WPA2-PSK(AES) 1. Select Pre-share Key Mode If you

WPA2-PSK(AES) 1. Select Pre-share Key Mode If you
WPA2-PSK(AES)
1. Select Pre-share Key Mode
If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits
If ASCII, the length of Pre-share key is from 8 to 63.
2. Fill in the key, Ex 12345678
26
WPA2(AES)
Check Box was used to switch the function of the WPA. When the WPA function is enabled,
the Wireless user must authenticate to this router first to use the Network service. RADIUS
Server
IP address or the 802.1X server’s domain-name.
Select RADIUS Shared Key
If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits
If ASCII, the length of Pre-share key is from 8 to 63.
Key value shared by the RADIUS server and this router. This key value is consistent with the
key value in the RADIUS server.
27
WPA-PSK /WPA2-PSK
The router will detect automatically
which Security type the client
uses to encrypt.
1. Select Pre-share Key Mode
If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits
If ASCII, the length of Pre-share key is from 8 to 63.
2. Fill in the key, Ex 12345678
28
WPA/WPA2
Check Box was used to switch the function of the WPA. When the WPA function is enabled,
the Wireless user must authenticate to this router first to use the Network service. RADIUS
Server
The router will detect automatically which Security type(Wpa-psk version 1 or 2) the client
uses to encrypt.
IP address or the 802.1X server’s domain-name.
Select RADIUS Shared Key
If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits
If ASCII, the length of Pre-share key is from 8 to 63.
Key value shared by the RADIUS server and this router. This key value is consistent with the
key value in the RADIUS server.
29
WDS(Wireless Distribution System)
WDS operation as defined by the IEEE802.11 standard has been made available. Using WDS it is
possible to wirelessly connect Access Points, and in doing so extend a wired infrastructure to locations
where cabling is not possible or inefficient to implement.
30
4.4.4 Change Password
You can change Password here. We strongly recommend you to change the system password for
security reason.
31
4.5 Forwarding Rules
32
4.5.1 Virtual Server
This product’s NAT firewall filters out unrecognized packets to protect your Intranet, so all hosts
behind this product are invisible to the outside world. If you wish, you can make some of them
accessible by enabling the Virtual Server Mapping.
A virtual server is defined as a Service Port, and all requests to this port will be redirected to the
computer specified by the Server IP. Virtual Server can work with Scheduling Rules, and give
user more flexibility on Access control. For Detail, please refer to Scheduling Rule.
For example, if you have an FTP server (port 21) at 192.168.123.1, a Web server (port 80) at
192.168.123.2, and a VPN server at 192.168.123.6, then you need to specify the following virtual
server mapping table:
Service Port
Server IP
Enable
21
192.168.123.1
V
80
192.168.123.2
V
1723
192.168.123.6
V
33
4.5.2 Special AP
Some applications require multiple connections, like Internet games, Video conferencing, Internet
telephony, etc. Because of the firewall function, these applications cannot work with a pure NAT router.
The Special Applications feature allows some of these applications to work with this product. If the
mechanism of Special Applications fails to make an application work, try setting your computer as the
DMZ host instead.
1.
Trigger: the outbound port number issued by the application..
2.
Incoming Ports: when the trigger packet is detected, the inbound packets sent to the specified
port numbers are allowed to pass through the firewall.
This product provides some predefined settings Select your application and click Copy to to add the
predefined setting to your list.
Note! At any given time, only one PC can use each Special Application tunnel.
34
4.5.3 Miscellaneous Items
IP Address of DMZ Host
DMZ (DeMilitarized Zone) Host is a host without the protection of firewall. It allows a computer to be
exposed to unrestricted 2-way communication for Internet games, Video conferencing, Internet
telephony and other special applications.
NOTE: This feature should be used only when needed.
Non-standard FTP port
You have to configure this item if you want to access an FTP server whose port number is not 21. This
setting will be lost after rebooting.
UpnP Setting
The device also supports this function.If the OS supports this function enable it,like Windows
Xp.When the user get ip from Device and will see icon as below:
35
4.6 Security Settings
36
4.6.1 Packet Filter
Packet Filter enables you to control what packets are allowed to pass the router. Outbound filter applies
on all outbound packets. However, Inbound filter applies on packets that destined to Virtual Servers or
DMZ host only. You can select one of the two filtering policies:
1.
