data stream the User Data from above to make filtering decisions Basic protocol types TCP Transmission Control Protocol TCP provides reliable packet delivery and has a retransmission mechanism so packets are not lost RFC 793 is the specification for TCP U...

Page 262: ...er rule ordering is critical If a packet is forwarded through a series of filter rules and then the packet matches a rule the appropriate action is taken The packet will not forward through the remainder of the filter rules For example if you had the following filter set Allow WWW access Allow FTP access Allow SMTP access Deny all other packets and a packet goes through these rules destined for FT...

Page 263: ... are as follows 0 AND 0 0 0 AND 1 0 1 AND 0 0 1 AND 1 1 For example Filter rule Deny IP 163 176 1 15 BINARY 10100011 10110000 00000001 00001111 Mask 255 255 255 255 BINARY 11111111 11111111 11111111 11111111 Incoming Packet IP 163 176 1 15 BINARY 10100011 10110000 00000001 00001111 If you put the incoming packet and subnet mask together with AND the result is 10100011 10110000 00000001 00001111 wh...

Page 264: ...the local network Example filter set screen This is an example of the Netopia filter set screen Filter basics In the source or destination IP address fields the IP address that is entered must be the network address of the subnet A host address can be entered but the applied subnet mask must be 32 bits 255 255 255 255 The Netopia Firmware Version 5 4 has the ability to compare source and destinatio...

Page 265: ...eater Than or Equal Matches the port or any port greater Greater Than Matches anything greater than the port defined Filter Rule 200 1 1 0 Source IP Network Address 255 255 255 128 Source IP Mask Forward No What happens on match IP Address Binary Representation 200 1 1 28 00011100 Source address in incoming IP packet AND 255 255 255 128 10000000 Perform the logical AND Data Internet IP 200 1 1 Inp...

Page 266: ...4 This rule will forward this packet because the packet does not match Example 3 Incoming packet has the source address of 200 1 1 184 00000000 Logical AND result Filter Rule 200 1 1 0 Source IP Network Address 255 255 255 128 Source IP Mask Forward No What happens on match IP Address Binary Representation 200 1 1 184 10111000 Source address in incoming IP packet AND 255 255 255 128 10000000 Perfo...

Page 267: ...rded Example 5 Incoming packet has the source address of 200 1 1 96 255 255 255 240 11110000 Perform the logical AND 10110000 Logical AND result Filter Rule 200 1 1 96 Source IP Network Address 255 255 255 240 Source IP Mask Forward No What happens on match IP Address Binary Representation 200 1 1 104 01101000 Source address in incoming IP packet AND 255 255 255 240 11110000 Perform the logical AN...

Page 268: ... the current configuration Whenever you choose you can reboot into one of these configurations the copy of which becomes the current configuration You name the saved configurations giving you a reference for identifying each one The naming operation occurs when you decide to save a configuration or when downloading a configuration via TFTP or X Modem The configurations that are saved will persist ...

Page 269: ...ent screen If you choose to run one of your stored configurations you can select it from a pop up menu If you select Boot from a Configuration and select a different one you can reboot the router with your selected configuration Configuration Management Save Current Configuration as Replace Existing Conifiguration Boot from a Configuration Delete a Configuration Save Current Configuration Configur...

Page 270: ...een will ask you to confirm your choice Configuration Management Save Current Configuration as Configuration Name Type Replace Existing Configuration Boot from a Configuration Backup Config Binary Delete a Configuration HappyInternet Binary ...

Page 271: ...le Name Get Configuration Destination Current Configuration GET CONFIG FROM SERVER Backup Config HappyInternet Send Configuration Empty Type Name SEND CONFIG TO SERVER TFTP Transfer State Idle TFTP Current Transfer Bytes 0 Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit X Modem File Transfer Send Firmware to Netopia Get Configuration Destination Current Configuration Send Config t...

Page 272: ...sec The call filtering mechanism is useful if you have a time limited type of connection Such a connection may time out during a period of inactivity and may you want it to be re established or maintained automatically for certain types of traffic You manage Filters and Filter Sets in the Filter Sets management screen under the System Configuration menus The Add Output Filter menu appears as follo...

