LevelOne WGR-2301 User Manual Download, Page 156

                                                                                                         

Chapter 13 VPN

http://www.level1.com

Page 156

 

Figure 13_13 PPTP Client Info List 1

Figure 13_14 PPTP Client Info List 2

13.2 IPSec

13.2.1 IPSec Overview

With the development of security standards and network protocols, various VPN technologies

Contents of WGR-2301

Page 1: ...Introduction http www level1 com Page 1 WGR 2301 AC750 Dualb Bandb Wireless Gigabit Dual WAN VPN User Manual V1 0 Digital Data Communications Asia Co Ltd http www level1 com ...

Page 2: ...uration Wizard 17 4 1 Configuration of WAN1 port 17 4 1 1 Dynamic IP access 18 4 1 2 Static IP access 18 4 1 3 PPPoE access 19 Chapter 5 Start menu 20 5 1 Setup Wizard 20 5 2 Interface status 20 5 3 Interface Traffic 21 5 4 Restart device 22 Chapter 6 Network parameters 23 6 1 Configuration of WAN port 23 6 1 1 WAN1 access 24 6 1 2 List of line connection information 26 6 2 Line combination 28 6 2...

Page 3: ...2 PSK 57 7 3 Wireless MAC Address Filtering 58 7 4 Wireless Advanced Configuration 60 7 5 Client List 61 Chapter 8 Advanced Configuration 63 8 1 NAT and DMZ configuration 63 8 1 1 Description of NAT functions 63 8 1 2 Port Forwarding 64 8 1 3 NAT rules 67 8 1 4 DMZ 69 8 1 5 NAT and DMZ configuration instances 70 8 2 Static Route Settings 72 8 3 Policy routing 74 8 3 1 Enable policy routing 75 8 3 ...

Page 4: ...ter 10 App Control 105 10 1 Schedule Settings 105 10 2 Application Control 106 10 2 1 Application Management List 107 10 2 2 Internet Application Management Settings 107 10 2 3 Internet Application Management 109 10 3 QQ white list 111 10 4 TM Whitelist 113 10 5 Notification 114 10 5 1 Daily Routine Notification 115 10 5 2 Account expiration notification 116 10 6 Application Audit 117 10 7 Policy ...

Page 5: ...IPSec configuration instance 169 Chapter 14 System 177 14 1 Administrator 177 14 2 Language 178 14 3 Time 178 14 4 Configuration 180 14 5 Firmware Upgrade 181 14 6 Remote Management 182 14 7 Scheduled task 183 Chapter 15 System 185 15 1 Interface Status 185 15 2 System information 185 15 3 System log 186 15 3 1 System log information 186 15 3 2 Log Management Settings 188 Chapter 16 Customer servi...

Page 6: ...ID 2 4G LevelOne For the device s SSID the wireless clients must use the same SSID before connecting to wireless devices Here ABCDEF is the hexadecimal numbers converted from the device s serial number SSID 5G LevelOne 5G Table 1 2 Factory settings 2 The factory user name of the system administrator is admin and the factory password is admin case sensitive 0 2 Contact Us If you have any questions ...

Page 7: ...ly affair notification due account notification functions Supports WEB authentication function Supports virtual server and DMZ Supports various wireless modes Supports various wireless security mechanisms Supports SSID hiding Supports the WMM Wi Fi Multimedia function Supports URL MAC address keyword filtering and other firewall policies Supports Internet behavior management for users and provide ...

Page 8: ...s The machine meets the 6KV lightning proof feature 1 2 Specifications Compatible with IEEE802 3 IEEE802 3u IEEE 802 11n IEEE 802 11b and IEEE 802 11g Supports TCP IP DHCP ICMP NAT PPPoE static routes and other protocols The physical ports support auto negotiation function and support the MDI MDI X adapter function Provide status indicators Operating environment Temperature 0 40 C Height 0 4000m R...

Page 9: ...en the power supply is working properly SYS System status indicator Flashes in the frequency of 2 times per second and the flashing frequency declines when the system burden is heavy normally on or off in failure USB Status LED for 3G Internet access card LED is on after 3G card is inserted WLAN Wireless Status LED On when enabling the wireless feature and flashes when sending receiving wireless d...

Page 10: ... to recover the device s factory settings when you forget the administrator password Method In the process of charged operation hold down the Reset button for more than 5 seconds and then release the button The device will be returned to its factory settings after operation and automatically restart Note The above operations will delete all the original device configurations please use it with car...

Page 11: ...s and cables Network cables 2 4 Hardware Installation Before installing the device make sure the broadband service is normal If you cannot access please contact operators ISP to resolve the problem After successfully accessing to the network follow these steps to install the device The power plug must be removed during installation Place the device on a stable work bench 1 Place the device on a su...

Page 12: ...evices to the router over a wireless connection 2 Establish a WAN connection Connect the WAN port of the router to the Internet with a network cable as shown in the figure below 3 Connect power source Before connecting the power supply make sure that both power supply and grounding are normal Figure 2 3 Establish a LAN connection and a WAN connection Tip The above network connection diagram is for...

Page 13: ...IP address You can use either of the following methods 1 Set the computer s IP address as one of the addresses from 192 168 1 2 192 168 1 254 the subnet mask is 255 255 255 0 and the default gateway is 192 168 1 1 the LAN IP address of the device and the DNS server is the address provided by the local operator 2 Set the computer s TCP IP as Obtain an IP address automatically After setting the buil...

Page 14: ... or Linux operating systems are used on the PC the device can be configured through browsers such as Internet Explorer or Firefox Open the browser and type in the IP address of the device s LAN port in the address bar Pinging 192 168 1 1 with 32 bytes of data Reply from 192 168 1 1 bytes 32 time 1ms TTL 255 Reply from 192 168 1 1 bytes 32 time 1ms TTL 255 Reply from 192 168 1 1 bytes 32 time 1ms T...

Page 15: ...me and password the factory defaults of username password are admin and admin respectively which are case sensitive on the login interface and then click OK Figure 3 1 WEB login interface If user name and password are correct the browser will display the homepage of the WEB management interface as shown in Figure 3 2 The top right corner of the page displays device model hardware version software ...

Page 16: ...on 3 Booking Service Link to the booking service page of HiPER official website for advance reservation of the customer service in a certain working period 2 This page displays the main menu bar on the left 3 The main operating page is located on the right of the page in which you can configure various functions of the device view the related configuration information and status information etc 4 ...

Page 17: ...e Chapter 3 Logging in the Device If this is the first time for you to log in the device a configuration wizard homepage appears directly in the main operating page As shown in Figure 4 1 Figure 4 1 Homepage of configuration wizard In logging next time the wizard will no longer automatically pop up When checking it you can go directly to the System Status page in logging next time Exit the wizard ...

Page 18: ...ic IP access 4 1 2 Static IP access If your Internet access mode is Static IP access please select Fixed IP access in the drop down list box of Figure 4 4 and fill in the related parameters and enter into the next page to complete the configuration of WAN1 Figure 4 3 Configuration Wizard Static IP access IP address subnet mask gateway address primary DNS server secondary DNS server Fill in the WAN...

Page 19: ...ccess in the drop down list box of Figure 4 5 and fill in the corresponding user name and password and then click Next to enter into the next page to complete the configuration of WAN1 Figure 4 4 Configuration wizard PPPoE access User name password Type in the user name password provided by the ISP If you have any questions please ask your ISP ...

Page 20: ...bout the interfaces and view the statistics data of the devices real time traffics 5 1 Setup Wizard The Start Setup wizard pages can help you to quickly configure the basic parameters required by some devices in working normally For details see Chapter 4 Configuration Wizard 5 2 Interface status This section describes the Start Interface status page in which you can view the information about the ...

Page 21: ...iewer plug in installed Figure 5 2 Interface Traffic WAN1 WAN port of the device click on the tab to view the dynamic figure of receiving sending traffic APClient The wireless client of the device click on the tab to view the dynamic figure of receiving sending traffic LAN LAN port of the device click on the tab to view the dynamic figure of receiving sending traffic Timeline The x coordinate in t...

