UTT HiPER 840G Advanced Configuration Manual Download Page 151

Page: 151 / 212

UTT Technologies

Chapter 10 VPN

http://www.uttglobal.com

Page
18418418

an initiator or a responder. However, for a dynamic-to-static or static-to-dynamic IPSec

tunnel with IKE aggressive mode, the IPSec endpoint with a static IP address cannot

initiate IKE negotiation because it doesn’t know where to send request; therefore, it will

only act as a responder, and the IPSec endpoint with a dynamic IP address will only act as

an initiator.

On the UTT VPN gateway, IPSec tunnel implementation is based on security virtual

interface, which is quite different from the PPTP virtual interface. The following describes

the main differences between them.

1. Drive Mechanism

The PPTP virtual interface is driven by the routing table; and you cannot create different

PPTP virtual interfaces based on service type. But the IPSec virtual interface is driven by

the Security Policy Database (SPD); and you can create different virtual interfaces based

on service type. For example, the UTT VPN gateway will forward the packets destined for

the same destination network (such as a corporate network) through the same route;

however, the UTT VPN gateway can be configured to encrypt some of them (such as

email packets) by IPSec, but not encrypt others (such as http packets).

In the Web UI, you can go to the

VPN > IPSec > IPSec Settings

page to click the

Advanced Options

hyperlink, and then configure the filter parameters including

Protocol

and

Port

to define the packets that

are protected by IPSec (section6.1.2.1 and 6.1.2.2).

2. Creation Method

Once the PPTP tunnel parameters have been configured properly, the system will

automatically create a virtual interface for the new tunnel to transmit data, and add two

routes pointing to the virtual interface into the routing table (refer to section 2.2.2 and 3.2.2

for more information).

However, once the IPSec tunnel parameters have been configured properly, the system

will automatically add the new security policy in the Security Policy Database (SPD).

When the system receives an outbound packet, it will compare the packet against the

SPD to find the first matching entry. If the first matching entry requires IPSec processing,

the system will encrypt and/or authenticate the packet, and then sends it out. When the

system receives an inbound packet, it will check the packet to see whether it contains an

IPSec header; if not, the packet will be forwarded directly. Else, the UTT VPN gateway will

authenticate and/or decrypt the packet, and then forward the resulting packet (i.e., initial

packet) to its intend destination.

In the CLI, you can use the

show crypt ipsec sp

command to check if the security policy is created. As

shown in

Figure 11-14 Viewing IPSec Security Policy

, “found 1 items in eroute table” means

that

there

one

security

policy

entry

the

SPD

now.

Summary of Contents for HiPER 840G

Page 1: ...HiPER 840G Gigabit Router Advanced Configuration Guide V1 0 UTT Technologies Co Ltd http www uttglobal com...

Page 2: ...cording or otherwise or used for any commercial and profit purposes without the express prior written permission of UTT Technologies Co Ltd UTT Technologies Co Ltd has the patents patent applications...

Page 3: ...ter 1 Product Overview 9 1 1 Product Brief 9 1 2 Key Features 9 1 3 Physical Specification 10 Chapter 2 Hardware Installation 11 2 1 Physical Characteristics 11 2 1 1 Front Panel 11 2 1 2 Rear Panel 1...

Page 4: ...5 How to Configure Connection Detection Settings 47 5 3 LAN Settings 48 5 4 DHCP Server 49 5 4 1 DHCP Server Settings 49 5 4 2 Static DHCP 51 5 4 3 DHCP Client List 53 5 4 4 Configuration Example for...

Page 5: ...ment 100 7 2 1 Group Management Policy List 100 7 2 2 Group Management Policy Settings 101 7 2 3 Execution Order of Group Management Policies 103 7 2 4 Priorities of Global and Group Management Polici...

Page 6: ...1 Backup Configuration 138 10 3 2 Restore Configuration 138 10 3 3 Reset to Factory Defaults 139 10 4 Firmware Upgrade 140 10 5 Remote Access 142 10 6 Scheduled Task 143 10 6 1 Scheduled Task Setting...

Page 7: ...UTT Technologies Table of Contents http www uttglobal com Page 5 www argo contar com Appendix F Table Index 169...

Page 8: ...andard which is as follows Radio Button It allows you to choose only one of a predefined set of options Check Box It allows you to choose one or more options Button It allows you to click to perform a...

Page 9: ...bold font means the menu path to open a page For example Network DHCP Server means that in the Web UI click the first level menu item Network firstly and then click the second level menu item DHCP Ser...

Page 10: ...Features The Web UI contains two kinds of lists editable list and read only list An editable list is used to add display modify and delete the configuration entries A read only list is used to displa...

Page 11: ...ed clear the text box and then press Enter key Note that the matching rule is substring matching that is it will search for and display those entries that contain the specified text string Configured...

Page 12: ...use the administrator account to login to the Gigabit Router s Web UI Note Both the User Name and Password are case sensitive Administrator Password admin LAN IP Address 192 168 1 1 They are the IP a...

Page 13: ...ter 5 Network This chapter describes how to configure the basic network parameters of the Gigabit Router including WAN How to configure Internet connections and view their configuration and status Loa...

Page 14: ...to the LAN users based on schedule and to prevent external attacks Domain Filtering How to configure domain filtering feature to block access to the specified websites Attack Prevention How to configu...

Page 15: ...Technologies service system and enjoy the most intimate and professional services Appendix This guide provides six appendixes including Appendix A How to Configure Your PC How to configure TCP IP set...