Page 273: ...ion will be taken If the connection is up the connection s idle timer will be refreshed and the packet forwarded as usual If the connection is down the packet is queued until a connection is established If you set the Call Placement Idle Reset to Disabled the call filtering attribute associated with the packet will be set such that the packet will be dropped if the connection is down and forwarded...

Page 274: ...10 50 Firmware User Guide ...

Page 275: ...ts on page 11 6 Transferring Configuration and Firmware Files with TFTP on page 11 6 Transferring Configuration and Firmware Files with XMODEM on page 11 9 Restarting the System on page 11 12 T1 Line Statistics and Diagnostics on page 11 12 Note These utilities and tests are accessible only through the console based management screens See the Getting Started Guide chapter Console Based Management ...

Page 276: ...4 967 295 3 Select Data Size to change the default setting This is the size in bytes of each Ping packet sent The default setting is adequate in most cases but you can change it to any value from 0 only header data to 1664 4 Select Delay seconds to change the default setting The delay in seconds determines the time between Ping packets sent The default setting is adequate in most cases but you can...

Page 277: ...age Description Resolving host name Finding the IP address for the domain name style address Can t resolve host name IP address can t be found for the domain name style address Pinging Ping test is in progress Complete Ping test was completed Cancelled by user Ping test was cancelled manually Destination unreachable from w x y z Ping test was able to reach the router with IP address w x y z which ...

Page 278: ...an traverse Ping packets that reach their TTL value are dropped and a destination unreachable notification is returned to the sender see the table on the previous page This ensures that no infinite routing loops occur The TTL value can be set and retrieved using the SNMP MIB II ip group s ipDefaultTTL object Trace Route You can count the number of routers between your Netopia Router and a given de...

Page 279: ...hat is you can initiate a Telnet client session when using a Telnet console session To activate the Telnet client select Telnet from the Utilities Diagnostics menu The Telnet client screen appears Enter the host name or the IP address in dotted decimal format of the machine you want to Telnet into and press Return Either accept the default control character Q used to suspend the Telnet session or ...

Page 280: ...n using the Reset switch Note Reset to factory defaults with caution You will need to reconfigure all of your settings in the router If you lose your password and are unable to access the console screens you can manually reset the router in an emergency See Appendix A Troubleshooting Transferring Configuration and Firmware Files with TFTP Trivial File Transfer Protocol TFTP is a method of transferr...

Page 281: ...Netopia website To update the router s firmware follow these steps Select TFTP Server Name and enter the server name or IP address of the TFTP server you will use The server name or IP address is available from the site where the server is located Select Firmware File Name and enter the name of the file you will download The name of the file is available from the site where the server is located Y...

Page 282: ...ed by downloading a configuration file using TFTP Once downloaded the file reconfigures all of the router s parameters as if someone had manually done so through the console port To download a configuration file follow these steps Select TFTP Server Name and enter the server name or IP address of the TFTP server you will use The server name or IP address is available from the site where the server...

Page 283: ...ile Name and enter a name for the file you will upload The file will appear with the name you choose on the TFTP server You may need to enter a file path along with the file name for example Mypc Netopia myfile 3 Select SEND CONFIG TO SERVER and press Return Netopia will begin to transfer the file 4 The TFTP Transfer State item will change from Idle to Writing Config The TFTP Current Transfer Byte...

Page 284: ...itiate an XMODEM transfer of the firmware file If you fail to initiate the transfer in that time the dialog box will disappear and the terminal emulation software will inform you of the transfer s failure You can then try again The system will reset at the end of a successful file transfer to put the new firmware into effect While the system resets the LEDs will blink on and off X Modem File Trans...

Page 285: ...terminal emulation software will inform you of the transfer s failure You can then try again The system will reset at the end of a successful file transfer to put the new configuration into effect Uploading configuration files A file containing a snapshot of the Router s current configuration can be uploaded from the router to disk The file can then be downloaded by a different Router to configure i...

Page 286: ...restart the system whenever you reconfigure the Router and want the new parameter values to take effect Under certain circumstances restarting the system may also clear up system or network malfunctions Some configuration processes automatically restart the system to apply the changes you have made T1 Line Statistics and Diagnostics For T1 models the Utilities and Diagnostics menu includes an opti...