Page 22: ...display according to needs and preferences such as red blue orange etc Flip Click the Flip button and the colors can swap to receive and send data 5 4 Restart device If you need to restart the device just enter into the Start Restart device page to click Restart Figure 5 3 Restart device Tip Upon restarting all users will be disconnected from the device ...

Page 23: ...tion of WAN port This section describes the Network parameters WAN configuration page In this page you can configure not only the line information modify or delete the configured lines according to the actual needs but also view the connection status of lines After completing the configuration of Internet line in Configuration Wizard you can view the connection and configuration of the line in thi...

Page 24: ...will not NAT convert the IP address for the Intranet LAN side to access to the external network WAN side and directly looks up the routing table for forwarding MAC address The MAC address of the corresponding interfaces Interface mode Sets the duplex mode and rate for interfaces Options are Auto adaptive 10M FD 10M full duplex 10M HD 10M half duplex 100M FD full duplex 100M 100M HD 100M half duple...

Page 25: ...rators verify user names passwords Options include NONE not to be verified PAP CHAP and EITHER automatically negotiate with the peer device on the mode of password authentication Dialing type The options include auto dialing dialing on demand manual dialing Auto dialing The device automatically dials up when it is powered on or the previous dial up disconnection occurs Dialing on demand The device...

Page 26: ... address interface mode please refer to the configuration of dynamic access 3 Static IP access Figure 6 4 Static IP access IP address subnet mask gateway address Static IP address subnet mask and gateway address provided by the operator Primary secondary DNS server The DNS server address the operator provides to you For the working mode in the advanced options MAC address interface mode please ref...

Page 27: ... of list refreshing The unit is KB s Delete Deletes the appropriate line Update Click Refresh and the system automatically completes the process of releasing the IP address and then obtaining an IP address again Release Click Release to release the currently obtained dynamic IP address Refresh Click Refresh to display the up to date information of line connection information list 2 Static IP acces...

Page 28: ...ateway address assigned by the connected device to the interface Delete Deletes the appropriate line Dial up Click Dial to establish the PPPoE access 3G access line unestablished or disconnected When the PPPoE connection dial up type is set to Manual dial up and the PPPoE dial up is to be completed here Hang up Click Hang up to hang up the PPPoE dial up line or 3G access line that has been establi...

Page 29: ...rget of the line at the specified detection interval If all the inspection packets sent have no response within a detection cycle this line will be deemed to be failed and it will be shielded immediately For example if the 3 inspection packets that are sent have no response within a detection cycle the line is deemed to be failed by default When a line is normal the detection mechanism is describe...

Page 30: ...ault line is restored to normal the device will enable this line automatically and the flow is automatically redistributed In the Partial line load balancing while the others backed up mode part of the lines are used as main lines the other part of the lines is used as backup lines Working principles are as follows 1 As long as the main line is normal the Intranet hosts use main lines for Internet...

Page 31: ...ion mode Partial line load balancing while the others backed up is selected here Main line The list box represents the Main line group and all the lines in the list box are used as the main lines Main line The list box represents the Backup line group and all the lines in the list box are used as the backup lines Right arrow Left arrow Select one or more line in the Main line list box first and th...

Page 32: ...n the interface of the line or the Edit hyperlink corresponding to the line to skip to the relevant page for change as shown in Figure 6 11 Refresh Click Refresh to get the latest status information of line combination 6 2 4 Detection and bandwidth configuration After configuring the line combination function you also need to configure the detection mechanism of the lines and the configuration met...

Page 33: ...ch means not to enable the line detection Detection times The number of inspection packets sent within the detection cycle one detection packet is sent per time which is 10 times by default Detection target The destination address to be detected which is the gateway IP address by default if the gateway disallows PING select a different IP address as the destination IP address of the PING detection...

Page 34: ...in the online bank if the first session is assigned to WAN2 port connection line all the online banking sessions of this user will go out from the WAN2 port until the user logs out Figure 6 12 Enabling identity binding Enable identity binding Enables disables the identity binding function If multiple lines are configured please enable the device s identity binding function to make normal use of su...

Page 35: ...ace mode Sets the duplex mode and rate for interfaces Options are Auto adaptive 10M FD 10M full duplex 10M HD 10M half duplex 100M FD full duplex 100M 100M HD 100M half duplex The default is Auto which is usually not required to be modified and if there is any compatibility issue or the device used does not support auto negotiation function then the type of Ethernet negotiation can be set up here ...

Page 36: ...er assigns to the network computer automatically which should be on the same network segment as the IP address of the device LAN port Subnet mask The subnet mask automatically assigned by the DHCP server to the network computer which should be consistent with that of the LAN port of the device Gateway address The gateway IP address the DHCP server automatically assigns to the network computer whic...

Page 37: ...Wingate and the PC s DNS server is set as the IP address of the proxy server then the LAN IP address of the device only needs to be set to the same IP address so that the user can switch to using the device s DNS proxy function without having to change the PC setting after the device enables the DNS proxy function 6 4 2 Static DHCP This section describes the static DHCP list and the way to configu...

Page 38: ...e below Below is a description of the meaning of the parameters for configuring static DHCP Figure 6 16 Static DHCP configuration User name Configures the user name of the computer bound by this DHCP custom no repeat is allowed IP address The reserved IP address which must be the valid IP address within the address range specified by the DHCP server MAC address The MAC address of the computer to u...

Page 39: ...client Enabling this function can protect against network ARP spoofing If it is not enabled no automatic binding operation is to be done Enable DHCP automatic deletion When DHCP automatic deletion is enabled it means that the device will automatically delete the IP MAC previously bound automatically after the lease expires or the user releases the address actively If it is not enabled it means tha...

Page 40: ...addresses The host with the MAC address of 00 21 85 9B 45 46 assigns the fixed IP address of 192 168 1 15 while the host with the MAC address of 00 1f 3c 0f 07 f4 assigns the fixed IP address of 192 168 1 10 Configuration steps The first step is to enter into the Network parameters DHCP server DHCPservice settings page The second step is to enable the DHCP function and configure the related DHCP s...

Page 41: ...HCP service settings Instance The third step is to enter the Network parameters DHCP server Static DHCP page and click Add new entry to configure the two static DHCP instances in the request such as Figure 6 21 Figure 6 22 Figure 6 20 Static DHCP configuration Instance A ...

Page 42: ...t as shown in Figure 6 23 If configuration errors are found you can click the corresponding item s icon directly and enter into the Static DHCP configuration page for modification and saving Figure 6 22 Static DHCP information list Instance 6 5 DDNS configuration This section describes the Network parameters DDNS configuration page and configuration methods Includes application for DDNS account co...

Page 43: ...s not guarantee the DDNS service must be able to meet the requirements nor guarantee the service will be uninterrupted nor guarantee the timeliness safety and accuracy of network services 6 5 1 DDNS authentication You can use the Ping command for example ping avery12345 3322 org in the DOS status of intranet computers to check if the DDNS update is successful Upon seeing the correctly parsed out I...

Page 44: ...e UPnP Ticking the check box for enabling the UPnP feature Internal address The host IP address when port translation is needed in the intranet Internal port The port number provided by the host when port translation is required in the intranet Protocol The protocol used by the UPnP port in translation TCP UDP Peer address The IP address of the peer host External ports The port number of the devic...

Page 45: ...guration In addition you can also view the status information about the wireless host 7 1 Basic settings This section describes the Wireless Configuration Basic settings page and the configuration methods In this page you can configure the AP working mode SSID wireless mode channel channel bandwidth enabling or disabling the SSID broadcast and other functions of the device In this section the AP w...

Page 46: ...ly identify a string of wireless network and is case sensitive Wireless mode This parameter is used to set the modes of a wireless device providing three options only 11g only 11n and 11b g n hybrid Only 11g pure 802 11g mode in which the maximum rate is up to 54M bps The wireless sites compatible with the IEEE 802 11g standard can be connected to the device Only 11n Pure 802 11n mode in which the...

Page 47: ...e 802 11n standard will use the channel bandwidth of 20M 40M When 20M is selected it means the wireless sites accessed by using the 802 11n standard will use the channel bandwidth of 20M SSID broadcast Enables or disables the SSID broadcast function If this function is enabled the device will broadcast its own SSID to all the wireless sites so that the wireless sites without SSID null will get the...

