TW100-BRV304 Advanced VPN Firewall Router

Cable/DSL Internet Access
4-Port Switching Hub

User's Guide

Summary of Contents for TW100-BRV304 - Advanced VPN Firewall Router

Page 1: ...TW100 BRV304 Advanced VPN Firewall Router Cable DSL Internet Access 4 Port Switching Hub User s Guide...

Page 2: ...HAPTER 5 OPERATION AND STATUS 31 Operation 31 Status Screen 31 Connection Status PPPoE 33 Connection Status PPTP 35 Connection Status Telstra Big Pond 36 Connection Details SingTel RAS 37 Connection D...

Page 3: ...g 111 Firmware Upgrade 115 UPNP 116 APPENDIX A TROUBLESHOOTING 117 Overview 117 General Problems 117 Internet Access 117 APPENDIX B SPECIFICATIONS 119 TW100 BRV304 119 FCC Statement 119 CE Marking War...

Page 4: ...ugh the TW100 BRV304 using only a single external IP Address The local invalid IP Addresses are hidden from external sources This process is called NAT Network Address Translation DSL Cable Modem Sup...

Page 5: ...asy to create or extend your LAN DHCP Server Support Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request The TW100 BRV304 can act as a DHCP Server f...

Page 6: ...attacks Rule based Policy Firewall To provide additional protection against malicious packets you can define your own firewall rules This can also be used to control the Internet services available...

Page 7: ...ing LAN hub port Flashing Data is being transmitted or received via the corresponding LAN hub port 100 On Corresponding LAN hub port is using 100BaseT Off Corresponding LAN hub port connection is usi...

Page 8: ...ower On 3 Keep holding the Reset Button for a few seconds until the RED LED has flashed TWICE 4 Release the Reset Button The TW100 BRV304 is now using the factory default values WAN port 10 100BaseT C...

Page 9: ...the TW100 BRV304 Ensure the TW100 BRV304 and the DSL Cable modem are powered OFF 2 Connect LAN Cables Use standard LAN cables to connect PCs to the Switching Hub ports on the TW100 BRV304 Both 10BaseT...

Page 10: ...a normal port not an uplink port PCs connected to the DMZ port are on the same LAN segment as PCs connected to the Hub ports They must use the same IP address range PCs connected to the DMZ port are...

Page 11: ...the required functions To Do this Refer to Configure PCs on your LAN Chapter 4 PC Configuration Check TW100 BRV304 operation and Status Chapter 5 Operation and Status Use any of the following Internet...

Page 12: ...be installed and powered ON If the TW100 BRV304 s default IP Address 192 168 0 1 is already used by another device the other device must be turned OFF until the TW100 BRV304 is allocated a new IP Add...

Page 13: ...ing or your PC s IP address is not compatible with the TW100 BRV304 s IP Address See next item If your PC is using a fixed IP Address its IP Address must be within the range 192 168 0 2 to 192 168 0 2...

Page 14: ...d dress button to copy the MAC address from your PC to the TW100 BRV304 Common Connection Types Cable Modems Type Details ISP Data required Dynamic IP Address Your IP Address is allocated automaticall...

Page 15: ...IP Address is allocated automatically when you connect to you ISP Usually none However some ISP s may require you to use a particular Hostname Domain name or MAC physical address Static Fixed IP Addre...

Page 16: ...igation Data Input Use the menu bar on the top of the screen and the Back button on your Browser for navigation Changing to another screen without clicking Save does NOT save any changes you may have...

Page 17: ...IP Address This is the default and the most common Leave this selected if your ISP allocates an IP Address to the Wireless Router upon connection Specified IP Address Also called Static IP Address S...

Page 18: ...ou are on Server IP Address If using PPTP or Big Pond Cable enter the IP address of your ISP s server Connect automatically If Enabled default a connection will automatically be made as required If di...

Page 19: ...ame value as the PCs on that LAN segment DHCP Server If Enabled the TW100 BRV304 will allocate IP Addresses to PCs DHCP clients on your LAN when they start up The default and recommended value is Enab...

Page 20: ...our LAN Using the TW100 BRV304 s DHCP Server This is the default setting The DHCP Server settings are on the LAN screen On this screen you can Enable or Disable the TW100 BRV304 s DHCP Server function...

Page 21: ...each PC TCP IP Settings Overview If using the default TW100 BRV304 settings and the default Windows TCP IP settings no changes need to be made By default the TW100 BRV304 will act as a DHCP Server au...

Page 22: ...owing Figure 10 IP Address Win 95 Ensure your TCP IP settings are correct as follows Using DHCP To use DHCP select the radio button Obtain an IP Address automatically This is the default Windows setti...