Page 287: ...hifting the counted total to the next column to its right Utilities Diagnostics Ping Trace Route Telnet Trivial File Transfer Protocol TFTP X Modem File Transfer Restart System Revert to Factory Defaults T1 Line Statistics Diagnostics T1 Line Statistics Diagnostics Condition 00 16 00 27 00 12 1 57 1 42 24 hours Errored Seconds 007 000 000 000 000 00000 Unavailable Seconds 006 000 000 000 000 00000...

Page 288: ...e Payload Loopback sends an ANSI BPM payload loopback request to the remote CSU This pattern tells the remote device usually the CSU at the other end of the circuit that it should go into a looped state Use this pattern for putting up a loop to do testing from a remote portion of the circuit either by the Telco or by the CPE at the remote end of the circuit This test makes the remote CSU go into a...

Page 289: ... encounter problems during your initial configuration process review the following suggestions before calling for technical support There are four zones to consider when troubleshooting initial configuration 1 The computer s connection to the router 2 The router s connection to the telecommunication line s 3 The telecommunication line s connection to your ISP 4 The ISP s connection to the Internet...

Page 290: ... The default values are 9600 N 8 and 1 Characters are missing from some of the configuration screens Try changing the Router s default speed of 9600 bps and setting your terminal emulation software to match the new speed Network problems Problems communicating with remote IP hosts Verify the accuracy of the default gateway s IP address entered in the IP Setup or Easy Setup screen Use the Netopia Fi...

Page 291: ...r clip size Reset Switch slot 3 Carefully insert the larger end of a standard size paper clip until you contact the internal Reset Switch No need to unwind the paper clip 4 Press this switch 5 This will reset the unit to factory defaults and you will now be able to reprogram the router Power Outages If you suspect that power was restored after a power outage and the Router is connected to a remote...

Page 292: ...er Serial number Firmware version What kind of local network s do you have with how many devices Ethernet TCP IP How to reach us We can help you with your problem more effectively if you have completed the environment profile in the previous section If you contact us by telephone please be ready to supply Netopia Technical Support with the information you used to configure the Router Also please b...

Page 293: ...mation that surrounds the actual data being transmitted In e mail a header is usually the address and routing information found at the top of messages Note This guide uses the term IP in a very general and inclusive way to identify all of the following Networks that use the Internet Protocol along with accompanying protocols such as TCP UDP and ICMP Packets that include an IP header within their s...

Page 294: ...ess but never less than the class requires The following section gives more information on subnetting Class A networks have a small number of possible network numbers but a large number of possible host numbers Conversely Class C networks have a small number of possible host numbers but a large number of possible network numbers Thus the InterNIC assigns Class A addresses to large organizations th...

Page 295: ...t address The following table shows the proper subnet masks to use for each class of network when no subnets are required To know whether subnets are being used or not you must know what subnet mask is being used you cannot determine this information simply from an IP address Subnet mask information is configured as part of the process of setting up IP routers and gateways such as the Router Note ...

Page 296: ...255 128 mask 192 168 1 2 via router Usable IP Addresses available to Customer Site A 192 168 1 1 192 168 1 126 Router A IP Address 192 168 1 2 Subnet Mask 255 255 255 128 Remote IP 192 168 1 129 Remote Sub 255 255 255 128 Gateway 192 168 1 1 Usable IP Addresses available to Customer Site A 192 168 1 1 192 168 1 126 PC 1 IP Address 192 168 1 3 Subnet Mask 255 255 255 128 Gateway 192 168 1 1 PC 2 IP...

Page 297: ... to access Customer Site A but not the Internet If it is not possible to define a static route on Router B RIP could be enabled to serve the same purpose To use RIP instead of a static route enable Transmit RIP on Router A and Transmit and Receive RIP on Router B This will allow the route from Customer Site B to propagate on Router B and Customer Site A Example Working with a Class C subnet Suppos...

Page 298: ... information is helpful in determining dynamic address allocation for a network The term lease describes the action of a workstation requesting and using an IP address The address is dynamic and can be returned to the address pool at a later time The term renew refers to what the workstations do to keep their leased IP address At certain intervals the workstation talks to the DHCP or MacIP server ...

Page 299: ...and renews its lease every half hour The Mac workstation relinquishes its address upon shutdown in all but one case If the TCP IP control panel is set to initialize at startup and no IP services are used or the TCP IP control panel is not opened the DHCP address will NOT be relinquished upon shutdown However if the TCP IP control panel is opened or if an IP application is used the Mac WILL relinqu...

Page 300: ...manually distributed addresses are called static addresses Static addresses are useful in cases when you want to make sure that a host on your network cannot have its address taken away by the address server Appropriate candidates for a static address include a network administrator s computer a computer dedicated to communicating with the Internet and routers Using address serving The Router prov...

Page 301: ...e s IP Setup screen This method requires a static value to be used Thus any user dialing in can obtain the same IP address for every connection to the profile If you want to serve addresses statically define the address in the Connection Profile Notes The addresses that are to be served cannot be used elsewhere For example you wouldn t want to define a static address in a Connection Profile to be ...

Page 302: ...as the network address Address 199 1 1 47 is reserved as the broadcast address This leaves 14 addresses to allocate from 199 1 1 33 through 199 1 1 46 If you want to allocate a sub block of 10 addresses using DHCP enter 10 in the DHCP Setup screen s Number of Addresses to Allocate item Then in the same screen s First Address item enter the first address in the sub block to allocate so that all 10 ...

Page 303: ...address a b c 0 to be distributed among three networks This network address can be used on your main network while portions of it can be subnetted to the two remaining networks Note The IP address a b c 0 has letters in place of the first three numbers to generalize it for this example The figure shows a possible network configuration following this scheme The main network is set up with the Class...

Page 304: ...s for Routers B and C create entries in its IP routing table One entry points to the subnet a b c 128 while a second entry points to the subnet a b c 248 The IP routing table might look similar to the following Connection profile Remote IP address Remote IP mask Bits available for host address For Router B a b c 128 255 255 255 192 7 For Router C a b c 248 255 255 255 248 3 Internet Router A Route...

Page 305: ...he list and works up until there s a match or the route to the default gateway is reached When a b c 249 is masked by the first route s subnet mask it yields a b c 248 which matches the network address in the route The Router uses the connection profile associated with the route to connect to Router C and then forwards the packet Router C delivers the packet to the host on its local network IP Rou...

Page 306: ...kets as well as to packets addressed to their specific individual host addresses Depending on the age and type of IP equipment you use broadcasts will be addressed using either all zeros or all ones but not both If your network requires zeros broadcasting you must configure this through SNMP Packet header types As previously mentioned IP works with other protocols to allow communication over IP ne...

Page 307: ...0 104 1101000 9 1001 41 101001 73 1001001 105 1101001 10 1010 42 101010 74 1001010 106 1101010 11 1011 43 101011 75 1001011 107 1101011 12 1100 44 101100 76 1001100 108 1101100 13 1101 45 101101 77 1001101 109 1101101 14 1110 46 101110 78 1001110 110 1101110 15 1111 47 101111 79 1001111 111 1101111 16 10000 48 110000 80 1010000 112 1110000 17 10001 49 110001 81 1010001 113 1110001 18 10010 50 1100...

Page 308: ...173 10101101 205 11001101 237 11101101 142 10001110 174 10101110 206 11001110 238 11101110 143 10001111 175 10101111 207 11001111 239 11101111 144 10010000 176 10110000 208 11010000 240 11110000 145 10010001 177 10110001 209 11010001 241 11110001 146 10010010 178 10110010 210 11010010 242 11110010 147 10010011 179 10110011 211 11010011 243 11110011 148 10010100 180 10110100 212 11010100 244 111101...

Page 309: ...iguring with console based management 1 2 2 1 configuring terminal emulation software 1 4 configuring the console 2 43 Connection profiles 2 24 console configuring 2 43 connection problems A 2 console configuration 2 43 console based management configuring with 1 2 2 1 Constant Bit Rate CBR 2 18 D D port 10 23 Data Encryption Standard DES 4 10 date and time setting 2 42 dead peer detection 5 12 De...

Page 310: ... 24 filters actions a filter can take 10 20 adding to a filter set 10 28 defined 10 18 deleting 10 31 disadvantages of 10 25 input 10 28 modifying 10 30 output 10 28 using 10 26 viewing 10 30 firewall 10 31 firmware files updating with TFTP 11 7 updating with XMODEM 11 10 FTP sessions 10 34 G G SHDSL Line Configuration 2 6 general statistics 9 7 H how to reach us A 4 I IDSL Line Configuration 2 5 ...

Page 311: ...dding server lists 3 15 defined 6 1 Easy Setup Profile 3 6 IP profile parameters 3 21 IP setup 3 7 map lists 3 8 modifying map lists 3 13 outside ranges 3 8 server lists 3 8 navigating Easy Setup 1 7 NCSA Telnet 1 4 nested IP subnets B 11 NetBIOS 6 22 NetBIOS scope 6 23 Netopia distributing IP addresses 6 17 B 5 models 1 3 monitoring 9 1 security 10 1 system utilities and diagnostics 11 1 Network ...

Page 312: ...measures to increase 10 1 telnet 10 17 user accounts passwords 10 15 security options screen 10 15 protecting 10 16 Security Policy Database SPD 5 2 Simple Network Management Protocol see SNMP SNMP community strings 9 12 MIBs supported 9 10 setup screen 9 11 traps 9 12 SNMP V2c 9 10 src port 10 23 Stateful inspection 2 37 static IP addresses B 8 static route rules of installation 6 9 static routes...

Page 313: ...ed Bit Rate UBR 2 18 updating firmware with TFTP 11 7 with XMODEM 11 10 updating Netopia s firmware 11 7 upgrade 1 3 uploading configuration files 11 9 with TFTP 11 9 with XMODEM 11 11 user accounts 10 15 utilities and diagnostics 11 1 V viewing scheduled connections 2 30 Virtual Private Networks VPN 4 1 VPN 4 1 allowing through a firewall 4 19 ATMP tunnel options 4 8 default answer profile 4 11 e...

Page 314: ...Index 6 ...

Reviews:

No comments

Related manuals for 4000 Series

Keithley 7707 User Manual preview
7707
Brand: Keithley Pages: 59
N-Tron 702-W User Manual & Installation Manual preview
702-W
Brand: N-Tron Pages: 62
D-Link DSR-500 User Manual preview
DSR-500
Brand: D-Link Pages: 213
D-Link DGE-560T - Gigabit PCI-Express SNMP VLAN Flow Control Network... User Manual preview
DGE-560T - Gigabit PCI-Express SNMP VLAN Flow Control Network...
Brand: D-Link Pages: 53
NETGEAR DG834GT - 108 Mbps Super G Wireless ADSL Router Specifications preview
DG834GT - 108 Mbps Super G Wireless ADSL Router
Brand: NETGEAR Pages: 2
Lancom 7100 VPN Manual preview
7100 VPN
Brand: Lancom Pages: 70
Patton electronics SMARTNODE 4950 Quick Start Manual preview
SMARTNODE 4950
Brand: Patton electronics Pages: 12
Keithley 7011-C Instruction Manual preview
7011-C
Brand: Keithley Pages: 98
Patton electronics IPLink 2802 Specifications preview
IPLink 2802
Brand: Patton electronics Pages: 2
Lanner NCA-1525 User Manual preview
NCA-1525
Brand: Lanner Pages: 78
SAB SABVISION NVR32 Quick Start Manual preview
SABVISION NVR32
Brand: SAB Pages: 29
B&B Electronics Elinx ESW200 Series Quick Start Manual preview
Elinx ESW200 Series
Brand: B&B Electronics Pages: 20
Airlink101 AWMB100 User Manual preview
AWMB100
Brand: Airlink101 Pages: 46
Patton electronics IPLink 2803 Specifications preview
IPLink 2803
Brand: Patton electronics Pages: 2
Ubiquiti EdgeRouter ER-8 Quick Start Manual preview
EdgeRouter ER-8
Brand: Ubiquiti Pages: 20
ATTO Technology iPBridge 2500C Specifications preview
iPBridge 2500C
Brand: ATTO Technology Pages: 2
Vivint AirBridge VS-YOFIMN-000 Quick Reference preview
AirBridge VS-YOFIMN-000
Brand: Vivint Pages: 2
Buffalo TeraStation WSS WS5020N6 User Manual preview
TeraStation WSS WS5020N6
Brand: Buffalo Pages: 115

Brands by name

Popular brands

Load more brands