Page 48: ...uent configuration MAC address of AP MAC address of the peer device Security mode The encryption mode used in the establishment of connection through the WDS function including four options No security mechanism WEP TKIP and AES No security mechanism It means that no encryption algorithms will not be used to protect communication data in the data exchange process WEP It means that the WEP encrypti...

Page 49: ...on data during the data exchange process For details please refer to the section 7 2 4 WPA PSK WPA2 PSK 7 1 3 Bridge Mode Bridge Mode in which the device is connected to two or more wired networks and the device will no longer send wireless signals to other clients to exchange data with the network devices in Bridge Mode Repeater Mode Lazy Mode Figure 7 3 Bridge Mode The meaning of related configu...

Page 50: ...igure 7 4 Lazy Mode The meaning of related configuration parameters is the same as AP Mode and Repeater Mode For details refer to the related description in Section 7 1 1 AP Mode and 7 1 2 Repeater Mode 7 1 5 Wireless configuration instance This section lists configuration instances where the device works in the AP Mode AP Client Mode and other AP working modes according to the five AP work modes ...

Page 51: ... are connected via a network cable to the LAN port of a wireless device Laptops Tablet PCs etc are wirelessly connected to a wireless device and need to be authenticated 3 Configuration steps 1 Configure the TCP IP properties for network computer 2 Log on to the device and configure the WAN1 according to the types of business applied for by operators 3 Enter into the Wireless Configuration Basic c...

Page 52: ...reless communication Through the above configuration wireless users can connect to the wireless devices so long as they pass the authentication and access to the Internet through it For the way to connect the network computer to the device please refer to 0 2 WDS configuration instance Figure 7 7 Repeater Mode networking environment 1 Requirements The office personnel in Building 2 need to be wire...

Page 53: ... III Devices A and B are set to Repeater Mode Bridge Mode respectively Solution IV Devices A and B are set to Repeater Mode Lazy Mode respectively Solution V Devices A and B are set to Bridge Mode Lazy Mode respectively Solution VI Device A is set to AP Mode while Device B is set to AP Client Mode 3 Configuration steps Solution I Both are Repeater Mode 1 Configure the AP working mode of Device A a...

Page 54: ...vices has been established Solutions II III IV V can follow Solution I Tip 1 The device in Bridge Mode cannot be connected to the wireless single clients such as laptops smart phones etc 2 The devices in Lazy Mode can be connected to the wireless single clients 3 In configuration the SSID and key of Devices A B must be kept consistent and the MAC address of AP is that of the peer device It is not ...

Page 55: ...WEP Security mechanism Selecting WEP here means that the device will use the most basic WEP security mechanism provided by the 802 11 Protocol Authentication type When using the WEP encryption mechanism three options automatic open systems Shared keys are available Auto Means that the device can automatically choose Open System or Pre shared key mode according to the requests of wireless clients O...

Page 56: ...Key selection Users can enter 1 4 keys according to needs and these 4 keys can take different types of keys WEP key Sets the key value and the length of the key is affected by key types When choosing a 64 bit key you can input 10 hexadecimal characters or 5 ASCII characters When choosing a 128 bit key you can input 26 hexadecimal characters or 13 ASCII characters Key types Selects key types and pr...

Page 57: ...s TKIP Means that all wireless data will use TKIP as the encryption algorithm AES Means that all wireless data will use AES as the encryption algorithm Radius Server IP It is used to the identity the authentication of the wireless hosts Radius port The Port number of service used by the Radius server for identifying the authentication of the wireless hosts Radius password Sets the password for acc...

Page 58: ...automatically choose encryption algorithms according to needs TKIP Means that all wireless data will use TKIP as the encryption algorithm AES Means that all wireless data will use AES as the encryption algorithm Pre shared key The preset initialization key with the value of 8 63 characters Key update cycle It is the timed update cycle used to specify the key Value range is 60 86400 in the unit of ...

Page 59: ...ering information list are allowed to access to the device but disallow the wireless clients out of the filtering table to access Permission Only disallows the MAC addresses in the list to access the wireless network It indicates that only the wireless clients that correspond to the MAC addresses in the MAC address filtering information list are disallowed to access to the device but allow the wir...

Page 60: ...ly 1 2347 bytes and the default is 2347 bytes The RTS mechanism is used to avoid data transmission conflicts in the wireless LAN The transmission frequency of the RTS packet needs to be set reasonably and setting of the RTS threshold requires weighing If this parameter is set to low the transmission rate of RTS packets is increased consuming more bandwidths which may significantly affect the throu...

Page 61: ... be received DTIM is usually the multiple of beacon interval Its use range is 1 255 and its default value is 1 Enable Short Preamble Enables or disables Short Preamble When enabled the short preamble type will be used The short preamble type can provide better performance Because the use of short preamble can minimize the costs thus maximizing the network data throughput When disabled the long pre...

Page 62: ...ireless configuration Wireless MAC address filtering page while not selecting it means that the current MAC address filtering is not set Channel bandwidth The theoretical data transfer rate of the data channel All filter Click All filter to conduct the MAC address filtering for all wireless hosts whose filtering is not enabled in the current list and to add all the MAC addresses to the MAC address...

Page 63: ...ly and for the public Internet it is reflected as limited range of public network IP addresses Since the internal network can be effectively isolated from the outside world so NAT can also provide some assurance for network security LEVELONE routing products provide flexible NAT function The following will detail its characteristics 1 NAT address space In order to correctly conduct the NAT operati...

Page 64: ...ernal access requests and send the request messages matching the static NAT mapping to the Intranet computers if any If there are no matching static mappings it will check to see if there is a matching virtual server 3 Two types of NAT rules The device provides two NAT types Easy IP and One2One Easy IP The translation of network port addresses Multiple internal IP addresses are mapped to the same ...

Page 65: ... list displays some NAT static mapping entries A static mapping entry named as admin is added in the list after remote management is enabled in Systems management Remote management page they cannot be edited or deleted in this page 2 Static NAT mapping configuration Click Add new entry in the page of Figure 8_1 to enter the Static NAT mapping configuration page as shown in Figure 8_2 Here the mean...

Page 66: ...When you are unable to confirm that the protocol used by the application is TCP or UDP select TCP UDP External starting port The starting service port the device provides to the Internet IP address The IP address of the computer as a server in the Intranet Common port The port number that corresponds to the common protocol type for users choice When you are unable to confirm the protocol select TC...

Page 67: ... with the intranet IP address of 192 168 1 20 192 168 1 25 to 200 200 202 20 and binds to the WAN1 port to achieve Internet access The NAT type of an instance One2One converts the address with the intranet IP address of 192 168 1 50 192 168 1 52 to 200 200 202 50 200 200 202 51 200 200 202 52 and binds to the WAN1 port to achieve Internet access Figure 8_3 List of NAT rules information Tip Multipl...

Page 68: ...ing IP address internal ending IP address The IP address range for the computers in the intranet that have the priority to use the NAT rules for Internet access Binding Selects the interface bound by the static NAT mapping 3 One2One Select the NAT type as One2One in Figure 8_5 The meaning of the parameters for configuring the NAT rules as One2One type is described here and those parameters same as...

Page 69: ...nternal starting IP address is set to 192 168 1 50 Internal ending IP address is set to 192 168 1 52 external starting address is set to 200 200 202 50 then 192 168 1 50 192 168 1 51 192 168 1 52 are in turn mapped to 200 200 202 50 200 200 202 51 200 200 202 52 8 1 4 DMZ The DMZ functions of the device are described below Figure 8_6 DMZ configuration Enable DMZ function Enables or disable the DMZ...

Page 70: ... a single line for Internet access and the ISP has assigned 8 addresses for this line 218 1 21 0 29 218 1 21 7 29 where 218 1 21 1 29 is the gateway address of the line and 218 1 21 2 29 is the IP address of WAN1 port of the device Note that 218 1 21 0 29 and 218 1 21 7 29 are respectively the related subnet number and broadcast address which cannot be used Now Game B Zone IP address range 192 168...

Page 71: ... the next hop is set to the IP address of the bound interface 3 One2One configuration instance Demands An enterprise applies for a line of Telecom which adopts the fixed IP access method and the bandwidth is 6M Telecom assigned 8 addresses to it 202 1 1 128 29 202 1 1 1 135 29 Here 202 1 1 129 29 is the gateway address of the line and 202 1 1 130 29 is the IP address of the device s WAN1 Note 218 ...

Page 72: ...ne Configuration steps are follows The first step is to enter the Advanced configuration NAT and DMZ configurations NAT rules page and click Add new entry The second step is to enter the NAT rules configuration page and fill in Server in the Rule name The third step is to select NAT type as One2One The fourth step is to fill in 202 1 1 131 in the External starting IP address Fill in 192 168 1 200 and ...

Page 73: ...a network failure you need to manually modify the static routing information in the routing table Setting and using static routes correctly can improve network performance and meet special requirements such as implementing traffic control guaranteeing bandwidth for important applications and so on The following describes the list of routing configuration information and the meaning of the paramete...

Page 74: ...network segment Priority Sets the priority of a static route When the destination network subnet mask are the same select the high priority routing for forwarding data and the smaller the value is the higher the priority is Interface The forwarding interface for the specified packets The packets matching the static route will be forwarded from the specified interface Tip When the destination netwo...

Page 75: ... policy routing This is a global switch of policy routing Only after it is enabled can the configured policy routing can take effect Move to Users can appropriately sort the policies using this button 8 3 2 Policy routing configuration Click Add new entry in the above figure and enter the Policy routing configuration page ...

Page 76: ...ess and the ending IP address following this policy route User group The user group following this policy route click on User group to refer to the source address for policy reference for the user group Enter User management User group configuration Add new entry to set up the source address field for the policy routing to take effect Destination address The destination address in the packet follo...

Page 77: ...rt 8 4 Anti NetSniper This section describes the Advanced Configuration Anti NetSniper page and configuration methods Network vanguard defense is used to crack the shared detection set by the network operator Verify that the intranet is experiencing a sharing problem or don t enable that function Figure 8_14 Anti NetSniper 8 5 Port mirroring This section describes the port mirroring function of th...

Page 78: ...e monitored port cannot be the same port as the monitoring port 8 6 Port VLAN This section describes the port VLAN function of the Advanced configuration Port VLAN page VLAN virtual LAN can split the network into several different broadcast domains logically A logical constitutes a logical broadcast domain The members of the same VLAN share broadcast and can communicate with each other To achieve ...

Page 79: ...the VLAN group name of the VLAN VLAN members Displays the members to the VLAN 4 Port VLAN Figure 8_17 Port VLAN settings VLAN group number Sets the VLAN group number VLAN group name Sets the name of the VLAN group VLAN members Selects the members to the VLAN group Tip 1 The system has a default VLAN VLAN 1 and it contains all physical ports by default and cannot be deleted ...

Page 80: ...itionally both LAN2 port and LAN3 port are not in the same VLAN and the hosts under LAN2 and LAN3 cannot access to each other 8 7 SYSLOG configuration This section describes the Advanced Configuration SYSLOG configuration page Figure 8_18 SYSLOG configuration Enable Syslog service After the syslog service feature is enabled this feature will send a large amount of information of device operation t...

Page 81: ...o on by viewing analyzing the pie charts and lists in this page Figure 9_1 User Status Analysis of the current network traffic usage analyzes the current percentage of network traffic used by Intranet applications Analysis of current net behaviors Analyzes the net behavior of all currently online users Clear data The system counts the traffic and net behaviors from 00 00 every day Clicking this b...

Page 82: ...ing shopping websites social networking sites using stock software and playing online web game accounts for a range of 100 70 of all of its personal net behaviors this means seriously affecting work When the range is 70 50 it means minor When the range is 50 0 it means normal User name Displays the user name for Intranet users MAC address Displays the MAC address of Intranet users Ways of authenti...

Page 83: ...interval 9 2 IP MAC binding This section describes the User management IP MAC binding page and configuration method To implement network security management you must first solve the identity problems of users before you can carry out the necessary service authorization work In Firewall Access control policy we will introduce how to implement the control of Intranet users net behaviors In this sect...

Page 84: ...h the device Allow Ticking this check box means to allow the bound user to connect to the device but unchecking it means to disallow the bound user to connect to the device Modify the IP MAC binding entries click the Edit icon to enter the IP MAC binding configuration page as shown in the figure below and after change click Save Export This button is used to export the IP address MAC address ...

Page 85: ...tion Figure 9_5 IP MAC binding configuration Network segment The management IP address subnet mask of the device by default Text box Displays the scanned IP MAC information or the configured IP MAC binding information whose input format is IP MAC username IP address MAC address The user s IP address MAC address which can be obtained using the ipconfig all command under DOS environment on Windows p...

Page 86: ...the white list are legal users their IP and MAC address exactly matches an entry in the IP MAC binding information list and the entry selects Allow The users in the black list are illegal users their IP and MAC address exactly matches an entry in the IP MAC binding information list and the entry does not select Allow Or there is only one entry in their IP and MAC address matches the corresponding ...

Page 87: ...dresses of the host that is prohibited from Internet access as the IP MAC address binding pair and deselect Allow no in the box namely to prohibit the users that exactly match the IP MAC address from accessing to the Internet Next select the Allow non IP MAC binding user to connect to the device so that all other hosts whose IP addresses and MAC addresses are not included in the IP MAC binding inf...

Page 88: ... want to prohibit a host with the IP address of 192 168 1 30 and the MAC address of 0021859b2564 from connecting and passing the device you can add an IP MAC address binding pair enter the host s IP address and MAC address and deselect Allow no in the box as shown in Figure 9_ 8 Figure 9_8 IP MAC binding information list Instance III ...

Page 89: ... Discovery stage This stage is used to establish a connection When a user host wants to start a PPPoE session it must first implement the discovery stage to identify the Ethernet MAC address of PPPoE Server and establish a PPPoE session ID Session ID PPPoE Client PPPoE Server PADI PADO PADR PADS Figure 9_9 Basic workflow of Discovery stage As shown in the figure above Discovery stage consists of f...

Page 90: ... a PPPoE session together uniquely 2 PPP session stage When PPPoE enters the PPP session stage the client and the server will conduct a standard PPP negotiation and after this the data is sent over PPP encapsulation The PPP packets are encapsulated as the payload of PPPoE frame in an Ethernet frame and sent to the peer end of the PPPoE link Session ID must be the ID determined in the Discovery sta...

Page 91: ...e PPPoE server automatically assigns to the network computers Primary DNS server The IP address of the primary DNS server automatically assigned by the PPPoE server to the network computers Secondary DNS server The IP address of the secondary DNS server automatically assigned by the PPPoE server to the network computers Allow users to modify the dial up password Checking it means to allow intranet...

Page 92: ...d and confirming password 4 Click Submit to display Operation is successful and the password is successfully changed 2 Users can modify their password 5 times a day on their own 3 The administrator can use the Behavior management Electronic notification page to configure the Routine business notification for informing users of how to modify the PPPoE dial up password 9 3 3 PPPoE account configurat...

Page 93: ...ation feature please go to Behavior management Electronic notification page for configuration Expired Means that the account is not in the effective date of account Date of account opening date of account disabling When the charging feature is enabled the effective date of the account will be displayed Upload rate limit download rate limit The maximum upload and download rates of PPPOE 0 means unl...

Page 94: ... fixed IP address assigned for the PPPoE dial up user which must be within the scope of address pool Added to the account groups the user name will be added to the appropriate account group which must be configured in the User management User group configuration page Charging mode Checking it means that the PPPoE charging feature is enabled Here the account expiration notification feature is confi...

Page 95: ...ch information of the IP addresses the user s MAC address online time of PPPoE connections upload download rates etc the PPPoE server assigns to the user in the list Figure 9_13 PPPoE User Status List Tip When the account of the network dial up user expires dial up can be made successfully and the user can access to the device but cannot access the Internet 9 3 5 Export PPPoE Accounts ...

Page 96: ... name password for the account in the txt format 9 3 6 Import PPPOE Accounts Figure 9_15 Import PPPOE Accounts Tip 1 When configuring PPPOE accounts to be imported and bound in batch its input format is Account password for example test 123456 each row can have only one configuration item entered 2 In the above input format there may be one or more spaces between the account and the password ...

Page 97: ... prior to account expiration the maximum number of sessions of test3 is set to 5 2 Configuration steps 1 Configure the PPPoE server Log on to the device enter the User management PPPoE server page configure the content as shown in the figure below and enable the forced PPPoE authentication and allow users to modify the dial up password The password change message can be given to users by configuri...

Page 98: ... set the maximum number of sessions for its account to 5 Figure 9_18 Instance PPPoE User Status List 4 Configure the account expiration notification feature Enter the Behavior management Electronic notification Account expiration notification page to configure the account expiration notification feature here the Send days of expiration notification in advance is set to 15 days 5 Create a client on...

Page 99: ...n Figure 9_19 WebAuth Global Settings Enable WEB authentication Checking it means that the intranet users cannot access the Internet unless passing the WEB authentication Enable background image Check it to enable this feature Allow users to modify authentication password Checking it means to allow the WEB authentication users to modify the authentication password on their own Exception address gr...

Page 100: ... tip text Tip texts for custom WEB authentication pop up window Network image link Enters the network link to the picture to make this picture as the background of the WEB authentication pop up window 9 4 2 Web Authentication Account List Figure 9_20 Web Authentication Account List Figure 9_21 Web Authentication Account List Add new entry ...

Page 101: ...gures the maximum number of sessions for the account Hang up Clicks this button to hang up the connection to the user Add new entry Click this button to enter the Figure 9_ 2 1 page to configure the information WEB authentication account Delete all entries Click this button to delete all information configured on the page Tip 1 Steps that the WEB authenticated users modify the authe...

Page 102: ...ens click Go off line safely 3 Click OK in the web page message dialog box that opens 9 4 3 WEB Authentication Client Status Figure 9_22 WEB Authentication Client Status User name Displays the user name of the users who are using the WEB authentication IP address Displays the IP address of the users who are using the WEB authentication Tip The user names and IP addresses in the WEB authentication ...

Page 103: ...ser group list Figure 9_24 User group Settings Group name Customizes the group name of the user group Group type It consists of address group and account group Here account group refers to the PPPoE authentication accounts WEB authentication accounts Tip The depth of the user group cannot be greater than 2 for instance Address A contains Address Group B and now it is configured with Address Group ...

Page 104: ...Chapter 9 Wireless configuration http www level1 com Page 104 ...

Page 105: ...s page and click Add new entry to enter into the configuration page as shown in Figure 10_ 2 Time period defines the effective time for related features one time period can define the three time units Figure 10_1 Schedule list The meaning of time configuration parameters is described below Time period name Customizes the name of time period Effective date of time period Configures the effective da...

Page 106: ...tion http www level1 com Page 106 Figure 10_2 Schedule Settings 10 2 Application Control This section describes the net behavior management list and net behavior management configuration in the App Control Application Control page ...

Page 107: ...the net behavior management feature 10 2 2 Internet Application Management Settings Click Add new entry on the above image to enter the Net behavior management configuration page to manage intranet users net behavior Group name Customizes the group name for the instances of the net behavior management which must be unique Select net behavior management object Fills out the address field or user gr...

Page 108: ...etting Sets the time when the net behavior management instance takes effect Tip When a net behavior management feature does not take effect make sure that this policy library is up to date In the Behavior management Policy library page click Update hyperlink to update the corresponding policy library ...

Page 109: ...e stocks and game software checking stocks and game site information and access to the shopping website during the working time In the rest of the time all operations are opened up Here the users at the management level address 192 168 1 5 and 192 168 1 9 are not subject to any restrictions in net behavior Sales and customer service staff whose addresses are 192 168 1 70 192 168 1 99 and 192 168 1...

Page 110: ...n steps 1 Enter the Behavior management Net behavior management page to enter the Net behavior management configuration page 2 Configure behavior management policies for sales department customer service department Group name IM Starting IP address ending IP address 192 168 1 50 192 168 1 99 Behavior management Checks the Select All box of stock software online video online games shopping sites so...

Page 111: ...www level1 com Page 111 Figure 10_5 Internet Application Management Figure 10_6 Internet Application Management Continued Figure 10_5 10 3 QQ white list QQ white list refers to the QQ users who are defined to be allowed to log on after QQ is ...

Page 112: ...dd new entry to add QQ white list users in the QQ white list configuration page Figure 10_7 QQ white list Allow 400 800 Business QQ Checks to allow 400 800 Business QQ Enable QQ white list Checks to enable the QQ white list feature Export account Click this button to export the QQ accounts in the QQ white list entry Import account Click this button to import QQ to the QQ white list entri...

Page 113: ...295 10 4 TM Whitelist Aliwangwang White List refers to the Aliwangwang users allowed to log in after Aliwangwang is prohibited in the Net behavior management Enter the App Control TM Whitelist page and after the Aliwangwang white list feature is enabled click Add new entry to enter into the Aliwangwang white list configuration page to add Aliwangwang white list users ...

Page 114: ...n Enter the App Control Notification page to configure routine business notification and account expiration notification Notification is a notice sent by the device to users in the form of Web pages when the Intranet users access to the website Upon receipt of the notification Intranet users can access the website normally by entering the corresponding address in the browser address bar again ...

Page 115: ...ts the address range of routine business notification which can only contain 65535 addresses at maximum Notification title content Sets the title and content of the routine business notification Redirecting time Redirects to the specified page according to the specified time Redirecting URL Automatically redirects to the specified URL address Setting of effective date Sets the date when the routin...

Page 116: ...he web page for the first time with the effective time period Tip When the routine business notification only involves the change of Notification title Notification content click Save and the notification will not take effect 10 5 2 Account expiration notification Figure 10_11 Account expiration notification Enable Checks to enable the account expiration notification feature Days for sending expir...

Page 117: ... The section describes the net behavior audit feature Enter the App Control Application Audit Log Management page as shown in the figure below Figure 10_12 Log management Enable web logs Enables the web log to view the records of Intranet users access to webpages in the Behavior audit page Such as 2012 12 03 15 07 47 srcip 10 0 0 10 url www Levelone com cn which means that the users whose Intranet...

Page 118: ...an record the latest 400 log information 10 7 Policy Database This section describes the App Control Policy Database page and operating procedures The system provides 11 different types of policies at present including emails IM P2P STOCK online video online games shopping websites social networking sites web games forums etc Users can bring the behavior management referencing these policies into ...

Page 119: ...owing describes the meaning of the parameters in the policy library info list Name The name of a policy Type The type of a policy for example QQ is of the IM type as shown in the above figure Notes A detailed description of a policy Update policy Click Update to update a policy online through the Internet ...

Page 120: ...rameters Users can limit the uploading downloading rates of the Intranet users in a segment of address through the fine rate limit feature in order to achieve a rational distribution and utilization of bandwidth 1 Fixed Rate Limiting list Enter the Bandwidth management Fine rate limit to view the information of the fine rate limit instances configured in the fine rate limit info list and adjust th...

Page 121: ... field for the fine rate limit to take effect Rate limit policy The available options are exclusive and shared Exclusive means each IP addresses in this range can use this bandwidth Shared means the IP addresses in this range share this bandwidth Uploading rate limit and downloading rate limit Sets the maximum uploading downloading rates of the IP addresses in this range here 0 means no limitation...

Page 122: ...exible bandwidth feature Uplink and downlink bandwidth of WAN1 Sets the uplink and downlink bandwidth of WAN1 applied for from ISP and the custom maximum value of Gigabit devices can be set to 1000M Uplink and downlink bandwidth of WAN2 Sets the uplink and downlink bandwidth of WAN1 applied for from ISP and the custom maximum value of Gigabit devices can be set to 1000M Enable game acceleration Ch...

Page 123: ... 1500 Total connections The maximum number of TCP connections established per host in the Intranet whose default is 1000 Total connections The maximum number of UDP connections established per host in the Intranet whose default is 800 Total connections The maximum number of ICMP connections established per host in the Intranet whose default is 100 Tip 1 When the number of connections is set at 0 t...

Page 124: ... cannot be set too low so it is recommended that The number of TCP connections is not less than 100 the number of UDP connections is not less than 50 the number of ICMP connections is not less than 10 If their value is too small it will cause the LAN users to be unable to access the Internet or access the Internet normally ...

Page 125: ...on 1 Internal Attack Prevention Figure 12_1 Attack Prevention Internal Attack Prevention Enable DDoS attack defense When enabled the device will effectively defend against the common Intranet DDOS attacks Enable IP spoofing defense When enabled the device can effectively defend against Intranet IP spoofing Enable UDP FLOOD defense When enabled the device can effectively defend against Intranet UDP...

Page 126: ...the WAN port of the device does not respond to the ping requests from the external network 12 2 Access control This section describes the functions and configuration methods of the Firewall Access control policy Flexibility in the use of the access control feature not only can set Internet access for different users but also can control the Internet access of users at different times In practical ...

Page 127: ... in the IP header is TCP or UDP then filter again according to the TCP header information source port and destination port or UDP header information source port and destination port When filter type is IP filtering the filtering conditions available for setting include Source address destination IP address protocol source port destination port action and effective time etc 2 URL filtering URL filt...

Page 128: ...arding and discarding and the corresponding actions are allow or disallow When the packets to be processed match a defined access control policy and if the action of the policy is allow then the device will forward the packet If the action of the policy is disallow the device will discard the packet What needs to be aware of is that keyword filtering does not provide any action options but disallo...

Page 129: ...ings Access control policy is to control the packets flowing through the device Click Add new entry in the above figure to enter the Access control policy configuration page to configure the required firewall policy The following will describe the meaning of the parameters in the access control policy configuration under four different filter types IP filtering URL filtering keyword filtering and ...

Page 130: ...access control policy Action The implementing action for the access control policy the options are allow or disallow Allow Allows the packet that matches the access control policy to pass that is the device will forward the packet Disallow Disallows the packet that matches the access control policy to pass that is the device will discard the packet Filter type Here IP filter is selected Protocol T...

Page 131: ...fined then set them to the same value with the range of values as 1 65535 Destination starting address destination ending address The destination starting IP address and destination ending address for the access control policy through which you can specify the destination IP addresses within a segment If only one destination IP address is defined then they are set to the same value Source starting...

Page 132: ... that start with the domain name are matched Or you can enter the substring of the domain name and then all pages that contain the substring in the URL are matched thus filtering all web pages of a site Next let s give a few examples to illustrate Instance I If you enter www sina com cn then all web pages beginning with www sina com cn will match that policy such as www sina com cn index jsp but t...

Page 133: ... you need to disallow or allow FTP connections by configuring the access control policy of IP filter type 3 Access Control Settings Keyword filtering Figure 12_6 Access Control Settings Keyword filtering Policy name Source address Action and other parameters have the same meaning as that of the parameters in the IP filter type which will not be repeated here Please refer to the related description...

Page 134: ...her parameters have the same meaning as that of the parameters in the IP filter type which will not be repeated here Please refer to the related description Filter type Here DNS filtering is selected Filter content Sets the domain name to be filtered Tip You can filter more than one domain names by entering the wildcard character in the filter content For example enter the domain name 163 in the f...

Page 135: ... Analysis Custom policy 1 Allows the DNS application in 192 168 1 10 192 168 1 20 Custom policy 2 Allows the WEB application in 192 168 1 10 192 168 1 20 Custom policy 3 Disallows all other applications in 192 168 1 10 192 168 1 20 What calls for special attention is that Policy 3 when all services are prohibited the DNS service is also prohibited In order to make the users in this address field a...

Page 136: ...100 from visiting the website http www bbc com IP address is 212 58 246 93 and the website http www cnn com IP address is 157 166 255 18 but allow all other online services of the group Analysis Configure Policy 1 to disallow the users in the segment of 192 168 1 80 192 168 1 100 to access http www bbc com Configure Policy 2 to disallow the users in the segment of 192 168 1 80 192 168 1 100 to acce...

Page 137: ...Chapter 12 VPN http www level1 com Page 137 Figure 12_10 Access Control Settings Instance II Figure 12_11 Access Control Settings Instance I Continued Figure 12_10 ...

Page 138: ...ttention in the domain name filtering operation steps domain name filtering configuration process 12 3 1 Domain filtering Settings Figure 12_12 Domain filtering page Steps of configuring domain name filtering 1 Check the Enable domain name filtering 2 Select the way for the domain name filtering policy to take effect 3 Select the intranet objects for the domain name filtering to take effect ...

Page 139: ...ne as displayed in the Domain list in whole word it will not be able to access the web page corresponding to that domain name 3 You can filter multiple domain names by entering the wildcard character in the domain name for example enter the domain name www 163 in the domain name list and intranet users will not be able to access all web pages beginning with www 163 12 3 2 Domain Block Notification...

Page 140: ... of the notification information pushed by the device Redirecting time Sets the redirecting time for accessing the domain name as listed in the domain name list Blank means no redirecting while 0 means redirecting immediately Redirecting URL Sets the domain name address redirected when accessing to the domain names as listed in the domain name list Notice content the content of the notification in...

Page 141: ... Notification page 12 4 MAC Address Filtering This section describes the MAC address filtering function of the Firewall MAC address filtering page including The steps of MAC address filtering and the points for attention to the process of MAC address filter configuration ...

Page 142: ...AC address filtering function Filtering rules Users can choose Allow Allow only the MAC addresses in the list to access to the network or Disallow Disallow only the MAC addresses in the list to access to the network User name Displays the user name of the configured MAC address filtering MAC address Displays the MAC address of the configured MAC address filtering ...

Page 143: ...dress filtering configuration page as shown in the figure below Figure 12_16 MAC Address Filtering Settings User name Displays the user name of the configured MAC address filtering MAC address Configures the MAC address to be filtered Users can configure in batch in the Firewall MAC address filtering MAC Address Filtering Settings page Figure 12_17 MAC address filtering ...

Page 144: ...C user name MAC address The user s MAC address which can be obtained using the ipconfig all command under the DOS environment on Windows platforms User name It can be ignored because the system will automatically assign a name for it Tip 1 In the above input format there may be one or more spaces between the MAC address and the user name ...

Page 145: ...em by IP networks such as Internet or corporate Intranet The basic function of the PPTP is to transmit user data packets encapsulated using PPP in the IP network PPTP client is responsible for receiving the raw data from users and encapsulates it to the PPP packet and then establishes a PPTP tunnel between the PPTP client and the server for sending the PPP packet Typical application is to deploy t...

Page 146: ...view the information related to the PPTP tunnel such as user name business type remote Intranet IP address session state time of connection established Figure 13_2 PPTP list Tip 1 The operation of the Establish and Hang up buttons only take effect for clients 2 In order to ensure the PPTP tunnel can be connected normally after the VPN gateway enables ...

Page 147: ...nfiguration PPTP page click Add a server in the page as shown in Figure 13_2 and enter the PPTP server page 13 1 3 1 Global Settings Figure 13_3 PPTP server Global Settings Enable PPTP server Check to enable the service Password authentication mode Sets the password authentication mode to establish PPTP VPN The options include MS CHAPV2 PAP CHAP ANY automatically negotiate with the peer device on ...

Page 148: ...e server after dialing through the VPN but cannot open the web pages Encryption mode Sets the data encryption mode with the options of MPPE encryption no encryption Note In the use of MPPE encryption mode MS CHAPV2 password authentication method must be selected 13 1 3 2 Account Settings The following describes the meaning of the parameters for the PPTP server to configure accounts for the PPTP cl...

Page 149: ...er address pool Remote Intranet network address Fills in the IP addresses used by the LAN at the opposite end of the PPTP tunnel which may be the LAN IP address of the device at the opposite end of the VPN tunnel Remote Intranet subnet mask Fills in the subnet mask used by the LAN at the opposite end of the PPTP tunnel 13 1 4 PPTP client Settings Enter the VPN configuration PPTP page and click Add...

Page 150: ...d The password used when dialing the tunnel Password authentication mode Sets the password authentication mode to establish PPTP VPN The options include MS CHAPV2 PAP CHAP ANY automatically negotiate with the peer device on password authentication mode Make sure that the password authentication mode is consistent with that of the server Encryption mode Sets the data encryption mode with the option...

Page 151: ...uses the PPTP to establish VPN tunnels and the VPN gateway in both places are using HiPER router and the mobile users using the built in PPTP client software of the Windows operating systems at the following addresses Shanghai gateway PPTP server Intranet network segment 192 168 1 0 24 LAN IP address 192 168 1 1 24 WAN domain name 200 200 202 126 24 Beijing gateway PPTP client Intranet network seg...

Page 152: ...o LAN User name Test2 Password 123456 Password authentication mode MS CHAPV2 Remote Intranet network addresses 192 168 16 1 Remote Intranet subnet mask 255 255 255 0 Figure 13_8 PPTP server Settings LAN to LAN Create an account for mobile users user types Mobile users User name Test1 Password 123456 And assign a fixed IP address of 192 168 55 41 for the mobile user ...

Page 153: ...clients are configured as shown in the above figure user name test1 Password 123456 Password authentication mode MS CHAPV2 Remote Intranet network addresses 192 168 1 1 Remote subnet mask 255 255 255 0 tunnel server address 200 200 202 126 3 Mobile user configuration Follow these steps to configure a Windows XP computer allowing it to connect to the PPTP server ...

Page 154: ...select Optional encryption which can connect without encryption 12 In Allow these protocols check Unencrypted password PAP Challenge Handshake Authentication Protocol CHAP Microsoft CHAP MS CHAP Microsoft CHAP MS CHAP v2 version and click OK 13 Select the Network property page and in VPN Type select PPTP VPN 14 Make sure that Internet protocol TCP IP is selected 15 Click OK and save your changes T...

Page 155: ...pectively to view the PPTP instance connection information As shown in the figure below you can view the user name service type session status using time remote Intranet IP address mask and other information of the PPTP instances Figure 13_11 PPTP List 1 Figure 13_12 PPTP List 2 ...

Page 156: ... www level1 com Page 156 Figure 13_13 PPTP Client Info List 1 Figure 13_14 PPTP Client Info List 2 13 2 IPSec 13 2 1 IPSec Overview With the development of security standards and network protocols various VPN technologies ...

Page 157: ...ntegrity and authenticity of packets sent across the Internet through encryption and data origin authentication at the IP layer IKE Internet Key Exchange IKE is used for both communicating parties to negotiate and establish security alliances exchange keys IKE defines the method for two parties to authenticate negotiate encryption algorithm and generate shared keys DES Data Encryption Standard DES...

Page 158: ...arties data integrity and data source authentication as well as the anti replay feature PSK Pre Shared Key One of the IKE authentication methods which requires that each IKE peer use a predefined and shared key to authenticate the IKE exchange Phase I and Phase II Establish an IPSec Channel Security Alliance SA using the Internet Key Exchange Protocol IKE which requires two stages of negotiation I...

Page 159: ...cond phase both parties negotiate about encryption algorithms keys life cycle as well as authentication of IPSec and establish a channel for encryption and authentication of user data IPSec SA 1 Phase I In the first phase Aggressive Mode or Main Mode can be used and both parties will exchange the security proposals acceptable to each other for example Encryption algorithm DES 3DES and AES128 192 2...

Page 160: ...ficate if you are using a certificate The third message The initiator authenticates the responder and confirms the exchange Since the participants identities are exchanged in the plain text in the first two messages the aggressive mode provides no identity protection Tip When the IPSec tunnel is connected by the other dynamically connecting to the local dynamically connecting to the gateway the ag...

Page 161: ...y DH exchanges and generation of current numbers So the survival time of SA is usually set to relatively long 1 hour to 1 day typically Within the validity period the two communicating parties can only assume that the other party works normally since they cannot detect each other similar to the PING function and in case a party has a foreseeable problem or the network connecting both of them has f...

Page 162: ... IPSec NAT Traversal NAT T is under standardization by the IPSec network of the Internet Engineering Task Force In the IPSec negotiation process the two peers can be determined automatically according to the following two conditions to support IPSec NAT T One party usually a client computer to initiate the IPSec session and one party to respond to the IPSec session usually a server can perform IPS...

Page 163: ...ys of connection namely gateway to gateway dynamic connection to the gateway the other party dynamically connects to the local The following describes the meaning of the configuration parameters for three types of connection When one end of the IPSec tunnel is dynamic IP access when no DDNS is applied for Dynamic connection to the gateway The other party dynamically connects to the local are used ...

Page 164: ...address of the Intranet protected at the remote end of the IPSec tunnel if the remote end is a mobile single user then fill in the IP address of the device Network mask The subnet mask of the Intranet protected at the remote end of the IPSec tunnel if the remote end is a mobile single user then fill in 255.255.255.255 Local Local binding Select the type of local interfaces which can be an Ethernet...

Page 165: ...econd phase Figure 13_17 IPSec Advanced options Main mode First phase Negotiation mode Sets the negotiation mode in the first phase with the options main mode and aggressive mode When selecting gateway to gateway connection select the main mode When the connection mode is dynamic connection to the gateway other party dynamically connecting to the local machine select the aggressive mode Survival t...

Page 166: ...ure to reject the received packets or copies of packets in order to protect themselves from attacks DPD Sets whether to enable DPD After enabled the device sends a heartbeat packet on a regular basis to detect whether each other s network is reachable and whether the program is normal If multiple heartbeat packets are lost continuously then IPSec DPD will launch SA negotiation again forcibly Heart...

Page 167: ...e can only be used as the initiator when establishing an IPSec tunnel and the IPSec tunnel should have the aggressive mode selected at both ends for the IKE negotiation in the first phase Remote end Identity ID Sets the identity ID used to authenticate remote ends Identity type The type of remote identity ID including three options Email address Domain name and IP address Local Identity ID Identit...

Page 168: ...connect to local machine has been described in the previous two sections so there is no need to repeat any more When selecting Other party dynamically connects to the local the remote gateway address domain name needs not be configured In this case this device can only be used as the responder in establishing an IPSec tunnel and the IPSec tunnel should have the aggressive mode selected at both end...

Page 169: ...ce in Beijing and hopes to achieve a mutual access to the internal resources of the LAN in two places This scenario uses the IPSec protocol to establish VPN tunnels and the HiPER router is used by the VPN gateway in two places at the following addresses Shanghai gateway Intranet network segment 192.168.1.0/24 LAN IP address 192.168.1.1/24 WAN1 domain name 200.200.202.126/24 Beijing gateway Intrane...

Page 170: ...AN IP address of Beijing gateway 200.200.202.127 and remote Intranet address is the LAN IP address of Beijing gateway 192.168.1.1 which is locally bound at WAN1 port Set the preshared key for the first phase to testing and the encryption and authentication algorithms for the second phase is esp ase 128 2 Configure Beijing gateway ...

Page 171: ...168.1.1 which is locally bound at WAN1 port Set the preshared key for the first phase to testing and the encryption and authentication algorithms for the second phase is esp ase 128 View connection status Enter the corresponding pages respectively to view the IPSec instance connection information As shown in the figure below you can view the SA status remote gateways remote Intranet local binding ...

Page 172: ... Figure 13_23 IPSec connection status Shanghai gateway Figure 13_24 IPSec connection status Beijing gateway ...

Page 173: ...achieve a mutual access to the internal resources of the LAN in two places This scenario uses the IPSec protocol to establish VPN tunnels and the HiPER router is used by the VPN gateway in two places at the following addresses Shanghai gateway Intranet network segment 192.168.1.0/24 LAN IP address 192.168.1.1/24 WAN domain name 200.200.202.126/24 Beijing gateway Intranet network segment 192.168.16...

Page 174: ...amically connecting to the local machine and Beijing gateway dynamically connecting to Shanghai gateway Meanwhile set the Beijing gateway information such as Intranet addresses identity ID Locally bound at WAN1 port set the preshared key for the first phase to testing and the encryption and authentication algorithm for the second phase is esp ase 128 2 Configure Beijing gateway ...

Page 175: ... gateway to a dynamic connection to the gateway Meanwhile sets up Shanghai gateway related information such as gateway address Intranet address identity ID Locally bound at the WAN1 port set the preshared key for the first phase to testing and the encryption and authentication algorithm for the second phase is esp ase 128 View the connection status ...

Page 176: ... Figure 13_28 IPSec connection status Other party connects to local host dynamically Figure 13_29 IPSec connection status Connect to local host dynamically ...

Page 177: ...led task page This chapter mainly describes how to change administrator user name and password How to set the device clock How to back up and import configuration files How to upgrade the device How to enable remote management etc 14 1 Administrator 1 Administrator list Figure 14 1 Administrator list 2 Administrator Settings Figure 14 2 Administrator Settings User name Customizes the user name of ...

Page 178: ...and password to log into the device 14 2 Language This section describes the System management Language selection page Select the device s WEB interface language through the configuration in this page Figure 14_3 Language 14 3 Time This section describes the System Time page In order to guarantee that the functions of the device relating to time work normally the clock of the device needs to be ac...

Page 179: ...ynchronization After using the network time synchronization function to set up a right NTP server and when the device is connected to the Internet it will automatically synchronize the time with the set NTP server The addresses of two NTP servers preset by the system by default are 192.43.244.18 216.45.57.38 which generally requires no change If you need to know more about the NTP knowledge and th...

Page 180: ...ou have checked the check box Restore factory settings before import click the Import button and the device will be restored to the factory settings Tip Do not cut off the device s power supply in loading configuration to avoid unexpected errors 3 Restore to factory settings of the device If users need to restore the device to its factory settings enter into the Systems management Configurati...

Page 181: ...est version of the software Upgrading steps Step 1 Download the latest version of software Click on the hyperlink Download the latest version and go to the official site of LEVELONE to download the latest version of the software to your local PC Tip 1 Please select the most appropriate type of the latest software The applicable hardware version for the downloaded software must be consistent with t...

Page 182: ...eed of human intervention 14 6 Remote Management This section describes the System Remote management page To facilitate the network maintenance by remote administrators on this page you can configure the remote management function of the device in the Systems management Remote administration page Figure 14_7 Remote Management Enable HTTP Allow or disallow to manage the device from the Internet thr...

Page 183: ...ity purposes unless absolutely necessary do not enable the remote management function In looking for LEVELONE s customer service engineer s service please enable the remote management function 14 7 Scheduled task This section describes the System management Scheduled task page By configuring scheduled tasks administrators can predefine the actions completed by the device at a specified time 1 List...

Page 184: ...e 14 10 Scheduled Task Settings Task name Name of the custom tasks Startup type Indicates time cycle and the options are per week per day per hour per minute Running time Means the specific time for implementing these tasks and its settings vary based on different startup types Task content Selects the appropriate task content ...

Page 185: ...o be detailed again here 15 2 System information In the System status System information page network administrators can understand the system related information and view the system history Through system information network administrators can understand the problems occurring to the network or the potential ones which helps improve the network performance and enhance network security Figure 15_1...

Page 186: ... model Displays the product model of the device Hardware version Displays the hardware version number of the device Software version Displays the software version number of the device Refresh Click Refresh to view the latest system information Tip Figure 15_1 The usage of CPU memory is different and the displayed colors are different Green when the usage is 0 50 Orange when the usage is 50 70 Red ...

Page 187: ... to assign it to a user at this point the system will assign another IP address to the user ARP Spoof mac MAC address New IP IP address mac MAC address Old IP IP address mac MAC address Means the spoofing of gateway addresses The MAC address table learns a new MAC address again MAC address times out and ages PPPoE Local IP address IP address Primary DNS address primary DNS address Secondary DNS ad...

Page 188: ...P logging Check to enable DHCP logging for recording the conflicts of the DHCP server and DHCP Distribute the address conflicts and other messages Enable notification logging Check to enable notification logging recording the notification log information Enable ARP logs Check to enable the ARP logging and record the information of ARP cheat Enable PPPoE logging Check to enable PPPoE logging record...

Page 189: ...intimate services LEVELONECare Link to the customer service page of LEVELONE s official website to acquire customer services and technical supports Product Discussion Link to the discussion forums of LEVELONE s official website to participate in discussions about the product Knowledge Base Link to the knowledge base of LEVELONE s official website for searching related technical information Booking...

Page 190: ... 2 and 254 the subnet mask is 255.255.255.0 and the default gateway is 192.168.1.1 the LAN IP address of the device and the DNS server address is provided by operators If confirming that the wireless device has enabled the DHCP server function select Obtain the IP address automatically 5 Select the Use the following DNS server addresses option Type in the IP address which can be provided by the IS...

Page 191: ...s of a computer Win 7 Step two Connect to a wireless network 1 After the installation of the wireless network card is complete click the icon on the bottom right of the desktop 2 From the pop up list of network connections select the wireless network to be connected and click Connect ...

Page 192: ... Figure 0 2 Establishing a wireless connection Win 7 3 When the right corner of the entry displays Connected it means that the computer is already connected to a wireless network Figure 0 3 Wireless connection established successfully Win 7 ...

Page 193: ...bled the wireless feature and has been the AP mode or not A 3 How can I restore the device to its factory settings Tip The following method is used to delete all original settings of the device so please use it with care Case I Knowing the administrator password Under normal circumstances you can directly enter the System management Configuration management page and then click Restore to manually ...

Page 194: ...6 Figure 6 5 List of line connection information Dynamic IP access 27 Figure 6 6 List of line connection information Static IP access 27 Figure 6 7 List of line connection information PPPoE access 28 Figure 6 8 Full Load Balancing 31 Figure 6 9 Partial Load Balancing 31 Figure 6 10 Load Balancing List 32 Figure 6 11 Line combination configuration 33 Figure 6 12 Enabling identity binding 34 Figure ...

Page 195: ...re 8_9 NAT rule Settings One2One 72 Figure 8_10 Static Route List 73 Figure 8_11 Static Route Settings 73 Figure 8_12 Policy routing list 75 Figure 8_13 Policy routing configuration 76 Figure 8_14 Anti NetSniper 77 Figure 8_15 Port mirroring 78 Figure 8_16 Port VLAN list 79 Figure 8_17 Port VLAN settings 79 Figure 8_18 SYSLOG configuration 80 Figure 9_1 User Status 81 Figure 9_2 User status inform...

Page 196: ...n notification 116 Figure 10_12 Log management 117 Figure 10_13 Internet Audit 118 Figure 10_14 Policy Database list 119 Figure 11_1 Fixed Rate Limiting list 120 Figure 11_2 Fixed Rate Limiting Rule Settings 121 Figure 11_3 Flexible Bandwidth 122 Figure 12_1 Attack Prevention Internal Attack Prevention 125 Figure 12_2 Attack Prevention External Attack Prevention 126 Figure 12_3 Access control list...

Page 197: ...logy 169 Figure 13_21 Gateway to gateway configuration 1 170 Figure 13_22 Gateway to gateway configuration 2 171 Figure 13_23 IPSec connection status Shanghai gateway 172 Figure 13_24 IPSec connection status Beijing gateway 172 Figure 13_25 Dynamic on one party topology 173 Figure 13_26 Dynamic on one party The other party dynamically connects to local machine 174 Figure 13_27 Dynamic on one party...

Page 198: ... Figure 0 1 Configuring the TCP IP properties of a computer Win 7 191 Figure 0 2 Establishing a wireless connection Win 7 192 Figure 0 3 Wireless connection established successfully Win 7 192 ...

Page 199: ...ing address Digital Data Communications GmbH Zeche Norm Str 25 44319 Dortmund Deutschland Phone 49 231 9075 0 Fax 49 231 9075 184 Email support level1 com Web www level1 com NO WARRANTY This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License fo...

Page 200: ...you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all ...

Page 201: ...te copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee 2 You may modify your copy or co...

Page 202: ...u also do one of the following we use this doubled UL to get the sub sections indented while making the bullets as unobvious as possible a Accompany it with the complete corresponding machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or b Accompany it with a written offer valid for at least three y...

Page 203: ...n the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties to this License 7 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do ...

Page 204: ... If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of o...

Page 205: ...the Free Software Foundation either version 2 of the License or at your option any later version This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License for more details You should have received a copy of the GNU General Public License along wi...

Page 206: ...nterest in the program Gnomovision which makes passes at compilers written by James Hacker signature of Ty Coon 1 April 1989 Ty Coon President of Vice This General Public License does not permit incorporating your program into proprietary programs If your program is a subroutine library you may consider it more useful to permit linking proprietary applications with the library If this is what you ...