Page 16: ...ations e g Bit Comet Bit Spirit and Thunder Search control the maximum upload and download rate limiting The HiPER 840G supports flexible firewall features like access control and domain filtering to...

Page 17: ...Supports IP packet filtering based on IP address protocol and TCP UDP port Supports URL and keyword filtering Supports DNS request filtering Supports HTTP remote management Provides the Web User Inter...

Page 18: ...2 1 describes these LEDs The front panel also offers a Reset button a USB port and 5 ports Table 2 2 describes these ports Figure 2 1 Front Panel of the Gigabit Router 1 LEDs LED Full Name State Desc...

Page 19: ...esponding port is sending or receiving data Off No link is established on the corresponding port Table 2 1 Description of LEDs on the Front Panel 2 Reset Button If you forget the administrator passwor...

Page 20: ...used to connect the Gigabit Router to the Internet Table 2 2 Description of Ports on the Rear Panel 2 1 2 Rear Panel As shown in Figure 2 2 the rear panel of the Gigabit Router contains a POWER conne...

Page 21: ...necting the Gigabit Router to the Internet Connect the network cable provided by the manufacturer from the DSL cable or fiber optic modem to a WAN port of the Gigabit Router or insert your 3G USB mode...

Page 22: ...steps Step 1 Connect the computer to a LAN port of the Gigabit Router Step 2 Install TCP IP protocol on your computer If it has been installed please ignore it Step 3 Configure TCP IP settings on your...

Page 23: ...ter and the Gigabit Router connected properly Verify that the LED corresponding to the Gigabit Router s LAN port and the LED on your computer s adapter are lit 2 Is the TCP IP configuration for your P...

Page 24: ...t Router do the following Open a Web browser enter the Gigabit Router s LAN interface IP address the default is 192 168 1 1 in the address bar and then press Enter key see Figure 3 1 Figure 3 1 Enteri...

Page 25: ...the forum homepage of the UTT website to participate in product discussions Feedback Click to link to send us your feedback by E mail 2 Main Pane It is the location where you can configure each featu...

Page 26: ...utomatically Launch the Wizard Again If you select this check box the system don t automatically launch the Setup Wizard the next time you login to the Gigabit Router instead directly open the Welcome...

Page 27: ...each Internet connection respectively For each Internet access mode the Internet connection settings are different For the WAN1 Internet connection there are three connection types PPPoE Static IP an...

Page 28: ...ver It specifies the IP address of your ISP s primary DNS server Secondary DNS Server It specifies the IP address of your ISP s secondary DNS server If it is available you may set it Else please leave...

Page 29: ...address subnet mask and gateway and DNS server addresses from your ISP s DHCP server Back Click to go back to the previous page of the Setup Wizard Cancel Click to revert to the last saved settings E...

Page 30: ...Name and Password They specify the PPPoE login user name and password provided by your ISP Please ask your ISP if you have any questions Back Click to go back to the previous page of the Setup Wizard...

Page 31: ...outer to operate properly view system status view interface traffic statistics and restart the Gigabit Router 4 1 Setup Wizard The Start Setup Wizard can help you configure the basic parameters for th...

Page 32: ...lude connection type status IP address subnet mask MAC address default gateway and DNS server addresses and up time LAN It displays the basic configuration of the LAN inteface which include IP address...

Page 33: ...y and DNS server addresses and up time APClient It displays the current status and basic configuration of the APClient Internet connection which are the same as those of the 3G Internection connection...

Page 34: ...gabit Router s interfaces LAN WAN1 3G and APClient have been configured Note If the SVG Viewer plug in isn t installed on your web browser the port traffic chart cannot be displayed properly Please cl...

Page 35: ...rse Click to toggle the colors of the two lines or filled areas LAN WAN1 APClient and 3G You can select an interface name at the top to view the traffic chart for that interface View Traffic Statistic...

Page 36: ...Gigabit Router Restart Click to restart the Gigabit Router If you click the Restart button the system will pop up a prompt dialog box see Figure 4 6 Then you can click OK to restart the Gigabit Route...

Page 37: ...section describes the Network WAN page If you have configured one or more Internet connections in the Start Quick Wizard you can view their configuration and status in this page and modify or delete...

Page 38: ...he connection There are four cases 1 PPPoE Connection Status For the PPPoE connection there are two kinds of status see Table 5 1 When it is connected it will also display the elapsed time days hours...

Page 39: ...dress and the connection is established successfully Table 5 3 Description of DHCP Connection Status 4 3G Connection Status For the 3G connection there are two kinds of status see Table 5 4 When it is...

Page 40: ...ck its Interface hyperlink or icon the related information will be displayed in the setup fields Then modify it and click the Save button Delete an Internet Connection To delete an Internet connection...

Page 41: ...gure 5 4 Internet Connection List DHCP Connection Renew Click to re obtain an IP address from the ISP s DHCP server The Gigabit Router will automatically release the assigned IP address firstly and th...

Page 42: ...fic destined for one ISP s servers will be forwarded through this ISP s connection 2 If you want to configure and use an APClient Internet connection please choose APClient Mode as the Operation Mode...

Page 43: ...subnet mask default gateway and DNS server addresses which are provided by your ISP ISP Policy It specifies the route policy database used for the Interent connection Update Policy Click to update th...

Page 44: ...to the last saved settings 5 1 2 1 3 PPPoE Internet Connection Settings Figure 5 8 PPPoE Internet Connection Settings Interface It specifies the name of the WAN interface Here please select WAN1 or A...

