manualshive.com logo in svg

Draytek VigorPro 5510 Series, User Manual

The Draytek VigorPro 5510 Series is a powerful network security appliance designed to provide robust protection to your network. Ensure smooth and secure operations by referring to our comprehensive User Manual, available for free download at manualshive.com. Discover how to maximize the potential of your product with this essential resource.

Share
Download
background image

 

 

Summary of Contents for VigorPro 5510 Series

Page 1: ......

Page 2: ...ight No part may be reproduced transmitted transcribed stored in a retrieval system or translated into any language without written permission from the copyright holders The scope of delivery and other details are subject to change without prior notice Microsoft is a registered trademark of Microsoft Corp Windows Windows 95 98 Me NT 2000 XP Vista and Explorer are trademarks of Microsoft Corp Apple...

Page 3: ...VigorPro5510 Series User s Guide iii ...

Page 4: ...hase should the product have indications of failure due to faulty workmanship and or materials we will at our discretion repair or replace the defective products or components without charge for either parts or labor to whatever extent we deem necessary tore store the product to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of e...

Page 5: ... radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one of the following measures z Reorient or relocate the receiving antenna z Incre...

Page 6: ...PoE 16 2 2 2 PPTP 18 2 2 3 Static IP 19 2 2 4 DHCP 20 2 3 Service Activation Wizard 21 2 4 Online Status 25 2 5 Saving Configuration 27 3 AdvancedWebConfiguration 29 3 1 WAN 29 3 1 1 Basics of Internet Protocol IP Network 29 3 1 2 Network Connection by 3G USB Modem 30 3 1 3 General Setup 30 3 1 4 Internet Access 33 3 1 5 Load Balance Policy 42 3 2 LAN 45 3 2 1 Basics of LAN 45 3 2 2 General Setup ...

Page 7: ...7 4 Activation for Anti Intrusion Anti Virus Anti Spam Web Filter Service 120 3 7 5 AI AV Auto Block 122 3 7 6 Signature Upgrade 124 3 7 7 Status 127 3 8 Bandwidth Management 128 3 8 1 Sessions Limit 128 3 8 2 Bandwidth Limit 129 3 8 3 Quality of Service 131 3 9 Applications 138 3 9 1 Dynamic DNS 138 3 9 2 Schedule 140 3 9 3 RADIUS LDAP 142 3 9 4 UPnP 144 3 9 5 IGMP 146 3 9 6 Wake On LAN 146 3 10 ...

Page 8: ...plication 218 3 15 4 User Account 220 3 15 5 Online User Status 222 3 16 System Maintenance 223 3 16 1 System Status 223 3 16 2 TR 069 Setting 224 3 16 3 Administrator Password 226 3 16 4 Configuration Backup 227 3 16 5 Syslog Mail Alert 228 3 16 6 Time and Date 231 3 16 7 Management 232 3 16 8 Reboot System 233 3 16 9 Firmware Upgrade 234 3 17 Diagnostics 235 3 17 1 Dial out Trigger 235 3 17 2 Ro...

Page 9: ...onnection Between Remote Office and Headquarter 273 5 2 Create a Remote Dial in User Connection Between the Teleworker and Headquarter 280 5 3 QoS Setting Example 284 5 4 LAN Created by Using NAT 287 5 5 Upgrade Firmware for Your Router 289 5 6 Request a certificate from a CA server on Windows CA Server 292 5 7 Request a CA Certificate and Set as Trusted on Windows CA Server 297 6 Trouble Shooting...

Page 10: ......

Page 11: ...ers control and management in IM Instant Messenger P2P Peer to Peer Web Content Filter and URL Content Filter more efficiency than before By the way DoS DDoS prevention and URL Web content filter strengthen the security outside and control inside 1 1 1 1 W We eb b C Co on nf fi ig gu ur ra at ti io on n B Bu ut tt to on ns s E Ex xp pl la an na at ti io on n Several main buttons appeared on the we...

Page 12: ...ilter application has been activated It is enabled from Firewall General Setup CSM Off No IM P2P Web Content Filter and or URL Content Filter application has been activated LED on Connector On The port is connected with 10Mbps Off The port is disconnected 10 left LED Blinking The data is transmitting On The port is connected with 100Mbps Off The port is disconnected WAN 100 right LED Blinking The ...

Page 13: ...Connecter for remote networked devices LAN Monitor Connecter for local networked devices LAN 1 4 Connecter for local networked devices USB Connecter for a USB device Connecter for a power cord with 100 240VAC inlet Power Switch 1 is ON 0 is OFF ...

Page 14: ...l Setup CSM Off No IM P2P Web Content Filter and or URL Content Filter application has been activated On The ISDN service function is active ISDN Blinking A successful connection on the ISDN BRI B1 B2 channel LED on Connector On The port is connected with 10Mbps Off The port is disconnected 10 left LED Blinking The data is transmitting On The port is connected with 100Mbps Off The port is disconne...

Page 15: ...for ISDN line WAN 1 2 Connecter for remote networked devices LAN Monitor Connecter for local networked devices LAN 1 4 Connecter for local networked devices USB Connecter for a USB device Connecter for a power cord with 100 240VAC inlet Power Switch 1 is ON 0 is OFF ...

Page 16: ...nect one end of an Ethernet cable RJ 45 to one of the LAN ports of the router and the other end of the cable RJ 45 into the Ethernet port on your computer The LAN LED Left or Right will light up according to the speed 100 or 10 of the device that it connected 3 Connect one end of the power adapter to the router s power port on the rear panel and the other side into a wall outlet 4 Power on the dev...

Page 17: ...connected this router can print documents via the router The example provided here is made based on Windows XP 2000 For Windows 98 SE please visit www draytek com Before using it please follow the steps below to configure settings for connected computers or wireless clients 1 Connect the printer with the router through USB parallel port 2 Open Start Settings Printer and Faxes ...

Page 18: ...d a New Computer A welcome dialog will appear Please click Next 4 Click Local printer attached to this computer and click Next 5 In this dialog choose Create a new port Type of port and use the drop down list to select Standard TCP IP Port Click Next ...

Page 19: ...e following dialog type 192 168 1 1 router s LAN IP in the field of Printer Name or IP Address and type IP_192 168 1 1 as the port name Then click Next 7 Click Standard and choose Generic Network Card 8 Then in the following dialog click Finish ...

Page 20: ...ion click Next 10 For the final stage you need to go back to Control Panel Printers and edit the property of the new printer you have added 11 Select LPR on Protocol type p1 number 1 as Queue Name Then click OK Next please refer to the red rectangle for choosing the correct protocol and UPR name The printer can be used for printing now Most of the printers with different manufacturers are compatib...

Page 21: ...ot know whether your printer is supported or not please visit www draytek com to find out the printer list Open Support FAQ find out the link of Printer Server and click it then click the What types of printers are compatible with Vigor router link Note 2 Vigor router supports printing request from computers via LAN ports but not WAN port ...

Page 22: ...VigorPro5510 Series User s Guide 12 This page is left blank ...

Page 23: ... P Pa as ss sw wo or rd d To change the password for this device you have to access into the web browse with default password first 1 Make sure your computer connects to the router correctly Notice You may either simply set up your computer to get IP dynamically from the router or set up the IP address of the computer to be the same subnet as the default IP address of Vigor router 192 168 1 1 For ...

Page 24: ...m Maintenance page and choose Administrator Password 5 Enter the login password the default is blank on the field of Old Password Type a new one in the field of New Password and retype it on the field of Confirm New Password Then click OK to continue 6 Now the password has been changed Next time use the new password to access the Web Configurator for this router ...

Page 25: ...d is entering login password After typing the password please click Next On the next page as shown below please select the WAN interface that you use Choose Auto negotiation as the physical type for your router Then click Next for next step On the next page as shown below please select the appropriate Internet access type according to the information from your ISP For example you should select PPP...

Page 26: ... such as a single DSL line wireless device or cable modem All the users over the Ethernet can share a common connection PPPoE is used for most of DSL modem users All local users can share one PPPoE connection for accessing the Internet Your service provider will provide you information about user name password and authentication mode If your ISP provides you the PPPoE connection please select PPPo...

Page 27: ...VigorPro5510 Series User s Guide 17 Click Finish A page of Quick Start Wizard Setup OK will appear Then the system status of this protocol will be shown ...

Page 28: ...Click PPTP as the protocol Type in all the information that your ISP provides for this protocol Click Next for viewing summary of such connection Click Finish A page of Quick Start Wizard Setup OK will appear Then the system status of this protocol will be shown ...

Page 29: ...ic IP as the protocol Type in all the information that your ISP provides for this protocol After finishing the settings in this page click Next to see the following page Click Finish A page of Quick Start Wizard Setup OK will appear Then the system status of this protocol will be shown ...

Page 30: ...the protocol Type in all the information that your ISP provides for this protocol After finishing the settings in this page click Next to see the following page Click Finish A page of Quick Start Wizard Setup OK will appear Then the system status of this protocol will be shown ...

Page 31: ...n Wizard 2 The screen of Service Activation Wizard will be shown as follows Choose the one you need and click Next In this case we choose to activate free trail edition Free trial edition if it is the first time that you register the service please use the option Formal edition with license key you can extend the license valid time manually ...

Page 32: ... service at the same time or individually When you finish the selection please click Next 4 Setting confirmation page will be displayed as follows please click Next 5 Wait for a moment till the following page appears When such page appears you can enable or disable these services for your necessity Then click Finish ...

Page 33: ...510 Series User s Guide 23 6 Now the web page will display the service s with valid time that you have activated according to your selection s 7 Open Defense configuration Activation to check the services status ...

Page 34: ...ies User s Guide 24 If you need to extend the license valid time you can also use the Service Activation Wizard again to reach your goal by clicking the radio button of Formal edition with license key and clicking Next ...

Page 35: ...tus WAN status ADSL Information and other status related to this router within one page If you select PPPoE PPTP as the protocol you will find out a link of Dial PPPoE PPPoA or Drop PPPoE PPPoA in the Online Status web page Online status for PPPoE WAN2 Online status for PPTP for WAN2 Online status for Static IP for WAN1 ...

Page 36: ...in WAN1 WAN web page Mode Displays the type of WAN connection e g PPPoE Up Time Displays the total uptime of the interface IP Displays the IP address of the WAN interface GW IP Displays the IP address of the default gateway TX Packets Displays the total transmitted packets at the WAN interface TX Rate Displays the speed of transmitted octets at the WAN interface RX Packets Displays the total numbe...

Page 37: ...ra at ti io on n Each time you click OK on the web page for saving the configuration you can find messages showing the system interaction with you Ready indicates the system is ready for you to input settings Settings Saved means your settings are saved once you click Finish or OK button ...

Page 38: ...VigorPro5510 Series User s Guide 28 ...

Page 39: ...1 255 255 From 192 168 0 0 to 192 168 255 255 W Wh ha at t a ar re e P Pu ub bl li ic c I IP P A Ad dd dr re es ss s a an nd d P Pr ri iv va at te e I IP P A Ad dd dr re es ss s As the router plays a role to manage and further protect its LAN it interconnects groups of host PCs Each of them has a private IP address assigned by the built in DHCP server of the Vigor router The router itself will als...

Page 40: ...an be used and Load Balance can be done in the router Besides 3G USB Modem in WAN2 also can be used as backup device Therefore when WAN1 is not available the router will use 3 5G for supporting automatically The supported 3G USB Modem will be listed on Draytek web site Please visit www draytek com for more detailed information Below shows the menu items for WAN 3 3 1 1 3 3 G Ge en ne er ra al l S ...

Page 41: ...ough Ethernet port yet the physical connection for WAN2 is done through an Ethernet port P1 or USB port You cannot change it To use 3G network connection through 3G USB Modem choose 3G USB Modem as the physical mode in WAN2 Next go to WAN Internet Access 3G USB Modem is available for WAN2 You can choose PPP as the access mode and click Details Page for further configuration Physical Type You can c...

Page 42: ...Internet Access In addition there are three selections for you to choose for different purposes WAN2 Fail It means the connection for WAN1 will be activated when WAN2 is failed WAN2 Upload speed exceed XX kbps It means the connection for WAN1 will be activated when WAN2 Upload speed exceed certain value that you set in this box for 15 seconds WAN2 Download speed exceed XX kbps It means the connect...

Page 43: ...at this router supports WAN1 is the default WAN interface for accessing into the Internet WAN2 is the optional WAN interface for accessing into the Internet when WAN 1 is inactive for some reason Display Name It shows the name of the WAN1 WAN2 that entered in general setup Physical Mode It shows the physical connection for WAN1 Ethernet WAN2 Ethernet or 3G USB Modem according to the real network c...

Page 44: ...e following web page will be shown PPPoE Client Mode Click Enable for activating this function If you click Disable this function will be closed and all the settings that you adjusted in this page will be invalid ISP Access Setup Enter your allocated username password and authentication parameters according to the information provided by your ISP If you want to connect to Internet all the time you...

Page 45: ...ect for the system to execute for WAN detection Ping IP If you choose Ping Detect as detection mode you have to type IP address in this field for pinging TTL Time to Live Displays value for your reference TTL value is set by telnet command MTU Mean maximum transmission unit of one packet The default value is 1442 PPP MP Setup PPP Authentication Select PAP only or PAP or CHAP for PPP Idle Timeout S...

Page 46: ...f fo or r S St ta at ti ic c o or r D Dy yn na am mi ic c I IP P For static IP mode you usually receive a fixed public IP address or a public subnet namely multiple public IP addresses from your DSL or Cable ISP service providers In most cases a Cable service provider will offer a fixed public IP while a DSL service provider will offer a public subnet If you have a public subnet you could assign a...

Page 47: ... is available for i model only Due to the absence of the ISDN interface in some models the ISDN dial backup feature and its associated setup options are not available to them Please refer to the previous part for further information None Disable the backup function Packet Trigger The backup line is not on until a packet from a local host triggers the router to establish a connection Always On If t...

Page 48: ...isplays value for your reference TTL value is set by telnet command MTU Mean maximum transmission unit of one packet The default value is 1442 RIP Protocol Routing Information Protocol is abbreviated as RIP RFC1058 specifying how routers exchange routing tables information Click Enable RIP for activating this function WAN IP Network Settings This group allows you to obtain an IP address automatica...

Page 49: ...PT TP P To use PPTP as the accessing protocol of the internet please choose Internet Access from WAN menu Then select PPTP mode for WAN The following web page will be shown PPTP Setup PPTP Link Click Enable to enable a PPTP client to establish a tunnel to a DSL modem on the WAN interface PPTP Server Specify the IP address of the PPTP server ISP Access Setup Username Type in the username provided b...

Page 50: ...ve only when the Active on demand option for Active Mode is selected in WAN General Setup page IP Address Assignment Method IPCP Fixed IP Usually ISP dynamically assigns IP address to you each time you connect to it and request In some case your ISP provides service to always assign you the same IP address whenever you request In this case you can fill in this IP address in the Fixed IP field Plea...

Page 51: ...ing protocol of the internet please choose Internet Access from WAN menu Then select PPP mode for WAN2 The following web page will be shown PPP Client Mode Click Enable to activate this mode for WAN2 SIM PIN code Type PIN code of the SIM card that will be used to access Internet Modem Initial String Such value is used to initialize USB modem Please use the default value If you have any question pl...

Page 52: ...gn traffic with protocol type IP address for specific host a subnet of hosts and port range to be allocated in WAN1 or WAN2 interface The user can assign traffic category and force it to go to dedicate network interface based on the following web page setup Twenty policies of load balance are supported by this router Note Load Balance Policy is running only when both WAN1 and WAN2 are activated In...

Page 53: ...dress for the end of the destination IP Dest Port Start Displays the IP address for the start of the destination port Dest Port End Displays the IP address for the end of the destination port Move UP Move Down Use Up or Down link to move the order of the policy Click Index 1 to access into the following page for configuring load balance policy Enable Check this box to enable this policy Protocol U...

Page 54: ...e source IPs inside the LAN will be passed through the WAN interface Dest IP Start Type the destination IP start for the specified WAN interface Dest IP End Type the destination IP end for the specified WAN interface If this field is blank it means that all the destination IPs will be passed through the WAN interface Dest Port Start Type the destination port start for the destination IP Dest Port ...

Page 55: ...ts private IP address What NAT does is to translate the packets from public IP address to private IP address to forward the right packets to the right host and vice versa Besides Vigor router has a built in DHCP server that assigns private IP address to each local host See the following diagram for a briefly understanding In some special case you may have a public IP subnet from your ISP such as 2...

Page 56: ...S St ta at ti ic c R Ro ou ut te e When you have several subnets in your LAN sometimes a more effective and quicker way for connection is the Static routes function rather than other method You may simply set rules to forward data from one specified subnet to another specified subnet without the presence of RIP W Wh ha at t a ar re e V Vi ir rt tu ua al l L LA AN Ns s a an nd d R Ra at te e C Co o...

Page 57: ...ault 192 168 1 1 1st Subnet Mask Type in an address code that determines the size of the network Default 255 255 255 0 24 For IP Routing Usage Click Enable to invoke this function The default setting is Disable 2nd IPAddress Type in secondary IP address for connecting to a subnet Default 192 168 2 1 24 2nd Subnet Mask An address code that determines the size of the network Default 255 255 255 0 24...

Page 58: ...subnet with neighboring routers DHCP Server Configuration DHCP stands for Dynamic Host Configuration Protocol The router by factory default acts a DHCP server for your network so it automatically dispatch related IP settings to any local user configured as a DHCP client It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network If ...

Page 59: ... router will automatically apply default DNS Server IP address 194 109 6 66 to this field Secondary IPAddress You can specify secondary DNS server IP address here because your ISP often provides you more than one DNS Server If your ISP does not provide it the router will automatically apply default secondary DNS Server IP address 194 98 0 1 to this field The default DNS Server IP address can be fo...

Page 60: ... St ta at ti ic c R Ro ou ut te es s t to o P Pr ri iv va at te e a an nd d P Pu ub bl li ic c N Ne et tw wo or rk ks s Here is an example of setting Static Route in Main Router so that user A and B locating in different subnet can talk to each other via the router Assuming the Internet access has been configured and the router works properly z use the Main Router to surf the Internet z create a p...

Page 61: ...rol on 1st Subnet The first is that the LAN interface can exchange RIP packets with the neighboring routers via the 1st subnet 192 168 1 0 24 The second is that those hosts on the internal private subnets ex 192 168 10 0 24 can access the Internet via the router and continuously exchange of IP routing information with different subnets 1 Click the LAN Static Route and click on the Index Number 1 C...

Page 62: ...3 2 2 4 4 V VL LA AN N Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port You can also manage the in out rate of each port Go to LAN page and select VLAN The following page will appear Click Enable to invoke VLAN function Note VLAN menu item is only available for VigorPro 5510 To add or remove a VLAN please refer to the following exa...

Page 63: ...e results 3 3 2 2 5 5 B Bi in nd d I IP P t to o M MA AC C This function is used to bind the IP and MAC address in LAN to have a strengthen control in network When this function is enabled all the assigned IP and MAC address binding together cannot be changed If you modified the binding IP or MAC address it might cause you not access into the Internet Click LAN and click Bind IP to MAC to open the...

Page 64: ...cking Add below Add and Edit IP Address Type the IP address that will be used for the specified MAC address Mac Address Type the MAC address that is used to bind with the assigned IP address Refresh It is used to refresh the ARP table When there is one new PC added to the LAN you can click this link to obtain the newly ARP table information IP Bind List It displays a list for the IP bind to MAC in...

Page 65: ... of IP address NAT allows the internal IP addresses of local hosts to be translated into one public IP address thus you can have only one IP address on behalf of the entire internal hosts z Enhance security of the internal network by obscuring the IP address There are many attacks aiming victims based on the IP address Since the attacker cannot be aware of any private IP addresses the NAT function...

Page 66: ...y to incoming traffic To use this function please go to NAT page and choose Port Redirection web page The Port Redirection Table provides 20 port mapping entries for the internal hosts Press any number under Index to access into next page for configuring port redirection ...

Page 67: ...es Private IP Specify the private IP address of the internal host providing the service If you choose Range as the port redirection mode you will see two boxes on this field Simply type the IP address in the first box as the starting point The second one is assigned automatically after you type the private port number below Private Port Specify the private port number of the service offered by the...

Page 68: ...VigorPro5510 Series User s Guide 58 You then will access the admin screen of by suffixing the IP address with 8080 e g http 192 168 1 1 8080 instead of port 80 ...

Page 69: ...maps ALL unsolicited data on any protocol to a single host in the LAN Regular web surfing and other such Internet activities from other clients will continue to work without inappropriate interruption DMZ Host allows a defined internal user to be totally exposed to the Internet which usually helps some special applications such as Netmeeting or Internet Games etc Note The inherent security propert...

Page 70: ...you previously have set up WAN Alias in Internet Access PPPoE you will find them in Aux WAN IP list for your selection Enable Check to enable the DMZ Host function Private IP Enter the private IP address of the DMZ host or click Choose PC to select one Choose PC Click this button and then a window will automatically pop up as depicted below The window consists of a list of private IP addresses of ...

Page 71: ...he relative number for the particular entry that you want to offer service in a local host You should click the appropriate index number to edit or clear the corresponding entry Comment Specify the name for the defined network service WAN Interface Display the WAN interface for the entry Local IP Address Display the private IP address of the local host offering the service Status Display the state...

Page 72: ... offered by the local host End Port Specify the ending port number of the service offered by the local host 3 3 3 3 4 4 A Ad dd dr re es ss s M Ma ap pp pi in ng g This page is used to map specific private IP to specific WAN IP alias If you have a group of IP Addresses and want to apply to the router please use WAN IP alias function to record these IPs first Then use address mapping function to ma...

Page 73: ...ntry enable or disable Click the index number link to open the configuration page Enable Check to enable this entry Protocol Specify the transport layer protocol It could be TCP UDP or ALL for selection WAN IP Select an IP address the selections provided here are set in IP Alias List of Network WAN interface Local host can use this IP to connect to Internet If you want to choose any one of the Pub...

Page 74: ...rovided with secured protection by the following firewall facilities z User configurable IP filter Call Filter Data Filter z Stateful Packet Inspection SPI tracks packets and denies unsolicited incoming data z Selectable Denial of Service DoS Distributed DoS DDoS attacks protection z URL Content Filter I IP P F Fi il lt te er rs s Depending on whether there is an existing Internet connection or in...

Page 75: ...usually categorized into two types the flooding type attacks and the vulnerability attacks The flooding type attacks will attempt to exhaust all your system s resource while the vulnerability attacks will try to paralyze the system by offending the vulnerabilities of the protocol or operation system The DoS Defense function enables the Vigor router to inspect every incoming packet based on the att...

Page 76: ...usion menu refer to section 3 6 However the mechanism must be enabled either in Firewall General Setup or Firewall Filter Setup web page After you choose proper Anti Virus profile and check Anti Intrusion box the Anti Virus and Anti Intrusion LEDs on the front panel will light up Below shows the menu items for Firewall 3 3 4 4 2 2 G Ge en ne er ra al l S Se et tu up p General Setup allows you to a...

Page 77: ...y to record information for IM P2P by checking the Log box It will be sent to Syslog server Please refer to section 3 13 4 Syslog Mail Alert for more detailed information URL Content Filter Select one of the URL Content Filter profile settings created in CSM URL Content Filter for applying with this router Please set at least one profile for choosing in CSM URL Content Filter web page first For tr...

Page 78: ...large incoming Some on line games for example Half Life will use lots of fragmented UDP packets to transfer game data Instinctively as a secure firewall Vigor router will reject these fragmented packets to prevent attack unless you enable Accept large incoming fragmented UDP or ICMP Packets By checking this box you can play these kinds of on line games If security concern is in higher priority you...

Page 79: ...sing suitable codepage please open Syslog From Codepage Information of Setup dialog you will see the recommended codepage listed on the dialog box Window size It determines the size of TCP protocol 0 65535 The more the value is the better the performance will be However if the network is not stable small value will be proper Session timeout Queue timeout Setting timeout for sessions can make the b...

Page 80: ...urity Checking For the sake of security you might want the router executing strict security checking for data transmission The router performance will be affected if you invoke strict security checking Anti Virus Check this box to execute the critical checking for virus Anti Spam Check this box to execute the critical checking for e mails In sequence Check this box to execute the critical checking...