Allow all to pass except those match the specified rules
2.
Deny all to pass except those match the specified rules
You can specify 8 rules for each direction: inbound or outbound. For each rule, you can define the
following:
•
Source IP address
•
Source port address
•
Destination IP address
•
Destination port address
•
Protocol: TCP or UDP or both.
•
Use Rule#
37
For source or destination IP address, you can define a single IP address (4.3.2.1) or a range of IP
addresses (4.3.2.1-4.3.2.254). An empty implies all IP addresses.
For source or destination port, you can define a single port (80) or a range of ports (1000-1999). Add
prefix "T" or "U" to specify TCP or UDP protocol. For example, T80, U53, U2000-2999. No prefix
indicates both TCP and UDP are defined. An empty implies all port addresses. Packet Filter can work
with Scheduling Rules, and give user more flexibility on Access control. For Detail, please refer to
Scheduling Rule.
Each rule can be enabled or disabled individually.
Inbound Filter:
To enable Inbound Packet Filter click the check box next to Enable in the Inbound Packet Filter
field.
Suppose you have SMTP Server (25), POP Server (110), Web Server (80), FTP Server (21), and News
Server (119) defined in Virtual Server or DMZ Host.
Example 1:
38
(1.2.3.100-1.2.3.149) They are allow to send mail (port 25), receive mail (port 110), and browse the
Internet (port 80)
(1.2.3.10-1.2.3.20) They can do everything (block nothing)
Others are all blocked.
Example 2:
(1.2.3.100-1.2.3.119) They can do everything except read net news (port 119) and transfer files via FTP
(port 21)
Others are all allowed.
After Inbound Packet Filter setting is configured, click the save button.
Outbound Filter:
To enable Outbound Packet Filter click the check box next to Enable in the Outbound Packet
Filter field.
39
Example 1:
(192.168.123.100-192.168.123.149) They are allowed to send mail (port 25), receive mail (port 110),
and browse Internet (port 80); port 53 (DNS) is necessary to resolve the domain name.
(192.168.123.10-192.168.123.20) They can do everything (block nothing)
Others are all blocked.
40
Example 2:
(192.168.123.100-192.168.123.119) They can do everything except read net news (port 119) and
transfer files via FTP (port 21)
Others are allowed
After Outbound Packet Filter setting is configured, click the save button.
41
4.6.2 Domain Filter
Domain Filter
Let you prevent users under this device from accessing specific URLs.
Domain Filter Enable
Check if you want to enable Domain Filter.
Log DNS Query
Check if you want to log the action when someone accesses the specific URLs.
Privilege IP Addresses Range
Setting a group of hosts and privilege these hosts to access network without restriction.
Domain Suffix
A suffix of URL to be restricted. For example, ".com", "xxx.com".
Action
When someone is accessing the URL met the domain-suffix, what kind of action you want.
Check drop to block the access. Check log to log these access.
Enable
Check to enable each rule.
42
Example:
In this example:
1. URL include “www.msn.com” will be blocked, and the action will be record in log-file.
2. URL include “www.sina.com” will not be blocked, but the action will be record in log-file.
3. URL include “www.google.com” will be blocked, but the action will not be record in log-file.
4. IP address X.X.X.1~ X.X.X.20 can access network without restriction.
43
4.6.3 URL Blocking
URL Blocking will block LAN computers to connect to pre-defined Websites.
The major difference between “Domain filter” and “URL Blocking” is Domain filter require user to
input suffix (like .com or .org, etc), while URL Blocking require user to input a keyword only. In other
words, Domain filter can block specific website, while URL Blocking can block hundreds of websites
by simply a keyword.
URL Blocking Enable
Checked if you want to enable URL Blocking.
URL
If any part of the Website's URL matches the pre-defined word, the connection will be blocked.
For example, you can use pre-defined word "sex" to block all websites if their URLs contain
pre-defined word "sex".
Enable
Checked to enable each rule.
44
In this example:
1. URL include “msn” will be blocked, and the action will be record in log-file.
2. URL include “sina” will be blocked, but the action will be record in log-file
3. URL include “cnnsi” will not be blocked, but the action will be record in log-file.
4. URL include “espn” will be blocked, but the action will be record in log-file
45
4.6.4 MAC Address Control
MAC Address Control allows you to assign different access right for different users and to assign a
specific IP address to a certain MAC address.