Page 45: ...hen it listens for packets destined for the Internet please select this option Dial Mode It specifies the dial mode of the PPPoE Internet connection The default value is Normal mode If the PPPoE conne...

Page 46: ...etailed information Save Click to save your changes Cancel Click to revert to the last saved settings Note It is strongly recommended that you configure only the 3G USB Modem and ISP of the 3G Interne...

Page 47: ...r the MAC address with your ISP To configure MAC address clone go to the Network WAN page and then select the MAC Address Clone tab to go to the setup page shown in Figure 5 10 MAC Address CloneFigure...

Page 48: ...tor an Internet connection by sending detection packets to the specified target IP address Detection Interval It indicates the time interval at which the Gigabit Router periodically sends detection pa...

Page 49: ...ey will use other normal Internet connections to access the Internet Note If you don t want to monitor an Internet connection please leave its Detection Interval at the default value of 0 5 2 1 2 Load...

Page 50: ...ll automatically switch back to the primary connection Note During connections switching some user applications such as some online games may be interrupted unexpectedly due to the nature of TCP conne...

Page 51: ...imary list box is a primary connection Backup It specifies the backup connection group An Internet connection in the Backup list box is a backup connection Select one or more Internet connections in t...

Page 52: ...oad Balancing List When you have configured load balancing global settings and connection detection settings you can view the related configuration and status in the Load Balancing List Refresh Load B...

Page 53: ...evice The Gigabit Router will monitor the Internet connection by sending the detection packets to the detection target IP address Bandwidth It specifies the Internet connection s bandwidth which is pr...

Page 54: ...ncing List page Step 2 Click an Internet connection s Interface hyperlink or icon to go the Connection Detection Settings page Step 3 Configure detection related parameters Detection Target IP Detecti...

Page 55: ...P Address It specifies the IP address of the LAN interface Subnet Mask It specifies the subnet mask that defines the range of the LAN MAC Address It specifies the MAC address of the LAN interface In m...

Page 56: ...igure 5 17 DHCP Server Settings Enable DHCP Server It allows you to enable or disable DHCP server If you want to enable DHCP server on the Gigabit Router please select this check box Start IP Address...

Page 57: ...stens for incoming DNS requests on the LAN interface relays the DNS requests to the current public DNS servers and replies as a DNS resolver to the requesting local computers ISP DNS Server 1 and ISP...

Page 58: ...tain the same IP address from the DHCP server More specifically each time the specified computer boots and requests its IP address from the Gigabit Router s DHCP server the DHCP server will recognize...

Page 59: ...e button View Static DHCP Entry s When you have configured one or more static DHCP entries you can view them in the Static DHCP List Modify a Static DHCP Entry To modify a configured static DHCP entry...

Page 60: ...you can view the static DHCP entry in the Static DHCP List Step 4 To add another static DHCP entry please repeat the above steps Note If you want to delete static DHCP entry s please follow the ways d...

Page 61: ...global com Page 5454 Refresh Click to view the latest information in the list Note The DHCP Client List only displays the DHCP clients with dynamically assigned IP addresses It doesn t display the DHC...

Page 62: ...ses is 100 Besides there are two computers that must always have the same IP address one s MAC address is 00 21 85 9B 45 46 and IP address is 192 168 1 15 the other s MAC address is 00 1f 3c 0f 07 f4...

Page 63: ...on to go to the Static DHCP Settings page see Figure 5 22 enter Server1 in the User Name text box 192 168 1 15 in the IP Address text box and 0021859B4546 in the MAC Address text box and then click th...

Page 64: ...the MAC Address text box and then click the Save button Figure 5 23 Adding the Static DHCP Entry 2 Example Now you have configured the two static DHCP entries You can view them in the Static DHCP Lis...

Page 65: ...suspend or terminate your use of some or all network services at any time for any reason The DDNS service providers supported by UTT Technologies Co Ltd currently provide free DDNS services but they m...

Page 66: ...rg and it allows you to use test 3322 org to access the Gigabit Router IP Address It specifies the IP address mapped to the registered domain name of the Gigabit Router Register Click to register the...

Page 67: ...ttp www 3322 org to go to this website to register a DDNS account for the Gigabit Router Host Name It specifies the host name of the Gigabit Router It must be identical to the host name that you enter...

Page 68: ...com cn ddns to go to this website to register a DDNS account for the Gigabit Router Registration Number It specifies the registration number of the Gigabit Router Host Name It specifies the host name...

Page 69: ...example ping avery12345 3322 org If the displayed page is similar to the screenshot below the domain name is resolved to an IP address successfully 58 246 187 126 in this example DDNS is updated succe...

Page 70: ...allows any local UPnP enabled device to perform a variety of actions including retrieving the public IP address enumerating existing port mappings and adding or removing port mappings By adding a port...

Page 71: ...rnal Port It displays the service port provided by the local computer Protocol It displays the transport protocol used by the service Remote IP It displays the IP address of the remote computer Extern...

Page 72: ...r a small group of IP addresses On the Internet there is only a single network device using a single or a small group of public IP addresses but the local computers can use any range of private IP add...

Page 73: ...ernal IP addresses and a single external IP addresses that is these multiple internal IP addresses will be translated to the same external IP address In this type of NAT to avoid ambiguity in the hand...

Page 74: ...ch as online game or video conferencing When receiving the requests initiated from outside users the Gigabit Router will directly forward these requests to the specified DMZ host Note When a local com...