Page 81: ...e Click a button numbered 1 7 to edit the filter rule Click the button will open Edit Filter Rule web page For the detailed information refer to the following page Active Enable or disable the filter rule Comment Enter filter set comments description Maximum length is 23 character long Move Up Down Use Up or Down link to move the order of the filter rules Next Filter Set Set the link to the next f...

Page 82: ...e up to 4 schedules out of the 15 schedules pre defined in Applications Schedule setup The default setting of this field is blank and the function will always work Direction Set the direction of packet flow LAN WAN WAN LAN It is for Data Filter only For the Call Filter this setting is not available since Call Filter is only applied to outgoing traffic Source Destination IP Click Edit to access int...

Page 83: ...ose Group and Objects as the Address Type From the IP Group drop down list choose the one that you want to apply Or use the IP Object drop down list to choose the object that you want Service Type Click Edit to access into the following dialog to choose a suitable service type To set the service type manually please choose User defined as the Service Type and type them in this dialog In addition i...

Page 84: ...y Packets matching the rule will be dropped immediately Pass Immediately Packets matching the rule will be passed immediately Block If No Further Match A packet matching the rule and that does not match further rules will be dropped Pass If No Further Match A packet matching the rule and that does not match further rules will be passed through Branch to other Filter Set If the packet matches the f...

Page 85: ...er Please refer to section Syslog Mail Alert for more detailed information Anti Intrusion Check the Enable box to invoke anti intrusion filter function For troubleshooting needs you can specify to record information for Anti Intrusion by checking the Log box It will be sent to Syslog server Please refer to section Syslog Mail Alert for more detailed information Anti Spam Select one of the anti spa...

Page 86: ...not stable small value will be proper Session timeout Queue timeout Setting timeout for sessions can make the best utilization of network resources However Queue timeout is configured for TCP protocol only session timeout is configured for the data flow which matched with the firewall rule Max Queue length When the network connection is not stable you can set large number for this setting to get b...

Page 87: ...of two IP filters call filter or data filter You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner Each filter set is composed by 7 filter rules which can be further defined After that in General Setup you may specify one set for call filter and one set for data filter to execute first ...

Page 88: ... attempt to exhaust the limited resource of Vigor router By default the threshold and timeout values are set to 50 packets per second and 10 seconds respectively Enable UDP flood defense Check the box to activate the UDP flood defense function Once detecting the Threshold of the UDP packets from the Internet has exceeded the defined value the Vigor router will start to randomly discard the subsequ...

Page 89: ... Vigor router not to forward any trace route packets Block SYN fragment Check the box to activate the Block SYN fragment function The Vigor router will drop any packets having SYN flag and more fragment bit set Block Fraggle Attack Check the box to activate the Block fraggle Attack function Any broadcast UDP packets received from the Internet is blocked Activating the DoS DDoS defense functionalit...

Page 90: ...ined at this time Therefore the router should have ability to detect and reject this kind of packets Warning Messages We provide Syslog function for user to retrieve message from Vigor router The user as a Syslog Server shall receive the report sending from Vigor router which is a Syslog Client All the warning messages related to DoS defense will be sent to user and user can review it through Sysl...

Page 91: ...in a limited range and keywords usually will be applied for configuring router s settings we can define them with objects and bind them with groups for using conveniently Later we can select that object service for applying For example all the IPs in the same department can be defined with an IP object a range of IP address ...

Page 92: ...Type a name for this profile Maximum 15 characters are allowed Interface Choose a proper interface WAN LAN or Any For example the Direction setting in Edit Filter Rule will ask you specify IP or IP range for WAN or LAN or any IP address If you choose LAN as the Interface here and choose LAN as the direction setting in Edit Filter Rule then all the IP addresses specified with LAN interface will be ...

Page 93: ...ntains one subnet for IP address Select Any Address if this object contains any IP address Start IP Address Type the start IP address for Single Address type End IP Address Type the end IP address if the Range Address type is selected Subnet Mask Type the subnet mask if the Subnet Address type is selected Invert Selection If it is checked all the IP addresses except the ones listed above will be a...

Page 94: ... for settings in detail Name Type a name for this profile Maximum 15 characters are allowed Interface Choose WAN LAN or Any to display all the available IP objects with the specified interface Available IP Objects All the available IP objects created in IP Object web page with the specified interface chosen above will be shown in this box Selected IP Objects Click button to add the selected IP obj...

Page 95: ...r this profile Protocol Specify the protocol s which this profile will apply to Source Destination Port Source Port and the Destination Port column are available for TCP UDP protocol It can be ignored for other protocols The filter rule will filter out any port number when the first and last value are the same it indicates one port when the first and last values are different it indicates a range ...

Page 96: ...rvice type the port number greater than this value is available the port number less than this value is available for this profile Below is an example of service type objects settings 3 3 5 5 4 4 S Se er rv vi ic ce e T Ty yp pe e G Gr ro ou up p This page allows you to bind several service types into one group Set to Factory Default Clear all profiles Click the number under Index column for setti...

Page 97: ...cts will be shown in this box Selected Service Type Objects Click button to add the selected IP objects in this box 3 3 5 5 5 5 K Ke ey yw wo or rd d O Ob bj je ec ct t You can set 200 keyword object profiles for choosing as black white list in Anti Spam Profile Setting Set to Factory Default Clear all profiles Click the number under Index column for setting in detail ...

Page 98: ... information will be watched out and be passed blocked based on the configuration on Firewall settings 3 3 5 5 6 6 K Ke ey yw wo or rd d G Gr ro ou up p This page allows you to bind several keyword objects into one group The keyword groups set here will be chosen as black white list in Anti Spam Profile Setting Set to Factory Default Clear all profiles Click the number under Index column for setti...

Page 99: ...e E Ex xt te en ns si io on n O Ob bj je ec ct t This page allows you to set eight profiles which will be applied in CSM URL Content Filter and Defense Configuration Anti Virus All the files with the extension names specified in these profiles will be processed according to the chosen action Profile 1 with name of default is the default profile some files with the file extensions specified in this...

Page 100: ...0 Series User s Guide 90 Profile Name Type a name for this profile Type a name for such profile and check all the items of file extension that will be processed in the router Finally click OK to save this profile ...

Page 101: ... to Factory Default Clear all profiles Click the number under Profile column for configuration in details There are several types of Instant Messenger IM provided here for you to choose to disallow people using Simple check the box es and then click OK Later in the CSM IM P2P Filter Profile page you can use IM Object drop down list to choose the proper profile configured here as the standard for t...

Page 102: ...orPro5510 Series User s Guide 92 Profile Name Type a name for this profile Type a name for such profile and check all the items that not allowed to be used in the host Finally click OK to save this profile ...

Page 103: ...efault Clear all profiles Click the number under Profile column for configuration in details There are several items for P2P protocols provided here for you to choose to disallow people using Simple check the box es and then click OK Later in the CSM IM P2P Filter Profile page you can use P2P Object drop down list to choose the proper profile configured here as the standard for the host s to follo...

Page 104: ...rofiles will be applied in Firewall IM P2P Filter Profile for filtering Set to Factory Default Clear all profiles Click the number under Profile column for configuration in details Applications for tunneling and streaming are listed in the page for you to choose to disallow people using Simple check the box es and then click OK Later in the CSM IM P2P Filter Profile page you can use Misc Object dr...

Page 105: ...ications since file sharing can be convenient but insecure at the same time C Co on nt te en nt t F Fi il lt te er ri in ng g To provide an appropriate cyberspace to users Vigor router equips with URL Content Filter not only to limit illegal traffic from to the inappropriate web sites but also prohibit other web feature where malicious code may conceal Once a user type in or click on an URL with o...

Page 106: ...tering service of the Vigor router you can protect your business from common primary threats such as productivity legal liability network and security threats For parents you can protect your children from viewing adult websites or chat rooms Once you have activated your Web Filtering service in Vigor router and chosen the categories of website you wish to restrict each URL address requested e g w...

Page 107: ...you to click to set different policy Name Display the name of the APP Enforcement Profile Click the number under Index column for settings in detail Profile Name Type a name for the CSM profile Each profile can contain three objects settings IM Object P2P Object and Misc Object Such profile can be applied in the Firewall General Setup and Firewall Filter Setup pages as the standard for the host s ...

Page 108: ... com Also the Vigor router will discard any request that tries to retrieve the malicious code Click CSM and click URL Content Filter to open the profile setting page You can set eight profiles as URL content filter Simply click the index number under Profile to open the following web page Profile Name Type the name for such profile Priority It determines the action that this router will apply Both...

Page 109: ...rofile Pass Only the log about Pass will be recorded in Syslog Block Only the log about Block will be recorded in Syslog All All the actions Pass and Block will be recorded in Syslog URL Access Control Enable URL Access Control Check the box to activate URL Access Control Note that the priority for URL Access Control is higher than Restrict Web Feature If the web content match the setting set in U...

Page 110: ...ture Enable Restrict Web Feature Check this box to make the keyword being blocked or passed Action This setting is available only when Either URL Access Control First or Either Web Feature Firs is selected Pass allows accessing into the corresponding webpage with the keywords listed on the box below Pass Allow accessing into the corresponding webpage with the keywords listed on the box below Block...

Page 111: ...aytek com Therefore you need to register an account on http myvigor draytek com for using corresponding service Please refer to section 4 1 for more information of creating MyVigor account Note If you have used Service Activation Wizard to activate WCF service you can skip this section WCF adopts the mechanism developed and offered by certain service provider e g DrayTek No matter activating WCF f...

Page 112: ...will check the URL that the user wants to access via WCF precisely however the processing rate is normal Such item can provide the most accurate URL matching L1 the router will check the URL that the user wants to access via WCF If the URL has been accessed previously it will be stored for a short time about 1 second in the router to be accessed quickly if required Such item can provide accurate U...

Page 113: ... web page The items listed in Categories will be changed according to the different service providers If you have and activate another web content filter license the items will be changed simultaneously All of the configuration made for web content filter will be deleted automatically Therefore please backup your data before you change the web content filter license Profile Name Type a name for su...

Page 114: ...racters listed on Group Object Selections If the web pages do not match with the specified feature set here they will be processed with the categories listed on the box below Block restrict accessing into the corresponding webpage with the characters listed on Group Object Selections If the web pages do not match with the specified feature set here they will be processed with the categories listed...

Page 115: ...trusion it is suggested for you to register your router by entering www vigorpro com When you finished the registration you can get and activate a wide range of anti intrusion rules from the website In addition you will be allowed to download update new rules if they are released from the websites lately during the valid time of the license key you purchased after completing the registration You a...

Page 116: ...ng outgoing packets which match all the severity rules including high medium and low The degree of severity for each rule is defined in Advance Setup Medium Security Click this radio button to activate the anti intrusion service with medium detecting conditions That is the router will detect and block the incoming outgoing packets which match the highest and medium severity rules The degree of sev...

Page 117: ...ou Search It can help the user to find out specific anti intrusion rule quickly Type links Click any anti intrusion type link to access into next page for configuring the rules settings Here we provide several rules for each type The factory types and rules for anti intrusion are shown in this page If you want to acquire more types and rules please go to www vigorpro com and finish the registratio...

Page 118: ...fect which might crash your computer L representing that this type will cause small effect which might not crash your computer Log In order to show the detection log with such rule on the window of Draytek Syslog you have to check the log box here and enable the SysLog Access Setup from System Maintenance Syslog Mail Alert Action Pass Click this radio button to detect if there is any intrusion occ...

Page 119: ...b page will be scanned for finding out virus while passing through the router Note Files with three layer compression the files are compressed with three times also can be scanned by this router 3 3 7 7 2 2 1 1 P Pr ro of fi il le e S Se et tt ti in ng g This page allows you to set eight profiles for anti virus scanning These profiles can be invoked through firewall configuration It is recommended...

Page 120: ...ce The system will not do any advanced action for such condition Destroy Destroy the infected file found by the router system However the file will be downloaded still Reset Break down the communication between your computer and specific link which might have virus included Enable Virus Scan Check this box to enable the general virus scan procedure for different protocols Enable Log In order to sh...