MAC Address Control Check “Enable” to enable the “MAC Address Control”. All of the
settings in this page will take effect only when “Enable” is checked.
Connection control
Check "Connection control" to enable the controlling of which wired and
wireless clients can connect to this device. If a client is denied to connect
to this device, it means the client can't access to the Internet either.
Choose "allow" or "deny" to allow or deny the clients, whose MAC
addresses are not in the "Control table" (please see below), to connect to
this device.
Association control
Check "Association control" to enable the
controlling of which wireless client can
associate to the wireless LAN. If a client is
denied to associate to the wireless LAN, it
means the client can't send or receive any data
46
via this device. Choose "allow" or "deny" to
allow or deny the clients, whose MAC
addresses are not in the "Control table", to
associate to the wireless LAN.
Control table
"Control table" is the table at the bottom of the "MAC Address Control"
page. Each row of this table indicates the MAC address and the expected
IP address mapping of a client. There are four columns in this table:
MAC Address
MAC address indicates a specific client.
IP Address
Expected IP address of the corresponding
client. Keep it empty if you don't care its IP
address.
C
When "Connection control" is checked,
check "C" will allow the corresponding client
to connect to this device.
A
When "Association control" is checked,
check "A" will allow the corresponding client
to associate to the wireless LAN.
In this page, we provide the following Combobox and button to help you to input the MAC address.
You can select a specific client in the “DHCP clients” Combobox, and then click on the “Copy to”
button to copy the MAC address of the client you select to the ID selected in the “ID” Combobox.
Previous page and Next Page
To make this setup page simple and clear, we have divided the
“Control table” into several pages. You can use these buttons to
navigate to different pages.
47
Example:
In this scenario, there are three clients listed in the Control Table. Clients 1 and 2 are wireless, and
client 3 is wired.
1.The "MAC Address Control" function is enabled.
2."Connection control" is enabled, and all of the wired and wireless clients not listed in the "Control
table" are "allowed" to connect to this device.
3."Association control" is enabled, and all of the wireless clients not listed in the "Control table" are
"denied" to associate to the wireless LAN.
4.Clients 1 and 3 have fixed IP addresses either from the DHCP server of this device or manually
assigned:
ID 1 - "00-12-34-56-78-90" --> 192.168.122.100
ID 3 - "00-98-76-54-32-10" --> 192.168.122.101
Client 2 will obtain its IP address from the IP Address pool specified in the "DHCP Server" page or
can use a manually assigned static IP address.
If, for example, client 3 tries to use an IP address different from the address listed in the Control
table (192.168.122.101), it will be denied to connect to this device.
48
5.Clients 2 and 3 and other wired clients with a MAC address unspecified in the Control table are all
allowed to connect to this device. But client 1 is denied to connect to this device.
6.Clients 1 and 2 are allowed to associate to the wireless LAN, but a wireless client with a MAC
address not specified in the Control table is denied to associate to the wireless LAN. Client 3 is a
wired client and so is not affected by Association control.
4.6.5 Miscellaneous Items
Remote Administrator Host/Port
In general, only Intranet user can browse the built-in web pages to perform administration task. This
feature enables you to perform administration task from remote host. If this feature is enabled, only the
specified IP address can perform remote administration. If the specified IP address is 0.0.0.0, any host
can connect to this product to perform administration task. You can use subnet mask bits "/nn" notation
to specified a group of trusted IP addresses. For example, "10.1.2.0/24".
NOTE: When Remote Administration is enabled, the web server port will be shifted to 88. You can
change web server port to other port, too.
Administrator Time-out
The time of no activity to logout automatically. Set it to zero to disable this feature.
Discard PING from WAN side
When this feature is enabled, any host on the WAN cannot ping this product.
SPI Mode
When this feature is enabled, the router will record the packet information pass through the router like
49
IP address, port address, ACK, SEQ number and so on. And the router will check every incoming
packet to detect if this packet is valid.
DoS Attack Detection
When this feature is enabled, the router will detect and log the DoS attack comes from the Internet.
Currently, the router can detect the following DoS attack: SYN Attack, WinNuke, Port Scan, Ping of
Death, Land Attack etc.
4.7 Advanced Settings
50
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement