SMC Networks SMCBR18VPN User manual

Copyright
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable.
However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or
other rights of third parties which may result from its use. No license is granted by implication or
otherwise under any patent or patent rights of SMC. SMC reserves the right to change
specifications at any time without notice.
The products and programs described in this User Guide are licensed products of SMC. This User
Guide contains proprietary information protected by copyright, and this User Guide and all
accompanying hardware and documentation are copyrighted.
SMC does not warrant that the hardware will work properly in all environments and applications,
and makes no warranty and representation, either implied or expressed, with respect to the
quality, performance, merchantability, or fitness for a particular purpose.
Information in this User Guide is subject to change without notice and does not represent a
commitment on the part of SMC. SMC assumes no responsibility for any inaccuracies that may be
contained in this User Guide.
SMC makes no commitment to update or keep current the information in this User Guide, and
reserves the right to make changes to this User Guide and/or product without notice.
No part of this manual may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or information storage and retrieval
systems, for any purpose other than the purchaser's personal use, without the express written
permission of SMC.
Copyright © 2004 by
SMC Networks, Inc.
38 Tesla
Irvine, California 92618
All rights reserved.
Trademarks
SMC® is a registered trademark; and EZ-Stream, EZ Connect, Barricade and EZ Hub are
trademarks of SMC Networks, Inc. Other product and company names are trademarks or
registered trademarks of their respective holders.
Compliances
FCC - Class B
This equipment has been tested and found to comply with the limits for a Class B digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
against harmful interference in a residential installation. This equipment generates, uses and can
radiate radio frequency energy and, if not installed and used in accordance with instructions, may
cause harmful interference to radio communications. However, there is no guarantee that the
interference will not occur in a particular installation. If this equipment does cause harmful
interference to radio or television reception, which can be determined by turning the equipment
off and on, the user is encouraged to try to correct the interference by one or more of the
following measures:
• Reorient the receiving antenna
• Increase the separation between the equipment and receiver
• Connect the equipment into an outlet on a circuit different from that to which
the receiver is connected
• Consult the dealer or an experienced radio/TV technician for help
FCC Caution: To assure continued compliance, use only shielded interface cables when connecting
to computer or peripheral devices. Any changes or modifications not expressly
approved by the party responsible for compliance could void the user’s authority to operate this
equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two
conditions: (1) This device may not cause harmful interference, and (2) this device must accept
any interference received, including interference that may cause undesired operation.
CAUTION STATEMENT:
FCC Radiation Exposure Statement
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled
environment. This equipment should be installed and operated with a minimum distance of 5
centimeters between the radiator and your body. This transmitter must not be co-located or
operating in conjunction with any other antenna or transmitter. Note: In order to maintain
compliance with the limits of a Class B digital device, SMC requires that you use a quality
interface cable when connecting to this device. Changes or modifications not expressly approved
by SMC could void the user’s authority to operate this equipment.
Attach unshielded twisted-pair cable (UTP) to the RJ-45 port and shielded USB cable to the USB
port.
EC Conformance Declaration – Class B
SMC contact for these products in Europe is:
SMC Networks Europe,
Edificio Conata II
Calle Fructuos Gelabert 6-8, 2o, 4a
08970 – Sant Joan Despi
Barcelona, Spain
This equipment complies with the requirements relating to electromagnetic compatibility, EN
55022/A1 Class B, and EN 50082-1. This meets the essential protection requirements of the
European Council Directive 89/336/EEC on the approximation of the laws of the member states
relating to electromagnetic compatibility.
Important Safety Notices
• Unplug this product from the AC power before cleaning. Do not use liquid cleaners or
aerosol cleaners. Use a dry cloth for cleaning.
• Route the power supply cords so that they are not likely to be walked on or pinched by
items placed upon or against them. Pay particular attention to cords at plugs,
convenience receptacles, and the point where they exit from the product.
• Situate the product away from heat sources such as radiators, heat registers, stoves, and
other products that produce heat.
• To prevent fire or shock hazard, do not expose this unit to rain or moisture. Do not allow
water or any foreign objects to enter the interior. This may cause a fire or electric shock.
In the event that water or other foreign objects get into the product, immediately unplug
the AC adapter from the electrical outlet and contact Customer Service for inspection
and/or repair/replacement options.
• Do not take apart the equipment. This may cause fire, electric shock or other injuries.
• Do not overload wall outlets and extension cords as this can result in a fire or electric
shock.
• This product is for use with the AC adapter that comes with it. Use with any other AC
power is strongly discouraged as it may cause fire, electric shock, or damage to the
equipment.
1 | System Requirements
• Internet access from your local telephone company or Internet Service Provider (ISP)
using a DSL modem, cable modem, Dial-Up modem, or ISDN modem
• A PC using a fixed IP address or dynamic IP address assigned via DHCP, as well as a
Gateway server address and DNS server address from your service provider
• A computer equipped with a 10 Mbps, 100 Mbps, or 10/100 Mbps Fast Ethernet card, or
a USB-to-Ethernet converter
• TCP/IP network protocol installed on each PC that needs to access the internet
• A Java-enabled web browser, such as Microsoft Internet Explorer 5.0 or above, or
Netscape Communicator 4.0 or above installed on one PC at your site for configuring the
router.
2 | Equipment Checklist
After unpacking the Barricade™ VPN Cable/DSL Broadband Router, check the contents of the box
to be sure you have received the following components:
• 1 Barricade™ VPN Cable/DSL Broadband Router
• 1 EZ Installation Wizard and Documentation CD
• 1 Ethernet (CAT5-UTP/Straight-Through) Cable
• 1 Power Adapter
• 1 Quick Installation Guide
Immediately inform your dealer in the event of any incorrect, missing or damaged parts. If
possible, please retain the carton and original packing materials in case there is a need to return
the product.
Please register this product and upgrade the product warranty at SMC's Web site:
http://www.smc.com
3 | Functions and Features
Broadband Modem and NAT Router: Connects multiple computers to a broadband (cable or DSL)
modem, and/or Ethernet router to access the Internet.
10/100 Mbps Ethernet Interface: Provides a 10/100 Base-TX interface to connect to a DSL or
cable modem for broadband Internet access.
Auto-sensing Ethernet Switch: Equipped with a 4/8-port auto-sensing Ethernet switch.
VPN Supported: Supports multiple IPSec sessions and has built-in PPTP and L2TP VPN servers.
Firewall: All unwanted packets from outside sources are blocked to protect your intranet.
DHCP Server Supported: All networked computers can retrieve TCP/IP settings automatically
from this device.
Web-based Configuration: Configurable by any networked computer’s Web browser using
Netscape or Internet Explorer.
Network Filter Supported: The Packet Filter lets you control access to a network by analyzing
the incoming and outgoing packets; each packet is passed or dropped based on its source and
destination IP address.
Universal Plug and Play (UPnP) Supported: Enables devices such as PCs, routers and printers to
be plugged into a network and ensures automatic recognition.
Virtual Server Supported: Lets you make your Website, FTP site, and other services on your LAN
accessible to Internet users.
User Defined Application Sensing Tunnel: Lets you define the attributes to support special
applications that require multiple connections like Internet gaming, video conferencing,
Internet telephony, and so on. This device can sense the application type and open a
multi-port tunnel for it.
DMZ Host Supported: Enables a computer to be fully accessible to the Internet. This function is
used when the special application sensing tunnel feature is insufficient to allow an
application to function correctly.
SNMP Supported: SNMP (Simple Network Management Protocol) is a protocol that lets users
remotely manage a computer network by polling and setting terminal values, and monitoring
network events.
System Time Supported: Lets you synchronize system time with the network time server.
Virtual Computers Supported: The virtual computer lets you use the original NAT feature, which
lets you set up the one-to-one mapping of multiple global and local IP addresses.
URL Blocking Supported: Lets you block hundreds of Website connections by simply entering a
keyword.
Schedule Rule: Lets you set a time schedule for different services.
Routing Table Supported: Allows you to determine which physical interface address to use for
outgoing IP datagrams. If you have more than one router and subnet, enable the routing table
to allow packets to find the proper routing path and the different subnets to communicate
with each other.
4 | Panel Layout
The following figure shows the front panel layout, which is followed by a table describing in detail
the status and function of each LED.
SMCBR14VPN Front Panel
SMCBR18VPN Front Panel
LED | Function | Color | Status | Description
Power | Power indicator | Green | Steady | Power is being applied to this device
M1 | System status indicator | Orange | Blinking | M1 is flashing once every second to indicate that the system has power
WAN | WAN port activity | Green | Steady | The WAN port is connected
WAN | WAN port activity | Green | Blinking | The WAN port is sending or receiving data
Link/Act. 1–4/8 | Link status | Green | Steady | An active station is connected to the LAN port
Link/Act. 1–4/8 | Link status | Green | Blinking | The corresponding LAN port is sending or receiving data
Speed 10/100 | Data rate | Green | Steady | Data is transmitted at 100 Mbps
SMCBR14VPN Rear Panel: 4 LAN, 1 WAN, and 1 COM port
SMCBR18VPN Rear Panel: 8 LAN, 1 WAN, and 1 COM port
Port Type | Description
5 VDC | Receptor for power adapter: 5 VDC, 2 A (minimum)
WAN | Connection for the Ethernet cable to the Ethernet port on the cable or DSL modem
Port 1–4/8 | Connections for Ethernet cables to your Ethernet-enabled computers
COM | Serial port (connection for an analog modem or console cable)
5 | Hardware Installation
The router can be placed anywhere in your office or home. No special wiring or cooling
requirements are necessary. However, you should comply with the following guidelines:
• Place your router on a flat, horizontal surface
• Be sure to place your router away from any heating devices
• Avoid dusty and/or humid areas
1) Setup LAN Connection: Connect an Ethernet cable from your computer’s Ethernet port
to one of the LAN ports of the router.
2) Setup WAN Connection: Insert one end of the Ethernet cable into the WAN port on the
back panel of your router, and the other end into the cable/DSL modem. You may connect
an analog modem (optional) to function as a backup connection.
3) Power Up: The router automatically enters the self-testing phase once the power cord
is plugged into a wall outlet. When in self-testing phase, the M1 indicator LED illuminates
for about five seconds to indicate proper connection. The M1 LED flashes twice as soon
as the self-testing phase is completed. After the completion of the self-testing phase, the
M1 LED should flash once per second to indicate that the router is functioning properly.
6 | Network Settings and Software Installation
Default Settings
IP Address | 192.168.2.1
Subnet Mask | 255.255.255.0
Administrator Password | smcadmin
User Password | password
You must first verify that the TCP/IP communication protocol is properly installed and that the
computer is configured to get its IP address from the DHCP server built into this router. If
you have not previously installed TCP/IP protocols on your client PCs, refer to the following
section.
6.1 | Installing TCP/IP
Windows 95/98/Me
1. Click Start/Settings/Control Panel.
2. Double-click the Network icon and select the Configuration tab in the Network window.
3. Click the Add button.
4. Double-click Protocol.
5. Select Microsoft in the manufacturers list. Select TCP/IP in the Network Protocols list.
Click the OK button to return to the Network window.
6. The TCP/IP protocol will be listed in the Network window.
7. Click OK. The operating system may prompt you to restart your system. Click Yes and
the computer will shut down and restart.
Windows 2000/XP
1. Click the Start button and choose Settings, then click the Network and Dial-up
Connections icon.
2. Double-click the Local Area Connection icon, and click the Properties button on the
General tab.
3. Click the install button.
4. Double-click Protocol.
5. Choose Internet Protocol (TCP/IP). Click the OK button to return to the Network window.
6. The TCP/IP protocol will be listed in the Network window. Click OK to complete the
installation procedure.
6.2 | Setting up TCP/IP
Windows 95/98/Me
You may find that the instructions here do not exactly match your version of Windows. This is
because these steps and screenshots were created in Windows 98. Windows 95 and Windows
Millennium Edition are very similar, but not identical, to Windows 98.
1. From the Windows desktop, click Start/Settings/Control Panel.
2. In the Control Panel, locate and double-click the Network icon.
3. On the Network window Configuration tab, double-click the TCP/IP entry for your
network card.
4. Click the IP Address tab.
5. Click the “Obtain an IP address” option.
6. Next click on the Gateway tab and verify the Gateway field is blank. If there are IP
addresses listed in the Gateway section, highlight each one and click Remove until the
section is empty.
7. Click the OK button to close the TCP/IP Properties window.
8. On the Network Properties Window, click the OK button to save these new settings.
Note: Windows may ask you for the original Windows installation disk or additional files.
Check for the files at c:\windows\options\cabs, or insert your Windows CD-ROM into your
CD-ROM drive and check the correct file location, e.g., D:\win98, D:\win9x (if D is the
letter of your CD-ROM drive).
9. Windows may prompt you to restart the PC. If so, click the Yes button. If Windows does
not prompt you to restart your computer, do so to ensure your settings take effect.
Windows NT
1. From the Windows desktop click Start/Settings/Control Panel.
2. Double-click the Network icon.
3. Click on the Protocols tab.
4. Double-click TCP/IP Protocol.
5. Click on the IP Address tab.
6. In the Adapter drop-down list, be sure your Ethernet adapter is selected.
7. Click on “Obtain an IP address from a DHCP server.”
8. Click OK to close the window.
9. Windows may copy files and will then prompt you to restart your system. Click Yes and
your computer will shut down and restart.
Windows 2000/XP
1. Access your Network settings by clicking Start, then choose Settings and then select
Control Panel.
2. In the Control Panel, locate and double-click the Network and Dial-up Connections icon.
3. Locate and double-click the Local Area Connection icon for the Ethernet adapter that is
connected to the Router. When the Status dialog box window opens, click the Properties
button.
4. In the Local Area Connection Properties box, verify the box next to Internet Protocol
(TCP/IP) is checked. Then highlight the Internet Protocol (TCP/IP), and click the
Properties button.
5. Select “Obtain an IP address automatically” to configure your computer for DHCP. Click
the OK button to save this change and close the Properties window.
6. Click the OK button again to save these new changes.
7. Reboot your PC.
6.3 | Obtaining an IP Address
Windows 95/98/Me
1. Click Start/Run.
2. Type WINIPCFG and click OK.
3. From the drop-down menu, select your network card. Click Release and then Renew.
Verify that your IP address is now 192.168.2.xxx, your Subnet Mask is 255.255.255.0
and your Default Gateway is 192.168.2.1. These values confirm that the Router is
functioning. Click OK to close the IP Configuration window.
Windows 2000/XP
1. On the Windows desktop, click Start/Programs/Command Prompt.
2. In the Command Prompt window, type IPCONFIG /RELEASE and press the <ENTER>
key.
3. Type IPCONFIG /RENEW and press the <ENTER> key. Verify that your IP Address is now
192.168.2.xxx, your Subnet Mask is 255.255.255.0 and your Default Gateway is
192.168.2.254. These values confirm that the Router is functioning.
4. Type EXIT and press <ENTER> to close the Command Prompt window.
6.4 | Configuring a Macintosh Computer
You may find that the instructions here do not exactly match your screen. This is because these
steps and screen shots were created using Mac OS 10.2. Mac OS 7.x and above are all very
similar, but may not be identical to Mac OS 10.2.
1. Pull down the Apple Menu. Click System Preferences and select Network.
2. Make sure that Built-in Ethernet is selected in the Show field.
3. On the TCP/IP tab, select Using DHCP in the Configure field.
4. Close the TCP/IP dialog box.
6.5 | Verifying Your TCP/IP Connection
After installing the TCP/IP communication protocols and configuring an IP address in the same
network as the Router, use the ping command to check if your computer has successfully
connected to the Router. The following example shows how the ping procedure can be executed
in an MS-DOS window. First, execute the ping command:
ping 192.168.2.1
If a message similar to the following appears:
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=2ms TTL=64
…a communication link between your computer and the Router has been successfully
established.
If you get the following message:
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
…there may be something wrong in your installation procedure.
Check the following items in sequence:
1. Is the Ethernet cable correctly connected between the Router and the computer? The LAN LED
on the Router and the Link LED of the network card on your computer must be on.
2. Is TCP/IP properly configured on your computer? If the IP address of the Router is
192.168.2.1, the IP address of your PC must be from 192.168.2.2 - 254 and the default gateway
must be 192.168.2.1. If you can successfully ping the Router you are now ready to connect to
the Internet!
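The checklist in item 2 above, applied to a client's settings in code. This is an added example, not part of SMC's manual or software; the IPCONFIG output it parses is constructed, and the "Label . . . : value" layout of that output is an assumption.

```python
"""Check a client's TCP/IP settings against the Barricade's defaults.

Added example, not from the SMC manual or software. With the router at
192.168.2.1 / 255.255.255.0, the client needs an address in
192.168.2.2-254, the same mask, and 192.168.2.1 as default gateway.
"""
import ipaddress
import re
from typing import Dict, List

ROUTER_IP = "192.168.2.1"
ROUTER_MASK = "255.255.255.0"
# Windows self-assigns from this range when it gets no DHCP reply.
APIPA = ipaddress.IPv4Network("169.254.0.0/16")

# Constructed IPCONFIG-style output (not captured from a real machine);
# the "Label . . . : value" layout is assumed.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.2.37
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
"""


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Extract IP address, subnet mask and default gateway; a missing value comes back as ""."""
    fields = {}
    for label, key in (("IP Address", "ip"), ("Subnet Mask", "mask"), ("Default Gateway", "gateway")):
        match = re.search(label + r"[ .]*: *(\S*)", text)
        fields[key] = match.group(1) if match else ""
    return fields


def check_client(ip: str, mask: str, gateway: str,
                 router_ip: str = ROUTER_IP, router_mask: str = ROUTER_MASK) -> List[str]:
    """Return the problems found; an empty list means the client should get a ping reply."""
    problems = []
    lan = ipaddress.IPv4Network(f"{router_ip}/{router_mask}", strict=False)
    router = ipaddress.IPv4Address(router_ip)
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        # Blank or garbage address: release/renew never produced a lease.
        return [f"no valid IP address ({ip!r}): the DHCP lease was not obtained"]
    if addr in APIPA:
        problems.append(f"{addr} is a self-assigned address: the router's DHCP server was not reached")
    elif addr not in lan or addr == router or addr in (lan.network_address, lan.broadcast_address):
        # Usable client addresses are 192.168.2.2-254 with the default settings.
        problems.append(f"{addr} is not a usable client address in {lan} (router is {router})")
    if mask != router_mask:
        problems.append(f"subnet mask {mask or '(blank)'} should be {router_mask}")
    if gateway != router_ip:
        problems.append(f"default gateway {gateway or '(blank)'} should be {router_ip}")
    return problems


if __name__ == "__main__":
    settings = parse_ipconfig(SAMPLE_IPCONFIG)
    print(settings, check_client(**settings) or "OK: ping 192.168.2.1 should get a reply")
```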
7 | Configuring Your Broadband VPN Router
Before you attempt to log into the web-based Administration, please verify the following.
1. Your browser is configured properly (see below).
2. Disable any firewall or security software that may be running.
3. Confirm that you have a good link LED where your computer is plugged into the Router.
If you don’t have a link light, then try another cable until you get a good link.
7.1 | Browser Configuration
Confirm your browser is configured for a direct connection to the Internet using the Ethernet
cable that is installed in the computer. This is configured through the options/preference section
of your browser.
You will also need to verify that the HTTP Proxy feature of your web browser is disabled. This is
so that your web browser will be able to view the Router configuration pages. The following
steps are for Internet Explorer and for Netscape. Determine which browser you use and follow
the appropriate steps.
Internet Explorer 5 or above (For Windows)
1. Open Internet Explorer. Click Tools, and then select Internet Options.
2. In the Internet Options window, click the Connections tab.
3. Click the LAN Settings button.
4. Clear all the check boxes and click OK to save these LAN settings changes.
5. Click OK again to close the Internet Options window.
Internet Explorer (For Macintosh)
1. Open Internet Explorer. Click Explorer/Preferences.
2. In the Internet Explorer Preferences window, under Network, select Proxies.
3. Uncheck all check boxes and click OK.
7.2 | Web Management
To access the Router’s management interface, enter the Router IP address in your web browser
http://192.168.2.1.
Note that there are two different Web user interfaces, one for general users and one for the
system administrator. To log on as an administrator, enter the system password (default
password is smcadmin) and click the LOGIN button. If you typed the password correctly, the
left panel of the Web user interface changes to the administrator configuration mode as shown in
the following figures.
7.3 | Setup Wizard
Time Zone
After logging into the web management, click on SETUP WIZARD on the top left navigation
panel. The first item is Time Zone. For accurate timing of client filtering and log events, you need
to set the time zone. Select your time zone from the drop-down list.
Broadband Type
The following screen lets you select a WAN type. Click one of the five options and then click
[Next].
Cable Modem
The cable modem option allows you to configure a host name and MAC Address. The Host Name
is optional, but may be required by some ISPs. The default MAC address is set to the WAN’s
physical interface on the Router. Use this address when registering for Internet service, and do
not change it unless required by your ISP. If your ISP used the MAC address of an Ethernet card
as an identifier when first setting up your broadband account, only connect the PC with the
registered MAC address to the Router and click the Clone MAC Address button. This will replace
the current Router MAC address with the already registered Ethernet card MAC address. If you
are unsure of which PC was originally set up by the broadband technician, call your ISP and
request that they register a new MAC address for your account. Register the default MAC address
of the Router.
Fixed-IP xDSL
Some xDSL Internet Service Providers may assign a fixed (static) IP address. If you have been
provided with this information, choose this option and enter the assigned IP address, gateway IP
address, DNS IP addresses, and subnet mask.
PPPoE xDSL
Enter the PPPoE User Name and Password assigned by your Service Provider. The Service Name
is normally optional, but may be required by some service providers. Leave the Maximum
Transmission Unit (MTU) at the default value unless you have a particular reason to change it.
Enter a Maximum Idle Time (in minutes) to define a maximum period of time for which the
Internet connection is maintained during inactivity. If the connection is inactive for longer than
the Maximum Idle Time, it will be dropped. (Default: 10) Configure the Connect mode option to
the desired settings. “Always On Line” signifies that the broadband router will maintain your
Internet connection consistently and automatically connect to the Internet after any
disconnection. “Manual Connect” signifies that the broadband router will establish an Internet
connection only when the administrator logs into the web management and manually presses the
“Connect” button. While using the “Connect On Demand” option, if the connection is inactive for
longer than the Maximum Idle Time, it will be dropped and will automatically re-establish the
connection as soon as you attempt to access the Internet again.
PPTP
Point-to-Point Tunneling Protocol is a common connection method used for xDSL connections in
Europe. It can be used to join different physical networks using the Internet as an intermediary.
If you have been provided with the information as shown on the screen, enter the assigned IP
address, subnet mask, default gateway IP address, user ID and password, and PPTP Gateway.
Configure the Connect mode option to the desired settings. “Always On Line” signifies that the
broadband router will maintain your Internet connection consistently and automatically connect
to the Internet after any disconnection. “Manual Connect” signifies that the broadband router will
establish an Internet connection only when the administrator logs into the web management and
manually presses the “Connect” button. While using the “Connect On Demand” option, if the
connection is inactive for longer than the Maximum Idle Time, it will be dropped and will
automatically re-establish the connection as soon as you attempt to access the Internet again.
BigPond
If you use the BigPond Internet Service which is available in Australia, enter your username and
password and apply the changes.
L2TP
Layer 2 Tunneling Protocol is a common connection method used for xDSL connections in
Europe. It can be used to join different physical networks using the Internet as an intermediary.
If you have been provided with the information as shown on the screen, enter the assigned IP
address, subnet mask, default gateway IP address, user ID and password, and L2TP Gateway.
Configure the Connect mode option to the desired settings. “Always On Line” signifies that the
broadband router will maintain your Internet connection consistently and automatically connect
to the Internet after any disconnection. “Manual Connect” signifies that the broadband router will
establish an Internet connection only when the administrator logs into the web management and
manually presses the “Connect” button. While using the “Connect On Demand” option, if the
connection is inactive for longer than the Maximum Idle Time, it will be dropped and will
automatically re-establish the connection as soon as you attempt to access the Internet again.
Dial-Up
Most Dial-up users will select this option to connect to their ISP through an analog dial-up
modem. This feature can be used as a back-up when your broadband connectivity is unavailable.
Enter the phone number, account name and password assigned to you by your ISP. The baud
rate is the communication rate between the broadband router and your modem. Set this to the
desired rate. If you have received DNS addresses from your ISP, enter them here, otherwise
leave these addresses at their default settings. The modem initialization string setting is most
commonly used to optimize the communication quality between the ISP and your analog dial-up
modem. If you are using the dial-up modem as a backup, enable the “Auto Backup/Failover”
option. Configure the Connect mode option to the desired settings. “Always On Line” signifies
that the broadband router will maintain your Internet connection consistently and automatically
connect to the Internet after any disconnection. “Manual Connect” signifies that the broadband
router will establish an Internet connection only when the administrator logs into the web
management and manually presses the “Connect” button. While using the “Connect On Demand”
option, if the connection is inactive for longer than the Maximum Idle Time, it will be dropped
and will automatically re-establish the connection as soon as you attempt to access the Internet
again.
7.4 | Advanced Setup – SYSTEM
Time Zone
Use the section below to configure the Barricade's system time. Select your time zone and
configure the daylight saving option based on your location. This information is used for the
time/date parental rules you can configure with the Barricade's Advanced Firewall. This
information is also used for your network logging.
Once you set your time zone, you can automatically update the Barricade's internal clock by
synchronizing with a public time server over the Internet. To configure this setting, choose one of
the options below; each option allows a different method of updating.
Password Settings
Use this section to configure the 2 password accounts and idle time-out setting for your Barricade
Router. There are 2 levels of admin access for this VPN Router:
The Administrator account has Read/Write permission to view and change any settings. The
default password for this account is "smcadmin".
The User account has Read-Only permissions to view but not change the settings. The default
password for this account is "password".
Remote Management
Use this section to configure the remote management feature of your Barricade Router so the
web-management can be accessed from the Internet (WAN). You can restrict access to a single
IP or a range of IP addresses. If the specified IP address is 0.0.0.0, any host can connect to the
router to perform these tasks. You can use /nn (subnet mask bits) notation to specify a group
of trusted IP addresses, for example 10.1.2.0/24. You can also change the remote port that the
administrator uses to gain access to the web management.
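The three rule forms described above (a single IP, a /nn network, and 0.0.0.0 for any host) evaluated in code, with an audit of how much of the Internet each form admits. This is an added example, not SMC firmware code; it assumes a bare address admits only that one host and that host bits set in a /nn spec are ignored, and the source addresses it checks are constructed.

```python
"""Evaluate a remote management trust rule in the three forms the manual
describes: a single IP, a /nn network, or 0.0.0.0 meaning "any host".

Added example, not SMC's firmware code. Assumptions: a bare address
admits only that host, and host bits set in a /nn spec are ignored.
"""
import ipaddress
from typing import List, Optional

ANY_HOST = "0.0.0.0"


def parse_trusted(spec: str) -> Optional[ipaddress.IPv4Network]:
    """Return the trusted network, or None when the rule is 0.0.0.0 (any host)."""
    spec = spec.strip()
    if spec == ANY_HOST:
        return None
    # strict=False: "10.1.2.5/24" is read as 10.1.2.0/24; a bare address becomes a /32.
    return ipaddress.IPv4Network(spec, strict=False)


def remote_admin_allowed(spec: str, source_ip: str) -> bool:
    """True if a WAN-side client at source_ip may reach the web management page."""
    trusted = parse_trusted(spec)
    if trusted is None:
        return True
    return ipaddress.IPv4Address(source_ip) in trusted


def audit_rule(spec: str) -> List[str]:
    """Findings a defender would want to see before enabling remote management."""
    findings = []
    trusted = parse_trusted(spec)
    if trusted is None:
        findings.append("0.0.0.0 admits every Internet host; restrict to the administrator's address or network")
    elif trusted.num_addresses > 256:
        findings.append(f"{trusted} is wider than a /24; narrow it to the hosts that actually need access")
    return findings


def filter_sources(spec: str, sources: List[str]) -> List[str]:
    """Which of the given WAN source addresses the rule would let through."""
    return [ip for ip in sources if remote_admin_allowed(spec, ip)]


if __name__ == "__main__":
    # Constructed sample of WAN-side source addresses, not captured traffic.
    seen = ["10.1.2.44", "10.1.3.9", "198.51.100.7"]
    for rule in (ANY_HOST, "10.1.2.0/24", "198.51.100.7"):
        print(rule, "->", filter_sources(rule, seen), audit_rule(rule))
```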
Syslog Server
The Syslog Server tool will automatically download the Barricade log to the server IP address
specified by the user. Enter the Server LAN IP Address and select the Enable radio button to
enable this function. The broadband router is also able to send the log files to a specific email
address. Simply enter the IP address of your mail server in the SMTP Server box, enter the email
addresses of the recipients who will receive the email log, and put in your username and
password. Note that you can also customize the subject title of the email! Check to be sure the
radio button for Enable is checked and then submit the changes.
7.5 | Advanced Setup - WAN
Dynamic IP
The cable modem option allows you to configure a host name and MAC Address. The Host Name
is optional, but may be required by some ISPs. The default MAC address is set to the WAN’s
physical interface on the Router. Use this address when registering for Internet service, and do
not change it unless required by your ISP. If your ISP used the MAC address of an Ethernet card
as an identifier when first setting up your broadband account, only connect the PC with the
registered MAC address to the Router and click the Clone MAC Address button. This will replace
the current Router MAC address with the already registered Ethernet card MAC address. If you
are unsure of which PC was originally set up by the broadband technician, call your ISP and
request that they register a new MAC address for your account. Register the default MAC address
of the Router.
PPPoE
Enter the PPPoE User Name and Password assigned by your Service Provider. The Service Name
is normally optional, but may be required by some service providers. Leave the Maximum
Transmission Unit (MTU) at the default value unless you have a particular reason to change it.
Enter a Maximum Idle Time (in minutes) to define a maximum period of time for which the
Internet connection is maintained during inactivity. If the connection is inactive for longer than
the Maximum Idle Time, it will be dropped. (Default: 10) Configure the Connect mode option to
the desired settings. “Always On Line” signifies that the broadband router will maintain your
Internet connection consistently and automatically connect to the Internet after any
disconnection. “Manual Connect” signifies that the broadband router will establish an Internet
connection only when the administrator logs into the web management and manually presses the
“Connect” button. While using the “Connect On Demand” option, if the connection is inactive for
longer than the Maximum Idle Time, it will be dropped and will automatically re-establish the
connection as soon as you attempt to access the Internet again.
PPTP
Point-to-Point Tunneling Protocol is a common connection method used for xDSL connections in
Europe. It can be used to join different physical networks using the Internet as an intermediary.
If you have been provided with the information as shown on the screen, enter the assigned IP
address, subnet mask, default gateway IP address, user ID and password, and PPTP Gateway.
Configure the Connect mode option to the desired settings. “Always On Line” signifies that the
broadband router will maintain your Internet connection consistently and automatically connect
to the Internet after any disconnection. “Manual Connect” signifies that the broadband router will
establish an Internet connection only when the administrator logs into the web management and
manually presses the “Connect” button. While using the “Connect On Demand” option, if the
connection is inactive for longer than the Maximum Idle Time, it will be dropped and will
automatically re-establish the connection as soon as you attempt to access the Internet again.
Static IP
Some Internet Service Providers may assign a fixed (static) IP address. If you have been
provided with this information, choose this option and enter the assigned IP address, gateway IP
address, DNS IP addresses, and subnet mask.
BigPond
If you use the BigPond Internet Service which is available in Australia, enter your username and
password and apply the changes.
L2TP
Layer 2 Tunneling Protocol is a common connection method used for xDSL connections in
Europe. It can be used to join different physical networks using the Internet as an intermediary.
If you have been provided with the information as shown on the screen, enter the assigned IP
address, subnet mask, default gateway IP address, user ID and password, and L2TP Gateway.
Configure the Connect mode option to the desired settings. “Always On Line” signifies that the
broadband router will maintain your Internet connection consistently and automatically connect
to the Internet after any disconnection. “Manual Connect” signifies that the broadband router will
establish an Internet connection only when the administrator logs into the web management and
manually presses the “Connect” button. While using the “Connect On Demand” option, if the
connection is inactive for longer than the Maximum Idle Time, it will be dropped and will
automatically re-establish the connection as soon as you attempt to access the Internet again.
Dial Up
Most Dial-up users will select this option to connect to their ISP through an analog dial-up
modem. This feature can be used as a back-up when your broadband connectivity is unavailable.
Enter the phone number, account name and password assigned to you by your ISP. The baud
rate is the communication rate between the broadband router and your modem. Set this to the
desired rate. If you have received DNS addresses from your ISP, enter them here, otherwise
leave these addresses at their default settings. The modem initialization string setting is most
commonly used to optimize the communication quality between the ISP and your analog dial-up
modem. If you are using the dial-up modem as a backup, enable the “Auto Backup/Failover”
option. Configure the Connect mode option to the desired settings. “Always On Line” signifies
that the broadband router will maintain your Internet connection consistently and automatically
connect to the Internet after any disconnection. “Manual Connect” signifies that the broadband
router will establish an Internet connection only when the administrator logs into the web
management and manually presses the “Connect” button. While using the “Connect On Demand”
option, if the connection is inactive for longer than the Maximum Idle Time, it will be dropped
and will automatically re-establish the connection as soon as you attempt to access the Internet
again.
7.6 | Advanced Setup - LAN
This is the local IP address of the router. All networked computers must use the LAN IP address
of the router as their default Gateway. However, if necessary, it can be changed. Here you can
configure the LAN IP address for the router and enable/disable the DHCP server for dynamic
client address allocation. You can change the lease time if necessary as well. By default this is set
to “One Week”. The other options are Half Hour, One Hour, Two Hours, Half Day, One Day, Two
Days, and Forever. “Forever” signifies that there is no time limit on the IP address lease.
For the IP address pool, a dynamic IP address range may be specified (Default: 192.168.2.100–199).
Once a range such as 192.168.2.100–199 has been assigned, those addresses form the dynamic IP
address pool, and the addresses 192.168.2.2–99 and 192.168.2.200–254 remain available for
static assignment. Remember not to include the address
of the Router in the client address pool. Also remember to configure your client PCs for dynamic
IP address allocation. Lastly, you can enter a local domain suffix in the Domain Name field.
You also have the option to configure more advanced settings by clicking the “More” button. You
can configure the router’s DHCP server to give out specific Primary and Secondary DNS, Primary
and Secondary WINS, and an alternate Gateway (in the event that the router is not the Internet
gateway).
Clicking on the “Client List” link brings up the DHCP Client Table, showing all the clients that have
obtained DHCP addresses from the router.
7.7 | Advanced Setup - NAT
7.7.1 | Virtual Server
The firewall of the router filters out unrecognized packets to protect your intranet. This means
that all network hosts are invisible to the outside world. However, some of the hosts can be
made accessible by enabling the Virtual Server mapping. A virtual server is defined as a Service
Port. All requests to this port will be redirected to the computer specified by the Server IP.
The virtual server can work with scheduling rules as well. This gives you more flexibility for
access control.
For example, if you have an FTP server (port 21) at 192.168.123.1, a Web server (port 80) at
192.168.123.2, and a PPTP VPN server (port 1723) at 192.168.123.6, you need to specify the
following virtual server mapping as shown in the table below:
Service Port   Server IP        Enable
21             192.168.123.1    X
80             192.168.123.2    X
1723           192.168.123.6    X
The “IP Address” section should contain the IP of the server computer in the LAN network that
will be providing the virtual services. The “Public Port” is the port number or port range on the
WAN side that will be used to access the virtual service. The “Private Port” is the port number of
the service used by the server computer. “Data Type” can be User Datagram Protocol (UDP),
Transmission Control Protocol (TCP) or both. This depends on the type of service you are
running. TCP is a connection-oriented protocol and UDP is connectionless. Since most services are
connection-oriented, you will most likely need to select TCP. For example, FTP and HTTP are
connection-oriented services while DNS and many streaming radio servers are connectionless.
7.7.2 | Special Applications
Some applications require multiple connections, such as Internet games, video conferencing, and
Internet telephony. These applications cannot work with a pure NAT router because of the
firewall function. However, the Special Applications feature allows some of these applications to
work with the router. Should the Special Applications feature fail to make an application work,
you can try setting your computer as a DMZ host.
Trigger: This is the outbound port number issued by the application.
Incoming Ports: When the trigger packet is detected, the inbound packets sent to specified
port numbers are allowed to pass through the firewall.
The router provides some predefined settings. To add a predefined setting to your list, select an
application and click “Copy to”.
Note: Only one computer can use the Special Application tunnels at any given time.
For a full list of ports and the services that run on them, see
http://www.iana.org/assignments/port-numbers
7.7.3 | Virtual Computer
The “Virtual Computer” option provides one-to-one NAT while preserving the privacy and security
of the rest of the local network. Each configured global (WAN-side) IP address is mapped to a
single local IP address; all other LAN hosts continue to use the router’s normal NAT.
7.8 | Advanced Setup - FIREWALL
7.8.1 | Network Filters
The VPN Broadband Router firewall includes comprehensive Outbound and Inbound Network
Packet Filters. The firewall does not significantly affect system performance. The packet filter lets
you control which packets are allowed to pass through the router. The Outbound Filter applies to
all outbound packets. The Inbound Filter applies only to packets addressed to a virtual server or
DMZ host.
You can select one of the two filtering policies:
• Allow all to pass except those that match the specified rules
• Deny all to pass except those that match the specified rules
You can apply up to 8 rules for each direction, inbound or outbound. For each rule you can
define the following:
• Source IP address
• Source port address
• Destination IP address
• Destination port address
• Protocol: TCP or UDP, or both
• Use Rule #
You can define a single IP address (4.3.123.254) or a range of IP addresses (for example,
4.3.2.1 – 4.3.2.254; the lower address comes first) for the source or destination IP address. A
blank IP implies that all IP addresses are included. You can define a single port (80) or a range of
ports (1000 – 1999) for the source or destination port. Specify the TCP or UDP protocol by adding
the prefix T or U to the port (T80, U1000 – 1999); a port without a prefix matches both protocols,
and a blank port field matches all ports. Each rule can be enabled or disabled. Because the
Inbound Filter only sees traffic already mapped to a virtual server or DMZ host, it cannot open
ports by itself; it narrows which sources and ports those mappings accept.
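The following Python model of the filter is an added example, not firmware code from SMC or
the manual. It implements the rule syntax described above (blank fields match anything, single
values or ranges for IP and port, an optional T/U prefix selecting TCP or UDP, at most 8 rules per
direction) under both policies, and rejects an inverted range instead of silently matching
nothing. The rule and packet values are constructed for illustration.

```python
"""Model of the VPN Broadband Router's per-direction packet filter.

Added example, not SMC firmware code. It implements the rule syntax the manual
describes: a blank IP field means any address, an IP field holds one address or
a dotted range, a port field holds one port or a range, an optional T or U
prefix restricts the port field to TCP or UDP (no prefix means either), at most
8 rules per direction, and a policy of allow-all-except or deny-all-except.
"""
import ipaddress
from dataclasses import dataclass

ALLOW_EXCEPT = "allow all except rules"   # pass everything but what a rule matches
DENY_EXCEPT = "deny all except rules"     # drop everything but what a rule matches
MAX_RULES = 8


@dataclass
class Rule:
    src_ip: str = ""      # "" | "4.3.2.1" | "4.3.2.1 - 4.3.2.254"
    src_port: str = ""    # "" | "80" | "1000-1999" | "T80" | "U1000-1999"
    dst_ip: str = ""
    dst_port: str = ""
    enabled: bool = True


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text.strip()))


def parse_ip_field(text: str):
    """Return None (any) or an inclusive (low, high) pair of integer addresses."""
    text = text.strip()
    if not text:
        return None
    if "-" in text:
        low, high = (_ip(part) for part in text.split("-", 1))
    else:
        low = high = _ip(text)
    if low > high:
        raise ValueError(f"inverted IP range: {text!r}")
    return low, high


def parse_port_field(text: str):
    """Return None (any) or (proto_or_None, low, high); proto comes from the T/U prefix."""
    text = text.strip().upper().replace(" ", "")
    if not text:
        return None
    proto = None
    if text[0] in ("T", "U"):
        proto = "tcp" if text[0] == "T" else "udp"
        text = text[1:]
    low_s, _, high_s = text.partition("-")
    low, high = int(low_s), int(high_s or low_s)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return proto, low, high


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule never matches; blank fields match anything."""
    if not rule.enabled:
        return False
    for spec, value in ((parse_ip_field(rule.src_ip), _ip(pkt.src_ip)),
                        (parse_ip_field(rule.dst_ip), _ip(pkt.dst_ip))):
        if spec is not None and not spec[0] <= value <= spec[1]:
            return False
    for spec, value in ((parse_port_field(rule.src_port), pkt.src_port),
                        (parse_port_field(rule.dst_port), pkt.dst_port)):
        if spec is None:
            continue
        proto, low, high = spec
        if (proto is not None and proto != pkt.proto) or not low <= value <= high:
            return False
    return True


def filter_decision(policy: str, rules: list, pkt: Packet) -> str:
    """Apply the direction's policy and rule list to one packet: 'pass' or 'drop'."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"the router accepts at most {MAX_RULES} rules per direction")
    matched = any(rule_matches(r, pkt) for r in rules)
    if policy == ALLOW_EXCEPT:
        return "drop" if matched else "pass"
    if policy == DENY_EXCEPT:
        return "pass" if matched else "drop"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed outbound policy: everything may leave except SMTP from any host and
# UDP 1000-1999 from the workstation range; rule 3 is present but disabled.
OUTBOUND_RULES = [
    Rule(dst_port="T25"),
    Rule(src_ip="192.168.2.10 - 192.168.2.20", dst_port="U1000-1999"),
    Rule(dst_port="80", enabled=False),
]

if __name__ == "__main__":
    smtp = Packet("tcp", "192.168.2.5", 40000, "203.0.113.9", 25)
    print(filter_decision(ALLOW_EXCEPT, OUTBOUND_RULES, smtp))  # drop
```

Note the asymmetry the model makes visible: under “deny all except”, a blank rule (all fields
empty) re-opens everything, while under “allow all except” the same rule blocks everything, so
check the policy before relying on a rule with empty fields.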
7.8.2 | URL Blocking
URL Blocking blocks LAN computers from accessing pre-defined Websites. The difference
between the Domain Filter and URL Blocking is that the Domain filter requires you to enter a
suffix (.com or .org), while URL Blocking requires you to enter only a keyword. In other words,
the Domain Filter can block specific Websites, while URL Blocking can block hundreds of Websites
simply by using a keyword.
• URL Blocking: Check the box next to Enable if you want to enable the URL Blocking option.
• URL / Keyword: If any part of a Website’s URL matches the pre-defined word you have entered
here, the connection will be blocked. For example, if you type the word “firewall” into the URL
text field, all URLs containing that word will be blocked.
• Enable: Check the box to enable the rule.
• Use Rule #: Applies a configured schedule rule.
7.8.3 | MAC Filter
MAC Address Filtering lets you assign different access rights to clients identified by their MAC
address, and you can also bind a specific IP address to a certain MAC address. Note that a MAC
address is set by the client and can be changed, so MAC filtering identifies cooperating devices; it
is not a form of authentication.
Select the Enable radio button to enable the MAC Address Control. All of the settings on this
screen take effect only when Enable is selected.
• MAC Address: This is the unique address of a specific client.
• IP Address: Expected IP address of the corresponding client. You can leave this text field
blank if you do not know the address.
• DHCP clients: The DHCP pull-down menu lets you select specific clients. Select a client from
the DHCP clients list and click “Copy to” to copy its MAC address into the entry chosen from
the ID pull-down menu.
• Previous Page / Next Page: Use these links to navigate to different pages. The router
supports up to 32 MAC filters.
7.8.4 | Schedule Rule
Set scheduled times to be used to control what time of day a service or set of services is enabled.
Use this section to configure up to 10 Schedule Rules to limit network access based on time and
day. To create a schedule rule click the [Add Schedule Rule...] link below.
Enter a rule name into the text field next to “Name of Rule 1”. Click Save Settings to save your
settings.
The Schedule Rule screen appears. It now shows your setting for Rule 1. If you need to make
changes to your setting, click the Edit button. If you want to delete Rule 1, click the Delete
button.
7.8.5 | Advanced
In this section you can enable/disable Stateful Packet Inspection (SPI), Discard Ping from WAN,
and PPTP and IPSec VPN Passthrough.
When Discard Ping From WAN is enabled, computers on the Internet will not get a reply from the
VPN Broadband Router when they ping it. This may help to reduce the router’s exposure to scans.
When SPI is enabled, the router records the state of connections passing through it, such as IP
addresses, port numbers and TCP flags (for example ACK), and checks every incoming packet
against that state so that packets which do not belong to a valid connection are discarded.
7.8.6 | DMZ
If you have a local client PC that cannot run an Internet application properly from behind the
NAT firewall, then you can open the client up to unrestricted two-way Internet access by defining
a Virtual DMZ Host. Because the DMZ host receives unrestricted inbound traffic, it is fully exposed
to the Internet; treat this as a last resort, keep the host patched, and disable the DMZ when it is
no longer needed.
7.9 | Advanced Setup - VPN
7.9.1 | IPSec Tunnel
VPN settings are used to create virtual private tunnels to remote VPN gateways. The tunnel
technology supports data confidentiality, data origin authentication and data integrity of network
information, by utilizing encapsulation protocols, encryption algorithms, and hashing algorithms.
• VPN: VPN protects network information from intruders. However, it reduces network
throughput. Enable it only when a security tunnel is necessary. This feature is disabled by
default.
• Max. Number of Tunnels: Set the number of tunnels that are allowed to be in operation
simultaneously.
• Tunnel name: Lists the monitored tunnel.
• Method: IPSec VPN supports two key-exchange methods: manual key exchange and automatic
key exchange (IKE). With the manual method, the authentication and encryption keys of the
two end VPN gateways are set up by hand by the system managers. With IKE, the two
gateways negotiate their keys automatically; the system managers of both end gateways only
need to set the same pre-shared key.
• “More” button: Click the “More” button to set up the detailed configuration for the Manual
key or IKE method.
There are three settings that must be configured to enable IKE for a dedicated tunnel:
• Basic setup
• IKE proposal setup
• IPSec proposal setup
Basic Setup
• Local Subnet: The subnet of the local VPN gateway’s LAN site. The subnet can be a host, a
partial subnet, or the whole subnet of the local gateway’s LAN site.
• Local netmask: The local netmask combined with the local subnet forms a subnet domain.
• Remote subnet: The subnet of a remote VPN gateway’s LAN site. The subnet can be a host,
a partial subnet, or the whole subnet of the remote gateway’s LAN site.
• Remote netmask: The remote netmask combined with the remote subnet forms a subnet
domain.
• Remote gateway: The IP address of the remote gateway.
• Pre-shared key: The first key that supports the IKE mechanism of both VPN gateways to
negotiate further security keys. The pre-shared key must be the same for both end gateways.
Use a long, random string: anyone who learns the pre-shared key can negotiate a tunnel with
the gateway.
Options
• Select IKE proposal: Click this button to setup a set of frequently used IKE proposals for
the dedicated tunnel.
• Select IPSec proposal: Click this button to setup a set of frequently used IPSec proposals
for the dedicated tunnel.
The tunnel name is equal to the name you configured on the previous page of VPN settings. The
IKE proposal index includes the settings for a set of frequently used IKE proposals and offers a
selection of the IKE proposals. The IPSec proposal index includes the settings for a set of
frequently used IPSec proposals and offers a selection of the IPSec proposals.
7.9.2 | IKE Proposal
• IKE Proposal index: A list of selected proposal indexes from the IKE proposal pool. A
proposal is added when you select a proposal ID and click the “Add to” button next to the
Proposal ID drop-down list. A maximum of four indexes can be selected from the proposal
pool for the dedicated tunnel.
• Proposal Name: The proposal name indicates which IKE proposal will be monitored. A name
whose first character has the value 0x00 stands for an IKE proposal that is not available.
• DH Group - Three groups can be selected:
o Group 1 (MODP768)
o Group 2 (MODP1024)
o Group 5 (MODP1536)
• Encryption algorithm - Two algorithms can be selected:
o 3DES
o DES
• Authentication algorithm - Two algorithms can be selected:
o SHA1
o MD5
Of these options, Group 5, 3DES and SHA1 are the strongest the router offers; select Group 1,
DES or MD5 only when the remote gateway supports nothing better.
• Life Time: The unit of Life Time is given by the Life Time Unit, which can be seconds or KB. If
the unit is seconds, the value represents the lifetime of the dedicated VPN tunnel between
both end gateways before it is renegotiated; it can range from 300 to 172,800 seconds. If the
unit is KB, the value represents the maximum amount of data that may be transmitted
through the tunnel before it is renegotiated; it can range from 20,480 to 2,483,647 KB.
• Life Time Unit: The life time unit can be set to seconds or KB.
• Proposal ID: The identifier of the IKE proposal that can be selected for adding a corresponding
proposal to the dedicated tunnel. A total of ten proposals can be set in the proposal pool. A
maximum of four proposals from the pool can be applied to the dedicated tunnel.
• “Add to” button: Click this button to add the proposal shown in the Proposal ID field to the IKE
Proposal index list. The proposals in the index list are offered in phase 1 of the IKE
negotiation to establish the ISAKMP SA of the dedicated tunnel.
7.9.3 | IPSec Proposal
• IPSec Proposal index: A list of selected proposal indexes from the IPSec proposal pool. A
proposal is added when you select a proposal ID and click the “Add to” button next to the
Proposal ID drop-down list. A maximum of four indexes can be selected from the proposal
pool for the dedicated tunnel.
• Proposal Name: The proposal name indicates which IPSec proposal will be monitored. A name
whose first character has the value 0x00 stands for an IPSec proposal that is not available.
• DH Group - Three groups can be selected:
o Group 1 (MODP768)
o Group 2 (MODP1024)
o Group 5 (MODP1536)
You can also select None. Selecting None disables perfect forward secrecy for the tunnel: the
phase 2 keys are then derived from the phase 1 secret alone.
• Encapsulation protocol - Two protocols can be selected:
o ESP
o AH
• Encryption algorithm - Two algorithms can be selected:
o 3DES
o DES
When the encapsulation protocol is set to AH, no encryption algorithm is needed, because AH
authenticates the traffic without encrypting it.
• Authentication algorithm - Two algorithms can be selected:
o SHA1
o MD5
You can also select None. Selecting None leaves the ESP traffic without integrity protection and
is not recommended.
• Life Time: The unit of Life Time is given by the Life Time Unit, which can be seconds or KB. If
the unit is seconds, the value represents the lifetime of the dedicated VPN tunnel between
both end gateways before it is renegotiated; it can range from 300 to 172,800 seconds. If the
unit is KB, the value represents the maximum amount of data that may be transmitted
through the tunnel before it is renegotiated; it can range from 20,480 to 2,483,647 KB.
• Life Time Unit: The life time unit can be set to seconds or KB.
• Proposal ID: The identifier of the IPSec proposal that can be selected for adding a
corresponding proposal to the dedicated tunnel. A total of ten proposals can be set in the
proposal pool. A maximum of four proposals from the pool can be applied to the dedicated
tunnel.
• “Add to” button: Click this button to add the proposal shown in the Proposal ID field to the
IPSec Proposal index list. The proposals in the index list are offered in phase 2 of the
negotiation to establish the IPSec SA of the dedicated tunnel.
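The Python model below is an added example, not SMC firmware code, covering the IKE (7.9.2)
and IPSec (7.9.3) proposal lists together. It shows how a responder picks from the up-to-four
proposals an initiator offers, which is why the order of the index list matters and why listing a
DES/MD5 fallback lets a weak peer pull the tunnel down to it. The strength ranking in
weaknesses() and the constructed proposal lists are this example’s own.

```python
"""IKE phase 1 and IPSec phase 2 proposal selection, modelled after 7.9.2 and 7.9.3.

Added example, not SMC firmware code. Each end lists up to four proposals from
its pool. The responder accepts the first proposal in the initiator's list whose
algorithms it also offers, which is how IKEv1 implementations usually apply the
selection rule of RFC 2409; lifetimes are not part of the match. The strength
ranking in weaknesses() is this example's own and only covers the options the
router exposes.
"""
from dataclasses import dataclass
from typing import Optional

MAX_PER_TUNNEL = 4


@dataclass(frozen=True)
class Proposal:
    dh_group: str            # "Group1", "Group2", "Group5", or "None" (phase 2 only)
    encryption: str          # "3DES", "DES", or "None" (AH carries no encryption)
    auth: str                # "SHA1", "MD5", or "None"
    encap: str = "ESP"       # phase 2 only: "ESP" or "AH"; ignored in phase 1
    lifetime: int = 28800
    lifetime_unit: str = "Sec."

    def algorithms(self) -> tuple:
        """The part of a proposal both ends must agree on."""
        return (self.dh_group, self.encryption, self.auth, self.encap)


def negotiate(initiator: list, responder: list) -> Optional[Proposal]:
    """Return the initiator's first proposal the responder also lists, or None."""
    for side in (initiator, responder):
        if len(side) > MAX_PER_TUNNEL:
            raise ValueError(f"at most {MAX_PER_TUNNEL} proposals per tunnel")
    accepted = {p.algorithms() for p in responder}
    for proposal in initiator:
        if proposal.algorithms() in accepted:
            return proposal
    return None


def weaknesses(proposal: Proposal, phase: int) -> list:
    """Warnings about a chosen proposal, in this example's own ranking."""
    notes = []
    if proposal.encryption == "DES":
        notes.append("single DES (56-bit key)")
    if proposal.auth == "MD5":
        notes.append("MD5 integrity")
    if proposal.auth == "None":
        notes.append("no integrity protection")
    if proposal.dh_group == "Group1":
        notes.append("768-bit MODP group")
    if phase == 2 and proposal.dh_group == "None":
        notes.append("no PFS: phase 2 keys depend only on the phase 1 secret")
    if phase == 2 and proposal.encap == "AH":
        notes.append("AH: integrity only, no confidentiality")
    return notes


# Constructed proposal lists: the initiator puts its preferred proposal first but
# still offers a weak fallback, and the responder only speaks the weak one.
STRONG = Proposal("Group5", "3DES", "SHA1")
MEDIUM = Proposal("Group2", "3DES", "SHA1")
WEAK = Proposal("Group1", "DES", "MD5")

if __name__ == "__main__":
    chosen = negotiate([STRONG, MEDIUM, WEAK], [WEAK])
    print(chosen, weaknesses(chosen, 1))   # falls back to WEAK with three warnings
```

The practical reading: put the proposals you actually want first, and leave DES or MD5 out of the
index list entirely unless a specific remote gateway cannot do better.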
7.9.4 | Dynamic VPN
When using the VPN Dynamic IP Setting, the router functions as a Dynamic VPN server. The
Dynamic VPN server does not check the VPN client IP information, so a VPN gateway at any
remote address can build a tunnel to the router. Because the pre-shared key is then the only thing
that identifies the remote peer, choose a long, random key for a dynamic tunnel.
7.9.5 | PPTP/L2TP Server
Point-to-Point Tunneling Protocol and Layer 2 Tunneling Protocol (PPTP / L2TP) allow remote users
to reach the LAN over the Internet after dialing into a local point of presence provided by their
ISP. The management interface is where you enter the username and password of each
authorized remote user, choose the authentication protocol, and set the IP address range to
assign to those users.
The VPN Broadband Router supports the PAP, CHAP and MS-CHAP authentication protocols. You
can also enable or disable MPPE, Microsoft Point-to-Point Encryption. We recommend enabling
MPPE at all times. Note that with MPPE enabled, the only supported authentication protocol is
MS-CHAP, because the shared secret encryption keys for MPPE are generated during the MS-CHAP
authentication exchange. PAP and CHAP produce no such keys, so a session authenticated with
either of them carries its traffic unencrypted.
PAP is a simple authentication protocol in which the username and password are both sent in
cleartext. We do not recommend using PAP because the password can be read directly from the
Point-to-Point Protocol (PPP) packets exchanged during the authentication process.
With Challenge Handshake Authentication Protocol (CHAP), the client proves knowledge of the
password without sending the password itself. The VPN Broadband Router sends the remote client
a challenge string. The remote client combines the challenge string with the password, computes
a Message Digest-5 (MD5) hash, and sends the hash to the VPN server. The VPN server performs
the same calculation and compares the result with the hash sent by the client. If they match, the
remote client is considered authentic. Note that an eavesdropper who records the challenge and
the response can still test password guesses offline, so CHAP does not make a weak password
safe.
Note: The virtual IP ranges of the PPTP server and the L2TP server must not overlap.
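The following Python script is an added example, not SMC firmware code. It plays both sides of
the CHAP exchange described above (RFC 1994, MD5), shows the PAP request that carries the
password in the clear for comparison, and demonstrates the residual risk with CHAP: a captured
challenge/response pair can be checked against a wordlist offline. The user database and the
wordlist are constructed.

```python
"""PAP versus CHAP on the router's PPTP/L2TP dial-in, modelled in Python.

Added example, not SMC firmware code. The CHAP half follows RFC 1994 (MD5-CHAP):
the server sends an identifier and a fresh random challenge, the client answers
with MD5(identifier || secret || challenge), and the server recomputes the digest
from its own copy of the secret and compares. The password never crosses the
link, which is the advantage over PAP shown by pap_request(). offline_guess()
shows the limit of that protection: a recorded challenge/response pair lets an
eavesdropper test password guesses at leisure. The user database is constructed.
"""
import hashlib
import hmac
import os

# Constructed dial-in account database (username -> secret).
USERS = {"alice": "correct horse battery staple"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def server_challenge(identifier: int = 1, size: int = 16) -> tuple:
    """Server side: a new unpredictable challenge for every authentication attempt."""
    return identifier, os.urandom(size)


def server_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    secret = USERS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, client_secret: str) -> bool:
    """Run one complete CHAP exchange; True if the server accepts the client."""
    identifier, challenge = server_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return server_verify(username, identifier, challenge, response)


def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID, Passwd-Length, Password.

    Both strings travel as plain octets, so anyone who can read the PPP frames
    can read the password.
    """
    user, pwd = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pwd)]) + pwd


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist: list) -> str:
    """Eavesdropper with one captured (challenge, response) pair tries a wordlist."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return ""


if __name__ == "__main__":
    print("CHAP, right password:", chap_exchange("alice", "correct horse battery staple"))  # True
    print("CHAP, wrong password:", chap_exchange("alice", "letmein"))                        # False
    print("PAP on the wire:", pap_request("alice", "correct horse battery staple"))
```

The comparison in server_verify uses hmac.compare_digest so that a wrong response is rejected in
time independent of how many leading bytes happen to match.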
7.10 | Advanced Setup - SNMP
The Simple Network Management Protocol (SNMP) lets you manage a computer network
remotely by polling and setting values on devices and monitoring network events.
• Enable SNMP: You can check Local, Remote, or both options to enable the SNMP function.
o If Local is checked, the router responds to SNMP requests from the LAN.
o If Remote is checked, the router responds to SNMP requests from the WAN.
• Get Community: The community string a manager must present for the router to answer a
read (GET) request.
• Set Community: The community string a manager must present for the router to accept a
write (SET) request.
Community strings travel in cleartext with every SNMP request and act as passwords for the
router, so choose hard-to-guess strings, and do not check Remote unless you need to manage
the router from the WAN.
7.11 | Advanced Setup - ROUTING
The Routing Table lets you determine which gateway to use for outgoing IP datagrams. If you
have more than one router and subnet, you will have to enable the routing table so that packets
can find a path between them. This allows different subnets to communicate with each other.
The settings in the routing table support static and dynamic routing. RIPv1 and RIPv2 are
dynamic routing protocols that exchange routes with neighbouring routers; RIPv2 is an
enhanced version of RIPv1 with added features such as Authentication, Routing Domain, Next
Hop Forwarding, and Subnet Mask Exchange.
Enable Static Routing by selecting the radio button next to Enable.
• Static Routing: Allows you to specify up to 8 routing rules. You can enter the destination
IP address, subnet mask, gateway, hop for each routing rule, and then enable or disable
the rule by toggling the Enable check box. Once the routing table settings are
configured, click Save.
Example:
Suppose the routing table contains a rule for 192.168.3.x via the gateway 192.168.1.33 and a
rule for 192.168.5.x via the gateway 192.168.1.55. If the host wants to send an IP datagram to
192.168.3.88, it uses the table to determine that it has to go via the 192.168.1.33 gateway. If
the host wants to send packets to 192.168.5.77, it has to go via the 192.168.1.55 gateway.
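The Python script below is an added example, not SMC firmware code. It reproduces the two
routes of the example above and performs the lookup the text describes, as longest-prefix match,
so that a more specific rule overrides a broader one. The /24 netmasks, the local LAN entry, the
extra 192.168.5.128/25 route, the default route and the hop counts are this example’s own
assumptions; the 8-rule limit is the router’s.

```python
"""Longest-prefix-match lookup over a static routing table like the one in 7.11.

Added example, not SMC firmware code. The two routes with gateways 192.168.1.33
and 192.168.1.55 reproduce the manual's example; their /24 netmasks, the local
LAN entry, the more specific 192.168.5.128/25 route, the default route and the
hop counts are this example's assumptions, added to show why the most specific
matching route must win and why a destination with host bits set is rejected.
"""
import ipaddress
from dataclasses import dataclass

MAX_STATIC_ROUTES = 8  # the router accepts up to 8 static routing rules


@dataclass(frozen=True)
class Route:
    destination: str   # network address, e.g. "192.168.3.0"
    netmask: str       # dotted netmask, e.g. "255.255.255.0"
    gateway: str       # next hop; "0.0.0.0" marks a directly connected network
    hop: int = 1
    enabled: bool = True

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=True raises ValueError when destination has host bits set under netmask
        return ipaddress.IPv4Network((self.destination, self.netmask), strict=True)


# Constructed table; entry order does not matter because the lookup ranks by prefix length.
ROUTING_TABLE = [
    Route("192.168.1.0", "255.255.255.0", "0.0.0.0"),              # assumed: local LAN
    Route("192.168.3.0", "255.255.255.0", "192.168.1.33"),         # manual's example
    Route("192.168.5.0", "255.255.255.0", "192.168.1.55"),         # manual's example
    Route("192.168.5.128", "255.255.255.128", "192.168.1.66", 2),  # assumed: more specific
    Route("0.0.0.0", "0.0.0.0", "192.168.1.254"),                  # assumed: default route
]


def validate(table: list) -> None:
    """Reject a table the router could not hold or whose destinations are not networks."""
    if len(table) > MAX_STATIC_ROUTES:
        raise ValueError(f"{len(table)} routes exceed the {MAX_STATIC_ROUTES}-rule limit")
    for route in table:
        _ = route.network  # raises for e.g. destination 192.168.3.5 with netmask 255.255.255.0


def lookup(table: list, dest_ip: str) -> str:
    """Return the next-hop gateway for dest_ip; the most specific enabled route wins."""
    ip = ipaddress.IPv4Address(dest_ip)
    best = None
    for route in table:
        if not route.enabled or ip not in route.network:
            continue
        if best is None or route.network.prefixlen > best.network.prefixlen:
            best = route
    if best is None:
        raise LookupError(f"no route to {dest_ip}")
    return best.gateway


if __name__ == "__main__":
    validate(ROUTING_TABLE)
    for dest in ("192.168.3.88", "192.168.5.77", "192.168.5.200", "8.8.8.8"):
        print(dest, "->", lookup(ROUTING_TABLE, dest))
```

A static route whose destination is a host address rather than a network address (192.168.3.5
with netmask 255.255.255.0) is the most common entry mistake; validate() catches it before the
rule is saved.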
7.12 | Advanced Setup - MISCELLANEOUS
If you experience difficulties accessing an FTP server that is running on a port other than 21, you
can enter that port in the “Non-standard FTP port” field and apply the changes.
Wake-on-LAN is a technology that lets you power up a networked computer remotely. To use this
feature, the target network adapter must be Wake-on-LAN enabled and you have to know the
MAC address of the adapter. The address should look similar to this: 00-11-22-33-44-55.
Pressing the “Wake up” button tells the router to send the wake-up frame to the target adapter.
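The Python script below is an added example, not SMC firmware code. It builds the standard
Wake-on-LAN magic frame the router’s “Wake up” button has to emit for the MAC address you
enter, checks a received frame for well-formedness, and sends it as a UDP broadcast the way a
software WoL tool does. The UDP port and broadcast address are this example’s conventional
choices, not part of the frame format.

```python
"""Build, check and send a Wake-on-LAN magic frame.

Added example, not SMC firmware code. The frame layout is the standard one the
router's "Wake up" button has to produce: six 0xFF synchronisation bytes followed
by the target adapter's MAC address repeated sixteen times (102 bytes; the
optional SecureOn password suffix is not modelled). send_magic_packet() carries
the frame in a UDP broadcast the way software WoL tools do; UDP port 9 is the
conventional choice, not part of the format.
"""
import re
import socket

SYNC = b"\xff" * 6
REPEATS = 16


def parse_mac(text: str) -> bytes:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 and return the six raw bytes."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def magic_packet(mac: str) -> bytes:
    """Magic packet = 6 x 0xFF + 16 x MAC."""
    return SYNC + parse_mac(mac) * REPEATS


def decode_magic_packet(data: bytes) -> str:
    """Return the target MAC if data is a well-formed magic packet; raise otherwise.

    A NIC only wakes if all sixteen copies match its own address, so a frame with
    one corrupted copy is rejected here too.
    """
    if len(data) != len(SYNC) + 6 * REPEATS or not data.startswith(SYNC):
        raise ValueError("not a magic packet")
    mac = data[6:12]
    if data[6:] != mac * REPEATS:
        raise ValueError("MAC repetitions do not agree")
    return format_mac(mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the frame on the local segment and return the number of bytes sent."""
    payload = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (broadcast, port))


if __name__ == "__main__":
    frame = magic_packet("00-11-22-33-44-55")
    print(len(frame), decode_magic_packet(frame))   # 102 00-11-22-33-44-55
```

The frame carries no authentication: any host on the LAN segment can wake any other, so the
router’s button is a convenience for the administrator rather than an access control.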
The ping diagnostics feature lets you enter an IP address or domain name for the router to ping,
to test whether the router can reach that host.
7.13 | Advanced Setup – DISPLAY STATUS
Enable the Display Status option to view the WAN connectivity settings on the login page. Note
that anything shown there is visible before a user has logged in.
7.14 | DDNS (Dynamic DNS)
Dynamic DNS provides users on the Internet a method to tie their domain name(s) to computers
or servers. DDNS allows your domain name to follow your IP address automatically by having
your DNS records changed when your IP address changes. Before you can enable the Dynamic
DNS, you need to register an account with one of the Dynamic DNS servers that are listed in the
Provider field.
7.15 | UPnP (Universal Plug-and-Play)
The Universal Plug and Play architecture offers pervasive peer-to-peer network connectivity of
PCs of all form factors, intelligent appliances, and wireless devices. UPnP enables seamless
proximity networking in addition to control and data transfer among networked devices in the
home, office and everywhere in between. UPnP also lets any application on the LAN ask the
router to open ports in the firewall without administrator involvement, so leave it disabled
unless you rely on an application that needs it.
7.16 | Tools
The Toolbox menu allows you to view your system logs, upgrade firmware, backup settings,
restore settings to defaults, reboot the router, and access miscellaneous settings.
7.17 | Status
You can use the Status screen to see the connection status for Barricade's WAN/LAN interfaces,
firmware and hardware version numbers, any illegal attempts to access your network, as well as
information on all DHCP client PCs currently connected to your network.
8 | IPSec Settings Guide (For Reference/Example Only)
8.1 | Local Security Policy Settings
Step 1: In Windows 2000/XP click the Start button, select Settings and then Control Panel. The
Control Panel window will open. Windows XP users may need to click “Performance and
Maintenance” in the Control Panel window (depending on user environment)
The Performance and Maintenance window opens.
Step 2: Windows 2000/XP: Double-click “Administrative Tools”. The Administrative Tools window
will now open.
Step 3: Double-click the “Local Security Policy” icon. The Local Security Settings window will
appear.
Step 4: Right-click “IP Security Policies on Local Computer”, then click “Create IP Security Policy”.
Step 5: The IP Security Policy Wizard window will appear. Click Next.
Step 6: In the next window type “to_vpn_router” in the Name field and click Next.
Step 7: Then deselect the “Activate the default response rule” check box and click Next.
Step 8: To complete the setup, make sure that the “Edit” check box is checked and click Finish.
8.2 | Create Two IP Filter Lists (PC -> Router / Router -> PC)
Filter List 1 (XP PC -> Router)
Step 1: From the “to_vpn_router” Properties window, deselect the “Use Add Wizard” check box
and click “Add” to create a new rule.
Step 2: The “Edit Rule Properties” window will open. Click “Add” to continue.
Step 3: The “IP Filter List” window opens. Enter “xp->router” in the “Name” field.
Step 4: Deselect the “Use Add Wizard” check box and click Add.
Step 5: The “Filter Properties” window opens. Select “A specific IP Address” from the Source
Address field and enter the IP address (192.168.1.1).
Step 6: Select “A specific IP Subnet” from the Destination address field and enter the IP address
(192.168.2.0) and Subnet mask (255.255.255.0).
Step 7: If you want to select a protocol for your filter, click the “Protocol” tab.
Step 8: Select the protocol type you want and click “OK”.
Step 9: You are returned to the “IP Filter List” window. Click “OK” to complete this part of the
setup.
Step 10: From the “Edit Rule Properties” window, select “Require Security” from the “Filter
Actions” field and click “Edit”.
Step 11: The “Required Security Properties” window opens. Select “Negotiate security” and then
check “Session key perfect forward secrecy (PFS)”.
Step 12: Click the “Edit” button to select a security method. The “New Security Method” window
will now appear.
Step 13: Select “Custom” and click “OK”.
The “Custom Security Method Settings” window opens.
Step 14: Check “Data integrity and encryption (ESP)”.
• Select MD5 from the Integrity algorithm field.
• Select DES from the Encryption algorithm field.
• Check the “Generate a new key every” check box, and select 10000 seconds, then click
OK.
The “Edit Rule Properties” window will open.
Step 15: Select the “Authentication Methods” tab and click “Add”. The “Edit Authentication
Method Properties” window will appear.
Step 16: Select “Use this string (preshared key)” to protect the key exchange and enter your
pre-shared key string (for example, mypresharedkey; for a real deployment use a long random
string, since anyone who learns it can authenticate to the router).
Step 17: Click “OK” to return to the “Edit Rule Properties” window, and click “OK” again. The
“Edit Rule Properties” window appears.
Step 18: Select the “Tunnel Setting” tab.
Step 19: Check “The tunnel endpoint is specified by this IP address” and enter “192.168.1.254”.
Step 20: Select the “Connection Type” tab.
Step 21: On the “Connection Type” page, select “All Network connections”.
Step 22: Click “OK” to complete the tunnel 1 xp->router configuration.
Filter List 2 (Router -> XP PC)
To configure tunnel 2, follow step 1 through step 4 from the previous section.
Step 5: The “Filter Properties” window opens. Select A specific IP Subnet from the Source
Address field.
Step 6: Enter the IP address (192.168.2.0) and the Subnet mask (255.255.255.0).
Step 7: Select “A specific IP Address” from the “Destination address” field and enter the IP
address (192.168.1.1).
Step 8: If you want to select a protocol for your filter, click the Protocol tab and continue with
step 8 through step 17 from the previous section.
The Edit Rule Properties window opens.
Step 9: Select the “Tunnel Setting” tab.
Step 10: Check “The tunnel endpoint is specified by this IP address” and enter “192.168.1.1”.
Step 11: Select the “Connection Type” tab.
Step 12: On the “Connection Type” page, select All Network connections.
Step 13: Click OK to complete the tunnel 2 router->xp configuration.
8.3 | Configuring the IKE Properties
Step 1: From the “to_vpn_router Properties” window, select the “General” tab and click
“Advanced”.
The “Key Exchange Settings” window opens.
Step 2: Check the “Master key perfect forward secrecy (PFS)” option.
Step 3: Enter “10000” into the text field below “Authenticate and generate a new key after
every” (this Windows field counts minutes, whereas the router’s IKE Life Time is in seconds), and
click “Methods”.
The “Key Exchange Security Methods” window opens.
Step 4: Click the “Add” button. The “IKE Security Algorithms” window opens.
Step 5: Select “SHA1” from the Integrity algorithm field.
Step 6: Select “3DES” from the Encryption algorithm field.
Step 7: Select “Medium (2)” from the Diffie-Hellman group field. These three choices must match
the router’s IKE proposal configured in the next section.
8.4 | Example IPSec VPN Configuration
VPN Router:
  WAN IP Address: 192.168.1.254
  LAN IP Address: 192.168.2.1
LAN PCs: 192.168.2.xxx
Remote XP PC (the host used in the IP filter lists of 8.2): 192.168.1.1
Set the VPN settings as follows:
VPN: Enable
Max. number of tunnels: 2
ID: 1
Tunnel Name: 1
Method: IKE
When finished, click “More”.
VPN Settings – Tunnel 1 – IKE
Set the Tunnel 1 IKE settings as follows:
Tunnel 1: 1
Local Subnet: 192.168.2.0
Local Netmask: 255.255.255.0
Remote Subnet: 192.168.1.1
Remote Netmask: 255.255.255.255
Remote Gateway: 192.168.1.1
Preshare Key: mypresharedkey
The remote subnet and netmask describe the single host 192.168.1.1, matching the “A specific
IP Address” filter configured on the PC in 8.2; if the selectors on the two ends differ, phase 2 will
not complete. The pre-shared key must be identical to the string entered in Step 16 of 8.2.
When finished, save your settings.
VPN Settings – Tunnel 1 – Set IKE Proposal
Set the Tunnel 1 IKE Proposal settings as follows:
ID: 1
Proposal Name: 1
DH Group: Group2
Encrypt. algorithm: 3DES
Auth. algorithm: SHA1
Life Time: 10000
Life Time Unit: Sec.
These values match the Windows IKE settings from 8.3 (3DES, SHA1, Diffie-Hellman group 2).
When finished, save the settings.
VPN Settings – Tunnel 1 – Set IPSec Proposal
Set the Tunnel 1 IPSec Proposal settings as follows:
ID: 1
Proposal Name: 1
DH Group: Group2
Encap. protocol: ESP
Encrypt. algorithm: DES
Auth. Algorithm: MD5
Life Time: 10000
Life Time Unit: Sec.
These values match the ESP settings (DES, MD5) chosen in Step 14 of 8.2; DH Group2 here
corresponds to the session key PFS enabled in Step 11. DES and MD5 are the weakest options the
router offers; if both ends support it, select 3DES and SHA1 on both sides instead.
When finished, save the settings.
Now to view the VPN connection process, go to the STATUS page and view the System Log.
9 | Troubleshooting
A. Verifying your connection to the router
If you are unable to access the Router’s web-based administration pages, then you may not be
properly connected or configured.
To determine your TCP/IP configuration status please follow the steps below:
1. Click Start then choose Run.
2. Type cmd or command to open a DOS prompt.
3. In the DOS window, type ipconfig and verify the information that is displayed.
4. If your computer is set up for DHCP, then your TCP/IP configuration should be similar to the
information displayed:
• IP Address: 192.168.2.x (x is a number between 100 and 199 by default.)
• Subnet: 255.255.255.0
• Gateway: 192.168.2.1
If you have an IP address that starts with 169.254.xxx.xxx then see the next section.
If you have another IP address configured, then see section C.
B. I am getting an IP Address that starts with 169.254.xxx.xxx
If you are getting this IP Address, then you need to check that you are properly connected to the
Router.
Confirm that you have a good link light on the Router for the port this computer is connected to.
If not, please try another cable.
If you have a good link light, please open up a DOS window as described in the previous section
and type ipconfig/renew.
If you are still unable to get an IP Address from the Router, reinstall your network adapter.
Please refer to your adapter manual for information on how to do this.
C. My computer’s IP Address is incorrect
If you have another IP address listed, then the PC may not be configured for a DHCP connection.
Once you have confirmed your computer is configured for DHCP, then please follow the steps
below.
1. Open a DOS window as described above.
2. Type ipconfig/release.
3. Then type ipconfig/renew.
D. The 10/100 LED does not light after a connection is made.
1. Check that the host computer and the Router are both powered on.
2. Be sure the network cable is connected to both devices.
3. Verify that Category 5 cable is used if you are operating at 100 Mbps, and that the length of
any cable does not exceed 100 m (328 ft).
4. Check the network card connections.
5. The 10BASE-T/100BASE-TX port, network card, or cable may be defective.
E. I can’t get an Internet game, server, or application to work.
If you are having an issue getting any Internet server, application or game to function properly,
you can expose the PC to the Internet using the DeMilitarized Zone (DMZ) function. This option is
useful when an application requires too many ports or when you are not sure which ports to use.
See section 7.8.6 to successfully configure this option.
F. I am having problems establishing a PPPoE xDSL WAN connection
Some ISPs require you to enter the domain name in addition to your username and password.
For instance, for SBC Global, enter [email protected]. For Ameritech users, enter
[email protected]. BellSouth users may need to enter [email protected], and
Mindspring subscribers enter [email protected]. Lastly, Earthlink subscribers should
enter either [email protected] or ELN/[email protected].
G. Can I use this router with AOL DSL?
This is true in most scenarios. Please verify with AOL that your particular connection type is
PPPoE. If yes, then the SMC VPN Broadband Router should work with your WAN connection.
Follow the normal procedures as described in Section 7.3 of this manual, but while doing so, set
the MTU value to 1400. AOL DSL does not allow for anything higher than 1400.
H. IPSec VPN Configuration
When setting up IPSec VPN tunnels between two BR14VPN units, two BR18VPN units, or one of each, it is
imperative that you:
a) Use the same pre-shared key on both endpoints
b) Configure matching IKE and IPSec proposals on both endpoints
To successfully create IPSec or IKE Proposal lists, you must configure the desired DH Group,
Encryption/Authentication Algorithms, and Lifetimes, and then select the appropriate proposal ID
and click the “Add to” button to add the proposal to the Index.
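The two requirements above, and the example tunnel in section 8.4, can be checked mechanically before the tunnel is brought up. The following Python script is an added example, not SMC software or anything that runs on the router: it transcribes the router side of the section 8.4 example, constructs an assumed mirror-image configuration for the Windows XP side (the manual does not tabulate that side), and reports pre-shared key, proposal, subnet and gateway mismatches. It also flags DES and MD5, which the 8.4 IPsec proposal uses, as weak by current standards; that judgement is the editor's, not the manual's, and the class and function names are assumptions.

```python
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Proposal:
    dh_group: str
    encrypt: str
    auth: str
    lifetime: int           # seconds
    encap: str = ""         # ESP/AH for IPsec proposals; empty for IKE proposals


@dataclass(frozen=True)
class Endpoint:
    name: str
    gateway: str            # this side's tunnel endpoint address
    local_net: str          # "network/netmask" as typed into the VPN settings page
    remote_net: str
    remote_gateway: str
    psk: str
    ike: Proposal
    ipsec: Proposal


# Editorial assumption: these no longer meet current strength expectations.
WEAK_ALGORITHMS = {"DES", "MD5"}

# Router side, transcribed from the section 8.4 example.
ROUTER = Endpoint(
    name="VPN Router", gateway="192.168.1.254",
    local_net="192.168.2.0/255.255.255.0",
    remote_net="192.168.1.0/255.255.255.255",
    remote_gateway="192.168.1.1",
    psk="mypresharedkey",
    ike=Proposal("Group2", "3DES", "SHA1", 10000),
    ipsec=Proposal("Group2", "DES", "MD5", 10000, encap="ESP"),
)

# PC side: constructed mirror image of the router's settings (assumed, not from the manual).
PC = Endpoint(
    name="Windows XP PC", gateway="192.168.1.1",
    local_net="192.168.1.0/255.255.255.255",
    remote_net="192.168.2.0/255.255.255.0",
    remote_gateway="192.168.1.254",
    psk="mypresharedkey",
    ike=ROUTER.ike, ipsec=ROUTER.ipsec,
)


def _net(spec):
    # strict=False lets "192.168.1.0/255.255.255.255"-style entries parse as entered.
    return ipaddress.ip_network(spec, strict=False)


def check_tunnel(a, b):
    """Return a list of findings; empty means both ends agree and use no weak algorithm."""
    findings = []
    if a.psk != b.psk:
        findings.append("pre-shared key differs between endpoints")
    if a.ike != b.ike:
        findings.append("IKE proposals differ")
    if a.ipsec != b.ipsec:
        findings.append("IPsec proposals differ")
    # Each side's remote network must be the other side's local network.
    if _net(a.remote_net) != _net(b.local_net):
        findings.append(f"{a.name} remote subnet does not match {b.name} local subnet")
    if _net(b.remote_net) != _net(a.local_net):
        findings.append(f"{b.name} remote subnet does not match {a.name} local subnet")
    if a.remote_gateway != b.gateway or b.remote_gateway != a.gateway:
        findings.append("remote gateway addresses do not point at each other")
    for side in (a, b):
        for label, prop in (("IKE", side.ike), ("IPsec", side.ipsec)):
            weak = WEAK_ALGORITHMS & {prop.encrypt, prop.auth}
            if weak:
                findings.append(f"{side.name}: {label} proposal uses weak algorithm(s) {sorted(weak)}")
    return findings


def check_mismatched_psk():
    """Worked failure case: the PC was given a different pre-shared key."""
    return check_tunnel(ROUTER, replace(PC, psk="wrongkey"))


def check_mismatched_subnet():
    """Worked failure case: the PC's remote subnet does not describe the router's LAN."""
    return check_tunnel(ROUTER, replace(PC, remote_net="192.168.3.0/255.255.255.0"))


if __name__ == "__main__":
    for finding in check_tunnel(ROUTER, PC):
        print("-", finding)
```

With the manual's own values the only findings are the two weak-algorithm notes for the IPsec proposal; a mismatched key or subnet on either side adds the corresponding line, which is the same information the router's System Log would show only after a failed negotiation.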
I. I have authentication problems with the L2TP or PPTP VPN Server
The Router’s VPN Server will reject VPN clients that attempt to connect without the proper
credentials. By the same token, if the VPN client is configured to connect only to encrypted
networks, the client will not connect to the Router’s VPN Server if it is configured for PAP or
CHAP Authentication.
If you have configured the Router’s VPN Server to use the PAP or CHAP Authentication Protocol,
MPPE Encryption cannot be enabled. Therefore, you must configure the VPN client to connect to the
Router’s VPN server without requiring encryption. By default, Windows VPN clients require
encryption. You can go into the properties of the VPN connection and disable this requirement.
J. I forgot my password and can no longer log into the router.
You should restore your router to factory defaults via its hardware reset button. Locate the reset
button (to the right of the power input). While the device is powered on, use a paper clip to
depress this button for about 5-7 seconds and then release. Now you have completed the reset
to factory defaults.
K. Upgrading the firmware
New firmware revisions will be made available as necessary when new product features or
functionality is released. You should check http://www.smc.com on a periodic basis for these
updates. If a new version is available, check the release notes to be sure of what has been
changed/added and then you can decide if you wish to complete the upgrade. Then download
and unzip the firmware file. Log into the web-based administration of the SMC Router, click
TOOLS, then click FIRMWARE UPGRADE and browse to the new firmware file. Then click the
“BEGIN UPGRADE” button to upload the firmware to the SMC Router. Once this is completed, be
sure to reset the router to factory defaults and reconfigure your WAN connection before
continuing to use it.
10 | Technical Specifications
Standards:
IEEE 802.3 10Base-T Ethernet
IEEE 802.3u 100Base-TX Fast Ethernet
Hardware / Ports:
LAN Port: 4x RJ45, 10/100 Mbps with Auto-MDI/MDIX (BR14VPN); 8x RJ45, 10/100 Mbps with Auto-MDI/MDIX (BR18VPN)
WAN Port: 1x RJ45, 10/100 Mbps with Auto-MDI/MDIX
COM Port: 1x DB9 (male), up to 115200 bps
Input Power: DC 5V 2A
LEDs:
Power: 1x Green LED for Power
WAN: 1x Amber LED for 10Mbps link / Green LED for 100Mbps link; blinking LED when data is transmitted
LAN (4 port): 4x Amber LED for 10Mbps connection; 4x Green LED for 100Mbps connection; blinking LED when data is transmitted
LAN (8 port): 8x Amber LED for 10Mbps connection; 8x Green LED for 100Mbps connection; blinking LED when data is transmitted
VPN Pass-through:
IPSec
PPTP
L2TP
VPN Support:
IPSec Endpoint
PPTP Server
L2TP Server
Key management: IKE, Manual
Aggressive/Main mode for VPN
Remote gateway FQDN support
Dynamic VPN support
Encryption algorithm: DES, 3DES, AES
Authentication algorithm: MD5, SHA-1
PFS support
Keying Mode: Pre-Shared Key
Enabled NetBIOS Broadcast
Routing:
Static Route
Dynamic Route (RIP1/2)
WAN Connection Types:
Dial-Up
ISDN
PPPoE
Dynamic IP
L2TP
PPTP
BigPond
Static IP
Input Power:
5V 2A
Operating Temperature:
0~40°C
Humidity: 10%~90% non-condensing
Compliances:
FCC
CE
VCCI
UL
11 | Terminology
10BaseT - Physical Layer Specification for Twisted-Pair Ethernet using Unshielded Twisted Pair
wire at 10Mbps. This is the most popular type of LAN cable used today because it is very cheap
and easy to install. It uses RJ-45 connectors and has a cable length span of up to 100 meters.
There are two versions, STP (Shielded Twisted Pair) which is more expensive and UTP
(Unshielded Twisted Pair), the most popular cable. These cables come in 5 different categories.
However, only 3 are normally used in LANs, Category 3, 4 and 5. CAT 3 TP (Twisted Pair) cable
has a network data transfer rate of up to 10Mbps. CAT 4 TP cable has a network data transfer
rate of up to 16Mbps. CAT 5 TP cable has a network data transfer rate of up to 100Mbps.
Access Point - A device that is able to receive wireless signals and transmit them to the wired
network, and vice versa - thereby creating a connection between the wireless and wired
networks.
Ad Hoc - An ad hoc wireless LAN is a group of computers, each with LAN adapters, connected as
an independent wireless LAN.
Adapter - A device used to connect end-user nodes to the network; each contains an interface to
a specific type of computer or system bus, e.g. EISA, ISA, PCI, PCMCIA, CardBus, etc.
Auto-Negotiation - A signaling method that allows each node to define its operational mode (e.g.,
10/100 Mbps and half/full duplex) and to detect the operational mode of the adjacent node.
Backbone - The core infrastructure of a network. The portion of the network that transports
information from one central location to another central location where it is unloaded onto a local
system.
Base Station - In mobile telecommunications, a base station is the central radio
transmitter/receiver that maintains communications with the mobile radiotelephone sets within its
range. In cellular and personal communications applications, each cell or micro-cell has its own
base station; each base station in turn is interconnected with other cells' bases.
Bitmap – A Windows and OS/2 bitmapped graphics file format. Bitmap files provide formats for 2,
16, 256, or 16 million colors. It uses the extension .BMP.
BSS - BSS stands for "Basic Service Set". It is an Access Point and all the LAN PCs that are
associated with it.
CHAP - When authenticating using Challenge Handshake Authentication Protocol (CHAP), the
knowledge of the password, rather than the password itself is what is sent by the client. With
CHAP, the VPN Broadband Router sends the remote client a challenge string. The remote client
uses the challenge string and the password, and creates a Message Digest-5 (MD5) hash which is
then forwarded to the VPN server. The VPN server computes the same hash calculation and
compares the result with the hash sent by the client. If they match, the remote client is
considered an authentic user.
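As an added illustration of the exchange just described (not from the manual or SMC's firmware), the following Python script implements the CHAP response as RFC 1994 lays it out: MD5 over the one-byte identifier, the shared secret and the challenge value, with the server discarding each challenge after one use so that a captured response cannot be presented again. The class names, the user table and the sample credential are constructed assumptions.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side of the exchange (the router's VPN server in the manual's description)."""

    def __init__(self, users):
        self.users = users        # constructed table: user name -> shared secret (bytes)
        self.pending = {}         # identifier -> outstanding challenge, removed once used

    def challenge(self, identifier):
        chal = os.urandom(16)     # fresh random value for every attempt
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier, name, response):
        # Single use: a replayed response finds no outstanding challenge and fails.
        chal = self.pending.pop(identifier, None)
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapClient:
    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        # Only the hash leaves the client; the secret itself never goes on the wire
        # (contrast PAP, where the password is sent as-is).
        return self.name, chap_response(identifier, self.secret, challenge)


USERS = {"alice": b"correct horse battery staple"}   # constructed sample credential


def authenticate(client, identifier=1):
    """One Challenge / Response / Success-or-Failure round trip; True on success."""
    server = ChapServer(USERS)
    chal = server.challenge(identifier)
    name, resp = client.respond(identifier, chal)
    return server.verify(identifier, name, resp)


def replayed_response_is_rejected(identifier=7):
    """A valid response captured off the wire and presented a second time must fail."""
    server = ChapServer(USERS)
    client = ChapClient("alice", USERS["alice"])
    chal = server.challenge(identifier)
    name, resp = client.respond(identifier, chal)
    first = server.verify(identifier, name, resp)
    second = server.verify(identifier, name, resp)
    return first and not second


if __name__ == "__main__":
    print("valid user:", authenticate(ChapClient("alice", USERS["alice"])))
    print("wrong password:", authenticate(ChapClient("alice", b"guess")))
    print("replay rejected:", replayed_response_is_rejected())
```

Note that the server must hold the password in a form it can hash with the challenge, so CHAP protects the password in transit but not at rest; that is the trade-off behind the manual's remark in section I that MPPE encryption cannot be combined with PAP or CHAP.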
CSMA/CA - Carrier Sense Multiple Access with Collision Avoidance
DES - Data Encryption Standard. A cryptographic encryption algorithm that is part of many
standards.
DHCP - Dynamic Host Configuration Protocol. This protocol automatically configures the TCP/IP
settings of every computer on your home network.
DMZ - Allows a networked computer to be fully exposed to the Internet. This function is used
when the special application sensing tunnel feature is insufficient to allow an application to
function correctly.
DNS - DNS stands for Domain Name System, which allows Internet host computers to have a
domain name (such as www.smc.com) and one or more IP addresses (such as 192.34.45.8). A
DNS server keeps a database of host computers and their respective domain names and IP
addresses, so that when a domain name is requested (as in typing "www.smc.com" into your
Internet browser), the user is sent to the proper IP address. The DNS server address used by the
computers on your home network is the location of the DNS server your ISP has assigned.
DSL - DSL stands for Digital Subscriber Line. A DSL modem uses your existing phone lines to
transmit data at high speeds.
Ethernet - A standard for computer networks. Ethernet networks are connected by special cables
and hubs, and move data around at up to 10 million bits per second (Mbps).
ESS - ESS (ESS-ID, SSID) stands for "Extended Service Set". More than one BSS is configured to
become an Extended Service Set. LAN mobile users can roam between different BSSs in an ESS
(ESS-ID, SSID).
Fast Ethernet NIC - Network interface card that is in compliance with the IEEE 802.3u standard.
This card functions at the media access control (MAC) layer, using carrier sense multiple access
with collision detection (CSMA/CD).
Fixed IP – (see Static IP)
Full-Duplex - Transmitting and receiving data simultaneously. In pure digital networks, this is
achieved with two pairs of wires. In analog networks, or digital networks using carriers, it is
achieved by dividing the bandwidth of the line into two frequencies, one for sending, one for
receiving.
Hub - Central connection device for shared media in a star topology. It may add nothing to the
transmission (passive hub) or may contain electronics that regenerate signals to boost strength
as well as monitor activity (active/intelligent hub). Hubs may be added to bus topologies; for
example, a hub can turn an Ethernet network into a star topology to improve troubleshooting.
ID3 – The data fields in an MP3 that hold the artist name, track titles, album titles, genre, etc are
known as ID3 tags.
IP Address - IP stands for Internet Protocol. An IP address consists of a series of four numbers
separated by periods, that identifies a single, unique Internet computer host. Example:
192.34.45.8.
IP Security - Provides IP network-layer encryption. IPSec can support large encryption networks
(such as the Internet) by using digital certificates for device authentication.
ISAKMP - Internet Security Association and Key Management Protocol. The basis for IKE.
ISP - Internet Service Provider. An ISP is a business that provides connectivity to the Internet for
individuals and other businesses or organizations.
JPEG – Joint Photographic Experts Group. JPEG is a standard for compressing still images and it
provides compression with ratios up to 100:1. File extensions are .JPG or .JPEG.
LAN - A communications network that serves users within a confined geographical area. It is
made up of servers, workstations, a network operating system and a communications link.
Servers are high-speed machines that hold programs and data shared by network users. The
workstations (clients) are the users' personal computers, which perform stand-alone processing
and access the network servers as required.
Diskless and floppy-only workstations are sometimes used, which retrieve all software and data
from the server. Increasingly, "thin client" network computers (NCs) and Windows terminals are
also used. A printer can be attached locally to a workstation or to a server and be shared by
network users. Small LANs can allow certain workstations to function as a server, allowing users
access to data on another user's machine. These peer-to-peer networks are often simpler to
install and manage, but dedicated servers provide better performance and can handle higher
transaction volume. Multiple servers are used in large networks.
The message transfer is managed by a transport protocol such as TCP/IP and NetBEUI. The
physical transmission of data is performed by the access method (Ethernet, Token Ring, etc.),
which is implemented in the network adapters that are plugged into the machines. The actual
communications path is the cable (twisted pair, coax, optical fiber) that interconnects each
network adapter.
MAC Address - MAC (Media Access Control) A MAC address is the hardware address of a device
connected to a network.
MDI / MDI-X - Medium Dependent Interface - Also called an "uplink port," it is a port on a
network hub or switch used to connect to other hubs or switches without requiring a crossover
cable. The MDI port does not cross the transmit and receive lines, which is done by the regular
ports (MDI-X ports) that connect to end stations. The MDI port connects to the MDI-X port on
the other device. There are typically one or two ports on a device that can be toggled between
MDI (not crossed) and MDI-X (crossed).
Medium Dependent Interface – X (crossed) - A port on a network hub or switch that crosses the
transmit lines coming in to the receive lines going out.
MP3 – MPEG Audio Layer 3. This is an audio compression technology that is included in the
MPEG-1 and -2 specifications. MP3 encoding can allow you to compress CD-quality sound by a
factor of 12.
MPEG – Moving Pictures Experts Group. MPEG is a standard for compressing video. MPEG-1 can
provide resolution of 352x240 at 30 frames/second (fps) with 24-bit color and CD-quality sound.
MPEG-2 can provide resolution of 704x480. MPEG uses the same intraframe coding as JPEG for
individual frames, but also uses interframe coding which can help to further compress the video
data, thereby reducing the overall size of the video.
NAT – (Network Address Translation) This process allows all of the computers on your home
network to use one IP address. The NAT capability of the Barricade, allows you to access the
Internet from any computer on your home network without having to purchase more IP
addresses from your ISP. Network Address Translation can be used to give multiple users access
to the Internet with a single user account, or to map the local address for an IP server (such as
Web or FTP) to a public address. This secures your network from direct attack by hackers, and
provides more flexible management by allowing you to change internal IP addresses without
affecting outside access to your network. NAT must be enabled to provide multi-user access to
the Internet or to use the Virtual Server function.
Packet Binary Convolutional Code(tm) (PBCC) - A modulation technique developed by Texas
Instruments Inc. (TI) that offers data rates of up to 22Mbit/s and is fully backward compatible
with existing 802.11b wireless networks.
PAP - This is a simple authentication protocol where the username and password data are both
handled in a cleartext or unencrypted format. We do not recommend using PAP because your
passwords are easily readable from the Point-to-Point Protocol (PPP) packets exchanged during
the authentication process.
PCI - Peripheral Component Interconnect - Local bus for PCs from Intel that provides a high-speed
data path between the CPU and up to 10 peripherals (video, disk, network, etc.). The PCI
bus runs at 33MHz, supports 32-bit and 64-bit data paths, and bus mastering.
PPPoE - Point-to-Point Protocol over Ethernet. Point-to-Point Protocol is a method of secure data
transmission originally created for dial-up connections. PPPoE is for Ethernet connections.
PPTP - PPTP stands for Point-to-Point Tunneling Protocol. It provides a means for tunneling IP
traffic in Layer 2. For instance, it allows you to establish a connection to a corporate network and
share files or other data as if your machine were actually on that local network.
Roaming - A function that allows you to move through a particular domain without losing
network connectivity.
SNMP - Format used for network management data. Data is passed between SNMP agents
(processes that monitor activity in hubs, switches, etc.) and the workstation used to oversee the
network. SNMP uses Management Information Bases (MIBs), which are databases that define
what information is obtainable from a networked device and what can be controlled (turned off,
on, etc.).
Static IP - If your Service Provider has assigned a fixed IP address; enter the assigned IP
address, subnet mask and the gateway address provided by your service provider.
SPI - Stateful Packet Inspection ensures that the data coming into your network was requested
by an end node computer on your LAN. The Barricade examines the incoming data and compares
it to a database of trusted information. As traffic leaves the network it is defined by certain
characteristics. Incoming information is then compared to these sets of characteristics. If the
incoming data matches the predefined set of characteristics the incoming traffic is allowed. If no
match is found the incoming traffic is discarded.
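A minimal stateful filter built on the rule the definition gives: an inbound packet is admitted only when it is the reverse of a flow that a LAN host started, and flows age out when idle. This is an added Python example, not the Barricade's implementation; the LAN range, the packet tuples, the timeout and the fake clock are constructed so the demonstration runs offline and deterministically.

```python
import ipaddress
from collections import namedtuple

# A packet reduced to the fields the filter keys on.
Packet = namedtuple("Packet", "proto src sport dst dport")


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the demo is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class StatefulFilter:
    def __init__(self, lan_net, ttl, clock):
        self.lan = ipaddress.ip_network(lan_net)
        self.ttl = ttl            # seconds an idle flow stays in the table
        self.clock = clock
        self.flows = {}           # (proto, src, sport, dst, dport) -> expiry time

    def process(self, pkt):
        now = self.clock()
        # Forget flows whose idle timer has run out.
        self.flows = {k: t for k, t in self.flows.items() if t > now}
        if ipaddress.ip_address(pkt.src) in self.lan:
            # Outbound: record the characteristics of the flow the LAN host started.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl
            return "ALLOW"
        # Inbound: admit only if it mirrors a recorded outbound flow.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            self.flows[reverse] = now + self.ttl   # refresh the idle timer
            return "ALLOW"
        return "DROP"


def demo():
    """Constructed traffic: a DNS lookup, its reply, an unsolicited probe, a late reply."""
    clock = FakeClock()
    fw = StatefulFilter("192.168.2.0/24", ttl=30, clock=clock)
    decisions = []
    # LAN host asks a (constructed, documentation-range) DNS server a question.
    decisions.append(fw.process(Packet("udp", "192.168.2.10", 51000, "198.51.100.53", 53)))
    # The answer comes back on the reverse tuple: allowed.
    decisions.append(fw.process(Packet("udp", "198.51.100.53", 53, "192.168.2.10", 51000)))
    # Nobody inside asked for this inbound SMB connection: dropped.
    decisions.append(fw.process(Packet("tcp", "203.0.113.5", 40000, "192.168.2.10", 445)))
    # After the idle timeout the old flow is gone, so a late reply is dropped too.
    clock.now += 31
    decisions.append(fw.process(Packet("udp", "198.51.100.53", 53, "192.168.2.10", 51000)))
    return decisions


if __name__ == "__main__":
    print(demo())
```

Keying on the full five-tuple is what distinguishes this from a plain port filter: the inbound SMB packet is dropped even though the same host is talking to the outside, because nothing inside initiated a flow with that protocol and port pair.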
Subnet Mask - A subnet mask, which may be a part of the TCP/IP information provided by your
ISP, is a set of four numbers configured like an IP address. It is used to create IP address
numbers used only within a particular network (as opposed to valid IP address numbers
recognized by the Internet).
TCP/IP - Transmission Control Protocol/Internet Protocol. This is the standard protocol for data
transmission over the Internet.
TCP - Transmission Control Protocol - TCP and UDP (User Datagram Protocol) are the two
transport protocols in TCP/IP. TCP ensures that a message is sent accurately and in its entirety.
However, for real-time voice and video, there is really no time or reason to correct errors, and
UDP is used instead.
UDP - User Datagram Protocol - A protocol within the TCP/IP protocol suite that is used in place
of TCP when a reliable delivery is not required. For example, UDP is used for real-time audio and
video traffic where lost packets are simply ignored, because there is no time to retransmit. If
UDP is used and a reliable delivery is required, packet sequence checking and error notification
must be written into the applications.
VPN - Virtual Private Network that actually exists within a public network. This consists of a
point-to-point tunnel through which users can send and receive data. The data packets are encrypted
to provide for a true private connection to the endpoint (i.e. - corporate network). These packets
cannot be decrypted without the correct encryption keys. Once the VPN tunnel is established, the
client machine is authenticated and registered on the network. Given the proper privileges, it can
then communicate directly with other machines as if it were actually on that local network.