Page 75: ...entry click its Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete Port Forwarding Entry s There are three ways to delet...

Page 76: ...are opened for outside users to access Internal IP Address It specifies the IP address of the local computer that provides the service Start Internal Port It specifies the lowest port number of the s...

Page 77: ...ses a range of consecutive ports you need to specify the Port Count Step 6 Select an interface from the Bind to drop down list as required The port forwarding entry will use the selected interface s I...

Page 78: ...gure 6 4 NAT Rule List Add a NAT Rule To add a new NAT rule first click the Add button to go to the NAT Rule Settings page next configure it lastly click the Save button View NAT Rule s When you have...

Page 79: ...e following sections describe the settings of the EasyIP NAT rule and One2One NAT rule respectively see Figure 6 5 and Figure 6 6 6 1 3 2 1 NAT Rule Settings EasyIP Figure 6 5 NAT Rule Settings EasyIP...

Page 80: ...l IP They specify the internal IP address range of the NAT rule Bind to It specifies the interface to which the NAT rule is bound Save Click to save your changes Cancel Click to revert to the last sav...

Page 81: ...IP and End Internal IP as required Step 5 Select an interface from the Bind to drop down list as required Step 6 Click the Save button to save the settings You can view the NAT rule in the NAT Rule L...

Page 82: ...lowing figure Figure 6 7 EasyIP NAT Rule Settings Example Step 2 Enter Example1 in the Name text box Step 3 Select EasyIP from the NAT Type drop down list Step 4 Enter 218 1 21 3 in the External IP te...

Page 83: ...168 1 0 24 The four local servers IP addresses are from 192 168 1 200 24 to 192 168 1 203 24 2 Analysis Firstly we need to configure a static IP Internet connection on the WAN1 interface in the Netwo...

Page 84: ...y Step 5 Select WAN1 from the Bind to drop down list Step 6 Click the Save button to save the settings Till now you have finished configuring the NAT rule and you can view it in the NAT Rule List 6 1...

Page 85: ...er 7 Advanced http www uttglobal com Page 78 Note When a local computer is designated as the DMZ host it loses firewall protection provided by the Gigabit Router The DMZ host can be accessed through a...

Page 86: ...The computer s IP address can easily be changed to a trusted address but MAC address cannot easily be changed as it is added to the Ethernet card at the factory 6 2 1 2 The Operation Principle of IP...

Page 87: ...ately to prevent IP spoofing 3 If the sender is an undefined user there are two cases 1 If the Allow Undefined LAN PCs check box is checked the packet will be allowed to pass and then be further proce...

Page 88: ...ated information will be displayed in the setup page shown in Figure 6 12 Then modify it and click the Save button Figure 6 12 Modifying an IP MAC Binding The Allow check box is used to allow or block...

Page 89: ...you will be prompted that the operation is not permitted see the following figure Figure 6 13 IP MAC Binding Error Message 6 2 4 IP MAC Binding Settings Figure 6 14 IP MAC Binding Settings Subnet It s...

Page 90: ...1 You can use the ipconfig all command at the command prompt to find a Windows based computer s IP address and MAC address 2 For an IP MAC address pair entry entered manually there can be one or more...

Page 91: ...er function modules 6 2 6 Internet Whitelist and Blacklist 6 2 6 1 Introduction to Internet Whitelist and Blacklist Based on IP MAC Binding By utilizing IP MAC binding feature you can flexibly configu...

Page 92: ...mation Step 3 Clear the Allow Undefined LAN PCs check box to block all the undefined users from accessing the Gigabit Router and Internet For example if you want to allow a local computer with IP addr...

Page 93: ...ers to access the Gigabit Router and Internet For example if you want to block a local computer with IP address 192 168 1 3 from accessing the Gigabit Router and Internet you can add an IP MAC binding...

Page 94: ...ol provide a secure network environment The disadvantage of using static routes is that they cannot dynamically adapt to the current operational state of the network When there is a change in the netw...

Page 95: ...allows you to enable or disable the static route The default value is checked which means the static route is in effect If you want to disable the static route temporarily instead of deleting it pleas...

Page 96: ...ced Static Route page and click the Add button to go to the setup page Step 2 Specify the Name for the static route and leave the Enable check box checked Step 3 Specify the Destination IP Subnet Mask...

Page 97: ...ced http www uttglobal com Page 90 Static Route List Step 7 To add another new static route please repeat the above steps Note If you want to delete static route s please follow the ways described in...

Page 98: ...ol for encapsulating PPP frames in Ethernet frames to provide point to point connection over an Ethernet network 6 4 1 1 PPPoE Stages As specified in RFC 2516 the PPPoE has two distinct stages a disco...

Page 99: ...ique PPPoE session ID and respond to the client with a PADS packet The PADS packet must contain a service name which indicates the service provided to the client When the discovery stage completes suc...

Page 100: ...that is available to a PPPoE client Secondary DNS Server It specifies the IP address of the secondary DNS server that is available to a PPPoE client PPP Authentication It specifies the PPP authentica...

Page 101: ...User Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete PPPoE Account s There are three ways to delete PPPoE account s...

Page 102: ...IP Address It specifies a static IP address that is assigned to the user who uses the current PPPoE account It must be a valid IP address within the range of IP addresses assigned by the PPPoE server...

Page 103: ...displays the PPPoE dial in user s IP address assigned by the PPPoE server MAC Address It displays the PPPoE dial in user s MAC address Online Time It displays the elapsed time since the PPPoE session...

Page 104: ...easily control and manage the Internet behaviors of the LAN users based on schedule which include allow or block the LAN users from using popular IM e g QQ MSN and P2P applications e g Bit Comet Bit S...

Page 105: ...en select any single day Monday Tuesday Wednesday Thursday Friday Saturday or Sunday or combinations of days as desired Time It specifies a range of hours and minutes during which the schedule is in e...

Page 106: ...to 17 00 The configuration steps are the following Step 1 Go to the User Global Management page Step 2 Select the Block MSN and Block BT check boxes Step 3 Define business hours clear the Everyday che...

Page 107: ...based on schedule For convenience a group can also contain a single user A group management policy is used to control the Internet behaviors of the users in the group which include allow or block thes...

Page 108: ...y To modify a configured group management policy click its Group Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete Grou...

Page 109: ...Max Tx Rate and Max Rx Rate Enter a value in the associated text box If you don t want to limit Max Tx Rate Max Rx Rate please leave the default value of 0 Select an option from the associated drop do...

Page 110: ...al computer the Gigabit Router will first check it against the access rules next the group management policies lastly the global management policy The first rule or policy that matches the packet is a...

Page 111: ...ments Group management policy 1 It allows the CEO to access all Internet services Group management policy 2 It blocks the Administration Department s employees from using QQ and MSN Group management p...

Page 112: ...to go to the Group Management Settings page to create the policy 2 The detailed settings are shown in Figure 7 8 Figure 7 8 Group Management Policy Example Policy 2 Step 4 Click the Add button to go...

Page 113: ...ttp www uttglobal com Page 10610610 Figure 7 9 Group Management Policy Example Policy 3 Step 5 After you have configured the three policies you can view them in the Group Management List see Figure 7...

Page 114: ...UTT Technologies Chapter 8 User Management http www uttglobal com Page 10710710 Figure 7 11 Group Management List Example Continue...

Page 115: ...lock the students from accessing game websites for a family you can only allow your children to access the Internet during the specified period of time for a business you can block the Financial Depar...

Page 116: ...and schedule 2 URL Filtering The URL filtering rules are used to filter URLs based on keyword in the URL It allows you to filter any web page whose URL contains the specified keyword For example if y...

Page 117: ...first access rule that matches a packet determines whether the Gigabit Router accepts or drops the packet If the rule s Action is Allow the packet is forwarded If the rule s Action is Deny the packet...

Page 118: ...ts Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete Access Rule s There are three ways to delete access rule s 1 To de...

Page 119: ...u want to disable the rule temporarily instead of deleting it please clear the check box Source IP Range It specifies a range of source IP addresses i e a group of local computers to which the access...

Page 120: ...the list of common services and their port numbers Dest Port Start and Dest Port End They specify a range of destination ports to which the access rule applies To specify a single port enter the port...

Page 121: ...ring Here please select URL Filtering Filtering Content It specifies the URL keyword that you want to filter The access rule is used to filter any web pages whose URL contains the specified keyword Yo...

Page 122: ...clude http 2 The URL filtering rules cannot be used to control users access to other services through a web browser For example to control users access to ftp ftp utt com cn you need to configure an I...

Page 123: ...Rule List Note 1 The keyword filtering rules only support the Deny action 2 The English keyword is case sensitive 8 1 4 Configuration Examples for Access Rule 8 1 4 1 Example 1 Only Allow a Group of...

Page 124: ...8 Access Rule List Example 1 Continue Figure 8 9 Access Rule List Example 1 Continue 8 1 4 2 Example 2 Only Block a Group of Users from Accessing Certain Services In this example we want to block a g...

Page 125: ...www bbc com Access rule 2 It blocks those users from accessing www cnn com Access rule 3 It allows those users to access all Internet services Therein both rule 1 and rule 2 must have a higher priorit...

Page 126: ...ds We need to create three access rules to meet the requirements Access rule 1 It allows those users to access DNS service during business hours And it is used to ensure that the domain names can be r...

Page 127: ...e want to allow a group of users IP address range 192 168 1 10 192 168 1 120 to access web service and block them from accessing all other services The exception is that the user with IP address 192 1...

Page 128: ...Technologies Chapter 9 Firewall http www uttglobal com Page 12112112 Figure 8 16 Access Rule List Example 4 Figure 8 17 Access Rule List Example 4 Continue Figure 8 18 Access Rule List Example 4 Conti...

Page 129: ...n Filtering Global Settings Enable Domain Filtering It allows you to enable or disable domain filtering If you select the check box to enable domain filtering the domain names in the Domain Name List...

Page 130: ...them in the Domain Name List and then click the Delete button Delete All To delete all the domain names in the Domain Name List at a time directly click the Delete All button Note 1 The Gigabit Router...

Page 131: ...vely protect the Gigabit Router against popular DoS DDoS attacks Enable Blaster Prevention It is used to enable or disable blaster virus prevention If you select the check box to enable this feature i...

Page 132: ...client or server encapsulates the original user packets inside PPP frames before sending them through a PPTP tunnel over the Internet while the peer performs decapsulation firstly and then forward th...

Page 133: ...information that identifies the specific PPTP tunnel for the data packet GRE is described in RFC 1701 The use of a separate GRE mechanism for PPTP data encapsulation has an interesting side effect for...

Page 134: ...tual interface for the new tunnel to listen for user data 1 in Figure 9 2 The PPTP client s virtual interface listens for the user packets destined for the remote LAN 3 in Figure 9 2 The PPTP client i...

Page 135: ...On the Gigabit Router it allows you to choose PAP CHAP or Either as the user authentication mode for a PPTP client It also allows you to choose None which means that no authentication is performed By...

Page 136: ...MTU it will be fragmented by the original computer before transmission The following two examples describe how to calculate PPTP tunnel MTU Figure 9 3 illustrates the format of the PPTP packet to be...

Page 137: ...effect If you want to disable the entry temporarily instead of deleting it please clear the check box Tunnel Name It specifies a unique name of the PPTP tunnel It is used to identify multiple tunnels...

Page 138: ...remote network Tunnel Server IP Domain Name It specifies the IP address or domain name of the remote PPTP L2TP server In most cases you may enter the WAN IP address or domain name of the remote VPN ap...

Page 139: ...York Now the company wants the head office and branch office to securely communicate with each other over the Internet As shown in Figure 9 8 we will use PPTP to establish a VPN tunnel deploy a HiPER...

Page 140: ...elopment of network safety standards and protocols various VPN technologies have emerged IPSec VPN is one of the most widely used VPN security technologies today IPSec is a set of open standards and p...

Page 141: ...UTT Technologies Chapter 10 VPN http www uttglobal com Page 13413413 1 Manual Key Gateway to Gateway IPSec VPN...

Page 142: ...that both have dynamic IP addresses 9 5 1 1Concepts and Protocols In order for the IPSec tunnel to be established and function properly the two IPSec endpoints must agree on the SAs The IPSec SAs dete...

Page 143: ...l choose to provide all of the supported security services including data confidentiality data integrity data origin authentication and anti replay for the data which are currently the highest level o...

Page 144: ...nnel Mode the IPSec AH and or ESP header is appended to the front of the original IP header and then a new IP header is appended to the front of the IPSec header The source and destination IP addresse...

Page 145: ...e more than 20 parameters that need to be configured at each endpoint Manual key management is feasible for small VPN networks such as a network with a few VPN appliances where the distribution mainte...

Page 146: ...Associations SAs The concept of a Security Association SA is fundamental to IPSec An SA is a relationship between two IPSec endpoints that describes how the endpoints will use security services to com...

Page 147: ...ase 1 proposal By default the UTT VPN gateway provides four phase 1 proposals which include 3des md5 group2 3des sha group2 des md5 group2 des sha group2 It also allows you to specify phase 1 proposal...

Page 148: ...esponder accepts the proposed SA authenticates the initiator and sends a nonce i e random number its IKE identity and its certificates if it is being used Third message The initiator authenticates the...

Page 149: ...E Phase 2 the two IPSec endpoints also exchange security proposals to determine which security parameters to be used in the IPSec SAs A phase 2 proposal consists of one or two IPSec security protocols...

Page 150: ...lts in a false connection SAs are normal but the tunnel is disconnected where packets are tunneled to oblivion Therefore it is necessary that either endpoint can detect a dead peer as soon as possible...

Page 151: ...PSec Settings page to click the Advanced Options hyperlink and then configure the filter parameters including Protocol and Port to define the packets that are protected by IPSec section6 1 2 1 and 6 1...

Page 152: ...IPSec SAs that is an IPSec tunnel After the IPSec tunnel is established the UTT VPN gateway will do the required IPSec processing e g encryption and or authentication before sending the packet to the...

Page 153: ...c policy in the SPD 3 3 IKE phase 1 negotiation takes place started by the initiator and the IKE SA is established 4 Refer to section 4 2 1 3 for more information 4 IKE phase 2 negotiation takes place...

Page 154: ...iate IPSec SAs as required 14 Refer to section 4 2 1 4 for more information Note In Manual Key mode IKE phase 1 and phase 2 negotiations are not required because all the necessary SA parameters are de...

Page 155: ...n illustrates the format of the IPSec packet to be sent over a static IP or DHCP Internet connection and Figure 11 18 IPSec Packet Format PPPoE Internet Connection illustrates the format of the IPSec...

Page 156: ...kets IPSec NAT T is designed to solve the problems inherent in using IPSec with NAT During IKE phase 1 negotiation the two IPSec NAT T capable endpoints can automatically determine Whether both of the...

Page 157: ...m value so you cannot create a new IPSec session Figure 11 20 Viewing IPSec Sessions Limit Related System Log CLI In the Web UI you can go to the Status System Log page view the related system log As...

Page 158: ...Connection Type It specifies the role of the UTT VPN gateway in the IPSec tunnel establishment The available options are Bidirectional Originate Only and Answer Only Here please select Bidirectional...

Page 159: ...ubnet IP text box and its mask in the Subnet Mask text box if you want to define a host please enter the IP address of that host in the Subnet IP text box and 255 255 255 255 in the Subnet Mask text b...

Page 160: ...uthentication for the local UTT gateway is required that is the local UTT gateway should provide its identity information to the remote IPSec endpoint for authentication but the identity authenticatio...

Page 161: ...s a required parameter Please enter an ID value according to the selected ID Type Local 3 Answer Only Static to Dynamic IPSec VPN If the local UTT VPN gateway has a static IP address and the remote en...

Page 162: ...PN gateway to authenticate the remote IPSec device ID Value Remote It specifies the identity of the remote IPSec device In this connection type it is an optional parameter Please enter an ID value acc...