Page 121: ...ed with the ratio specified here Append Message This function is available for SMTP and POP3 protocols If you check it the message typed under the box of Administration Message will be sent out with e mail File Filter Click this link to open Defense Configuration Anti Virus File Pattern List for viewing current settings Block Fragmented Mail The file with fragmentations will be passed destroyed re...

Page 122: ...ut all the virus rules related to the SID NAME that you entered The page of the searching result will be shown as the following picture Click each name link to check the detailed information of the anti virus rule D De et ta ai il le ed d V Vi ie ew w f fo or r A An nt ti i V Vi ir ru us s From the fourteen types of anti virus list click any one of them to access into next page The detailed view l...

Page 123: ...3 F Fi il le e F Fi il lt te er r P Pr ro of fi il le e To avoid confidential file being leaked out by someone else through network and cause severe consequence you can specify the file name in this page and determine to destroy or scan or pass it while the file passes through the router Before activating the File Filter Profile you have to set one Anti Virus profile on Defense Configuration Anti ...

Page 124: ... Destroy as the default action if the file does not meet the conditions configured below Keyword You can set three sets of keywords for this profile Action Choose the action that you want to apply to the selected keyword Destroy Destroy the file with name specified here which is found by the router system Non Scan The file will not be scanned and will not be processed by using general rules set in...

Page 125: ...le to be executed as filtering condition Destroy the file if the file name is over length Check this box to destroy the file with filename over 76 characters Syslog Mail Alert Specify the condition for the system to send Syslog Mail Alert for the default action None No action will be recorded in Syslog Match Only Only the log that matching with the above condition will be recorded in Syslog No Mat...

Page 126: ... of fi il le e S Se et tt ti in ng g Open Defense Configuration Anti Spam Profile Setting menu to access into the following page There are sixteen profiles provided by this system for you to define Profile 1 16 There are sixteen profiles provided for you to define Simply click the number link under Profile the setting page for that number will be open for you to configure Name List the name for th...

Page 127: ...ll check it again and the email will be accepted If the mail is from a spammer it will probably not be retried since a spammer goes through thousands of email addresses and can not afford the time delay to retry Check this button to enable SPAM grey list defense function In addition you can check Log Grey List Events to send record of events to syslog Enable Black White List Check this box to enab...

Page 128: ... and categorized into Spam Bulk or normal mails For the one that is confirmed as spam will be processed with the rule of Spam and the one that is probably spam will be processed with the rule of Bulk Please set different process action for Spam and Bulk respectively Action When the system fails due to system timeout or network problem you can specify specific action Pass or Tag for the system to e...

Page 129: ...ansfer agent MTA using grey list will temporarily reject any email from a sender it does not recognize If the mail is legal the server will check it again and the email will be accepted If the mail is from a spammer it will probably not be retried since a spammer goes through thousands of email addresses and can not afford the time delay to retry This page allows user to set conditions to block ma...

Page 130: ...ctivate the mechanism for your computer Click Defense Configuration Activation to open the following page for accessing http myvigor draytek com Activate via interface Choose WAN interface used by such device for activating Web Content Filter Activate The Activate link brings you accessing into www vigorpro com to finish the activation of the account and the router Authentication Message As for au...

Page 131: ...VigorPro5510 Series User s Guide 121 ...

Page 132: ...b page Enable Disable Click Enable to activate AI AV Count Setting The AI AV auto block setting result will be seen in Diagnostics LAN Security Monitor Default setting is Disable General Setup Settings configured here will be applied for most of the defense events intrusion virus except settings configured in Specific Limitation AI Count type the number for the system to block the connection of th...

Page 133: ...ce IP within the range of specific limitation for AI events AV Count type the number for the system to block the connection of the source IP within the range of specific limitation for AV events Time Interval type the time for the system to wait and execute the action of blocking Add Click this button to add one new condition for AI AV count to the list above Edit Click this button to modify selec...

Page 134: ...nce There are three levels for the signature basic If you did not register and activate your account you can just own the default 200 or more anti intrusion and anti virus rules for your router DT DT DT KL_XXXXXX If you have registered and activated your AI AV account and downloaded the newest rules from www vigorpro com you can see DT DT DT KL in this field that means you have obtained the latest...

Page 135: ...any effect even if you click them Import You can import a saved file to manually upgrade the signature Click Browse to choose the right file with sig file format Next click Upgrade Backup You can backup current signature information with the filename vigorpro sig Download Now This button will download newly update anti intrusion and anti virus from VigorPro website While downloading the file a pro...

Page 136: ...y It means the downloading procedure will be executed automatically whenever passing through the time hours and minutes that you set here Daily It means the downloading procedure will be automatically executed every day at the time hours and minutes that you set here Weekly It means the downloading procedure will be automatically executed at the time hours and minutes that you set here every week ...

Page 137: ...L signature used 3 3 7 7 7 7 S St ta at tu us s This field will shows the status for the license start date and expire date for Anti Intrusion Anti Virus service If your account or router is still not activated the word Not Activated will be displayed here to inform you ...

Page 138: ...dress can access to the Internet via NAT router The router will generate the records of NAT sessions for such connection The P2P Peer to Peer applications e g BitTorrent always need many sessions for procession and also they will occupy over resources which might result in important accesses impacted To solve the problem you can use limit session to limit the session procession for specified Hosts...

Page 139: ...dresses If you do not set the session number in this field the system will use the default session limit for the specific limitation you set for each index Add Adds the specific session limitation onto the list above Edit Allows you to edit the settings for the selected limitation Delete Delete the selected settings existing on the limitation list Index 1 15 in Schedule Setup You can type in four ...

Page 140: ...fault speed of the downstream for each computer in LAN Allow auto adjustment to make the best utilization of available bandwidth Router will detect if there is enough bandwidth remained for using according to the bandwidth limit set by the user If yes the router will adjust the available bandwidth for users to enhance the total utilization Limitation List Display a list of specific limitations tha...

Page 141: ...riation Another reason is due to congestions at network intersections where speeds of interconnected circuits mismatch or traffic aggregates packets will queue up and traffic can be throttled back to a lower speed If there s no defined priority to specify which packets should be discarded or in another term dropped from an overflowing queue packets of sensitive applications mentioned above might b...

Page 142: ...business deal of SLA among different DS domain owners It s not easy to achieve deterministic and consistent high priority QoS traffic throughout the whole network with merely Vigor router s effort In the Bandwidth Management menu click Quality of Service to open the web page This page displays the QoS settings result of the WAN interface Click the Setup link to access into next page for the genera...

Page 143: ...upstream please set 256kbps for this box The default value is 10000kbps Note The rate of outbound inbound must be smaller than the real bandwidth to ensure correct calculation of QoS It is suggested to set the bandwidth value for inbound outbound as 80 85 of physical network speed provided by ISP to maximize the QoS performance Reserved Bandwidth Ratio It is reserved for the group index in the for...

Page 144: ...l Setup web page and click Setup again for WAN1 WAN2 on the Bandwith Management Quality of Service E Ed di it t t th he e C Cl la as ss s R Ru ul le e f fo or r Q Qo oS S The first three Class 1 to Class 3 class rules can be adjusted for your necessity To add edit or delete the class rule please click the Edit link of that one After you click the Edit link you will see the following page Now you c...

Page 145: ...Subnet Address you have to fill in Start IP address and Subnet Mask DiffServ CodePoint All the packets of data will be divided with different levels and will be processed according to the level type by the system Please assign one of the level of the data for processing with QoS control Service Type It determines the service type of the data for processing with QoS control It can also be edited Yo...

Page 146: ...he e S Se er rv vi ic ce e T Ty yp pe e f fo or r C Cl la as ss s R Ru ul le e To add a new service type edit or delete an existed service type please click the Edit link under Service Type field After you click the Edit link you will see the following page ...

Page 147: ...onfiguration Click Single or Range If you select Range you have to type in the starting port number and the end porting number on the boxes below Port Number Type in the starting port number and the end porting number here if you choose Range as the type By the way you can set up to 40 service types If you want to edit delete an existed service type please select the radio button of that one and c...

Page 148: ... Dynamic DNS feature you have to apply for free DDNS service to the DDNS service providers The router provides up to three accounts from three different DDNS service providers Basically Vigor routers are compatible with the DDNS services supplied by most popular DDNS service providers such as www dyndns org www no ip com www dtdns com www changeip com www dynamic nameserver com You should visit th...

Page 149: ... the WAN interface order to apply settings here Service Provider Select the service provider for the DDNS account Service Type Select a service type Dynamic Custom Static If you choose Custom you can modify the domain that is chosen in the Domain Name field Domain Name Type in the domain name that you applied previously Use the drop down list to choose the desired domain Login Name Type in the log...

Page 150: ...so restrict Internet access to certain hours so that users can connect to the Internet only during certain hours say business hours The schedule is also applicable to other functions You have to set your time before set schedule In System Maintenance Time and Date menu press Inquire Time button to set the Vigor router s clock to current time of your PC The clock will reset once if you power down o...

Page 151: ...e Dial On Demand Specify the connection to be up when it has traffic on the line Once there is no traffic over idle timeout the connection will be down and never up again during the schedule Idle Timeout Specify the duration or period for the schedule How often Specify how often the schedule will be applied Once The schedule will be applied just once Weekdays Specify which days in one week should ...

Page 152: ... performing mutual authentication It enables centralized remote access authentication for network management Lightweight Directory Access Protocol LDAP is a communication protocol for using in TCP IP network It defines the methods to access distributing directory server by clients work on directory and share the information in the directory by clients The LDAP standard is established by the work t...

Page 153: ...oth sides must be configured to use the same shared secret Confirm Shared Secret Re type the Shared Secret for confirmation Common Name Identifier Type or edit the common name identifier for the LDAP server The common name identifier for most LDAP server is cn Distinguished Name Type or edit the distinguished name used to look up entries on the LDAP server ...

Page 154: ...N Messenger to allow full use of the voice video and messaging features Enable UPNP Service Accordingly you can enable either the Connection Control Service or Connection Status Service After setting Enable UPNP Service setting an icon of IP Broadband Connection on Router on Windows XP Network Connections will appear The connection status and control status will be able to be activated The NAT Tra...

Page 155: ...nction on your network may incur some security threats You should consider carefully these risks before activating the UPnP function Some Microsoft operating systems have found out the UPnP weaknesses and hence you need to ensure that you have applied the latest service packs and patches Non privileged users can control some router functions including removing and adding port mappings The UPnP fun...

Page 156: ...This field displays the ID port for the multicast group The available range for IGMP starts from 224 0 0 0 to 239 255 255 254 P1 to P4 It indicates the LAN port used for the multicast group Refresh Click this link to renew the working multicast group status If you check Enable IGMP Proxy you will get the following page All the multicast groups will be listed and all the LAN ports P1 to P4 are avai...

Page 157: ...Wake by IP Address you have to choose the correct IP address IP Address The IP addresses that have been configured in LAN Bind IP to MAC will be shown in this drop down list Choose the IP address from the drop down list that you want to wake up MAC Address Type any one of the MAC address of the binded PCs Wake Up Click this button to wake up the selected IP See the following figure The result will...

Page 158: ... a manner that emulates the properties of a point to point private link Below shows the menu items for VPN and Remote Access 3 3 1 10 0 1 1 R Re em mo ot te e A Ac cc ce es ss s C Co on nt tr ro ol l Enable the necessary VPN service as you need If you intend to run a VPN server inside your LAN you should disable the VPN service of Vigor Router to allow VPN tunnel pass through as well as the approp...

Page 159: ...Otherwise the MPPE encryption scheme will be used to encrypt the data Require MPPE 40 128bits Selecting this option will force the router to encrypt packets by using the MPPE encryption algorithm In addition the remote dial in user will use 40 bit to perform encryption prior to using 128 bit for encryption In other words if 128 bit MPPE encryption method is not available then 40 bit encryption sch...

Page 160: ...se 2 Phase 2 negotiation IPSec security methods including Authentication Header AH or Encapsulating Security Payload ESP for the following IKE exchange and mutual examination of the secure tunnel establishment There are two encapsulation methods used in IPSec Transport and Tunnel The Transport mode will add the AH ESP payload and use original IP header to encapsulate the data payload only It can j...

Page 161: ...data will be authenticated but not be encrypted By default this option is active High Encapsulating Security Payload ESP means payload data will be encrypted and authenticated You may select encryption algorithm from Data Encryption Standard DES Triple DES 3DES and AES 3 3 1 10 0 4 4 I IP PS Se ec c P Pe ee er r I Id de en nt ti it ty y To use digital certificate for peer authentication in either ...

Page 162: ...accept any peer regardless of its identity Accept Subject Alternative Name Click to check one specific field of digital signature to accept the peer with matching value The field can be IP Address Domain or E mail address The box under the Type will appear according to the type you select and ask you to fill in corresponding setting Accept Subject Name Click to check the specific fields of digital...

Page 163: ...ough the built in RADIUS client function The following figure shows the summary table Set to Factory Default Click to clear all indexes Index Click the number below Index to access into the setting page of Remote Dial in User User Display the username for the specific dial in user of the LAN to LAN profile The symbol represents that the profile is empty Status Display the access state of the speci...

Page 164: ...e dial in user below This feature is for i model only PPTP Allow the remote dial in user to make a PPTP VPN connection through the Internet You should set the User Name and Password of remote dial in user below IPSec Tunnel Allow the remote dial in user to make an IPSec VPN connection through Internet L2TP Allow the remote dial in user to make a L2TP VPN connection through the Internet You can sel...

Page 165: ...ted or not please open Draytek SSL VPN portal interface From the web page you will see the message to indicate the SSL Tunnel is activated Specify Remote Node Check the checkbox You can specify the IP address of the remote dial in user ISDN number or peer ID used in IKE aggressive mode Uncheck the checkbox This means the connection type you select above will apply the authentication methods and se...

Page 166: ... one s you need as SSL VPN To check if SSL Web Proxy is activated or not please open Draytek SSL VPN portal interface From the web page you will see the message to indicate that you have the privilege for the SSL Web Proxy Set SSL Application If you ve already set up SSL application profiles you ll see some check boxes here Please check the profiles that you want to enable for this account If you ...

Page 167: ...ot be encrypted By default this option is invoked You can uncheck it to disable it High Encapsulating Security Payload ESP means payload data will be encrypted and authenticated You may select encryption algorithm from Data Encryption Standard DES Triple DES 3DES and AES Local ID Specify a local ID to be used for Dial in setting in the LAN to LAN Profile setup This item is optional and can be used...

Page 168: ...nnels simultaneously The following figure shows the summary table Set to Factory Default Click to clear all indexes Name Indicate the name of the LAN to LAN profile The symbol represents that the profile is empty Status Indicate the status of individual profiles The symbol V and X represent the profile to be active and inactive respectively Click each index to edit each profile and you will get th...

Page 169: ...ile of the LAN to LAN connection Enable this profile Check here to activate this profile VPN Connection Through Use the drop down menu to choose a proper WAN interface for this profile This setting is useful for dial out only WAN1 First While connecting the router will use WAN1 ...

Page 170: ... connection Idle Timeout The default value is 300 seconds If the connection has been idled over the value the router will drop the connection Enable PING to keep alive This function is to help the router to determine the status of IPSec VPN connection especially useful in the case of abnormal VPN IPSec tunnel disruption For details please refer to the note below Check to enable the transmission of...

Page 171: ...DN or Server IP Host Name for You can specify the IP address of the remote dial out user Link Type Link Type There are three link types provided here for different purpose Disable disables the ISDN connection function 64Kbps allows you to use one ISDN channel for Internet access 128Kbps allows you to use both ISDN B channels for Internet access BOD stands for bandwidth on demand The router will us...

Page 172: ... to choose one of the certificates configured in Certificate Management Local Certificate IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy Medium AH Authentication Header means data will be authenticated but not be encrypted By default this option is active High ESP Encapsulating Security Payload means payload data will be encrypted and authenticate...

Page 173: ...tion that covers the most algorithms IKE phase 1 key lifetime For security reason the lifetime of key should be defined The default value is 28800 seconds You may specify a value in between 900 and 86400 seconds IKE phase 2 key lifetime For security reason the lifetime of key should be defined The default value is 3600 seconds You may specify a value in between 600 and 86400 seconds Perfect Forwar...

Page 174: ...del only Allowed Dial In Type Determine the dial in connection with different types ISDN Allow the remote ISDN LAN to LAN connection You should set the User Name and Password of remote dial in user below This feature is useful for i model only In addition you can further set up Callback function below PPTP Allow the remote dial in user to make a PPTP VPN connection through the Internet You should ...

Page 175: ...security methods in the general settings User Name This field is applicable when you select ISDN PPTP or L2TP with or without IPSec policy above Password This field is applicable when you select ISDN PPTP or L2TP with or without IPSec policy above VJ Compression VJ Compression is used for TCP IP protocol header compression This field is applicable when you select ISDN PPTP or L2TP with or without ...

Page 176: ... data in encryption with GRE over IPSec packet after configuring IPSec Dial Out setting Both ends must match for each other by setting same virtual IP address for communication Logical Traffic Such technique comes from RFC2890 Define logical traffic for data transmission between both sides of VPN tunnel by using the characteristic of GRE Even hacker can decipher IPSec encryption he she still canno...

Page 177: ...RX Both TX Only RX Only and Disable From first subnet to remote network you have to do If the remote network only allows you to dial in with single IP please choose NAT otherwise choose Route Change default route to this VPN tunnel Only single WAN supports this Check this box to change the default route with this VPN tunnel Be aware that this setting is available only for one WAN interface is enab...

Page 178: ...r re es s o of f V VP PN N T TR RU UN NK K V VP PN N L Lo oa ad d B Ba al la an nc ce e M Me ec ch ha an ni is sm m VPN Load Balance Mechanism can set multiple VPN tunnels for using as traffic load balance tunnel It can assist users to do effective load sharing for multiple VPN tunnels according to real line bandwidth Moreover it offers three types of algorithms for load balancing and binding tunn...

Page 179: ...Backup Profile field Display the dial out profile selected from the Member1 drop down list below Active on Backup Profile field Yes means normal condition No means the state might be disabled or that profile currently is set with Dial in mode for call direction in LAN to LAN Type on Backup Profile field Display the connection type for that profile such as IPSec PPTP L2TP L2TP over IPSec NICE L2TP ...

Page 180: ...me Display the name of VPN TRUNK VPN Load Balance mechanism profile Member1 Display the dial out profile selected from the Member1 drop down list below Active Yes means normal condition No means the state might be disabled or that profile currently is set with Dial in mode for call direction in LAN to LAN Type Display the connection type for that profile such as IPSec PPTP L2TP L2TP over IPSec NIC...

Page 181: ...ber 1 Member2 Display the selection for LAN to LAN dial out profiles configured in VPN and Remote Access LAN to LAN for you to choose for grouping under certain VPN TRUNK VPN Backup Load Balance mechanism profile No Index number of LAN to LAN dial out profile Name Profile name of LAN to LAN dial out profile Connection Type Connection type of LAN to LAN dial out profile VPN ServerIP Private Network...

Page 182: ...ion for one tunnel the other tunnel will dial out automatically within two seconds Therefore you can choose any one of members under VPN Load Balance for dialing out T Ti im me e f fo or r a ac ct ti iv va at ti in ng g V VP PN N T TR RU UN NK K D Di ia al l o ou ut t w wh he en n V VP PN N L Lo oa ad d B Ba al la an nc ce e D Di is sc co on nn ne ec ct te ed d For there is one Tunnel created and ...

Page 183: ...ism profile the selected LAN to LAN profiles will be released and expressed in black H Ho ow w c ca an n y yo ou u s se et t a a G GR RE E o ov ve er r I IP PS Se ec c p pr ro of fi il le e 1 Please go to LAN to LAN to set a profile with IPSec 2 If the router will be used as the VPN Server i e with virtual address 192 168 50 200 Please type 192 168 50 200 in the field of My GRE IP Type IP address ...

Page 184: ...ing profiles for load balance you can choose any one of them and click Advance for more detailed configuration The windows for advanced load balance and backup are different Refer to the following explanation Advanced Load Balance Profile Name List the load balance profile name Load Balance Algorithm Round Robin Based on packet base both tunnels will send the packet alternatively Such method can r...

Page 185: ... Balance profile Active In active Delete can delete this binding tunnel table Active can activate this binding tunnel table Binding Dial Out Index Specify connection type for transmission by choosing the index LAN to LAN Profile Index for such binding tunnel table Binding Set IP Start End Specify source IP addresses as starting point and ending point Binding Dest IP Start End Specify destination I...

Page 186: ... here and IGMP Service Port also fits the number here such binding tunnel table can be established Other means when the source IP destination IP destination port and fragment conditions match with the settings specified here with different TCP Service Port UDP Service Port ICMP IGMP such binding tunnel table can be established Detail Information This field will display detailed information for Bin...

Page 187: ...al out VPN TRUNK backup profiles being activated alternatively Recover Timer choose this mode to detect VPN connection periodically and type the value for it the unit is second If VPN server for Member 1 has completed the network connection current VPN Tunnel backup connection will be off Resume when VPN connection breaks down or disconnects Member 1 will be the top priority for the system to do V...

Page 188: ...nnect any VPN connection by clicking Drop button You may also aggressively Dial out by using Dial out Tool and clicking Dial button Dial Click this button to execute dial out function with general mode backup mode or load balance mode Refresh Seconds Choose the time for refresh the dial information among 5 10 and 30 Refresh Click this button to refresh the whole connection status ...

Page 189: ...ose trusted CA servers Here you can manage generate and manage the local digital certificates and set trusted CA certificates Remember to adjust the time of Vigor router before using the certificate so that you can get the correct valid period of certificate Below shows the menu items for Certificate Management 3 3 1 11 1 1 1 L Lo oc ca al l C Ce er rt ti if fi ic ca at te e This page allows users...

Page 190: ...igor router allows you to generate a certificate request and submit it the CA server then import it as Local Certificate If you have already gotten a certificate from a third party you may import it directly The supported types are PKCS12 Certificate and Certificate with a private key Click this button to import a saved file as the certification information There are three types of local certifica...

Page 191: ...ally pfx or p12 And these certificates usually need passwords Note PKCS12 is a standard for storing private keys and certificates securely It is used in among other things Netscape and Microsoft Internet Explorer with their import and export options Upload Certificate and Private Key It is useful when users have separated certificates and private keys And the password is needed if the private key ...

Page 192: ...to copy the certificate request information from above window Next access your CA server and enter the page of certificate request copy the information into it and submit a request A new certificate will be issued to you by the CA server You can save it ...

Page 193: ... click IMPORT to open the following window Use Browse to find out the saved text file Then click Import The one you imported will be listed on the Trusted CA Certificate window Then click Import to use the pre saved file For viewing each trusted CA certificate click View to open the certificate detail information window If you want to delete a CA certificate choose the one and click Delete to remo...

Page 194: ...ertificate for this router can be saved within one file Please click Backup on the following screen to save them If you want to set encryption password for these certificates please type characters in both fields of Encrypt password and Retype password Also you can use Restore to retrieve these two settings to the router whenever you want ...

Page 195: ...l l S Se et tu up p This web page allows you to enable ISDN function Country Code For proper operation on your local ISDN network you should choose the correct country code D Channel Mode It allows you to configure ISDN layer2 protocol as Point to Point Configure ISDN port to use static TEI Terminal Endpoint Identifier Point to Multipoint Configure ISDN port to use Dynamic TEI 3 3 1 12 2 3 3 D Di ...

Page 196: ...N B channel for Internet access Dialup 128Kbps allows you to use both ISDN B channels for Internet access Dialup BOD stands for bandwidth on demand The router will use only one B channel in low traffic situations Once the single B channel bandwidth is fully used the other B channel will be activated automatically through the dialup For more detailed BOD parameter settings please refer to the secti...

Page 197: ...Setup Link Type There are three link types provided here for different purpose Link Disable disables the ISDN dial out function Dialup 128Kbps allows you to use both ISDN B channels for Internet access Dialup BOD for detailed information of configuration please refer to section 3 10 5 stands for bandwidth on demand The router will use only one B channel in low traffic situations Once the single B ...

Page 198: ... Dial Number Enter the ISDN access number provided by the ISP Username Enter the username provided by your ISP Password Enter the password provided by your ISP IP Address Assignment Method IPCP for secondary ISP setup In most environments you should not change these settings as most ISPs provide a dynamic IP address for the router when it connects to the ISP If your ISP provides a fixed IP address...

Page 199: ...blishment and release of connections The Virtual TA client which is installed on the local hosts or PCs creates a CAPI based driver to relay all CAPI messages between the applications and the router CAPI module Before describing the configuration of Virtual TA in the Vigor routers please notice the following limitations As depicted in the above application scenario the Virtual TA client can make a...

Page 200: ... for Multiple Subscriber Number It means you can apply to more than one ISDN lines number over a single subscribed line Note that the service must be acquired from your telecom Specify the MSN numbers for a specific client If you have no MSN services leave this field blank Active Check it to enable the client to access the server I In ns st ta al ll l a a V Vi ir rt tu ua al l T TA A C Cl li ie en...

Page 201: ... TA client may login to the server Once a single Username Password field has been filled in the Virtual TA server will only allow clients with a valid Username Password to login The screen of Virtual TA configuration is presented below U Us se er r P Pr ro of fi il le e Note that creating a single user access account will limit the access to the Virtual TA server to only the specified account hold...

Page 202: ... the specified MSN number in the CAPI based software When the Virtual TA server sends an alert signal to the specified Virtual TA client the CAPI based software will also receive the action the software will not accept the incoming call 3 3 1 12 2 5 5 C Ca al ll l C Co on nt tr ro ol l Some applications require that the router only for the ISDN models be remotely activated or be able to dial up to...

Page 203: ...ng its Internet access either by dialing up or starting broadband connection users can make a regular phone call the number is set in the Remote Activation field to the router as signaling it for activation The phone call will be soon disconnected once the router is on line Note that Dialing to a Single ISP should be pre configured properly Basic Setup Link Type Because ISDN has two B channels 64K...

Page 204: ...c C Co on nc ce ep pt ts s Over recent years the market for wireless communications has enjoyed tremendous growth Wireless technology now reaches or is capable of reaching virtually every location on the surface of the earth Hundreds of millions of people exchange information every day via wireless communication products The Vigor G model a k a Vigor wireless router is designed for maximum flexibi...

Page 205: ...Wi Fi Protected Access the most dominating security mechanism in industry is separated into two categories WPA personal or called WPA Pre Share Key WPA PSK and WPA Enterprise or called WPA 802 1x In WPA Personal a pre defined key is used for encryption during data transmission WPA applies Temporal Key Integrity Protocol TKIP for data encryption while WPA2 applies AES The WPA Enterprise combines no...

Page 206: ... each other To elaborate an example for business use you may set up a wireless LAN for visitors only so they can connect to Internet without hassle of the confidential information leakage For a more flexible deployment you may add filters of MAC addresses to isolate users access from wired LAN Manage Wireless Stations Station List will display all the station in your wireless network and the statu...

Page 207: ...IEEE802 11b and IEEE802 11g protocols simultaneously SuperG The radio only supports SuperG 11g only The radio only supports IEEE802 11g 11b only The radio only supports IEEE802 11b Index 1 15 Set the wireless LAN to work at certain time interval only You may choose up to 4 schedules out of the 15 schedules pre defined in Applications Schedule setup The default setting of this field is blank and th...

Page 208: ...the information except SSID or just cannot see any thing about Vigor wireless router while site surveying Long Preamble This option is to define the length of the sync field in an 802 11 packet Most modern wireless network uses short preamble with 56 bit sync field instead of long preamble with 128 bit sync field However some original 11b wireless network devices only support long preamble Check i...

Page 209: ...P Key WEP 802 1x Only Accept WEP clients with 802 1x authentication Since the key will be auto negotiated during authentication the field of key setting below will be not available for input WEP or WPA PSK Accepts WEP and WPA clients with legal key accordingly Only Mixed WPA WPA2 is applicable if you select WPA PSK WEP 802 1x or WPA 802 1x Accept WEP or WPA clients with 802 1x authentication Only ...

Page 210: ...ly in this field below or automatically negotiated via 802 1x authentication Type Select from Mixed WPA WPA2 or WPA2 only Pre Shared Key PSK Either 8 63 ASCII characters such as 012345678 or 64 Hexadecimal digits leading by 0x such as 0x321253abcde WEP 64 Bit For 64 bits WEP key either 5 ASCII characters such as 12345 or 10 hexadecimal digitals leading by 0x such as 0x4142434445 128 Bit For 128 bi...

Page 211: ...able Access Control Select to enable the MAC Address access control feature Policy Select to enable any one of the following policy Choose Activate MAC address filter to type in the MAC addresses for other clients in the network manually Choose Isolate WLAN from LAN will separate all the WLAN stations from LAN based on the MAC Address list Choose Blocked MAC address filter will block all the WLAN ...

Page 212: ...s list 3 3 1 13 3 5 5 W WD DS S WDS means Wireless Distribution System It is a protocol for connecting two access points AP wirelessly Usually it can be used for the following application y Provide bridge traffic between two LANs through the air y Extend the coverage range of a WLAN To meet the above requirement two WDS modes are implemented in Vigor router One is Bridge the other is Repeater Belo...

Page 213: ...d from a WDS link will only be forwarded to local wired or wireless hosts In other words only Repeater mode can do WDS to WDS packet forwarding In the following examples hosts connected to Bridge 1 or 3 can communicate with hosts connected to Bridge 2 through WDS links However hosts connected to Bridge 1 CANNOT communicate with hosts connected to Bridge 3 through Bridge 2 Click WDS from Wireless L...

Page 214: ...Pre shared key field valid or not Choose one of the types for the router WEP Check this box to use the same key set in Security Settings page If you did not set any key in Security Settings page this check box will be dimmed Settings Encryption Mode If you checked the box of Use the same WEP key you do not need to choose 64 bit or 128 bit as the Encryption Mode If you do not check that box you can...

Page 215: ... to check Enable box in the front of the MAC address after typing Repeater If you choose Repeater as the connecting mode please type in the peer MAC address in these fields Two peer MAC addresses are allowed to be entered in this page at one time Similarly if you want to invoke the peer MAC address remember to check Enable box in the front of the MAC address after typing Access Point Function Clic...

Page 216: ...ing the scanning process about 5 seconds no client is allowed to connect to Vigor This page is used to scan the existence of the APs on the wireless LAN Yet only the AP which is in the same channel of this router can be found Please click Scan to discover all the connected APs If you want the found AP applying the WDS settings please type in the AP s MAC address on the bottom of the page and click...

Page 217: ...ng wireless clients now along with its status code There is a code summary below for explanation For convenient Access Control you can select a WLAN station and click Add to Access Control below Refresh Click this button to refresh the status of station list Add Click this button to add current selected MAC address into Access Control ...

Page 218: ...en 100 100 000 kbps SSID rate control controls the data transmission rate through wireless connection Enable Check Enable for typing upload and download rate Upload Type the transmitting rate for data upload Default value is 1 000 kbps Download Type the transmitting rate for data download Default value is 1 000 kbps 3 3 1 14 4 V VL LA AN N Virtual LAN function provides you a very convenient way to...

Page 219: ...to achieve the above intention Simply check P1 and P2 boxes on the line of VLAN0 and check P3 and P4 boxes on the line of VLAN1 Enable Check this box to enable this function for VLAN Configuration P1 P4 Check the box to make the computer connecting to the port being grouped in specified VLAN Be aware that each port can be grouped in different VLAN at the same time only if you check the box For exa...

Page 220: ...r the same groups can use same Login ID and password to access into Internet For example see the following graphic Both A and B use the same login ID City and password 1234 Therefore they are grouped in the same W_VLAN The VLAN Wireless VALN allows you to configure Wireless VLAN settings through wireless connection to achieve the above intention Simply type Login ID and password with City and 1234...

Page 221: ... for the wireless VLAN The wireless VLAN function will be available when the time is arrival Expired Date Use the drop down lists to set the expired date for the wireless VALN This function will be invalid when the time is arrival Connect all WDS links with this VALN group Check this box to activate this connection Isolate each member in this VLAN group Check this box to isolate all the members in...

Page 222: ...access into Internet 1 Open a browser and type http www draytek vlan login htm or http vigor router s IP address login htm on the address line 2 The following screen will appear 3 Type in Login ID and Password that was configured in Wireless VLAN Setup page In this case we choose the configuration set in first group of W_VLAN City and 1234 4 When the accessing is successful the following screen wi...

Page 223: ...outer to integrate VLAN and W_VLAN for managing different computers notebooks See the following picture for an example With VLAN Cross Setup notebook A B and PCs on VLAN0 can share resources without difficulty The VLAN VLAN Cross Setup allows you to set a communication bridge between computers in Wireless VLAN and wired VLAN To achieve the intention of the above illustration simply check the box u...

Page 224: ...de 214 Enable Check this box to invoke VLAN Cross Setup function VLAN0 3 It represents the groups of virtual LAN connected by Ethernet interface W_VLAN0 15 It represents the groups of wireless VLAN communicated by wireless interface ...

Page 225: ...lease open VLAN menu and choose Wireless Rate Control The following page will be shown for you to adjust Enable Check this box to enable this function for Rate Control The rate control will limit the transmission rate for upload and download Upload Rate It decides the rate of data transmission for output The default setting is 300 The range must be between 100 kbps to 20 000kbps Adjust the values ...

Page 226: ...general configuration for SSL VPN Server and SSL Tunnel Port Such port is set for SSL VPN server It will not affect the HTTPS Port configuration set in System Maintenance Management In general the default setting is 443 Server Certificate When the client does not set any certificate default certificate will be used for HTTPS and SSL VPN server Choose any one of the user defined certificates from t...

Page 227: ...ified web server on LAN behind the router through any web browser Such page allows you to set interior web server profiles Name Display the name of the profile that you create URL Display the URL Active Display current status active or inactive of such profile Click number link under Index field to set detailed configuration Name Type name of the profile URL Type the address function variation or ...

Page 228: ...way must be indicated to vigor router In addition users must execute Connect manually in SSL Client Portal page SSL if you choose such selection web proxy over SSL will be applied for VPN 3 3 1 15 5 3 3 S SS SL L A Ap pp pl li ic ca at ti io on n It provides a secure and flexible solution for network resources including VNC Virtual Network Computer RDP Remote Desktop Protocol SAMBA to any remote u...

Page 229: ...e an application applied to this profile Different application type will lead different web pages Refer to the following z Virtual Network Computing Choose this item for accessing and controlling a remote PC through VNC protocol IP Address Type the IP address for this protocol Port Specify the port used for this protocol The default setting is 5900 Scaling Chose the percentage 100 80 60 for such a...

Page 230: ...ownload delete certain files on a local Samba server through web browser with this application Samba Path Specify the path for this application 3 3 1 15 5 4 4 U Us se er r A Ac cc co ou un nt t For SSL VPN identity authentication and power management are implemented through deploying user accounts Therefore the user account for SSL VPN must be set together with remote dial in user web page Such me...

Page 231: ...page If you haven t set any SSL Web Proxy Profile in SSL VPN SSL Web Proxy web page there is no check box but a link appeared below However if you have set several SSL Web Proxy Profiles in SSL VPN SSL Web Proxy web page The SSL Web Proxy profile names will be displayed together with check box as shown below ...

Page 232: ...rresponding settings when they access into Draytek SSL VPN portal interface Next users can open SSL VPN Online Status to view login status of SSL VPN Active User Display current user who visit SSL VPN server Host IP Displays the IP address for the host Time out Display the time remaining for logging out Action You can click Drop to drop certain login user from the router s SSL Portal UI ...

Page 233: ...em m S St ta at tu us s The System Status provides basic network settings of Vigor router It includes LAN and WAN interface information Also you could get the current running firmware version or firmware related information from this presentation Model Name Display the model name of the router Firmware Version Display the firmware version of the router Build Date Time Display the date and time of ...

Page 234: ...3 usable channels USA 11 usable channels etc The available channels supported by the wireless products in different countries are various Firmware Version Display information about equipped WLAN miniPCi card This also helps to provide availability of some features that are bound with some WLAN miniPCi card SSID Display the identification name for the WLAN 3 3 1 16 6 2 2 T TR R 0 06 69 9 S Se et tt...

Page 235: ...rd for VigorACS server http IP address of VigorACS 8080 ACSServer services ACSServlet If the connected CPE does not need to be authenticated please set URL as the following http IP address of VigorACS 8080 ACSServer services UnAuthACSServ let Username Password Type username and password for ACS Server for authentication For example if you want to use such CPE with VigorACS you can type as the foll...

Page 236: ...e to STUN server The default setting is Disable Enable The system will send connection request binding message to STUN server Server IP Type the domain name or IP address of the STUN server Server Port Type the server port The default setting is 3478 Minimum Keep Alive Period The default setting is 60 seconds It determines the minimum period that the STUN binding request must be sent by the CPE to...

Page 237: ...ku up p t th he e C Co on nf fi ig gu ur ra at ti io on n Follow the steps below to backup your configuration 1 Go to System Maintenance Configuration Backup The following windows will be popped up as shown below 2 Click Backup button to get into the following dialog Click Save button to open another dialog for saving configuration as a file 3 In Save As dialog the default filename is config cfg Y...

Page 238: ...tion of Certificate R Re es st to or re e C Co on nf fi ig gu ur ra at ti io on n 1 Go to System Maintenance Configuration Backup The following windows will be popped up as shown below 2 Click Browse button to choose the correct configuration file for uploading to the router 3 Click Restore button and wait for few seconds the following picture will tell you that the restoration procedure is succes...

Page 239: ...ttack log AlertLog Port Type the port number for the alertlog and Check the box to send the corresponding message of AI AV Attack Log Access Block Log to Syslog Mail Alert Setup Enable Alert Setup Check Enable to activate function of mail alert Send a test e mail Make a simple test for the e mail address specified in this page Please assign the mail address first and click this button to execute a...

Page 240: ...while the router detecting the item s you specify here Click OK to save these settings For viewing the Syslog please do the following 1 Just set your monitor PC s IP address in the field of Server IP Address 2 Install the Router Tools in the Utility within provided CD After installation click on the Router Tools Syslog from program menu 3 From the Syslog screen select the router you want to monito...

Page 241: ...to use the browser time from the remote administrator PC host as router s system time Use Internet Time Select to inquire time information from Time Server on the Internet using assigned protocol Time Protocol Select a time protocol Server IP Address Type the IP address of the time server Time Zone Select the time zone where the router is located Automatically Update Interval Select a time interva...

Page 242: ...k the checkbox to reject all PING packets from the Internet For security issue this function is enabled by default External Device Auto Discovery Check the checkbox to detect external devices connected to current router automatically Access List You could specify that the system administrator can only login from a specific host or network defined in the list A maximum of three IPs subnet masks is ...

Page 243: ...o ot t S Sy ys st te em m The Web Configurator may be used to restart your router Click Reboot System from System Maintenance to open the following page If you want to reboot the router using the current configuration check Using current configuration and click OK To reset the router settings to default values check Using factory default configuration and click Reboot Now The router will take 5 se...

Page 244: ...ing an example Note that this example is running over Windows OS Operating System Download the newest firmware from DrayTek s web site or FTP site The DrayTek web site is www draytek com or local DrayTek s web site and FTP site is ftp draytek com Click System Maintenance Firmware Upgrade to launch the Firmware Upgrade Utility Click OK The following screen will appear Please execute the firmware up...

Page 245: ...Diagnostics 3 3 1 17 7 1 1 D Di ia al l o ou ut t T Tr ri ig gg ge er r Click Diagnostics and click Dial out Trigger to open the web page The internet connection e g ISDN PPPoE PPPoA etc is triggered by a package sending from the source IP address Decoded Format It shows the source IP address local destination IP remote address the protocol and length of the package Refresh Click it to reload the ...

Page 246: ...to reload the page 3 3 1 17 7 3 3 A AR RP P C Ca ac ch he e T Ta ab bl le e Click Diagnostics and click ARP Cache Table to view the content of the ARP Address Resolution Protocol cache held in the router The table shows a mapping between an Ethernet hardware address MAC Address and an IP address Refresh Click it to reload the page Clear Click it to clear the whole table ...

Page 247: ...ess assigned by this router for specified PC MAC Address It displays the MAC address for the specified PC that DHCP assigned IP address for it Leased Time It displays the leased time of the specified PC HOST ID It displays the host ID name of the specified PC Refresh Click it to reload the page 3 3 1 17 7 5 5 N NA AT T S Se es ss si io on ns s T Ta ab bl le e Click Diagnostics and click NAT Sessio...

Page 248: ...on MAC Address Display the MAC address of the wireless station Login ID Display the login ID that the wireless station belongs to Note Such feature is available for Vigor5510Gi only 3 3 1 17 7 7 7 L LA AN N S Se ec cu ur ri it ty y M Mo on ni it to or r This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds The IP address list...

Page 249: ...sh Click this link to refresh this page manually Index Display the number of the data flow IP Address Display the IP address of the monitored device TX rate kbps Display the transmission speed of the monitored device RX rate kbps Display the receiving speed of the monitored device Sessions Display the session number that you specified in Limit Session web page Action Block can prevent specified PC...

Page 250: ...cted by the router in data transmission Speed means line speed specified in WAN General If you do not specify any rate at that page here will display Auto for instead 3 3 1 17 7 8 8 T Tr ra af ff fi ic c G Gr ra ap ph h Click Diagnostics and click Traffic Graph to pen the web page Choose WAN1 Bandwidth WAN2 Bandwidth Sessions daily or weekly for viewing different traffic graph Click Refresh to ren...

Page 251: ... and received packets in the past For Sessions chart the numbers displayed on vertical axis represent the numbers of the NAT sessions during the past 3 3 1 17 7 9 9 P Pi in ng g D Di ia ag gn no os si is s Click Diagnostics and click Ping Diagnosis to pen the web page Ping through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be determine...

Page 252: ... Tr ra ac ce e R Ro ou ut te e Click Diagnostics and click Trace Route to open the web page This page allows you to trace the routes from router to the host Simply type the IP address of the host in the box and click Run The result of route trace will be shown on the screen Trace through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be de...

Page 253: ...his button to start route tracing work Clear Click this link to remove the result on the window 3 3 1 17 7 1 11 1 A AV V A AI I T To op p 1 10 0 This page provides information for the Top 10 of Anti Virus and Anti Intrusion signatures used frequently ...

Page 254: ... W We eb b F Fi ir re ew wa al ll l S Sy ys sl lo og g This page displays the time and message for firewall settings You can check Enable Web Firewall Syslog and choose the display mode you want Later the event of firewall will be shown for your reference ...

Page 255: ...m refer to section 4 1 the other is from router s web configurator refer to section 4 2 After activating the new account you have to register your router from router s web configurator refer to section 4 3 Follow the steps listed below to finish the registration and activation Note The website of MyVigor a server located on http myvigor draytek com provides several useful services such as Anti Spa...

Page 256: ...VigorPro5510 Series User s Guide 246 2 Check to confirm that you accept the Agreement and click Accept 3 Type your personal information in this page and then click Continue ...

Page 257: ...7 4 Choose proper selection for your computer and click Continue 5 Now you have created an account successfully Click START 6 Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor draytek com ...

Page 258: ...hed Please click Login 8 When you see the following page please type in the account and password that you just created in the fields of UserName and Password Then type the code in the box of Auth Code according to the value displayed on the right side of it 9 Now click Login Your account has been activated You can access into MyVigor server to activate the service e g WCF that you want ...

Page 259: ... register a new account from the web configurator of the VigorPro router 1 Open a web browser on your PC and type http 192 168 1 1 A pop up window will open to ask for username and password Do not type any word on the window and click OK 2 From the router s web page please open Defense Configuration Activation Or Click CSM Web Content Filter Profile or 3 You will get the following page Click the A...

Page 260: ...eries User s Guide 250 4 Click the Activate link A login page for MyVigor web site will pop up automatically 5 Click the link of Create an account now 6 Check to confirm that you accept the Agreement and click Accept ...

Page 261: ...VigorPro5510 Series User s Guide 251 7 Type your personal information in this page and then click Continue 8 Choose proper selection for your computer and click Continue ...

Page 262: ...TART 10 Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor draytek com 11 Click the Activate my Account link to enable the account that you created The following screen will be shown to verify the register process is finished Please click Login ...

Page 263: ...3 Now click Login Your account has been activated You can access into MyVigor server to activate the service e g WCF that you want DrayTek will maintain a database of MAC address serial number of shipped goods Only products with shipping records can be registered If your VigorPro 5510 cannot hook up to your account please contact your reseller or DrayTek s technical support ...

Page 264: ...n registered previously the system will not allow you to register the router again After finishing the router registration you can activate Anti Virus Anti Intrusion Anti Spam and Web Content Filter respectively 1 Open a web browser on your PC and type http 192 168 1 1 A pop up window will open to ask for username and password Do not type any word on the window and click OK 2 From the router s web...

Page 265: ...255 4 A Login page will be shown on the screen Please type the account and password that you created previously And click Login 5 The following page will be displayed after you logging in VigorPro server From this page please click Add ...

Page 266: ... and choose the right purchase date from the popup calendar it appears when you click on the box of Purchase Date 7 After adding the basic information for the router please click Submit 8 Now your router information has been added to the database Click OK to leave this web page and return to My Product web page ...

Page 267: ... virus anti intrusion anti spam web content filter WCF service to obtain full security for your computer 4 4 4 4 1 1 F Fo or r A An nt ti i V Vi ir ru us s a an nd d A An nt ti i I In nt tr ru us si io on n S Se er rv vi ic ce e 1 Open a web browser on your PC and type http 192 168 1 1 A pop up window will open to ask for username and password 2 From the router s web page please open Defense Confi...

Page 268: ...he screen Please type the account and password that you created previously And click Login 5 On the web page of My Product you can find a list of the devices that you add with the above steps Currently you just have added VigorPro 5510 Please click the serial number link ...

Page 269: ...s you to delete account name used currently Transfer It allows you to transfer the VigorPro device together with applied license to someone who has already registered another account in www vigorpro com Be sure to press this button to transfer the product to whom you want to give Otherwise he she might not be able to maintain the license hooked up to the VigorPro device Back It allows you to retur...

Page 270: ...ement The system will find out the date for you to activate this version of service Then click Next Note DT DT means you can acquire the anti intrusion and anti virus services from DrayTek Corporation 8 When this page appears click Register 9 Next the DrayTek Service Activation screen will be shown as the following ...

Page 271: ...onfiguration Activation page of the router s web configurator The start date and expire date for the license are shown in this page 12 Click Activate to access into VigorPro website again Open the following page You will see the AI AV with provider DT DT service as been activated and in use Now you have finished Anti Intrusion Anti Virus configuration ...

Page 272: ... Ge et tt ti in ng g 3 30 0 D Da ay ys s o of f F Fr re ee e C Ch ha ar rg ge e 1 Open a web browser on your PC and type http 192 168 1 1 A pop up window will open to ask for username and password 2 From the router s web page please open Defense Configuration Activation You will see the following web page 3 Click the Activate link from Anti Spam License to activate Anti Spam service ...

Page 273: ... User s Guide 263 4 A Login page will be shown on the screen Please type the account and password that you created previously And click Login 5 On the web page of My Product click the Trial button for AS Anti Spam service ...

Page 274: ...the above Agreement The system will find out the date for you to activate this version of service Then click Next Note CTCH means you can acquire anti spam service from Commtouch 7 When this page appears click Register 8 Next the DrayTek Service Activation screen will be shown as the following ...

Page 275: ...date and expire date for the license are shown in this page Now you have finished all the procedure for activating Anti Spam service for your router Note You are allowed to use this version with anti spam feature for 30 days after registration for your router In addition you will be informed with an e mail before expire date of this version ...

Page 276: ... the steps below to activate WCF Service for your system 1 Open a web browser on your PC and type http 192 168 1 1 A pop up window will open to ask for username and password 2 From the router s web page please open Defense Configuration Activation You will see the following web page 3 Click the Activate link from Web Filter License to activate WCF service ...

Page 277: ... s Guide 267 4 A Login page will be shown on the screen Please type the account and password that you created previously And click Login 5 On the web page of My Product click the Trial button for WCF Web Content Filter service ...

Page 278: ...e box of I have read and accept the above Agreement The system will find out the date for you to activate this version of service Then click Next 7 When this page appears click Register 8 Next the DrayTek Service Activation screen will be shown as the following ...

Page 279: ...tart date and expire date for the license are shown in this page Now you have finished all the procedure for activating WCF service for your router Note You are allowed to use this version with WCF feature for few days after registration for your router In addition you will be informed with an e mail before expire date of this version ...

Page 280: ...p 192 168 1 1 A pop up window will open to ask for username and password Do not type any word on the window and click OK 2 From the router s web page please open Defense Configuration Signature Upgrade You will see the following web page 3 On Signature Upgrade web page locate Backup and Download Now T Ti im me e f fo or r B Ba ac ck ku up p Before changing other license it is suggested for you to ...

Page 281: ...bl li in ng g A An nt ti i V Vi ir ru us s A An nt ti i I In nt tr ru us si io on n A An nt ti i S Sp pa am m W WC CF F After applying an account registering your account and router you have to access into the web page of Vigor router to enable Anti Virus Anti Intrusion Anti Spam Web Content Filter WCF functions There are two ways to enable it A For the default rule of firewall please open Firewal...

Page 282: ... and choose proper action profile from the drop down list of Anti Virus Anti Spam Web Content Filter Next click OK to finish the procedure of activation If you did not check the Anti Intrusion box and choose a proper profile for Anti Virus Anti Spam Web Content Filter you still cannot use the Anti Intrusion Anti Virus Anti Spam Web Content Filter function even if you finished all the relational pr...

Page 283: ...may want to connect to network securely such as the remote branch office and headquarter According to the network structure as shown in the below illustration you may follow the steps to create a LAN to LAN profile These two networks LANs should NOT have the same network address Settings in Router A in headquarter 1 Go to VPN and Remote Access and select Remote Access Control to enable the necessa...

Page 284: ...ex number to edit a profile 4 Set Common Settings as shown below You should enable both of VPN connections because any one of the parties may start the VPN connection 5 Set Dial Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial Out method If an IPSec based service is selected you should further specify the remote peer IP Address IKE Authentication Metho...

Page 285: ...ompression for this Dial Out connection 6 Set Dial In settings to as shown below to allow Router B dial in to build VPN connection If an IPSec based service is selected you may further specify the remote peer IP Address IKE Authentication Method and IPSec Security Method for this Dial In connection Otherwise it will apply the settings defined in IPSec General Setup above ...

Page 286: ...ion for this Dial In connection 7 At last set the remote network IP subnet in TCP IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection Settings in Router B in the remote office 1 Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK ...

Page 287: ...both parties have known 3 Go to LAN to LAN Click on one index number to edit a profile 4 Set Common Settings as shown below You should enable both of VPN connections because any one of the parties may start the VPN connection 5 Set Dial Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial Out method If an IPSec based service is selected you should further ...

Page 288: ... VJ Compression for this Dial Out connection 6 Set Dial In settings to as shown below to allow Router A dial in to build VPN connection If an IPSec based service is selected you may further specify the remote peer IP Address IKE Authentication Method and IPSec Security Method for this Dial In connection Otherwise it will apply the settings defined in IPSec General Setup above ...

Page 289: ... further specify the remote peer IP Address Username Password and VJ Compression for this Dial In connection 7 At last set the remote network IP subnet in TCP IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection ...

Page 290: ...re as shown in the below illustration you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host Settings in VPN Router in the enterprise office 1 Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK 2 Then for using PPP based services such as PPTP L2TP you have to set general settings in PPP Gen...

Page 291: ... connection If an IPSec service is selected you may further specify the remote peer IP Address IKE Authentication Method and IPSec Security Method for this Dial In connection Otherwise it will apply the settings defined in IPSec General Setup above If a PPTP service is selected you should further specify the remote peer IP Address Username Password and VJ Compression for this Dial In connection ...

Page 292: ...nections or Smart VPN Client complimentary software to help you create PPTP L2TP and L2TP over IPSec tunnel You can find it in CD ROM in the package or go to www draytek com download center Install as instructed 2 After successful installation for the first time user you should click on the Step 0 Configure button Reboot the host 3 In Step 2 Connect to VPN Server click Insert button to add a new e...

Page 293: ...ne set in VPN router If a PPP based service is selected you should further specify the remote VPN server IP address Username Password and encryption method The User Name and Password should be consistent with the one set up in the VPN router To use default gateway on remote network means that all the packets of remote host will be directed to VPN server then forwarded to Internet This will make th...

Page 294: ... at home and takes care of children When working time he would use Vigor router at home to connect to the server in the headquarter office downtown via either HTTPS or VPN to check email and access internal database Meanwhile children may chat on Skype in the restroom 1 Go to Bandwidth Management Quality of Service 2 Click Setup link for WAN1 Make sure the QoS Control on the left corner is checked...

Page 295: ... speed provided by ISP to maximize the QoS performance 4 Return to previous page Enter the Name of Index Class 1 by clicking Edit link Type the name E mail for Class 1 5 For this index the user will set reserved bandwidth e g 25 for Email using protocol POP3 and SMTP 6 Return to previous page Enter the Name of Index Class 2 by clicking Edit link In this index the user will set reserved bandwidth e...

Page 296: ...influent other application and click OK 9 If the worker has connected to the headquarter using host to host VPN tunnel Please refer to Chapter 3 VPN for detail instruction he may set up an index for it Enter the Class Name of Index 3 In this index he will set reserve bandwidth for 1 VPN tunnel 10 Click edit to open a new window ...

Page 297: ...N C Cr re ea at te ed d b by y U Us si in ng g N NA AT T An example of default setting and the corresponding deployment are shown below The default Vigor router private IP address Subnet Mask is 192 168 1 1 255 255 255 0 The built in DHCP server is enabled so it assigns every local NATed host an IP address of 192 168 1 x starting from 192 168 1 10 You can just set the settings wrapped inside the r...

Page 298: ... 288 To use another DHCP server in the network rather than the built in one of Vigor Router you have to change the settings as show below You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage ...

Page 299: ... Utility is included in the tools 1 Go to www draytek com 2 Access into Support Downloads Please find out Firmware menu and click it Search the model you have and click on it to download the newly update firmware for your router 3 Access into Support Downloads Please find out Utility menu and click it 4 Click on the link of Router Tools to download the file After downloading the files please decom...

Page 300: ...en Programs and choose Router Tools XXX Firmware Upgrade Utility 8 Type in your router IP usually 192 168 1 1 9 Click the button to the right side of Firmware file typing box Locate the files that you download from the company web sites You will find out two files with different extension names xxxx all keep the old custom settings and xxxx rst reset all the custom settings to default settings Cho...

Page 301: ...VigorPro5510 Series User s Guide 291 10 Click Send Now the firmware update is finished ...

Page 302: ...de 292 5 5 6 6 R Re eq qu ue es st t a a c ce er rt ti if fi ic ca at te e f fr ro om m a a C CA A s se er rv ve er r o on n W Wi in nd do ow ws s C CA A S Se er rv ve er r 1 Go to Certificate Management and choose Local Certificate ...

Page 303: ...r s Guide 293 2 You can click GENERATE button to start to edit a certificate request Enter the information in the certificate request 3 Copy and save the X509 Local Certificate Requet as a text file and save it for later use ...

Page 304: ...e take a Windows 2000 CA server for example Select Request a Certificate Select Advanced request Select Submit a certificate request a base64 encoded PKCS 10 file or a renewal request using a base64 encoded PKCS 7 file Import the X509 Local Certificate Requet text file Select Router Offline request or IPSec Offline request below ...

Page 305: ...es you a certificate Select Base 64 encoded certificate and Download CA certificate Now you should get a certificate cer file and save it 5 Back to Vigor router go to Local Certificate Click IMPORT button to open next page 6 Browse the file to import the certificate cer file into Vigor router ...

Page 306: ...VigorPro5510 Series User s Guide 296 7 When the file is imported successfully the following dialog will appear 8 You may review the detail information of the certificate by clicking View button ...

Page 307: ...rt ti if fi ic ca at te e a an nd d S Se et t a as s T Tr ru us st te ed d o on n W Wi in nd do ow ws s C CA A S Se er rv ve er r 1 Use web browser connecting to the CA server that you would like to retrieve its CA certificate Click Retrive the CA certificate or certificate recoring list ...

Page 308: ...sted CA Certificate Click IMPORT button and browse the file to import the certificate cer file into Vigor router When finished click refresh and you will find the below illustration 4 You may review the detail information of the certificate by clicking View button Note Before setting certificate configuration please go to System Maintenance Time and Date to reset current time of the router first ...

Page 309: ...g I If f t th he e H Ha ar rd dw wa ar re e S St ta at tu us s I Is s O OK K o or r N No ot t Follow the steps below to verify the hardware status 1 Check the power line and WLAN LAN cable connections Refer to 1 3 Hardware Installation for details 2 Turn on the router Make sure the ACT LED blink once per second and the correspondent LAN LED is bright 3 If not it means that there is something wrong...

Page 310: ...to the examples for other operation systems please refer to the similar steps or find support notes in www draytek com 1 Go to Control Panel and then double click on Network Connections 2 Right click on Local Area Connection and click on Properties 3 Select Internet Protocol TCP IP and then click Properties ...

Page 311: ...omatically and Obtain DNS server address automatically F Fo or r M Ma ac cO Os s 1 Double click on the current used MacOs on the desktop 2 Open the Application folder and get into Network 3 On the Network screen select Using DHCP from the drop down list of Configure IPv4 ...

Page 312: ...router correctly F Fo or r W Wi in nd do ow ws s 1 Open the Command Prompt window from Start menu Run 2 Type command for Windows 95 98 ME or cmd for Windows NT 2000 XP Vista The DOS command dialog will appear 3 Type ping 192 168 1 1 and press Enter If the link is OK the line of Reply from 192 168 1 1 bytes 32 time 1ms TTL 255 will appear 4 If the line does not appear please check the IP address se...

Page 313: ...o ot t Click WAN Internet Access and then check whether the ISP settings are set correctly Click Details Page of WAN1 WAN2 to review the settings that you configured previously F Fo or r P PP PP Po oE E U Us se er rs s 1 Check if the Enable option is selected 2 Check if Username and Password are entered with correct values that you got from your ISP ...

Page 314: ...na am mi ic c I IP P U Us se er rs s 1 Check if the Enable option is selected 2 Check if IP address Subnet Mask and Gateway are entered with correct values that you got from your ISP F Fo or r P PP PT TP P U Us se er rs s 1 Check if the Enable option for PPTP Link is selected ...

Page 315: ...Try to reset the router by software or hardware Warning After pressing factory default setting you will loose all settings you did before Make sure you have recorded all useful settings before you pressing The password of factory default is null S So of ft tw wa ar re e R Re es se et t You can reset the router to factory default via Web page Go to System Maintenance and choose Reboot System on the...

Page 316: ...en the router will restart with the default configuration After restore the factory default setting you can configure the settings for the router again to fit your personal request 6 6 6 6 C Co on nt ta ac ct ti in ng g Y Yo ou ur r D De ea al le er r If the router still cannot work correctly after trying many efforts please contact your dealer for further help right away For any questions please ...

Reviews:

No comments

Related manuals for VigorPro 5510 Series

3Com 3CR3MFA-92 Installation Manual preview
3CR3MFA-92
Brand: 3Com Pages: 176
D-Link NetDefend DFL-260E User Manual preview
NetDefend DFL-260E
Brand: D-Link Pages: 552
PaloAlto Networks PA-5200 Series Quick Start Manual preview
PA-5200 Series
Brand: PaloAlto Networks Pages: 2
Watchguard Firebox M5800 Quick Start Manual preview
Firebox M5800
Brand: Watchguard Pages: 2
D-Link DFL-1660-WCF-12 Datasheet preview
DFL-1660-WCF-12
Brand: D-Link Pages: 5
JVC VN-C205U - Network Camera Instructions Manual preview
VN-C205U - Network Camera
Brand: JVC Pages: 46
Watchguard Firebox T85 Quick Start Manual preview
Firebox T85
Brand: Watchguard Pages: 2
Check Point Smart-1 series Manual preview
Smart-1 series
Brand: Check Point Pages: 16

Brands by name

Popular brands

Load more brands