Page 23: ...AN administrator can advise you of the IP Address they assigned to the TW100 BRV304 Figure 11 Gateway Tab Win 95 98 On the DNS Configuration tab ensure Enable DNS is selected If the DNS Server Search...

Page 24: ...ng TCP IP Settings Windows NT4 0 1 Select Control Panel Network and on the Protocols tab select the TCP IP protocol as shown below Figure 13 Windows NT4 0 TCP IP 2 Click the Properties button to see a...

Page 25: ...CP Server Restart your PC to ensure it obtains an IP Address from the TW100 BRV304 Specify an IP Address If your PC is already configured check with your network administrator before making the follow...

Page 26: ...dows NT4 0 Add Gateway 2 The DNS should be set to the address provided by your ISP as follows Click the DNS tab On the DNS screen shown below click the Add button under DNS Service Search Order and en...

Page 27: ...TW100 BRV304 User Guide 24 Figure 16 Windows NT4 0 DNS...

Page 28: ...up Connection 2 Right click the Local Area Connection icon and select Properties You should see a screen like the following Figure 17 Network Configuration Win 2000 3 Select the TCP IP protocol for y...

Page 29: ...o ensure it obtains an IP Address from the TW100 BRV304 Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the f...

Page 30: ...nnection 2 Right click the Local Area Connection and choose Properties You should see a screen like the following Figure 19 Network Configuration Windows XP 3 Select the TCP IP protocol for your netwo...

Page 31: ...it obtains an IP Address from the TW100 BRV304 Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the following...

Page 32: ...and Internet Connections 2 Select Set up or change your Internet Connection 3 Select the Connection tab and click the Setup button 4 Cancel the pop up Location Information screen 5 Click Next on the N...

Page 33: ...changes Fixed IP Address By default most Unix installations use a fixed IP Address If you wish to continue using a fixed IP Address make the following changes to your configuration Set your Default Ga...

Page 34: ...receives an incoming connection Refer to Chapter 6 Internet Features for further details Applications which use non standard connections or port numbers may be blocked by the TW100 BRV304 s built in...

Page 35: ...k for the IP Address above DHCP Server This shows the status of the DHCP Server function either Enabled or Disabled For additional information about the PCs on your LAN and the IP addresses allocated...

Page 36: ...s This address is allocated by your ISP Internet Service Provider Network Mask The Network Mask associated with the IP Address above PPPoE Link Status This indicates whether or not the connection is c...

Page 37: ...lly Able to login to ISP s Server and establish a PPP connection Idle time out reached The connection has been idle for the time period specified in the Idle Time out field The connection will now be...

Page 38: ...t users This address is allocated by your ISP Internet Service Provider PPTP Status This indicates whether or not the connection is currently established If the connection does not exist the Connect b...

Page 39: ...t to the hardware address seen by devices on the local LAN IP Address The IP Address of this device as seen by Internet users This address is allocated by your ISP Internet Service Provider Connection...

Page 40: ...sier to read new messages Refresh Update the data on screen Connection Details SingTel RAS If using the SingTel RAS access method a screen like the following example will be displayed when the Connect...

Page 41: ...button if you wish to manually renew the lease immediately Buttons Release Renew Button will display EITHER Release OR Renew This button is only useful if the IP address shown above is allocated auto...

Page 42: ...Mask The Network Mask associated with the IP Address above Default Gateway The IP Address of the remote Gateway or Router associated with the IP Address above DNS IP Address The IP Address of the Doma...

Page 43: ...icking the Renew button will attempt to re establish the connection and obtain an IP Address from the ISP s DHCP Server If an IP Address has been allocated to the TW100 BRV304 by the ISP s DHCP Server...

Page 44: ...features are provided Advanced Internet Communication Applications Special Applications DMZ URL filter Dynamic DNS Virtual Servers Options Advanced Internet Screen Figure 27 Internet Screen This scre...

Page 45: ...n on the advanced menu For each application listed above you can choose a destination PC There is no need to Save after each change you can set the destination PC for each application then click Save...

Page 46: ...data you receive Outgoing Ports Type Select the protocol TCP or UDP used when you send data to the remote system or service Start Enter the beginning of the range of port numbers used by the applicat...

Page 47: ...as the DMZ PC The DMZ feature can be Enabled and Disabled on the Advanced Internet screen The DMZ PC is effectively outside the Firewall making it more vulnerable to attacks For this reason you shou...

Page 48: ...ill be empty Add Filter String To add an entry to the list enter it here and click the Add button An entry may be a Domain name e g www trash com or simply a string e g ads Any URL which contains ANY...

Page 49: ...ired Domain name 3 Enter your data from www dyndns org in the TW100 BRV304 s DDNS screen 4 The TW100 BRV304 will then automatically ensure that your current IP Address is recorded at http www dyndns o...

Page 50: ...g The name should consist only of letters and the hyphen dash Using any other characters may cause problems DDNS Status This message is returned by the DDNS Server at www dyndns org Normally this mess...

Page 51: ...nternet users to connect to your servers as illustrated below Figure 31 Virtual Servers IP Address seen by Internet Users Note that in this illustration both Internet users are connecting to the same...

Page 52: ...the standard port on the hub Virtual Servers Screen The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu An example screen is shown below Figure 32 Virtual Servers S...

Page 53: ...http 203 70 212 52 ftp 203 70 212 52 It is more convenient if you are using a Fixed IP Address from your ISP rather than Dynamic However you can use the Dynamic DNS feature described in the following...

Page 54: ...advised to do so by Technical Support Enter a value between 1 and 1500 This device will still auto negotiate with the remote server to set the MTU size The smaller of the 2 values auto negotiated or...

Page 55: ...urity Options Scheduling Services Admin Login The Admin Login screen allows you to assign a user name and password to the TW100 BRV304 Figure 34 Admin Login Screen 1 The default login name is admin Ch...

Page 56: ...Security Configuration 53 Figure 35 Password Dialog Enter the User Name and Password you set on the Admin Login screen above...

Page 57: ...group 2 Set the desired restrictions on the other groups Group 1 Group 2 Group 3 and Group 4 as needed 3 Assign PC to the groups as required Restrictions are imposed by blocking Services or types of...

Page 58: ...a group Block by Schedule If Internet access is being blocked you can choose to apply the blocking only during scheduled times If access is not blocked no Scheduling is possible and this setting has...

Page 59: ...fault group Access Control Log To check the operation of the Access Control feature an Access Control Log is provided Click the View Log button on the Access Control screen to view this log This log s...

Page 60: ...anced administrators only Firewall Rules Screen Click the Firewall Rules option on the Security menu to see a screen like the following example This example contains two 2 rules for outgoing traffic...

Page 61: ...section for more details Edit To Edit or modify an existing rule select it and click the Edit button Move There are 2 ways to change the order of rules Use the up and down indicators on the right to...

Page 62: ...ewall Rules screen will display a screen like the example below Figure 39 Define Firewall Rule Data Define Firewall Rule Screen Name Enter a suitable name for this rule Type This determines the source...

Page 63: ...Select the desired option Any All traffic from the source port is covered by this rule Single address Enter the required IP address in the Start IP address field You can ignore the Subnet Mask field...

Page 64: ...t to a Syslog Server Figure 40 Logs Screen Data Logs Screen Enable Logs DoS Attacks If enabled this log will show details of DoS Denial of Service attacks which have been blocked by the built in Firew...

Page 65: ...the Send setting Send Select the desired option for sending the log by E mail When log is full The time is not fixed The log will be sent when the log is full which will depend on the volume of traf f...

Page 66: ...u can not use it the service is unavailable This device uses Stateful Inspection technology This system can detect situations where individual TCP IP packets are valid but collectively they become a D...

Page 67: ...re allowed If not checked IPSec connections are blocked Allow PPTP PPTP Point to Point Tunneling Protocol is widely used by VPN Virtual Private Networking programs If checked PPTP connections are allo...

Page 68: ...the time for a particular day is blank no action will be performed Define Schedule Screen This screen is accessed by the Scheduling link on the Security menu Figure 42 Define Schedule Screen Data Def...

Page 69: ...te any Service you have added Pre defined Services can not be deleted Add New Service Name Enter a descriptive name to identify this service Type Select the protocol TCP UDP ICMP used to the remote sy...

Page 70: ...ns Delete Delete the selected service from the list Add Add a new entry to the Service list using the data shown in the Add New Service area on screen Cancel Clear the Add New Service area ready for e...

Page 71: ...SAs one in each direction If IKE Internet Key Exchange is used to generate and exchange keys there are also SA s for the IKE connection as well as the IPsec connection There are two security modes po...

Page 72: ...and the first matching policy will be used VPN Configuration The general rule is that each endpoint must have matching Policies as follows Remote VPN address Each VPN endpoint must be configured to in...

Page 73: ...eway requires no VPN configuration since it is not acting as a VPN endpoint Client PC to VPN Gateway Figure 45 Client PC to VPN Server In this situation the PC must run appropriate VPN client software...

Page 74: ...t gain secure access to the remote LAN The 2 LANs MUST use different IP address ranges The VPN Policies at each end determine when a VPN tunnel will be established and what systems on the remote LAN c...

Page 75: ...or particular traffic In that case the first matching policy for the traffic under consideration will be used Data VPN Policies Screen VPN List Policy Name The name of the policy When creating a polic...

Page 76: ...click the Copy button Remember that the new policy must have a different name and there can only be one active enabled policy for each remote VPN endpoint Delete To delete an existing policy select it...

Page 77: ...e enabled at any time Remote VPN Endpoint The Internet IP address of the remote VPN endpoint Gateway or client Dynamic Select this if the Internet IP address is unknown In this case only incoming conn...

Page 78: ...t would not be forwarded to the Gateway Local IP addresses Type Any no additional data is required Any IP address is acceptable For outgoing connections this allows any PC on the LAN to use the VPN t...

Page 79: ...ess in the Finish IP address field Subnet address enter the desired IP address in the Start IP address field and the network mask in the Subnet Mask field The remote VPN should have these IP addresse...

Page 80: ...ble both Encryption and Authentication The 3DES algorithm provides greater security than DES but is slower The in key here must match the out key on the remote VPN and the out key here must match the...

Page 81: ...ocal Identity on the remote VPN IP address is the more common method Authentication RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA Certification Authority For Pr...

Page 82: ...should match the remote endpoint Click Next to see the following IKE Phase 2 screen Figure 53 VPN Wizard IKE Phase 2 IKE Phase 2 IPsec SA IPsec SA Life Time This setting does not have to match the rem...

Page 83: ...ensure the remote VPN endpoint uses the same method The 3DES algorithm provides greater security than DES but is slower ESP Authentication Generally you should enable ESP Authentication There is littl...

Page 84: ...ndpoint 205 17 11 43 202 11 13 211 Other endpoint s WAN Internet IP address Local IP addresses Any Any Use a more restrictive definition if possible Remote IP addresses 192 168 1 1 to 192 168 1 254 19...

Page 85: ...it Group 1 768 bit Must match IKE SA Life time 28800 28800 Does not have to match Shorter period will be used IKE PFS Disable Disable Must match IPSec SA Parameters IPSec SA Life time 28800 28800 Does...

Page 86: ...Subnet address 192 168 0 0 255 255 255 0 Allows access to entire LAN Use a more restrictive definition if possible Remote IP addresses 172 16 9 10 For a single client this address is the same as the...

Page 87: ...tication Enable MD5 Must match client PC ESP encryption Enable DES Must match client PC Windows Client Configuration 1 Select Start Programs Administrative Tools Local Security Policy 2 Right click IP...

Page 88: ...in use Two 2 rules are required incoming and outgoing The outgoing rule will be added first 6 Deselect the Use Add Wizard checkbox then click Add to view the screen below Figure 58 IP Filter List 7 T...

Page 89: ...address is My IP address and the Destination IP address is the address range used on the remote LAN Ensure the Mirrored option is checked 9 Click OK to save your settings and close this dialog Figure...

Page 90: ...Properties Filter Action 11 Select Require Security then click the Edit button to view the Require Security Properties screen Figure 62 Require Security Properties 12 Select Negotiate security this s...

Page 91: ...ity Properties screen Figure 64 Require Security Properties 14 Ensure the following settings are correct then click OK to return to the Filter Action tab of the Edit Rule Properties screen VPN Setting...

Page 92: ...then click the Edit to see the screen like the example below Figure 66 Authentication Method 17 Select Use this string to protect the key exchange preshared key then enter your pre shared key in the...

Page 93: ...r To Win2K then click Add Figure 68 Windows 2000 XP Client to Broadband VPN Gateway 21 Enter the Source IP address and the Destination IP address as shown below Since this is the incoming filter the S...

Page 94: ...VPN 91 Figure 69 Filter Properties Addressing 22 Click OK to save your changes then Close Figure 70 Filter List 23 Ensure the To Win2K filter is selected then click the Filter Action tab...

Page 95: ...r Action 24 Select Require Security then click Edit On the Require Security Methods screen below select Negotiate security Figure 72 Security Methods 25 Click the Add button On the resulting Modify Se...

Page 96: ...click OK again to return to the Filter Action screen 27 Select the Tunnel Setting tab and enter the WAN Internet IP address of this PC 172 16 9 10 in this example Figure 74 Tunnel Setting 28 Select th...

Page 97: ...ct the key exchange preshared key then enter your pre shared key in the field provided 30 Click OK to save your settings then Close to return to the DUT to Win2K Properties screen There should now be...

Page 98: ...VPN 95 Figure 77 Properties General Tab 32 Click the Advanced button to see the screen below Figure 78 Key Exchange Settings 33 Click the Methods button to see the screen below...

Page 99: ...s 35 Select SHA1 for Integrity Algorithm 3DES for Encryption algorithm and Low 1 for the Diffie Hellman Group 36 Click OK to save then OK again and then Close to return to the Local Security Settings...

Page 100: ...82 TW100 BRV304 to Windows 2000 Server TW100 BRV304 Configuration This is the same as for the client setup earlier with the exception of the IP address range for the remote endpoint Setting Single Cli...

Page 101: ...for both IP Filters the Filter Properties Addressing should be completed as follows Figure 83 Windows 2000 Server Addressing The Source Address should be set to A specific IP Subnet and the IP address...

Page 102: ...suer Name The CA Certification Authority which issued the Certificate Expiry Time The date on which the Certificate expires You should renew the Certificate before it expires Delete button Use this bu...

Page 103: ...ad the certificate file to the TW100 BRV304 6 Click Back to return to the Trusted Certificate list The new Certificate will appear in the list Adding a Self Certificate This process is different to ob...

Page 104: ...data displayed in the Certificate Details section is correct This data is used to generate the Certificate request If the data is not correct click the Back button and correct the previous screen 5 I...

Page 105: ...e only necessary if using Certificates CRL Certificate Revocation List files show Certificates which have been revoked and are no longer valid Each CA issues their own CRLs It is VERY IMPORTANT to kee...

Page 106: ...e the CRL file on your PC Select the file The name will appear in the File to Upload field Click Upload to upload the CRL file to the TW100 BRV304 Click Back to return to the CRL list The new CRL will...

Page 107: ...r This file contains all the configuration data PC Database This is the list of PCs shown when you select the DMZ PC Virtual Server or Internet Application This database is maintained automatically b...

Page 108: ...below Figure 91 Config Screen Data Config File Screen Backup Config Use this to download a copy of the current configuration and store the file on your PC Click Download to start the download Restore...

Page 109: ...ents are automatically added to the database and updated as required By default non Server versions of Windows act as DHCP Clients this setting is called Obtain an IP Address automatically The TW100 B...

Page 110: ...connected or not powered On you will not be able to add it Buttons Add This will add the new PC to the list The PC will be sent a ping to determine its hardware address If the PC is not available not...

Page 111: ...control than the standard PC Database screen Figure 93 PC Database Admin Data PC Database Admin Screen Known PCs This lists all current entries Data displayed is name IP Address type The type indicate...

Page 112: ...his to have the TW100 BRV304 contact the PC and find its MAC address This is only possible if the PC is connected to the LAN and powered On MAC is Enter the MAC address on the PC The MAC address is al...

Page 113: ...will prevent the use of a Web Virtual Server on your LAN See Advanced Internet Virtual Servers Current IP Address You must use this IP Address to connect see below This IP Address is allocated by you...

Page 114: ...BRV304 and ensure the following Windows 2000 settings are correct Open Routing and Remote Access In the console tree select Routing and Remote Access server name IP Routing RIP In the Details pane rig...

Page 115: ...o the selected entry Properties Destination Network The network address of the remote LAN segment For standard class C LANs the network address is the first 3 fields of the Destination IP Address The...

Page 116: ...to use the TW100 BRV304 as the Default Route or Default Gateway Local Router The local router is the Router installed on the same LAN segment as the TW100 BRV304 This router requires that the Default...

Page 117: ...ndard Class C Gateway IP Address 192 168 0 100 TW100 BRV304 s local Router Metric 2 Entry 2 Segment 2 Destination IP Address 192 168 2 0 Network Mask 255 255 255 0 Standard Class C Gateway IP Address...

Page 118: ...Figure 97 Upgrade Firmware Screen To perform the Firmware Upgrade 1 Click the Browse button and navigate to the location of the upgrade file 2 Select the upgrade file It s name will appear in the Upg...

Page 119: ...sers can change the configuration If Disabled UPnP users can only view the configuration But currently this restriction only applies to users running Windows XP who access the Properties via UPnP e g...

Page 120: ...68 0 254 and thus compatible with the TW100 BRV304 s default IP Address of 192 168 0 1 Also the Network Mask should be set to 255 255 255 0 to match the TW100 BRV304 In Windows you can check these se...

Page 121: ...rent Use the Special Applications feature to allow the use of Internet applications which do not function correctly If this does solve the problem you can use the DMZ function This should work with al...

Page 122: ...ructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interf...

Page 123: ...15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interferenc...