Page 163: ...UTT Technologies Chapter 10 VPN http www uttglobal com Page 19619619 Figure 11 25 IPSec Settings AutoKey IKE Advanced Options Main Mode...

Page 164: ...re them Exchange Mode It specifies the exchange mode used for IKE phase 1 negotiation The available options are Main and Aggressive If the Connection Type is Bidirectional you should choose Main mode...

Page 165: ...gateway will periodically send DPD heartbeat messages at the specified time interval set by the Heartbeat Interval to the remote IPSec device to verify its availability Heartbeat Interval It specifies...

Page 166: ...fty three 6 3 3 1 53 phase 2 proposals supported The details are as follows 1 There are five phase 2 proposals for using ESP encryption only For example the proposal esp des means ESP encryption with...

Page 167: ...2 proposals in the CLI 9 5 3 IPSec List Figure 11 27 IPSec List After you have finished configuring an IPSec entry you can view its configuration and status information in the IPSec List see Figure 1...

Page 168: ...L2TP virtual interface it will display the corresponding tunnel s ID Local Subnet It displays the Subnet IP Local you specify in the VPN IPSec IPSec Settings page Connect In the AutoKey IKE mode the...

Page 169: ...nder Answer Only Static to Dynamic IPSec VPN The local UTT VPN gateway has a static IP address while the remote endpoint another UTT VPN gateway or compatible VPN appliance has a dynamic IP address In...

Page 170: ...phase 2 proposal is esp aes256 md5 ah sha in addition the preshared key is testing and the IP addresses are as follows The UTT VPN gateway at the head office WAN Interface IP Address 200 200 202 123 2...

Page 171: ...255 0 Bind to Local WAN1 Subnet IP Local 192 168 16 1 Subnet Mask Local 255 255 255 0 Preshared Key testing P2 Encrypt Auth Algorithms 1 esp aes256 md5 ah sha 3 Viewing the IPSec tunnel status After...

Page 172: ...s the connection type In this case the local UTT VPN gateway can only act as a responder and both IPSec endpoints should use aggressive mode for phase 1 IKE negotiation Figure 11 30 Network Topology U...

Page 173: ...168 123 1 24 The UTT VPN gateway at the branch office WAN Interface IP Address Dynamic DHCP LAN Interface IP Address 192 168 16 1 24 1 Configuring the UTT VPN gateway at the head office Go to the VPN...

Page 174: ...ive 3 Viewing the IPSec tunnel status After you have configured IPSec parameters on both UTT VPN gateways the IPSec tunnel establishment can be triggered manually or by traffic On the UTT VPN gateway...

Page 175: ...eway to UTT VPN Gateway Answer Only 2 Viewing the UTT VPN gateway at the branch office The following figure shows the configuration and status of the IPSec tunnel on the UTT VPN gateway with a dynamic...

Page 176: ...gned IP address PPPoE or DHCP and the remote endpoint another UTT VPN gateway or compatible VPN appliance has a static IP address you can choose Originate Only as the connection type In this case the...

Page 177: ...administrator accounts 10 1 1 Administrator List Figure 10 1 Administrator List Add an Administrator Account To add a new administrator account first click the Add button to go to the setup page next...

Page 178: ...it 10 1 2 Administrator Settings Figure 10 2 Administrator Settings User Name It specifies a unique login name case sensitive of the administrator Password It specifies a login password case sensitiv...

Page 179: ...he Internet It is suggested that you choose SNTP to automatically synchronize time in most cases Figure 10 3 System Time Settings Current System Time It displays the Gigabit Router s current date YYYY...

Page 180: ...r 1 is the primary server the default is 192 43 244 18 and the Server 2 is the first backup server the default is 129 6 15 28 and the Server 3 is the second backup server the default is 0 0 0 0 Save C...

Page 181: ...a text file on your local computer 10 3 2 Restore Configuration Figure 10 5 Restore Configuration Reset to Factory Defaults before Restore If you select this check box it will reset the Gigabit Router...

Page 182: ...it Router Note 1 After performing the reset operation you must manually restart the Gigabit Router in order for the default settings to take effect 2 The reset operation will clear all of the Gigabit...

Page 183: ...ow these steps Step 1 Downloading the latest firmware Click the Download Firmware hyperlink to download the latest firmware from the website of UTT Technologies Co Ltd Note 1 Please select the appropr...

Page 184: ...10 8 Prompt Dialog Box Firmware Upgrade Note 1 It is strongly recommended that you upgrade the firmware when the Gigabit Router is under light load 2 If you upgrade firmware timely the Gigabit Router...

Page 185: ...er http 218 21 31 3 8081 in your browser s address bar Remote Management Port It specifies the port number that will be open to outside access The default value is 8081 Interface It specifies the inte...

Page 186: ...t specifies a unique name of the task Repeat It specifies how often the Gigabit Router will perform the task The available options are Weekly Daily Hourly Minutely Start Time It specifies the time at...

Page 187: ...led tasks you can view them in the Scheduled Task List Modify a Scheduled Task To modify a configured scheduled task click its User Name hyperlink or icon the related information will be displayed in...

Page 188: ...ess status the traffic statistics for each interface and system information including the current system time system up time system resources usage information firmware version and system log 11 1 Sys...

Page 189: ...12 Status Figure 11 2 System Status Wireless Status Wired Status Refer to Section 4 2 1 Wired Status for detailed information Note The Wired Status page and Wireless Status page only display the stat...

Page 190: ...nt and LAN You can view the traffic statistics for each interface including the number of bytes received and transmitted and the number of packets received and transmitted Clear Click to clear all tra...

Page 191: ...g System information can help you identify and diagnose the source of current system problems or help you predict potential system problems Figure 11 4 System Information Current System Time It displa...

Page 192: ...the events that occur in the system such as system startup wireless enabled and so on Refresh Click to view the latest system information Note The CPU and Memory are displayed as a status bar and perc...

Page 193: ...1 Support As shown in Figure 12 1 it allows you to click each Learn More hyperlink to directly open the corresponding page of the UTT website UTTCare Link to the support page of the UTT website to do...

Page 194: ...nfiguring TCP IP settings with DHCP The following describes the two ways respectively Method One Manually Configuring TCP IP To configure the TCP IP protocol manually follow these steps 1 On the Windo...

Page 195: ...following DNS server address option enter the primary DNS server IP address in the Preferred DNS server text box and enter the secondary DNS server IP address in the Alternate DNS server text box opt...

Page 196: ...e A 0 3 select the Obtain an IP address automatically option and Obtain DNS server address automatically option Figure A 0 3 Internet Protocol TCP IP Properties 5 Click the OK button Now you have fini...

Page 197: ...15415 c Click Install d Click Protocol and then click Add e Click Have Disk f In the Copy manufacturer s files from box type System_Drive_Letter windows inf and then click OK g In the list of availabl...

Page 198: ...or the Internet connection you can choose Always On as the Dial Type else you can choose On Demand or Manual as the Dial Type and specify the Idle Timeout to avoid wasting online time due to that you...

Page 199: ...WAN port of the Gigabit Router Step 3 Configure the Static IP Internet connection related parameters in the Start Setup Wizard or the Network WAN page Step 4 After the Static IP connection is establi...

Page 200: ...ab and then change the MAC address of the corresponding interface lastly click the Save button Step 4 After the DHCP Internet connection is established successfully you can go to the view its configur...

Page 201: ...ttings via the Web UI The operation is as follows Go to the Administration Configuration page and then click the Reset button in the Reset to Factory Defaults configuration field lastly manually resta...

Page 202: ...IP in IP Tunnel Driver TCP 6 Transmission Control Protocol EGP 8 Exterior Gateway Protocol IGP 9 Interior Gateway Protocol PUP 12 PARC Universal Packet Protocol UDP 17 User Datagram Protocol HMP 20 H...

Page 203: ...time 13 tcp daytime 13 udp qotd 17 tcp Quote of the day qotd 17 udp Quote of the day chargen 19 tcp Character generator chargen 19 udp Character generator ftp data 20 tcp FTP data ftp 21 tcp FTP contr...

Page 204: ...Protocol Version 2 pop3 110 tcp Post Office Protocol Version 3 sunrpc 111 tcp SUN Remote Procedure Call sunrpc 111 udp SUN Remote Procedure Call auth 113 tcp Identification Protocol uucp path 117 tcp...

Page 205: ...l https 443 tcp MCom https 443 udp MCom microsoft ds 445 tcp microsoft ds 445 udp kpasswd 464 tcp Kerberos v5 kpasswd 464 udp Kerberos v5 isakmp 500 udp Internet Key Exchange exec 512 tcp Remote Proce...

Page 206: ...on kerberos adm 749 udp Kerberos administration kerberos iv 750 udp Kerberos version IV kpop 1109 tcp Kerberos POP phone 1167 udp Conference calling ms sql s 1433 tcp Microsoft SQL Server ms sql s 143...

Page 207: ...logies Appendix D Common Service Ports radacct 1813 udp RADIUS accounting protocol nfsd 2049 udp NFS server knetd 2053 tcp Kerberos de multiplexor man 9535 tcp Remote Man Server http www uttglobal com...

Page 208: ...onnection Settings WEP Figure 3 13 Setup Wizard APClient Connection Settings WPA PSK WAP2 PSK Figure 3 14 Setup Wizard Wireless Settings Figure 4 1 System Status Wired Status 25 Figure 4 2 System Stat...

Page 209: ...orwarding List 68 Figure 6 2 Port Forwarding Settings 69 Figure 6 3 Port Forwarding Settings Example 71 Figure 6 4 NAT Rule List 71 Figure 6 5 NAT Rule Settings EasyIP 72 Figure 6 6 NAT Rule Settings...

Page 210: ...e 1 Continue 117 Figure 8 10 Access Rule List Example 2 118 Figure 8 11 Access Rule List Example 2 Continue 118 Figure 8 12 Access Rule List Example 2 Continue 119 Figure 8 13 Access Rule List Example...

Page 211: ...ystem Status Wireless Status 146 Figure 11 3 Traffic Statistics 147 Figure 11 4 System Information 148 Figure 12 1 Support 150 Figure A 0 1 Local Area Connection Properties 152 Figure A 0 2 Internet P...

Page 212: ...3 Factory Default Settings 5 Table 2 1 Description of LEDs on the Front Panel 12 Table 2 2 Description of Ports on the Rear Panel 13 Table 2 3 Description of Components on the Rear Panel 13 Table 5 1...

Search results

Summary of Contents for HiPER 840G

Reviews:

Related manuals for HiPER 840G

Brands by name

Popular brands

UTT HiPER 840G, Advanced Configuration Manual

Search results

Summary of Contents for HiPER 840G

Reviews:

Related manuals for HiPER 840G

Brands by name

Popular brands