Digicom 8E4511_FW42IP16U01 User Manual


Security

Gateway/VPN

Firewall

www.digicom.it

FW41IP5-U01 & FW42IP16-U01

Routers/Firewalls

Advanced Configuration Guide

Version: ReOS V10

Table of Contents

Table of Contents ..................................................................................................................... 2

About This Manual ................................................................................................................... 1

0.1

Scope ......................................................................................................................... 1

0.2

Web UI Style .............................................................................................................. 1

0.3

Documents Conventions ......................................................................................... 2

0.3.1

Detailed Description of List ..................................................................................... 2

0.3.1.1

Editable List ................................................................................................................. 2

0.3.1.2

Read-only List .............................................................................................................. 3

0.3.1.3

Sorting Function ........................................................................................................... 4

0.3.2

Keyboard Operation ............................................................................................... 5

0.3.3

Other Conventions .................................................................................................. 5

0.3.3.1

Convention for a Page Path ......................................................................................... 5

0.3.3.2

Convention for Clicking a Button .................................................................................. 5

0.3.3.3

Convention for Selecting an Option ............................................................................. 5

0.4

Partial Factory Default Settings .............................................................................. 6

0.5

Document Organization ........................................................................................... 6

Chapter 1 Product Overview ........................................................................................... 14

1.1

Key Features ........................................................................................................... 14

1.2

Main Features ......................................................................................................... 15

1.3

VPN Features .......................................................................................................... 18

1.4

Physical Specification ........................................................................................... 18

1.5

Detailed Specifications Table ................................................................................ 19

Chapter 2 Hardware Installation ..................................................................................... 23

2.1

Installation Requirements ..................................................................................... 23

2.2

Installation Procedure ............................................................................................ 23

2.3

Installation Procedure of FW41IP5-U01 ............................................................... 24

2.4

Installation Procedure of FW42IP16-U01 ............................................................. 28

Chapter 3 Logging in to the Device ................................................................................ 32

Page 2

3.1

Configuring Your PC .............................................................................................. 32

3.2

Logging in to the Device ........................................................................................ 34

Chapter 4 Quick Wizard ................................................................................................... 36

4.1

Running the Quick Wizard ..................................................................................... 36

4.2

LAN Settings ........................................................................................................... 37

4.3

Choosing an Internet Connection Type ............................................................... 37

4.4

Internet Connection Settings ................................................................................ 39

4.4.1

Notes on Internet Connection Settings ................................................................. 39

4.4.2

PPPoE Internet Connection Settings.................................................................... 40

4.4.3

Static IP Internet Connection Settings .................................................................. 41

4.4.4

DHCP Internet Connection Settings ..................................................................... 43

4.5

Reviewing and Saving the Settings ...................................................................... 43

4.6

Summary ................................................................................................................. 45

Chapter 5 System Status ................................................................................................. 46

5.1

System Information ................................................................................................ 46

5.1.1

System Up Time ................................................................................................... 46

5.1.2

System Resource ................................................................................................. 47

5.1.3

System Version ..................................................................................................... 48

5.1.4

Port Information .................................................................................................... 48

5.1.4.1

Port Status ................................................................................................................. 48

5.1.4.2

Interface Rate Chart................................................................................................... 49

5.2

NAT Statistics ......................................................................................................... 51

5.3

DHCP Statistics ...................................................................................................... 53

5.3.1

DHCP Pool Statistics List ..................................................................................... 53

5.3.2

DHCP Server Statistics List .................................................................................. 55

5.3.3

DHCP Conflict Statistics List ................................................................................ 56

5.3.4

DHCP Client Statistics List ................................................................................... 57

5.3.5

DHCP Relay Statistics List ................................................................................... 58

5.4

Interface Statistics.................................................................................................. 61

5.5

Routing Table .......................................................................................................... 63

5.6

Session Monitor ...................................................................................................... 66

Page 3

5.6.1

Session Monitor Settings ...................................................................................... 66

5.6.2

NAT Session List .................................................................................................. 68

5.6.3

Examples .............................................................................................................. 69

5.6.3.1

Searching Internet Activities of the LAN User with IP Address 192.168.20.68/24 ...... 69

5.6.3.2

Searching the LAN Users Accessing 200.200.200.251 ............................................. 70

5.6.3.3

Searching the LAN Users Using MSN ....................................................................... 71

5.6.3.4

Searching Internet Activities of the LAN users Using WAN1 IP address .................... 73

5.7

System Log ............................................................................................................. 75

5.7.1

System Log Settings ............................................................................................. 75

5.7.2

Viewing System Logs ........................................................................................... 76

5.8

Web Log................................................................................................................... 79

5.8.1

Enable Web Log ................................................................................................... 79

5.8.2

View Web Logs ..................................................................................................... 80

5.9

Application Traffic Statistics ................................................................................. 81

5.9.1

Global Setup ......................................................................................................... 81

5.9.2

Application Traffic Statistics List ........................................................................... 82

5.9.3

User Traffic Statistics List ..................................................................................... 83

5.10

WAN Traffic Statistics ............................................................................................ 84

Chapter 6 Basic Setup ..................................................................................................... 85

6.1

LAN Settings ........................................................................................................... 85

6.2

WAN Settings .......................................................................................................... 87

6.2.1

WAN List ............................................................................................................... 87

6.2.1.1

Parameter Definitions ................................................................................................ 87

6.2.1.2

List Function .............................................................................................................. 89

6.2.1.3

How to Dial and Hang up a PPPoE connection ......................................................... 90

6.2.1.4

How to Renew and Release a DHCP Connection ..................................................... 90

6.2.2

WAN Internet Connection Settings ....................................................................... 92

6.2.2.1

PPPoE Internet Connection Settings ......................................................................... 92

6.2.2.2

Static IP Internet Connection Settings ....................................................................... 97

6.2.2.3

DHCP Internet Connection Settings ........................................................................... 99

6.2.2.4

How to Delete the Internet Connection .................................................................... 100

6.2.2.5

Related Default Routes ............................................................................................ 101

Page 4

6.3

Load Balancing ..................................................................................................... 102

6.3.1

Introduction to Load Balancing and Failover ...................................................... 102

6.3.1.1

Internet Connection Detection Mechanism .............................................................. 102

6.3.1.2

Load Balancing Mode .............................................................................................. 103

6.3.1.3

Internet Connection Detection Method..................................................................... 104

6.3.2

The Operation Principle of Load Balancing ........................................................ 106

6.3.2.1

Allocating Traffic according to Connection Bandwidth ............................................. 106

6.3.2.2

Two Load Balancing Policies ................................................................................... 107

6.3.3

ID Binding ........................................................................................................... 108

6.3.4

Load Balancing Global Settings ......................................................................... 109

6.3.4.1

Global Settings - Full Load Balancing ...................................................................... 109

6.3.4.2

Global Settings --Partial Load Balancing ................................................................. 110

6.3.5

Detection and Weight Settings ............................................................................ 111

6.3.6

Load Balancing List ............................................................................................. 113

6.3.7

How to Configure Load Balancing ....................................................................... 113

6.3.7.1

The Process of Configuring Load Balancing ............................................................ 113

6.3.7.2

The Configuration Steps of Connection Detection and Weight ................................ 114

6.3.7.3

The Configuration Steps of Load Balancing Global Settings ................................... 115

6.3.7.4

The Configuration Steps of ID Binding ..................................................................... 115

6.3.8

Related Detection Route ..................................................................................... 115

6.4

DHCP & DNS .......................................................................................................... 116

6.4.1

DHCP Server ....................................................................................................... 116

6.4.2

DHCP Auto Binding ............................................................................................. 117

6.4.3

DNS Proxy ........................................................................................................... 118

Chapter 7 Advanced Setup ............................................................................................ 120

7.1

Static Route ........................................................................................................... 120

7.1.1

Static Route ........................................................................................................ 120

7.1.1.1

Introduction to Static Route ...................................................................................... 120

7.1.1.2

System Reserved Static Routes .............................................................................. 121

7.1.1.3

Static Route Settings ............................................................................................... 122

7.1.1.4

Static Route List ....................................................................................................... 124

7.1.1.5

How to Add the Static Routes .................................................................................. 125

7.1.2

Static Route Policy Database ............................................................................. 126

Page 5

7.1.2.1

Introduction to Static Route PDB ............................................................................. 127

7.1.2.2

Static Route PDB Settings ....................................................................................... 128

7.1.2.3

How to Add the Static Route PDB Entries ................................................................ 129

7.1.2.4

How to Update a System Default Static Route PDB ................................................ 130

7.2

Policy-Based Routing .......................................................................................... 132

7.2.1

Policy-Based Routing Settings ........................................................................... 132

7.2.2

Enable Policy-Based Routing ............................................................................. 134

7.2.3

Policy-Based Routing List ................................................................................... 135

7.3

DNS Redirection ................................................................................................... 136

7.3.1

Introduction to DNS Redirection ......................................................................... 136

7.3.2

Enable DNS Redirection ..................................................................................... 136

7.3.3

DNS Redirection List .......................................................................................... 137

7.3.4

DNS Redirection Settings ................................................................................... 138

7.3.5

How to Configure DNS Redirection .................................................................... 139

7.4

Plug and Play ........................................................................................................ 140

7.4.1

Introduction to Plug and Play .............................................................................. 140

7.4.2

Enable Plug and Play ......................................................................................... 140

7.5

SNMP ..................................................................................................................... 141

7.6

SYSLOG ................................................................................................................. 144

7.7

DDNS ..................................................................................................................... 146

7.7.1

Introduction to DDNS .......................................................................................... 146

7.7.2

DDNS Service Offered by no-ip.org ................................................................... 146

7.6.1.1

Apply for a DDNS Account from no-ip.org ................................................................ 146

7.7.2.1

DDNS Settings Related to no-ip.org

Page 6

148

7.8

Advanced DHCP ................................................................................................... 149

7.8.1

Introduction to DHCP .......................................................................................... 149

7.8.1.1

Overview .................................................................................................................. 149

7.8.1.2

DHCP Operation Process ........................................................................................ 150

7.8.1.3

DHCP Message types .............................................................................................. 151

7.8.2

Introduction to DHCP Feature of the Device ...................................................... 152

7.8.2.1

Introduction to DHCP Server ................................................................................... 153

7.8.2.2

Introduction to DHCP Client ..................................................................................... 156

7.8.2.3

Introduction to DHCP Relay Agent ........................................................................... 156

7.8.2.4

Introduction to Raw Option ...................................................................................... 158

7.8.3

DHCP Client ....................................................................................................... 158

7.8.3.1

DHCP Client Settings ............................................................................................... 159

7.8.3.2

DHCP Client List ...................................................................................................... 160

7.8.3.3

How to Configure DHCP Client ................................................................................ 161

7.8.4

DHCP Server ...................................................................................................... 162

7.8.4.1

DHCP Server Global Settings .................................................................................. 162

7.8.4.2

DHCP Manual Binding List ...................................................................................... 163

7.8.4.3

DHCP Manual Binding Settings ............................................................................... 164

7.8.4.4

How to Add the DHCP Manual Bindings .................................................................. 165

7.8.4.5

DHCP Address Pool List .......................................................................................... 166

7.8.4.6

DHCP Address Pool Settings ................................................................................... 167

7.8.4.7

How to Add the DHCP Address Pools ...................................................................... 170

7.8.5

DHCP Relay Agent ............................................................................................. 171

7.8.5.1

DHCP Relay Agent Settings .................................................................................... 171

7.8.5.2

DHCP Relay Agent List ............................................................................................ 173

7.8.5.3

How to Configure DHCP Relay Agent ...................................................................... 173

7.8.6

Raw Option ......................................................................................................... 174

7.8.6.1

Raw Option Settings ................................................................................................ 174

7.8.6.2

Raw Option List ....................................................................................................... 176

7.8.6.3

How to Add the DHCP Raw Options ........................................................................ 176

7.8.7

Configuration Examples for DHCP ..................................................................... 177

7.8.7.1

Configuration Example for the DHCP Server ........................................................... 177

7.8.7.2

Configuration Example for the DHCP Client ............................................................ 182

7.8.7.3

Configuration Example for the DHCP Relay Agent .................................................. 183

7.8.7.4

Configuration Example for the Raw Option .............................................................. 185

Page 7

7.8.7.5

Comprehensive Example for DHCP......................................................................... 186

7.9

Switch .................................................................................................................... 192

7.9.1

Port Mirroring ...................................................................................................... 192

7.9.1.1

Introduction to Port Mirroring ................................................................................... 192

7.9.1.2

Port Mirroring Setup ................................................................................................. 192

7.9.2

Port-Based VLAN ............................................................................................... 193

7.9.2.1

Introduction to VLAN ................................................................................................ 193

7.9.2.2

Port-Based VLAN Setup .......................................................................................... 193

Chapter 8 NAT ................................................................................................................. 195

8.1

Port Forwarding .................................................................................................... 195

8.1.1

Introduction to Port Forwarding .......................................................................... 195

8.1.2

Port Forwarding Settings .................................................................................... 196

8.1.3

Port Forwarding List ........................................................................................... 197

8.1.4

How to Add the Port Forwarding Rules .............................................................. 198

8.1.5

Configuration Examples for Port Forwarding ..................................................... 198

8.1.5.1

Example One ........................................................................................................... 198

8.1.5.2

Example Two ........................................................................................................... 199

8.1.5.3

Example Three......................................................................................................... 200

8.2

DMZ Host ............................................................................................................... 201

8.2.1

Introduction to DMZ host .................................................................................... 201

8.2.2

DMZ Host Settings.............................................................................................. 202

8.2.2.1

Global DMZ Host Settings ....................................................................................... 202

8.2.2.2

Interface DMZ Host Settings .................................................................................... 202

8.2.3

The Priorities of Port Forwarding and DMZ Host ............................................... 203

8.3

NAT Rule ................................................................................................................ 204

8.3.1

Introduction to NAT ............................................................................................. 204

8.3.1.1

NAT Address Space Definitions ............................................................................... 204

8.3.1.2

NAT Types ............................................................................................................... 204

8.3.1.3

The Relations of Internet Connection, NAT Rule and Port Forwarding Rule ............ 205

8.3.1.4

System Reserved NAT Rules ................................................................................... 206

8.3.2

NAT and Multi-WAN Load Balancing .................................................................. 206

8.3.2.1

Overview .................................................................................................................. 206

8.3.2.2

Assigning Preferential Channel according to Source IP ............................................. 206

Page 8

8.3.2.3

Allocating Traffic according to Connection Bandwidth ............................................. 207

8.3.2.4

Two Load Balancing Policies ................................................................................... 207

8.3.2.5

The Priorities of NAT Rules ...................................................................................... 208

8.3.3

NAT Rule Settings .............................................................................................. 209

8.3.3.1

EasyIP NAT Rule Settings ....................................................................................... 209

8.3.3.2

One2One NAT Rule Settings ................................................................................... 210

8.3.3.3

Passthrough NAT Rule Settings............................................................................... 212

8.3.4

NAT Rule List ...................................................................................................... 213

8.3.5

How to Add the NAT Rules ................................................................................. 213

8.3.6

Configuration Examples for NAT Rule ................................................................ 215

8.3.6.1

An Example for Configuring EasyIP NAT Rule ......................................................... 215

8.3.6.2

An Example for Configuring One2One NAT Rule .................................................... 216

8.3.6.3

An Example for Configuring Passthrough NAT Rule ................................................ 218

8.4

UPnP ...................................................................................................................... 220

8.4.1

Enable UPnP ...................................................................................................... 220

8.4.2

UPnP Port Forwarding List ................................................................................. 221

Chapter 9 PPPoE Server ................................................................................................ 222

9.1

Introduction to PPPoE ......................................................................................... 222

9.1.1

PPPoE Stages .................................................................................................... 222

9.1.2

PPPoE Discovery Stage ..................................................................................... 222

9.1.3

PPP Session Stage ............................................................................................ 223

9.1.4

PPPoE Session Termination ............................................................................... 224

9.2

PPPoE Server Settings ........................................................................................ 224

9.2.1

PPPoE Server Global Settings ........................................................................... 224

9.2.2

Internet Access Control ...................................................................................... 225

9.3

PPPoE Account .................................................................................................... 227

9.3.1

PPPoE Account Settings .................................................................................... 227

9.3.2

PPPoE Account List ............................................................................................ 230

9.3.3

Import Accounts .................................................................................................. 231

9.3.4

PPPoE Account Billing ........................................................................................ 232

9.3.4.1

Introduction to PPPoE Account Billing Mechanism .................................................. 232

9.3.4.2

PPPoE Account Billing By Date ............................................................................... 233

9.3.4.3

PPPoE Account Billing By Hour ............................................................................... 234

Page 9

9.3.4.4 PPPoE Account Billing By Traffic ............................................................................. 235
9.4 PPPoE IP/MAC Binding ........................................................................................ 236
9.4.1 PPPoE IP/MAC Binding Settings ........................................................................ 236
9.4.2 PPPoE IP/MAC Binding List ............................................................................... 237
9.5 PPPoE Status ........................................................................................................ 239
9.6 Configuration Example for PPPoE Server ......................................................... 241
9.7 PPPoE Account Expiration Notice ...................................................................... 245
9.7.1 PPPoE Account Expiration Notice by Date ........................................................ 246
9.7.2 PPPoE Account Expiration Notice by Hours ...................................................... 248
9.7.3 PPPoE Account Expiration Notice by Traffic ...................................................... 250

Chapter 10 QoS ................................................................................................................. 253
10.1 Introduction to Bandwidth Management............................................................ 253
10.1.1 Why We Need Bandwidth Management ............................................................. 253
10.1.2 Token Bucket Algorithm ...................................................................................... 254
10.1.3 Implementation of Bandwidth Management ....................................................... 255
10.2 Rate Limit Global Settings ................................................................................... 256
10.3 Rate Limit Rule ..................................................................................................... 257
10.3.1 Rate Limit Rule Settings ..................................................................................... 257
10.3.2 Rate Limit Rule List ............................................................................................ 260
10.3.3 The Execution Order of Rate Limit Rules ........................................................... 261
10.4 P2P Rate Limit ...................................................................................................... 262
10.5 Application QoS .................................................................................................... 264
10.6 Configuration Examples for QoS ........................................................................ 265
10.6.1 Example One ...................................................................................................... 265
10.6.2 Example Two ...................................................................................................... 268

Chapter 11 Restriction ..................................................................................................... 272
11.1 User Admin............................................................................................................ 272
11.1.1 User Status List .................................................................................................. 272
11.1.2 Personal Rate Limit ............................................................................................ 274
11.1.3 Personal Internet Behavior Management ........................................................... 275
11.2 Internet Behavior Management ........................................................................... 276
11.2.1 Internet Behavior Management Policy Settings ................................................. 277
11.2.2 Internet Behavior Management Policy List ......................................................... 282
11.3 Policy Database .................................................................................................... 283
11.3.1 Introduction to Policy Database .......................................................................... 283
11.3.2 Policy Database List ........................................................................................... 284
11.3.3 Policy Database Version Check ......................................................................... 285
11.3.4 Import Policy Database ...................................................................................... 286
11.4 QQ Whitelist .......................................................................................................... 287
11.4.1 Enable QQ Whitelist ........................................................................................... 287
11.4.2 QQ Whitelist Settings ......................................................................................... 287
11.4.3 QQ Whitelist ........................................................................................................ 288
11.5 Configuration Example for Internet Behavior Management ............................ 289
11.6 Notice ..................................................................................................................... 295
11.6.1 Introduction to Notice .......................................................................................... 295
11.6.2 Notice Settings.................................................................................................... 295
11.6.2.1 One-Time Notice Settings ........................................................................................ 295
11.6.2.2 Daily Notice Settings ................................................................................................ 298
11.7 Web Authentication .............................................................................................. 299
11.7.1 Enable Web Authentication ................................................................................ 299
11.7.2 Web Authentication User Account Settings ........................................................ 300
11.7.3 Web Authentication User Account List ................................................................ 300
11.7.4 How to Use Web Authentication ......................................................................... 301

Chapter 12 Security .......................................................................................................... 303
12.1 Attack Defense ...................................................................................................... 303
12.1.1 Internal Attack Defense ...................................................................................... 303
12.1.2 External Attack Defense ..................................................................................... 306
12.2 IP/MAC Binding ..................................................................................................... 308
12.2.1 Introduction to IP/MAC Binding .......................................................................... 308
12.2.1.1 IP/MAC Overview .................................................................................................... 308
12.2.1.2 The Operation Principle of IP/MAC Binding ............................................................. 308
12.2.2 IP/MAC Binding Settings .................................................................................... 312
12.2.3 IP/MAC Binding Global Setup ............................................................................ 313
12.2.4 IP/MAC Binding List ............................................................................................ 314
12.2.5 How to Add the IP/MAC Bindings ....................................................................... 314
12.2.6 Internet Whitelist and Blacklist ............................................................................ 315
12.2.6.1 Introduction to Internet Whitelist and Blacklist Based on IP/MAC Binding ............... 315
12.2.6.2 How to Configure an Internet Whitelist..................................................................... 316
12.2.6.3 How to Configure Internet Blacklist .......................................................................... 317
12.3 Firewall .................................................................................................................. 319
12.3.1 Introduction to Access Control ............................................................................ 319
12.3.1.1 The Purpose of Access Control Feature .................................................................. 319
12.3.1.2 The Operation Principle of Access Control .............................................................. 320
12.3.1.3 The Action of an Access Control Rule ...................................................................... 320
12.3.1.4 The Execution Order of Access Control Rules ......................................................... 320
12.3.1.5 Address Group and Service Group .......................................................................... 321
12.3.1.6 System Default Access Control Rules...................................................................... 321
12.3.2 Access Control Rule Settings ............................................................................. 322
12.3.3 Enable Access Control ....................................................................................... 325
12.3.4 Access Control List ............................................................................................. 326
12.3.5 Configuration Examples for Access Control ....................................................... 327
12.3.5.1 Example One ........................................................................................................... 327
12.3.5.2 Example Two ........................................................................................................... 331
12.4 Domain Filtering ................................................................................................... 337
12.4.1 Domain Filtering Settings ................................................................................... 337
12.4.2 Domain Blocking Notice ..................................................................................... 338
12.5 NAT Session Limit ................................................................................................ 340
12.5.1 NAT Session Limit Rule Settings ........................................................................ 341
12.5.2 NAT Session Limit Rule List ............................................................................... 342
12.6 Address Group ..................................................................................................... 344
12.6.1 Introduction to Address Group ............................................................................ 344
12.6.2 Address Group Settings ..................................................................................... 345
12.6.3 Address Group List ............................................................................................. 346
12.6.4 How to Add the Address Groups ........................................................................ 347
12.6.5 How to Edit an Address Group ........................................................................... 347
12.7 Service Group ....................................................................................................... 349
12.7.1 Introduction to Service Group ............................................................................. 349
12.7.2 Service Group Settings ....................................................................................... 350
12.7.3 Service Group List .............................................................................................. 352
12.7.4 How to Add the Service Groups ......................................................................... 353
12.7.5 How to Edit a Service Group .............................................................................. 353
12.8 Schedule ................................................................................................................ 355
12.8.1 Introduction to Schedule ..................................................................................... 355
12.8.2 Schedule Settings ............................................................................................... 356
12.8.3 Schedule List ...................................................................................................... 357
12.8.4 How to Add the Schedules ................................................................................. 358
12.8.5 Configuration Example for Schedule .................................................................. 359

Chapter 13 System ........................................................................................................... 361
13.1 Administrator ........................................................................................................ 361
13.1.1 Administrator Settings ........................................................................................ 361
13.1.2 Administrator List ................................................................................................ 362
13.1.3 How to Add the Administrator Accounts ............................................................. 363
13.2 System Time ......................................................................................................... 364
13.3 Firmware Upgrade ................................................................................................ 366
13.3.1 Save Firmware .................................................................................................... 366
13.3.2 Firmware Upgrade .............................................................................................. 367
13.4 Configuration ........................................................................................................ 368
13.4.1 Backup Configuration ......................................................................................... 368
13.4.2 Restore Configuration ......................................................................................... 368
13.4.3 Restore Defaults ................................................................................................. 369
13.5 Remote Admin ...................................................................................................... 370
13.6 WEB Server ........................................................................................................... 372
13.7 Restart ................................................................................................................... 373

Appendix A How to configure your PC .............................................................................. 375

Appendix B FAQ .................................................................................................................. 378
1. How to connect the Device to the Internet using PPPoE ................................. 378
2. How to connect the Device to the Internet using Static IP............................... 381
3. How to connect the Device to the Internet using DHCP................................... 382
4. How to reset the Device to factory default settings .......................................... 384
4-1 Case One: Remember the administrator password ................................................ 384
4-2 Case Two: Forget the administrator password ........................................................ 390
5. How to use CLI Rescue Mode ............................................................................. 397
6. IP/MAC Binding and Access Control .................................................................. 404
7. How to find out who uses the most bandwidth? .............................................. 408
8. How to troubleshoot faults caused by worm viruses or hacker attacks on the Device? ............................................................................................................................. 409
9. How to enable WAN ping respond?.................................................................... 413

Appendix C Common IP Protocols .................................................................................... 414

Appendix D Common Service Ports .................................................................................. 415

Appendix E Figure Index .................................................................................................... 419

Appendix F Table Index ....................................................................................................... 428

About This Manual

Note

For best use of our product, it is strongly recommended that you update the Windows Internet Explorer browser to version 6.0 or higher.

0.1 Scope

This guide describes the characteristics and features of the FW4x-IPxx-U01 Series Security Firewalls, which are based on the ReOS V10 firmware platform. It mainly describes how to configure and manage the Device via the Web UI. Please make sure that your Device's firmware version corresponds to ReOS V10. Because of product or firmware upgrades, or for other reasons, this guide will be updated from time to time.

In addition, as the product specifications of each model differ, you should contact a digicom support engineer for help with the product specifications.

Note

The Device (with an uppercase first letter) mentioned in this guide stands for the NE high-performance gateway.

0.2 Web UI Style

The Web UI style complies with the browser standard, which is as follows:

Radio Button: It allows you to choose only one of a predefined set of options.

Check Box: It allows you to choose one or more options.

Button: It allows you to click to perform an action.

Text Box: It allows you to enter text information.


List Box: It allows you to select one or more items from a list contained within a static, multiple line text box.

Drop-down List: It allows you to choose one item from a list. When a drop-down list is inactive, it displays a single item. When activated, it drops down a list of items, from which you may select one.

0.3 Documents Conventions

0.3.1 Detailed Description of List

The Web UI contains two kinds of lists: editable list and read-only list. The following examples will describe them respectively.

0.3.1.1 Editable List

An editable list allows you to add, view, modify and delete the entries. Let's take the IP/MAC Binding List (see Figure 0-1) as an example to explain it.

Figure 0-1 IP/MAC Binding List


: Configured number / maximum number. In the example this means there are two configured IP/MAC bindings and the maximum number of bindings supported by the Device is 500.

: This drop-down list allows you to select the number of entries displayed per page. In this example, the available options are 10, 30 and 50, and the default value is 10.

: Click it to jump to the first page.

: Click it to jump to the previous page.

: Click it to jump to the next page.

: Click it to jump to the last page.

: Click it to add a new entry to the list. Here it will jump to the Security > IP/MAC Binding > IP/MAC Binding Settings page, where you can add a new IP/MAC binding.

: Enter the text string you want to search for in this text box, then press the <Enter> key to display all the matched entries. What's more, you can search within the displayed results. If you want to display all the entries again, you only need to clear the text box and then press the <Enter> key.

Note that the matching rule is substring matching, that is, it will search for and display those entries that contain the specified text string.

: Click it to go to the corresponding setup page.

: Click it (add the check mark) to select all the entries in the current page. Click it again (remove the check mark) to unselect all the entries in the current page.

: To delete one or more entries, first select their leftmost check boxes, then select Delete from the drop-down list, and lastly click OK to delete the selected entries. To delete all the entries in the list, first select Delete All from the drop-down list, and then click OK.

0.3.1.2 Read-only List

A read-only list is used to display the system status information that is not editable. Let’s take the NAT Statistics list (see Figure 0-2) as an example to explain the functions.


Figure 0-2 NAT Statistics

First, Prev, Next, Last, Search and Lines/Page have the same meaning as in the editable list.

: Both display the number of entries in the list; here it means that there are four entries in the list.

: Click to view the latest information in the list.

: Click to clear all the statistics in the list.

0.3.1.3 Sorting Function

All the lists in the Web UI support the sorting function, except the Access Control List in the Security > Firewall page, the Rate Limit Rule List in the QoS > Rate Limit Rule page, the Session Limit List in the Security > NAT Session Limit page, the DNS Redirection List in the Advanced > DNS Redirection page and the Behavior Mgmt. List in the Restriction > Behavior Mgmt page. The steps are as follows:

You can click any column header to sort the entries in a list by that column. Click once to sort the entries in descending order, click again to sort them in ascending order. Click a third time to sort them in descending order, and so forth. After sorting, the list will be displayed from the first page.

0.3.2 Keyboard Operation

<>: It is used to represent the name of a key on the keyboard. For example, <Enter> key represents the Enter key on the keyboard.

0.3.3 Other Conventions

0.3.3.1 Convention for a Page Path

First Level Menu Name > Second Level Menu Name (bold font) means the menu path to open a page. E.g., System > Time means that in the Web UI, you click the first level menu System first, and then click the second level menu Time to open the corresponding page.

0.3.3.2 Convention for Clicking a Button

Click the XXX button (XXX is the name of the button, in bold font) means performing the corresponding action. E.g., click the Delete button means performing a deleting action.

0.3.3.3 Convention for Selecting an Option

Select the XXX option ( XXX is the name of the option, bold font) means selecting the corresponding function. E.g., select the Enable DNS Proxy check box means enabling the DNS proxy feature (see Figure 0-3).

Figure 0-3 Enable DNS Proxy


0.4 Partial Factory Default Settings

1. The default administrator user name is Default (case sensitive) with a blank password.

2. The following table provides the factory default settings of the interfaces.

Interface    IP Address      Subnet Mask
LAN          192.168.20.1    255.255.255.0
WAN1         192.168.17.1    255.255.255.0
WAN2/DMZ     192.168.18.1    255.255.255.0

Table 0-1 Factory Default Settings of Interfaces

0.5 Document Organization

This manual mainly describes the settings and applications of the FW4x-IPxx-U01 products, which is organized as follows:

Chapter Contents

1 Product Overview: The functions and features of the Device.

2 Hardware Installation: How to install the Device.

3 Login to the Device: How to login to the Device, including:
● Configure Your PC: How to install and configure TCP/IP properties on your PC.
● Login to the Device: How to login to the Device; introduction to the web page of the Device.
● Shortcut Icons: Introduction to the shortcut icons in the web page of the Device.

4 Quick Setup: How to configure the basic parameters to quickly connect the Device to the Internet, including:
● LAN Settings: How to configure the IP address and subnet mask of the LAN interface.
● WAN Settings: How to configure the Internet connection on each WAN interface one by one. The Device provides three types of connections: PPPoE, Static IP and DHCP. Note that the number of WAN interfaces depends on the specific product model.

5 System Status: How to view the system statistics and status information, including:
● System Information: It displays system up time, system resource usage information, system version, port status, and interface rate chart.
● NAT Statistics: It displays the NAT session details of each LAN host.
● DHCP Statistics: It displays the statistics of the DHCP address pool, DHCP server, DHCP conflict, DHCP client and DHCP relay agent.
● Interface Statistics: It displays traffic statistics of each physical interface.
● Route Statistics: It displays the routing table.
● Session Monitor: How to monitor the Internet activities of the LAN users by the NAT session list. It allows you to filter and display sessions by certain criteria, such as source IP address, destination IP address/domain name, destination port, NAT translated IP address/domain name, and so on.
● System Log: It displays the system logs; it also allows you to select the types of logs that you want the Device to store and display.
● Application Traffic Statistics: It displays the traffic statistics of some special applications per Internet connection; it also displays each application's traffic statistics per LAN user.
● WAN Traffic Statistics: It displays traffic and rate related information of each Internet connection.

6 Basic Setup: How to configure the basic features of the Device, including:
● Quick Wizard: How to configure the basic parameters to quickly connect the Device to the Internet.
● LAN Settings: How to configure the parameters of the LAN interface, e.g., IP address, subnet mask, IP address2, proxy ARP, MAC address.
● WAN Settings: How to configure the Internet connection on each WAN interface, and how to view the related configuration and status information.
● Load Balancing: How to configure the load balancing feature, which includes: detection and weight settings, global settings, ID binding; how to view the load balancing list. Note that the second level menu Load Balancing is displayed only after you have configured more than one Internet connection.
● DHCP & DNS: How to configure DHCP server, DHCP auto binding, and DNS proxy.

7 Advanced Setup: How to configure the advanced features of the Device, including:
● Static Route: How to configure static routes and static route PDBs.
● PBR: How to configure PBR (Policy-Based Routing) based on source and destination addresses, protocols, ports, schedules, and other criteria.
● DNS Redirection: How to configure the DNS redirection feature, which is used to redirect domain names directly to the specified IP addresses.
● SNMP: How to configure SNMP (Simple Network Management Protocol).
● DDNS: How to apply for a DDNS account service and configure DDNS (Dynamic Domain Name System).
● DHCP: How to configure DHCP client, server, relay agent and raw option.
● Switch: How to configure switch features, such as VLAN, port mirroring and so on.
● Miscellaneous: How to configure miscellaneous features, such as scheduled tasks.

8 NAT: How to configure NAT features, including:
● Port Forwarding: How to configure and view port forwarding rules.
● DMZ Host: How to configure the global DMZ host and interface DMZ hosts.
● NAT Rule: How to configure and view NAT rules. The Device provides three types of NAT: One2One, EasyIP and Passthrough; and you can create more than one NAT rule for each type of NAT when you obtain multiple public IP addresses.
● UPnP: How to enable UPnP and view the port forwarding rules established using UPnP.

9 PPPoE Server: How to configure the PPPoE server feature, including:
● Global Settings: How to configure PPPoE server global parameters, e.g., enable PPPoE server; and the IP addresses, gateway IP address and DNS server IP addresses that will be assigned to the PPPoE dial-in users.
● PPPoE Account: How to configure PPPoE accounts. It provides rate limit based on the account, account/MAC binding and account/IP binding features; also, it allows you to import multiple accounts at a time.
● PPPoE IP/MAC Binding: How to use the IP/MAC binding feature to assign static IP addresses to the PPPoE dial-in users.
● PPPoE Status: How to view the status and usage information of each online PPPoE dial-in user.

10 QoS: How to configure QoS features, including:
● Global Settings: How to enable or disable rate limit, and how to configure the capacity, i.e., the maximum number of network devices that can be connected to the Device at the same time.
● Rate Limit Rule: How to configure flexible rate limit rules based on address group, service group and schedule to improve bandwidth utilization.
● P2P Rate Limit: How to limit the maximum upload and download rate of the P2P traffic for the LAN users.
● Application QoS: How to configure preferential forwarding for some predefined special application traffic.

11 Restriction: How to configure restriction features, including:
● User Admin: How to view the current status information of LAN users, and configure personal settings for each user individually, including rate limit and Internet behavior management settings.
● Internet Behavior Management: How to control and manage the Internet behaviors of the LAN users to improve bandwidth utilization and network security.
● Policy Database: How to view the policy database related information; and how to upload or update policy databases.
● QQ Whitelist: How to configure the QQ whitelist feature. The LAN users can still use the QQ numbers in the QQ whitelist to login to QQ even if you have blocked them from using QQ by Internet behavior management policies.
● Notice: How to configure the notice feature. The Device can push the notice message to the specified LAN users; there are two types of notices: one-time notice and daily notice.

12 Security: How to configure security features, including:
● Attack Defense: How to configure the internal and external attack defense features to enhance network security.
● IP/MAC Binding: How to configure IP/MAC address pair bindings to prevent IP address spoofing. By utilizing the IP/MAC binding feature, you can flexibly configure an Internet whitelist or blacklist for the LAN users.
● Firewall: How to configure firewall access control rules, which are applied on the LAN interface.
● Domain Filtering: How to configure the domain filtering feature. You can either block only certain specified domain names or allow only certain specified domain names.
● NAT Session Limit: How to configure NAT session limit rules to limit the maximum number of concurrent NAT sessions, TCP sessions, UDP sessions, and ICMP sessions based on LAN hosts. You can set different maximum session counts for different LAN hosts.
● Address Group: How to configure address groups. You can divide some discontinuous IP addresses into an address group, and then reference the address group in an access control rule or rate limit rule.
● Service Group: How to configure service groups. It provides five types of services including general service, URL, Keyword, DNS and MAC address. It allows you to add multiple services into a service group, and then reference the service group in an access control rule or rate limit rule.
● Schedule: How to configure schedules. The schedules can be applied to various time-related features, e.g., dial schedule, rate limit rule, access control rule, etc.

13 System Admin: How to manage the Device, including:
● Administrator: How to configure the administrator accounts. It provides three privilege groups: admin, read and execute.
● System Time: How to configure the system date and time manually or automatically.
● Firmware Upgrade: How to backup, download and upgrade firmware.
● Configuration: How to backup and restore the system configuration, and reset the Device to the factory default settings.
● Remote Admin: How to enable the HTTP remote management feature to remotely configure and manage the Device via the Internet.
● Web Server: How to configure the Web server.
● Restart: How to restart the Device in the Web UI.

14 Appendix: Provides six appendixes, including:
● Appendix A How to configure your PC: How to install and configure TCP/IP properties for Windows 95 and Windows 98.
● Appendix B FAQ: Frequent questions and answers.
● Appendix C Common IP Protocols: Provides the list of common IP protocol numbers and names.
● Appendix D Common Service Ports: Provides the list of common service port numbers and names.
● Appendix E Figure Index: Provides a figure index directory.
● Appendix F Table Index: Provides a table index directory.

Table 0-2 Document Organization


Chapter 1 Product Overview

Thanks for choosing FW4x-IPxx-U01 products from Digicom S.p.A.

This chapter describes the functions and features of the FW4x-IPxx-U01 products in brief.

1.1 Key Features

Provides multiple Internet connection types: PPPoE, Static IP and DHCP

Provides real-time monitoring and management of the LAN traffic and users via Web UI

Provides multiple WAN ports that support intelligent load balancing and auto backup

Supports ID binding for some applications, such as online banking, QQ, etc

Supports intelligent bandwidth management based on token bucket algorithm

Supports Internet behavior management for the LAN users, such as block QQ, MSN and BT download applications

Defense against DoS/DDoS attacks

Supports IP packet filtering based on IP address, protocol and TCP/UDP port

Supports URL and keyword filtering

Supports MAC address filtering

Supports DNS request filtering

Supports address group and service group setup

Supports advanced firewall function based on address group and service group

Supports strong DHCP features: DHCP Server, DHCP Relay Agent and DHCP Client

Supports PPPoE Server feature

Supports UPnP (universal plug and play)

Supports express forwarding

Supports rate limit of the LAN hosts based on schedules

Supports port-based VLAN


Supports port mirroring

1.2 Main Features

1. LAN Interface

● Multiple-port Switch: Provides an integrated multiple-port 10/100Mbps switch; each port supports auto MDI/MDI-X.

● DHCP Server: It can act as a DHCP server to dynamically assign IP addresses and other TCP/IP configuration parameters (such as gateway IP address, DNS and WINS server IP addresses) to the LAN hosts.

● Multiple Subnets: It can be assigned multiple IP addresses to connect multiple subnets.

● Routing Protocols: It supports static routing and dynamic routing protocols including RIP I and RIP II.

● Port-based VLAN: A VLAN (Virtual Local Area Network) is a group of devices that form a logical LAN segment, that is, a broadcast domain. The members of the same VLAN can communicate with each other, and traffic in one VLAN does not disturb other VLANs. Note that only some models support this feature.

● Port Mirroring: It allows an administrator to monitor network traffic. It copies the traffic from specified ports to another port where the traffic can be monitored. Then the administrator can perform traffic monitoring, performance analysis and fault diagnosis. Note that only some models support this feature.

2. WAN Interface

● Multiple WAN Interfaces: It provides multiple 10/100Mbps WAN interfaces that support auto MDI/MDI-X.

● DSL and Cable Modem Supported: FW4x-IPxx-U01 products have passed the compatibility testing with many DSL and cable modems provided by popular manufacturers.

● PPPoE: Each WAN interface can act as a PPPoE (PPP over Ethernet) client to connect to the ISP’s PPPoE server.

● Internet Connection Sharing: The LAN users can share multiple Internet connections to access the Internet using NAT (Network Address Translation).

● Load Balancing and Failover: Provides multiple WAN interfaces that support intelligent load balancing and automatic failover.


● Supports ID Binding for Some Applications, such as online banking, QQ, etc.

3. IP/MAC Binding and Access Control

● Supports IP and MAC address pairs binding

● Supports management and control of multiple Internet services

● Supports Internet harmful websites filtering

● Supports IP packet filtering based on IP address, protocol and TCP/UDP port

● Supports Web content filtering based on URL and keyword

● Supports DNS request filtering

● Supports MAC address filtering

4. IP QoS

● Supports intelligent bandwidth management based on the token bucket algorithm. It can limit the upload and download rates of each LAN host. It also provides flexible bandwidth management to effectively control the network transmission rate and improve bandwidth utilization.

● Supports rate limiting of P2P application traffic. Limiting P2P traffic can effectively solve the network problems caused by the abuse of P2P software.

● Supports preferential forwarding for some predefined special applications, that is, their traffic is not restricted by the rate limit rules, so that these applications run more smoothly and faster.
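The token bucket algorithm named above, shown as an added illustration that is not the Device's own implementation and not code from this manual: each LAN host and direction gets a bucket that refills at the configured rate up to a burst depth, and a packet is forwarded only if the bucket holds enough tokens for its length. The host addresses, rates and packet trace are constructed sample values.

```python
class TokenBucket:
    """Token bucket for one LAN host in one direction (constructed illustration).

    rate  : sustained rate in bytes per second
    burst : bucket depth in bytes (how much may be sent at once after idle time)
    Tokens accrue at `rate` while the bucket is below `burst`; a packet is
    forwarded only if the bucket holds at least its length in tokens.
    """

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # a bucket starts full
        self.last = now

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now

    def allow(self, nbytes, now):
        """Consume tokens for a packet of nbytes at time `now`; False means over the limit."""
        self._refill(now)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class HostRateLimiter:
    """Per-host upload/download limits keyed by LAN IP address."""

    def __init__(self, policy):
        # policy: {host_ip: (upload_rate, download_rate)} in bytes/s;
        # the burst depth is set to one second's worth of the rate.
        self.buckets = {
            ip: {"up": TokenBucket(up, up), "down": TokenBucket(down, down)}
            for ip, (up, down) in policy.items()
        }

    def forward(self, host_ip, direction, nbytes, now):
        host = self.buckets.get(host_ip)
        if host is None:
            return True  # no rate limit rule for this host
        return host[direction].allow(nbytes, now)


def simulate(limiter, packets):
    """Replay (time, host_ip, direction, nbytes) packets; return forwarded bytes per host."""
    forwarded = {}
    for now, host_ip, direction, nbytes in packets:
        if limiter.forward(host_ip, direction, nbytes, now):
            forwarded[host_ip] = forwarded.get(host_ip, 0) + nbytes
    return forwarded


# Constructed sample: host .10 is limited to 1000 B/s upload, host .20 has no rule.
SAMPLE_POLICY = {"192.168.20.10": (1000, 2000)}
SAMPLE_PACKETS = [(i * 0.25, "192.168.20.10", "up", 500) for i in range(9)] + [
    (0.0, "192.168.20.20", "up", 1500) for _ in range(3)
]

if __name__ == "__main__":
    print(simulate(HostRateLimiter(SAMPLE_POLICY), SAMPLE_PACKETS))
```

With 500-byte packets every 0.25 s, the limited host gets its 1000-byte burst through immediately and then settles to the sustained 1000 B/s, so 3000 bytes pass in the two-second trace while the unlimited host is never held back.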

5. Configuration and Management

● Easy Configuration: It provides the Web UI and CLI to facilitate configuration and management.

● Remote Admin: It allows a network administrator to manage the Device remotely from any host on the LAN or WAN.

● Device Restart: It allows you to restart the Device via the Web UI for ease of use.

6. Advanced Features

● DMZ Host: Supports multiple DMZ hosts. The DMZ (Demilitarized Zone) host feature allows one local host to be exposed to the Internet, so the users can easily access it via the Internet.

● Port Forwarding: You can create multiple port forwarding rules to allow the Internet users to access the services offered by the local servers.


● Advanced DHCP: All the physical interfaces support DHCP client, DHCP server and DHCP relay agent. When acting as a DHCP server, the Device supports multiple address pools and provides a flexible and sufficient IP address allocation policy. Using the DHCP server and DHCP relay agent together can fully meet various user requirements.

● Special Application Supported: Supports the use of some special Internet applications, such as the Tencent QQ, online games, Video software, Audio software, and so on.

● DDNS: Supports Dynamic Domain Name System (DDNS) service.

● PPPoE Server: Supports rich PPPoE server features, which include PPPoE account and MAC address binding, PPPoE account and IP address binding, and PPPoE IP and MAC address pair binding.

● Express Forwarding: It supports express forwarding to greatly improve system performance.

● Notice Feature: The Device can pop up the notice messages to the LAN users.

7. Security Features

● Configuration File: You can configure and modify the administrator password to prevent those unauthorized users from modifying the settings of the Device; and you can back up the configuration file to prevent accidental loss of settings.

● Access Control: The administrator can restrict some LAN users from accessing the Internet or some Internet services.

● Real-time Monitoring: Supports real-time monitoring and management of the LAN traffic and users, to promptly detect network problems and abnormal users.

● Firewall Protection: The Device can monitor all the traffic from the Internet, block all the illegal requests to the LAN servers, block IP address and port scanning by hacker software, to prevent malicious attacks from the Internet, such as DoS/DDoS attacks. It also allows you to set up an Internet blacklist and whitelist. Furthermore, it supports advanced firewall function based on address group and service group.

● Internet Behavior Management: You can allow or block the specified LAN users from using popular IM (e.g., QQ, MSN) and P2P applications (e.g., BitComet, BitSpirit, Thunder Search), downloading the files with the extension .exe, .dll, .vbs, .com, .bat or .sys over HTTP, playing online games, accessing stock and game websites, submitting input in the webpage, using HTTP proxy, and so on.


1.3 VPN Features

The FW4x-IPxx-U01 products provide full VPN features including IPSec VPN, L2TP VPN and PPTP VPN, and they can be used at the same time. The detailed features are as follows:

1. Supports VPN tunnels using dynamic IP addresses

2. Supports site-to-site VPN

3. Supports remote access VPN (mobile user-to-site)

4. Supports L2TP server and client

5. Supports PPTP server and client

6. The main features of IPSec are as follows:

● AutoIKE based on preshared key

● Manual key tunnel

● ESP and AH protocols

● DES, 3DES and AES 128/192/256 encryption algorithms

● MD5 and SHA-1 hash algorithms

● Diffie-Hellman group 1, 2 and 5

● Main mode and aggressive mode

● DPD (dead peer detection) and Anti-Replay

● Hub-spoke and mesh connections

● IPSec NAT traversal

Note

For detailed information about how to configure VPN features, please refer to the related VPN configuration manual.

1.4 Physical Specification

1. Conforms to IEEE 802.3 Ethernet and IEEE 802.3u Fast Ethernet standards

2. Supports TCP/IP, PPPoE, DHCP, ICMP, NAT, Static Route, RIP I/II, SNMP (MIB II), etc.

3. Each physical port supports auto-negotiation for the speed and duplex mode

4. Each physical port supports auto-MDIX

5. Provides system and port LEDs

6. Operating Environment:

Temperature: 32°F to 104°F (0°C to 40°C)

Relative Humidity: 10% to 90%, non-condensing

Altitude: 0m to 4000m

1.5 Detailed Specifications Table

The FW4x-IPxx-U01 products include multiple models. The features and specifications of each model are different. The following table lists detailed specifications for each model.

Feature                        FW41IP5-U01    FW42IP16-U01
Number of LAN Ports            4              4
Number of WAN Interfaces       1              2
LAN Interface Speed            10/100M        10/100M
WAN Interface Speed            10/100M        10/100M

Internet Connection Setup

Load Balancing and failover

DHCP and DNS

DDNS


NAT

Static Route

Policy-based Routing

IP/MAC binding

DNS Redirection

Advanced DHCP

UPnP

Plug and Play

Express Forwarding

VLAN

Port Mirroring

Administrator Setup

System Time Setup

Firmware Upgrade

Backup & Restore Configuration

SNMP

SYSLOG

Remote Admin

PPPoE Server


PPPoE IP/MAC Binding

Account Billing of PPPoE Server

PPPoE Account Expiration Notice

PPPoE Session Status

User Statistics

NAT Statistics

DHCP Statistics

Interface Statistics

Route Table

System Information

System Log

Intelligent Bandwidth Management

Web Log

P2P Traffic Rate Limiting

Application QoS

Application Traffic Statistics

WAN Traffic Statistics

Notice Feature

Domain Name Filtering


Domain Name Blocking Notice

Access Control List

Address Group

Service Group

Schedule

Internal and External Attack Defense

Internet Behavior Management

Policy Database

ARP Spoofing Defense

NAT Session Limit

Web Authentication

VPN (PPTP/L2TP/IPSec)

Table 1-1 Detailed Specifications


Chapter 2 Hardware Installation

This chapter describes how to install the FW4x-IPxx-U01 products, which include the FW41IP5-U01 and FW42IP16-U01.

2.1 Installation Requirements

1. A standard 10/100M or 10/100/1000M Ethernet network.

2. Each LAN PC needs a working Ethernet adapter.

3. TCP/IP should be installed on each PC properly.

4. You should have a DSL modem, cable modem or fiber optic modem.

5. If you will use a PPPoE Internet connection to access the Internet, you should have a login name and password provided by your ISP.

2.2 Installation Procedure

Please make sure that the Device is powered off before installing it. The installation procedures of the FW4x-IPxx-U01 products are very similar and in general include the following steps.

Step 1 Select a proper location to install the Device. You can install the Device in a 19-inch standard rack, or on a level surface such as a desktop or shelf if you don’t have a 19-inch standard rack.

Step 2 Connect the Device to the LAN, that is, connect the PC or switch on your LAN to a LAN port of the Device.

Step 3 Connect the Device to the WAN, that is, connect your DSL, cable or fiber optic modem to a WAN port of the Device.

Step 4 Power on the Device. Note: Before powering on the Device, make sure that the power supply and connectivity are normal, and the power outlet is grounded properly.

Step 5 Check the LEDs on the front panel of the Device to see whether the Device is working well or not.

The following sections describe the installation procedure, network connection diagram, and LED status of each model respectively.

2.3 Installation Procedure of FW41IP5-U01

1. Selecting the Proper Location

Before installing the FW41IP5-U01, make sure that it is powered off, and then select a proper location. The FW41IP5-U01 is designed as a desktop device; you can install it on a level surface such as a desktop or shelf.

Note

Please ensure that the desktop or shelf is stable and the power outlet is grounded properly, and do not place heavy objects on the FW41IP5-U01.

2. Connecting the FW41IP5-U01 to the LAN

See Figure 2-1, connect a standard network cable from a PC or switch to a LAN port of the FW41IP5-U01. The FW41IP5-U01 will automatically adapt to any Ethernet device which is operating at 10Mbps or 100Mbps.


Figure 2-1 Connecting the FW41IP5-U01 to the LAN and Internet

3. Connecting the FW41IP5-U01 to the Internet

Connect the network cable provided by the manufacturer from the DSL, cable or fiber optic modem to a WAN port of the FW41IP5-U01, see Figure 2-1. If you don’t have a network cable provided by the manufacturer, please use a standard network cable.

4. Powering On the FW41IP5-U01

Connect the supplied power cord to the power connector on the back panel of the FW41IP5-U01, and then plug the other end of the power cord into a grounded power outlet, lastly turn on the power switch on the back of the FW41IP5-U01.

Note

To prevent the FW41IP5-U01 from working abnormally or being damaged, make sure that the power supply and connectivity are normal, and the power outlet is grounded properly before powering on the FW41IP5-U01.

5. Checking the LEDs

The LEDs are located on the front panel of the FW41IP5-U01, see Figure 2-2. We divide the LEDs into two groups:

● The first group includes four system LEDs on the left two columns, which indicate power status, operational status and failures of the FW41IP5-U01, see Table 2-1 for detailed description.

● The second group includes the ten port LEDs on the right five columns, which indicate the status of each port, see Table 2-2 for detailed description. Each port has two LEDs; LEDs 1 through 4 correspond to LAN1 through LAN4 respectively, and LED WAN corresponds to the WAN port.

Figure 2-2 LEDs on the FW41IP5-U01

LED: SYS
Status During Startup: One second after powering up, the LED flashes fast for one second, then extinguishes for two seconds, and lastly flashes twice per second.
Status During Operating: The LED flashes twice per second when the system is operating properly, and it flashes slower if the system is under heavy load. The LED extinguishes or lights steady if a fault has occurred in the Device.

LED: PWR
Status During Startup: The LED lights during startup.
Status During Operating: The LED lights steady when power is being supplied to the Device.

LED: TRF
Status During Startup: The LED lights during startup.
Status During Operating: The LED flashes when the Device is sending or receiving data, and extinguishes if there is no network traffic on the Device.

LED: FLT
Status During Startup: The LED lights during startup.
Status During Operating: The LED extinguishes when the Device is operating properly. The LED flashes if a fault has occurred in the Device, and the Device restarts automatically after a certain number of flashes.

Table 2-1 Description of the System LEDs on the FW41IP5-U01

LED: Link/Act
Status During Startup: All the Link/Act LEDs flash firstly, and then they extinguish.
Status During Operating: The LED lights steady when a link between the corresponding port and another device is detected. The LED flashes when the corresponding port is sending or receiving data.

LED: 100Mbps
Status During Startup: After the Link/Act LEDs are extinguished, all the 100Mbps LEDs flash firstly, and then extinguish.
Status During Operating: The LED lights steady when a device is connected to the corresponding port and a 100Mbps link is established between them.

Table 2-2 Description of the Port LEDs on the FW41IP5-U01

6. Reset Button

If you forget the administrator password, you can use the Reset button to reset the Device to factory default settings. The operation is as follows: While the Device is powered on, use a pin or paper clip to press and hold the Reset button for more than 5 seconds, and then release the button. After that, the Device will restart with factory default settings.

Note

This operation will clear all the custom settings on the Device. If you remember the administrator account, it is strongly recommended that you go to the System > Configuration page to back up the current configuration first, and then reset the Device to factory default settings.


2.4 Installation Procedure of FW42IP16-U01

1. Selecting the Proper Location

Before installing the FW42IP16-U01, make sure that it is powered off, and then select a proper location. As the FW42IP16-U01 is designed for an 11-inch standard rack, you can install it in a standard rack; you can also install it on a level surface such as a desktop or shelf.

1) Installing the FW42IP16-U01 in an 11-inch Rack

See Figure 2-3. To install the FW42IP16-U01 in an 11-inch rack, first attach the rack-mount brackets to the sides of the FW42IP16-U01 (one on each side) with the supplied screws and secure them tightly, then position the FW42IP16-U01 in the rack and use the supplied screws to secure it in the rack.

Figure 2-3 Install the FW42IP16-U01 in a Rack

2) Installing the FW42IP16-U01 on a desktop or shelf

If you don’t have an 11-inch standard rack, you may directly place the FW42IP16-U01 on a sturdy, flat surface (such as a desktop or shelf) with a power outlet nearby.

Note

Please ensure that the desktop or shelf is stable and the power outlet is grounded properly, and do not place heavy objects on the FW42IP16-U01.

2. Connecting the FW42IP16-U01 to the LAN

See Figure 2-4, connect a standard network cable from a PC or switch to a LAN port of the FW42IP16-U01. The FW42IP16-U01 will automatically adapt to any Ethernet device which is operating at 10Mbps or 100Mbps.

Figure 2-4 Connecting the FW42IP16-U01 to the LAN and Internet

3. Connecting the FW42IP16-U01 to the Internet

Connect the network cable provided by the manufacturer from the DSL, cable or fiber optic modem to a WAN port of the FW42IP16-U01, see Figure 2-4. If you don’t have a network cable provided by the manufacturer, please use a standard network cable.

4. Powering On the FW42IP16-U01

Connect the supplied power cord to the power connector on the back panel of the FW42IP16-U01, and then plug the other end of the power cord into a grounded power outlet, lastly turn on the power switch on the back of the FW42IP16-U01.

Note

To prevent the FW42IP16-U01 from working abnormally or being damaged, make sure that the power supply and connectivity are normal, and the power outlet is grounded properly before powering on the FW42IP16-U01.

5. Checking the LEDs

The LEDs are located on the front panel of the FW42IP16-U01, see Figure 2-5. We divide the LEDs into two groups:


● The first group includes four system LEDs on the left two columns, which indicate power status, operational status and failures of the FW42IP16-U01, see Table 2-3 for detailed description.

● The second group includes the twelve port LEDs on the right six columns, which indicate the status of each port, see Table 2-4 for detailed description. Each port has two LEDs; LEDs 1 through 4 correspond to LAN1 through LAN4 respectively, and LEDs 5 through 6 correspond to WAN1 through WAN2 respectively.

Figure 2-5 LEDs on the FW42IP16-U01

LED: SYS
Status During Startup: One second after powering up, the LED flashes fast for one second, then extinguishes for two seconds, and lastly flashes twice per second.
Status During Operating: The LED flashes twice per second when the system is operating properly, and it flashes slower if the system is under heavy load. The LED extinguishes or lights steady if a fault has occurred in the Device.

LED: PWR
Status During Startup: The LED lights during startup.
Status During Operating: The LED lights steady when power is being supplied to the Device.

LED: TRF
Status During Startup: The LED lights during startup.
Status During Operating: The LED flashes when the Device is sending or receiving data, and extinguishes if there is no network traffic on the Device.

LED: FLT
Status During Startup: The LED lights during startup.
Status During Operating: The LED extinguishes when the Device is operating properly. The LED flashes if a fault has occurred in the Device, and the Device restarts automatically after a certain number of flashes.

Table 2-3 Description of the System LEDs on the FW42IP16-U01


LED: Link/Act
Status During Startup: All the Link/Act LEDs flash firstly, and then they extinguish.
Status During Operating: The LED lights steady when a link between the corresponding port and another device is detected. The LED flashes when the corresponding port is sending or receiving data.

LED: 100Mbps
Status During Startup: After the Link/Act LEDs are extinguished, all the 100Mbps LEDs flash firstly, and then extinguish.
Status During Operating: The LED lights steady when a device is connected to the corresponding port and a 100Mbps link is established between them.

Table 2-4 Description of the Port LEDs on the FW42IP16-U01

6. Reset Button

If you forget the administrator password, you can use the Reset button to reset the Device to factory default settings. The operation is as follows: While the Device is powered on, use a pin or paper clip to press and hold the Reset button for more than 5 seconds, and then release the button. After that, the Device will restart with factory default settings.

Note

This operation will clear all the custom settings on the Device. If you remember the administrator account, it is strongly recommended that you go to the System > Configuration page to back up the current configuration first, and then reset the Device to factory default settings.


Chapter 3 Logging in to the Device

This chapter describes how to properly configure TCP/IP properties on the PC that you use to administer the Device and how to log in to the Device.

3.1 Configuring Your PC

Before configuring the Device via the Web UI, you need to properly install and configure TCP/IP properties on the PC that you use to administer the Device. The configuration steps are as follows:

Step 1 Connect the PC to a LAN port of the Device.

Step 2 Install the TCP/IP protocol components on your PC. If they are already installed, skip this step.

Step 3 Configure TCP/IP parameters on your PC: If the Device’s LAN interface is using the default IP address 192.168.20.1/24, set the PC’s IP address to an address in the range 192.168.20.2 through 192.168.20.254 that is not already being used by another LAN device, set its subnet mask to 255.255.255.0, set its default gateway to 192.168.20.1, and set its DNS server to an available IP address provided by your ISP.

Step 4 To verify the network connection between your PC and the Device, use the ping command at the MS-DOS command prompt on the PC: Ping 192.168.20.1

If the displayed output is similar to the screenshot below, the connection between your PC and the Device has been established.


If the displayed output is similar to the screenshot below, it means that your PC has not connected to the Device.

If the connection fails, check the following:

1. Is the physical link between your PC and the Device connected properly?

The Link/Act LED corresponding to the Device’s LAN port and the LED on your PC’s adapter should light.

2. Is the TCP/IP configuration for your PC correct?

If the Device’s LAN interface is using the default IP address 192.168.20.1/24, your PC’s IP address should be an IP address in the range of 192.168.20.2 through 192.168.20.254 that is not already being used by another LAN device, and its default gateway should be 192.168.20.1.
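The checks in Step 3 and the troubleshooting list above, written out as an added Python example that is not part of this manual: it reports every way a PC's TCP/IP settings fail to match the Device's LAN. The Device address is the manual's default 192.168.20.1/24; the PC settings and the set of addresses already in use are constructed sample values.

```python
import ipaddress

# Default LAN interface address of the Device (from the manual).
DEVICE_LAN = ipaddress.ip_interface("192.168.20.1/24")


def check_pc_tcpip(pc_ip, pc_mask, pc_gateway, device_lan=DEVICE_LAN, in_use=frozenset()):
    """Return the list of problems in a PC's TCP/IP settings; an empty list means OK.

    `in_use` holds addresses already taken by other LAN devices, since the
    manual requires an address that is not already being used.
    """
    try:
        pc = ipaddress.ip_interface(f"{pc_ip}/{pc_mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]

    problems = []
    if pc.network.prefixlen != device_lan.network.prefixlen:
        problems.append(f"subnet mask {pc.netmask} should be {device_lan.netmask}")
    if pc.ip not in device_lan.network:
        problems.append(f"{pc.ip} is outside the Device's LAN {device_lan.network}")
    elif pc.ip == device_lan.ip:
        problems.append(f"{pc.ip} is the Device's own address")
    elif pc.ip in (device_lan.network.network_address, device_lan.network.broadcast_address):
        problems.append(f"{pc.ip} is the network or broadcast address, not a host address")
    if str(pc.ip) in in_use:
        problems.append(f"{pc.ip} is already used by another LAN device")

    try:
        gateway = ipaddress.ip_address(pc_gateway)
    except ValueError:
        problems.append(f"invalid default gateway {pc_gateway!r}")
    else:
        if gateway != device_lan.ip:
            problems.append(f"default gateway {gateway} should be {device_lan.ip}")
    return problems


# Constructed sample: addresses already handed out on this LAN.
SAMPLE_IN_USE = frozenset({"192.168.20.2", "192.168.20.3"})

if __name__ == "__main__":
    for ip, mask, gw in [
        ("192.168.20.100", "255.255.255.0", "192.168.20.1"),  # correct
        ("192.168.1.100", "255.255.255.0", "192.168.1.1"),    # wrong subnet and gateway
        ("192.168.20.2", "255.255.0.0", "192.168.20.1"),      # wrong mask, address taken
    ]:
        print(ip, check_pc_tcpip(ip, mask, gw, in_use=SAMPLE_IN_USE) or "OK")
```

The function reports all problems at once rather than stopping at the first, which mirrors how the two checks above are meant to be worked through together.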


3.2 Logging in to the Device

No matter what operating system is installed on the PC (MS Windows, Macintosh, UNIX, Linux, and so on), you can configure the Device through a Web browser (for example, Internet Explorer).

Once your PC is properly configured, do the following to log in to the Device: Open a Web browser, enter the Device’s LAN IP address in the address bar (by default, the address is 192.168.20.1, see Figure 3-1), and then press the <Enter> key.

Figure 3-1 Entering IP address in the Address Bar

A login screen prompts you for your user name and password. When you first log in to the Device, use the default administrator account: Enter admin (case sensitive) in both the User name field and the Password field (see Figure 3-2), and then click OK.

Figure 3-2 Login Screen

Once you have entered correct user name and password, the Status > System Info page will appear (see Figure 3-3).


Figure 3-3 Homepage - System Info Page

In the Device’s Web page, the system model and version are displayed at the top right corner, some shortcut icons are displayed at the top, and a toolbar is displayed below the shortcut icons.

You can click Add to Toolbar to add a shortcut menu for the current page to the toolbar. The shortcut menus are arranged from left to right in chronological order of creation, and by default the Device provides the Quick Wizard shortcut menu at the leftmost position of the toolbar.

If you have not configured any Internet connection yet, please click the Quick Wizard hyperlink to configure the basic parameters to quickly connect the Device to the Internet.

Refer to Chapter 4 Quick Wizard for detailed operation.


Chapter 4 Quick Wizard

This chapter describes the Basic > Quick Wizard page. The Quick Wizard allows you to configure the basic parameters to quickly connect the Device to the Internet.

Before using the Quick Wizard, you need to properly install and configure TCP/IP properties on the LAN PCs. Refer to section 3.1 Configuring Your PC for detailed operation.

4.1 Running the Quick Wizard

Click the Quick Wizard hyperlink at the top of the Web page or click Basic > Quick Wizard to run the Quick Wizard. The Quick Wizard will guide you to configure the most basic features of the Device, such as Internet connection settings. Even if you are unfamiliar with the product, you can easily complete the settings by following the instructions.

Figure 4-1 Running the Quick Wizard

● Exit the Wizard: Click it to exit the Quick Wizard.

● Next: Click it to go to the next page of the Quick Wizard to set the IP address and subnet mask of the LAN interface.


4.2 LAN Settings

Figure 4-2 LAN Settings

● IP Address: It specifies the IP address of the LAN interface. The default value is 192.168.20.1.

● Subnet Mask: It specifies the subnet mask that defines the range of the LAN. The default value is 255.255.255.0.

● Back: Click it to go back to the previous page of the Quick Wizard.

● Next: Click it to go to the next page of the Quick Wizard to choose the Internet connection type.

4.3 Choosing an Internet Connection Type

The Device provides three Internet connection types including PPPoE, Static IP and DHCP, see Figure 4-3. Select the connection type provided by your Internet Service Provider (ISP) from the radio buttons.


Figure 4-3 Choosing an Internet Connection Type

● PPPoE: Some DSL-based ISPs use PPPoE to establish Internet connections for end-users. If you use a DSL line, check with your ISP to see if they use PPPoE, and then select the PPPoE radio button.

● Static IP: If you are required to use a static IP address, select the Static IP radio button.

● DHCP: If your ISP dynamically assigns an IP address to the Device, select the DHCP radio button. Most cable modem subscribers use this connection type.

● Back: Click it to go back to the previous page of the Quick Wizard.

● Select the PPPoE radio button, and then click the Next button to go to the next page of the Quick Wizard to configure a PPPoE Internet connection on the WAN1 interface.

● Select the Static IP radio button, and then click the Next button to go to the next page of the Quick Wizard to configure a static IP Internet connection on the WAN1 interface.

● Select the DHCP radio button, and then click the Next button to go to the next page of the Quick Wizard to configure a DHCP Internet connection on the WAN1 interface.


4.4 Internet Connection Settings

4.4.1 Notes on Internet Connection Settings

1. If you have changed the LAN IP address and saved the change, you should use the new IP address to log in to the Device again, and each LAN host’s default gateway should be changed to this new IP address so that the hosts can access the Device and the Internet normally.

2. After you have finished configuring the Internet connection on the WAN1 interface, you can continue to configure the Internet connection on the WAN2, WAN3 and WAN4 interfaces in turn. Note that the number of WAN interfaces depends on the specific product model.

3. After you have finished configuring one or more Internet connections, it is recommended that you first click the Review Your Configuration button in the Quick Wizard’s confirmation page to review the settings you have made in the Quick Wizard, modify any of them if desired, and lastly click the Finish button to save the settings and make them take effect.


4.4.2 PPPoE Internet Connection Settings

Figure 4-4 Choose PPPoE as the Connection Type

In the page of choosing an Internet connection type (see Figure 4-4), select the PPPoE radio button, and then click the Next button to go to the PPPoE Internet connection settings page, see Figure 4-5.


Figure 4-5 PPPoE Internet Connection Settings

● User Name and Password: They specify the PPPoE login user name and password provided by your ISP.

● Back: Click it to go back to the previous page of the Quick Wizard.

● Continue WAN2 Settings: Click it to continue to configure the Internet connection on the WAN2 interface if needed.

● Skip WAN2 Settings: Click it to go to the confirmation page at the end of the Quick Wizard if you don’t want to configure another Internet connection in the Quick Wizard.

4.4.3 Static IP Internet Connection Settings

Figure 4-6 Choosing Static IP as the Connection Type

In the page of choosing an Internet connection type (see Figure 4-6), select the Static IP radio button, and then click the Next button to go to the static IP Internet connection settings page, see Figure 4-7.


Figure 4-7 Static IP Internet Connection Settings

● IP Address: It specifies the IP address of the WAN interface, which is provided by your ISP.

● Subnet Mask: It specifies the subnet mask of the WAN interface, which is provided by your ISP.

● Default Gateway: It specifies the IP address of the default gateway, which is provided by your ISP.

● Primary DNS Server: It specifies the IP address of your ISP’s primary DNS server.

● Secondary DNS Server: It specifies the IP address of your ISP’s secondary DNS server. Set it if one is available; otherwise, leave it as 0.0.0.0.

● Back: Click it to go back to the previous page of the Quick Wizard.

● Continue WAN2 Settings: Click it to continue to configure the Internet connection on the WAN2 interface if needed.

● Skip WAN2 Settings: Click it to go to the confirmation page at the end of the Quick Wizard if you don’t want to configure another Internet connection in the Quick Wizard.

Note

The WAN IP address and default gateway IP address should be on the same subnet. If they are not, please modify the Subnet Mask so that they are on the same subnet. If you are not familiar with subnetting, please ask a professional or a Digicom support engineer for help.

4.4.4 DHCP Internet Connection Settings

Figure 4-8 Choosing DHCP as the Connection Type

In the page of choosing an Internet connection type (see Figure 4-8), select the DHCP radio button, and then directly click the Continue WAN2 Settings button to continue to configure the Internet connection on the WAN2 interface if needed, or click the Skip WAN2 Settings button to go to the confirmation page at the end of the Quick Wizard if you don’t want to configure another Internet connection in the Quick Wizard.

4.5 Reviewing and Saving the Settings

After you have finished configuring one or more Internet connections, it is recommended that you first click the Review Your Configuration button in the Quick Wizard’s confirmation page to review the settings you have made in the Quick Wizard, modify any of them if desired, and lastly click the Finish button to save the settings and make them take effect.

Note

Do not forget to click the Finish button to save the settings you have made in the Quick Wizard, else the related settings will be discarded.

Figure 4-9 Viewing and Saving the Settings Made in the Quick Wizard

4.6 Summary

Once you have clicked the Finish button in the confirmation page, you have completed the configuration of the most basic features through the Quick Wizard. If you cannot access the Internet through the Device yet, please check whether all the settings that you have made in the Quick Wizard are correct. You can also go to the Basic > WAN page to view the status of the Internet connection(s), and to view and modify the related configuration parameters.

Chapter 5 System Status

This chapter describes the system status related pages, which provide a lot of operating status information and statistics of the Device. By viewing them, the network administrator can easily analyze the system status and monitor the activities on the Device.

When NAT is enabled, the Device provides a set of powerful monitoring functions, which are divided into two categories: classification statistics, which help the administrator find the problems that have occurred in the network; and real-time monitoring, which helps the administrator analyze an occurring problem to find out on which host it happens, what the problem is, and its impact on other hosts.

The management of the Device operating status is divided into two levels:

Physical status: The status and statistics for each physical interface, which include the operating status, ingress and egress traffic statistics, routing table, and so on.

NAT status: The status and statistics for every LAN user (i.e., LAN host), which include upload and download packet statistics, upload and download rate, total NAT sessions, and so on.

5.1 System Information

In the Status > System Info page, you may view some system information, which include system up time, system resource usage status, system version, port status, and interface rate chart.

5.1.1 System Up Time

Figure 5-1 System Up Time

 System Time: It displays the system’s current date (YYYY-MM-DD) and time (HH:MM:SS).

 System Up Time: It displays the elapsed time (in days, hours, minutes and seconds) since the Device was last started.

5.1.2 System Resource

Figure 5-2 System Resource Usage Information

 CPU: The real-time CPU usage information, which is displayed as a status bar and percentage.

 Memory: The real-time memory usage information, which is displayed as a status bar and percentage.

 Session: The ratio of current active NAT sessions to the maximum sessions that the Device supports, which is displayed as a status bar and percentage.

Note

1. The color of the status bar indicates the usage percentage for each resource.

● When the percentage is below 1%, the bar is blank.

● When the percentage is between 1% and 50% (below 50%), the color is green.

● When the percentage is between 50% and 70% (below 70%), the color is yellow.

● When the percentage is equal to or above 70%, the color is red.

2. The above resource usage information indicates the load of the Device. If the usage percentages are all relatively low, the Device still has the capacity to process more tasks. If they are all very high, the Device is nearly at full load, and network delays may occur if the Device takes on new tasks.

5.1.3 System Version

Figure 5-3 System Version

 SN: It displays the internal serial number of the Device, which may be different from the SN found on the label at the bottom of the Device.

 Model: It displays the product model of the Device.

 Version: It displays the version of ReOS firmware running on the Device.

5.1.4 Port Information

5.1.4.1 Port Status

Figure 5-4 Port Status


The port status figure indicates whether each physical port of the Device is active (Up) or inactive (Down). If a port is down, it is shaded black; otherwise it is shaded green, and its speed, duplex and MDI or MDI-X status are displayed. In Figure 5-4, the LAN4 and WAN1 ports are active.

5.1.4.2 Interface Rate Chart

The interface rate chart dynamically displays the real-time RX/TX rate, average RX/TX rate, maximum RX/TX rate and total RX/TX traffic of each physical interface. If you want to view the rate chart of an interface, click the corresponding interface name hyperlink.

In the interface rate chart, the abscissa (x-axis) shows the time, and the ordinate (y-axis) shows the real-time RX/TX rate. Furthermore, you can adjust some parameters of the chart if needed, such as the time interval during which the real-time rates are calculated and displayed, and the displayed colors. Note: The rate chart can only show the rate and traffic information of the last ten minutes. Each time you open this page, the rate chart starts anew.

Figure 5-5 Interface Rate Chart

 RX: It indicates the real-time RX rate of the physical interface, which is calculated every two seconds. For the LAN interface, RX means uploading; for the WAN interface, it means downloading.


 TX: It indicates the real-time TX rate of the physical interface, which is calculated every two seconds. For the LAN interface, TX means downloading; for the WAN interface, it means uploading.

 Avg: It indicates the average RX or TX rate of the physical interface since the current page was last opened.

 Peak: It indicates the maximum RX or TX rate of the physical interface since the current page was last opened.

 Total: It indicates the total RX or TX traffic of the physical interface since the current page was last opened.

 LAN/WANx: It allows you to click the interface name hyperlink to view the rate chart of the selected interface. Therein, x (value: 1, 2, 3, 4) indicates the corresponding WAN interface, and the number of WAN interfaces depends on the specific product model. For example, click the WAN1 hyperlink to view the rate chart of the WAN1 interface.

Note

If the SVG Viewer isn’t installed on your PC, the rate chart cannot be displayed properly. To view the rate chart, click the (Please install svgviewer if the page cannot display properly.) hyperlink to download and install the SVG Viewer.


5.2 NAT Statistics

Through the NAT Statistics list in the Status > NAT Stats page, you can view the NAT session details for each LAN user (host).

Figure 5-6 NAT Statistics List

 ID: It is used to identify each entry in the list.

 Description: If the LAN user is an IP/MAC binding user, it displays the description of the user; else it is blank.

 IP Address: It displays the IP address of the LAN host.

 Active Sessions: It displays the number of NAT sessions that are being used by the LAN host now.

 Overflow: It displays the cumulative count of the LAN host’s overflowing requests due to the maximum sessions limit. The maximum sessions can be configured in the Security > NAT Session Limit page.

 Rx Packets: It displays the number of packets downloaded by the LAN host through the NAT function.

 Tx Packets: It displays the number of packets uploaded by the LAN host through the NAT function.

 Tx Broadcast Packets: It displays the number of broadcast and multicast packets transmitted from the LAN host to the Device.

 Total Sessions: It displays the total number of NAT sessions of the LAN host, which include those sessions that aren’t being used now.

 Clear: Click it to clear the NAT statistics in the list, which include Overflow, Rx Packets, Tx Packets, Tx Broadcast Packets and Total Sessions.

 Refresh: Click it to view the latest information in the list .

Note

1. The NAT session limit feature can help the Device prevent some types of network attacks. If a user’s Total Sessions has reached the maximum value (configured in the Security > NAT Session Limit page), any further request for creating a new session will be discarded, and the Overflow will be updated synchronously. In this case, the administrator can find potential DDoS attacks by viewing the logs in the Status > System Log page.

2. The user with the most Rx Packets has downloaded the most packets from the Internet.

3. The user with the most Tx Packets has uploaded the most packets to the Internet.

4. The user with the most Active Sessions is the most active now.

5. If the Overflow is larger than 100, or the Tx Packets is far larger than the Rx Packets, this host is suspected of running port scanner software now.

6. If the Tx Packets is very large, but the Rx Packets is very small or zero, this host is suspected of performing a DoS/DDoS attack.
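The session-limit behaviour of note 1 and the triage rules of notes 2 to 6, as an added example that is not code from the manual or from the Device. `HostNatStats` models one row of the NAT Statistics list; `request_session` implements note 1 literally (a request beyond the limit is discarded and Overflow is incremented); `suspicious` applies notes 5 and 6 and `top_hosts` notes 2 to 4. The only threshold the manual gives is "Overflow larger than 100"; the 10x Tx/Rx ratio, the 50-packet floor and the 10 000 / 100 packet cut-offs are my assumptions, exposed as parameters so an administrator can tune them to the site. All host rows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostNatStats:
    """One entry of the NAT Statistics list for a LAN host."""
    ip: str
    max_sessions: int          # value configured in Security > NAT Session Limit
    active_sessions: int = 0
    total_sessions: int = 0
    overflow: int = 0
    rx_packets: int = 0
    tx_packets: int = 0

    def request_session(self) -> bool:
        """Note 1: once Total Sessions reaches the limit, the request for a new
        session is discarded and Overflow is updated. Returns whether it was created."""
        if self.total_sessions >= self.max_sessions:
            self.overflow += 1
            return False
        self.active_sessions += 1
        self.total_sessions += 1
        return True

    def close_session(self) -> None:
        # A closed session is no longer active, but Total Sessions still counts it.
        if self.active_sessions > 0:
            self.active_sessions -= 1


def suspicious(host: HostNatStats, overflow_threshold: int = 100, tx_rx_ratio: int = 10,
               min_tx: int = 50, large_tx: int = 10_000, small_rx: int = 100) -> List[str]:
    """Notes 5 and 6 applied to one row. Only overflow_threshold comes from the
    manual; the other cut-offs are assumptions."""
    findings: List[str] = []
    # "Tx Packets far larger than Rx Packets": a ratio test with a small floor so a
    # host that has sent a handful of packets and received none is not flagged.
    far_more_tx = host.tx_packets >= min_tx and host.tx_packets > tx_rx_ratio * host.rx_packets
    if host.overflow > overflow_threshold or far_more_tx:
        findings.append("port scanner suspected (note 5)")
    if host.tx_packets >= large_tx and host.rx_packets <= small_rx:
        findings.append("DoS/DDoS source suspected (note 6)")
    return findings


def top_hosts(rows: List[HostNatStats]) -> Dict[str, str]:
    """Notes 2 to 4: the host that downloaded most, uploaded most, and is most active now."""
    return {
        "most_downloaded": max(rows, key=lambda r: r.rx_packets).ip,
        "most_uploaded": max(rows, key=lambda r: r.tx_packets).ip,
        "most_active": max(rows, key=lambda r: r.active_sessions).ip,
    }


if __name__ == "__main__":
    # Constructed rows: a scanner-like host, a flooding host and a normal one.
    rows = [
        HostNatStats("192.168.20.70", 1000, overflow=150, rx_packets=10, tx_packets=2000),
        HostNatStats("192.168.20.71", 1000, rx_packets=0, tx_packets=50_000),
        HostNatStats("192.168.20.72", 1000, active_sessions=40, rx_packets=5000, tx_packets=3000),
    ]
    for row in rows:
        print(row.ip, suspicious(row))
    print(top_hosts(rows))
```

A host that trips both rules is reported twice, which mirrors the manual: a source that only sends matches the "far more Tx than Rx" test of note 5 as well as the volume test of note 6, and the administrator confirms either case in the Status > System Log page.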


5.3 DHCP Statistics

This section describes the Status > DHCP Stats page, including the DHCP Pool Statistics list, DHCP Server Statistics list, DHCP Conflict Statistics list, DHCP Client Statistics list and DHCP Relay Statistics list.

5.3.1 DHCP Pool Statistics List

The DHCP Pool Statistics list displays the usage information of each DHCP address pool, including IP address and subnet mask, associated MAC address, lease left, DHCP address pool name, status of IP address, and so on.

It allows you to manually bind one or more dynamic IP addresses to the corresponding MAC addresses. The steps are as follows: Click the leftmost check boxes of the entries you want to bind, and then click the Bind button to bind the selected IP and MAC address pairs. Then you may go to the Advanced > DHCP > DHCP Server or Security > IP/MAC Binding page to view or modify them.

Figure 5-7 DHCP Pool Statistics List

 ID: It is used to identify each entry in the list.

 IP Address: It displays the IP address of the DHCP client.

 Subnet Mask: It displays the subnet mask of the DHCP client.

 MAC Address: It displays the MAC address of the DHCP client.


 Lease Left: It displays the time remaining until the current IP address lease expires, shown as DD: HH: MM: SS.

 Pool Name: It displays name of the DHCP address pool.

 Status: It displays the status of the IP address. The possible values are Detecting, Assigned, and Conflicted.

Detecting: It indicates that the DHCP server is detecting whether the IP address is already in use or not.

Assigned: It indicates that the DHCP server has assigned the IP address to the client.

Conflicted: It indicates that the DHCP server has detected a conflict for the IP address, i.e., there is another host on the network using the same IP address.

 Type: It displays the manner in which the IP address was assigned to the DHCP client. The possible values are Static and Dynamic .

Static: It indicates that the IP address was assigned manually through DHCP manual binding.

Dynamic: It indicates that the IP address was assigned dynamically from a DHCP address pool by the DHCP server.

 Client ID: It displays the client identifier of the DHCP client.

 Relay Agent ID: It displays the relay agent ID of the DHCP client.

 Bind: If you want to manually bind one or more dynamic IP addresses to the corresponding MAC addresses, select the leftmost check boxes of them, and then click the Bind button. Then you may go to the Advanced > DHCP > DHCP Server or Security > IP/MAC Binding page to view and modify those IP/MAC bindings.

 Refresh: Click it to view the latest information in the list .

 Display IP/MAC Binding: Click it to go to the Security > IP/MAC Binding page to view or configure IP/MAC bindings for the LAN hosts.

Note

In the DHCP Pool Statistics list, only the dynamic IP addresses can be bound manually, but the static IP addresses cannot be bound again.


5.3.2 DHCP Server Statistics List

The DHCP Server Statistics list displays the DHCP server statistics, which include the number of each type of DHCP message and the number of assigned IP addresses. The statistics are counted and displayed per physical interface.

Figure 5-8 DHCP Server Statistics List

 Interface: The physical interface on which the DHCP server is applied.

 Discover: During the statistics interval, the number of DHCPDISCOVER messages that were received by the DHCP server.

 Offer: During the statistics interval, the number of DHCPOFFER messages that were sent by the DHCP server.

 Request: During the statistics interval, the number of DHCPREQUEST messages that were received by the DHCP server.

 Ack: During the statistics interval, the number of DHCPACK messages that were sent by the DHCP server.

 Release: During the statistics interval, the number of DHCPRELEASE messages that were received by the DHCP server.

 Decline: During the statistics interval, the number of DHCPDECLINE messages that were received by the DHCP server.

 Nak: During the statistics interval, the number of DHCPNAK messages that were sent by the DHCP server.

 Conflict: During the statistics interval, the number of address conflicts that were detected by the DHCP server.

 Inform: During the statistics interval, the number of DHCPINFORM messages that were received by the DHCP server.

 Unknown: During the statistics interval, the number of unknown packets.

 Client: During the statistics interval, the number of IP addresses that were assigned by the DHCP server.

 Clear: Click it to clear the DHCP server statistics in the list.

 Refresh: Click it to view the latest information in the list .

Note

The statistics interval is the elapsed time since the last clear action.

5.3.3 DHCP Conflict Statistics List

The DHCP Conflict Statistics list displays information related to the address conflicts found by the DHCP server, which include the conflicted IP address, MAC address, the detection method and detection time for each address conflict in the list.

Figure 5-9 DHCP Conflict Statistics List

 IP Address: It displays the conflicted IP address.

 MAC Address: It displays the MAC address of the LAN host where the IP address conflict occurred.

 Detection Method: It displays how the IP address conflict was detected. It may be ARP or ICMP.

 Detection Time: It displays the date (YYYY-MM-DD) and time (HH:MM:SS) when the IP address conflict was detected.

 Refresh: Click it to view the latest information in the list .

5.3.4 DHCP Client Statistics List

The DHCP Client Statistics list displays the DHCP client statistics, which mainly include the number of each type of DHCP message. The statistics are counted and displayed per physical interface.

Figure 5-10 DHCP Client Statistics List

 Interface: The physical interface on which the DHCP client is applied.

 Discover: During the statistics interval, the number of DHCPDISCOVER messages that were sent by the DHCP client.

 Offer: During the statistics interval, the number of DHCPOFFER messages that were received by the DHCP client.

 Request: During the statistics interval, the number of DHCPREQUEST messages that were sent by the DHCP client.

 Ack: During the statistics interval, the number of DHCPACK messages that were received by the DHCP client.

 Release: During the statistics interval, the number of DHCPRELEASE messages that were sent by the DHCP client.

 Decline: During the statistics interval, the number of DHCPDECLINE messages that were sent by the DHCP client.

 Nak: During the statistics interval, the number of DHCPNAK messages that were received by the DHCP client.

 Conflict: During the statistics interval, the number of address conflicts that were found by the DHCP server when trying to assign an address to the DHCP client.

 Inform: During the statistics interval, the number of DHCPINFORM messages that were sent by the DHCP client.

 Unknown: During the statistics interval, the number of unknown packets.

 Clear: Click it to clear the DHCP client statistics in the list.

 Refresh: Click it to view the latest information in the list .

Note

The statistics interval is the elapsed time since the last clear action.

5.3.5 DHCP Relay Statistics List

The DHCP Relay Statistics list displays the DHCP relay agent statistics, which include the number of various types of DHCP messages. The statistics are counted and displayed per physical interface.

Figure 5-11 DHCP Relay Statistics List

 Interface: The physical interface on which the DHCP relay agent is applied.

 Discover: During the statistics interval, the number of DHCPDISCOVER messages that were relayed by the DHCP relay agent.

 Offer: During the statistics interval, the number of DHCPOFFER messages that were relayed by the DHCP relay agent.

 Request: During the statistics interval, the number of DHCPREQUEST messages that were relayed by the DHCP relay agent.

 Ack: During the statistics interval, the number of DHCPACK messages that were relayed by the DHCP relay agent.

 Release: During the statistics interval, the number of DHCPRELEASE messages that were relayed by the DHCP relay agent.

 Decline: During the statistics interval, the number of DHCPDECLINE messages that were relayed by the DHCP relay agent.

 Nak: During the statistics interval, the number of DHCPNAK messages that were relayed by the DHCP relay agent.

 Inform: During the statistics interval, the number of DHCPINFORM messages that were relayed by the DHCP relay agent.

 Nadd: During the statistics interval, the number of DHCP messages to which relay information wasn’t added because of the maximum packet size limit.

 Nreplace: During the statistics interval, the number of DHCP messages in which relay information wasn’t replaced because of the maximum packet size limit.

 Drop: During the statistics interval, the number of DHCP messages that were dropped by the DHCP relay agent.

 Clear: Click it to clear the DHCP relay statistics in the list.

 Refresh: Click it to view the latest information in the list.

Note

The statistics interval is the elapsed time since the last clear action.


5.4 Interface Statistics

The Interface Statistics list displays the traffic statistics of each physical interface, including the number of bytes, unicast packets, and non-unicast (i.e., multicast and broadcast) packets.

Figure 5-12 Interface Statistics List

 ID: It is used to identify each interface of the Device.

 Interface/Direction: It displays the physical interface and the traffic direction.

In: The packets are received by the interface.

Out: The packets are transmitted by the interface.

 Total Bytes: During the statistics interval, the number of bytes that were received or transmitted by the interface.

 Unicast: During the statistics interval, the number of unicast packets that were received or transmitted by the interface.

 Non-unicast: During the statistics interval, the number of broadcast and multicast packets that were received or transmitted by the interface.

 Clear: Click it to clear the interfaces statistics in the list.

 Refresh: Click it to view the latest information in the list .


Note

1. The statistics interval is the elapsed time since the last clear action.

2. The following characteristics indicate that the Device is in normal operation:

● The number of packets received by the WAN interface(s) is close to the number transmitted by the LAN interface.

● The number of bytes received by the WAN interface(s) is close to the number transmitted by the LAN interface.

● The number of packets transmitted by the WAN interface(s) is close to the number received by the LAN interface.

● The number of bytes transmitted by the WAN interface(s) is close to the number received by the LAN interface.

● The total network traffic is steady, without sharp fluctuations.
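The "normal operation" relations of note 2 as a check that can be run over a snapshot of the Interface Statistics list; this is an added example, not code from the manual or from the Device. `SAMPLE_STATS` is a constructed snapshot in the shape of Figure 5-12 (one entry per interface and direction). The manual says "close" and "steady" without numbers, so the 10% tolerance and the 3x-median spike rule are my assumptions and are parameters; the function names are mine.

```python
from statistics import median
from typing import Dict, List, Tuple

Counters = Dict[str, int]
StatsTable = Dict[Tuple[str, str], Counters]

# Constructed snapshot of the Interface Statistics list (Figure 5-12 layout):
# (Interface, Direction) -> Total Bytes, Unicast, Non-unicast. The numbers are made up.
SAMPLE_STATS: StatsTable = {
    ("LAN", "In"):   {"bytes": 52_000_000,  "unicast": 60_000,  "nonunicast": 1_200},
    ("LAN", "Out"):  {"bytes": 410_000_000, "unicast": 305_000, "nonunicast": 900},
    ("WAN1", "In"):  {"bytes": 300_000_000, "unicast": 220_000, "nonunicast": 300},
    ("WAN1", "Out"): {"bytes": 40_000_000,  "unicast": 50_000,  "nonunicast": 100},
    ("WAN2", "In"):  {"bytes": 100_000_000, "unicast": 78_000,  "nonunicast": 200},
    ("WAN2", "Out"): {"bytes": 12_000_000,  "unicast": 11_000,  "nonunicast": 50},
}


def packets(c: Counters) -> int:
    """Total packets of one entry: unicast plus non-unicast (broadcast and multicast)."""
    return c["unicast"] + c["nonunicast"]


def close_enough(a: int, b: int, tol: float) -> bool:
    # "close" taken as within tol of the larger value (assumption; the manual gives no figure)
    return abs(a - b) <= tol * max(a, b, 1)


def balance_checks(stats: StatsTable, tol: float = 0.10) -> Dict[str, bool]:
    """The four WAN/LAN relations from note 2. WAN counters are summed over all
    WAN interfaces, since traffic may be split across several connections."""
    wan_in = [c for (name, d), c in stats.items() if name.startswith("WAN") and d == "In"]
    wan_out = [c for (name, d), c in stats.items() if name.startswith("WAN") and d == "Out"]
    lan_in, lan_out = stats[("LAN", "In")], stats[("LAN", "Out")]
    return {
        "wan_in_packets~lan_out_packets": close_enough(sum(map(packets, wan_in)), packets(lan_out), tol),
        "wan_in_bytes~lan_out_bytes": close_enough(sum(c["bytes"] for c in wan_in), lan_out["bytes"], tol),
        "wan_out_packets~lan_in_packets": close_enough(sum(map(packets, wan_out)), packets(lan_in), tol),
        "wan_out_bytes~lan_in_bytes": close_enough(sum(c["bytes"] for c in wan_out), lan_in["bytes"], tol),
    }


def steady(samples: List[int], spike_factor: float = 3.0) -> bool:
    """Per-interval traffic totals count as steady when no sample exceeds
    spike_factor times the median of the series (assumption)."""
    if not samples:
        return True
    m = median(samples)
    return all(s <= spike_factor * m for s in samples)


def scaled_copy(stats: StatsTable, key: Tuple[str, str], field: str, factor: int) -> StatsTable:
    """Copy of the table with one counter multiplied, to model a broken relation."""
    out = {k: dict(v) for k, v in stats.items()}
    out[key][field] *= factor
    return out


def looks_normal(stats: StatsTable, traffic_samples: List[int]) -> bool:
    return all(balance_checks(stats).values()) and steady(traffic_samples)


if __name__ == "__main__":
    print(balance_checks(SAMPLE_STATS))
    print(looks_normal(SAMPLE_STATS, [100, 110, 95, 105]))   # True
    print(looks_normal(SAMPLE_STATS, [100, 110, 900, 105]))  # False: one sharp spike
```

A relation that fails is a pointer, not a verdict: bytes received on the WAN side that never leave the LAN side may be traffic terminated on the Device itself (management, VPN) or dropped by the firewall, so the next stop is the NAT Stats and System Log pages rather than the cable.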

5.5 Routing Table

This section describes how to view and use the Routing Table in the Status > Route Stats page.

A router (or gateway) is a device that forwards data packets along networks. One of the basic functions of the router is the ability to select an optimal transmission path for each received packet, and forward the packet to the destination site effectively. The router uses the routing table, which lists the routes to particular network destinations, to accomplish this function. The routing table can be built and updated manually by the system administrator, or dynamically by the router with minimal or no manual intervention.

Figure 5-13 Routing Table

 Destination IP/Mask: It indicates the destination network ID. The Destination IP indicates the IP address of the destination network or destination host, and the Mask indicates the subnet mask associated with the destination network. For example, 192.168.18.0/24 means that the destination network IP address is 192.168.18.0, and the subnet mask is 255.255.255.0.

 Gateway IP: It displays the IP address of the next hop gateway or router to which to forward the packets.

 Interface: It displays the outbound interface through which the packets are forwarded to the next hop gateway or router.

• ie0: LAN interface; ie1: WAN1 interface; ie2: WAN2 interface;

• ptpdial0: Virtual interface waiting for dialing;

• ptpx: Virtual interface x (value: 1, 2, 3…);

• bhole0: Internal interface, the Device will discard any packet forwarded to this interface;

• local: Internal soft-route interface, the packets are forwarded to the Device itself;

• reject: Internal interface, the Device will discard any packet forwarded to this interface and respond an ICMP unreachable packet;

• loopback: Indicates the loopback network with network ID 127.0.0.0/8;

• mcast: Virtual interface, multicast packets will be forwarded to it.

 Flag: *-Hidden, o-OSPF, i-ICMP, l-Local, r-RIP, n-SNMP, c-Connected, s-Static, R-Remote, g-Gateway, h-Host, p-Private, u-Up, t-Temp, M-Multiple, N-NAT, F-Float, a-Append, ?-Unknown.

*-Hidden: The route is inactive as it is backup, or the corresponding Internet connection is inactive.

N-NAT: NAT is enabled on the route, and the LAN hosts are sharing the corresponding Internet connection to access the Internet.

F-Float: The priority related parameters of the route have been configured, and it is floating now. Whether it is enabled or not is determined by the working status of the corresponding Internet connection.

 Priority: It indicates the priority of the route. If there are multiple routes to the same destination with different priorities, the Device will choose the route with the highest priority to forward the packets. The smaller the value, the higher the priority.

 Metric: It indicates the cost of using the route, which is typically the number of hops to the destination. If there are multiple routes with the same priority to the same destination, the Device will choose the route with the lowest metric to forward the packets.

 Use: It indicates the number of lookups for the route.

 Age: It indicates the elapsed time (in seconds) since the route was created in the routing table.

 Refresh: Click it to view the latest information in the list .

 Display Route Settings: Click it to go to the Advanced > Static Route > Static Route List page to view the configured static route settings.

Taking Figure 5-13 as an example, the following describes the different types of routes:

 0.0.0.0/0: It indicates a default static route. The Device uses the default route if no other route matches the destination address of a packet. The default route forwards the packet to a default gateway, whose IP address is configured manually or assigned dynamically by a PPPoE or DHCP server.

 127.0.0.0/8: It indicates a loopback route. The Class A network 127.0.0.0 is defined as the loopback network. Addresses from that network are assigned to interfaces that process data within the local system. These loopback interfaces do not access a physical network. Once it receives a packet that matches the route, the Device will send the packet to itself.

 200.200.202.0/24: It indicates a subnet route. The destination is a subnet. If no host route matches the destination IP address of a packet, the Device will use a subnet route that matches the network ID of the destination IP address. The subnet route forwards the packet to its gateway.

 192.168.20.1/32: It indicates a local host route (its interface is local). Once it receives a packet that matches the route, the Device will not forward it.

 224.0.0.0/4: It indicates a multicast route. Once it receives a multicast packet, the Device will make copies and send them to all receivers that have joined the corresponding multicast group.
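Route selection as this section describes it (longest matching prefix first, then highest priority, i.e. the smallest value, then lowest metric, with hidden routes ignored), carried through on a table modelled on Figure 5-13. This is an added example, not the Device's routing code; `Route`, `lookup`, `forwarding_action` and `with_wan1_down` are my names. The 192.168.20.0/24 LAN subnet route and the WAN2 backup default route with priority 2 are assumptions added so the example can show the subnet-versus-host distinction and what the *-Hidden flag does during failover.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: str                 # Destination IP/Mask, e.g. "200.200.202.0/24"
    gateway: Optional[str]    # next-hop IP; None for connected and internal routes
    interface: str            # ie0/ie1/ie2, local, bhole0, reject, loopback, mcast
    priority: int = 1         # the smaller the value, the higher the priority
    metric: int = 0           # cost; lowest wins among routes of equal priority
    hidden: bool = False      # '*' flag: backup route, or its connection is inactive

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.dest)


# Constructed table modelled on Figure 5-13 (routes marked "assumed" are not in the figure).
TABLE: List[Route] = [
    Route("0.0.0.0/0", "200.200.202.1", "ie1", priority=1),                 # default via WAN1
    Route("0.0.0.0/0", "200.200.203.1", "ie2", priority=2, hidden=True),    # assumed WAN2 backup
    Route("127.0.0.0/8", None, "loopback"),
    Route("200.200.202.0/24", None, "ie1"),                                 # WAN1 subnet
    Route("192.168.20.0/24", None, "ie0"),                                  # assumed LAN subnet
    Route("192.168.20.1/32", None, "local"),                                # Device's own LAN IP
    Route("224.0.0.0/4", None, "mcast"),
]


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Pick the route for dst_ip: longest prefix, then priority (small value
    first), then metric. Hidden routes are never candidates."""
    ip = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if not r.hidden and ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.priority, r.metric))


# What the Device does with a packet, per the interface descriptions above.
ACTIONS = {
    "local": "deliver to the Device itself",
    "loopback": "deliver to the Device itself (loopback)",
    "bhole0": "discard silently",
    "reject": "discard and reply with ICMP unreachable",
    "mcast": "replicate to every member of the multicast group",
}


def forwarding_action(route: Optional[Route]) -> str:
    if route is None:
        return "no route: packet dropped"
    if route.interface in ACTIONS:
        return ACTIONS[route.interface]
    via = f"via {route.gateway} " if route.gateway else ""
    return f"forward {via}on {route.interface}"


def with_wan1_down(table: List[Route]) -> List[Route]:
    """Failover view: the WAN1 default route becomes hidden and the WAN2 backup takes over."""
    return [replace(r, hidden=(r.interface == "ie1")) if r.dest == "0.0.0.0/0" else r
            for r in table]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.200.202.50", "192.168.20.68", "192.168.20.1", "224.0.0.5"):
        r = lookup(TABLE, dst)
        print(f"{dst:16} {r.dest:20} {forwarding_action(r)}")
    print("WAN1 down:", forwarding_action(lookup(with_wan1_down(TABLE), "8.8.8.8")))
```

The ordering matters for reading the Status > Route Stats page: a /32 host route always beats the /24 subnet it sits in, and priority and metric only decide between routes to exactly the same destination, which is why two default routes with different priorities coexist and only one of them is ever active.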


5.6 Session Monitor

This section describes the Status > Session Monitor page, and it tells you how to monitor the Internet activities of the LAN users by the NAT Session List. This page displays the active NAT sessions on the Device, and it lets you filter and display sessions by certain criteria, such as source IP address, destination IP address/domain name, destination port, NAT translated IP address/domain name, and so on. It only displays the NAT sessions that are currently used by the LAN hosts, but doesn’t display NAT statistics.

When receiving a request initiated by a LAN host, the Device will create a NAT session for the request to translate the host’s local IP address to a public IP address. The NAT will translate incoming as well as outgoing packets belonging to the session.

Note

Only the administrator who has Admin privileges can open this page. You can go to the System > Administrator page to view and modify the administrator’s privileges.

5.6.1 Session Monitor Settings

Figure 5-14 Session Monitor Settings

 Filter Option: It specifies an option for filtering and displaying the NAT sessions.

 All: Select it to display all the active NAT sessions on the Device. You can use this option to search the Internet activities of all the LAN users.

 WANx: Select a WAN interface to display the active NAT sessions related to the interface. You can use this option to search the Internet activities of the LAN users who are using the Internet connection on the selected interface to access the Internet. Therein, x (value: 1, 2, 3, 4) indicates the corresponding WAN interface, and the number of WAN interfaces depends on the specific product model.

 Source IP: Select it to display the active NAT sessions related to a LAN user, which is specified by entering his or her IP address in the Filter Value text box. You can use this option to search the Internet activities of the specified LAN user.

 Destination IP/Domain: Select it to display the active NAT sessions related to an Internet site, which is specified by entering its IP address or domain name in the Filter Value text box. You can use this option to search the LAN users who are accessing the specified website.

 Destination Port: Select it to display the active NAT sessions related to a network service, which is specified by entering the service port number in the Filter Value text box. You can use this option to search the LAN users who are accessing the specified service. The following are the port numbers of some well-known services: ftp-TCP21, ssh-TCP22, telnet-TCP23, smtp-TCP25, dns-UDP53, finger-TCP79, http-TCP80, pop3-TCP110, snmp-UDP161, etc. For more information, please refer to Appendix D Common Service Ports.

 NAT Translated IP/Domain: Select it to display the active NAT sessions related to an Internet connection’s IP address or domain name, which is specified in the Filter Value text box. When using multi-NAT (that is, you get multiple public IP addresses from your ISP), you can use this option to search the Internet activities of the LAN users who are using the specified public IP address to access the Internet.

 Filter Value: It specifies the filter value for filtering and displaying the NAT sessions. You should specify it according to the selected Filter Option.

 Predefined Port: It provides port numbers of some well-known services for you to choose. If you select Destination Port from the Filter Option drop-down list, you may select a service port number here.

 Search: After specifying the Filter Option and Filter Value (if needed), click the Search button to search and display all the active NAT sessions that match your criteria in the NAT Session List.

5.6.2 NAT Session List

Figure 5-15 NAT Session List

 ID: It is used to identify each entry in the list.

 Source IP: It displays the source IP address for the NAT session.

 Source Port: It displays the source port number for the NAT session.

 Protocol: It displays the protocol type (T:TCP, U:UDP, I:ICMP) or protocol number for the NAT session.

 Dest IP: It displays the destination IP address for the NAT session.

 Dest Port: It displays the destination port number or service name for the NAT session. There are some system predefined services, such as dns, ftp, www, smtp, pop3, msn, and so on.

 Tx Pkts: It displays the number of transmitted packets through the NAT session.

 Rx Pkts: It displays the number of received packets through the NAT session.


 NAT IP: The translated public IP address for the NAT session.

 NAT Port: The translated port for the NAT session. The Device uses this port number to keep track of which hosts initiate data transfer. By keeping this record, the Device is able to correctly route responses.

 Clear: Click it to delete all of the dynamic NAT sessions in the list.

Note

The clear operation may disconnect the dynamic sessions that are being used now, so do it with caution.

5.6.3 Examples

5.6.3.1 Searching Internet Activities of the LAN User with IP Address 192.168.20.68/24

Step 1 Go to the Status > Session Monitor page, see Figure 5-16.

Step 2 Select Source IP from the Filter Option drop-down list.

Step 3 Enter 192.168.20.68 in the Filter Value text box.

Step 4 Click the Search button to search and display all the matching NAT sessions in the NAT Session List , see Figure 5-17.

Figure 5-16 Session Monitor Settings - Example1


Figure 5-17 NAT Session List - Example1

5.6.3.2 Searching the LAN Users Accessing 200.200.200.251

Step 1 Go to the Status > Session Monitor page, see Figure 5-18.

Step 2 Select Destination IP/Domain from the Filter Option drop-down list.

Step 3 Enter 200.200.200.251 in the Filter Value text box.

Step 4 Click the Search button to search and display all the matching NAT sessions in the NAT Session List , see Figure 5-19.


Figure 5-18 Session Monitor Settings - Example2

Figure 5-19 NAT Session List - Example2

5.6.3.3 Searching the LAN Users Using MSN

Step 1 Go to the Status > Session Monitor page, see Figure 5-20.

Step 2 Select Destination Port from the Filter Option drop-down list.


Step 3 Enter 1863 in the Filter Value text box, or select the 1863 (MSN) option from the Predefined Port drop-down list directly.

Step 4 Click the Search button to search and display all the matching NAT sessions in the NAT Session List , see Figure 5-21.

Figure 5-20 Session Monitor Settings - Example3

Figure 5-21 NAT Session List - Example3


5.6.3.4 Searching Internet Activities of the LAN Users Using the WAN1 IP Address

Note

When using multiple Internet connections, you can go to the Basic > WAN page to view the WAN List to find the WAN1 IP address.

Step 1 Go to the Status > Session Monitor page, see Figure 5-22.

Step 2 Select the NAT Translated IP/Domain from the Filter Option drop-down list.

Step 3 Enter 200.200.202.134 in the Filter Value text box. The WAN1 IP address is 200.200.202.134 in this example.

Step 4 Click the Search button to search and display all the matching NAT sessions in the NAT Session List , see Figure 5-23.

Figure 5-22 Session Monitor Settings - Example3


Figure 5-23 NAT Session List - Example4
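The filtering described in 5.6.1 and exercised in the four examples of 5.6.3, as an added example that is not code from the manual or from the Device. `NatSession` carries the columns of the NAT Session List, `filter_sessions` implements each Filter Option, and `PREDEFINED_PORTS` holds the well-known ports the section lists. The session rows are constructed: they reuse the addresses from the examples (192.168.20.68, 200.200.200.251, WAN1 IP 200.200.202.134) plus an assumed WAN2 IP of 200.200.203.10 and a placeholder MSN server address from the TEST-NET-2 documentation range. Domain names are resolved through an optional lookup table passed by the caller, since the example runs offline; the function and field names are mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class NatSession:
    """One row of the NAT Session List."""
    src_ip: str
    src_port: int
    proto: str        # T: TCP, U: UDP, I: ICMP, as shown in the Protocol column
    dst_ip: str
    dst_port: int
    nat_ip: str       # NAT IP: translated public address (the WAN interface's IP)
    nat_port: int
    wan: str          # WAN interface carrying the session, e.g. "WAN1"


# Well-known service ports listed under Destination Port, plus MSN from example 5.6.3.3.
PREDEFINED_PORTS: Dict[str, int] = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "dns": 53,
    "finger": 79, "http": 80, "pop3": 110, "snmp": 161, "msn": 1863,
}

# Constructed session rows. 198.51.100.20 is a placeholder (RFC 5737) for an MSN server.
SESSIONS: List[NatSession] = [
    NatSession("192.168.20.68", 51234, "T", "200.200.200.251", 80, "200.200.202.134", 1025, "WAN1"),
    NatSession("192.168.20.68", 51235, "U", "200.200.200.1", 53, "200.200.202.134", 1026, "WAN1"),
    NatSession("192.168.20.70", 40001, "T", "200.200.200.251", 80, "200.200.203.10", 2001, "WAN2"),
    NatSession("192.168.20.71", 40002, "T", "198.51.100.20", 1863, "200.200.202.134", 1027, "WAN1"),
    NatSession("192.168.20.72", 40003, "T", "198.51.100.20", 1863, "200.200.203.10", 2002, "WAN2"),
]


def filter_sessions(sessions: List[NatSession], option: str,
                    value: Union[str, int, None] = None,
                    resolver: Optional[Dict[str, str]] = None) -> List[NatSession]:
    """Apply one Filter Option / Filter Value pair as the Search button does.

    resolver maps domain names to IP addresses for the two IP/Domain options
    (a stand-in for the DNS lookup the Device performs)."""
    names = resolver or {}
    if option == "All":
        return list(sessions)
    if option.startswith("WAN"):                      # WAN1 ... WAN4
        return [s for s in sessions if s.wan == option]
    if value is None:
        raise ValueError(f"Filter Value is required for option {option!r}")
    if option == "Source IP":
        return [s for s in sessions if s.src_ip == value]
    if option == "Destination IP/Domain":
        target = names.get(str(value), str(value))
        return [s for s in sessions if s.dst_ip == target]
    if option == "Destination Port":
        # Accept a number, a numeric string, or a predefined service name.
        port = int(PREDEFINED_PORTS.get(str(value).lower(), value))
        return [s for s in sessions if s.dst_port == port]
    if option == "NAT Translated IP/Domain":
        target = names.get(str(value), str(value))
        return [s for s in sessions if s.nat_ip == target]
    raise ValueError(f"unknown Filter Option {option!r}")


def lan_users(sessions: List[NatSession]) -> List[str]:
    """Distinct LAN hosts behind a set of sessions, as the examples ask 'which users'."""
    return sorted({s.src_ip for s in sessions})


if __name__ == "__main__":
    print("5.6.3.1:", filter_sessions(SESSIONS, "Source IP", "192.168.20.68"))
    print("5.6.3.2:", lan_users(filter_sessions(SESSIONS, "Destination IP/Domain", "200.200.200.251")))
    print("5.6.3.3:", lan_users(filter_sessions(SESSIONS, "Destination Port", "msn")))
    print("5.6.3.4:", lan_users(filter_sessions(SESSIONS, "NAT Translated IP/Domain", "200.200.202.134")))
```

The four `main` lines correspond to the four worked examples above; a WAN filter and a NAT Translated IP filter answer the same question only when each WAN interface has a single public address, which is why the manual offers the latter specifically for multi-NAT setups.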


5.7 System Log

In the Status > System Log page, you can view the system logs; also you can select the types of logs that you want the Device to store and display.

5.7.1 System Log Settings

Figure 5-24 System Log Settings

 Select All: It selects or unselects all the check boxes below. If you want to enable all the provided system log features at a time, please select this check box. If you want to disable all the provided system log features at a time, please clear the check box.

 Enable Notice Log: It allows you to enable or disable notice log. If you want the Device to store and display the notice related logs in the System Log, please select this check box.

 Enable Dial Log: It allows you to enable or disable dial log. If you want the Device to store and display the dial related logs in the System Log , please select this check box.

 Enable NAT Log: It allows you to enable or disable NAT log. If you want the Device to store and display the NAT related logs in the System Log , please select this check box.

 Enable DHCP Log: It allows you to enable or disable DHCP log. If you want the Device to store and display the DHCP related logs in the System Log, please select this check box.

 Enable ARP Log: It allows you to enable or disable ARP log. If you want the Device to store and display the ARP related logs in the System Log , please select this check box.

 Enable Other Log: It allows you to enable or disable other log. If you want the Device to store and display other logs in the System Log , please select this check box.

 Save: Click it to save the system log settings.

5.7.2 Viewing System Logs

If you have enabled one or more system log features in the Status > System Log > Log Settings page, you can view the related logs in the Status > System Log page, see the following figure.

Figure 5-25 System Logs

 Clear: Click it to clear all the system logs.

 Refresh: Click it to view the latest system logs.


The following table describes some common types of system logs.

| System Log Keyword / Sample | Meaning |
|---|---|
| Ethernet Up ieX | The specified physical interface is up. ie0: LAN; ie1~ie4: WAN1~WAN4. |
| MAC New 00:22:aa:00:22:bb | The new MAC address of the specified user. |
| MAC Old 00:22:aa:00:22:aa | The old MAC address of the specified user. |
| ARP SPOOF 192.168.1.1 | The MAC address of the user with IP address 192.168.1.1 has changed; the accompanying MAC Old and MAC New entries record the previous and current values. |
| Session Up PPPOE | The Device has successfully established the session named PPPOE. |
| PPPoE Up 00:22:aa:5d:63:6f | The Device has successfully established a PPPoE connection with the remote device whose MAC address is 00:22:aa:5d:63:6f. |
| Call Connected @_netiNetworkStateChanged: 6244, on line 1, on channel 0 | The physical layer and data link layer connections have been established, but IP cannot be used yet. |
| Outgoing Call @61:1-1 | The Device started dialing out. |
| Call Terminated @clearSession: 1 | The Device failed to dial. |
| Session down Manually (PPPOE) | The session named PPPOE was hung up. "Manually" means it was hung up by manual operation. |
| Session up test | The Device has successfully established the session named test. |
| Assigned to port @answerIncomingCall:8012 | The Device has successfully negotiated with the remote dial-in device and assigned a port to it. |
| Incoming Call @_netiNetworkStateChanged: 6187, on line 1, on channel 0 | The Device received a call from a remote device. |
| Route Up | The static routes bound to the specified physical interface became active, usually because the corresponding Internet connection came up. eth1: LAN; eth2~eth5: WAN1~WAN4. |
| Route Down | The static routes bound to the specified physical interface became inactive, usually because the corresponding Internet connection went down. |
| NAT exceeded [ ethX ethX IP Address ] | The specified host has exceeded the maximum number of NAT sessions allowed by the Device. This usually means the host is infected with malware or is running scanning or attack tools. If the host is working properly, increase the maximum NAT sessions appropriately. |
| ARP exceeded [ IP Address ] | The ARP request for the specified IP address was rejected because the maximum number of ARP entries has been reached. While the ARP table is full, every new ARP request to the Device is rejected and this message is logged. |
| DHCP:IP conflicted notice [ arp: IP Address ] | A DHCP IP address conflict occurred: while acting as a DHCP server, the Device detected that the specified IP address was already in use on the LAN before assigning it, and assigned a different IP address to the requesting user. |
| Give notice to user: 192.168.20.35 | The Device has sent a notice to the user with IP address 192.168.20.35. |

Table 5-1 System Logs List
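If you copy entries out of the System Log page, or collect them elsewhere, the keywords in Table 5-1 can be matched automatically. The following Python example is added here for illustration and is not part of the manual or of the Device's firmware. It parses a few constructed log lines into events, raises the severity of an ARP SPOOF entry whose address is the Device's own LAN address (someone impersonating the gateway), and groups the MAC Old / MAC New / ARP SPOOF entries that belong to one change. The timestamp prefix, the exact bracket layout, the severity scale and the sample lines are assumptions; the manual lists only the keywords and sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed line layout "<date> <time> <message>"; Table 5-1 documents the
# keywords and sample values but not the timestamp format.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<msg>.+)$")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"


@dataclass
class Event:
    ts: str
    kind: str
    severity: str   # assumed scale: info < low < medium < high < critical
    detail: str


# (kind, default severity, pattern) for the keywords in Table 5-1.
PATTERNS = [
    ("arp_spoof",       "high",   re.compile(r"ARP SPOOF\s+" + IP)),
    ("mac_changed_new", "info",   re.compile(r"MAC New\s+" + MAC, re.I)),
    ("mac_changed_old", "info",   re.compile(r"MAC Old\s+" + MAC, re.I)),
    ("nat_exceeded",    "medium", re.compile(r"NAT exceeded\s*\[\s*(?P<ifaces>\S+\s+\S+)\s+" + IP + r"\s*\]")),
    ("arp_exceeded",    "medium", re.compile(r"ARP exceeded\s*\[\s*" + IP + r"\s*\]")),
    ("dhcp_conflict",   "low",    re.compile(r"DHCP:IP conflicted notice\s*\[\s*arp:\s*" + IP + r"\s*\]")),
    ("route_down",      "medium", re.compile(r"Route Down\s+(?P<iface>eth\d)")),
    ("route_up",        "info",   re.compile(r"Route Up\s+(?P<iface>eth\d)")),
    ("ethernet_up",     "info",   re.compile(r"Ethernet Up\s+(?P<iface>ie\d)")),
    ("pppoe_up",        "info",   re.compile(r"PPPoE Up\s+" + MAC, re.I)),
]
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample log; the values reuse the samples from Table 5-1.
SAMPLE_LOG = """\
2013-01-01 08:00:01 Ethernet Up ie1
2013-01-01 08:00:02 Route Up eth2
2013-01-01 08:05:10 MAC Old 00:22:aa:00:22:aa
2013-01-01 08:05:10 MAC New 00:22:aa:00:22:bb
2013-01-01 08:05:10 ARP SPOOF 192.168.1.1
2013-01-01 08:07:33 NAT exceeded [ eth2 eth1 192.168.1.20 ]
2013-01-01 08:09:00 DHCP:IP conflicted notice [ arp: 192.168.20.35 ]
2013-01-01 08:10:00 Route Down eth2
2013-01-01 08:11:00 Session up test
"""


def parse_line(line: str, lan_gateway_ip: str = "192.168.1.1") -> Optional[Event]:
    """Classify one log line; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, severity, pat in PATTERNS:
        hit = pat.search(msg)
        if not hit:
            continue
        # A changed MAC for the Device's own LAN address means the gateway is being impersonated.
        if kind == "arp_spoof" and hit.group("ip") == lan_gateway_ip:
            severity = "critical"
        detail = ", ".join(f"{k}={v}" for k, v in hit.groupdict().items())
        return Event(m.group("ts"), kind, severity, detail)
    return Event(m.group("ts"), "other", "info", msg)


def parse_log(text: str, lan_gateway_ip: str = "192.168.1.1") -> List[Event]:
    events = []
    for line in text.splitlines():
        ev = parse_line(line, lan_gateway_ip) if line.strip() else None
        if ev:
            events.append(ev)
    return events


def alerts(events: List[Event], min_severity: str = "medium") -> List[Event]:
    """Events at or above a severity floor, in log order."""
    floor = SEVERITY_ORDER[min_severity]
    return [e for e in events if SEVERITY_ORDER[e.severity] >= floor]


def arp_changes(events: List[Event]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Group MAC Old / MAC New / ARP SPOOF entries into (ip, old_mac, new_mac) records."""
    out, old, new = [], None, None
    for e in events:
        if e.kind not in ("mac_changed_old", "mac_changed_new", "arp_spoof"):
            continue
        value = e.detail.split("=", 1)[1]
        if e.kind == "mac_changed_old":
            old = value
        elif e.kind == "mac_changed_new":
            new = value
        else:
            out.append((value, old, new))
            old = new = None
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in alerts(evs):
        print(e.ts, e.severity.upper(), e.kind, e.detail)
    print("ARP changes:", arp_changes(evs))
```

Pass the Device's actual LAN address as lan_gateway_ip; an ARP SPOOF for any other host is still worth a look, but a changed MAC for the gateway address is the classic man-in-the-middle setup on a LAN and should page someone.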

5.8 Web Log

This section describes the Status > Web Log page.

In this page, you can view web logs. A web log records information about a web page accessed by a LAN user: the access time, the LAN user's IP address, and the domain name of the web page.

5.8.1 Enable Web Log

Figure 5-26 Enable Web Log


 Enable Web Log: It allows you to enable or disable web log. If you want the Device to store and display the web logs in this page, please select this check box.

 Save: Click it to save your settings.

5.8.2 View Web Logs

Figure 5-27 View Web Logs

A web log consists of date and time, an IP address of a LAN user, and a domain name.

Date and time: It displays the date and time at which a LAN user accessed a web page.

IP address: It displays the IP address of the LAN user who has accessed a web page.

Domain name: It displays the domain name of a web page which is accessed by the LAN user.


 Clear: Click it to clear all the web logs in the list box.

 Refresh: Click it to view the latest web logs.

Note

To ensure that the date and time of the web logs are correct, you should synchronize the system clock in the System > Time page.

5.9 Application Traffic Statistics

In the Status > APP Traffic page, you can view the traffic statistics of some predefined applications. For each application, you can view the traffic statistics of each WAN interface, and the traffic statistics of each LAN user.

5.9.1 Global Setup

Figure 5-28 Enable Application Traffic Statistics

 Enable Application Traffic Statistics: It allows you to enable or disable application traffic statistics. If you want to view the applications traffic statistics of the LAN users in the APP Traffic Statistics list, please select this check box to enable this feature.

 Save: Click it to save your settings.


5.9.2 Application Traffic Statistics List

Figure 5-29 Application Traffic Statistics List

 Interface: It allows you to select a WAN interface to display the application traffic statistics of this interface.

 Application: It indicates the type of application traffic. The Device provides six types of application traffic: TCP, UDP, Web, FTP, P2P and Game. P2P and Game each comprise multiple specific application types; refer to section 11.2 Internet Behavior Management for more information.

 Tx Rate: It indicates the real-time uplink rate (in kilobits per second) of the given application traffic through the selected WAN interface.

 Rx Rate: It indicates the real-time downlink rate (in kilobits per second) of the given application traffic through the selected WAN interface.

 Details: Click the IP Address hyperlink to go to the Status > APP Stats > User Traffic Statistics page to view the given application traffic statistics of each LAN user.

 Refresh: Click it to view the latest information in the list.


5.9.3 User Traffic Statistics List

Figure 5-30 User Traffic Statistics List

 IP Address: It indicates the IP address of the LAN host (i.e., LAN user).

 Tx Rate: It indicates the real-time rate (in kilobits per second) of the given application traffic sent by the LAN host.

 Rx Rate: It indicates the real-time rate (in kilobits per second) of the given application traffic received by the LAN host.

 Back: Click it to go back to the APP Traffic Statistics list.

 Refresh: Click it to view the latest information in the list.


5.10 WAN Traffic Statistics

Through the WAN Traffic Statistics list in the Status > WAN Traffic page, you can view traffic and rate related information of each Internet connection.

Figure 5-31 WAN Traffic Statistics List

 Interface: It specifies a WAN interface on which the Internet connection is established.

 Tx Bandwidth: It is the Uplink Bandwidth of the Internet connection configured in the Basic > WAN page.

 Real-time Tx Rate: It indicates the real-time uplink rate of the Internet connection.

 Average Tx Rate: It indicates the average uplink rate of the Internet connection since the Device was last started.

 Max Tx Rate: It indicates the maximum uplink rate of the Internet connection since the Device was last started.

 Rx Bandwidth: It is the Downlink Bandwidth of the Internet connection configured in the Basic > WAN page.

 Real-time Rx Rate: It indicates the real-time downlink rate of the Internet connection.

 Average Rx Rate: It indicates the average downlink rate of the Internet connection since the Device was last started.

 Max Rx Rate: It indicates the maximum downlink rate of the Internet connection since the Device was last started.

 Refresh: Click it to view the latest information in the list.


Chapter 6 Basic Setup

This chapter describes how to configure and use the basic features of the Device, which include LAN interface settings, WAN interface settings, load balancing (only multi-WAN products support it), DHCP and DNS features.

6.1 LAN Settings

This section describes the Basic > LAN page.

After you have configured the Internet connection through the Quick Wizard, you can modify the IP address and subnet mask of the LAN interface in this page. You can also configure some other parameters, which include IP Address 2, Subnet Mask 2, MAC Address, Proxy ARP, and Mode. You can, of course, configure the IP address and subnet mask of the LAN interface directly in this page without using the Quick Wizard.

Figure 6-1 LAN Interface Settings

 IP Address: It specifies the IP address of the LAN interface.

 Subnet Mask: It specifies the subnet mask that defines the range of the LAN.

 Advanced Options: Click it to view and configure advanced parameters. In most cases, you need not configure them.

 IP Address 2: It specifies the secondary IP address of the LAN interface.

 Subnet Mask 2: It specifies the secondary subnet mask that defines the range of the secondary subnet.

 MAC Address: It specifies the MAC address of the LAN interface. In most cases, please leave the default value.

 Proxy ARP: It allows you to enable or disable proxy ARP on the LAN interface. The available options are Disabled , Enabled and Nat .

Disabled: Select it to disable the proxy ARP on the LAN interface.

Enabled: Select it to enable the proxy ARP on the LAN interface.

Nat: Select it to enable the NAT proxy ARP on the LAN interface.

 Mode: It specifies the speed and duplex mode of the LAN interface. The Device supports five or six modes (note that only a gigabit LAN interface supports 1000M-FD): Auto (auto-negotiation), 100M-FD (100M Full-Duplex), 100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M Half-Duplex), and 1000M-FD (1000M Full-Duplex).

In most cases, please leave the default value. If a compatibility problem occurred, or the network device connected to the LAN interface doesn’t support auto-negotiation function, you may modify it as required.

 Save: Click it to save the LAN interface settings.

Note

1. You can assign two IP addresses to the Device’s LAN interface to connect two subnets. The hosts on the two subnets can communicate with each other.

2. If you have changed the LAN IP address and saved the change, you must use the new IP address to log in to the Device again, and change the default gateway of each LAN host to the new IP address so that the LAN hosts can still reach the Device and the Internet.

3. The LAN interface integrates multiple switch ports, and you may go to the Status > System Info page to view each LAN port status.


6.2 WAN Settings

6.2.1 WAN List

After you have configured the Internet connection through the Quick Wizard , you can view its configuration and status in the Basic > WAN > WAN List page; also you can modify or delete it if needed.

Figure 6-2 WAN Internet Connection List

Note

If you want to use multiple connections to access the Internet, please configure them in this page, and then go to the Basic > Load Balancing page to configure load balancing and failover.

6.2.1.1 Parameter Definitions

 Type: It displays the connection type. For a PPPoE Internet connection, it also displays the user name and dial mode.

 Status: It displays the current status of the connection. The possible statuses of each connection type are described below.

1. PPPoE Connection Status

There are eight kinds of status for PPPoE connection (see Table 6-1). When it is connected, it will also display the elapsed time (days: hours: minutes: seconds) since connected.


| Status | Description |
|---|---|
| Closed | The physical interface is not connected, or the connection has not dialed up yet. |
| Dialing | Dialing has started, but no response has been received yet. |
| Authenticating | The server has responded and is authenticating. |
| Connected | Authentication succeeded; the connection is established and ready for data transmission. |
| Disconnecting | The PPPoE session is disconnecting. |
| Hang up | Either peer has hung up. |
| Disconnected | The PPPoE session has terminated and is waiting to dial up again. |
| Internal Error | Undefined status. |

Table 6-1 Description of PPPoE Connection Status

2. Static IP Connection Status

There are three kinds of status for Static IP connection (see Table 6-2).

| Status | Description |
|---|---|
| Closed | The physical interface is not connected. |
| Connected | The connection is established between the Device and the peer device. |
| Internal Error | Undefined status. |

Table 6-2 Description of Static IP Connection Status

3. DHCP Connection Status

There are four kinds of status for DHCP connection (see Table 6-3). When it is connected, it will also display the time left (days: hours: minutes: seconds) before the lease expires for the current IP address, which is assigned by your ISP’s DHCP server.

| Status | Description |
|---|---|
| Closed | The physical interface is not connected, or the connection has released its IP address but has not requested a new one yet. |
| Connecting | Requesting an IP address. |
| Connected | An IP address has been obtained and the connection is established. |
| Internal Error | Undefined status. |

Table 6-3 Description of DHCP Connection Status

6.2.1.2 List Function

 Edit an Internet Connection: If you want to modify a configured Internet connection, click its Edit hyperlink; the related information is displayed in the setup page. Modify it, and then click the Save button.

 Delete an Internet Connection: If you want to delete a configured Internet connection, click its Delete hyperlink.

6.2.1.3 How to Dial and Hang up a PPPoE connection

For the PPPoE connection, the Dial, Hang Up and Delete hyperlinks are shown in the Operation column (see Figure 6-3).

If the PPPoE connection's Dial Type is set to Manual (see section 6.2.2.1), you need to click Dial to dial up the Internet connection, and click Hang Up to hang it up.

 Dial: Click it to dial up the Internet connection manually. During dialing, you can view the related status information in the Status column, which includes Closed, Dialing, Authenticating and Connected.

 Hang Up: Click it to hang the Internet connection up manually.

Figure 6-3 WAN List - PPPoE Internet Connection

6.2.1.4 How to Renew and Release a DHCP Connection

For the DHCP connection, the Renew, Release and Delete hyperlinks are shown in the Operation column (see Figure 6-4).

 Renew: Click it to re-obtain an IP address from the ISP's DHCP server. The Device first releases the assigned IP address automatically, then obtains a new IP address from the DHCP server. During renewal, you can view the related status information in the Status column, which includes Closed, Connecting, and Connected.

 Release: Click it to release the IP address obtained from the ISP’s DHCP server.


Figure 6-4 WAN List DHCP Internet Connection


6.2.2 WAN Internet Connection Settings

This section describes how to configure PPPoE, Static IP and DHCP Internet connection respectively, and how to delete the connection.

Note

Only after you have configured the Internet connection on WAN1 can you configure other connections. The system automatically sets the Primary DNS Server of those connections to the IP address of the WAN1 Internet connection's Primary DNS Server, and you cannot modify it.

6.2.2.1 PPPoE Internet Connection Settings

Please select PPPoE from the Connection Type drop-down list if your ISP uses PPPoE to establish the Internet connection for you. Then the following page will be showed.


Figure 6-5 PPPoE Internet Connection Settings

 Connection Type: It specifies the type of the Internet connection. Here please select PPPoE.

 Uplink Bandwidth: It specifies the uplink bandwidth of the Internet connection, which is provided by your ISP. You may ask the ISP about the uplink bandwidth.

 Downlink Bandwidth: It specifies the downlink bandwidth of the Internet connection, which is provided by your ISP. You may ask the ISP about the downlink bandwidth.

 ISP: It specifies the Internet service provider (ISP) by which the Internet connection is provided.

 User Name and Password : They specify the PPPoE login user name and password provided by your ISP.

 Dial Mode: It specifies the dial mode of the PPPoE Internet connection. The default value is Normal mode. If the PPPoE connection cannot be established even with the correct user name and password, try another mode.

 DNS Server: It specifies the method by which you configure the DNS server(s). If you know the local DNS server IP address, you may select Manual, then enter the DNS server IP address in the Primary DNS Server text box, and the secondary DNS server IP address in the Secondary DNS Server text box if available. Otherwise, select Auto, and the Device will obtain the DNS server IP address automatically.

 Primary DNS Server: It specifies the IP address of your ISP’s primary DNS server.

 Secondary DNS Server: It specifies the IP address of your ISP’s secondary DNS server. If it is available, you may set it. Else, please leave it 0.0.0.0.

 Advanced Options: Click it to view and configure advanced parameters. In most cases, you need not configure them.

 PPP Authentication: It specifies the PPP authentication mode of the PPPoE connection. The available options are NONE, PAP, CHAP and Either.

PAP: Password Authentication Protocol. The password is sent to the peer in cleartext over the PPP link.

CHAP: Challenge Handshake Authentication Protocol. The Device proves knowledge of the password by answering a challenge from the peer, so the password itself is never transmitted.

None: No authentication protocol is used.

Either: The Device negotiates the protocol with the peer device automatically. Prefer CHAP where your ISP supports it.

 Service Name: It specifies the service name provided by your ISP. In most cases, please leave it blank. If you have any questions, please contact the ISP.

 MRU: It specifies the largest packet size the Device accepts on the PPP link (maximum receive unit). When dialing, the Device negotiates it with the peer device automatically. Unless a special application requires otherwise, leave the default value of 1492 bytes, which is the 1500-byte Ethernet payload minus the 8 bytes of PPPoE and PPP headers.

 Dial Type: It specifies the dial type of the PPPoE connection. The available options are Always On , Manual and On Demand .

Always On: If you want the Device to establish a PPPoE connection when starting up and to automatically re-establish the PPPoE connection once disconnected, select this option.

Manual: If you want to dial and hang up a PPPoE connection manually, select this option. In this case, you should dial and hang up manually in the WAN List in the Basic > WAN page (see section 6.2.1.3).

On Demand: If you want the Device to establish a PPPoE connection only when it sees packets destined for the Internet, select this option. In this case, the Device terminates the connection after it has been inactive for the period of time specified by the Idle Timeout.

 Dial Schedule: It specifies a schedule during which the Device can dial up. If you select a schedule here, the Device is allowed to dial up only within the selected schedule range; otherwise, the Device can always dial up. The schedule is configured in the Security > Schedule page.

 Online Schedule: It specifies a schedule during which the Device can access the Internet. If you select a schedule here, the Device is allowed to access the Internet only within the selected schedule range, and it automatically terminates the PPPoE connection once outside this range; otherwise, the Device is always online. The schedule is configured in the Security > Schedule page.

 Keepalive Period: It specifies how long the Device waits for a keepalive response before declaring the link down. While the connection is Connected, the Device sends a keepalive packet to the peer device every 1000 milliseconds. If the Device receives no response within the specified period, it terminates the connection. The default value is 15000 milliseconds.

 Idle Timeout: It specifies how long the PPPoE connection stays connected with no Internet activity. The Device automatically terminates the connection after it has been inactive for the specified period of time. The default value is zero, which means that the Device will not terminate it.

 Session Timeout: It specifies how long the PPPoE connection keeps connected since established. The Device will automatically terminate the connection after it has been connected for the specified period of time. The default value is zero, which means that the Device will not terminate it. In most cases, please leave the default value.

 Priority: It specifies the routing priority of the established connection. When there are several established connections, the Device will choose the connection with the highest priority to forward the packets. The lower value means the higher priority.

 Down Priority: It specifies the routing priority of the terminated connection. When there are several terminated connections, the connection with the highest priority will dial up preferentially. The lower value means the higher priority.

 Dial Sub-interface: It specifies a logical sub-interface of the physical interface. You can create multiple sub-interfaces on a single physical interface. At present, the Device only supports creating sub-interfaces on WAN1, and these sub-interfaces are distinguished from one another by their 802.1Q VLAN identifier.

 Proxy ARP: It allows you to enable or disable proxy ARP on the WAN interface. The available options are Disabled , Enabled and Nat .


Disabled: Select it to disable the proxy ARP on the WAN interface.

Enabled: Select it to enable the proxy ARP on the WAN interface.

Nat: Select it to enable the NAT proxy ARP on the WAN interface.

 Mode: It specifies the speed and duplex mode of the WAN interface. The Device supports five or six modes (note that only a gigabit WAN interface supports 1000M-FD): Auto (auto-negotiation), 100M-FD (100M Full-Duplex), 100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M Half-Duplex), and 1000M-FD (1000M Full-Duplex). In most cases, please leave the default value. If a compatibility problem occurs, or the network device connected to the WAN interface does not support auto-negotiation, you may modify it as required.

 MAC Address: It specifies the MAC address of the WAN interface. In most cases, please leave the default value.

 Save: Click it to save the PPPoE Internet connection settings .

Note

1. The Dial Sub-interface can only be configured on a product that supports the IEEE 802.1Q tag-based VLAN feature. If you create multiple PPPoE Internet connections on one WAN interface, some ISPs may refuse these connections access to their broadband access servers because they all use the same MAC address (the WAN interface's MAC address). The sub-interface feature solves this: connect WAN1 to a switch that supports 802.1Q tag-based VLANs, create multiple VLAN sub-interfaces on WAN1, and then create one connection on each sub-interface; each connection then uses its own MAC address.

2. Compared with the PPPoE Internet connection setup page in the Quick Wizard, this page provides more configuration parameters, such as Dial Schedule, Online Schedule, Keepalive Period, Priority, Down Priority, and so on.

3. In most cases, leave Proxy ARP at its default value, that is, disabled on the interface. In some cases, however, you need to enable it. For example, when the PPTP or L2TP server feature is enabled on a WAN interface and the IP addresses assigned to the mobile user clients are on the same subnet as the Device's LAN interface, you need to enable proxy ARP on this interface. Another example is multi-NAT (you have obtained multiple public IP addresses from your ISP) on a WAN interface, for which you should enable NAT proxy ARP on that interface.

6.2.2.2 Static IP Internet Connection Settings

If you are required to use a static IP address, select Static IP from the Connection Type drop-down list. The following page will then be shown.

Figure 6-6 Static IP Internet Connection Settings

 Connection Type: It specifies the type of the Internet connection. Here please select Static IP.

 Uplink Bandwidth: It specifies the uplink bandwidth of the Internet connection, which is provided by your ISP. You may ask the ISP about the uplink bandwidth.

 Downlink Bandwidth: It specifies the downlink bandwidth of the Internet connection, which is provided by your ISP. You may ask the ISP about the downlink bandwidth.

 ISP: It specifies the Internet service provider by which the Internet connection is provided.

 IP Address: It specifies the IP address of the WAN interface, which is provided by your ISP.

 Subnet Mask: It specifies the subnet mask of the WAN interface, which is provided by your ISP.


 Default Gateway: It specifies the IP address of the default gateway, which is provided by your ISP.

 Primary DNS Server: It specifies the IP address of your ISP’s primary DNS server.

 Secondary DNS Server: It specifies the IP address of your ISP’s secondary DNS server. If it is available, you may set it. Else, please leave it blank.

 Advanced Options: Click it to view and configure advanced parameters. In most cases, you need not configure them.

 MAC Address: It specifies the MAC address of the WAN interface. In most cases, please leave the default value.

 Proxy ARP: It allows you to enable or disable proxy ARP on the WAN interface. The available options are Disabled , Enabled and Nat .

Disabled: Select it to disable the proxy ARP on the WAN interface.

Enabled: Select it to enable the proxy ARP on the WAN interface.

Nat: Select it to enable the NAT proxy ARP on the WAN interface.

 Mode: It specifies the speed and duplex mode of the WAN interface. The Device supports five or six modes (note that only a gigabit WAN interface supports 1000M-FD): Auto (auto-negotiation), 100M-FD (100M Full-Duplex), 100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M Half-Duplex), and 1000M-FD (1000M Full-Duplex). In most cases, please leave the default value. If a compatibility problem occurs, or the network device connected to the WAN interface does not support auto-negotiation, you may modify it as required.

 Gateway Binding Mode: It determines whether the gateway's IP and MAC address pair is bound. If you want to bind the pair so that a forged ARP reply on the WAN segment cannot redirect the Device's upstream traffic (ARP spoofing), select Manual from this drop-down list and enter the gateway's MAC address in the Gateway MAC Address text box. Otherwise, select None. Note that a bound entry must be updated by hand if the ISP replaces its gateway hardware.

 Save: Click it to save the static IP Internet connection settings .

Note

The WAN interface IP address and the default gateway IP address must be on the same subnet. If they are not, modify the Subnet Mask so that they are. If you are not familiar with subnetting, ask a professional or a digicom support engineer for help.


6.2.2.3 DHCP Internet Connection Settings

If your ISP automatically assigns an IP address, select DHCP from the Connection Type drop-down list. The following page will then be shown.

Figure 6-7 DHCP Internet Connection Settings

 Connection Type: It specifies the type of the Internet connection. Here please select DHCP.

 Uplink Bandwidth: It specifies the uplink bandwidth of the Internet connection, which is provided by your ISP. You may ask the ISP about the uplink bandwidth.

 Downlink Bandwidth: It specifies the downlink bandwidth of the Internet connection, which is provided by your ISP. You may ask the ISP about the downlink bandwidth.

 ISP: It specifies the Internet service provider by which the Internet connection is provided.

 Primary DNS Server: It specifies the IP address of your ISP’s primary DNS server. If the Internet connection is refreshed, your ISP may update it to a new IP address.

 Secondary DNS Server: It specifies the IP address of your ISP’s secondary DNS server. If it is available, you may set it. Else, please leave it blank.

 Advanced Options: Click it to view and configure advanced parameters. In most cases, you need not configure them.

 MAC Address: It specifies the MAC address of the WAN interface. In most cases, please leave the default value.

 Proxy ARP: It allows you to enable or disable proxy ARP on the WAN interface. The available options are Disabled, Enabled and Nat.

Disabled: Select it to disable the proxy ARP on the WAN interface.

Enabled: Select it to enable the proxy ARP on the WAN interface.

Nat: Select it to enable the NAT proxy ARP on the WAN interface.

 Mode: It specifies the speed and duplex mode of the WAN interface. The Device supports five or six modes (note that only a gigabit WAN interface supports 1000M-FD): Auto (auto-negotiation), 100M-FD (100M Full-Duplex), 100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M Half-Duplex), and 1000M-FD (1000M Full-Duplex). In most cases, please leave the default value. If a compatibility problem occurs, or the network device connected to the WAN interface does not support auto-negotiation, you may modify it as required.

 Save: Click it to save the DHCP Internet connection settings .

6.2.2.4 How to Delete the Internet Connection

Figure 6-8 Delete the Internet Connection

If you want to delete a configured Internet connection, first go to the Basic > WAN > WAN List page, and then click the connection's Delete hyperlink in the WAN List, see Figure 6-8. The system pops up a prompt dialog box, see Figure 6-9. Click OK to delete the connection, or Cancel to cancel the operation.


Figure 6-9 Prompt Dialog Box - Delete an Internet Connection

Note

You can delete only one Internet connection at a time, and the WAN1 Internet connection can be deleted only last, that is, when no other connection remains in the WAN List.

6.2.2.5 Related Default Routes

After you have finished configuring the WAN1 Internet connection through the Quick Wizard, or configuring the WAN1 Internet connection and other connections in this page, the Device automatically creates a default route for each Internet connection. You can go to the Status > Route Stats page to view their status information in the Routing Table. A default route's Destination IP/Mask is 0.0.0.0/0.


6.3 Load Balancing

This section describes the Basic > Load Balancing page. Note that the second-level menu Load Balancing is displayed only after you have configured more than one Internet connection.

When using multiple Internet connections, you can configure the load balancing parameters, such as the load balancing policy, load balancing mode, detection method, detection interval, retry times and ID binding.

6.3.1 Introduction to Load Balancing and Failover

6.3.1.1 Internet Connection Detection Mechanism

When using multiple Internet connections, the Device must be able to monitor each Internet connection in real time so that the network is not interrupted even when one connection fails. To this end, the Device provides a flexible automatic detection mechanism with several detection methods to suit actual requirements.

For convenience, we first introduce several related parameters: Detection Target IP, Detection Interval, Retry Times and Detection Period.

Detection Target IP: It indicates the IP address of a target device. The Device will monitor an Internet connection by sending the detection packets to the specified target IP address.

Detection Interval: It indicates the time interval at which the Device periodically sends detection packets, one packet at a time. The default value is 1000 milliseconds. If you do not want to monitor an Internet connection, set it to 0.

Retry Times: It indicates the number of retries per detection period. The default value is 3.

Detection Period: It indicates the period of time over which the Device decides whether the Internet connection is available. Its value is the product of Detection Interval and Retry Times; by default it is 3000 milliseconds (1000 × 3 = 3000).


The detection mechanism differs for a normal Internet connection and for a faulty one; the following describes each in turn.

For a normal Internet connection, the mechanism is as follows: the Device periodically sends a detection packet at the specified interval to the target IP address. If no response packet is received during a whole detection period, the Device considers the connection faulty and shields it immediately. For example, by default, if the Device has sent three detection packets during a detection period and received no response, it considers the connection faulty.

For a faulty Internet connection, the mechanism is as follows: similarly, the Device periodically sends a detection packet at the specified interval to the target IP address. Once more than half of the detection packets sent during a detection period are answered, the Device considers the connection back to normal and enables it immediately. For example, by default, if the Device has sent three detection packets and received two responses during a detection period, it considers the connection back to normal.

Note

If you don’t want to monitor an Internet connection, please set its Detection Interval to 0.
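The following Python model, added here as an illustration and not taken from the manual or from the Device's firmware, applies the two rules above to a constructed sequence of detection periods. The class name ConnectionMonitor and the representation of each probe result as a boolean are assumptions; the default values and the 0 / 1000..60000 ms range are the ones given in this chapter.

```python
# Simulation of the connection detection mechanism of section 6.3.1.1.
# Added example; this is not the Device's firmware and not code from the
# manual. Class and method names are assumptions; each probe result is
# modelled as a boolean (True = response received).
from dataclasses import dataclass, field


@dataclass
class ConnectionMonitor:
    name: str
    detection_interval_ms: int = 1000   # manual default; 0 disables detection
    retry_times: int = 3                # manual default: probes per period
    faulty: bool = False                # current state of the connection
    transitions: list = field(default_factory=list)

    def __post_init__(self):
        # Range stated in section 6.3.5: 1000..60000 ms, or 0
        if self.detection_interval_ms != 0 and not (
                1000 <= self.detection_interval_ms <= 60000):
            raise ValueError("Detection Interval must be 0 or 1000..60000 ms")
        if self.retry_times < 1:
            raise ValueError("Retry Times must be at least 1")

    @property
    def detection_period_ms(self) -> int:
        """Detection Period = Detection Interval x Retry Times."""
        return self.detection_interval_ms * self.retry_times

    def evaluate_period(self, responses):
        """Apply one detection period's probe results and return the
        resulting state: 'normal', 'faulty' or 'disabled'."""
        if self.detection_interval_ms == 0:
            return "disabled"
        if len(responses) != self.retry_times:
            raise ValueError("expected one result per probe in the period")
        replies = sum(1 for r in responses if r)
        if not self.faulty and replies == 0:
            # Normal connection: no reply at all during a whole period
            # means the connection is faulty and is shielded.
            self.faulty = True
            self.transitions.append("shielded")
        elif self.faulty and 2 * replies > self.retry_times:
            # Faulty connection: more than half of the probes answered
            # means it is back to normal and is enabled again.
            self.faulty = False
            self.transitions.append("enabled")
        return "faulty" if self.faulty else "normal"


def run(monitor, periods):
    """Feed a list of periods (each a list of probe results) and return
    the state after each period."""
    return [monitor.evaluate_period(p) for p in periods]


if __name__ == "__main__":
    wan2 = ConnectionMonitor("WAN2")
    # Constructed probe history: healthy, one loss, full outage, partial
    # recovery (1 of 3 is not more than half), then recovery (2 of 3).
    history = [[True, True, True], [False, False, True],
               [False, False, False], [True, False, False],
               [True, True, False]]
    print(wan2.detection_period_ms, run(wan2, history), wan2.transitions)
```

Note the asymmetry between the two rules: a normal connection is shielded only when a whole period passes with no reply at all, while a faulty one is re-enabled only when more than half of the probes in a period are answered. A link that loses one packet per period therefore stays up, and a link that answers only one probe in three stays shielded.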

6.3.1.2 Load Balancing Mode

The Device provides two connection groups: the primary connection group and the backup connection group. An Internet connection in the primary connection group is a primary connection, and one in the backup connection group is a backup connection. By default, all Internet connections are primary connections. You may move one or more connections into the backup connection group, but the WAN1 Internet connection can only be used as a primary connection.

The Device provides two load balancing modes: Full Load Balancing and Partial Load Balancing.

If you choose to use Full Load Balancing , all the Internet connections are used as primary connections. The operation principle is as follows:

1. If all the Internet connections are normal, the LAN users will use these connections to access the Internet.


2. If an Internet connection is faulty, the Device shields it immediately and automatically redistributes the traffic of the faulty connection to the remaining normal connections.

3. Once the faulty connection is back to normal, the Device enables it immediately and redistributes the traffic automatically.

If you choose to use Partial Load Balancing , some Internet connections are used as primary connections, and others are used as backup connections. The operation principle is as follows:

1. As long as one or more primary connections are normal, the LAN users use the primary connection(s) to access the Internet. If there is more than one primary connection, the Device balances the traffic among them.

2. If all the primary connections are faulty, the Device automatically switches to the backup connection(s) so that the LAN users can still access the Internet. If there is more than one backup connection, the Device balances the traffic among them.

3. Once one or more faulty primary connections are back to normal, the Device automatically switches back to the primary connection(s).

Note

When traffic switches from one connection to another, some user applications (such as some online games) may be interrupted unexpectedly, because an established TCP connection is tied to the public source address of the Internet connection it was started on and cannot be moved to another one.

Digicom S.p.A. accepts no liability for losses or legal proceedings caused by this.

6.3.1.3 Internet Connection Detection Method

The Device provides three detection methods: ICMP, ARP and DNS. You can select one of them to monitor the Internet connections. Note that a single Detection Method applies to all Internet connections, whereas Detection Target, Detection Interval and Retry Times can be set separately for each Internet connection. The detection methods are described as follows:

ICMP: The Device monitors an Internet connection by sending ICMP echo request packets to the target IP address you specify. The target IP address can be either the connection's default gateway IP address or another public IP address you specify.

ARP: The Device will monitor an Internet connection by sending ARP request packets to the connection’s default gateway IP address.

DNS: The Device will monitor an Internet connection by sending DNS query packets to the public DNS server IP address you specify.

The following table lists the detection target IP supported by each detection method and the restrictions on each method. Gateway IP Address is the IP address of the Internet connection's default gateway; Other IP Address is an appropriate public IP address other than the gateway IP address.

Detection Method | Detection Target IP | Description
ICMP | Gateway IP Address or Other IP Address | The detection target IP can be either the gateway IP address or another public IP address.
ARP | Gateway IP Address | The detection target IP must be the gateway IP address. You cannot perform an ARP request test on a PPPoE Internet connection.
DNS | Other IP Address | The detection target IP must be a public DNS server's IP address.

Table 6-4 Detection Method and Detection Target IP

In practice, it is suggested that you choose a detection method according to the following points:

1. As the ICMP method has high sensitivity and accuracy, it is suggested that you choose it to perform an ICMP echo test (ping) on the Internet connection. In most cases, use the connection's default gateway IP address as the detection target IP; but if ping responses are disabled on the default gateway, choose another appropriate public IP address as the detection target IP.

2. The ARP method applies to a network environment in which ping responses are disabled. Note that for an ARP request test the detection target IP must be the gateway IP address, and that you cannot perform an ARP request test on a PPPoE Internet connection.

3. The DNS method applies to a network environment in which the Internet connection is always up but the ISP restricts the access time. For a DNS query test the detection target IP must be an appropriate public DNS server IP address; it is suggested that you use your ISP's DNS server IP address. Moreover, do not choose a DNS server that the LAN hosts use as the detection target; otherwise those LAN hosts can only use the current Internet connection to access the Internet and cannot use the other Internet connections, because the detection route created for the target IP (see section 6.3.8) forces all traffic to that address, including the LAN hosts' DNS queries, through that one connection.

4. As a PPPoE connection uses the LCP (Link Control Protocol) echo mechanism to validate link availability, by default the Device does not use the ICMP, ARP or DNS method to monitor a PPPoE Internet connection (its Detection Interval is set to 0). If needed, the Device can perform an ICMP echo or DNS query test on the PPPoE connection in addition to the LCP echo mechanism, but when the ICMP method is chosen the detection target cannot be the default gateway.

6.3.2 The Operation Principle of Load Balancing

Whatever Load Balancing Mode you choose, as long as there is more than one primary Internet connection, the Device balances the load among these connections. The following sections describe the operation principle and characteristics of the load balancing feature.

6.3.2.1 Allocating Traffic according to Connection Bandwidth

The Device lets you designate in advance the ratio of traffic allocated to each Internet connection. You do this by specifying each Internet connection's Weight: a connection with a larger Weight takes more traffic than one with a smaller Weight. In most cases, to allocate traffic properly, set each connection's Weight according to the ratio of the connections' bandwidths.


For example, assume a business has four Internet connections, A, B, C and D, with bandwidths of 10M, 6M, 4M and 4M respectively. There are two cases:

In the case of Full Load Balancing, as all four Internet connections are primary connections, set the Weight of each connection to 5, 3, 2 and 2 respectively.

In the case of Partial Load Balancing, assume that connections A and B are primary connections and connections C and D are backup connections; then set the Weight of A and B to 5 and 3 respectively, and the Weight of both C and D to 1.

6.3.2.2 Two Load Balancing Policies

The Load Balancing Policy controls how traffic is balanced among multiple Internet connections. The Device provides two load balancing policies: load balancing based on IP address and load balancing based on NAT session. Their mechanisms are as follows.

1. Load Balancing Based on IP Address

Note that here we assume that each LAN host only has one IP address.

If you choose IP Address as the load balancing policy, the Device assigns the LAN hosts' IP addresses to the Internet connections in turn. The ratio of the number of IP addresses assigned to each connection equals the ratio of the connections' Weights.

In this case, all NAT sessions initiated from the same IP address use the same connection, that is, a LAN host uses only one Internet connection to access the Internet.

For example, with three Internet connections whose Weights are 3, 2 and 1, in the order in which the hosts first access the Internet, the first, second and third LAN hosts use the first connection, the fourth and fifth LAN hosts use the second connection, the sixth LAN host uses the third connection; then the seventh, eighth and ninth LAN hosts use the first connection, and so on.

2. Load Balancing Based on NAT Session

If you choose NAT Session as the load balancing policy, the Device assigns the NAT sessions to the Internet connections in turn. The ratio of the number of NAT sessions assigned to each connection equals the ratio of the connections' Weights. In this case, NAT sessions initiated from the same LAN host use different connections, that is, a LAN host uses multiple connections to access the Internet.


For example, with three Internet connections whose Weights are 3, 2 and 1, in the order in which NAT sessions are initiated from the LAN hosts, the first, second and third NAT sessions use the first connection, the fourth and fifth NAT sessions use the second connection, the sixth NAT session uses the third connection; then the seventh, eighth and ninth NAT sessions use the first connection, and so on.

3. How to Choose the Load Balancing Policy

In most cases, it is suggested that you choose IP Address as the load balancing policy. If you use applications that need high bandwidth, such as NetAnts, FlashGet, Net Transport and other multi-threaded download managers (a multi-threaded download splits a file into several pieces, downloads them simultaneously and merges them once downloaded), you may choose NAT Session as the load balancing policy to take full advantage of the bandwidth of multiple Internet connections and increase the download speed. Note that even with NAT Session as the load balancing policy, the bandwidth of the Internet connections may not be fully aggregated, for example because the download site is busy, so some applications may not run smoothly.

6.3.3 ID Binding

When using multiple Internet connections with Load Balancing Policy set to NAT Session, the NAT sessions of the same application are assigned to different connections, so the public source address seen by the remote server changes from session to session and some applications (such as online banking, QQ, etc.) cannot be used normally because of this identity change. The ID binding feature solves this problem:

After you enable ID binding, the Device assigns the NAT sessions of the same application to the same Internet connection. For example, when a LAN user logs in to an online banking system and the first NAT session is assigned to the WAN2 Internet connection, all subsequent NAT sessions of the online banking application are assigned to the WAN2 connection until the user logs out.
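The following Python model, added here as an illustration and not the Device's implementation, reproduces the assignment sequences of sections 6.3.2.2 and 6.3.3 for Weights 3, 2 and 1. The Balancer class, the connection names WAN1 to WAN3, and the use of the (source IP, destination IP) pair as the key that identifies "the same application" for ID binding are assumptions; the manual does not state how the Device identifies an application.

```python
# Weighted distribution for the two Load Balancing Policies (section
# 6.3.2.2) and the ID Binding option (section 6.3.3). Added example; not
# the Device's implementation. Connection names, the Balancer class and
# the (src IP, dst IP) key used for ID binding are assumptions.
from itertools import cycle


def weighted_sequence(weights):
    """Expand {connection: Weight} into the round-robin order the manual
    describes, e.g. {'WAN1': 3, 'WAN2': 2, 'WAN3': 1} ->
    ['WAN1', 'WAN1', 'WAN1', 'WAN2', 'WAN2', 'WAN3']."""
    order = []
    for conn, weight in weights.items():
        if weight < 1:
            raise ValueError(f"Weight of {conn} must be at least 1")
        order.extend([conn] * weight)
    return order


class Balancer:
    def __init__(self, weights, policy="IP Address", id_binding=False):
        if policy not in ("IP Address", "NAT Session"):
            raise ValueError("policy must be 'IP Address' or 'NAT Session'")
        self.policy = policy
        self.id_binding = id_binding
        self._slots = cycle(weighted_sequence(weights))
        self._by_host = {}   # src IP -> connection (IP Address policy)
        self._by_app = {}    # (src IP, dst IP) -> connection (ID binding)

    def pick(self, src_ip, dst_ip):
        """Choose the connection for a new NAT session from src_ip to dst_ip."""
        if self.policy == "IP Address":
            # The first session of a host takes the next slot; every later
            # session of that host reuses the same connection.
            if src_ip not in self._by_host:
                self._by_host[src_ip] = next(self._slots)
            return self._by_host[src_ip]
        if self.id_binding:
            # Sessions of the same "application" stay on the connection the
            # first one was given, so the public source address is stable.
            key = (src_ip, dst_ip)
            if key not in self._by_app:
                self._by_app[key] = next(self._slots)
            return self._by_app[key]
        # Plain NAT Session policy: every new session takes the next slot,
        # so one host is spread over several connections.
        return next(self._slots)

    def logout(self, src_ip, dst_ip):
        """Drop an ID binding (assumed to happen when the user logs out)."""
        self._by_app.pop((src_ip, dst_ip), None)


if __name__ == "__main__":
    weights = {"WAN1": 3, "WAN2": 2, "WAN3": 1}
    by_ip = Balancer(weights)
    hosts = [f"192.168.1.{n}" for n in range(10, 19)]   # constructed LAN hosts
    print([by_ip.pick(h, "203.0.113.10") for h in hosts])
    by_session = Balancer(weights, policy="NAT Session")
    print([by_session.pick("192.168.1.10", "203.0.113.10") for _ in range(7)])
```

With the IP Address policy the ninth host lands back on WAN1, exactly as in the host sequence above; with the NAT Session policy the same host alternates connections session by session, which is the behaviour ID binding is there to suppress for a given application.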

Figure 6-10 Enable ID Binding


• Enable ID Binding: It allows you to enable or disable ID binding. If you want to enable the ID binding feature for applications such as online banking, QQ, etc., select this check box.

• Save: Click it to save your settings.

6.3.4 Load Balancing Global Settings

The following sections describe the global settings related to Full Load Balancing and Partial Load Balancing respectively. For more information about them, refer to section 6.3.1.2 Load Balancing Mode.

6.3.4.1 Global Settings - Full Load Balancing

Figure 6-11 Global Settings - Full Load Balancing

• Detection Method: It specifies the detection method used to monitor the Internet connections. The Device provides three detection methods: ICMP, ARP and DNS. For more information about them, refer to section 6.3.1.3 Internet Connection Detection Method.

ICMP: The Device monitors an Internet connection by sending ICMP echo request packets to the target IP address you specify. The target IP address can be either the connection's default gateway IP address or another public IP address you specify.

ARP: The Device monitors an Internet connection by sending ARP request packets to the connection's default gateway IP address.

DNS: The Device will monitor an Internet connection by sending DNS query packets to the public DNS server IP address you specify.

• Load Balancing Policy: It specifies the policy used to control and balance the traffic among multiple Internet connections. The available options are IP Address and NAT Session; the default is IP Address. Refer to section 6.3.2.2 Two Load Balancing Policies for more information.

• Load Balancing Mode: It specifies the mode of load balancing. Here select Full Load Balancing. Refer to section 6.3.1.2 Load Balancing Mode for more information.

• Save: Click it to save the load balancing global settings.

6.3.4.2 Global Settings - Partial Load Balancing

Figure 6-12 Global Settings - Partial Load Balancing

Refer to section 6.3.4.1 Global Settings - Full Load Balancing for a detailed description of Detection Method and Load Balancing Policy.

• Load Balancing Mode: It specifies the mode of load balancing. Here select Partial Load Balancing. Refer to section 6.3.1.2 Load Balancing Mode for more information.

• Primary: It specifies the primary connection group. An Internet connection in the Primary list box is a primary connection. Refer to section 6.3.1.2 Load Balancing Mode for more information.

• Backup: It specifies the backup connection group. An Internet connection in the Backup list box is a backup connection. Refer to section 6.3.1.2 Load Balancing Mode for more information.

• ==>: Select one or more Internet connections in the Primary list box, and then click ==> to move the selected connection(s) to the Backup list box.

• <==: Select one or more Internet connections in the Backup list box, and then click <== to move the selected connection(s) to the Primary list box.

• Save: Click it to save the load balancing global settings.

Note

1. The WAN1 Internet Connection can only be located in the Primary list box, that is, you cannot move it to the Backup list box.

2. If you change the Load Balancing Mode from Partial Load Balancing to Full Load Balancing and click the Save button, the Device automatically moves all the Internet connection(s) in the Backup list box to the Primary list box.

3. If you move all the Internet connection(s) in the Backup list box to the Primary list box and click the Save button, or delete all the backup connections in the Basic > WAN > WAN List page, the Device automatically switches the Load Balancing Mode from Partial Load Balancing to Full Load Balancing.

6.3.5 Detection and Weight Settings

Note

In the Basic > Load Balancing > Detection & Weight page, you can configure the connection detection parameters (Detection Target IP, Detection Interval, Retry Times) and the Weight of each Internet connection. The operation is as follows: click the Edit hyperlink of an Internet connection in the Load Balancing List to go to the Detection & Weight setup page, configure those parameters for the selected Internet connection, and then click the Save button.

Figure 6-13 Detection and Weight Settings

• Detection Target IP: It indicates the IP address of the detection target device. The Device monitors an Internet connection by sending detection packets to this address. If you select Gateway IP Address from the drop-down list, the Device sends the detection packets to the selected Internet connection's default gateway; if you select Other IP Address, enter an appropriate public IP address in the associated text box and the Device sends the detection packets to that address.

• Detection Interval: It specifies the time interval at which the Device periodically sends detection packets, one packet at a time. The default value is 1000 milliseconds. It must be between 1000 and 60000 milliseconds, or 0; 0 means that connection detection is disabled on the selected Internet connection.

• Retry Times: It specifies the number of retries per detection period. The default value is 3.

• Weight: It specifies the weight of the selected Internet connection. Refer to section 6.3.2.1 Allocating Traffic according to Connection Bandwidth for more information about how to set it.

• Save: Click it to save the detection and weight settings of the selected Internet connection.


Note

The Detection Target IP , Detection Interval , and Retry Times are connection detection related parameters. For more information about them, please refer to section 6.3.1.1 Internet Connection Detection Mechanism .

6.3.6 Load Balancing List

Figure 6-14 Load Balancing List

• Edit an Internet Connection: To configure or modify the detection parameters and Weight of an Internet connection, click its Edit hyperlink; the related information is displayed in the Detection & Weight page. Configure or modify it, and then click the Save button.

• View Load Balancing List: After you have configured the load balancing global parameters and the detection and weight settings for one or more Internet connections, you can view the related configuration and status information in the Load Balancing List.

• Refresh Load Balancing List: Click the Refresh button to view the latest information in the list.

6.3.7 How to Configure Load Balancing

6.3.7.1 The Process of Configuring Load Balancing

The secondary menu Load Balancing is displayed only after you have configured more than one Internet connection. The process of configuring load balancing is as follows:

1. Go to the Basic > WAN page, configure the WAN1 Internet connection first, and then configure the other Internet connection(s) as required. Note that you can also configure the WAN1 connection through the Quick Wizard.

2. Go to the Basic > Load Balancing page, click the Edit hyperlink of an Internet connection in the Load Balancing List to go to the Detection & Weight page to configure detection related parameters and Weight for the selected connection. Then continue to configure these parameters for other connection(s) one by one.

3. Go to the Basic > Load Balancing > Global Settings page to configure global parameters as required.

4. Go to the Basic > Load Balancing > ID Binding page to enable ID binding feature if needed.

6.3.7.2 The Configuration Steps of Connection Detection and Weight

Step 1 Go to the Basic > Load Balancing page.

Step 2 Click the Edit hyperlink of an Internet connection in the Load Balancing List to go to the Detection & Weight page.

Step 3 Configure the connection detection parameters (Detection Target IP, Detection Interval, Retry Times) and Weight for the selected Internet connection as required.

Step 4 Click the Save button to save the detection and weight settings for the selected Internet connection.

Step 5 If you want to configure the connection detection parameters and Weight for another Internet connection, repeat the above steps.


6.3.7.3 The Configuration Steps of Load Balancing Global Settings

Step 1 Go to the Basic > Load Balancing > Global Settings page.

Step 2 Specify the Detection Method as required.

Step 3 Specify the Load Balancing Policy as required.

Step 4 Specify the Load Balancing Mode as required. If you choose Partial Load Balancing as the Load Balancing Mode, move one or more Internet connections from the Primary list box to the Backup list box according to your requirements.

Step 5 Click the Save button to save the load balancing global settings.

6.3.7.4 The Configuration Steps of ID Binding

Step 1 Go to the Basic > Load Balancing > ID Binding page.

Step 2 Select the Enable ID Binding check box if needed.

Step 3 Click the Save button to save the ID binding settings.

6.3.8 Related Detection Route

When connection detection is enabled on an Internet connection (i.e., its Detection Interval is greater than 0), the Device automatically creates a detection route for the connection to ensure that the detection packets are forwarded through it. You can view the detection route configuration in the Static Route List on the Advanced > Static Route page. Refer to section 7.1.1.2 System Reserved Static Routes for more information about detection routes. Note that a detection route is an ordinary entry in the routing table, so any other traffic to the detection target IP is forced through that connection as well; choose a target that the LAN hosts do not otherwise need to reach (see the note on the DNS method in section 6.3.1.3).

Note

For a static IP or DHCP Internet connection, when its Detection Target IP is set to Gateway IP Address, the system directly uses its default route to forward the detection packets that monitor the connection. That is, the default route also acts as the detection route.


6.4 DHCP & DNS

This section describes the Basic > DHCP & DNS page.

The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network.

DHCP allows a host to be configured automatically, eliminating the need for intervention by a network administrator. The Device can act as a DHCP server to assign network addresses and deliver other TCP/IP configuration parameters (such as the gateway IP address, DNS server IP address, WINS server IP address, etc.) to the LAN hosts.

6.4.1 DHCP Server

Figure 6-15 DHCP Server Settings

• Enable DHCP Server: It allows you to enable or disable the DHCP server. If you want to enable the DHCP server on the Device, select this check box.

• Start IP Address: It specifies the first IP address assigned by the DHCP server. In most cases, this address should be on the same subnet as the Device's LAN IP address.

• Subnet Mask: It specifies the subnet mask of the IP addresses assigned by the DHCP server. In most cases, this subnet mask should be the same as the Device's LAN subnet mask.

• Number of Addresses: It specifies the maximum number of IP addresses that can be assigned by the DHCP server.

• Default Gateway: It specifies the IP address of the default gateway for a DHCP client. In most cases, this address should be the same as the Device's LAN IP address, that is, the Device is used as the default gateway for the LAN hosts.

• Lease Time: It specifies the length of time (in seconds) for which a client host may use an assigned IP address. Before the lease expires, the client normally renews it with the server; if the lease expires, the client is assigned a new dynamic IP address. The default value is 3600 seconds.

• Primary DNS Server: It specifies the IP address of the primary DNS server made available to DHCP clients. If you have already set the Primary DNS Server through the Quick Wizard or in the Basic > WAN page, the Device automatically fills in the same value here.

• Secondary DNS Server: It specifies the IP address of the secondary DNS server made available to DHCP clients. If you have already set the Secondary DNS Server through the Quick Wizard or in the Basic > WAN page, the Device automatically fills in the same value here.

• Save: Click it to save the DHCP server settings.

Note

If you want a LAN host to obtain an IP address and other TCP/IP parameters from the Device's built-in DHCP server, select the Obtain an IP address automatically option in the TCP/IP properties dialog box on the host.

6.4.2 DHCP Auto Binding

If the hosts on your LAN change frequently, configuring DHCP manual bindings is laborious, and the ARP Spoofing Defense feature (see section 12.1.1 Internal Attack Defense) also needs periodic maintenance, so some users end up unable to reach the Device or the Internet. To deal with these issues, the Device provides the DHCP auto binding feature.

Once DHCP auto binding is enabled, the Device immediately scans the LAN to detect the active hosts connected to it, learns their dynamic ARP information and binds the valid IP and MAC address pairs. After that, whenever a client host obtains an IP address from the Device acting as DHCP server, the Device immediately binds that host's IP and MAC address pair. This effectively protects the Device and the LAN hosts against ARP spoofing. Note that the initial scan binds the IP and MAC pairs present on the LAN at that moment, so enable the feature while the LAN is known to be clean: a host that is already spoofing during the scan would be bound as if it were legitimate.

Figure 6-16 DHCP Auto Binding

• Enable DHCP Auto Binding: It allows you to enable or disable DHCP auto binding. If you select this check box, once a LAN host obtains an IP address from the Device acting as DHCP server, the Device immediately binds that host's IP and MAC address pair. Otherwise, the Device does not perform auto binding.

• Enable DHCP Auto Deleting: It allows you to enable or disable DHCP auto deleting. If you select this check box, the Device automatically deletes a DHCP auto binding entry when the corresponding host releases its IP address or its lease expires. Otherwise, the Device does not perform auto deleting.

• Save: Click it to save your settings.
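The following Python model, added here as an illustration and not the Device's firmware, shows what DHCP auto binding and DHCP auto deleting do with a constructed stream of DHCP lease and ARP events, and how a bound pair lets a spoofed ARP packet be recognised. The BindingTable class, the event format and the sample addresses are assumptions.

```python
# Model of DHCP auto binding / auto deleting (section 6.4.2) with an ARP
# consistency check. Added example, not the Device's firmware. The event
# format, the class name and the sample addresses are assumptions.
from dataclasses import dataclass, field


@dataclass
class BindingTable:
    auto_binding: bool = True
    auto_deleting: bool = True
    bindings: dict = field(default_factory=dict)   # ip -> bound MAC
    alerts: list = field(default_factory=list)     # (ip, bound MAC, seen MAC)

    def on_lease(self, ip, mac):
        """The DHCP server handed `ip` to `mac`: bind the pair at once."""
        if self.auto_binding:
            self.bindings[ip] = mac.lower()

    def on_release_or_expire(self, ip):
        """The client released the address or its lease expired."""
        if self.auto_deleting:
            self.bindings.pop(ip, None)

    def check_arp(self, sender_ip, sender_mac):
        """Return True if an ARP packet agrees with the binding for its
        sender IP (or no binding exists); False, with an alert recorded,
        if another MAC claims a bound IP, which is what ARP spoofing looks like."""
        bound = self.bindings.get(sender_ip)
        if bound is None or bound == sender_mac.lower():
            return True
        self.alerts.append((sender_ip, bound, sender_mac.lower()))
        return False


# Constructed sample event stream (not captured from a real network).
EVENTS = [
    ("lease", "192.168.1.50", "00:11:22:33:44:55"),
    ("arp", "192.168.1.50", "00:11:22:33:44:55"),   # genuine host
    ("arp", "192.168.1.50", "de:ad:be:ef:00:01"),   # another MAC claims the IP
    ("arp", "192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP: no DHCP binding
    ("expire", "192.168.1.50", None),
    ("arp", "192.168.1.50", "de:ad:be:ef:00:01"),   # after expiry
]


def replay(events, auto_deleting=True):
    """Run the events through a fresh table; return the table and the
    result of each ARP check in order."""
    table = BindingTable(auto_deleting=auto_deleting)
    results = []
    for kind, ip, mac in events:
        if kind == "lease":
            table.on_lease(ip, mac)
        elif kind == "expire":
            table.on_release_or_expire(ip)
        elif kind == "arp":
            results.append(table.check_arp(ip, mac))
    return table, results


if __name__ == "__main__":
    table, results = replay(EVENTS)
    print(results, table.alerts, table.bindings)
```

Two points the replay makes visible: the spoofed packet for the gateway address 192.168.1.1 passes, because auto binding only covers addresses handed out by the Device's DHCP server and the pairs learned in the initial scan, so the gateway address and statically addressed hosts still rely on the manual bindings or the ARP Spoofing Defense settings of section 12.1.1; and with auto deleting enabled the binding disappears when the lease expires, so the same foreign MAC is no longer flagged afterwards.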

6.4.3 DNS Proxy

When acting as a DNS proxy, the Device listens for DNS requests on the LAN interface, relays them to the current public DNS servers, and returns the answers to the requesting LAN hosts as their resolver.


Figure 6-17 Enable DNS Proxy

• Enable DNS Proxy: It allows you to enable or disable DNS proxy. If you want to enable DNS proxy on the Device, select this check box.

• Save: Click it to save the DNS proxy settings.

Note

1. If DNS proxy is enabled on the Device, the LAN hosts' primary DNS server must be set to the Device's LAN IP address for the DNS proxy service to be used. Note: if the DHCP server is also enabled on the Device, the Device automatically assigns its LAN IP address to the LAN hosts as the primary DNS server address.

2. To ensure that the DNS proxy works well, you should specify at least the primary DNS server provided by your ISP on the Device; you can also specify the secondary DNS server if your ISP provides one.

3. The Device can act as a DNS proxy server for all LAN users, which greatly simplifies LAN host setup. For example, suppose the LAN has a DNS proxy server on which DNS proxy software is installed (e.g., Wingate), and the LAN users use this server's IP address as their primary DNS server address. Now the Device is to be used as the new gateway for the LAN hosts. To keep using the DNS proxy service, the administrator only needs to change the Device's LAN IP address to the old DNS proxy server's IP address and enable DNS proxy on the Device, without modifying the LAN hosts' settings.


Chapter 7 Advanced Setup

This chapter describes how to configure and use the Device's advanced features, which include static route, policy-based routing, DNS redirection, Plug and Play, SNMP, SYSLOG, DDNS, switch, and so on.

7.1 Static Route

This section describes the Advanced > Static Route page.

In this page, you can configure not only static routes but also static route PDBs (PDB: Policy Database). Using static route PDBs, you can create a large batch of static routes at once, so that the traffic destined for one ISP's servers is forwarded through that ISP's connection rather than another ISP's connection.

The following describes how to configure and use static routes and static route PDBs.

7.1.1 Static Route

7.1.1.1 Introduction to Static Route

A static route is configured manually by the network administrator and stored in the routing table. Using the routing table, the Device selects a transmission path for each received packet and forwards it to its destination. Proper use of static routes can not only improve network performance but also bring other benefits, such as traffic control and a more secure network environment.

The disadvantage of using static routes is that they cannot dynamically adapt to the current operational state of the network. When there is a change in the network or a failure occurs, some static routes will be unreachable. In this case, the network administrator should update the static routes manually.


7.1.1.2 System Reserved Static Routes

In the system, there are two types of reserved static routes: default route and detection route. The following describes them respectively.

1. Default Routes

A default route is used to forward packets that don’t match any other route in the routing table. The packets will be forwarded to the default gateway specified by the default route.

The default route’s destination IP address and subnet mask both are 0.0.0.0.

After you have finished configuring the WAN1 Internet connection through the Quick Wizard, or configuring the WAN1 Internet connection and other connections in the Basic > WAN page, the Device will automatically create a default route for each Internet connection respectively. You can go to the Status > Route Stats page to view their status information in the Routing Table. A default route's Destination IP/Mask is 0.0.0.0/0.

2. Detection Routes

If connection detection is enabled on an Internet connection (i.e., the Detection Interval is more than 0) in the Basic > Load Balancing page, the Device will automatically create a detection route for the connection to ensure that the detection packets are forwarded through it. You can view the detection route configuration in the Static Route List on this page. Table 7-1 provides the IDs of detection routes for the Internet connections with different interfaces and connection types.

Note

For a static IP or DHCP Internet connection, when its Detection Target IP is set to Gateway IP Address, the system will directly use its default route to forward detection packets to monitor the connection. That is, the default route also acts as a detection route.

Table 7-1 Reserved Detection Route Name

Internet Connection                          Detection Route ID
Physical Interface    Connection Type
WAN1                  Static IP              Detect
WAN1                  DHCP                   Detect
WAN1                  PPPoE                  Detect
WAN2                  Static IP              DETEFIX_03
WAN2                  DHCP                   DETEDYN_03
WAN2                  PPPoE                  DETEPPP_01
WAN3                  Static IP              DETEFIX_04
WAN3                  DHCP                   DETEDYN_04
WAN3                  PPPoE                  DETEPPP_02
WAN4                  Static IP              DETEFIX_05
WAN4                  DHCP                   DETEDYN_05
WAN4                  PPPoE                  DETEPPP_03

7.1.1.3 Static Route Settings

Figure 7-1 Static Route Settings

• Predefined: When creating a static route, leave the default value of None. Otherwise, select a predefined route PDB (policy database).

• Destination IP: It specifies the IP address of the destination network or destination host.

• Subnet Mask: It specifies the subnet mask associated with the destination network.

• Gateway IP Address: It specifies the IP address of the next hop gateway or router to which the packets are forwarded.

• Bind to: It specifies an outbound interface through which the packets are forwarded to the next hop gateway or router. The available options are the name of each physical interface, and Local. Local means the internal soft-route interface, and the packets will be forwarded to the Device itself.

• Description: It specifies the description of the static route. When creating a static route, you may enter a description for it. Otherwise, the description is provided by the system.

• Detection Interval: It is the same as the Detection Interval in the Basic > Load Balancing > Detection & Weight page. Only a detection route needs it. It specifies the time interval at which the Device sends detection packets to detect the status of the corresponding Internet connection. Refer to section 6.3.5 Detection and Weight Settings for more information.

• Priority: It indicates the priority of the route. If there are multiple routes to the same destination with different priorities, the Device will choose the route with the highest priority to forward the packets. The smaller the value, the higher the priority.

• Metric: It indicates the cost of using the route, which is typically the number of hops to the IP destination. If there are multiple routes with the same priority to the same destination, the Device will choose the route with the lowest metric to forward the packets.

• Save: Click it to save the static route settings.

Note

1. When creating a static route, you should specify the next hop IP address by the Gateway IP Address or Bind to. If the outbound interface is a physical interface, you should specify the Gateway IP Address, but may leave the Bind to blank. In this case, the Device can select an optimal transmission path. If the outbound interface is a dial interface related to a dial connection (e.g., a PPPoE connection), you should select the corresponding physical interface from the Bind to drop-down list, but need not specify the Gateway IP Address (i.e., leave it at the default value 0.0.0.0). In this case, the next hop IP address is assigned by a dial server (e.g., a PPPoE server).

2. In most cases, do not modify the system reserved static routes (e.g., Default, Detect), to avoid disrupting Internet access.

7.1.1.4 Static Route List

Figure 7-2 Static Route List

• Add a Static Route: If you want to add a new static route, click the New button or select the Route Settings tab to go to the setup page, configure it, and lastly click the Save button.

• View Static Routes: When you have configured some static routes, you can view them in the Static Route List.

• Edit a Static Route: If you want to modify a configured static route, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button.

• Delete Static Route(s): If you want to delete one or more static routes, select the leftmost check boxes of them, and then click the Delete button.

• Display Routing Table: Click this hyperlink to go to the Status > Route Stats page to view the current status of all the active routes in the Routing Table.


7.1.1.5 How to Add the Static Routes

If you want to add one or more static routes, do the following:

Step 1 Go to the Advanced > Static Route page.

Step 2 Click the New button or select the Route Settings tab to go to the setup page.

Step 3 Specify the Destination IP and Subnet Mask for the static route.

Step 4 Specify the next hop IP address by the Gateway IP Address or Bind to.

If the outbound interface is a physical interface, you should specify the Gateway IP Address, but may leave the Bind to blank. In this case, the Device will select an optimal transmission path.

For example, a static route's destination network is 192.168.1.0/24, the gateway IP address is 192.168.1.254, and the outbound interface is a physical interface. Here you should enter 192.168.1.254 in the Gateway IP Address text box, but may leave the Bind to blank. The Device will select an optimal transmission path. The detailed settings are shown in the following figure.

Figure 7-3 Static Route Settings - Example One

If the outbound interface is a dial interface, you should select the corresponding physical interface from the Bind to drop-down list, but need to leave the Gateway IP Address at the default value 0.0.0.0. In this case, the next hop IP address is assigned by a dial server (e.g., a PPPoE server).

For example, a static route's destination network is 218.19.213.45/24, the outbound interface is a PPPoE dial interface, and the corresponding physical interface is WAN2. Here you should select WAN2 from the Bind to drop-down list, but need to leave the Gateway IP Address at the default value 0.0.0.0. The next hop IP address is assigned by your ISP's PPPoE server. The detailed settings are shown in the following figure.

Figure 7-4 Static Route Settings - Example Two

Step 5 Specify the Detection Interval if you want to detect the connection status.

Step 6 Specify the Priority and Metric for the static route as required.

Step 7 Click the Save button to save the settings. You can view the static route in the Static Route List.

Step 8 If you want to add another new static route, please repeat the above steps.

Note

If you want to delete one or more static routes, select the leftmost check boxes of them in the Static Route List , and then click the Delete button.

7.1.2 Static Route Policy Database

Note

The policy database is called PDB for short in this document.


7.1.2.1 Introduction to Static Route PDB

A user (e.g., an Internet café or a business) using multiple Internet connections usually subscribes to them from different ISPs; for example, one is a Telecom Italia Internet connection and another is a Fastweb Internet connection. In some cases, if packets accessing one ISP's servers are forwarded through another ISP's connection, the access rate may be very slow, or access may even be refused. To ensure that the LAN hosts can access the servers normally, the traffic destined for one ISP's servers should be forwarded through that ISP's connection rather than another ISP's connection. You can easily achieve this by using static route PDBs.

The system provides three predefined route PDBs, named after the ISPs, for example T.Italia, Fastweb, BT, etc. The T.Italia PDB is used to access the T.Italia servers (i.e., the servers provided by Telecom Italia), the Fastweb PDB is used to access the Fastweb servers (i.e., the servers provided by Fastweb), and the BT PDB is used to access the BT servers (i.e., the servers provided by BT). The T.Italia PDB encapsulates the information (IP addresses and subnet masks) of many T.Italia subnets, and so on for the other ISPs. By introducing route PDBs, users don't need to add static routes one by one, but instead create a large batch of static routes at a time. Then the traffic destined for T.Italia servers will be forwarded through the T.Italia connection, the traffic destined for Fastweb servers will be forwarded through the Fastweb Internet connection, and so on.

Digicom S.p.A. will successively provide more route PDBs according to actual user requirements. You may go to the Restriction > Policy Database page to view the route PDBs' status information in the Policy Database List, such as version, reference status, and so on.

In addition, as the IP addresses of ISP servers often change, the technical engineers will acquire the related information and provide the latest route PDBs periodically as required. To make using PDBs easier, a PDB online update function is provided. That is, you only need to go to the Restriction > Policy Database page, and click the Update hyperlink of a route PDB entry in the Policy Database List. Then the Device will download the latest PDB from the designated web site and apply it automatically.


7.1.2.2 Static Route PDB Settings

Figure 7-5 Static Route PDB Settings

Because each static route PDB encapsulates many IP addresses and subnet masks, you needn't configure the Destination IP and Subnet Mask when creating a static route PDB entry, as shown in Figure 7-5.

As a route PDB entry's Gateway IP Address, Bind to, Detection Interval, Priority and Metric are the same as a static route's, please refer to section 7.1.1.3 Static Route Settings for a detailed description.

• Predefined: You should select a PDB option when creating a static route PDB entry. The available options are the main Italian ISPs. Note that the PDB should be bound to the WAN connection where the corresponding ISP is actually connected.

• Detection Interval: Its value should be 0 for a route PDB entry.

• Description: Its value is Routing PDB, which is provided by the system automatically when creating a static route PDB.

• Save: Click it to save the static route PDB entry settings.

When you have created a route PDB entry here, the system will automatically create many static routes that have the following characteristics:

• Their Destination IP and Subnet Mask are predefined by the route PDB.

• Each static route has the same Gateway IP Address, Bind to, Detection Interval, Priority and Metric, that is, the same as the route PDB. Note: As the Detection Interval can only be set to 0 when creating the PDB entry, each static route's Detection Interval is 0.

• ID values are 1, 2, 3 ... incrementally.


Note

If there is a static route PDB entry bound to an Internet connection, once the connection is activated, all the static routes created by the route PDB entry will take effect immediately. You can go to the Status > Route Stats page to view the settings and status of these static routes in the Routing Table .
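The following Python model is an added worked example for section 7.1.1.3 (priority and metric) and section 7.1.2.2 (how a route PDB entry expands into static routes); it is not code from the Digicom manual or from the Device's firmware. It shows what the Routing Table looks like after the two static routes from Examples One and Two and two PDB entries are saved, and how a packet's route is chosen. The PDB contents, the ISP names ISP-A and ISP-B, the default priority of 100 and the longest-prefix-first rule are assumptions; the manual only states the priority and metric tie-break.

```python
"""Added example: static routes, route PDB expansion and route selection.
Sample networks and PDB contents are constructed, not real ISP data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRoute:
    route_id: int
    destination: str             # destination network or host, e.g. "192.168.1.0"
    subnet_mask: str             # e.g. "255.255.255.0"; 0.0.0.0 for a default route
    gateway: str = "0.0.0.0"     # next hop; left at 0.0.0.0 for dial (PPPoE) interfaces
    bind_to: str = ""            # outbound physical interface; "" lets the Device choose
    detection_interval: int = 0  # only detection routes use a value above 0
    priority: int = 100          # smaller value = higher priority (100 is an assumed default)
    metric: int = 1              # cost, typically the hop count
    description: str = ""

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=False)


# Constructed stand-in for predefined route PDBs: a few documentation prefixes
# per ISP. The real PDBs come from Digicom's update site and are much larger.
SAMPLE_PDBS = {
    "ISP-A": [("198.51.100.0", "255.255.255.0"), ("203.0.113.0", "255.255.255.0")],
    "ISP-B": [("192.0.2.0", "255.255.255.0")],
}


def expand_pdb(pdb_name: str, gateway: str = "0.0.0.0", bind_to: str = "",
               priority: int = 100, metric: int = 1) -> List[StaticRoute]:
    """Create one static route per PDB prefix. As section 7.1.2.2 states, every
    route shares the entry's gateway, Bind to, priority and metric, has
    Detection Interval 0, description "Routing PDB" and IDs 1, 2, 3 ... in order."""
    return [
        StaticRoute(i, dst, mask, gateway, bind_to, 0, priority, metric, "Routing PDB")
        for i, (dst, mask) in enumerate(SAMPLE_PDBS[pdb_name], start=1)
    ]


def select_route(table: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Pick the route for dst_ip: longest prefix first (standard forwarding,
    assumed here), then highest priority (smallest value), then lowest metric."""
    ip = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.priority, r.metric))


def build_sample_table() -> List[StaticRoute]:
    """A constructed routing table: two system default routes, the routes from
    Examples One and Two, a backup route, and two route PDB entries."""
    table = [
        StaticRoute(0, "0.0.0.0", "0.0.0.0", "200.200.200.1", "WAN1", 0, 100, 1, "Default"),
        StaticRoute(0, "0.0.0.0", "0.0.0.0", "0.0.0.0", "WAN2", 0, 100, 2, "Default"),
        # Example One: physical interface, gateway given, Bind to left blank
        StaticRoute(10, "192.168.1.0", "255.255.255.0", "192.168.1.254", "", 0, 50, 1, "Example One"),
        # Same destination and priority as Example One, but a worse metric: never chosen
        StaticRoute(11, "192.168.1.0", "255.255.255.0", "192.168.1.253", "", 0, 50, 5, "Backup"),
        # Example Two: PPPoE dial interface bound to WAN2, gateway left at 0.0.0.0
        StaticRoute(12, "218.19.213.45", "255.255.255.0", "0.0.0.0", "WAN2", 0, 50, 1, "Example Two"),
    ]
    table += expand_pdb("ISP-A", gateway="200.200.200.1")  # static IP connection on WAN1
    table += expand_pdb("ISP-B", bind_to="WAN2")            # PPPoE connection on WAN2
    return table


def next_hop(table: List[StaticRoute], dst_ip: str) -> str:
    """Human-readable forwarding decision for dst_ip."""
    r = select_route(table, dst_ip)
    if r is None:
        return "no route"
    via = r.gateway if r.gateway != "0.0.0.0" else f"dial interface {r.bind_to}"
    return f"{r.description}: via {via}"


if __name__ == "__main__":
    table = build_sample_table()
    for ip in ("192.168.1.10", "203.0.113.7", "192.0.2.9", "218.19.213.9", "8.8.8.8"):
        print(ip, "->", next_hop(table, ip))
```

Traffic for a PDB prefix leaves through the ISP's own connection, traffic for 192.168.1.0/24 takes the lower-metric route, and everything else falls to the default route with the lowest metric; this is the same outcome the Status > Route Stats page shows for the real Device.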

7.1.2.3 How to Add the Static Route PDB Entries

If you want to add one or more static route PDB entries, do the following:

Step 1 Go to the Advanced > Static Route page.

Step 2 Click the New button or select the Route Settings tab to go to the setup page.

Step 3 Select a PDB option from the Predefined drop-down list.

Step 4 Specify the next hop IP address by the Gateway IP Address or Bind to.

If the outbound interface is a physical interface, you should specify the Gateway IP Address, but may leave the Bind to blank. In this case, the Device will select an optimal transmission path.

For example, you want to create a Telecom Italia route PDB entry. The Telecom Italia Internet connection is a static IP connection (that is, the outbound interface is a physical interface), and the gateway IP address is 200.200.200.1. Here you should enter 200.200.200.1 in the Gateway IP Address text box, but may leave the Bind to blank. The Device will select an optimal transmission path. The detailed settings are shown in the following figure.

Figure 7-6 Static Route PDB Settings - Example One

If the outbound interface is a dial interface, you should select the corresponding physical interface from the Bind to drop-down list, but need to leave the Gateway IP Address at the default value 0.0.0.0. In this case, the next hop IP address is assigned by a dial server (e.g., a PPPoE server).

For example, you want to create a Fastweb route PDB entry. The Fastweb Internet connection is a PPPoE connection (that is, the outbound interface is a dial interface), and the corresponding physical interface is WAN2. Here you should select WAN2 from the Bind to drop-down list, but need to leave the Gateway IP Address at the default value 0.0.0.0. The next hop IP address is assigned by your ISP's PPPoE server. The detailed settings are shown in the following figure.

Figure 7-7 Static Route PDB Settings - Example Two

Step 5 Specify the priority and metric for the static route PDB entry as required. In most cases, please leave the default values.

Step 6 Click the Save button to save the settings. You can view the static route PDB entry in the Static Route List .

Step 7 If you want to add another new static route PDB entry, please repeat the above steps.

Note

If you want to delete one or more static route PDB entries, select the leftmost check boxes of them in the Static Route List , and then click the Delete button.

7.1.2.4 How to Update a System Default Static Route PDB

As mentioned earlier, if you want to update a system default static route PDB, go to the Restriction > Policy Database page, and click the Update hyperlink of the route PDB in the Policy Database List. Then the Device will download the latest PDB from the designated web site and apply it automatically.

Note that if the route PDB has already been referenced, you should reference it again in this page to let the related settings take effect. The steps are as follows: first click the Edit hyperlink of the route PDB, then select the PDB from the Predefined drop-down list again, and lastly click the Save button to make the related settings take effect.


7.2 Policy-Based Routing

This section describes the Advanced > PBR page.

PBR (policy-based routing) provides a tool for forwarding and routing data packets based on the user-defined policies. Different from the traditional destination-based routing mechanism, PBR enables you to use policies based on source and destination address, protocol, port, schedule, and other criteria to route packets flexibly.

7.2.1 Policy-Based Routing Settings

Figure 7-8 Policy-Based Routing Settings

• Bind to: It specifies an outbound interface through which the packets matching the PBR entry are forwarded.

• Schedule: It specifies a schedule to restrict when the PBR entry is in effect. The default value is Always, which means the PBR entry is always in effect.

• Description: It specifies the description of the PBR entry. It is usually used to describe the purpose of the entry.

• Source: It specifies the source IP addresses of the packets to which the PBR entry applies. There are two options:

  ● Addresses: Select it to enter the start and end addresses in the associated text boxes.

  ● Address Group: Select it to choose an address group from the associated drop-down list. By default, the Address Group radio button is selected, and its value is Any Address.

• Destination: It specifies the destination IP addresses of the packets to which the PBR entry applies. There are two options:

  ● Addresses: Select it to enter the start and end IP addresses in the associated text boxes.

  ● Address Group: Select it to choose an address group from the associated drop-down list. By default, the Address Group radio button is selected, and its value is Any Address.

• Service: It specifies a range of ports or a service group to which the PBR entry applies. There are two options:

  ● Ports: Select it to enter the start and end port numbers in the associated text boxes, and select a protocol type from the Protocol drop-down list. The port number is between 1 and 65535, and the protocols include TCP, UDP and ICMP.

  ● Service Group: Select it to choose a service group or predefined service from the associated drop-down list. The Device provides some well-known services, such as telnet, smtp, web, pop3, and so on. By default, the Service Group radio button is selected, and its value is Any Service.

• Edit Schedule: Click it to go to the Security > Schedule page to add, view, modify or delete schedules.

• Edit Address Group: Click it to go to the Security > Address Group page to add, view, modify or delete address groups.

• Edit Service Group: Click it to go to the Security > Service Group page to add, view, modify or delete service groups.

• Save: Click it to save the PBR entry settings.


Note

PBR (policy-based routing) takes precedence over the Device's normal destination-based routing. That is, if a packet matches all the criteria (source address, destination address, protocol type, port, etc.) specified in a PBR entry, it will be forwarded through the outbound interface specified in that PBR entry. If no match is found in the PBR list, the packet will be forwarded through the normal routing channel (in other words, destination-based routing is performed).
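The Python model below is an added worked example of the PBR decision described in this section and in the Note above; it is not code from the Digicom manual or from the Device. It walks the PBR list in order, skips disabled entries and entries outside their schedule, requires source, destination and service to match, and returns None when the packet should fall through to destination-based routing. The address groups, service groups, office-hours schedule and packets are constructed; treating an ICMP service entry as matching any ICMP packet (which carries no port) is an assumption.

```python
"""Added example: evaluating a packet against a PBR list. Groups, entries and
packets are constructed; the Device's own groups live under Security >
Address Group and Security > Service Group."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

AddrRange = Tuple[str, str]                        # (start IP, end IP), inclusive
Service = Tuple[str, int, int]                     # (protocol, start port, end port)
Schedule = Optional[Tuple[Set[int], time, time]]   # None = Always; else (weekdays, start, end)

ADDRESS_GROUPS = {
    "Any Address": ("0.0.0.0", "255.255.255.255"),
    "Sales": ("192.168.1.10", "192.168.1.50"),
}
SERVICE_GROUPS = {
    "Any Service": [("tcp", 1, 65535), ("udp", 1, 65535), ("icmp", 1, 65535)],
    "web": [("tcp", 80, 80), ("tcp", 443, 443)],
}
OFFICE_HOURS: Schedule = ({0, 1, 2, 3, 4}, time(9, 0), time(18, 0))  # Mon-Fri, 09:00-18:00


@dataclass
class PbrEntry:
    entry_id: int
    bind_to: str                 # outbound interface, e.g. "WAN2"
    source: AddrRange
    destination: AddrRange
    services: List[Service]
    schedule: Schedule = None
    enabled: bool = True         # the Enable check box in the PBR List
    description: str = ""


def in_range(ip: str, rng: AddrRange) -> bool:
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in rng)
    return lo <= int(ipaddress.IPv4Address(ip)) <= hi


def service_matches(services: List[Service], proto: str, port: Optional[int]) -> bool:
    # ICMP carries no port, so an ICMP service entry matches any ICMP packet (assumption).
    for sproto, lo, hi in services:
        if sproto != proto:
            continue
        if proto == "icmp" or (port is not None and lo <= port <= hi):
            return True
    return False


def schedule_active(schedule: Schedule, now: datetime) -> bool:
    if schedule is None:         # "Always"
        return True
    days, start, end = schedule
    return now.weekday() in days and start <= now.time() <= end


def pbr_lookup(pbr_enabled: bool, entries: List[PbrEntry], packet: dict,
               now: datetime) -> Optional[str]:
    """Return the outbound interface chosen by PBR, or None when the packet
    falls through to the normal destination-based routing table. `entries`
    is in list order: Move changes an entry's position, not its ID."""
    if not pbr_enabled:          # Enable Policy-based Routing not selected
        return None
    for e in entries:
        if not e.enabled or not schedule_active(e.schedule, now):
            continue
        if not in_range(packet["src"], e.source) or not in_range(packet["dst"], e.destination):
            continue
        if not service_matches(e.services, packet["proto"], packet.get("dport")):
            continue
        return e.bind_to
    return None


def sample_pbr_list() -> List[PbrEntry]:
    """Constructed PBR list: Sales web traffic via WAN2 at any time, everything
    else via WAN1 during office hours only."""
    return [
        PbrEntry(1, "WAN2", ADDRESS_GROUPS["Sales"], ADDRESS_GROUPS["Any Address"],
                 SERVICE_GROUPS["web"], None, True, "Sales web traffic via WAN2"),
        PbrEntry(2, "WAN1", ADDRESS_GROUPS["Any Address"], ADDRESS_GROUPS["Any Address"],
                 SERVICE_GROUPS["Any Service"], OFFICE_HOURS, True, "Office-hours traffic via WAN1"),
    ]


if __name__ == "__main__":
    monday = datetime(2024, 6, 10, 10, 0)
    pkt = {"src": "192.168.1.20", "dst": "93.184.216.34", "proto": "tcp", "dport": 443}
    print(pbr_lookup(True, sample_pbr_list(), pkt, monday))   # WAN2
```

A None result is the "no match" case from the Note: the packet is handed to the routing table, so a PBR list never needs a catch-all entry unless you deliberately want to override the default routes.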

7.2.2 Enable Policy-Based Routing

Figure 7-9 Enable Policy-Based Routing

• Enable Policy-based Routing: It allows you to enable or disable policy-based routing. If you select the check box to enable policy-based routing, the configured PBR entries will take effect. Otherwise, the PBR entries have no effect.

• Save: Click it to save your settings.


7.2.3 Policy-Based Routing List

Figure 7-10 PBR List

• Add a PBR Entry: If you want to add a new PBR entry, click the New button or select the PBR Settings tab to go to the setup page, configure it, and lastly click the Save button.

• Enable a PBR Entry: The Enable check box is used to enable or disable the corresponding PBR entry. By default it is selected, which means the PBR entry is in effect. If you want to disable the PBR entry temporarily instead of deleting it, click it to remove the check mark.

• View PBR Entry(s): When you have configured some PBR entries, you can view them in the PBR List.

• Edit a PBR Entry: If you want to modify a configured PBR entry, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button.

• Delete PBR Entry(s): If you want to delete one or more PBR entries, select the leftmost check boxes of them, and then click the Delete button.

• Move a PBR Entry: The Device allows you to move a PBR entry before another entry in the list. The operation is as follows: select the ID of the PBR entry that you want to move from the Move drop-down list, and another entry's ID from the before drop-down list, then click OK. Note that moving a PBR entry in the list doesn't change its ID number.


7.3 DNS Redirection

This section describes the Advanced > DNS Redirection page.

7.3.1 Introduction to DNS Redirection

DNS redirection is used to redirect domain names directly to specified IP addresses; that is, the domain names aren't resolved by a DNS server, but are looked up in a user-defined list of name-to-address mappings. Once you have configured some DNS redirection entries, a DNS redirection list that contains the name-to-address mappings is created. When receiving a DNS request, the Device looks up the requested domain name in the DNS redirection list. If a match is found, the Device sends the requester a DNS response that contains the mapped IP address. Otherwise, the Device resolves the domain name by looking up its local DNS cache or the external DNS servers.

7.3.2 Enable DNS Redirection

Figure 7-11 Enable DNS Redirection

• Enable DNS Redirection: It allows you to enable or disable DNS redirection. By default it is unselected, which means the configured DNS redirection entries have no effect. If you want the DNS redirection entries to take effect, select this check box to enable DNS redirection.

• Save: Click it to save your settings.


7.3.3 DNS Redirection List

Figure 7-12 DNS Redirection List

• Add a DNS Redirection Entry: If you want to add a new DNS redirection entry, click the New button or select the DNS Redirection Settings tab to go to the setup page, configure it, and lastly click the Save button.

• Enable a DNS Redirection Entry: The Enable check box is used to enable or disable the corresponding DNS redirection entry. By default it is selected, which means the DNS redirection entry is in effect. If you want to disable the DNS redirection entry temporarily instead of deleting it, click it to remove the check mark.

• View DNS Redirection Entry(s): When you have configured some DNS redirection entries, you can view them in the DNS Redirection List.

• Edit a DNS Redirection Entry: If you want to modify a configured DNS redirection entry, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button.

• Delete DNS Redirection Entry(s): If you want to delete one or more DNS redirection entries, select the leftmost check boxes of them, and then click the Delete button.

Note

1. A DNS redirection entry whose domain name contains the wildcard character * has lower priority; in other words, the domain name with the highest accuracy is matched first. For example, there are two DNS redirection entries in the list: the first entry's domain name is www.sina.com, and the second entry's is www.sina.*. When accessing www.sina.com, the Device will redirect www.sina.com to the IP address specified by the first entry because of its higher accuracy.

2. For entries whose domain names have the same accuracy, matching is done in reverse chronological order of creation, so the last created entry is matched first.
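The Python function below is an added worked example of the matching rules in the Note above, not code from the Digicom manual or the Device. It reproduces the www.sina.com versus www.sina.* case, the "last created wins" tie-break, and the fall-through to normal resolution when nothing matches or DNS redirection is disabled. The entries and IP addresses are constructed, entry IDs are assumed to grow with creation time, and ranking wildcard patterns by their number of literal characters is an assumption beyond the manual's "wildcard entries rank lower".

```python
"""Added example: DNS redirection list lookup with accuracy and creation-order
precedence. Entries and addresses are constructed."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RedirectEntry:
    entry_id: int          # IDs grow with creation time (assumed), so a higher ID was created later
    ip_address: str        # address returned for every name in the Domain List
    domains: List[str]     # up to ten names; "*" is the only wildcard
    enabled: bool = True   # the Enable check box in the DNS Redirection List

    def __post_init__(self) -> None:
        # Enforce the limits from section 7.3.4: 1 to 10 names, all different.
        if not 1 <= len(self.domains) <= 10:
            raise ValueError("a Domain List holds 1 to 10 names")
        if len({d.lower() for d in self.domains}) != len(self.domains):
            raise ValueError("names within one Domain List must differ")


def accuracy(pattern: str) -> Tuple[int, int]:
    """Higher tuple = more accurate. An exact name beats any wildcard pattern;
    among wildcard patterns, more literal characters win (assumption)."""
    if "*" not in pattern:
        return (1, len(pattern))
    return (0, len(pattern.replace("*", "")))


def lookup_redirect(redirection_enabled: bool, entries: List[RedirectEntry],
                    qname: str) -> Optional[str]:
    """Return the redirected IP for qname, or None to let the Device resolve it
    through its local DNS cache or the external DNS servers."""
    if not redirection_enabled:
        return None
    name = qname.rstrip(".").lower()     # DNS names are case-insensitive
    best_key, best_ip = None, None
    for entry in entries:
        if not entry.enabled:
            continue
        for pattern in entry.domains:
            if fnmatch.fnmatchcase(name, pattern.lower()):
                # Ties on accuracy go to the entry created last (highest ID).
                key = (accuracy(pattern), entry.entry_id)
                if best_key is None or key > best_key:
                    best_key, best_ip = key, entry.ip_address
    return best_ip


def sample_redirect_list() -> List[RedirectEntry]:
    """Constructed list: the two entries from the Note plus two entries that
    share a name, which the Device allows (section 7.3.4, Note 1)."""
    return [
        RedirectEntry(1, "10.0.0.10", ["www.sina.com"]),
        RedirectEntry(2, "10.0.0.20", ["www.sina.*"]),
        RedirectEntry(3, "10.0.0.30", ["portal.example.test", "mail.example.test"]),
        RedirectEntry(4, "10.0.0.40", ["portal.example.test"]),
    ]


if __name__ == "__main__":
    for q in ("www.sina.com", "www.sina.net", "portal.example.test", "www.digicom.it"):
        print(q, "->", lookup_redirect(True, sample_redirect_list(), q))
```

Because a wildcard such as www.sina.* matches every suffix, a careless wildcard entry can silently capture names you did not intend; checking candidate names against the list this way before saving is a cheap safeguard.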

7.3.4 DNS Redirection Settings

Figure 7-13 DNS Redirection Settings

• IP Address: It specifies the IP address to which the specified domain name(s) are redirected.

• Description: It specifies the description of the DNS redirection entry. It is usually used to describe the purpose of the entry.

• Domain List: Each DNS redirection entry has a domain list. You can enter one or more domain names that you want to redirect in the Domain List box. It supports up to ten different domain names.

• Save: Click it to save the DNS redirection entry settings.

Note

1. Different DNS redirection entries can have the same IP addresses or domain names.

2. The domain names that contain the wildcard character * should be different.

3. The domain names that belong to the same Domain List should be different.

7.3.5 How to Configure DNS Redirection

Do the following to configure DNS Redirection.

Step 1 Go to the Advanced > DNS Redirection page.

Step 2 Click the New button or select the DNS Redirection Settings tab to go to the setup page.

Step 3 Specify the IP Address , Description and Domain List for a DNS Redirection entry.

Step 4 Click the Save button to save the settings. You can view the DNS Redirection entry in the DNS Redirection List .

Step 5 If you want to add another new DNS Redirection entry, please repeat the above steps.

Step 6 Select the Enable DNS Redirection check box to enable the DNS redirection, thus all the DNS redirection entries you have created will take effect immediately.

Once you have configured DNS redirection, all the DNS request packets received by the Device will be processed by the DNS redirection module first.

Note

Please make sure that the Enable DNS Redirection check box is selected; otherwise, the configured DNS redirection entries will not be in effect.


7.4 Plug and Play

This section describes the Advanced > Plug and Play page.

7.4.1 Introduction to Plug and Play

Plug and Play is a new feature of the FW4x-IPxx-U01 series security firewalls. If you enable the plug and play feature on the Device, the LAN users can access the Internet through the Device without changing any network parameters, no matter what IP address, subnet mask, default gateway and DNS server they might have. Obviously, this feature can greatly facilitate the users. As this feature is suitable for hotel networks, we also call it the hotel special version.

7.4.2 Enable Plug and Play

Figure 7-14 Enable Plug and Play

• Enable Plug and Play: It allows you to enable or disable plug and play. By default it is disabled. If you select the check box to enable this feature, no matter what IP address, subnet mask, default gateway and DNS server the LAN users might have, they are able to access the Internet through the Device.

• Save: Click it to save your settings.

Note

1. The LAN hosts' basic TCP/IP parameters (including IP address, subnet mask, gateway IP address, and DNS server IP address) should be set properly; otherwise, the plug and play feature cannot act on those hosts.

2. Once plug and play is enabled, the Device will automatically enable proxy ARP, enable DNS proxy, and disable IP spoofing defense.

3. Once plug and play is enabled, the Device will allow non-IP/MAC binding users to access the Device and the Internet.

4. Users with the same IP address cannot access the Internet at the same time. For example, if a LAN user with IP address 1.1.1.1 has connected to the Device to access the Internet, another user with IP address 1.1.1.1 cannot access the Internet through the Device.

5. A LAN user's IP address cannot be the same as the Device's LAN/WAN interface IP address, gateway IP address, or primary/secondary DNS server IP address; otherwise, the user cannot access the Device and the Internet.

7.5 SNMP

This section describes the Advanced > SNMP page.

SNMP (Simple Network Management Protocol) is an application layer protocol for collecting information about devices on the network. It is part of the TCP/IP protocol suite which enables network administrators to monitor, configure, and troubleshoot the network devices.

If you enable the SNMP agent on the Device, you can use SNMP manager software to monitor and manage the Device remotely. The Device supports SNMP v1/v2c and the Management Information Base II (MIB-II) groups.

To ensure security, the SNMP manager can read the information about the Device but can't change anything.


Figure 7-15 SNMP Settings

• Enable SNMP: It allows you to enable or disable the SNMP agent. If you want to enable the SNMP agent on the Device, please select this check box.

• Community Name: It specifies a community name to restrict access to the Device. The SNMP community name is used as a shared secret for SNMP managers to access the SNMP agent. The default value is blank. To ensure security, it is recommended that you change it to prevent intruders from using SNMP requests to get information from the Device.

• System Name: It specifies the host name of the Device.

• System Contact: It specifies the system contact information (such as a name or phone number).

• System Location: It specifies the physical location of the Device.

• Allowed SNMP NMSs: If you select this check box, you can specify up to three SNMP network management stations (i.e., hosts), and only they can access and manage the Device. Otherwise, any host can use SNMP to manage the Device.

• Host 1 IP Address ~ Host 3 IP Address: They specify the IP addresses of the hosts that can use SNMP to manage the Device.

• Save: Click it to save the SNMP settings.

Note

If you want to use an SNMP manager to manage the Device via the Internet, please select the SNMP check box in the System > Remote Admin page first.
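The Python script below is an added worked example for this section, not code from the Digicom manual or the Device's SNMP agent. It models the agent's read-only access decision from the settings on this page (community name as shared secret, optional list of up to three allowed NMS hosts) and audits a configuration for the weaknesses the page warns about: a blank or default community, no NMS restriction, and SNMP exposed through System > Remote Admin. The field names, the 12-character length threshold and the sample values are constructed.

```python
"""Added example: read-only SNMP access check and configuration audit modelled
on the Advanced > SNMP page. All sample values are constructed."""
from dataclasses import dataclass, field
from typing import List

WEAK_COMMUNITIES = {"", "public", "private"}   # blank default plus the usual guesses
MAX_ALLOWED_NMS = 3                            # Host 1 ~ Host 3 IP Address
MIN_COMMUNITY_LEN = 12                         # assumed local policy, not a Device limit


@dataclass
class SnmpSettings:
    enable_snmp: bool
    community_name: str
    restrict_nms: bool = False                            # "Allowed SNMP NMSs" check box
    allowed_nms: List[str] = field(default_factory=list)  # Host 1 ~ Host 3 IP addresses
    remote_admin_snmp: bool = False                       # System > Remote Admin > SNMP


def request_allowed(s: SnmpSettings, src_ip: str, community: str, op: str) -> bool:
    """Mirror the agent's decision: only reads are served, the community must
    match, and if the NMS list is on the sender must be one of the listed hosts."""
    if not s.enable_snmp or op != "get":          # the manager can read but not change anything
        return False
    if community != s.community_name:
        return False
    if s.restrict_nms and src_ip not in s.allowed_nms:
        return False
    return True


def audit_snmp(s: SnmpSettings) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    if not s.enable_snmp:
        return findings                            # agent off: nothing exposed
    if s.community_name.strip().lower() in WEAK_COMMUNITIES:
        findings.append("community name is blank or a well-known default; set a unique secret")
    elif len(s.community_name) < MIN_COMMUNITY_LEN:
        findings.append("community name is short; v1/v2c sends it in clear text, so make guessing hard")
    if not s.restrict_nms or not s.allowed_nms:
        findings.append("Allowed SNMP NMSs is off: any host can query the agent")
    if len(s.allowed_nms) > MAX_ALLOWED_NMS:
        findings.append(f"more than {MAX_ALLOWED_NMS} NMS hosts listed; the page accepts at most three")
    if s.remote_admin_snmp:
        findings.append("SNMP is selected in Remote Admin: the agent answers from the Internet")
    return findings


# Constructed "before" (the page's defaults plus Remote Admin) and "after" configurations.
WEAK = SnmpSettings(True, "", False, [], True)
HARDENED = SnmpSettings(True, "c0nstructed-Example-Secret", True, ["192.168.1.100"], False)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_snmp(cfg) or ["ok"])
```

Even the hardened settings still send the community in clear text on the wire, because the Device only offers SNMP v1/v2c; restricting the NMS list to one management host on the LAN is the strongest control this page provides.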


7.6 SYSLOG

This section describes the Advanced > SYSLOG page.

Syslog is a standard protocol used to capture a large amount of running information about network activity. The Device supports this protocol and can send its activity logs to an external syslog server. It helps the network administrator monitor, analyze and troubleshoot the Device and the network.

Figure 7-16 SYSLOG Settings

• Enable Syslog: It allows you to enable or disable the syslog feature. If you want to enable the syslog feature on the Device, please select this check box.

• Syslog Server IP address: It specifies the IP address or domain name of the syslog server to which the Device sends syslog messages.

• Syslog Server Port: It specifies the port used by the syslog server to communicate with the Device. In most cases, please leave the default value of 514, which is the well-known syslog port number.

• Syslog Message Facility: It specifies the facility level used for logging. The facilities are used to distinguish different classes of syslog messages. The available options are local0 through local7.

• Sending Interval: It specifies the time interval (in seconds) at which the Device periodically sends heartbeat messages. If you select a value other than zero, the Device will periodically send heartbeat messages to the syslog server to indicate that it is still alive. The default value is 0, which means the Device will not send heartbeat messages.

• Save: Click it to save the Syslog settings.


Note

So far, only the Xport HiPER Manager software can identify the heartbeat message.
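The Python script below is an added worked example for this section, not code from the Digicom manual, the Device or the Xport HiPER Manager software. It shows how the local0 through local7 facilities offered on this page combine with a severity into the PRI field of a BSD-style (RFC 3164) syslog line, parses such lines on the receiving side, and implements the check a syslog server can do with the Sending Interval: report a device whose heartbeats have stopped. The message text, the "heartbeat" tag and the sample lines are constructed; the manual does not document the Device's exact message format.

```python
"""Added example: RFC 3164 syslog lines with local0-local7 facilities and a
receiver-side heartbeat monitor. Message format and sample lines are constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}   # RFC 3164 codes for local0..local7
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAMES = {code: name for name, code in SEVERITY_CODES.items()}
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, ts: datetime) -> str:
    """PRI is facility * 8 + severity; the timestamp is 'Mmm dd hh:mm:ss' with a
    space-padded day, as RFC 3164 specifies."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_message(line: str, year: int) -> Optional[Dict]:
    """Split a line into its fields; returns None for anything that is not a
    well-formed RFC 3164 message (keep such lines, but do not trust them)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "severity": SEVERITY_NAMES[severity],
        "timestamp": datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S"),
        "host": m.group(3),
        "tag": m.group(4),
        "text": m.group(5),
    }


class HeartbeatMonitor:
    """Tracks the last heartbeat per device. With a Sending Interval of N seconds,
    a device is reported silent once more than `missed` intervals have passed."""

    def __init__(self, interval_seconds: int, missed: int = 2):
        self.window = timedelta(seconds=interval_seconds * missed)
        self.last_seen: Dict[str, datetime] = {}

    def observe(self, msg: Dict) -> None:
        if msg["tag"] == "heartbeat":          # constructed tag for the Device's keep-alive
            self.last_seen[msg["host"]] = msg["timestamp"]

    def silent_devices(self, now: datetime) -> List[str]:
        return sorted(h for h, t in self.last_seen.items() if now - t > self.window)


# Constructed sample feed: fw42 keeps sending, fw41 stops after 10:00:00.
SAMPLE_LINES = [
    "<134>Jun 10 10:00:00 fw42 heartbeat: alive",
    "<134>Jun 10 10:00:00 fw41 heartbeat: alive",
    "<132>Jun 10 10:02:10 fw42 firewall: blocked tcp 203.0.113.9:4444 -> 192.168.1.5:445",
    "<134>Jun 10 10:03:30 fw42 heartbeat: alive",
    "garbage that is not syslog",
]


def run_sample(now: datetime = datetime(2024, 6, 10, 10, 5, 0)) -> List[str]:
    """Feed the sample lines (Sending Interval 60 s) and list devices that fell silent."""
    mon = HeartbeatMonitor(interval_seconds=60, missed=2)
    for line in SAMPLE_LINES:
        msg = parse_message(line, now.year)
        if msg is not None:
            mon.observe(msg)
    return mon.silent_devices(now)


if __name__ == "__main__":
    print(build_message("local0", "info", "fw42", "heartbeat", "alive", datetime(2024, 6, 10, 10, 0)))
    print("silent:", run_sample())
```

Picking a distinct facility (for example local3) for the firewalls lets the syslog server file their messages separately from other local0 sources, and the heartbeat check turns the Sending Interval into an availability alarm even when the monitoring software cannot interpret the heartbeat itself.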


7.7 DDNS

This section describes the Advanced > DDNS page.

Note

To ensure that DDNS operates properly, you should synchronize the system clock in the System > Time page.

7.7.1 Introduction to DDNS

Dynamic Domain Name Service (DDNS) is a service used to map a domain name which never changes to a dynamic IP address which can change quite often. For example, if you have applied for a PPPoE connection with a dynamically assigned IP address from the ISP’s PPPoE server, you can use DDNS to allow the external hosts to access the Device by a constant domain name.

In order to use DDNS service, you should apply for a DDNS account from a DDNS service provider. Each DDNS provider offers its own specific network services. The DDNS service provider reserves the right to change, suspend or terminate your use of some or all network services at any time for any reason. The DDNS service providers supported by Digicom S.p.A. currently provide free DDNS services, but they may charge for the DDNS services in the future.

In this case, Digicom S.p.A. will notify you as soon as possible; if you refuse to pay for the services, you will no longer be able to use them. During the free phase, Digicom S.p.A. does not guarantee that the DDNS services can meet your requirements and will be uninterrupted, and Digicom S.p.A does not guarantee the timeliness, security and accuracy of the services.

So far, Digicom S.p.A. only supports www.no-ip.org on this device. Other DDNS service providers will be supported in the future.

7.7.2 DDNS Service Offered by no-ip.org

7.7.2.1 Apply for a DDNS Account from no-ip.org

To use the DDNS service offered by no-ip.org on the Device, you should log in to the no-ip.org website and apply for a DDNS account, which consists of a fully qualified domain name (FQDN) with the suffix no-ip.org.

Figure 7-17 Apply for a DDNS Account from no-ip.org

 Host Name: It specifies a unique host name for the Device. The suffix no-ip.org (or another selectable suffix) is appended to the host name to create a fully qualified domain name (FQDN) for the Device. For example, if the Device's host name is test, its FQDN is test.no-ip.org, and you can use test.no-ip.org to access the Device.

To avoid duplicate names, use the Device's globally unique serial number (SN) as the host name. The SN is the same as the Registration Number displayed in the Advanced > DDNS > DDNS Settings page.

7.7.2.2 DDNS Settings Related to no-ip.org

Figure 7-18 DDNS Settings Related to no-ip.org

 Interface: It specifies the WAN interface on which the DDNS service is applied. All the WAN interfaces support the DDNS feature, and you can use the DDNS service on each WAN interface at the same time.

 Registry Website: Click http://www.no-ip.org to go to the website and register a DDNS account for the Device.

 Service Provider: It specifies the DDNS service provider that offers services to the Device.

 Host Name: It specifies the host name of the Device. It should be the same as the host name that you entered when registering the DDNS account on the website of www.no-ip.org.

 Email name: It specifies the ID or e-mail name that you used when registering the DDNS account on the website of www.no-ip.org.

 Password: It specifies the password you used when registering the DDNS account on the website of www.no-ip.org.

 Save: Click it to save the DDNS settings.

7.8 Advanced DHCP

This section describes the Advanced > DHCP pages.

7.8.1 Introduction to DHCP

7.8.1.1 Overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network.

DHCP allows a host to be configured automatically, eliminating the need for intervention by a network administrator. DHCP is built on a client/server model, in which one or more DHCP servers assign network addresses and deliver other TCP/IP configuration parameters to DHCP clients (hosts). In addition, DHCP avoids allocating duplicate IP addresses and can reclaim IP addresses that are no longer used.

DHCP supports three mechanisms for IP address allocation:

Automatic allocation: The DHCP server assigns a permanent IP address to a client.

Dynamic allocation: The DHCP server assigns an IP address to a client for a limited period of time, called a lease. The client may extend its lease with subsequent requests, and it may release the address back to the server.

Manual allocation: A network administrator assigns an IP address to a client, and the DHCP server is used simply to convey the assigned address to the client.

A particular network will use one or more of these mechanisms, according to its requirements. Dynamic allocation is the only mechanism that allows automatic reuse of addresses that are no longer needed by the client.

7.8.1.2 DHCP Operation Process

The following describes the basic operation principle of DHCP, including the process of requesting for a new IP address, the process of renewing an IP address, and the process of releasing an IP address.

1. Requesting for an IP Address

Figure 7-19 Requesting for an IP Address from a DHCP Server

As shown in Figure 7-19, the process of a DHCP client requesting an IP address from a DHCP server falls into four basic phases:

 DHCP Discover: In this phase the DHCP client locates a DHCP server to ask for an IP address. The client broadcasts a DHCPDISCOVER message on its local physical subnet. Only DHCP servers respond to it.

 DHCP Offer: In this phase one or more DHCP servers offer an IP address to the DHCP client. Once it has received the DHCPDISCOVER message, a DHCP server sends a DHCPOFFER unicast message, which includes configuration parameters (such as an IP address, a domain name, a lease, and so on), to the DHCP client.

 DHCP Request: In this phase the DHCP client accepts an offer, chooses an IP address and requests the address. The client may receive DHCPOFFER messages from more than one DHCP server. It chooses one of them and broadcasts a DHCPREQUEST message to formally request the offered IP address. The DHCPREQUEST message also includes the server identifier option to indicate which server's offer it has selected, implicitly declining all other DHCPOFFER messages. Once they have received the DHCPREQUEST message, the servers that were not selected release the IP addresses they offered to the client.

If the configuration parameters sent to the client by the DHCP server are invalid (for example, a misconfiguration exists or the offered address is already in use), the client broadcasts a DHCPDECLINE message to the DHCP server to reject the assigned configuration.

 DHCP Acknowledgement: In this phase the DHCP server officially assigns the address to the client. Once it has received the DHCPREQUEST message, the selected DHCP server responds with a DHCPACK unicast message containing the IP address and other configuration parameters for the requesting client. The client then accepts and applies the IP address and the other configuration parameters.

2. Renewing an IP Address

 An IP address dynamically allocated by a DHCP server to a client has a lease. The DHCP server reclaims the IP address when the lease expires, so the client has to renew the lease in order to keep using the IP address. When one half of the lease time has elapsed, the client sends a DHCPREQUEST message to the DHCP server, asking to extend the lease for the given configuration. The DHCP server responds with a DHCPACK message if it agrees to renew the lease.

If the IP address requested in the DHCPREQUEST message is inconsistent with the allocated IP address whose lease has not yet expired, the DHCP server responds with a DHCPNAK message.

3. Releasing the IP Address

 When a DHCP client no longer needs the IP address assigned by a DHCP server, it relinquishes the address by sending a DHCPRELEASE message to the DHCP server. The address returns to the address pool for reassignment, and the DHCP client sets its own IP address to 0.0.0.0.

7.8.1.3 DHCP Message types

DHCP is built on a client/server model. A client and a server may exchange the types of messages listed in the table below.

Message Type    Description
DHCPDISCOVER    Broadcast by a client to find available DHCP servers.
DHCPOFFER       Response from a server to a DHCPDISCOVER message, offering an IP address and other parameters.
DHCPREQUEST     Message from a client to servers that does one of the following: requests the parameters offered by one of the servers, which implicitly declines all other offers; requests the extension of a lease on a particular address; or verifies a previously allocated address after a system or network change (a restart, for example).
DHCPDECLINE     Message from a client to a server indicating that the offered address is already in use.
DHCPACK         Acknowledgement message from a server to a client with configuration parameters, including the IP address.
DHCPNAK         Negative acknowledgement message from a server to a client, refusing the request for parameters. If the client receives a DHCPNAK message, it restarts the configuration process.
DHCPRELEASE     Message from a client to a server cancelling the remainder of a lease and relinquishing the network address.
DHCPINFORM      Message from a client that already has an IP address (manually configured, for example), requesting further network configuration parameters (the DNS server's IP address, for example) from the DHCP server. This message is rarely used.

Table 7-2 DHCP Message Types
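The four phases of 7.8.1.2 and the message types of Table 7-2, worked through in code. This is an added example, not part of the manual or of the Device's firmware: a minimal RFC 2131 encoder/decoder builds the Discover, Offer, Request and Ack messages in memory and shows the server identifier (option 54) and requested address (option 50) by which a client accepts one offer and implicitly declines the rest, plus the BROADCAST flag behind the client's Required Response Mode (7.8.3.1). The MAC address, IP addresses and transaction ID are constructed sample values.

```python
"""Minimal DHCPv4 encoder/decoder (RFC 2131 fixed header, RFC 2132 options) used to walk
through the Discover/Offer/Request/Ack exchange in memory."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # op, htype, hlen, hops, xid, secs, flags, ciaddr,
                                             # yiaddr, siaddr, giaddr, chaddr, sname, file
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
TYPE_CODES = {name: code for code, name in MSG_TYPES.items()}
FLAG_BROADCAST = 0x8000                      # client asks the server to reply by broadcast

def build(msg_type, xid, chaddr, options=(), op=BOOTREQUEST, yiaddr="0.0.0.0",
          giaddr="0.0.0.0", broadcast=False):
    """Serialize one DHCP message; `options` is a sequence of (code, value_bytes)."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, FLAG_BROADCAST if broadcast else 0,
                         b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, socket.inet_aton(giaddr),
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, TYPE_CODES[msg_type]])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])

def parse(packet):
    """Decode the fixed header and the options field into a dict."""
    f = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg = {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": socket.inet_ntoa(f[8]),
           "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]], "options": {}}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                   # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(OPT_MSG_TYPE, b"\0")[0])
    return msg

def option_ip(msg, code):
    return socket.inet_ntoa(msg["options"][code])

def option_u32(msg, code):
    return struct.unpack("!I", msg["options"][code])[0]

def wants_broadcast_reply(msg):
    """Required Response Mode = Broadcast sets the BROADCAST flag in the client's messages."""
    return bool(msg["flags"] & FLAG_BROADCAST)

def server_should_answer(request, my_ip):
    """A server acts on a DHCPREQUEST only if option 54 names it; any other server that
    made an offer sees a different identifier and releases the address it offered."""
    sid = request["options"].get(OPT_SERVER_ID)
    return sid is not None and socket.inet_ntoa(sid) == my_ip

def dora(client_mac, server_ip, offered_ip, lease_seconds=3600, broadcast_reply=False):
    """Run the four phases in memory and return the decoded messages in order."""
    xid = 0x3903F326                         # constructed transaction ID
    server_opts = [(OPT_SERVER_ID, socket.inet_aton(server_ip)),
                   (OPT_LEASE_TIME, struct.pack("!I", lease_seconds))]
    discover = build("DHCPDISCOVER", xid, client_mac, broadcast=broadcast_reply)
    offer = build("DHCPOFFER", xid, client_mac, server_opts, op=BOOTREPLY, yiaddr=offered_ip)
    # The client names the chosen server (54) and the offered address (50); this single
    # broadcast both accepts that offer and implicitly declines every other one.
    request = build("DHCPREQUEST", xid, client_mac,
                    [(OPT_SERVER_ID, socket.inet_aton(server_ip)),
                     (OPT_REQUESTED_IP, socket.inet_aton(offered_ip))], broadcast=broadcast_reply)
    ack = build("DHCPACK", xid, client_mac, server_opts, op=BOOTREPLY, yiaddr=offered_ip)
    return [parse(m) for m in (discover, offer, request, ack)]
```

`dora(bytes.fromhex("001122334455"), "192.168.1.1", "192.168.1.100")` returns the four decoded messages; `server_should_answer` run against the DHCPREQUEST is true only for 192.168.1.1, which is the check a second offering server performs before releasing its offer.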

7.8.2 Introduction to DHCP Feature of the Device

According to its settings, the Device can act as a DHCP client, DHCP server or DHCP relay agent. The following sections describe their characteristics respectively.

Note

If the DHCP client is enabled on a physical interface, neither the DHCP server nor the DHCP relay agent function can be enabled on it. If both the DHCP server and the DHCP relay agent function are enabled on an interface, the DHCP server has the higher priority. That is, the Device chooses the DHCP server to process DHCP messages first, and chooses the DHCP relay agent to process them only when the DHCP server is not able to process them.

7.8.2.1 Introduction to DHCP Server

When acting as a DHCP server, the Device can allocate network addresses and deliver other TCP/IP configuration parameters (such as gateway IP address, DNS server IP address, WINS server IP address, etc.) to the LAN hosts.

7.8.2.1.1 Address Conflict Detection Method

To prevent the DHCP server from assigning duplicate addresses that cause address conflicts, the DHCP server probes an address before assigning it to a DHCP client. The Device supports two address detection methods: ARP and ICMP. ARP is the system default method; it is always enabled and is not configurable. The ICMP method is configurable and can be disabled.

ARP Method: Before assigning an address to a DHCP client, the DHCP server first sends ARP packets to the address to detect whether it is already in use. If no response is received after two ARP packets have been sent in succession, the DHCP server assumes that the address is free. Otherwise, the DHCP server assumes that the address is in use and tries another address, and so on, until it finds a free address.

ICMP Method: Once an address has passed the ARP detection, it is detected further by ICMP. The DHCP server sends ICMP ECHO REQUEST packets (one packet at a time) to detect whether the address is already in use. If no response is received after the specified maximum number of ICMP packets has been sent in succession, the DHCP server assumes that the address is free and assigns it to the requesting client. Otherwise, the DHCP server assumes that the address is in use and tries another address, and so on, until it finds a free address and assigns it to the client.

The maximum number of ICMP ECHO REQUEST packets is specified by the parameter DHCP Ping Packets, and the maximum amount of time the DHCP server waits for a ping reply is specified by the parameter DHCP Ping Timeout (see section 7.8.4.1). By default, DHCP Ping Packets is 2 and DHCP Ping Timeout is 500 milliseconds. To disable ICMP detection, set DHCP Ping Packets to 0. Note that a host that answers neither ARP nor ICMP echo requests cannot be detected by either method.
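The two-stage probe described above, as an added example that is not part of the manual or of the Device's firmware. The ARP and ICMP transports are passed in as functions, because sending real probes needs raw sockets; the probe functions used in the usage note are constructed stand-ins. The limits for DHCP Ping Packets and DHCP Ping Timeout are taken from section 7.8.4.1.

```python
"""Two-stage address conflict probe (ARP first, then ICMP) as described in 7.8.2.1.1. The
probe transports are injected callables, because real ARP and ICMP need raw sockets;
the ones used in the usage note are constructed for the example."""
from typing import Callable, Iterable, Optional

ARP_PROBES = 2                     # fixed by the Device; not configurable

def icmp_settings_ok(ping_packets: int, ping_timeout_ms: int) -> bool:
    """Limits of the DHCP Server Global Settings page (7.8.4.1): 0..10 packets, 500..10000 ms."""
    return 0 <= ping_packets <= 10 and 500 <= ping_timeout_ms <= 10000

def address_in_use(ip: str, arp_probe: Callable[[str], bool], icmp_probe: Callable[[str, int], bool],
                   ping_packets: int = 2, ping_timeout_ms: int = 500) -> bool:
    """True as soon as any probe is answered. arp_probe(ip) and icmp_probe(ip, timeout_ms)
    return True when a reply arrives within the timeout."""
    if not icmp_settings_ok(ping_packets, ping_timeout_ms):
        raise ValueError("DHCP Ping Packets must be 0..10 and DHCP Ping Timeout 500..10000 ms")
    # ARP stage: two requests in succession, stopping at the first reply.
    if any(arp_probe(ip) for _ in range(ARP_PROBES)):
        return True
    # ICMP stage: runs only after ARP found nothing; ping_packets == 0 disables it entirely.
    return any(icmp_probe(ip, ping_timeout_ms) for _ in range(ping_packets))

def first_free(candidates: Iterable[str], **probe_kwargs) -> Optional[str]:
    """Walk a pool in order and return the first address no probe answers for, or None."""
    for ip in candidates:
        if not address_in_use(ip, **probe_kwargs):
            return ip
    return None
```

With constructed probes in which 192.168.1.100 answers ARP and 192.168.1.101 answers only the ICMP probe, `first_free` over 192.168.1.100 to .102 returns .102; with `ping_packets=0` the ICMP stage is skipped and .101 is handed out, which is what disabling ICMP detection trades away.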

7.8.2.1.2 DHCP Address Pool

The DHCP server assigns an IP address to a requesting client from a DHCP address pool, which also can be configured to provide other TCP/IP configuration parameters to the client, such as the DNS Server, gateway IP address, etc. The Device supports multiple address pools, so you can easily define multiple subnets in the LAN. Before configuring an address pool, you should specify a physical interface to which the pool is bound.

7.8.2.1.3 DHCP Manual Binding

Through DHCP manual binding, you can assign a static IP address to a specific host (client). You create a manual binding by mapping the IP address to the host's MAC address, Remote ID or Client ID. The DHCP server always assigns the specified IP address to the host that matches the manual binding. Note that these identifiers are supplied by the client or by a relay agent in the DHCP message and are not authenticated: a manual binding gives a host a predictable address, but it does not by itself prevent another host from presenting the same MAC address or Client ID.

7.8.2.1.4 IP Address Allocation Policy

A DHCP server assigns an IP address to a client based on parameters contained in the message sent by the client. The parameters are Remote ID, Circuit ID (i.e., Relay Agent ID), giaddr (i.e., Relay Agent IP), Client ID and MAC address, in descending order of priority. Only the highest-priority parameter is in effect when more than one parameter is configured. When a matching parameter is found, the DHCP server assigns an address according to the configuration related to that parameter. If no matching parameter is found, the DHCP server looks for an IP address that can be allocated according to the default sequence.

Specifically, a DHCP server assigns an IP address to a client according to the following sequence:

1) If the message sent by the client contains the Remote ID option, the DHCP server searches the DHCP manual binding list for an IP address bound to this Remote ID. If a match is found, the DHCP server assigns the specified IP address to the client. Otherwise, it goes to the next step.

2) If the message sent by the client contains the Circuit ID option, the DHCP server searches the DHCP address pool list for an address pool configured with this Circuit ID. If a match is found, the DHCP server assigns an IP address from this address pool. Otherwise, it goes to the next step.

3) If the giaddr field of the message sent by the client is not 0, the DHCP server searches the DHCP address pool list for an address pool configured with this giaddr. If a match is found, the DHCP server assigns an IP address from this address pool. Otherwise, it goes to the next step.

4) If the message sent by the client contains the Client ID option, the DHCP server searches the DHCP manual binding list for an IP address bound to this Client ID. If a match is found, the DHCP server assigns the specified IP address to the client. Otherwise, it goes to the next step.

5) The DHCP server searches the DHCP manual binding list for an IP address bound to the MAC address of the client. If a match is found, the DHCP server assigns the specified IP address to the client. Otherwise, it goes to the next step.

6) If the message sent by the client contains the Requested IP Address option, the DHCP server searches the DHCP address pool list for an address pool that contains this Requested IP Address. If a match is found and the Requested IP Address is free, the DHCP server assigns it to the client. If a match is found but the Requested IP Address is in use, the DHCP server tries to assign another address dynamically from that address pool. Otherwise, it goes to the next step.

7) If no matching parameter is found, the DHCP server looks for an assignable IP address in each DHCP address pool, in the chronological order of their creation. Once an assignable IP address is found, the DHCP server assigns it to the client.

8) If no IP address is assignable, the DHCP server reports an error.

Note

1) You may create a manual binding by mapping an IP address to a host's MAC address, Remote ID or Client ID. The priorities of Remote ID, Client ID and MAC Address are in descending order. Only the highest-priority parameter is in effect when two or three of them are configured. For example, if a manual binding maps an IP address to both a Remote ID and a Client ID, the Client ID has no effect. That is, if a message sent by a client contains a mismatched Remote ID option, the client cannot obtain the specified IP address even if the message contains a matching Client ID option.

2) If a message sent by a client contains a Circuit ID or giaddr option that matches a DHCP address pool, the DHCP server searches the manual bindings belonging to this address pool for a DHCP manual binding that contains the client's Client ID or MAC address. If a match is found, the DHCP server assigns the specified IP address to the client. Otherwise, the DHCP server checks whether a DHCP manual binding in this pool contains the Requested IP Address. If a match is found, the DHCP server assigns it to the client. Otherwise, the DHCP server tries to assign an address dynamically from this address pool.

3) If a message sent by a client matches a DHCP manual binding but does not match the Circuit ID or giaddr specified in the related DHCP address pool, the DHCP server assigns the address specified in the DHCP manual binding to the client.

4) If a message sent by a client matches a DHCP manual binding, but the specified IP address is already in use by another client (that is, an address conflict is detected), the DHCP server does not assign any IP address to the client.

5) If a message sent by a client contains a Circuit ID or giaddr option that matches a DHCP address pool, but there is no free address in this pool, the DHCP server assigns an address from another DHCP address pool to the client.
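The eight-step sequence and the five notes above, carried through in code, as an added example that is not part of the manual or of the Device's firmware. Pools, manual bindings and requests are small in-memory records; the conflict probe of 7.8.2.1.1 is passed in as a function so the example runs offline. One assumption the manual does not state is that addresses held by manual bindings are never handed out dynamically. The pool ranges, identifiers and MAC addresses in the usage note are constructed.

```python
"""Address selection of a DHCP server following the eight steps of 7.8.2.1.4 and the notes
that refine them. The address-in-use probe (ARP/ICMP detection, 7.8.2.1.1) is injected."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

ZERO = IPv4Address("0.0.0.0")

@dataclass
class Pool:
    name: str
    start: IPv4Address
    count: int
    circuit_id: Optional[bytes] = None        # pool keyed to a Relay Agent Circuit ID
    giaddr: Optional[IPv4Address] = None      # pool keyed to a Relay Agent IP
    leased: set = field(default_factory=set)

@dataclass
class Binding:
    pool: str
    ip: IPv4Address
    remote_id: Optional[bytes] = None
    client_id: Optional[bytes] = None
    mac: Optional[bytes] = None

    def key(self):
        # Note 1: Remote ID > Client ID > MAC; only the highest-priority configured field counts.
        for kind in ("remote_id", "client_id", "mac"):
            if getattr(self, kind) is not None:
                return kind, getattr(self, kind)

@dataclass
class Request:
    mac: bytes
    client_id: Optional[bytes] = None
    remote_id: Optional[bytes] = None
    circuit_id: Optional[bytes] = None
    giaddr: IPv4Address = ZERO
    requested_ip: Optional[IPv4Address] = None

class Server:
    def __init__(self, pools, bindings, in_use):
        self.pools, self.bindings, self.in_use = list(pools), list(bindings), in_use
        # Assumption: addresses held by manual bindings are never leased dynamically.
        self.reserved = {b.ip for b in self.bindings}

    def _bindings(self, req, kinds, pool=None):
        """(matched, ip) for the first binding matching one of `kinds`, optionally within `pool`."""
        for kind in kinds:
            value = getattr(req, kind)
            if value is None:
                continue
            for b in self.bindings:
                if b.key() == (kind, value) and (pool is None or b.pool == pool.name):
                    # Note 4: a bound address in use by another host yields no address at all.
                    return True, (None if self.in_use(b.ip) else b.ip)
        return False, None

    def _free(self, pool, ip):
        ok = (pool.start <= ip < pool.start + pool.count and ip not in pool.leased
              and ip not in self.reserved and not self.in_use(ip))
        if ok:
            pool.leased.add(ip)
        return ok

    def _dynamic(self, pool):
        return next((pool.start + i for i in range(pool.count) if self._free(pool, pool.start + i)), None)

    def allocate(self, req):
        """Return the IPv4Address assigned to `req`, or None when nothing is assignable (step 8)."""
        hit, ip = self._bindings(req, ("remote_id",))                              # step 1
        if hit:
            return ip
        pool = None
        if req.circuit_id is not None:                                              # step 2
            pool = next((p for p in self.pools if p.circuit_id == req.circuit_id), None)
        if pool is None and req.giaddr != ZERO:                                     # step 3
            pool = next((p for p in self.pools if p.giaddr == req.giaddr), None)
        if pool is not None:                                                        # Note 2
            hit, ip = self._bindings(req, ("client_id", "mac"), pool)
            if hit:
                return ip
            b = next((x for x in self.bindings if x.pool == pool.name and x.ip == req.requested_ip), None)
            if b:
                return None if self.in_use(b.ip) else b.ip
            ip = self._dynamic(pool)
            if ip is None:                                                          # Note 5
                ip = next((a for a in map(self._dynamic, [p for p in self.pools if p is not pool])
                           if a is not None), None)
            return ip
        hit, ip = self._bindings(req, ("client_id", "mac"))                        # steps 4-5
        if hit:
            return ip
        if req.requested_ip is not None:                                            # step 6
            pool = next((p for p in self.pools if p.start <= req.requested_ip < p.start + p.count), None)
            if pool is not None:
                if self._free(pool, req.requested_ip):
                    return req.requested_ip
                ip = self._dynamic(pool)
                if ip is not None:
                    return ip
        return next((a for a in map(self._dynamic, self.pools) if a is not None), None)  # steps 7-8
```

One `Server` with a LAN pool and a relay-keyed branch pool shows the notes in action: a binding configured with both a Remote ID and a Client ID ignores the Client ID (Note 1), so a request carrying only that Client ID falls through to dynamic allocation; a bound address that another host answers for yields no address (Note 4); and a relayed request whose giaddr pool is exhausted is served from the next pool (Note 5).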

7.8.2.2 Introduction to DHCP Client

When acting as a DHCP client, the Device can dynamically obtain an IP address and other TCP/IP configuration parameters from a DHCP server. All of the physical interfaces support DHCP client feature, and you can enable DHCP client on each interface at the same time.

To meet different needs, the DHCP client can use a client ID to identify itself, send DHCPREQUEST messages in broadcast or unicast mode, and require the DHCP server to respond in broadcast or unicast mode.

The Device also supports the AutoIP feature: if the DHCP client cannot obtain an IP address via DHCP, it automatically assigns itself a link-local address in the range 169.254.1.0 through 169.254.254.255 (within 169.254.0.0/16), after verifying that the address is not used by another host.

7.8.2.3 Introduction to DHCP Relay Agent

When acting as a DHCP relay agent, the Device forwards DHCP messages between DHCP servers and clients. DHCP relay agents are used to forward requests and replies between clients and servers that are not on the same physical subnet, so that DHCP clients on multiple physical subnets can use the same DHCP server. Using a DHCP relay agent saves cost and allows centralized management.

The following describes the basic operation principle of a DHCP relay agent.

1. When starting, a DHCP client begins the DHCP initialization procedure, during which it broadcasts a DHCPDISCOVER message on its local physical subnet.

2. If a DHCP server resides on the local subnet and is configured and operating correctly, the DHCP client obtains configuration parameters such as an IP address directly from it. In this case, no DHCP relay agent is required.

3. If no DHCP server resides on the local subnet, a DHCP relay agent on the local subnet must receive the message and send a new DHCP message (carrying the relay agent's own address in the giaddr field) to the specified DHCP server on another subnet.

4. After receiving the DHCPDISCOVER message, the DHCP server unicasts a DHCPOFFER message, which includes an IP address and other configuration parameters, to the DHCP relay agent. After receiving the DHCPOFFER message, the DHCP relay agent processes it and forwards it to the requesting client.

5. The remaining messages of the configuration process (DHCPREQUEST, DHCPACK and so on) are exchanged through the relay agent in the same way.

The Device provides the Option and Policy parameters to specify the forwarding policy for DHCP messages. When the DHCP relay agent receives a client-originated DHCP message, it processes the message according to these two parameters, as described in the following table:

Option     Policy    Message from another relay agent (already contains option 82)       Message directly from a client (no option 82)
insert     drop      Drop the message.                                                   Insert option 82, then forward.
insert     keep      Retain the existing option 82, then forward.                        Insert option 82, then forward.
insert     replace   Replace (overwrite) the existing option 82 with its own, then forward.   Insert option 82, then forward.
disabled   drop      Drop the message.                                                   Forward directly.
disabled   keep      Forward directly.                                                   Forward directly.
disabled   replace   Forward directly.                                                   Forward directly.

Table 7-3 DHCP Relay Agent Forwarding Policies

The following explains the meanings of the parameters in the above table.

Option 82: It indicates the relay agent information option.

Option: It is used to enable or disable the insertion of option 82 before the Device forwards a client-originated DHCP message that does not contain option 82. By default (disabled), the relay agent forwards the message directly. If you want option 82 inserted into the message before it is forwarded, select insert. Note that when Option is set to disabled, the DHCP relay agent either drops the message or forwards it directly, according to Policy.

Policy: It configures what the relay agent does with a message that already contains option 82, that is, a message received from another relay agent that has already added relay information. By default (keep), the relay agent retains the existing option 82 in the message and forwards it. If this behavior is not suitable for your network, set Policy to drop or replace. Because a client on the local subnet could itself send a message that already carries a forged option 82, use drop or replace rather than keep on interfaces that face clients rather than trusted relay agents, if the DHCP server relies on the Circuit ID or Remote ID for address selection.
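Table 7-3 and the Option and Policy parameters, as an added example that is not part of the manual or of the Device's firmware. It encodes option 82 with the RFC 3046 Circuit ID (1) and Remote ID (2) sub-options, applies the six Option/Policy combinations to a client-originated message, and also fills giaddr and increments the hop count as RFC 2131 requires of a relay agent. The message layout (a dict with giaddr, hops and an options dict) and the interface and site names are constructed for the example.

```python
"""Relay-agent handling of a client-originated DHCP message under the Option and Policy
settings of Table 7-3. A message is a dict with 'giaddr', 'hops' and an 'options' dict
{code: value_bytes}; option 82 carries RFC 3046 sub-options."""
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

def relay_agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 as a sequence of [sub-option code, length, data] items."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)

def parse_relay_agent_info(value: bytes) -> dict:
    """Decode option 82 sub-options into {code: data}."""
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def relay(msg: dict, option: str, policy: str, own_info: bytes, relay_ip: str):
    """Apply Table 7-3 to a client-originated message.

    Returns ('drop', None) or ('forward', new_msg). Besides the option 82 handling, the
    relay writes its own interface address into giaddr when the client sent 0.0.0.0 (so the
    server knows which subnet to answer for) and increments the hop count."""
    if option not in ("insert", "disabled") or policy not in ("drop", "keep", "replace"):
        raise ValueError("Option must be insert/disabled, Policy must be drop/keep/replace")
    opts = dict(msg["options"])
    if OPT_RELAY_AGENT_INFO in opts:                  # arrived via another relay agent
        if policy == "drop":
            return "drop", None
        if policy == "replace" and option == "insert":
            opts[OPT_RELAY_AGENT_INFO] = own_info     # overwrite with our own circuit/remote ID
        # 'keep', or Option disabled: leave the existing option 82 untouched
    elif option == "insert":                          # directly from a client
        opts[OPT_RELAY_AGENT_INFO] = own_info
    out = dict(msg, options=opts, hops=msg.get("hops", 0) + 1)
    if msg.get("giaddr", "0.0.0.0") == "0.0.0.0":
        out["giaddr"] = relay_ip
    return "forward", out
```

The input message is never mutated, so the same client message can be run through every combination; with Option set to disabled the relay never adds or replaces option 82, and Policy drop discards any message that already carries one, whichever Option is set.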

7.8.2.4 Introduction to Raw Option

DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items stored in the options field of the DHCP message. The data items themselves are also called options. For detailed information about DHCP options, see RFC 2132, with updates in RFC 3942.

Most DHCP options are predefined in RFCs, although new options appear as DHCP develops. The Device provides the Raw Option feature to support both the predefined options and new ones. Raw options can be applied to both the DHCP server and the DHCP client.

7.8.3 DHCP Client

Go to the Advanced > DHCP page, and then select the DHCP Client radio button (see the following figure) to go to the DHCP Client page, which includes the DHCP Client List and DHCP Client Settings subpages.

Figure 7-20 Select DHCP Client

7.8.3.1 DHCP Client Settings

Figure 7-21 DHCP Client Settings

 Interface: It specifies a physical interface on which the DHCP client is applied.

 Enable DHCP Client: It allows you to enable or disable DHCP client. If you want to enable DHCP client on the specified interface, please select this check box.

 Enable PnP: It allows you to enable or disable PnP. If you select this check box to enable PnP, the DHCP client can obtain the IP address and subnet mask as well as other TCP/IP configuration parameters such as the default gateway address and DNS server addresses. Otherwise, the DHCP client obtains only the IP address and subnet mask.

 Request Mode: It specifies the mode in which the DHCP client sends DHCPREQUEST messages. The available options are Unicast and Broadcast.

Unicast: The DHCP client unicasts the DHCPREQUEST messages.

Broadcast: The DHCP client broadcasts the DHCPREQUEST messages.

 Required Response Mode: It specifies the mode in which the DHCP server sends its response messages. The available options are Unicast and Broadcast.

Unicast: The DHCP client requires the DHCP server to respond in unicast mode.

Broadcast: The DHCP client requires the DHCP server to respond in broadcast mode.

 Client ID: It specifies the client identifier. There are three types of formats.

● hex: A hexadecimal string, 1 to 25 characters long.

● ascii: An ASCII character string, 1 to 27 characters long.

● ip: An IP address.

 Allow AutoIP: It allows or denies the DHCP client the use of AutoIP. With AutoIP, if the DHCP client cannot obtain an IP address via DHCP, it automatically assigns itself a link-local address in the range 169.254.1.0 through 169.254.254.255 (within 169.254.0.0/16), after verifying that the address is not used by another host.

 Save: Click it to save the DHCP client settings.

7.8.3.2 DHCP Client List

Figure 7-22 DHCP Client List

 Configure DHCP Client: If you want to apply DHCP client function on a physical interface, select the DHCP Client Settings tab to go to the setup page, and then select the interface and configure other parameters, lastly click the Save button.


 View DHCP Client Information: When you have configured DHCP client on one or more physical interfaces, you can view the related configuration and status information in the DHCP Client List .

 Edit DHCP Client: If you want to modify the DHCP client applied on a physical interface, click its Edit hyperlink; the related information is displayed in the setup page. Modify it, and then click the Save button.

 Release: If you want to release the current IP address of the DHCP client applied on a physical interface, select its leftmost check box, and then click the Release button.

7.8.3.3 How to Configure DHCP Client

If you want to configure DHCP client, do the following:

Step 1 Go to the Advanced > DHCP page, select the DHCP Client radio button and then select the DHCP Client Settings tab to go to the setup page.

Step 2 From the Interface drop-down list, select a physical interface on which the DHCP client will be applied.

Step 3 Select the Enable DHCP Client check box to enable DHCP client on the specified interface.

Step 4 In most cases, select the Enable PnP check box to enable PnP for the client.

Step 5 Specify the Request Mode and Required Response Mode if required.

Step 6 Specify the Client ID if required.

Step 7 In most cases, select the Allow AutoIP check box to allow the DHCP client to use AutoIP.

Step 8 Click the Save button to save the settings.

You have now finished configuring the DHCP client on the specified interface, and you can view the related configuration and status in the DHCP Client List.

Note

If you want to disable the DHCP client on a physical interface, click its Edit hyperlink in the DHCP Client List, clear the Enable DHCP Client check box, and then click the Save button.

7.8.4 DHCP Server

Go to the Advanced > DHCP page, and then select the DHCP Server radio button (see the following figure) to go to the DHCP Server page, which includes the Global Settings, Manual Binding List, Manual Binding Settings, Address Pool List and Address Pool Settings subpages.

Figure 7-23 Select DHCP Server

7.8.4.1 DHCP Server Global Settings

Figure 7-24 DHCP Server Global Settings

 Enable DHCP Server: It allows you to enable or disable DHCP server. If you want to enable DHCP server on the Device, please select this check box.

 DHCP Ping Packets: It specifies the maximum number of ping packets used by the ICMP address conflict detection method. It should be between 0 and 10, and the default value is 2. If you want to turn off the ICMP detection feature, set its value to 0.

 DHCP Ping Timeout: It specifies the amount of time (in milliseconds) that the DHCP server waits before timing out a ping packet. It should be between 500 and 10000 milliseconds, and the default value is 500 milliseconds.

 Save: Click it to save the DHCP server global settings.

Note

For more information about the ICMP address conflict detection method, refer to section 7.8.2.1.1 Address Conflict Detection Method.

7.8.4.2 DHCP Manual Binding List

Figure 7-25 DHCP Manual Binding List

 Add a DHCP Manual Binding: If you want to add a new DHCP manual binding, click the New button or select the Manual Binding Settings tab to go to the setup page, and then configure it, lastly click the Save button.

 View DHCP Manual Binding(s): When you have configured some DHCP manual bindings, you can view them in the Manual Binding List .

 Edit DHCP Manual Binding: If you want to modify a configured DHCP manual binding, click its Edit hyperlink, the related information will be displayed in the setup page. Then modify it, and click the Save button.

 Delete DHCP Manual Binding(s): If you want to delete one or more DHCP manual bindings, select the leftmost check boxes of them, and then click the Delete button.

Note

The IP/MAC bindings created in the Advanced > IP/MAC Binding page will also display in the Manual Binding List , because they are DHCP manual bindings too.


7.8.4.3 DHCP Manual Binding Settings

Through DHCP manual binding, you can assign a static IP address to a specific host (client). You create a manual binding by mapping the IP address to the host's MAC address, Remote ID or Client ID. The priorities of Remote ID, Client ID and MAC Address are in descending order; only the highest-priority parameter is in effect when two or three of them are configured. The DHCP server always assigns the specified IP address to the host that matches the manual binding.

Figure 7-26 DHCP Manual Binding Settings

 Bind to: It specifies a DHCP address pool to which the DHCP manual binding belongs.

 User Name: It specifies a unique name for the DHCP manual binding, used to identify the host that is to be assigned a static IP address. It should be between 1 and 31 characters long.

 IP Address: It specifies the IP address for the DHCP manual binding. It must be a valid IP address of the related address pool. The requesting host that matches the manual binding will be assigned this specified address.

 MAC Address: It specifies the MAC address of the DHCP client.

 Client ID: It specifies the Client ID of the DHCP client. There are three formats.

● hex: A hexadecimal string, 1 to 25 characters long.

● ascii: An ASCII character string, 1 to 27 characters long.

● ip: An IP address.

 Remote ID: It specifies the Remote ID of the DHCP client. There are three formats.

● hex: A hexadecimal string, 1 to 25 characters long.

● ascii: An ASCII character string, 1 to 27 characters long.

● ip: An IP address.

 Host Name: It specifies the local host name of the DHCP client. It should be between 1 and 31 characters long.

 Save: Click it to save the DHCP manual binding settings.

 Show ARP Table: Click it to display the dynamic ARP entries learned on the LAN interface. Note: only dynamic ARP entries are displayed, not static ones (that is, IP and MAC address pairs that have been bound manually).

7.8.4.4 How to Add the DHCP Manual Bindings

If you want to add one or more DHCP manual bindings, do the following:

Step 1 Go to the Advanced > DHCP page, and select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Manual Binding Settings tab to go to the setup page.

Step 3 From the Bind to drop-down list, select the DHCP address pool to which this DHCP manual binding belongs.

Step 4 Specify the User Name , IP Address and MAC Address as required.

Step 5 Specify the Client ID , Remote ID or Host Name if needed.

Step 6 Click the Save button to save the settings. You can view the DHCP manual binding in the Manual Binding List .

Step 7 If you want to add another new DHCP manual binding, please repeat the above steps.

Note

If you want to delete one or more DHCP manual bindings, select the leftmost check boxes of them in the Manual Binding List , and then click the Delete button.

7.8.4.5 DHCP Address Pool List

Figure 7-27 DHCP Address Pool List

 Add a DHCP Address Pool: If you want to add a new DHCP address pool, select the Address Pool Settings tab, configure it, and then click the Save button.

 View DHCP Address Pool(s): When you have configured some DHCP address pools, you can view them in the Address Pool List.

 Edit DHCP Address Pool: If you want to modify a configured DHCP address pool, click its Edit hyperlink; the related information is displayed in the setup page. Modify it, and then click the Save button.

 Delete DHCP Address Pool(s): If you want to delete one or more DHCP address pools, select their leftmost check boxes, and then click the Delete button.

7.8.4.6 DHCP Address Pool Settings

The DHCP server assigns an IP address to a requesting client from a DHCP address pool, which also can be configured to provide other TCP/IP configuration parameters to the client, such as the Gateway IP address, DNS Server and WINS Server addresses, lease time, etc. The Device supports multiple address pools, so you can easily define multiple subnets in LAN.

Before configuring a DHCP address pool, you should specify a physical interface to which the pool is bound.

Figure 7-28 DHCP Address Pool Settings

■ Interface: It specifies a physical interface to which the DHCP address pool is bound.

■ Pool Name: It specifies a unique name for the DHCP address pool. It should be between 1 and 11 characters long.

■ Start IP Address: It specifies the starting IP address assigned from the DHCP address pool.

■ Number of Addresses: It specifies the maximum number of IP addresses that can be assigned from the DHCP address pool. The addresses can be assigned dynamically or manually by the DHCP server.

■ Subnet Mask: It specifies the subnet mask of the IP addresses assigned from the DHCP address pool.

■ Default Gateway: It specifies the IP address of the default gateway for a DHCP client.

■ Lease Time: It specifies the length of time (in seconds) during which each IP address assigned by a DHCP server is valid. If the lease expires, the client is automatically assigned a new dynamic IP address. Before the lease expires, the client typically needs to renew its address lease assignment with the server. The duration for a lease determines when it will expire and how often the client needs to renew it with the server. The default value is 3600 seconds.

■ Primary DNS Server: It specifies the IP address of the primary DNS server that is available to a DHCP client.

■ Secondary DNS Server: It specifies the IP address of the secondary DNS server that is available to a DHCP client.

■ Primary WINS Server: It specifies the IP address of the primary NetBIOS WINS server that is available to a Microsoft DHCP client.

■ Secondary WINS Server: It specifies the IP address of the secondary NetBIOS WINS server that is available to a Microsoft DHCP client.

■ Domain Name: It specifies the DNS domain name for a DHCP client. This is usually an organization name followed by a period and an extension that indicates the type of organization, such as digicom.it. This domain name is appended to the local host name to create the fully qualified domain name (FQDN) for the host. When querying for a host name, the system will append this domain name to the host name for name resolution, thus the DHCP client host who has a host name can access the network.

■ DHCP Relay IP: It specifies the relay agent IP address for the DHCP address pool. It can be a parameter used by the address allocation policy. Refer to section 7.7.2.1.4 IP Address Allocation Policy for details.

■ Enable AutoIP: It allows you to enable or disable AutoIP. Select it to permit the address obtained by a DHCP client through AutoIP to coexist with the address assigned by a DHCP server.

■ Response Mode: It specifies the mode in which the DHCP server sends the DHCP response messages to the client. The available options are Client Determine , Unicast and Broadcast .

Client Determine: It indicates that the DHCP server sends the DHCP response messages in the mode required by the client.

Unicast: It indicates that the DHCP server unicasts the DHCP response messages to the client.

Broadcast: It indicates that the DHCP server broadcasts the DHCP response messages to the client.

■ NetBIOS Node Type: It specifies the NetBIOS node type for Microsoft DHCP clients. There are four NetBIOS node types, and each node type resolves NetBIOS names differently.

B-Node: It indicates a broadcast node that uses broadcasts for name resolution.

P-Node: It indicates a peer-to-peer node that uses a WINS server to resolve NetBIOS names. P-Node does not use broadcasts but queries the WINS server directly.

M-Node: It indicates a mixed node that is a combination of a B-Node and P-Node. By default, an M-Node functions as a B-Node first. If the broadcast name query is unsuccessful, it uses a WINS server.

H-Node: It indicates a hybrid node that is a combination of a P-Node and B-Node.

By default, an H-Node functions as a P-Node firstly. If the unicast name query to the WINS server is unsuccessful, it uses broadcasts.

■ Relay Agent ID: It specifies the relay agent identifier for the DHCP address pool. It can be a parameter used by the address allocation policy. Refer to section 7.7.2.1.4 IP Address Allocation Policy for details. There are three types of formats.

● hex: It is used to specify a hexadecimal string. It should be between 1 and 25 characters long.

● ascii: It is used to specify an ASCII character string. It should be between 1 and 27 characters long.

● ip: It is used to specify an IP address.

■ Save: Click it to save the DHCP address pool settings.

Note

The Device provides a default address pool whose name is pool1 . The pool1 is editable, but can’t be deleted. Also, you can configure and view it in the Basic > DHCP & DNS page.

7.8.4.7 How to Add the DHCP Address Pools

If you want to add one or more DHCP address pools, do the following:

Step 1 Go to the Advanced > DHCP page, and select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Address Pool Settings tab to go to the setup page.

Step 3 From the Interface drop-down list, select a physical interface to which the DHCP address pool is bound.

Step 4 Specify the Pool Name , Start IP Address , Number of Addresses and Primary DNS Server .

Step 5 Specify the Subnet Mask , Default Gateway and Lease Time as required.

Step 6 Specify the Secondary DNS Server , Primary WINS Server and Secondary WINS Server if needed.

Step 7 Specify the Domain Name , DHCP Relay IP and Relay Agent ID if needed.

Step 8 In most cases, select the Enable AutoIP check box.

Step 9 Specify the Response Mode and NetBIOS Node Type if needed.

Step 10 Click the Save button to save the settings. You can view the DHCP address pool in the Address Pool List .

Step 11 If you want to add another new DHCP address pool, please repeat the above steps.

Note

If you want to delete one or more DHCP address pools except the Pool1 , select the leftmost check boxes of them in the Address Pool List , and then click the Delete button.


7.8.5 DHCP Relay Agent

Go to the Advanced > DHCP page firstly, and then select the DHCP Relay Agent radio button (see the following figure) to go to the DHCP Relay Agent page, which includes the DHCP Relay Agent List and Relay Agent Settings subpages.

Figure 7-29 Select DHCP Relay Agent

7.8.5.1 DHCP Relay Agent Settings

Figure 7-30 DHCP Relay Agent Settings

■ Interface: It specifies the physical interface on which the DHCP relay agent is applied.

■ Enable DHCP Relay Agent: It allows you to enable or disable the DHCP relay agent. If you want to enable the DHCP relay agent on the specified interface, please select this check box.

■ DHCP Server 1 ~ 3: It specifies one or more DHCP servers for the relay agent. You can specify up to three DHCP servers for the relay agent. The DHCP relay agent will unicast the DHCP request messages to all the specified servers respectively.

■ Option: It specifies whether the DHCP relay agent inserts option 82 (DHCP relay agent information option) into a client-originated DHCP message before forwarding it to a DHCP server or not.

■ Policy: It specifies the reforwarding policy for the DHCP relay agent, that is, what the relay agent should do if a message already contains option 82.

■ Max. Packet Size: It specifies the maximum size of packet (in bytes) that the DHCP relay agent can forward. The default is 1024 bytes.

■ Relay Agent ID: It specifies the relay agent identifier. There are three types of formats:

● hex: It is used to specify a hexadecimal string. It should be between 1 and 25 characters long.

● ascii: It is used to specify an ASCII character string. It should be between 1 and 27 characters long.

● ip: It is used to specify an IP address.

■ Response Mode: It specifies the mode in which the DHCP relay agent sends the DHCP response messages to the client. The available options are Client Determine , Unicast and Broadcast .

Client Determine: It indicates that the DHCP relay agent sends the DHCP response messages in the mode required by the client.

Unicast: It indicates that the DHCP relay agent unicasts the DHCP response messages to the client.

Broadcast: It indicates that the DHCP relay agent broadcasts the DHCP response messages to the client.

■ Save: Click it to save the DHCP relay agent settings.

Note

For more information about Option and Policy , please refer to section 7.7.2.3 Introduction to DHCP Relay Agent .

7.8.5.2 DHCP Relay Agent List

Figure 7-31 DHCP Relay Agent List

■ Configure DHCP Relay Agent: If you want to apply the DHCP relay agent function on a physical interface, select the Relay Agent Settings tab to go to the setup page, and then select the interface and configure other parameters, lastly click the Save button.

■ View DHCP Relay Agent Information: When you have configured the DHCP relay agent on one or more physical interfaces, you can view the related information in the DHCP Relay Agent List .

■ Edit DHCP Relay Agent: If you want to modify the DHCP relay agent on a physical interface, click its Edit hyperlink, the related information will be displayed in the setup page. Then modify it, and click the Save button.

7.8.5.3 How to Configure DHCP Relay Agent

If you want to configure DHCP relay agent, do the following:

Step 1 Go to the Advanced > DHCP page, and select the DHCP Relay Agent radio button to go to the DHCP Relay Agent page.

Step 2 Select the Relay Agent Settings tab to go to the setup page.

Step 3 From the Interface drop-down list, select a physical interface on which the DHCP relay agent is applied.

Step 5 Specify the DHCP Server 1 , and specify DHCP Server 2 and DHCP Server 3 if needed.

Step 6 Specify the Option and Policy if needed.

Step 7 Specify the Max. Packet Size , Relay Agent ID and Policy if needed.

Step 8 Click the Save button to save the settings.

Till now you have finished configuring the DHCP relay agent which is applied on the specified interface, and then you can view the related configuration and status information in the DHCP Relay Agent List .

Note

If you want to disable the DHCP relay agent on a physical interface, please click its Edit hyperlink in the DHCP Relay Agent List , and then unselect the Enable DHCP Relay Agent check box, lastly click the Save button.

7.8.6 Raw Option

Go to the Advanced > DHCP page firstly, and then select the Raw Option radio button (see the following figure) to go to the Raw Option page, which includes the Raw Option List and Raw Option Settings subpages.

Figure 7-32 Select Raw Option

7.8.6.1 Raw Option Settings

In this page, you can easily create DHCP raw options. Once a raw option is defined, the DHCP server or client on the specified interface will add it into the options field of the DHCP messages before sending them.

Figure 7-33 Raw Option Settings

■ Option Name: It specifies a unique name of the raw option. It should be between 1 and 31 characters long.

■ Option Code: It specifies the code of the raw option. It is used to uniquely identify the option type. It should be a number between 1 and 254.

■ Option Value: It specifies the associated values of the raw option. There are three types of formats.

● hex: It is used to specify a hexadecimal string. It should be between 1 and 25 characters long.

● ascii: It is used to specify an ASCII character string. It should be between 1 and 27 characters long.

● ip: It is used to specify an IP address.

■ Interface: It specifies the physical interface on which the DHCP raw option is applied.

■ Save: Click it to save the DHCP raw option settings.

Note

For detailed information about DHCP options, see RFC 2132, with updates in RFC 3942.

7.8.6.2 Raw Option List

Figure 7-34 Raw Option List

■ Add a Raw Option: If you want to add a new DHCP raw option, click the New button or select the Raw Option Settings tab to go to the setup page, and then configure it, lastly click the Save button.

■ View Raw Option(s): When you have configured some DHCP raw options, you can view them in the Raw Option List .

■ Edit a Raw Option: If you want to modify a configured DHCP raw option, click its Edit hyperlink, the related information will be displayed in the setup page. Then modify it, and click the Save button.

■ Delete Raw Option(s): If you want to delete one or more DHCP raw options, select the leftmost check boxes of them, and then click the Delete button.

7.8.6.3 How to Add the DHCP Raw Options

If you want to add one or more DHCP raw options, do the following:

Step 1 Go to the Advanced > DHCP page, and select the Raw Option radio button to go to the Raw Option page.

Step 2 Select the Raw Option Settings tab or click the New button to go to the setup page.

Step 3 Specify the Option Name , Option Code and Option Value .

Step 4 From the Interface drop-down list, select a physical interface on which the DHCP raw option is applied.

Step 5 Click the Save button to save the settings. You can view the DHCP raw option in the Raw Option List .

Step 6 If you want to add another new DHCP raw option, please repeat the above steps.

Note

If you want to delete one or more DHCP raw options, select the leftmost check boxes of them in the Raw Option List , and then click the Delete button.

7.8.7 Configuration Examples for DHCP

7.8.7.1 Configuration Example for the DHCP Server

There are two typical types of DHCP network topologies:

The DHCP server(s) and DHCP clients are on the same subnet so they can directly exchange DHCP messages.

The DHCP server(s) and DHCP clients are not on the same subnet so they need communicate via a DHCP relay agent.

The DHCP server configuration for these two types is the same.

1. Network Requirements

In this example, the Device acts as a DHCP server to dynamically assign the IP addresses to the clients that reside on the same subnet. The Device’s LAN interface IP address is 192.168.20.1/24.

We need to create two address pools (pool1 and pool2). The pool1’s address range is from 192.168.20.2/24 to 192.168.20.101/24, primary and secondary DNS servers IP addresses are 202.96.209.5 and 202.96.199.133, domain name is digicom.it and lease time is 3600 seconds. And it uses Device’s LAN IP address (that is, 192.168.20.1/24) as the default gateway address. Leave the default values for the other parameters.

The pool2’s address range is from 192.168.20.102/24 to 192.168.20.254/24 and lease time is 7200 seconds. The pool2’s primary and secondary DNS servers, domain name, and default gateway IP address have the same values as pool1’s.

Besides, we need to create a DHCP manual binding to the host that needs a static IP address. The host’s MAC address is 000795a81c3d, client ID is 01000795a81c3d which is formed by concatenating the media type and MAC address, and host name is test. The host wants to use 192.168.20.10/24 as its IP address and binding1 as its user name. It is obvious that the host belongs to the pool1 .

2. Network Topology

Figure 7-35 Network Topology where DHCP Server and Clients on Same Subnet

3. Configuration Procedure

1 ) Configuring DHCP Server Global Parameters

Step 1 Go to the Advanced > DHCP page, and then select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Global Settings tab to go to the setup page.

Step 3 Select the Enable DHCP Server check box, see the following figure.


Figure 7-36 DHCP Server Global Settings - Example

Step 4 Click the Save button to save the settings.

Till now you have finished configuring DHCP server global settings.

2 ) Configuring the DHCP Address Pool - pool1

As mentioned earlier, the pool1 is the default address pool provided by the Device. And it is editable, but can’t be deleted. So you could modify the pool1 according to your requirements. The steps are as follows:

Step 1 Go to the Advanced > DHCP page, and then select the DHCP Server radio button to go to DHCP Server page.

Step 2 Select the Address Pool List tab to go to the related subpage, and then click the Edit hyperlink of the pool1 , the related information will be displayed in the setup page.

Figure 7-37 DHCP Address Pool Settings - Example (pool1)

Step 3 Enter 192.168.20.2 in the Start IP Address text box, enter 100 in the Number of Addresses text box, enter 192.168.20.1 in the Default Gateway text box, enter 202.96.209.5 in the Primary DNS Server text box, enter 202.96.199.133 in the Secondary DNS Server text box, and enter digicom.it in the Domain Name text box. Leave the default values for the other parameters.

Step 4 Click the Save button to save the settings.

Till now you have finished configuring the pool1 , and then you can view its configuration in the Address Pool List .

3 ) Configuring the DHCP Address Pool - pool2

Step 1 Go to the Advanced > DHCP page, and then select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Address Pool Settings tab to go to the setup page, see the following figure.

Figure 7-38 DHCP Address Pool Settings - Example (pool2)

Step 3 Enter 192.168.20.102 in the Start IP Address text box, enter 153 in the Number of Addresses text box, enter 192.168.20.1 in the Default Gateway text box, enter 7200 in the Lease Time text box, enter 202.96.209.5 in the Primary DNS Server text box, enter 202.96.199.133 in the Secondary DNS Server text box, and enter digicom.it in the Domain Name text box. Leave the default values for the other parameters.

Step 4 Click the Save button to save the settings.

Till now you have finished configuring the pool2 , and then you can view its configuration in the Address Pool List .

4 ) Configuring the DHCP Manual Binding

Step 1 Go to the Advanced > DHCP page, and then select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Manual Binding Settings tab to go to the setup page, see the following figure.

Figure 7-39 DHCP Manual Binding Settings - Example

Step 3 Select pool1 from the Bind to drop-down list, enter binding1 in the User Name text box, enter 192.168.20.10 in the IP Address text box and enter 000795a81c3d in the MAC Address text box.

Step 4 Select hex from the Client ID drop-down list and enter 01000795a81c3d in the associated text box, enter test in the Host Name text box. Leave the default values for the other parameters.

Step 5 Click the Save button to save the settings.

Till now you have finished configuring the DHCP manual binding, and then you can view its configuration in the Manual Binding List .


7.8.7.2 Configuration Example for the DHCP Client

As mentioned earlier, each physical interface of the Device supports DHCP client, and it allows you to enable DHCP client on each interface at the same time. In this example, the DHCP client is applied on the WAN interface.

1. Network Requirements

In this example, we connect the Device’s WAN interface to the LAN that contains a DHCP server. The LAN network ID is 200.200.200.0/24. The Device acts as a DHCP client which is enabled on the WAN interface, then the WAN interface will obtain an IP address from the DHCP server dynamically. The WAN interface’s MAC address is 0022aa123456, and its client ID is 010022aa123456 which is formed by concatenating the media type and MAC address.

2. Network Topology

Figure 7-40 Network Topology Where DHCP Client is Applied on WAN Interface (DHCP server on the 200.200.200.0/24 LAN; the Device’s WAN interface acts as the DHCP client)

3. Configuration Procedure

Step 1 Go to the Advanced > DHCP page, select the DHCP Client radio button and then select the DHCP Client Settings tab to go to the setup page, see the following figure.


Figure 7-41 DHCP Client Settings - Example

Step 2 Select WAN from the Interface drop-down list.

Step 3 Select the Enable DHCP Client , Enable PnP and Allow AutoIP check boxes.

Step 4 Select hex from the Client ID drop-down list and enter 010022aa123456 in the associated text box. Leave the default values for the other parameters.

Step 5 Click the Save button to save the settings.

Till now you have finished configuring the DHCP client, and then you can view its configuration and status in the DHCP Client List .

7.8.7.3 Configuration Example for the DHCP Relay Agent

1. Network Requirements

In this example, the DHCP clients reside on the subnet 192.168.20.0/24, and the DHCP server’s IP address is 200.200.200.254/24. Because the DHCP server and DHCP clients reside on different subnets, the Device acting as a DHCP relay agent is deployed to forward DHCP messages between the DHCP server and DHCP clients. The DHCP relay agent is enabled on the LAN interface, which is connected to the subnet where the DHCP clients reside. Then the DHCP clients can obtain an IP address and other TCP/IP configuration parameters from the DHCP server dynamically.

Note that in order to assign appropriate IP addresses to the DHCP clients, on the DHCP server you should create a DHCP address pool whose address range is from 192.168.20.2 to 192.168.20.254. And also you should create a static route whose destination network is 192.168.20.0/24. For more information about static routes, please refer to section 7.1.1 Static Route .

2. Network Topology

Figure 7-42 Network Topology Where the Device Acting as a DHCP Relay Agent

3. Configuration Procedure

Step 1 Go to the Advanced > DHCP page, and select the DHCP Relay Agent radio button.

Step 2 Select the Relay Agent Settings tab to go to the setup page, see the following figure.

Figure 7-43 DHCP Relay Agent Settings - Example


Step 3 Select LAN from the Interface drop-down list.

Step 4 Select the Enable DHCP Relay Agent check box.

Step 5 Enter 200.200.200.254 in the DHCP Server 1 text box. Leave the default values for the other parameters.

Step 6 Click the Save button to save the settings.

Till now you have finished configuring the DHCP relay agent, and then you can view its configuration and status in the DHCP Relay Agent List .

7.8.7.4 Configuration Example for the Raw Option

1. Requirements

In this example, we need to create a raw option whose option name is ven_inf, option code is 43 (that is, vendor-specific information) and option value is Test in ASCII format.

And it is applied on the LAN interface.

2. Configuration Procedure

Step 1 Go to Advanced > DHCP page, and select the Raw Option radio button.

Step 2 Select the Raw Option Settings tab to go to the setup page, see the following figure.

Figure 7-44 Raw Option Settings - Example

Step 3 Enter ven_inf in the Option Name text box, enter 43 in the Option Code text box, select ascii from the Option Value drop-down list and enter Test in the associated text box.

Step 4 Select LAN from the Interface drop-down list.


Step 5 Click the Save button to save the settings.

Till now you have finished configuring the DHCP raw option, and then you can view its configuration in the Raw Option List .
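What a raw option looks like once the Device puts it into the options field (sections 7.8.6.1 and 7.8.7.4), as an added Python example that is not the Device's own code: it encodes the ven_inf / 43 / Test option from the example above, and the hex and ip value formats, into the RFC 2132 TLV layout, and parses an options field back while refusing a length byte that overruns the buffer. The length limits are the ones the manual states; rejecting odd-length hex strings is an assumption.

```python
"""Wire form of a DHCP 'raw option' as described in 7.8.6.1 and 7.8.7.4.
Added example, not the Device's code. The value formats (hex, ascii, ip)
and their length limits are the ones the manual states; the TLV layout is
the standard one from RFC 2132 (code byte, length byte, value bytes)."""
import string
from ipaddress import IPv4Address

HEX_MAX_CHARS = 25      # limits from the Raw Option Settings page
ASCII_MAX_CHARS = 27
OPTION_PAD = 0
OPTION_END = 255


def encode_value(fmt: str, value: str) -> bytes:
    """Convert a value typed in one of the three formats into option bytes."""
    if fmt == "hex":
        if not 1 <= len(value) <= HEX_MAX_CHARS:
            raise ValueError("hex value must be 1 to 25 characters")
        if any(c not in string.hexdigits for c in value):
            raise ValueError("hex value contains a non-hex character")
        # Assumption: an odd number of hex digits is rejected, not padded.
        if len(value) % 2:
            raise ValueError("hex value needs an even number of digits")
        return bytes.fromhex(value)
    if fmt == "ascii":
        if not 1 <= len(value) <= ASCII_MAX_CHARS:
            raise ValueError("ascii value must be 1 to 27 characters")
        return value.encode("ascii")          # raises on non-ASCII input
    if fmt == "ip":
        return IPv4Address(value).packed      # four bytes, network order
    raise ValueError(f"unknown value format {fmt!r}")


def encode_raw_option(code: int, fmt: str, value: str) -> bytes:
    """One option TLV. Codes 0 (pad) and 255 (end) are reserved, hence 1..254."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be between 1 and 254")
    payload = encode_value(fmt, value)
    return bytes([code, len(payload)]) + payload


def build_options_field(raw_options) -> bytes:
    """Options field as the sender puts it in the message: TLVs, then END."""
    return b"".join(encode_raw_option(*o) for o in raw_options) + bytes([OPTION_END])


def parse_options_field(data: bytes) -> dict:
    """Walk an options field back into {code: value bytes}.

    Skips PAD, stops at END, and refuses a length byte that runs past the end
    of the buffer (a truncated or malformed option) instead of reading past it."""
    result = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPTION_END:
            return result
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(data):
            raise ValueError(f"option {code} length {length} exceeds the buffer")
        result[code] = data[start:end]
        i = end
    raise ValueError("options field is not terminated by END (255)")


if __name__ == "__main__":
    # The manual's example: option ven_inf, code 43, value Test in ASCII.
    field = build_options_field([(43, "ascii", "Test")])
    print(field.hex())                   # 2b0454657374ff
    print(parse_options_field(field))    # {43: b'Test'}
```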

7.8.7.5 Comprehensive Example for DHCP

When acting as a DHCP server, the Device supports up to ten DHCP address pools. You can use different relay agent IP addresses or IDs to distinguish them. In most cases, the DHCP server will assign the addresses from the same address pool to the clients that have the same relay agent IP address or ID as this pool’s, then these clients will reside on the same subnet.

1. Network Requirements

In this example, there is a college that wants to achieve unified management of the campus network hosts. We plan to divide the campus network into several subnets, one subnet per building (office or dormitory building), so that the hosts residing in the same building will be on the same subnet. We deploy a Device acting as a DHCP server in the network center, and deploy a Device acting as a DHCP relay agent in each building.

Each DHCP relay agent Device is connected to the center DHCP server Device. And the hosts residing in each building are connected to a relay agent Device, so that these hosts can access the network center through the related relay agent Device.

See the following network topology, we respectively call these buildings building1, building2 ... building10, and call the Devices residing in each building DHCP Relay1, DHCP Relay2 ... DHCP Relay10. Each relay agent Device has its own ID.

The Device residing on the center network acts as a DHCP server, and the DHCP address pools are bound to the LAN interface with IP address 200.200.200.254/24.

The Devices residing in each building act as the DHCP relay agents. The DHCP relay agent is enabled on each Device’s LAN interface. The hosts residing in each building are connected to the related Device’s LAN interface respectively, and they will act as clients to request addresses from the DHCP server. The following table lists the name, relay agent ID, WAN IP address and LAN IP address for each relay agent Device. Also it lists the IP address space of each subnet where the client hosts reside.

Name          WAN IP address      LAN IP Address     Client Subnet      Relay Agent ID
DHCP Relay1   200.200.200.1/24    192.168.1.1/24     192.168.1.0/24     Test_Relay1
DHCP Relay2   200.200.200.2/24    192.168.2.1/24     192.168.2.0/24     Test_Relay2
DHCP Relay3   200.200.200.3/24    192.168.3.1/24     192.168.3.0/24     Test_Relay3
DHCP Relay4   200.200.200.4/24    192.168.4.1/24     192.168.4.0/24     Test_Relay4
DHCP Relay5   200.200.200.5/24    192.168.5.1/24     192.168.5.0/24     Test_Relay5
DHCP Relay6   200.200.200.6/24    192.168.6.1/24     192.168.6.0/24     Test_Relay6
DHCP Relay7   200.200.200.7/24    192.168.7.1/24     192.168.7.0/24     Test_Relay7
DHCP Relay8   200.200.200.8/24    192.168.8.1/24     192.168.8.0/24     Test_Relay8
DHCP Relay9   200.200.200.9/24    192.168.9.1/24     192.168.9.0/24     Test_Relay9
DHCP Relay10  200.200.200.10/24   192.168.10.1/24    192.168.10.0/24    Test_Relay10

Table 7-4 DHCP Relay Agent IP Addresses and IDs - Comprehensive Example

In order to ensure that the hosts residing on each building obtain the addresses in the range of the specified subnet respectively, we need to create ten DHCP address pools on the DHCP server Device. These DHCP address pools’ settings are as follows:

Every DHCP address pool is bound to the LAN interface.

Their pool names are pool1, pool2 ... pool10 respectively.

Their starting IP addresses are 192.168.1.2, 192.168.2.2 ... 192.168.10.2 respectively.

Every DHCP address pool’s number of addresses is 253, which is the maximum number of valid addresses in each subnet where the client hosts reside.

Every DHCP address pool’s lease time is 3600 seconds, primary and secondary DNS servers’ IP addresses are 202.96.209.6 and 202.96.199.133.

Their relay agent IDs are Test_Relay1, Test_Relay2 ... Test_Relay10 respectively, which are in ASCII format.

Note that you also should create ten static routes whose destination networks are the subnets where the client hosts reside. For more information about static routes, please refer to section 7.1.1 Static Route .

For those DHCP relay agent Devices, the DHCP relay agent settings are as follows:

Every DHCP relay agent is applied on the LAN interface.

Every DHCP relay agent’s DHCP Server 1 is 200.200.200.254 .

Every DHCP relay agent’s Option is insert .

Their Relay Agent IDs are Test_Relay1 , Test_Relay2 ... Test_Relay10 respectively, which are in ASCII format.

Note that since the DHCP server uses the relay agent ID to distinguish each address pool, we need to set Option to insert for each relay agent. The DHCP relay agent will insert the relay agent ID before forwarding a client-originated DHCP message; thus the DHCP server can select a matched address pool according to the relay agent ID to assign an address to the requesting client.

2. Network Topology

Figure 7-45 Network Topology for DHCP Comprehensive Example

3. Configuration Procedure

As the DHCP address pools have a similar configuration procedure, here we will take DHCP address pool1 for example to describe how to configure the DHCP address pool.

As the DHCP relay agents have a similar configuration procedure, here we will take DHCP Relay1 for example to describe how to configure the DHCP relay agent.

1) Configuring DHCP server

a) Configuring DHCP Server Global Parameters

Step 1 Go to the Advanced > DHCP page, and then select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Global Settings tab to go to the setup page.

Step 3 Select the Enable DHCP Server check box, see the following figure.

Figure 7-46 DHCP Server Global Settings - Comprehensive Example

Step 4 Click the Save button to save the settings.

Till now you have finished configuring DHCP server global settings.

b) Configuring the DHCP Address Pool - pool1

As mentioned earlier, the pool1 is the system default address pool. And it is editable, but can’t be deleted. So you could modify the pool1 according to your requirements. The steps are as follows:

Step 1 Go to the Advanced > DHCP page, and then select the DHCP Server radio button to go to the DHCP Server page.

Step 2 Select the Address Pool List tab, and then click the pool1 ’s Edit hyperlink in the Address Pool List , the related information will be displayed in the setup page.


Figure 7-47 DHCP Address Pool Settings - Comprehensive Example (pool1)

Step 3 Enter 192.168.1.2 in the Start IP Address text box, enter 253 in the Number of Addresses text box, enter 192.168.1.1 in the Default Gateway text box, enter 202.96.209.5 in the Primary DNS Server text box and enter 202.96.199.133 in the Secondary DNS Server text box.

Step 4 Select ascii from the Relay Agent ID drop-down list and enter Test_Relay1 in the associated text box. Leave the default values for the other parameters.

Step 5 Click the Save button to save the settings.

Till now you have finished configuring the pool1 , and then you can view its configuration in the Address Pool List .

c) Configuring the Other DHCP Address Pools (pool2 ~ pool10)

The other DHCP address pools’ configuration procedures are very similar to that of the pool1 . The difference is that each DHCP address pool has a different Pool Name , Start IP Address , Default Gateway and Relay Agent ID . Since the other DHCP address pools’ configuration procedures are so similar to that of the pool1 , the user is directed to review the configuration procedure of the pool1 .

2) Configuring DHCP relay agents

a) Configuring DHCP Relay1

Step 1 Go to the Advanced > DHCP page, select the DHCP Relay Agent radio button and then select the Relay Agent Settings tab to go to the setup page, see the following figure.

Figure 7-48 DHCP Relay Agent Settings - Comprehensive Example (DHCP Relay1)

Step 2 Select LAN from the Interface drop-down list.

Step 3 Select the Enable DHCP Relay Agent check box.

Step 4 Enter 200.200.200.254 in the DHCP Server 1 text box. Select insert from the Option drop-down list, select ascii from the Relay Agent ID drop-down list and enter Test_Relay1 in the associated text box. Leave the default values for the other parameters.

Step 5 Click the Save button to save the settings.

Till now you have finished configuring the DHCP relay agent, and then you can view its configuration in the DHCP Relay Agent List .

2) Configuring the Other DHCP Relay Agents (DHCP Relay2 ~ Relay10)

The other DHCP relay agents' configuration procedures are very similar to that of DHCP Relay1. The difference is that each DHCP relay agent has a different Relay Agent ID . Since the other DHCP relay agents' configuration procedures are so similar to that of DHCP Relay1, the user is directed to review the configuration procedure of DHCP Relay1.

7.9 Switch

This section describes Advanced > Switch page.

7.9.1 Port Mirroring

7.9.1.1 Introduction to Port Mirroring

Port mirroring allows an administrator to mirror and monitor network traffic. It copies the traffic from the specified ports to another port, where the traffic can be monitored with an external network analyzer. The administrator can then perform traffic monitoring, performance analysis and fault diagnosis.

7.9.1.2 Port Mirroring Setup

Figure 7-49 Port Mirroring Settings

● Enable Port Mirroring: It allows you to enable or disable port mirroring. If you want to enable port mirroring on the Device, select this check box. By default, LAN Port 1 is the mirroring port and cannot be changed. If port mirroring is enabled, LAN Port 1 will mirror the traffic of the other LAN ports.

● Click the Save button to save the port mirroring settings.

Note

If the LAN switch ports belong to different VLANs, only the traffic of the ports on the same VLAN as the Port 1 can be mirrored.


7.9.2 Port-Based VLAN

7.9.2.1 Introduction to VLAN

A VLAN (Virtual Local Area Network) is a group of devices that form a logical LAN segment, that is, a broadcast domain. The members of the same VLAN can communicate with each other. Traffic does not cross between different VLANs, that is, any traffic (unicast, broadcast or multicast) within a VLAN does not flow to another VLAN. The VLAN feature offers the benefits of both security and performance. A VLAN is used to isolate traffic between different users, which provides better security. Limiting the broadcast traffic to the same VLAN broadcast domain also enhances performance.

The Device provides port-based VLAN, which is defined according to the switch ports on the Device. You can set a VLAN ID on each switch port. The ports that have the same VLAN ID will be grouped into a VLAN. The ports that belong to the same VLAN can communicate with each other, but the ports that belong to different VLANs cannot communicate. For example, if a port belongs to VLAN 1 and another port belongs to VLAN 2, the two ports will not be able to communicate with each other.

7.9.2.2 Port-Based VLAN Setup

Figure 7-50 Port-Based VLAN Setup

● Port 1 VLAN ID ~ Port 5 VLAN ID: They specify the VLAN IDs of the five switch ports. They allow you to set a VLAN ID for each switch port respectively. The ports that have the same VLAN ID will be grouped into a VLAN, which is independent of the other ports.

● Save: Click it to save the VLAN settings.


Note

1. The ports that have the same VLAN ID will be grouped into a VLAN. The ports on the same VLAN can communicate with each other, but the ports that belong to different VLANs cannot communicate.

2. By default, all the LAN switch ports are members of the same VLAN. The most complex case is that each port is grouped into a VLAN of its own. For example, in Figure 7-52, Port 1 and Port 2 are grouped into one VLAN (VLAN 1), while Port 3, Port 4 and Port 5 are grouped into different VLANs (VLAN 2, VLAN 3 and VLAN 4) respectively.

3. The ports within a LAG should be grouped into the same VLAN.
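The following is an added example, not part of the Digicom manual or the Device's firmware: a small checker that applies the port-based VLAN rules of this section and the port-mirroring caveat of 7.9.1 (only ports in the same VLAN as Port 1 are mirrored) to a constructed five-port configuration. The port-to-VLAN map and the LAG membership are assumed sample values.

```python
"""Added example (not from the Digicom manual): a checker for the port-based
VLAN rules (7.9.2), the Port 1 mirroring caveat (7.9.1) and the LAG/VLAN
note (7.9.2.2). Port numbers, VLAN IDs and the LAG below are constructed."""

MIRROR_PORT = 1  # LAN Port 1 is the fixed mirroring port on the Device


def can_communicate(vlan_of, port_a, port_b):
    """Two switch ports exchange traffic only when they carry the same VLAN ID."""
    return vlan_of[port_a] == vlan_of[port_b]


def mirrored_ports(vlan_of):
    """Ports whose traffic reaches the analyzer on Port 1: only those in Port 1's VLAN."""
    return sorted(p for p, v in vlan_of.items()
                  if p != MIRROR_PORT and v == vlan_of[MIRROR_PORT])


def lag_violations(vlan_of, lags):
    """Return LAGs whose member ports span more than one VLAN (Note 3 above)."""
    return [tuple(lag) for lag in lags if len({vlan_of[p] for p in lag}) > 1]


# Constructed configuration matching the Note's example: Port 1 and Port 2 in
# VLAN 1, Ports 3, 4 and 5 each in their own VLAN (VLAN 2, 3 and 4).
EXAMPLE_VLANS = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4}

if __name__ == "__main__":
    print(can_communicate(EXAMPLE_VLANS, 1, 2))      # Port 1 and Port 2: same VLAN
    print(can_communicate(EXAMPLE_VLANS, 3, 4))      # Port 3 and Port 4: isolated
    print(mirrored_ports(EXAMPLE_VLANS))             # only Port 2 can be mirrored
    print(lag_violations(EXAMPLE_VLANS, [(4, 5)]))   # a LAG across VLAN 3 and 4 is invalid
```

Run the checker against a planned port map before saving the settings; an empty `lag_violations` result and the expected `mirrored_ports` set confirm the VLAN layout does what the analyzer on Port 1 needs.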


Chapter 8 NAT

This chapter describes how to configure and use NAT features, including port forwarding, DMZ hosts, NAT rules and UPnP.

8.1 Port Forwarding

This section describes the NAT > Port Forwarding page, which allows you to configure port forwarding rules.

8.1.1 Introduction to Port Forwarding

By default, NAT is enabled on the Device, so the Device will block all the requests initiated from outside users. In some cases, the outside users want to access the LAN internal servers through the Device. To achieve this purpose, you need to create port forwarding rules or DMZ hosts on the Device.

Using port forwarding, you can create the mapping between <external IP address: external port> and <internal IP address: internal port>, then all the requests from outside users to the specified external IP address: port on the Device will be forwarded to the mapped local server, so the outside users can access the service offered by the local server.

For example, if you want to allow the local SMTP server (IP address: 192.168.20.88) to be available to the outside users, you can create a port forwarding rule: the external IP address is the WAN1 IP address (200.200.201.88 in this example), the external port is 2100, the internal IP address is 192.168.20.88, and the internal port is 25. Then all the requests for SMTP from outside users to 200.200.201.88:2100 will be forwarded to 192.168.20.88:25.


8.1.2 Port Forwarding Settings

Figure 8-1 Port Forwarding Settings

● Protocol: It specifies the transport protocol used by the service. The available options are TCP , UDP and GRE .

● Start External Port: It specifies the lowest external port number provided by the Device. The external ports are opened for outside users to access.

● Internal IP Address: It specifies the IP address of the local host that provides the service.

● Start Internal Port: It specifies the lowest port number of the service provided by the LAN host. The Start External Port and Start Internal Port can be different.

● Port Count: It specifies the number of service ports provided by the LAN host. If the service uses only one port number, enter 1. The maximum value is 20. For example, if the start internal port is 21, the start external port is 2001 and the port count is 10, then the internal port range is from 21 to 30, and the external port range is from 2001 to 2010.

● Bind to: It specifies the NAT rule to which this port forwarding rule is bound. The port forwarding rule will use the NAT rule's external IP address as its external IP address. The available options are:

  - Each EasyIP NAT rule's ID : It stands for the corresponding NAT rule.

  - WANx (x: 1, 2, 3, 4): It stands for the system reserved NAT rule bound to the Internet connection on the selected WAN interface. The reserved NAT rule uses the WAN interface's IP address as its external IP address.


● Description: It specifies the description of the port forwarding rule.

● Save: Click it to save the port forwarding rule settings.

Note

1. If you choose GRE as the Protocol , you should set the Start External Port and Start Internal Port to 0, and set the Port Count to 1.

2. After you have enabled some features (such as HTTP management in the System > Remote Admin page), the system will automatically create some port forwarding rules, which cannot be modified or deleted.

8.1.3 Port Forwarding List

Figure 8-2 Port Forwarding List

● Add a Port Forwarding Rule: If you want to add a new port forwarding rule, click the New button or select the Port Forwarding Settings tab to go to the setup page, configure it, and lastly click the Save button.

● View Port Forwarding Rule(s): When you have configured some port forwarding rules, you can view them in the Port Forwarding List .

● Edit a Port Forwarding Rule: If you want to modify a configured port forwarding rule, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button.

● Delete Port Forwarding Rule(s): If you want to delete one or more port forwarding rules, select their leftmost check boxes, and then click the Delete button.

8.1.4 How to Add the Port Forwarding Rules

If you want to add one or more port forwarding rules, do the following:

Step 1 Go to the NAT > Port Forwarding page, and then click the New button or select the Port Forwarding Settings tab to go to the setup page.

Step 2 Specify the Protocol , Internal IP Address and Start Internal Port as required.

Step 3 Specify the Start External Port as required. The Start External Port and Start Internal Port can be different.

Step 4 If the open service uses a range of consecutive ports, you need to specify the Port Count .

Step 5 Select a NAT rule from the Bind to drop-down list as required. The port forwarding rule will use the selected NAT rule’s external IP address as its external IP address.

Step 6 Click the Save button to save the settings. You can view the port forwarding rule in the Port Forwarding List .

Step 7 If you want to add another new port forwarding rule, please repeat the above steps.

Note

If you want to delete one or more port forwarding rules, select the leftmost check boxes of them in the Port Forwarding List , and then click the Delete button.

8.1.5 Configuration Examples for Port Forwarding

8.1.5.1 Example One

An organization wants a LAN server (IP Address: 192.168.20.88) to open the syslog service (Protocol: UDP; Port: 514) to the outside users. The Device will use 2514 as the external port and the WAN1 IP address (200.200.200.88 in this example) as the external IP address. Then all the requests for syslog from outside users to 200.200.200.88:2514 will be forwarded to 192.168.20.99:514.

The following figure shows the detailed settings.

Figure 8-3 Port Forwarding Settings - Example One

8.1.5.2 Example Two

An organization wants a LAN server (IP Address: 192.168.20.100) to open the ftp service (Protocol: TCP; Port: 20, 21) to the outside users. The Device will use 2020 and 2021 as the external ports and the WAN2 IP address (200.200.201.18 in this example) as the external IP address. As the ftp service uses two ports, we need to set the Port Count to 2. Then all the requests for ftp from outside users to 200.200.201.18:2020 or 200.200.201.18:2021 will be forwarded to 192.168.20.100:20 or 192.168.20.100:21 respectively.

The following figure shows the detailed settings.

Figure 8-4 Port Forwarding Settings - Example Two


8.1.5.3 Example Three

An organization obtains eight public IP addresses (from 218.1.21.0/29 to 218.1.21.7/29) from the ISP. Therein, 218.1.21.1/29 is used as the Internet connection's gateway IP address, and 218.1.21.2/29 is used as the Device's WAN1 interface's IP address.

The organization wants a LAN server (IP Address: 192.168.20.88) to open the SMTP service (Protocol: TCP; Port: 25) to the outside users. The Device will use 2025 as the external port and 218.1.21.3 as the external IP address.

Firstly, we need to create a NAT rule and set its External IP Address to 218.1.21.3, see section 8.3.5 How to Add the NAT Rules for detailed information. Then we need to create the port forwarding rule, and select the NAT rule's ID ( 4 in this example) from the Bind to drop-down list.

The following figure shows the detailed settings.

Figure 8-5 Port Forwarding Settings - Example Three


8.2 DMZ Host

This section describes the NAT > DMZ page.

8.2.1 Introduction to DMZ host

The DMZ (Demilitarized Zone) host allows one local host to be exposed to the Internet for the use of a special service such as online gaming or video conferencing. When receiving requests initiated from outside users, the Device will directly forward these requests to the specified DMZ host.

For the Device that has multiple WAN interfaces, it allows you to create one global DMZ host, and several interface DMZ hosts which are bound to each WAN interface respectively.

● Global DMZ host: You can access the global DMZ host through different Internet connections at the same time.

● Interface DMZ host: You can only access the interface DMZ host through the corresponding Internet connection.

Note

When a local host is designated as the DMZ host, it loses firewall protection provided by the Device. As the DMZ host is exposed to many exploits from the Internet, it may be used to attack your network.


8.2.2 DMZ Host Settings

8.2.2.1 Global DMZ Host Settings

Figure 8-6 Global DMZ Host Settings

● DMZ IP: It specifies the private IP address of the global DMZ host.

● Save: Click it to save the global DMZ host settings.

8.2.2.2 Interface DMZ Host Settings

Figure 8-7 Interface DMZ Host Settings

● WANx DMZ IP: It specifies the private IP address of the interface DMZ host which is bound to the WAN interface. Therein, x (value: 1, 2, 3, 4) indicates the corresponding WAN interface, and the number of WAN interfaces depends on the specific product model.

● Save: Click it to save the interface DMZ host settings.

8.2.3 The Priorities of Port Forwarding and DMZ Host

Port forwarding has a higher priority than the DMZ host. When receiving a request packet initiated from an outside user, the Device will first search the Port Forwarding List to find out whether there is a port forwarding rule matching the destination IP address and port of the packet. If a match is found, the Device will forward the packet to the mapped local host. Otherwise, the Device will try to find out whether there is an available DMZ host.

The interface DMZ host has a higher priority than the global DMZ host. Only when there is no interface DMZ host available for the request packet will the Device choose the global DMZ host.
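The lookup order of sections 8.1 and 8.2.3 (port forwarding rule first, then the interface DMZ host, then the global DMZ host) as an added example; this is a model written for this page, not the Device's own firmware. The port forwarding rules reuse the values of Examples One to Three above, the WAN1 address is the one from Example One, and the two DMZ hosts, the rule ID tags and the `bind_to` resolution are constructed assumptions.

```python
"""Added example (not the Device's firmware): a model of the inbound lookup
order in sections 8.1 and 8.2.3. Port forwarding rules win, then the
interface DMZ host of the receiving WAN, then the global DMZ host. The rule
values are the manual's examples; the DMZ hosts are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class NatRule:
    rule_id: str          # "WAN1" (system reserved) or an EasyIP rule ID such as "4"
    wan: str              # WAN interface the rule is bound to
    external_ip: str      # "0.0.0.0" on a reserved rule means "use the WAN interface IP"


@dataclass
class PortForward:
    protocol: str
    start_external_port: int
    internal_ip: str
    start_internal_port: int
    port_count: int       # 1..20; a GRE rule uses ports 0/0 and a count of 1
    bind_to: str          # ID of the NAT rule that supplies the external IP

    def external_range(self):
        return range(self.start_external_port,
                     self.start_external_port + self.port_count)


def external_ip_of(rule: NatRule, wan_ips: dict) -> str:
    """A reserved rule's 0.0.0.0 resolves to the bound WAN interface's address."""
    return wan_ips[rule.wan] if rule.external_ip == "0.0.0.0" else rule.external_ip


def lookup_inbound(wan, dst_ip, dst_port, protocol, forwards, nat_rules,
                   wan_ips, interface_dmz, global_dmz) -> Optional[Tuple[str, int]]:
    """Return (internal_ip, internal_port) the Device would deliver to, or None."""
    # 1. Port forwarding has the highest priority: match protocol, external IP and port.
    for fw in forwards:
        rule = nat_rules[fw.bind_to]
        if fw.protocol != protocol or external_ip_of(rule, wan_ips) != dst_ip:
            continue
        if dst_port in fw.external_range():
            offset = dst_port - fw.start_external_port   # n-th port of the range
            return fw.internal_ip, fw.start_internal_port + offset
    # 2. The interface DMZ host bound to the WAN the request arrived on.
    if wan in interface_dmz:
        return interface_dmz[wan], dst_port
    # 3. The global DMZ host, reachable through every Internet connection.
    if global_dmz:
        return global_dmz, dst_port
    return None


# Constructed tables built from the manual's example values.
WAN_IPS = {"WAN1": "200.200.200.88", "WAN2": "200.200.201.18"}
NAT_RULES = {
    "WAN1": NatRule("WAN1", "WAN1", "0.0.0.0"),   # system reserved
    "WAN2": NatRule("WAN2", "WAN2", "0.0.0.0"),   # system reserved
    "4": NatRule("4", "WAN1", "218.1.21.3"),      # user-defined EasyIP rule (Example Three)
}
FORWARDS = [
    PortForward("UDP", 2514, "192.168.20.88", 514, 1, "WAN1"),   # Example One (syslog)
    PortForward("TCP", 2020, "192.168.20.100", 20, 2, "WAN2"),   # Example Two (ftp)
    PortForward("TCP", 2025, "192.168.20.88", 25, 1, "4"),       # Example Three (SMTP)
]
INTERFACE_DMZ = {"WAN2": "192.168.20.200"}   # constructed interface DMZ host on WAN2
GLOBAL_DMZ = "192.168.20.250"                # constructed global DMZ host


def demo(wan, dst_ip, dst_port, protocol):
    return lookup_inbound(wan, dst_ip, dst_port, protocol, FORWARDS, NAT_RULES,
                          WAN_IPS, INTERFACE_DMZ, GLOBAL_DMZ)


if __name__ == "__main__":
    print(demo("WAN1", "200.200.200.88", 2514, "UDP"))   # syslog rule
    print(demo("WAN2", "200.200.201.18", 2021, "TCP"))   # second ftp port -> 21
    print(demo("WAN1", "218.1.21.3", 2025, "TCP"))       # rule bound to NAT rule 4
    print(demo("WAN2", "200.200.201.18", 8080, "TCP"))   # no rule: interface DMZ on WAN2
    print(demo("WAN1", "200.200.200.88", 8080, "TCP"))   # no rule, no interface DMZ: global DMZ
```

The last two calls show why the Note in 8.2.1 matters: anything that misses every port forwarding rule, on any port and protocol, ends up on a DMZ host, so a DMZ host receives the full unfiltered inbound traffic of its WAN interface.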


8.3 NAT Rule

8.3.1 Introduction to NAT

NAT (Network Address Translation) is an Internet standard that is used to map one IP address space (e.g., an intranet) to another IP address space (e.g., the Internet). NAT is designed to alleviate the shortage of IP addresses, that is, it allows all the LAN hosts to share a single or a small group of IP addresses: on the Internet, there is only a single device using a single or a small group of public IP addresses, but the LAN hosts can use any range of private IP addresses, and these IP addresses are not visible from the Internet. As the internal network can be effectively isolated from the outside world, NAT can also provide a degree of network security.

The Device provides flexible NAT features, and the following sections will describe them in detail.

8.3.1.1 NAT Address Space Definitions

To ensure that NAT operates properly, the Device uses and maintains two address spaces:

● Internal IP address: It indicates the IP address that is assigned to a LAN host by the administrator. It is usually a private IP address.

● External IP address: It indicates the IP address that is assigned to the Device’s

Internet connection by the ISP. It is a legal public IP address that can represent one or more internal IP addresses to the outside world.

8.3.1.2 NAT Types

The Device provides three types of NAT: One2One , EasyIP and Passthrough .

● One2One (One to One): It indicates static network address translation. It is also referred to as Basic NAT, which provides a one-to-one mapping between an internal and an external IP address. In this type of NAT, the IP address needs to be changed, but the port does not.

One to One NAT can be used to allow outside users to access a LAN server: in the local network, the LAN server still uses its private IP address, which is the address the LAN hosts use to reach it; on the Internet, the Device assigns an external IP address to the local server, and the outside users can then use this external IP address to access the server through the Device.

● EasyIP: It indicates network address and port translation (NAPT). Since it is the most common type of NAT, it is often simply referred to as NAT. NAPT provides many-to-one mappings between multiple internal IP addresses and a single external IP addresses, that is, these multiple internal IP addresses will be translated to the same external IP address. In this type of NAT, to avoid ambiguity in the handling of returned packets, it must dynamically assign a TCP/UDP port to an outgoing session and change the packets’ source port to the assigned port before forwarding them. Besides, the Device must maintain a translation table so that return packets can be correctly translated back.

● Passthrough: It indicates bypassing NAT when NAT is enabled. If you enable NAT, the LAN hosts must match a NAT rule when accessing outside hosts. So if you do not want to perform NAT for some LAN hosts, you can use this function to bypass NAT for those hosts. It is often used for particular applications that do not support NAT well, such as online games or video conferencing. To ensure that these applications run properly, you can set aside a voice and video area in the LAN, and create a Passthrough NAT rule for the hosts in this area. Then the Device will not perform NAT for them, that is, the packets sent by these hosts to outside hosts will be directly routed and forwarded.

When you obtain multiple public IP addresses from your ISP, you can create more than one NAT rule for each type of NAT. In an actual network environment, different types of NAT rules are often used together.
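The three NAT types described above, as an added example written for this page rather than code from the Device: an EasyIP (NAPT) translation that assigns a port per outgoing session and uses the table to translate replies back, a One2One translation that rewrites only the address, and a Passthrough that leaves the packet untouched. The external address 218.1.21.3 and the One2One range 192.168.20.6-8 to 200.200.200.116 come from this chapter's examples; the LAN hosts, the remote address 203.0.113.5 and the port allocation starting at 40000 are constructed.

```python
"""Added example (not the Device's firmware): a model of the three NAT types
in section 8.3.1.2. EasyIP rewrites address and port and keeps a translation
table; One2One rewrites only the address; Passthrough changes nothing.
All hosts and the remote address are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class NatEngine:
    def __init__(self, port_base=40000):
        self._ports = count(port_base)   # next external port for EasyIP sessions (assumed)
        self.sessions = {}               # (ext_ip, ext_port, proto) -> (int_ip, int_port)

    def easyip_out(self, pkt, external_ip):
        """NAPT: many internal addresses share one external IP; the port disambiguates."""
        ext_port = next(self._ports)
        self.sessions[(external_ip, ext_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def easyip_return(self, pkt):
        """Translate a reply back via the table; a reply with no session is dropped."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.sessions:
            return None
        int_ip, int_port = self.sessions[key]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)

    @staticmethod
    def one2one_out(pkt, start_internal, start_external):
        """Static 1:1 mapping: the n-th internal address maps to the n-th external one."""
        offset = int(ip_address(pkt.src_ip)) - int(ip_address(start_internal))
        ext_ip = str(ip_address(start_external) + offset)
        return Packet(ext_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def passthrough_out(pkt):
        """No translation: the packet is routed and forwarded as is."""
        return pkt


def demo():
    nat = NatEngine()
    # Two LAN hosts using the same source port share external IP 218.1.21.3.
    a = nat.easyip_out(Packet("192.168.20.10", 5000, "203.0.113.5", 53, "UDP"), "218.1.21.3")
    b = nat.easyip_out(Packet("192.168.20.11", 5000, "203.0.113.5", 53, "UDP"), "218.1.21.3")
    # The reply to host a is recognised by its translated port and mapped back.
    back = nat.easyip_return(Packet("203.0.113.5", 53, a.src_ip, a.src_port, "UDP"))
    # A packet to a port nobody opened has no table entry and is not delivered.
    stray = nat.easyip_return(Packet("203.0.113.5", 53, "218.1.21.3", 39999, "UDP"))
    # One2One: 192.168.20.6..8 -> 200.200.200.116..118, port unchanged.
    o2o = NatEngine.one2one_out(Packet("192.168.20.7", 1234, "203.0.113.5", 80),
                                "192.168.20.6", "200.200.200.116")
    return a, b, back, stray, o2o


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The `stray` case is the property that makes EasyIP a natural inbound filter: without a matching session (or a port forwarding rule, as in 8.1), an unsolicited packet to the shared external address has nowhere to go.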

8.3.1.3 The Relations of Internet Connection, NAT Rule and Port Forwarding Rule

On the Device, the relations of the Internet connection, NAT rule and port forwarding rule are as follows:

● A NAT rule should be bound to an Internet connection. It allows you bind multiple NAT rules to the same Internet connection.


● A port forwarding rule should be bound to an EasyIP NAT rule (that is, a NAT rule whose type is EasyIP ), and the port forwarding rule will use the NAT rule's external IP address as its external IP address. It allows you to bind multiple port forwarding rules to the same EasyIP NAT rule.

● Only after you have configured an Internet connection, you can create a NAT rule which is bound to this Internet connection; and only after you have configured an EasyIP NAT rule, you can create a port forwarding rule which is bound to this EasyIP NAT rule.

8.3.1.4 System Reserved NAT Rules

After you have finished configuring the WAN1 Internet connection through the Quick Wizard , or configuring the WAN1 Internet connection and other connections in the Basic > WAN page, the Device will automatically create a NAT rule for each Internet connection respectively.

For convenience, we call them system reserved NAT rules in this manual. You can view them in the NAT Rule List . By default, a system reserved NAT rule's Type is EasyIP , its Bind to is the WAN interface on which the Internet connection is established, and its External IP Address is 0.0.0.0, which means this NAT rule will directly use the WAN interface's IP address as its external IP address.

8.3.2 NAT and Multi-WAN Load Balancing

8.3.2.1 Overview

Section 6.3 Load Balancing describes load balancing among multiple Internet connections. In fact, that feature's implementation is based on the NAT feature.

8.3.2.2 Assigning Preferential Channel according to Source IP

Here, the channel stands for the NAT rule, which determines NAT type, external IP address and Internet connection used by the LAN hosts to surf the Internet.

On the Device, you can assign a preferential channel to some LAN hosts in advance by specifying the NAT rule's Start Internal IP Address and End Internal IP Address ; then the LAN hosts that belong to the specified address range will preferentially use the assigned NAT rule to access the Internet. If the assigned NAT rule is in effect, these LAN hosts can only use this NAT rule to access the Internet. Otherwise, the Device will treat them as free LAN hosts (that is, hosts that have not been assigned a preferential channel). On the Device, you can assign different preferential channels to different LAN hosts.

8.3.2.3 Allocating Traffic according to Connection Bandwidth

On the Device, you can designate the ratio of traffic that will be allocated to each Internet connection in advance. You can achieve this by specifying the Internet connection's Weight ; the connection that has the larger Weight will take more traffic than the connection that has the smaller Weight . In most cases, to properly allocate traffic, you may specify each connection's Weight according to the ratio of each connection's bandwidth.

Note that if several EasyIP NAT rules are bound to an Internet connection with multiple IP addresses, then the Internet connection's Weight is the sum of each EasyIP NAT rule's Weight .

Besides, when you have designated preferential channels for some LAN hosts, if you specify each connection’s Weight according to the ratio of each connection’s bandwidth, the ratio of each connection’s actual traffic and the ratio of each connection’s bandwidth may be quite different. In this case, you can adjust each connection’s Weight according to the actual situation.

8.3.2.4 Two Load Balancing Policies

Note

In this section, those hosts that have not been assigned a preferential NAT rule are called free LAN hosts .

The Load Balancing Policy is used to control and balance the traffic among multiple

Internet connections. Note that the load balancing policy only acts on the free LAN hosts.

The Load Balancing Policy is configured in the Basic > Load Balancing > Global

Settings page, and the Device provides two load balancing policies: load balancing based on IP address and NAT session. Their implementation mechanisms are as follows.

1. Load Balancing Based on IP Address

Note that here we assume that each LAN host only has one IP address.


If you choose IP address as the load balancing policy, the Device will assign the free LAN hosts' IP addresses to each EasyIP NAT rule in turn. The ratio of the numbers of IP addresses assigned to each EasyIP NAT rule is the same as the ratio of each rule's Weight . In this case, the NAT sessions initiated from the same IP address will use the same NAT rule, that is, a LAN host will use only one NAT rule to access the Internet.

For example, there are three EasyIP NAT rules whose Weights are 3, 2 and 1 respectively. Then in the sequence of accessing the Internet, the first, second and third free hosts will use the first rule, the fourth and fifth free hosts will use the second rule, the sixth free hosts will use the third rule; then the seventh, eighth and ninth free hosts will use the first rule ... and so on.

2. Load Balancing Based on NAT Session

If you choose NAT session as the load balancing policy, the Device will assign the NAT sessions to each EasyIP NAT rule in turn. The ratio of the numbers of the NAT sessions assigned to each EasyIP NAT rule is the same with the ratio of each rule’s Weight . In this case, the NAT sessions initiated from the same LAN host will use different NAT rules, that is, a LAN host will use several NAT rules to access the Internet.

For example, there are three EasyIP NAT rules whose Weights are 3, 2 and 1 respectively. Then in the sequence of accessing the Internet, the first, second and third NAT sessions initiated from the free LAN hosts will use the first rule, the fourth and fifth NAT sessions will use the second rule, the sixth NAT session will use the third rule; then the seventh, eighth and ninth NAT sessions will use the first rule ... and so on.

3. How to Choose the Load Balancing Policy

In most cases, it is suggested that you choose IP address as the load balancing policy. If you want to use some applications that need high bandwidth, such as NetAnts, FlashGet, Net Transport and other multi-threaded download managers (multi-threaded download means that the application splits a file into several pieces, downloads the pieces simultaneously, and merges them together once downloaded), you may choose NAT session as the load balancing policy to take full advantage of multiple Internet connections' bandwidth and increase download speed. Note that even if you choose NAT session as the load balancing policy, the bandwidth of the Internet connections may not be fully aggregated because the download website is busy or for other reasons, so some applications may not run smoothly.

8.3.2.5 The Priorities of NAT Rules

When receiving a request packet initiated from a LAN host to access the Internet, the Device will first search the NAT Rule List to find out whether there is a NAT rule matching the source IP address of the packet, that is, whether the host's IP address belongs to the address range specified by the Start Internal IP Address and End Internal IP Address of the NAT rule. If a match is found, the Device will assign the matched NAT rule to the host, and the host will use this rule to access the Internet. Otherwise, the Device will assign an EasyIP NAT rule to the host. If there are several EasyIP NAT rules, the Device will assign the IP addresses or NAT sessions to each EasyIP NAT rule in turn, and in this way effectively control and balance the traffic among multiple Internet connections.
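The rule selection of this section together with the two load balancing policies of 8.3.2.4 and the preferential channel of 8.3.2.2, as an added example written for this page (not the Device's code): a preferential rule whose internal range covers the source address wins; free hosts are spread over the EasyIP rules by weighted round robin, either per IP address (a host sticks to one rule) or per NAT session. The three rules with Weights 3, 2 and 1 reproduce the sequence given above; the preferential rule, the `active` flag modelling a rule that is not in effect, and the host addresses are constructed assumptions.

```python
"""Added example (not the Device's firmware): outbound NAT rule selection per
section 8.3.2.5 and weighted round robin over EasyIP rules per 8.3.2.4, by
IP address or by NAT session. Rules, weights and hosts are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class EasyIpRule:
    name: str
    weight: int
    start_internal: str = ""   # empty = the rule carries no preferential range
    end_internal: str = ""
    active: bool = True        # assumed flag: a rule that is not in effect is skipped

    def covers(self, ip):
        if not self.active or not self.start_internal:
            return False
        return (int(ip_address(self.start_internal)) <= int(ip_address(ip))
                <= int(ip_address(self.end_internal)))


class LoadBalancer:
    def __init__(self, rules, policy="ip"):
        assert policy in ("ip", "session")
        self.rules = rules
        self.policy = policy
        # Weighted round robin: a rule with Weight w appears w times per cycle.
        self._cycle = [r for r in rules if r.active for _ in range(r.weight)]
        self._pos = 0
        self._by_ip = {}   # IP policy: once assigned, a free host keeps its rule

    def _next_free(self):
        rule = self._cycle[self._pos % len(self._cycle)]
        self._pos += 1
        return rule

    def choose(self, src_ip):
        # 1. A preferential channel (a rule whose internal range covers the host) wins.
        for r in self.rules:
            if r.covers(src_ip):
                return r.name
        # 2. Free hosts: hand out rules in turn, per session or per IP address.
        if self.policy == "session":
            return self._next_free().name
        if src_ip not in self._by_ip:
            self._by_ip[src_ip] = self._next_free()
        return self._by_ip[src_ip].name


# Constructed rule sets: the three EasyIP rules from the text (Weights 3, 2, 1)
# and, for the preferential case, a rule covering 192.168.20.10-192.168.20.100.
FREE_RULES = [EasyIpRule("r1", 3), EasyIpRule("r2", 2), EasyIpRule("r3", 1)]
PREF_RULES = [EasyIpRule("pref", 2, "192.168.20.10", "192.168.20.100")] + FREE_RULES


def demo_ip_policy():
    lb = LoadBalancer(FREE_RULES, "ip")
    hosts = [f"192.168.21.{i}" for i in range(1, 10)]      # nine free hosts, constructed
    first_pass = [lb.choose(h) for h in hosts]
    return first_pass, lb.choose(hosts[0])                 # host 1 again: same rule


def demo_session_policy():
    lb = LoadBalancer(FREE_RULES, "session")
    return [lb.choose("192.168.21.1") for _ in range(6)]   # six sessions of one host


def demo_preferential(active=True):
    rules = [EasyIpRule("pref", 2, "192.168.20.10", "192.168.20.100", active)] + FREE_RULES
    return LoadBalancer(rules, "ip").choose("192.168.20.50")


if __name__ == "__main__":
    print(demo_ip_policy())
    print(demo_session_policy())
    print(demo_preferential(), demo_preferential(active=False))
```

The `active=False` branch shows the fallback described in 8.3.2.2: when the assigned rule is not in effect, the host is treated as a free host and lands on whichever EasyIP rule the round robin hands out next.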

8.3.3 NAT Rule Settings

The following sections describe the three types of NAT rules respectively: EasyIP NAT (see Figure 8-8), One2One NAT (see Figure 8-9), and Passthrough NAT (see Figure 8-10).

Note

When using multi-NAT (that is, you get multiple public IP addresses from your ISP) on a WAN interface, you should enable NAT proxy ARP on the interface. The operation is as follows: Go to the Basic > WAN > WAN List page, click the Edit hyperlink of the related Internet connection to go to its setup page, click the Advanced Options , and then select Nat from the Proxy ARP drop-down list, lastly click the Save button.

8.3.3.1 EasyIP NAT Rule Settings

Figure 8-8 EasyIP NAT Rule Settings


● NAT Type: It specifies the type of the NAT rule. The available options are EasyIP , One2One , and Passthrough . Here please select EasyIP .

● External IP Address: It specifies the external IP address to which the LAN hosts' IP addresses are mapped. A system reserved NAT rule's external IP address is 0.0.0.0, which means that the rule will use the related WAN interface's IP address as its external IP address; it is non-editable. A user-defined NAT rule's external IP address can be neither 0.0.0.0 nor the WAN interface's IP address, that is, you can only use the other public IP addresses provided by your ISP as its external IP address.

● Start Internal IP Address and End Internal IP Address: They specify the internal address range of the NAT rule. The LAN hosts that belong to this address range will preferentially use the NAT rule.

● Weight: It specifies the weight of the NAT rule. It should be a number between 1 and 255. The default value is 1.

 Bind to: It specifies an Internet connection to which the NAT rule is bound. The LAN hosts that match the NAT rule will access the Internet through this Internet connection.

 Description: It specifies the description of the NAT rule.

 Save: Click it to save the NAT rule settings.

8.3.3.2 One2One NAT Rule Settings

Figure 8-9 One2One NAT Rule Settings

● NAT Type: It specifies the type of the NAT rule. The available options are EasyIP , One2One , and Passthrough . Here please select One2One .


● Start External IP Address: It specifies the start external IP address to which the start internal IP address is mapped.

● Start Internal IP Address and End Internal IP Address: They specify the internal address range of the NAT rule. The LAN hosts that belong to this address range will use the NAT rule.

● Bind to: It specifies the Internet connection to which the NAT rule is bound. The LAN hosts that match the NAT rule will access the Internet through this Internet connection.

● Description: It specifies the description of the NAT rule.

● Save: Click it to save the NAT rule settings.

Note

1. When creating a One2One NAT rule, you should set the Start External IP Address ; the number of external IP addresses is the same as the number of internal IP addresses, which is determined by the Start Internal IP Address and End Internal IP Address . For example, if the Start Internal IP Address is 192.168.20.6, the End Internal IP Address is 192.168.20.8, and the Start External IP Address is 200.200.200.116, then 192.168.20.6, 192.168.20.7, and 192.168.20.8 will be mapped to 200.200.200.116, 200.200.200.117, and 200.200.200.118 respectively.

2. In order for both LAN hosts and Internet hosts to be able to access a One2One NAT rule's external IP addresses (that is, public IP addresses), after you have finished configuring the One2One NAT rule, the Device will automatically create the related static routes and enable NAT proxy ARP (by selecting Nat from the Proxy ARP drop-down list) on the related WAN interface. You can go to the Advanced > Static Route page to view those static routes in the Static Route List ; therein, the static route's Destination IP is a public IP address, and its Gateway IP is the related WAN interface's IP address.


8.3.3.3 Passthrough NAT Rule Settings

Figure 8-10 Passthrough NAT Rule Settings

● NAT Type: It specifies the type of the NAT rule. The available options are EasyIP , One2One , and Passthrough . Here please select Passthrough .

● Start Internal IP Address and End Internal IP Address: They specify the internal address range of the NAT rule. They are usually public IP addresses provided by the ISP. The LAN hosts that belong to this address range will use the Passthrough NAT rule; that is, the Device will not perform NAT for them, so the packets sent by these hosts to outside hosts will be directly routed and forwarded. Note that the internal address range of a Passthrough NAT rule should not overlap with the external address range of any EasyIP or One2One NAT rule.

● Bind to: It specifies the Internet connection to which the NAT rule is bound. The LAN hosts that match the NAT rule will access the Internet through this Internet connection.

● Description: It specifies the description of the NAT rule.

● Save: Click it to save the NAT rule settings.


8.3.4 NAT Rule List

Figure 8-11 NAT Rule List

● Add a NAT Rule: If you want to add a new NAT rule, click the New button or select the NAT Rule Settings tab to go to the setup page, configure it, and lastly click the Save button.

● View NAT Rule(s): When you have configured some NAT rules, you can view them in the NAT Rule List .

● Edit a NAT Rule: If you want to modify a configured NAT rule, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button.

● Delete NAT Rule(s): If you want to delete one or more NAT rules, select their leftmost check boxes, and then click the Delete button.

8.3.5 How to Add the NAT Rules

If you want to add one or more NAT rules, do the following:

Step 1 Please decide the type of the NAT rule.

Step 2 Go to the NAT > NAT Rule page, and then click the New button or select the NAT Rule Settings tab to go to the setup page.

Step 3 Select a type from the NAT Type drop-down list as required.


Step 4 There are three cases:

1) If the NAT rule's type is EasyIP , please specify the External IP Address , Start Internal IP Address , End Internal IP Address , and Weight as required.

2) If the NAT rule's type is One2One , please specify the Start External IP Address , Start Internal IP Address , and End Internal IP Address as required.

3) If the NAT rule's type is Passthrough , please specify the Start Internal IP Address and End Internal IP Address as required.

Step 5 Select an Internet connection from the Bind to drop-down list as required.

Step 6 Click the Save button to save the settings. You can view the NAT rule in the NAT Rule List .

Step 7 If you want to add another new NAT rule, please repeat the above steps.

Note

1. If you want to delete one or more NAT rules, select the leftmost check boxes of them in the NAT Rule List , and then click the Delete button. Note that you cannot delete the system reserved NAT rules here.

2. A system reserved NAT rule's external IP address is 0.0.0.0, which means that the rule uses the related WAN interface's IP address as its external IP address; it is non-editable. A user-defined NAT rule's external IP address can be neither 0.0.0.0 nor the related WAN interface's IP address; that is, you can only use the other public IP addresses provided by your ISP as its external IP addresses.

3. The internal IP address ranges of different NAT rules should not overlap, and their external IP address ranges should not overlap either; in addition, the internal IP address range of a Passthrough NAT rule should not overlap with the external IP address range of any EasyIP or One2One NAT rule.


8.3.6 Configuration Examples for NAT Rule

8.3.6.1 An Example for Configuring EasyIP NAT Rule

1. Requirements

In this example, an Internet café has a single Internet connection, and obtains eight public IP addresses (from 218.1.21.0/29 to 218.1.21.7/29) from the ISP. Therein, 218.1.21.1/29 is used as the Internet connection's gateway IP address, and 218.1.21.2/29 is used as the Device's WAN1 interface's IP address. Note that 218.1.21.0/29 and 218.1.21.7/29 cannot be used as they are the subnet number and broadcast address respectively.

The administrator wants the hosts in the online game area (its address range is from 192.168.20.10/24 to 192.168.20.100/24) to use 218.1.21.3/29 to access the Internet. To achieve this, he should create an EasyIP NAT rule for them. The rule's External IP Address is 218.1.21.3, Start Internal IP Address is 192.168.20.10, End Internal IP Address is 192.168.20.100, and Bind to is WAN1. We assume that the Weight is 2.

2. Configuration Procedure

The configuration steps are the following:

Step 1 Go to the NAT > NAT Rule page, and select the NAT Rule Settings tab to go to the setup page.

Step 2 Select EasyIP from the NAT Type drop-down list, see the following figure.

Figure 8-12 EasyIP NAT Rule Settings - Example

Step 3 Enter 218.1.21.3 in the External IP Address text box, enter 192.168.20.10 in the Start Internal IP Address text box, and enter 192.168.20.100 in the End Internal IP Address text box.

Step 4 Enter 2 in the Weight text box.

Step 5 Select WAN1 from the Bind to drop-down list.

Step 6 Click the Save button to save the settings.

Till now you have finished configuring the NAT rule, and you can view its configuration in the NAT Rule List.

8.3.6.2 An Example for Configuring One2One NAT Rule

1. Requirements

In this example, see Figure 8-13, a business has a single static IP Internet connection, and obtains eight public IP addresses (from 202.1.1.128/29 to 202.1.1.135/29) from the ISP. Therein, 202.1.1.129/29 is used as the Internet connection's gateway IP address, and 202.1.1.130/29 is used as the Device's WAN1 interface's IP address. Note that 202.1.1.128/29 and 202.1.1.135/29 cannot be used as they are the subnet number and broadcast address respectively.

Figure 8-13 Network Topology for One2One NAT Rule Configuration Example

The business employees will share a single public IP address, 202.1.1.130/29, to access the Internet. The LAN's subnet number is 192.168.20.0, and its subnet mask is 255.255.255.0. The business wants to use the remaining four public IP addresses (from 202.1.1.131/29 to 202.1.1.134/29) to create a One2One rule for the four local servers, so that outside users can use these public addresses to access the local servers through the Device. The four local servers' IP addresses are from 192.168.20.200/24 to 192.168.20.203/24, which are mapped to 202.1.1.131/29, 202.1.1.132/29, 202.1.1.133/29, and 202.1.1.134/29 respectively.

2. Analysis

Firstly, we need to configure a static IP Internet connection on the WAN1 interface in the Basic > WAN page or through the Quick Wizard. After you have configured the Internet connection, the Device will automatically create a related system reserved NAT rule, and also enable NAT.

Secondly, we need to create a One2One NAT rule for the four local servers. After you have configured this rule, the Device will automatically create the related static route and enable NAT proxy ARP on the WAN1 interface. See section 8.3.3.2 One2One NAT Rule Settings for a detailed description.

3. Configuration Procedure

Here we only describe how to create the One2One NAT rule.

The configuration steps are the following:

Step 1 Go to the NAT > NAT Rule page, and select the NAT Rule Settings tab to go to the setup page.

Step 2 Select One2One from the NAT Type drop-down list, see the following figure.

Figure 8-14 One2One NAT Rule Settings - Example

Step 3 Enter 202.1.1.131 in the Start External IP Address text box, enter 192.168.20.200 in the Start Internal IP Address text box, and enter 192.168.20.203 in the End Internal IP Address text box.

Step 4 Select WAN1 from the Bind to drop-down list.


Step 5 Click the Save button to save the settings.

Till now you have finished configuring the NAT rule, and you can view its related configuration in the NAT Rule List.

8.3.6.3 An Example for Configuring Passthrough NAT Rule

1. Requirements

In this example, see Figure 8-15, a business has a single static IP Internet connection. The connection IP address is 202.96.97.2/30, and the connection's gateway IP address is 202.96.97.1/30. The business employees will share the IP address 202.96.97.2/30 to access the Internet. The LAN's subnet number is 192.168.20.0, and its subnet mask is 255.255.255.0.

Furthermore, the ISP has assigned a range of IP addresses (from 202.96.100.0/27 to 202.96.100.31/27) to the business. The business wants to assign these public IP addresses to some local servers, and create a Passthrough NAT rule for these local servers. Note that 202.96.100.0/27 and 202.96.100.31/27 cannot be used as they are the subnet number and broadcast address respectively.

Figure 8-15 Network Topology for Passthrough NAT Rule Configuration Example

2. Analysis

Firstly, we need to configure a static IP Internet connection on the WAN1 interface in the Basic > WAN page or through the Quick Wizard. After you have configured the Internet connection, the Device will automatically create the related system reserved NAT rule, and also enable NAT.

Secondly, in order to make the opened local servers reachable by direct routing, we need to connect the servers to the Device's WAN2 interface over a switch, set the WAN2 interface IP address to 202.96.100.1/27, set each server's IP address to an address in the range of 202.96.100.2/27 through 202.96.100.30/27, and set each server's default gateway IP address to 202.96.100.1/27.

Lastly, we need to create a Passthrough NAT rule for the opened local servers.

3. Configuration Procedure

Here we only describe how to create the Passthrough NAT rule.

The configuration steps are the following:

Step 1 Go to the NAT > NAT Rule page, and select the NAT Rule Settings tab to go to the setup page.

Step 2 Select Passthrough from the NAT Type drop-down list, see the following figure.

Figure 8-16 Passthrough NAT Rule Settings - Example

Step 3 Enter 202.96.100.2 in the Start Internal IP Address text box, and enter 202.96.100.30 in the End Internal IP Address text box.

Step 4 Select WAN2 from the Bind to drop-down list.

Step 5 Click the Save button to save the settings.

Till now you have finished configuring the NAT rule, and you can view its configuration in the NAT Rule List.
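The three examples above, together with the overlap and reserved-address constraints in the note of section 8.3.5, can be checked mechanically before the rules are entered. The following Python script is an added example written for this guide, not firmware code or a Digicom tool. It models a rule with the fields of the setup page, derives the external range that a One2One rule occupies from the size of its internal range (an assumption about how the Device sizes it), builds the internal-to-external table of example 8.3.6.2, and reports violations of the note's rules. The inputs are the addresses of examples 8.3.6.2 and 8.3.6.3 plus two constructed rules that break the constraints.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class NatRule:
    """One NAT rule as entered in NAT > NAT Rule (field names follow the setup page)."""
    nat_type: str                   # "EasyIP", "One2One" or "Passthrough"
    start_internal: str             # Start Internal IP Address
    end_internal: str               # End Internal IP Address
    bind_to: str                    # Bind to (WAN interface)
    external: Optional[str] = None  # External IP Address (EasyIP) / Start External IP Address (One2One)
    weight: int = 1                 # Weight (EasyIP only)

    def internal_range(self):
        return (IPv4Address(self.start_internal), IPv4Address(self.end_internal))

    def external_range(self):
        """External addresses the rule occupies; Passthrough rules occupy none."""
        if self.nat_type == "Passthrough":
            return None
        start = IPv4Address(self.external)
        if self.nat_type == "EasyIP":
            return (start, start)
        lo, hi = self.internal_range()          # assumption: One2One uses one external per internal host
        return (start, start + (int(hi) - int(lo)))


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def one2one_mapping(rule):
    """Internal -> external address table implied by a One2One rule."""
    lo, hi = rule.internal_range()
    ext = rule.external_range()[0]
    return {str(lo + i): str(ext + i) for i in range(int(hi) - int(lo) + 1)}


def validate_rules(rules, wan_ip, wan_subnet):
    """Check user-defined rules against the constraints in the manual's note;
    returns a list of problems (empty when the rule set is acceptable)."""
    problems = []
    wan_net = IPv4Network(wan_subnet, strict=False)
    unusable = {IPv4Address("0.0.0.0"), IPv4Address(wan_ip),          # system reserved rule only
                wan_net.network_address, wan_net.broadcast_address}   # subnet number / broadcast
    for i, r in enumerate(rules):
        lo, hi = r.internal_range()
        if lo > hi:
            problems.append(f"rule {i}: Start Internal IP Address is after End Internal IP Address")
        ext = r.external_range()
        if ext is not None:
            for addr in ext:
                if addr in unusable:
                    problems.append(f"rule {i}: external address {addr} cannot be used")
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            a, b = rules[i], rules[j]
            if ranges_overlap(a.internal_range(), b.internal_range()):
                problems.append(f"rules {i} and {j}: internal IP ranges overlap")
            ea, eb = a.external_range(), b.external_range()
            if ea and eb and ranges_overlap(ea, eb):
                problems.append(f"rules {i} and {j}: external IP ranges overlap")
            for p, q, pi, qi in ((a, b, i, j), (b, a, j, i)):
                qe = q.external_range()
                if p.nat_type == "Passthrough" and qe and ranges_overlap(p.internal_range(), qe):
                    problems.append(f"rule {pi}: Passthrough internal range overlaps rule {qi}'s external range")
    return problems


# Rules from the manual's examples 8.3.6.2 and 8.3.6.3
SERVERS = NatRule("One2One", "192.168.20.200", "192.168.20.203", "WAN1", external="202.1.1.131")
PASSTHROUGH = NatRule("Passthrough", "202.96.100.2", "202.96.100.30", "WAN2")
# Constructed rules that violate the constraints (not from the manual)
CLASHING = NatRule("EasyIP", "192.168.20.10", "192.168.20.100", "WAN1", external="202.1.1.134", weight=2)
USES_WAN_IP = NatRule("EasyIP", "192.168.20.10", "192.168.20.100", "WAN1", external="202.1.1.130")

if __name__ == "__main__":
    print(one2one_mapping(SERVERS))
    print(validate_rules([SERVERS, PASSTHROUGH], "202.1.1.130", "202.1.1.128/29"))
    print(validate_rules([SERVERS, CLASHING, USES_WAN_IP], "202.1.1.130", "202.1.1.128/29"))
```

Run as a script, it prints the One2One table and two problem lists; an empty list means the rule set satisfies every constraint the note states, and each reported string names the rule index so the offending entry can be corrected before it is saved on the Device.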


8.4 UPnP

This section describes the NAT > UPnP page.

Universal Plug and Play (UPnP) is an architecture that implements zero-configuration networking, that is, it provides automatic IP configuration and dynamic discovery of UPnP-compatible devices from various vendors. A UPnP-compatible device can dynamically join a network, obtain an IP address, announce its name, convey its capabilities upon request, and learn about the presence and capabilities of other devices on the network.

The Device can implement NAT traversal by enabling UPnP. When you enable UPnP, the Device allows any LAN UPnP-enabled device to perform a variety of actions, including retrieving the public IP address, enumerating existing port mappings, and adding or removing port mappings. By adding a port mapping, a UPnP-enabled device opens the related service ports on the Device so that Internet hosts can access the service. Windows Messenger is an example of an application that supports NAT traversal and UPnP.

The Device provides the UPnP Port Forwarding List, which lists all the port forwarding rules established using UPnP. You can view each port forwarding rule's detailed information in the list, which includes internal IP address, internal port, protocol, remote IP address, external port, and description.

8.4.1 Enable UPnP

Figure 8-17 Enable UPnP

 Enable UPnP: It allows you to enable or disable UPnP. If you want to enable UPnP, please select this check box.

 Save: Click it to save your settings.


Note

The UPnP is enabled on the LAN interface by default.

8.4.2 UPnP Port Forwarding List

Figure 8-18 UPnP Port Forwarding List

 ID: It is used to identify each UPnP port forwarding rule in the list.

 Internal IP: It displays the IP address of the LAN host.

 Internal Port: It displays the service port provided by the LAN host.

 Protocol: It displays the transport protocol used by the service.

 Remote IP: It displays the IP address of the remote host.

 External Port: It displays the external port of the UPnP port forwarding, which is opened for outside users to access.

 Description: It displays the description of the UPnP port forwarding rule.

 Delete: If you want to delete one or more UPnP port forwarding rules, select the leftmost check boxes of them, and then click the Delete button.
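Because any LAN UPnP-enabled device can add port mappings on its own, the UPnP Port Forwarding List is worth reviewing regularly. The Python script below is an added example, not part of this manual or of the Device's software. It parses a constructed copy of the list in the column order described above, flags mappings that are open to any remote host (it assumes a Remote IP of 0.0.0.0 means no remote restriction) or that forward an administrative service port (the port set is this example's own choice), and counts mappings per LAN host. Entries the review flags can then be removed with the Delete button described above.

```python
from collections import defaultdict

# Assumption of this example: ports of remote-administration services that a LAN
# device should not normally open towards the Internet through a UPnP request.
SENSITIVE_PORTS = {22, 23, 445, 3389, 5900}

# Constructed export in the list's column order:
# ID  Internal IP  Internal Port  Protocol  Remote IP  External Port  Description
SAMPLE_LIST = """\
1 192.168.20.15 6881 TCP 0.0.0.0 6881 BitTorrent client
2 192.168.20.22 3389 TCP 0.0.0.0 3389 Remote Desktop
3 192.168.20.40 5000 UDP 203.0.113.7 5000 Game session
"""


def parse_upnp_list(text):
    """Turn the whitespace-separated list rows into dicts keyed by the list's columns."""
    rows = []
    for line in text.splitlines():
        f = line.split(maxsplit=6)          # the description may contain spaces
        if len(f) < 6:
            continue                        # blank or truncated row
        rows.append({"id": int(f[0]), "internal_ip": f[1], "internal_port": int(f[2]),
                     "protocol": f[3], "remote_ip": f[4], "external_port": int(f[5]),
                     "description": f[6] if len(f) > 6 else ""})
    return rows


def review_mappings(rows):
    """Return (ID, internal IP, reason) for mappings that deserve a closer look."""
    findings = []
    for r in rows:
        reasons = []
        if r["remote_ip"] == "0.0.0.0":     # assumption: 0.0.0.0 means any remote host
            reasons.append("reachable from any remote host")
        if r["internal_port"] in SENSITIVE_PORTS:
            reasons.append(f"forwards administrative service port {r['internal_port']}")
        if reasons:
            findings.append((r["id"], r["internal_ip"], "; ".join(reasons)))
    return findings


def mappings_per_host(rows):
    """How many mappings each LAN host has opened; a host with many is worth a check."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["internal_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_upnp_list(SAMPLE_LIST)
    for finding in review_mappings(rows):
        print(finding)
    print(mappings_per_host(rows))
```

The review only reads the list; deleting a flagged mapping is still done from the UPnP Port Forwarding List page, and disabling UPnP altogether (section 8.4.1) stops LAN devices from adding new ones.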


Chapter 9 PPPoE Server

9.1 Introduction to PPPoE

PPPoE stands for Point-to-Point Protocol over Ethernet, and uses a client/server model. PPPoE provides the ability to connect Ethernet hosts to a remote Access Concentrator (AC) over a simple bridging access device, and it provides extensive access control, management and accounting benefits to ISPs and network administrators.

PPPoE is a network protocol for encapsulating PPP frames in Ethernet frames to provide a point-to-point connection over an Ethernet network.

9.1.1 PPPoE Stages

As specified in RFC 2516, PPPoE has two distinct stages: a discovery stage and a PPP session stage. The following describes them respectively.

9.1.2 PPPoE Discovery Stage

In the PPPoE discovery stage, a PPPoE client finds a proper server, and then builds the connection. When a client initiates a PPPoE session, it performs discovery to identify the PPPoE server's Ethernet MAC address and to establish a PPPoE session ID.

Figure 9-1 PPPoE Discovery Stage Flows


See Figure 9-1; the discovery stage includes the following four steps:

1. PADI (PPPoE Active Discovery Initiation): At the beginning, a PPPoE client broadcasts a PADI packet to find all the servers it could possibly connect to, and waits until it receives PADO packets from one or more servers. The PADI packet must contain a service name which indicates the service requested by the client.

2. PADO (PPPoE Active Discovery Offer): When a PPPoE server receives a PADI packet within its service range, it sends a PADO response packet. The PADO packet must contain the server's name, a service name identical to the one in the PADI, and any number of other service names which indicate other services that the PPPoE server can offer. If a PPPoE server receives a PADI packet beyond its service range, it must not respond with a PADO packet.

3. PADR (PPPoE Active Discovery Request): The client may receive more than one PADO packet, as the PADI was broadcast. The client chooses one server according to the server's name or the services offered, and then sends a PADR packet to the selected server. The PADR packet must contain a service name which indicates the service requested by the client.

4. PADS (PPPoE Active Discovery Session-confirmation): When a PPPoE server receives a PADR packet, it prepares to begin a PPP session. It generates a unique PPPoE session ID, and responds to the client with a PADS packet. The PADS packet must contain a service name which indicates the service provided to the client.

When the discovery stage completes successfully, both the server and the client know the PPPoE session ID and the peer's Ethernet MAC address, which together uniquely define the PPPoE session.

9.1.3 PPP Session Stage

In the PPP session stage, the server and client perform standard PPP negotiation to establish a PPP connection. After the PPP connection is established successfully, the original datagrams are encapsulated in PPP frames, and the PPP frames are encapsulated in PPPoE session frames, which have the Ethernet type 0x8864. These Ethernet frames are then sent to the peer. In a PPPoE session frame, the session ID must be the value assigned in the discovery stage, and cannot be changed during the session.


9.1.4 PPPoE Session Termination

After a session is established, either the server or the client may send a PADT (PPPoE Active Discovery Terminate) packet at any time to indicate that the session has been terminated. The PADT packet's SESSION-ID must be set to indicate which session is to be terminated. Once a PADT is received, no further PPP packets (even normal PPP termination packets) may be sent using the specified session. A PPP peer should use the PPP protocol itself to terminate a PPPoE session, but may use the PADT packet to terminate the PPPoE session if PPP cannot be used.
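The discovery exchange of section 9.1.2, the session frame format of section 9.1.3 and the PADT handling of section 9.1.4 can be exercised end to end with the Python simulation below. It is an added example, not the Device's PPPoE server implementation: the PppoeServer class plays the access concentrator, client_discovery plays the client, and the frame layout follows RFC 2516 (Ethernet types 0x8863 and 0x8864, the PPPoE codes, and the Service-Name, AC-Name and Host-Uniq tags). Session IDs are handed out sequentially for readability, and the AC name, service names and MAC addresses are constructed.

```python
import struct

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864        # Ethernet types from RFC 2516
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, code, session_id, tags=(), ppp_payload=b""):
    """Ethernet header + PPPoE header (ver/type 0x11) + either tags or a PPP payload."""
    payload = ppp_payload or b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!HBBHH", ethertype, 0x11, code, session_id, len(payload))
    return dst + src + hdr + payload


def parse_frame(frame):
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    tags, off = [], 0
    while ethertype == ETH_DISCOVERY and off + 4 <= len(payload):   # tags exist only in discovery frames
        t, n = struct.unpack("!HH", payload[off:off + 4])
        if t == TAG_EOL:
            break
        tags.append((t, payload[off + 4:off + 4 + n]))
        off += 4 + n
    return {"dst": frame[:6], "src": frame[6:12], "ethertype": ethertype, "code": code,
            "session_id": session_id, "tags": tags, "payload": payload}


def tag_values(tags, tag_type):
    return [v for t, v in tags if t == tag_type]


class PppoeServer:
    """Access concentrator side of the discovery stage, plus PADT handling."""

    def __init__(self, mac_addr, ac_name, services, max_sessions):
        self.mac, self.ac_name, self.services = mac_addr, ac_name, services
        self.max_sessions, self.sessions, self._next_id = max_sessions, {}, 1

    def handle(self, frame):
        """Return the reply frame, or None when the frame must not be answered."""
        f = parse_frame(frame)
        if f["ethertype"] != ETH_DISCOVERY:
            return None
        wanted = tag_values(f["tags"], TAG_SERVICE_NAME)
        echo = [(TAG_HOST_UNIQ, v) for v in tag_values(f["tags"], TAG_HOST_UNIQ)]  # echoed unchanged
        requested = wanted[0] if wanted else b""
        if f["code"] == PADI:
            # Only a broadcast PADI for a service we offer gets a PADO (empty name = any service)
            if f["dst"] != BROADCAST or (requested and requested not in self.services):
                return None
            offer = [(TAG_AC_NAME, self.ac_name), (TAG_SERVICE_NAME, requested)]
            offer += [(TAG_SERVICE_NAME, s) for s in self.services if s != requested]
            return build_frame(f["src"], self.mac, ETH_DISCOVERY, PADO, 0, offer + echo)
        if f["code"] == PADR:
            if f["dst"] != self.mac or len(self.sessions) >= self.max_sessions:
                return None                 # Max. Sessions reached: no PADS
            sid, self._next_id = self._next_id, self._next_id + 1   # unique per AC; 0xFFFF is reserved
            self.sessions[sid] = f["src"]
            return build_frame(f["src"], self.mac, ETH_DISCOVERY, PADS, sid,
                               [(TAG_SERVICE_NAME, requested)] + echo)
        if f["code"] == PADT:               # either side may end the session at any time
            if self.sessions.get(f["session_id"]) == f["src"]:   # only the session's own peer
                del self.sessions[f["session_id"]]
        return None


def client_discovery(server, client_mac, service, host_uniq=b"\x00\x2a"):
    """Run PADI -> PADO -> PADR -> PADS against `server`; returns (AC MAC, session ID) or None."""
    req = [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]
    pado = server.handle(build_frame(BROADCAST, client_mac, ETH_DISCOVERY, PADI, 0, req))
    if pado is None:
        return None
    o = parse_frame(pado)
    if o["code"] != PADO or host_uniq not in tag_values(o["tags"], TAG_HOST_UNIQ):
        return None                         # not an answer to our PADI: ignore it
    pads = server.handle(build_frame(o["src"], client_mac, ETH_DISCOVERY, PADR, 0, req))
    if pads is None:
        return None
    s = parse_frame(pads)
    return (s["src"], s["session_id"]) if s["code"] == PADS else None


def session_frame(dst, src, session_id, ppp_frame):
    """PPP session stage: PPP frames ride in Ethernet type 0x8864 with the assigned session ID."""
    return build_frame(dst, src, ETH_SESSION, 0x00, session_id, ppp_payload=ppp_frame)
```

Three behaviours from the text are visible in the code: a PADI for a service outside the server's range gets no PADO at all, the client uses the Host-Uniq tag to accept only offers that answer its own PADI, and a PADT removes the session so that no further frames with that session ID are accepted.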

9.2 PPPoE Server Settings

The FW4x-IPxx-U01 Series Security Firewalls support PPPoE server to allow LAN hosts acting as the PPPoE clients to dial up to the Device.

The FW4x-IPxx-U01 Series Security Firewalls provide rich PPPoE server features, which include PPPoE server global settings, PPPoE account settings, static and dynamic address allocation, PPPoE account and MAC address binding, PPPoE account and IP address binding, PPPoE IP/MAC binding, PPPoE status viewing, and so on.

9.2.1 PPPoE Server Global Settings

Figure 9-2 PPPoE Server Global Settings


 Enable PPPoE Server: It allows you to enable or disable PPPoE server. If you want to enable PPPoE server on the Device, please select this check box. Only after you have enabled PPPoE server, you can configure the other parameters in this page.

 Start IP Address: It specifies the starting IP address that is assigned by the PPPoE server.

 Number of Addresses: It specifies the maximum number of IP addresses that can be assigned to the PPPoE clients. The addresses can be assigned dynamically or manually by the PPPoE server.

 Primary DNS Server: It specifies the IP address of the primary DNS server that is available to a PPPoE client.

 Secondary DNS Server: It specifies the IP address of the secondary DNS server that is available to a PPPoE client.

 Advanced Options: Click it to view and configure advanced parameters. In most cases, you need not configure them.

 PPP Authentication: It specifies the PPP authentication mode by which the PPPoE server authenticates a PPPoE client. The available options are NONE, PAP, CHAP and Either. In most cases, please leave the default value of Either, which means that the Device will automatically choose PAP or CHAP to authenticate the PPPoE client.

 Max. Sessions: It specifies the maximum number of PPPoE sessions that can be created on the Device. The maximum value of Max. Sessions depends on the specific product model.

 Save: Click it to save the PPPoE server global settings.

9.2.2 Internet Access Control

Figure 9-3 Internet Access Control Settings

 Only Allow PPPoE Users: It allows you to enable or disable Only Allow PPPoE Users, that is, whether only the PPPoE dial-in users can access the Internet through the Device. If you want to allow only the PPPoE dial-in users to access the Internet through the Device, please select this option. The only exception is the address group you select from the Exception drop-down list.

 Exception: It specifies an address group that is exempt from the restriction of Only Allow PPPoE Users. If you select an address group here, the LAN users that belong to this address group are exempt from the restriction of Only Allow PPPoE Users; that is, whether it is enabled or not, those users may access the Internet through the Device even if they aren't PPPoE dial-in users. The address group is configured in the Security > Address Group page.

 Save: Click it to save the Internet access control settings.


9.3 PPPoE Account

This section describes the PPPoE > PPPoE Account page, which includes the PPPoE Account Settings, PPPoE Account List, Import Accounts and PPPoE Account Billing.

9.3.1 PPPoE Account Settings

In the PPPoE > PPPoE Account > PPPoE Account Settings page, you can configure PPPoE account related parameters, which include basic parameters, rate limit parameters and security parameters.


Figure 9-4 PPPoE Account Settings

 User Name: It specifies a unique user name of the PPPoE account. It should be between 1 and 31 characters long. The PPPoE server will use User Name and Password to identify the PPPoE client.

 Password: It specifies the password of the PPPoE account.

 Description: It specifies the description of the PPPoE account.

 Advanced Options: Click it to view and configure advanced parameters. In most cases, you need not configure them.

 Idle Timeout: It specifies how long the PPPoE session stays connected while no packets are transmitted through it. The Device will automatically terminate the session after it has been inactive for the specified period of time. It should be between 0 and 65535 seconds. The default value is zero, which means that the Device will not terminate it.

 Session Timeout: It specifies how long the PPPoE session stays connected after it has been established. The Device will automatically terminate the session after it has been connected for the specified period of time. It should be between 0 and 65535 seconds. The default value is zero, which means that the Device will not terminate it.

 Dialing Schedule: It specifies a schedule during which a PPPoE client can use the current PPPoE account to dial up. If you select a schedule here, the PPPoE client is allowed to dial up only within the selected schedule; otherwise, the PPPoE client can always dial up. The schedule is configured in the Security > Schedule page.

 Tx Bandwidth: It specifies the maximum upload bandwidth of a PPPoE dial-in user that uses the current PPPoE account.

 Rx Bandwidth: It specifies the maximum download bandwidth of a PPPoE dial-in user that uses the current PPPoE account.

 Accounting Mode: The FW4x-IPxx-U01 Series support Account Billing of the PPPoE Server. It offers account billing in three modes: By Date, By Hour and By Traffic.

● None: If you don't want to bill a PPPoE account, select this option. The default value is None.

● By Date: The account will expire on the specified date. Refer to section 9.3.4 PPPoE Account Billing for more information.

● By Hours: The account will expire after the accumulated online time reaches the specified hours. Refer to section 9.3.4 PPPoE Account Billing for more information.

● By Traffic: The account will expire after the accumulated upload or download traffic reaches the specified megabytes. Refer to section 9.3.4 PPPoE Account Billing for more information.

 Max. Sessions: It specifies the maximum number of PPPoE sessions that can be created by using the current PPPoE account.

 Account/MAC Binding: It specifies the type of PPPoE account and MAC address binding. The available options are None , Auto and Manual .

● None: If you don’t want to create account/MAC binding for the current PPPoE account, select this option, then a PPPoE client with any MAC address can use the current PPPoE account to dial up.

● Auto: If you want to create the account/MAC binding for the current PPPoE account automatically, select this option. That is, the Device will automatically bind the PPPoE account to the MAC address of the first user who uses this account to establish a PPPoE session. After that, only this user can use the account.

● Manual: If you want to create account/MAC binding for the current PPPoE account manually, select this option, and configure up to four MAC addresses that are bound to the account. Then only the users with one of these MAC addresses can use the account.

 MAC Address: It specifies the MAC address that is bound to the current PPPoE account. If you select Manual from the Account/MAC Binding drop-down list, this parameter will be displayed. In this case, you should enter a MAC address that is bound to the account in the text box.

 MAC Address 2, MAC Address 3, and MAC Address 4: They specify another three MAC addresses that are bound to the current PPPoE account. If you select Manual from the Account/MAC Binding drop-down list, you can configure more than one MAC address (up to four) if needed.

 Account/IP Binding: It specifies a static IP address that is assigned to the user who uses the current PPPoE account. It must be a valid IP address in the range of address pool configured in the PPPoE > Global Settings page.

 Save: Click it to save the PPPoE account settings.

Note


1. If you want to assign a static IP address to the user that uses a PPPoE account to establish a PPPoE session, you should enter the IP address in the Account/IP Binding text box, and should set the Max. Sessions to 1.

2. The PPPoE IP/MAC binding has higher priority than the PPPoE account/IP binding; that is, if an IP/MAC binding and an account/IP binding have the same IP address, the Device will assign this IP address to the user that matches the IP/MAC binding. The IP/MAC binding is configured in the PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page.

3. The rate limit for a PPPoE account is in effect only when the Enable Rate Limit check box is selected in the QoS > Global Settings page.

9.3.2 PPPoE Account List

When you have configured some PPPoE accounts, you can view their configuration in the PPPoE Account List, including User Name, Enable, Tx Bandwidth, Rx Bandwidth, Account/IP Binding, Accounting Mode, Max. Sessions, and Description.

Figure 9-5 PPPoE Account List

 Add a PPPoE Account: If you want to add a new PPPoE account, click the New button or select the PPPoE Account Settings tab to go to the setup page, and then configure it, lastly click the Save button.

 Enable a PPPoE Account: The Enable check box is used to enable or disable the corresponding PPPoE account. The default value is selected, which means the PPPoE account is in effect. If you want to disable the PPPoE account temporarily instead of deleting it, please click it to remove the check mark.

 Edit a PPPoE Account: If you want to modify a configured PPPoE account, click its Edit hyperlink, and the related information will be displayed in the setup page. Then modify it, and click the Save button.

 Delete PPPoE Account(s): If you want to delete one or more PPPoE accounts, select the leftmost check boxes of them, and then click the Delete button.

9.3.3 Import Accounts

The PPPoE > PPPoE Account > Import Accounts page provides a PPPoE account import function to simplify operation. When you want to create a large number of PPPoE accounts, you can import them all at once in this page. You can edit them in Notepad and then copy them to the Import Accounts list box, or you can enter them directly in the Import Accounts list box. The import contents are the User Name, Password, and Description of each PPPoE account, one PPPoE account per line; the import format of a PPPoE account is: User Name <Space> Password <Space> Description <Enter>.

Figure 9-6 PPPoE Accounts Import

 Save: After you have entered the PPPoE accounts in the Import Accounts list box, click the Save button to save them to the Device, and then you can view them in the PPPoE Account List.


Note

To avoid unnecessary data loss due to computer crashes, you can copy the entered PPPoE accounts to a Notepad file on your local PC before saving them to the Device.
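A parser for the Import Accounts format described above, as an added example that is not the Device's import routine: it applies the 1 to 31 character User Name rule from section 9.3.1, rejects lines without a password and duplicate user names, keeps spaces inside the Description, and can also produce import text from records, so that accounts generated elsewhere can be checked and pasted into the list box. The sample text is constructed.

```python
USERNAME_MAX = 31   # User Name must be 1 to 31 characters (section 9.3.1)

# Constructed import text in the page's format: User Name <Space> Password <Space> Description
SAMPLE_IMPORT = """\
alice s3cretPw Office A
bob   hunter22 Warehouse, night shift

averyveryverylongusernamethatexceedsthirtyone pw Too long
carol
alice otherPw Duplicate name
"""


def parse_import_accounts(text):
    """Parse Import Accounts text; returns (accounts, errors), each account a dict."""
    accounts, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                                    # blank lines are skipped
        parts = line.split(None, 2)                     # the description keeps its inner spaces
        if len(parts) < 2:
            errors.append(f"line {lineno}: user name and password are both required")
            continue
        user, password = parts[0], parts[1]
        description = parts[2] if len(parts) == 3 else ""
        if not 1 <= len(user) <= USERNAME_MAX:
            errors.append(f"line {lineno}: user name must be 1 to {USERNAME_MAX} characters")
            continue
        if user in seen:
            errors.append(f"line {lineno}: duplicate user name {user!r}")
            continue
        seen.add(user)
        accounts.append({"user_name": user, "password": password, "description": description})
    return accounts, errors


def format_import(accounts):
    """Produce Import Accounts text from records (inverse of parse_import_accounts)."""
    lines = []
    for a in accounts:
        if " " in a["user_name"] or " " in a["password"]:
            raise ValueError("user name and password cannot contain spaces in the import format")
        fields = (a["user_name"], a["password"], a.get("description", ""))
        lines.append(" ".join(p for p in fields if p))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    accounts, errors = parse_import_accounts(SAMPLE_IMPORT)
    print(format_import(accounts))
    print("\n".join(errors))
```

Checking the text this way before clicking Save keeps malformed lines from being silently accepted or rejected as a batch, and the error messages carry line numbers so the offending entries are easy to find in Notepad.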

9.3.4 PPPoE Account Billing

9.3.4.1 Introduction to PPPoE Account Billing Mechanism

PPPoE Account Billing is a specific function of the FW4x-IPxx-U01 Series Security Firewalls. It provides a billing mechanism: according to the Accounting Mode, the Device runs the billing mechanism by Date, Hour or Traffic. Together with the PPPoE Account Expiration Notice, which alerts the user to renew the account, PPPoE Account Billing can be a very helpful billing tool, especially for communication services. When the PPPoE account expires, the account is no longer available unless the user renews it. Figure 9-7 shows the billing mechanism.


Figure 9-7 PPPoE Account Billing mechanism (flowchart: START; Check Accounting Mode; By Date: Set Expiration Date, Billing by Date, when the expiration date is reached the account is closed unless renewed; By Hour: Set Online Hours, Billing by Hour, when the remaining hours reach 0 the account is closed unless renewed; By Traffic: Set Max. Tx/Rx Traffic, Billing by Traffic, when the remaining Tx/Rx traffic reaches 0 the account is closed unless renewed; None: END)

9.3.4.2 PPPoE Account Billing By Date

If you want to create a PPPoE billing account by date, go to the PPPoE > PPPoE Account > PPPoE Account Settings page and set the Accounting Mode to By Date, see Figure 9-8.


Figure 9-8 PPPoE Account Billing By Date

 Accounting Mode: It specifies the accounting mode of the PPPoE billing account. Here select By Date.

 Account Opening Date: It specifies the opening date of the PPPoE account. If the current date is before the Account Opening Date, the account cannot be used because it has been disabled by the FW4x-IPxx-U01 device.

 Account Expiration Date: It specifies the expiration (end) date of the PPPoE account. If the current date is after the Account Expiration Date, the account cannot be used because it has been disabled by the FW4x-IPxx-U01 device.

Note

1. To ensure that PPPoE Account Billing operates properly, you should synchronize the system clock in the System > Time page.

2. Before the PPPoE account expires, if you have also set the PPPoE Account Expiration Notice (refer to section 9.7 PPPoE Account Expiration Notice for more information), the device will push a notice to the user. If the user decides to renew the account (Accounting Mode is By Date), the administrator should set the Account Opening Date and Account Expiration Date to new dates.

9.3.4.3 PPPoE Account Billing By Hour

If you want to create a PPPoE billing account by hour, go to the PPPoE > PPPoE Account > PPPoE Account Settings page and set the Accounting Mode to By Hour.

Figure 9-9 PPPoE Account Billing By Hour

 Accounting Mode: It specifies the accounting mode of the PPPoE billing account. Here select By Hour.

 Hours: It specifies the maximum online time (in hours) of the PPPoE account. The device accumulates the online time of the PPPoE account; once the online time reaches the maximum online time, the account cannot be used because it has been disabled by the FW4x-IPxx-U01 device. 0 means no limit: the account is always enabled.

Note

1. To ensure that PPPoE Account Billing operates properly, you should synchronize the system clock in the System > Time page.

2. Before the PPPoE account expires, if you have also set the PPPoE Account Expiration Notice (refer to section 9.7 PPPoE Account Expiration Notice for more information), the device will push a notice to the user. If the user decides to renew the account (Accounting Mode is By Hour), the administrator should set the Hours to a new value.

9.3.4.4 PPPoE Account Billing By Traffic

If you want to create a PPPoE billing account by traffic, go to the PPPoE > PPPoE Account > PPPoE Account Settings page and set the Accounting Mode to By Traffic.

Figure 9-10 PPPoE Account Billing By Traffic

 Accounting Mode: It specifies the accounting mode of the PPPoE billing account. Here select By Traffic.

 Tx. Traffic: It specifies the maximum Tx. Traffic of the PPPoE account. The device accumulates the upload traffic of the PPPoE account; once the accumulated upload traffic reaches the Tx. Traffic, the account cannot be used because it has been disabled by the FW4x-IPxx-U01 device. 0 means no limit for upload traffic.

 Rx. Traffic: It specifies the maximum Rx. Traffic of the PPPoE account. The device accumulates the download traffic of the PPPoE account; once the accumulated download traffic reaches the Rx. Traffic, the account cannot be used because it has been disabled by the FW4x-IPxx-U01 device. 0 means no limit for download traffic.

Note

Before the accumulated upload/download traffic reaches the Tx./Rx. Traffic, if you have also set the PPPoE Account Expiration Notice (refer to section 9.7 PPPoE Account Expiration Notice for more information), the device will push a notice to the user. If the user decides to renew the account (Accounting Mode is By Traffic), the administrator should set the Tx. Traffic and Rx. Traffic to new values.
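The decision that the flowchart in Figure 9-7 and sections 9.3.4.2 to 9.3.4.4 describe, as an added Python example (not the Device's billing code): account_usable applies the By Date, By Hour and By Traffic rules exactly as worded in those sections (the account stops working the day after the Account Expiration Date; hours and traffic disable it once the limit is reached; 0 means no limit), and renew models the administrator setting new dates, hours or traffic values. The sample accounts and usage figures are constructed.

```python
from datetime import date


def account_usable(acct, today, online_hours, tx_mb, rx_mb):
    """Apply the Accounting Mode rules of section 9.3.4; returns (usable, reason)."""
    mode = acct["accounting_mode"]
    if mode == "None":
        return True, "no billing"
    if mode == "By Date":
        if today < acct["opening_date"]:
            return False, "before Account Opening Date"
        if today > acct["expiration_date"]:            # the expiration date itself is still valid
            return False, "after Account Expiration Date"
        return True, f"{(acct['expiration_date'] - today).days} day(s) left"
    if mode == "By Hour":
        limit = acct["hours"]
        if limit == 0:
            return True, "no hour limit"
        if online_hours >= limit:                       # "reaches" the maximum online time
            return False, "online hours reached"
        return True, f"{limit - online_hours} hour(s) left"
    if mode == "By Traffic":
        for name, used, limit in (("Tx", tx_mb, acct["tx_mb"]), ("Rx", rx_mb, acct["rx_mb"])):
            if limit and used >= limit:                 # 0 means no limit; either direction disables
                return False, f"{name} traffic limit reached"
        return True, "traffic within limits"
    raise ValueError(f"unknown accounting mode {mode!r}")


def renew(acct, **new_limits):
    """Renewal as the notes describe it: the administrator sets new dates, hours or traffic."""
    renewed = dict(acct)
    renewed.update(new_limits)
    return renewed


# Constructed sample accounts, one per Accounting Mode
SAMPLE_ACCOUNTS = {
    "By Date": {"accounting_mode": "By Date",
                "opening_date": date(2024, 1, 1), "expiration_date": date(2024, 1, 31)},
    "By Hour": {"accounting_mode": "By Hour", "hours": 20},
    "By Traffic": {"accounting_mode": "By Traffic", "tx_mb": 0, "rx_mb": 1024},
}


def run_examples():
    """Evaluate the samples at a few points of their life cycle; returns {label: (usable, reason)}."""
    d, h, t = SAMPLE_ACCOUNTS["By Date"], SAMPLE_ACCOUNTS["By Hour"], SAMPLE_ACCOUNTS["By Traffic"]
    return {
        "date, last valid day": account_usable(d, date(2024, 1, 31), 0, 0, 0),
        "date, day after expiry": account_usable(d, date(2024, 2, 1), 0, 0, 0),
        "date, renewed": account_usable(renew(d, expiration_date=date(2024, 2, 29)),
                                        date(2024, 2, 1), 0, 0, 0),
        "hour, limit reached": account_usable(h, date(2024, 1, 1), 20, 0, 0),
        "hour, renewed": account_usable(renew(h, hours=40), date(2024, 1, 1), 20, 0, 0),
        "traffic, unlimited upload": account_usable(t, date(2024, 1, 1), 0, 5000, 1023),
        "traffic, download reached": account_usable(t, date(2024, 1, 1), 0, 0, 1024),
    }


if __name__ == "__main__":
    for label, result in run_examples().items():
        print(f"{label}: {result}")
```

Because the By Date check compares against the current date, the result is only as good as the Device's clock, which is why the notes above ask for the system clock to be synchronized in the System > Time page.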

9.4 PPPoE IP/MAC Binding

In the PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page, you can create a binding by mapping a static IP address to a host’s MAC address, and then the PPPoE server will always assign this IP address to the specified host.

9.4.1 PPPoE IP/MAC Binding Settings

Figure 9-11 PPPoE IP/MAC Binding Settings

 IP Address: It specifies the IP address for the PPPoE IP/MAC binding. The PPPoE server will always assign this address to the PPPoE dial-in host specified by the MAC Address. It must be a valid IP address in the range of the address pool configured in the PPPoE > Global Settings page.

 MAC Address: It specifies the MAC address of a PPPoE dial-in host.

 Description: It specifies the description of the PPPoE IP/MAC binding.

 Save: Click it to save the PPPoE IP/MAC binding settings.

Note


1. If you create an IP/MAC binding for a PPPoE dial-in user, the PPPoE server will always assign the specified IP address to the user.

2. The PPPoE IP/MAC binding has higher priority than the PPPoE account/IP binding; that is, if an IP/MAC binding and an account/IP binding have the same IP address, the Device will assign this IP address to the user that matches the IP/MAC binding. The account/IP binding is configured in the PPPoE > PPPoE Account > PPPoE Account Settings page.
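Address assignment with the binding priorities stated in this note and in note 2 of section 9.3.1, as an added Python example (not the Device's implementation): an IP/MAC binding wins over an account/IP binding for the same address; a user whose account/IP address is claimed by an IP/MAC binding falls back to a dynamic address (an assumption, since the manual does not say what that user receives); and dynamically assigned addresses skip statically bound ones (also an assumption). The pool uses the values of the example in section 9.6 (start address 10.0.0.1, 100 addresses); the bindings, user names and MAC addresses are constructed.

```python
from ipaddress import IPv4Address


class PppoeAddressPool:
    """Address assignment of the PPPoE server: IP/MAC binding first, then
    account/IP binding, then a dynamic address from the pool."""

    def __init__(self, start_ip, count, ip_mac_bindings, account_ip_bindings):
        self.start = IPv4Address(start_ip)              # Start IP Address (PPPoE > Global Settings)
        self.count = count                              # Number of Addresses
        self.ip_mac = {m.lower(): IPv4Address(ip) for m, ip in ip_mac_bindings.items()}
        self.account_ip = {u: IPv4Address(ip) for u, ip in account_ip_bindings.items()}
        self.leases = {}                                # IPv4Address -> (user, mac)
        for ip in list(self.ip_mac.values()) + list(self.account_ip.values()):
            if not self.in_pool(ip):                    # bindings must lie inside the address pool
                raise ValueError(f"{ip} is outside the address pool")

    def in_pool(self, ip):
        return 0 <= int(ip) - int(self.start) < self.count

    def assign(self, user, mac):
        """Return (address, source) for a new session, or (None, reason) if none can be given."""
        mac = mac.lower()
        if mac in self.ip_mac:                          # highest priority: IP/MAC binding
            candidate, source = self.ip_mac[mac], "IP/MAC binding"
        elif user in self.account_ip and self.account_ip[user] not in self.ip_mac.values():
            candidate, source = self.account_ip[user], "account/IP binding"
        else:                                           # assumption: otherwise fall back to dynamic
            candidate, source = None, "dynamic"
        if candidate is not None:
            if candidate in self.leases and self.leases[candidate] != (user, mac):
                return None, f"{candidate} from {source} is already in use"   # why Max. Sessions should be 1
            self.leases[candidate] = (user, mac)
            return str(candidate), source
        # assumption: statically bound addresses are kept out of dynamic assignment
        reserved = set(self.ip_mac.values()) | set(self.account_ip.values())
        for i in range(self.count):
            ip = self.start + i
            if ip not in reserved and ip not in self.leases:
                self.leases[ip] = (user, mac)
                return str(ip), source
        return None, "address pool exhausted"

    def release(self, ip):
        """Session ended (PADT or PPP termination): the address becomes free again."""
        self.leases.pop(IPv4Address(ip), None)


if __name__ == "__main__":
    pool = PppoeAddressPool("10.0.0.1", 100,
                            {"00:11:22:33:44:55": "10.0.0.5"},
                            {"bob": "10.0.0.5", "carol": "10.0.0.9"})
    print(pool.assign("bob", "aa:bb:cc:00:00:01"))      # bob's bound address belongs to the IP/MAC host
    print(pool.assign("alice", "00:11:22:33:44:55"))    # IP/MAC binding wins
    print(pool.assign("carol", "aa:bb:cc:00:00:02"))    # account/IP binding
```

The second session attempt for an account with an account/IP binding is refused because the bound address is already leased, which is the reason note 1 of section 9.3.1 asks for Max. Sessions to be set to 1 on such accounts.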

9.4.2 PPPoE IP/MAC Binding List

When you have configured some PPPoE IP/MAC bindings, you can view them in the PPPoE IP/MAC Binding List, and check whether a static IP address is assigned to the specified host or not.

Figure 9-12 PPPoE IP/MAC Binding List

 Add a PPPoE IP/MAC Binding: If you want to add a new PPPoE IP/MAC binding, click the New button or select the IP/MAC Binding Settings tab to go to the setup page, and then configure it, lastly click the Save button.

 Edit a PPPoE IP/MAC Binding: If you want to modify a configured PPPoE IP/MAC binding, click its Edit hyperlink, the related information will be displayed in the setup page. Then modify it, and click the Save button.

 Delete PPPoE IP/MAC Binding(s): If you want to delete one or more PPPoE IP/MAC bindings, select the leftmost check boxes of them, then select Delete from the drop-down list on the lower right corner of the IP/MAC Binding List, and lastly click OK.

 Delete All: If you want to delete all the PPPoE IP/MAC bindings at a time, select Delete All from the drop-down list on the lower right corner of the list, and then click OK. Then the PPPoE server will assign IP addresses to the dial-in users dynamically.


9.5 PPPoE Status

In the PPPoE > PPPoE Status page, you can view the status and usage information of each online PPPoE dial-in user. If a PPPoE dial-in user has successfully established a PPPoE session to the Device, you can view the user's assigned IP address, MAC address, Rx Rate and Tx Rate, the online time, and the session ID of the PPPoE session.

Figure 9-13 PPPoE Status List

• User Name: It displays the PPPoE user name, which the dial-in user uses to dial up and establish the PPPoE session to the Device.

• Status: It displays the PPPoE account status. If a PPPoE dial-in user has successfully established a PPPoE session to the Device with the account, it displays Connected; otherwise it displays Disconnected.

• IP Address: It displays the IP address assigned to the PPPoE dial-in user by the PPPoE server.

• MAC Address: It displays the MAC address of the PPPoE dial-in user.

• Online Time: It displays the time elapsed since the PPPoE session was successfully established.

• Rx Rate: It displays the real-time download rate (in kilobytes per second) of the PPPoE dial-in user.

• Tx Rate: It displays the real-time upload rate (in kilobytes per second) of the PPPoE dial-in user.

• Session ID: It displays the session ID of the PPPoE session, which uniquely identifies a PPPoE session.

• Disconnect: To hang up an established PPPoE session manually, select the leftmost check box of the session and then click the Disconnect button.

• Refresh: Click it to view the latest information in the list.


9.6 Configuration Example for PPPoE Server

1. Requirements

In this example, an organization's administrator wants the LAN users to act as PPPoE clients and dial up to the Device, and only PPPoE dial-in users are allowed to access the Internet through the Device. The exception is the CEO, whose IP address is 192.168.20.2.

When acting as a PPPoE server, the Device dynamically assigns IP addresses to the LAN users. The start IP address assigned to the dial-in users is 10.0.0.1, the maximum number of dial-in users is 100, the primary DNS server IP address is 202.101.10.10, and the maximum number of PPPoE sessions that can be created on the Device is 100.

The administrator needs to create two PPPoE accounts: a universal account used by ordinary employees, with Rx and Tx bandwidth both 512 Kbit/s and Max. Sessions 90; and an advanced account with Max. Sessions 10.

The administrator also wants the LAN host with MAC address 0021859b4544 to use the static IP address 10.0.0.50, so he needs to create a PPPoE IP/MAC binding for this host.

2. Configuration Procedure

1 ) Configuring PPPoE Server Global Parameters

Step 1 Go to the PPPoE > Global Settings page.

Step 2 See the following figure, select the Enable PPPoE Server check box, enter 10.0.0.1 in the Start IP Address text box, enter 100 in the Number of Addresses text box, enter 202.101.10.10 in the Primary DNS Server text box, and enter 100 in the Max. Sessions text box. Leave the default values for the other parameters. Then click the Save button to save the settings.


Figure 9-14 PPPoE Server Global Settings - Example

Step 3 Go to the PPPoE > Global Settings > Internet Access Control page, select the Only Allow PPPoE Users check box, and select CEO from the Exception drop-down list. The CEO address group includes only one IP address, 192.168.20.2, and is configured in the Security > Address Group page.

Figure 9-15 Internet Control Settings - Example

2 ) Configuring PPPoE Accounts

Step 1 Go to the PPPoE > PPPoE Account > PPPoE Account Settings page.

Step 2 Create the universal PPPoE account, whose user name is All. See the following figure: enter All in the User Name text box, test in the Password text box, universal account in the Description text box, 512 in both the Tx Bandwidth and Rx Bandwidth text boxes, and 90 in the Max. Sessions text box. Leave the default values for the other parameters. Then click the Save button to save the settings.

Note that you must enable rate limit in the QoS > Global Settings page for the rate limit of this PPPoE account to take effect.


Figure 9-16 Configuring the Universal PPPoE Account - Example

Step 3 Create the advanced PPPoE account, whose user name is Advanced. See the following figure: enter Advanced in the User Name text box, test2 in the Password text box, advanced account in the Description text box, and 10 in the Max. Sessions text box. Leave the default values for the other parameters. Then click the Save button to save the settings.


Figure 9-17 Configuring the Advanced PPPoE Account - Example

3 ) Configuring a PPPoE IP/MAC Binding

Step 1 Go to the PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page.

Step 2 See the following figure, enter 10.0.0.50 in the IP Address text box and 0021859b4544 in the MAC Address text box, and then click the Save button to save the settings.

Figure 9-18 Configuring a PPPoE IP/MAC Binding – Example


9.7 PPPoE Account Expiration Notice

The FW4x-IPxx-U01 series security firewalls provide a PPPoE account expiration notice feature that periodically reminds a PPPoE dial-in user that his or her account is about to expire, so that the user can avoid the disruption caused by an expired account.

When PPPoE account expiration notice is enabled and an account is about to expire, the Device pops up a notice message to remind the user. The notice is sent once per day, the first time the user accesses a web page.

In the PPPoE > PPPoE Notice > Expiration Notice page, you can configure the PPPoE account expiration notice feature. The Device supports three notice modes:

By Date: The account expires on the specified date.

By Hours: The account expires when its accumulated online time reaches the specified number of hours.

By Traffic: The account expires when its accumulated upload or download traffic reaches the specified number of megabytes.

Select the mode that matches the accounting mode of the PPPoE account, which is configured in the PPPoE > PPPoE Account > PPPoE Account Settings page.


9.7.1 PPPoE Account Expiration Notice by Date

Figure 9-19 PPPoE Account Expiration Notice by Date

• PPPoE Account Expiration Notice Mode: It specifies the PPPoE account expiration notice mode. Here select By Date.

• Enable Notice by Date: It allows you to enable or disable the PPPoE account expiration notice by date. To enable this feature, select this check box.

• Remaining Days: It specifies the number of remaining days before the account expires at which the notice starts. If the actual number of remaining days is less than the configured value, the Device pops up the notice message once per day; otherwise it does not.

• Notice Title: It specifies the title of the notice message.

• Signature: It specifies the signature of the notice message.

• Notice Content: It specifies the content of the notice message.

• Save: Click it to save your settings.

• Preview: Click it to preview the notice message you just configured. The following figure shows an example of a notice message.

Figure 9-20 PPPoE Account Expiration Notice Preview – Example 1

• Back to Setup Page: Click it to go back to the PPPoE > PPPoE Notice > Expiration Notice page.


9.7.2 PPPoE Account Expiration Notice by Hours

Figure 9-21 PPPoE Account Expiration Notice by Hours

• PPPoE Account Expiration Notice Mode: It specifies the PPPoE account expiration notice mode. Here select By Hours.

• Enable Notice by Hours: It allows you to enable or disable the PPPoE account expiration notice by hours. To enable this feature, select this check box.

• Remaining Hours: It specifies the number of remaining online hours before the account expires at which the notice starts. If the actual number of remaining hours is less than the configured value, the Device pops up the notice message once per day; otherwise it does not.

• Notice Title: It specifies the title of the notice message.

• Signature: It specifies the signature of the notice message.

• Notice Content: It specifies the content of the notice message.

• Save: Click it to save your settings.

• Preview: Click it to preview the notice message you just configured. The following figure shows an example of a notice message.

Figure 9-22 PPPoE Account Expiration Notice Preview – Example 2

• Back to Setup Page: Click it to go back to the PPPoE > PPPoE Notice > Expiration Notice page.


9.7.3 PPPoE Account Expiration Notice by Traffic

Figure 9-23 PPPoE Account Expiration Notice by Traffic

• PPPoE Account Expiration Notice Mode: It specifies the PPPoE account expiration notice mode. Here select By Traffic.

• Enable Notice by Traffic: It allows you to enable or disable the PPPoE account expiration notice by traffic. To enable this feature, select this check box.

• Remaining Upload Traffic: It specifies the remaining upload traffic (in megabytes) before the account expires at which the notice starts. If the actual remaining upload traffic is less than the configured value, the Device pops up the notice message once per day; otherwise it does not.

• Remaining Download Traffic: It specifies the remaining download traffic (in megabytes) before the account expires at which the notice starts. If the actual remaining download traffic is less than the configured value, the Device pops up the notice message once per day; otherwise it does not.

• Notice Title: It specifies the title of the notice message.

• Signature: It specifies the signature of the notice message.

• Notice Content: It specifies the content of the notice message.

• Save: Click it to save your settings.

• Preview: Click it to preview the notice message you just configured. The following figure shows an example of a notice message.

Figure 9-24 PPPoE Account Expiration Notice Preview – Example 3

Note

1. The PPPoE account expiration notice function takes effect only when the accounting function of the PPPoE account is enabled.

2. If you select By Date from the Notice Mode drop-down list, configure the correct system time and time zone in the System > Time page so that the notice by date works properly.

3. After selecting an option from the Notice Mode drop-down list, you must also enable the corresponding PPPoE account expiration notice feature; otherwise it has no effect.

4. The PPPoE account expiration notice by date, by hours, and by traffic can be enabled at the same time.

5. If a PPPoE account is used by multiple users at the same time, the notice message is popped up only to the first user that accesses a web page, not to any other LAN user.
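The five rules in this Note interact, so here is the gating logic written out as an added Python example (not the Device's code; the manual does not describe how the Device implements it). It shows accounting disabled suppressing every notice (rule 1), a mode selected but not enabled having no effect (rule 3), several modes firing together (rule 4), and the once-per-day pop-up being tracked per account rather than per host, so the second host sharing the account gets nothing that day (rule 5). The account, quotas and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass
class NoticeConfig:
    """The three tabs of PPPoE > PPPoE Notice > Expiration Notice; each mode has its own Enable box."""
    by_date: bool = False
    remaining_days: int = 0
    by_hours: bool = False
    remaining_hours: float = 0
    by_traffic: bool = False
    remaining_upload_mb: float = 0
    remaining_download_mb: float = 0


@dataclass
class Account:
    """Accounting state of one PPPoE account (a quota is None when that accounting mode is not used)."""
    name: str
    accounting: bool                        # Note 1: no accounting, no notice
    expires_on: Optional[date] = None
    hours_quota: Optional[float] = None
    hours_used: float = 0.0
    upload_quota_mb: Optional[float] = None
    upload_used_mb: float = 0.0
    download_quota_mb: Optional[float] = None
    download_used_mb: float = 0.0
    last_notice: Optional[date] = None      # kept per account, not per host (Note 5)


def expiring_reasons(acct, cfg, today):
    """Which enabled thresholds the account has crossed (Note 4: several modes may be on at once)."""
    reasons = []
    if not acct.accounting:
        return reasons
    if cfg.by_date and acct.expires_on is not None and (acct.expires_on - today).days < cfg.remaining_days:
        reasons.append("date")
    if cfg.by_hours and acct.hours_quota is not None and acct.hours_quota - acct.hours_used < cfg.remaining_hours:
        reasons.append("hours")
    if cfg.by_traffic and acct.upload_quota_mb is not None \
            and acct.upload_quota_mb - acct.upload_used_mb < cfg.remaining_upload_mb:
        reasons.append("upload")
    if cfg.by_traffic and acct.download_quota_mb is not None \
            and acct.download_quota_mb - acct.download_used_mb < cfg.remaining_download_mb:
        reasons.append("download")
    return reasons


def on_web_access(acct, cfg, now):
    """Called whenever a host dialled in on this account requests a web page. Returns the notice
    text to pop up, or None. The first access of the day on an expiring account gets the notice;
    later accesses that day, from this or any other host sharing the account, get nothing."""
    today = now.date()
    if acct.last_notice == today:
        return None
    reasons = expiring_reasons(acct, cfg, today)
    if not reasons:
        return None
    acct.last_notice = today
    return f"Account {acct.name} is about to expire ({', '.join(reasons)})"


def notices_over(acct, cfg, accesses):
    """Replay a sequence of web accesses and report which of them popped up a notice."""
    return [on_web_access(acct, cfg, when) is not None for when in accesses]


# Constructed sample data (not from the manual). Traffic notice is left disabled although the
# upload quota is nearly used up, to show Note 3: a mode must be enabled to have any effect.
CONFIG = NoticeConfig(by_date=True, remaining_days=3, by_hours=True, remaining_hours=5,
                      by_traffic=False, remaining_upload_mb=100, remaining_download_mb=100)
TODAY = datetime(2024, 3, 5, 9, 30)
TOMORROW = datetime(2024, 3, 6, 8, 0)


def sample_account(accounting=True):
    return Account("All", accounting, expires_on=date(2024, 3, 7), hours_quota=100, hours_used=97,
                   upload_quota_mb=1000, upload_used_mb=999)


if __name__ == "__main__":
    acct = sample_account()
    for when in (TODAY, TODAY, TOMORROW):      # two hosts on the same day, then the next morning
        print(when, "->", on_web_access(acct, CONFIG, when))
```

The replay prints a notice for the first access, None for the second access on the same day, and a notice again the next morning; the "upload" reason never appears because the By Traffic mode is not enabled.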


Chapter 10 QoS

This chapter describes how to control and manage the Internet bandwidth of the LAN users, including global settings, rate limit rules and P2P rate limit settings.

10.1 Introduction to Bandwidth Management

10.1.1 Why We Need Bandwidth Management

With the growing popularity of P2P, Internet users can quickly download high-definition movies and video clips, massively multiplayer online games and hundreds of megabytes of other data, and share them with others. At the same time, because P2P applications seize as much bandwidth as they can, they tend to consume all of it, which has earned them the name "network vampire". P2P use in the LAN degrades Internet access for the other users, causes congestion and performance deterioration, and can ultimately prevent those users from accessing the Internet at all. To restrain this aggressive consumption of network resources and provide users a stable and secure network, the maximum bandwidth of LAN users and applications must be limited effectively. However, limiting only the maximum bandwidth wastes bandwidth when the network is idle and greatly reduces bandwidth utilization. To solve this problem, the FW4x-IPxx-U01 products introduce intelligent bandwidth management, which provides a more reasonable bandwidth management solution.

The FW4x-IPxx-U01 products support intelligent bandwidth management based on the token bucket algorithm. It allows you to create rate limit rules based on source IP address, destination IP address, protocol type (TCP, UDP or ICMP), port, schedule, and so on.

From the user-defined capacity and the actual network conditions, the Device determines whether the network is idle, normal, busy or exhausted, and flexibly controls the upload and download bandwidth of each LAN host according to the network status and the user-defined rate limit rules.


10.1.2 Token Bucket Algorithm

Because the bandwidth management feature of the FW4x-IPxx-U01 products is based on the token bucket algorithm, this section describes token bucket briefly.

The token bucket algorithm is one of the most common algorithms used for network traffic shaping and rate limiting. Typically it is used to control the amount of data injected into a network while still allowing bursts of data to be sent.

The token bucket is a control mechanism that dictates when traffic can be transmitted, based on the presence of tokens in the bucket. The bucket contains tokens, each of which represents a byte. If enough tokens are present, traffic can be transmitted; otherwise it cannot. Therefore, if the burst threshold is configured appropriately and there are adequate tokens in the bucket, traffic can be transmitted at its peak burst rate.

The basic process of the token bucket algorithm is as follows:

The token rate is r, that is, a token is added to the bucket every 1/r seconds.

The bucket can hold at most β tokens. If a token arrives when the bucket is full, it is discarded.

When a packet of n bytes arrives, n tokens are removed from the bucket, and the packet is sent to the network.

If fewer than n tokens are available, no tokens are removed from the bucket, and the packet is considered non-conformant.

Although the algorithm allows a burst of up to β bytes of traffic, over the long run the output of conformant packets is limited by the constant rate r.

Non-conformant packets can be treated in various ways:

They may be dropped.

They may be enqueued for subsequent transmission when sufficient tokens have accumulated in the bucket.

They may be transmitted but marked as non-conformant, possibly to be dropped later if the network is overloaded.

In conclusion, the token bucket algorithm allows bursts of up to β bytes, but over the long run the output of conformant packets is limited to the constant rate r.
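The algorithm above, as an added Python example that is not the Device's code (the manual does not publish its implementation). It uses the manual's symbols: r tokens per second, a bucket depth of β (beta) bytes, and a packet of n bytes that either takes n tokens or is non-conformant. The same bucket is then used to illustrate the Each and Share options of a rate limit rule described later in 10.3.1, one bucket per host versus one bucket for all hosts; that the Device allocates buckets exactly this way is an assumption. All traffic traces are constructed; the rate of 64000 bytes/s is the 512 Kbit/s of the universal PPPoE account in the earlier example.

```python
class TokenBucket:
    """Token bucket with token rate r (tokens per second, one token per byte) and depth beta."""

    def __init__(self, r, beta):
        self.r = float(r)
        self.beta = float(beta)
        self.tokens = self.beta      # a full bucket lets a burst of beta bytes through at once
        self.last = 0.0

    def _refill(self, now):
        # Adding one token every 1/r seconds equals adding (now - last) * r tokens in one step;
        # anything above beta is discarded, as the text describes.
        self.tokens = min(self.beta, self.tokens + (now - self.last) * self.r)
        self.last = now

    def conforms(self, now, n):
        """A packet of n bytes arriving at time now: take n tokens and return True, or leave
        the bucket untouched and return False (the packet is non-conformant)."""
        self._refill(now)
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


def shape(trace, r, beta):
    """Run a time-ordered trace [(seconds, bytes), ...] through one bucket and return the
    per-packet verdicts. Dropping, queueing or marking a non-conformant packet is a separate
    policy decision (the three options listed above)."""
    bucket = TokenBucket(r, beta)
    return [bucket.conforms(t, n) for t, n in trace]


def shape_hosts(trace, r, beta, mode):
    """trace: time-ordered [(seconds, host, bytes), ...]. mode 'each' gives every host its own
    bucket; 'share' pushes all hosts through one bucket (assumed model of the Each/Share option)."""
    buckets = {}
    verdicts = []
    for t, host, n in trace:
        key = host if mode == "each" else "shared"
        bucket = buckets.setdefault(key, TokenBucket(r, beta))
        verdicts.append(bucket.conforms(t, n))
    return verdicts


def conformant_bytes(trace, r, beta):
    """Total bytes passed as conformant; over a long trace this tends to beta + r * duration."""
    return sum(n for (t, n), ok in zip(trace, shape(trace, r, beta)) if ok)


# Constructed traces (not from the manual). 64000 bytes/s = 512 Kbit/s; a depth of 16000 bytes
# allows a burst of ten full 1500-byte frames.
RATE = 64_000
DEPTH = 16_000
BURST = [(0.0, 1500)] * 11                                   # 11 frames at the same instant
STEADY = [(i * 1500 / RATE, 1500) for i in range(200)]       # offered exactly at rate r
FLOOD = [(i * 0.001, 1000) for i in range(10_000)]           # 1 MB/s offered for 10 s
TWO_HOSTS = [(0.0, "A", 1500), (0.0, "B", 1500)] * 10        # two hosts bursting together

if __name__ == "__main__":
    verdicts = shape(BURST, RATE, DEPTH)
    print("burst :", verdicts.count(True), "conformant,", verdicts.count(False), "non-conformant")
    print("steady:", all(shape(STEADY, RATE, DEPTH)), "(every frame conformant)")
    print("flood :", conformant_bytes(FLOOD, RATE, DEPTH), "of", sum(n for _, n in FLOOD), "bytes conformant")
    for mode in ("each", "share"):
        print(f"{mode:6s}:", shape_hosts(TWO_HOSTS, RATE, DEPTH, mode).count(True), "of 20 frames conformant")
```

The burst trace shows the β limit (ten frames pass, the eleventh does not), the flood trace shows the long-run limit (about β + r × 10 s of the 10 MB offered gets through), and the two-host trace shows why Share halves what each host can burst compared with Each.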

10.1.3 Implementation of Bandwidth Management

Using intelligent bandwidth management based on the token bucket algorithm, the Device can flexibly control the upload and download bandwidth of the LAN hosts. There are four processing mechanisms, depending on the bandwidth utilization level:

1. When the bandwidth utilization level is Idle, each LAN host is likely to obtain its maximum bandwidth.

2. When the bandwidth utilization level is Normal, each LAN host obtains a bandwidth between its guaranteed and maximum bandwidth, as close to the maximum bandwidth as possible.

3. When the bandwidth utilization level is Busy, each LAN host obtains only its guaranteed bandwidth.

4. When the bandwidth utilization level is Exhausted, only the LAN hosts with high priority obtain their guaranteed bandwidth; every other LAN host obtains less than its guaranteed bandwidth.

Depending on the ratio of the actual capacity (i.e., the total number of network devices connected to the Device) to the user-defined capacity (set by Capacity in the QoS > Global Settings page), the bandwidth utilization is divided into four levels: Idle, Normal, Busy, and Exhausted.

Idle: The ratio is below 50%.

Normal: The ratio is between 50% and 95%.

Busy: The ratio is between 95% and 100%.

Exhausted: The ratio is above 100%.

The intelligent bandwidth management feature helps you effectively solve network congestion caused by network abuse by LAN users and ensures full bandwidth utilization without affecting the other users. In short, this feature lets you implement truly intelligent and flexible bandwidth management.


10.2 Rate Limit Global Settings

Figure 10-1 Rate Limit Global Settings

• Enable Rate Limit: It allows you to enable or disable rate limit. If you select this check box, the configured rate limit rules take effect; otherwise they have no effect.

• Capacity: It specifies the maximum number of network devices (PCs or other network devices) that can be connected to the Device at the same time. Depending on the ratio of the actual capacity (the total number of network devices connected to the Device) to this user-defined capacity, the bandwidth utilization is divided into four levels: Idle, Normal, Busy, and Exhausted. Refer to 10.1.3 Implementation of Bandwidth Management for more information.

• Save: Click it to save the rate limit global settings.

Note

Bandwidth and rate are generally expressed in Kbit/s (kilobits per second) or KByte/s (KB/s, kilobytes per second). The conversion formulas are as follows:

• Byte = 8 bits

• Kilobyte = 1024 bytes or 8192 (8 x 1024) bits

• Megabyte = 1024 kilobytes or 1,048,576 (1024 x 1024) bytes or 8,388,608 bits

• Gigabyte = 1024 megabytes or 1,073,741,824 bytes or 8,589,934,592 bits

For example, 10 Mbit/s = 10240 Kbit/s = 10240/8 KByte/s = 1280 KByte/s


10.3 Rate Limit Rule

You can create rate limit rules based on source IP address, destination IP address, protocol type (TCP, UDP or ICMP), port, schedule, and so on.

Note that for the rate limit rules to take effect, the Enable Rate Limit check box must be selected in the QoS > Global Settings page.

10.3.1 Rate Limit Rule Settings

Before creating rate limit rules, you may need to do the following:

Go to the Security > Address Group page to create the address groups that the rules will reference. The addresses in an address group are matched against the source or destination IP addresses of packets received by the Device.

Go to the Security > Service Group page to create the service groups that the rules will reference. Note that only service groups whose Service Type is General Service can be referenced by rate limit rules.

Go to the Security > Schedule page to create the schedules that the rules will reference.

If the source IP addresses are consecutive, you can also specify them directly for a rate limit rule in this page. The following describes the rule parameters.


Figure 10-2 Rate Limit Rule Settings

• Source: It specifies the IP addresses of the LAN hosts to which the rate limit rule applies. There are two options:

● Addresses: Select it to enter the start and end addresses in the associated text boxes.

● Address Group: Select it to choose an address group from the associated drop-down list. By default, the Address Group radio button is selected and its value is Any Address.

• Destination Address Group: It allows you to select an address group that specifies the destination IP addresses of the traffic to which the rate limit rule applies.

• Min. Tx Bandwidth: It specifies the guaranteed upload bandwidth allocated to the LAN hosts or applications that match the rate limit rule. Note that Min. Tx Bandwidth, Min. Rx Bandwidth, Max. Tx Bandwidth and Max. Rx Bandwidth can each be set in two ways:

● Enter a value in the associated text box. If you do not want to specify a bandwidth, enter 0.

● Select an option from the associated drop-down list. If you do not want to specify a bandwidth, select NoLimit.

• Min. Rx Bandwidth: It specifies the guaranteed download bandwidth allocated to the LAN hosts or applications that match the rate limit rule.

• Max. Tx Bandwidth: It specifies the maximum upload bandwidth allocated to the LAN hosts or applications that match the rate limit rule.

• Max. Rx Bandwidth: It specifies the maximum download bandwidth allocated to the LAN hosts or applications that match the rate limit rule.

• Description: It specifies the description of the rate limit rule, usually the purpose of the rule.

• Advanced Options: Click it to view and configure the advanced parameters. In most cases you need not configure them.

• Each: If you select this radio button, the Device assigns the specified bandwidths to each LAN host or application that matches the rule. For example, if Min. Tx Bandwidth is set to 1M and 10 LAN hosts match the rule, each host is guaranteed at least 1M of upload bandwidth.

• Share: If you select this radio button, all the LAN hosts or applications that match the rule share the specified bandwidths. For example, if Min. Tx Bandwidth is set to 1M and 10 LAN hosts match the rule, the total upload bandwidth allocated to all of them is at least 1M.

• Service Group: It allows you to select a service group that specifies the protocol type (TCP, UDP or ICMP) and ports of the traffic to which the rate limit rule applies. Note that only service groups whose Service Type is General Service can be referenced by rate limit rules. The default value is Any Service, which means any protocol type and port.

• Bandwidth Priority: It specifies the bandwidth priority of the traffic to which the rate limit rule applies. There are three options: Low, Mid, and High. The Device preferentially assigns idle bandwidth to traffic with higher priority; when the network is busy, the Device first ensures the guaranteed bandwidth of high-priority traffic.

• Bind to: It specifies the Internet connection to which the rate limit rule is bound.

• Schedule: It specifies a schedule that restricts when the rate limit rule is in effect. The default value is Always, which means the rule is always in effect. Note that after the selected schedule has expired, the rule is in effect always.

• Edit Schedule: Click it to go to the Security > Schedule page to add, view, modify or delete schedules.

• Edit Address Group: Click it to go to the Security > Address Group page to add, view, modify or delete address groups.

• Edit Service Group: Click it to go to the Security > Service Group page to add, view, modify or delete service groups.

• Save: Click it to save the rate limit rule settings.

Note

If the sum of the specified Min. Tx/Rx Bandwidth values is larger than the Internet connection's Uplink/Downlink Bandwidth (configured in the Basic > WAN page), the Device cannot guarantee the specified hosts or applications their minimum upload/download bandwidth.

10.3.2 Rate Limit Rule List

Figure 10-3 Rate Limit Rule List

• Add a Rate Limit Rule: To add a new rate limit rule, click the New button or select the Rate Limit Rule Settings tab to go to the setup page, configure it, and then click the Save button.

• Enable a Rate Limit Rule: The Enable check box enables or disables the corresponding rate limit rule. It is selected by default, which means the rule is in effect. To disable a rule temporarily instead of deleting it, click the check box to clear it.

• View Rate Limit Rule(s): When you have configured rate limit rules, you can view them in the Rate Limit Rule List.

• Edit a Rate Limit Rule: To modify a configured rate limit rule, click its Edit hyperlink; the related information is displayed in the setup page. Modify it and click the Save button.

• Move a Rate Limit Rule: The Device allows you to move a rate limit rule above another rule in the list. Select the ID of the rule you want to move from the Move drop-down list and the other rule's ID from the before drop-down list, and then click OK. Note that moving a rule in the list does not change its ID number.

• Delete Rate Limit Rule(s): To delete one or more rate limit rules, select their leftmost check boxes and then click the Delete button.

10.3.3 The Execution Order of Rate Limit Rules

When the Device receives a packet initiated from the LAN, it extracts the packet's source IP address, destination IP address, protocol type (TCP, UDP or ICMP), port number, and the date and time at which the packet was received, and compares them with each rule in the order in which the rules are listed in the Rate Limit Rule List. The first matching rule applies to the packet, and no further rules are checked. If no rule matches, the packet is not restricted by any rate limit rule.

Note that in the Rate Limit Rule List the rate limit rules are listed in reverse chronological order of creation: the later a rule is created, the higher it is listed. The Device allows you to manually move a rule to a different position in the list.
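Because the first matching rule wins and new rules land on top of the list, a broad rule created last silently shadows a specific rule created earlier until the list is reordered. The added Python example below (not the Device's code; the manual does not describe its matching engine) walks a constructed rule list in list order over the five fields the Device extracts, honours the Enable check box, treats an expired schedule as Always (the Schedule note in 10.3.1), and reproduces the Move ... before ... control without renumbering. The addresses reuse the 192.168.20.x ranges of the configuration examples; the rules, services, schedule and dates are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Schedule:
    """A weekday/hour window. Once `expires` has passed, the rule is treated as Always,
    as the Schedule note in 10.3.1 states."""
    weekdays: set                 # 0 = Monday ... 6 = Sunday
    hours: range                  # hours of the day in which the schedule is active
    expires: Optional[datetime] = None

    def active(self, when):
        if self.expires is not None and when > self.expires:
            return True
        return when.weekday() in self.weekdays and when.hour in self.hours


@dataclass
class Rule:
    id: int
    src_start: str                         # Source: consecutive addresses entered directly
    src_end: str
    dst_group: Optional[str] = None        # Destination Address Group as CIDR; None = Any Address
    protocol: Optional[str] = None         # Service Group: 'tcp' | 'udp' | 'icmp'; None = Any Service
    dports: Optional[range] = None         # destination ports of the service; None = any port
    schedule: Optional[Schedule] = None    # None = Always
    enabled: bool = True                   # the Enable check box in the rule list
    description: str = ""


def matches(rule, src, dst, protocol, dport, when):
    """The fields the Device extracts from a LAN packet, checked against one rule."""
    if not rule.enabled:
        return False
    if not ipaddress.IPv4Address(rule.src_start) <= ipaddress.IPv4Address(src) <= ipaddress.IPv4Address(rule.src_end):
        return False
    if rule.dst_group and ipaddress.IPv4Address(dst) not in ipaddress.IPv4Network(rule.dst_group):
        return False
    if rule.protocol and rule.protocol != protocol:
        return False
    if rule.dports is not None and protocol != "icmp" and dport not in rule.dports:
        return False
    if rule.schedule and not rule.schedule.active(when):
        return False
    return True


def first_match(rule_list, src, dst, protocol, dport, when):
    """Top-to-bottom walk: the first matching rule applies and later ones are not checked;
    None means the packet is not restricted by any rate limit rule."""
    for rule in rule_list:
        if matches(rule, src, dst, protocol, dport, when):
            return rule.id
    return None


def add_rule(rule_list, rule):
    """A newly created rule is listed above older ones (reverse chronological order); IDs are unchanged."""
    return [rule] + rule_list


def move_before(rule_list, rule_id, before_id):
    """The Move ... before ... control of the rule list: reposition without renumbering."""
    moving = next(r for r in rule_list if r.id == rule_id)
    rest = [r for r in rule_list if r.id != rule_id]
    idx = next(i for i, r in enumerate(rest) if r.id == before_id)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed rule set (not from the manual), created in ID order so rule 3 ends up on top.
OFFICE_HOURS = Schedule(weekdays={0, 1, 2, 3, 4}, hours=range(9, 18))
EXPIRED = Schedule(weekdays={0, 1, 2, 3, 4}, hours=range(9, 18), expires=datetime(2023, 12, 31))
RULE_LIST = []
RULE_LIST = add_rule(RULE_LIST, Rule(1, "192.168.20.2", "192.168.20.254", description="whole LAN: guaranteed bandwidth"))
RULE_LIST = add_rule(RULE_LIST, Rule(2, "192.168.20.2", "192.168.20.40", description="Video Area: high priority"))
RULE_LIST = add_rule(RULE_LIST, Rule(3, "192.168.20.2", "192.168.20.254", protocol="tcp", dports=range(1024, 65536),
                                     schedule=OFFICE_HOURS, description="cap high TCP ports in office hours"))
MOVED = move_before(RULE_LIST, 2, 3)        # put the specific Video Area rule above the broad one

TUE_10H = datetime(2024, 3, 5, 10, 0)       # a Tuesday, inside office hours
TUE_20H = datetime(2024, 3, 5, 20, 0)       # same day, after hours

if __name__ == "__main__":
    print("list order:", [r.id for r in RULE_LIST], "after move:", [r.id for r in MOVED])
    for label, rules in (("as created", RULE_LIST), ("after move", MOVED)):
        hit = first_match(rules, "192.168.20.10", "203.0.113.5", "tcp", 8080, TUE_10H)
        print(f"{label}: Video Area host, TCP/8080 at 10:00 -> rule {hit}")
```

With the list as created, a Video Area host sending TCP/8080 during office hours hits rule 3, the broad cap, and never reaches its own rule 2; after the move it hits rule 2. Outside office hours rule 3 does not match and the same packet falls through to rule 2 without any reordering, which is the kind of time-dependent behaviour worth checking before trusting a rule list.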


10.4 P2P Rate Limit

This section describes the QoS > P2P Rate Limit page.

The P2P rate limit feature is specially designed for P2P applications. P2P rate limit has the highest priority: even if you have created rate limit rules for some LAN users in the QoS > Rate Limit Rule page, the P2P traffic of those users is still restricted by the P2P rate limit settings. Using P2P rate limit, you can effectively reduce network congestion caused by P2P applications without sacrificing the other LAN users' traffic and bandwidth.

Figure 10-4 P2P Rate Limit Settings

• Enable P2P Rate Limit: It allows you to enable or disable P2P rate limit. To enable it, select this check box. P2P applications include Bit Spirit, Bit Comet, Thunder, Tuotu, and so on.

• Max. Tx Rate: It specifies the maximum upload rate of the P2P traffic.

• Max. Rx Rate: It specifies the maximum download rate of the P2P traffic.

• Rate Limit Mode: It specifies how the Device limits the maximum Tx/Rx rate of the LAN hosts.

Each: If you select this radio button, the P2P Tx/Rx rate of each LAN host can at most reach the value specified by Max. Tx/Rx Rate.

Share: If you select this radio button, the total P2P Tx/Rx rate of all the LAN hosts can at most reach the value specified by Max. Tx/Rx Rate.

• Exception: It specifies an address group that is exempt from the P2P rate limit settings. If you select an address group here, the P2P traffic of the LAN users in that group is not restricted by the P2P rate limit settings. Address groups are configured in the Security > Address Group page.

• Save: Click it to save the P2P rate limit settings.

Note

1. P2P rate limit has higher priority than the rate limit rules configured in the QoS > Rate Limit Rule page.

2. The P2P rate limit settings take effect only after you have enabled rate limit in the QoS > Global Settings page.


10.5 Application QoS

This section describes the QoS > APP QoS page.

The Device provides preferential forwarding for the traffic of some predefined applications, that is, this traffic is exempt from the restrictions of the rate limit rules configured in the QoS > Rate Limit Rule page. The predefined applications include hot online games, VoIP, Web browsing, VPN and Email. In this page you can enable preferential forwarding for one or more predefined applications as required. It also allows you to enable the PPPoE upload bandwidth optimization feature.

Figure 10-5 Preferential Forwarding for Some Applications Traffic

• Select All: It selects or clears all the check boxes below. To enable all the features in this page at once, select this check box; to disable them all at once, clear it.

• Enable Preferential Forwarding for Hot Online Games Traffic: It allows you to enable or disable preferential forwarding for hot online games traffic. If you select the check box, the LAN users' hot online games traffic is exempt from the restriction of the rate limit rules. The online games mainly include WOW, Aion, MHXY, BNB, Jade Dynasty, QQGame, CGA, Zhengtu, Perfect World, Audition, Kartrider Rush, and so on.

• Enable PPPoE Upload Bandwidth Optimization: It allows you to enable or disable PPPoE upload bandwidth optimization. To improve the upload speed of the LAN PPPoE dial-in users, select the check box.

• Enable Preferential Forwarding for VoIP Traffic: It allows you to enable or disable preferential forwarding for VoIP traffic. If you select the check box, the LAN users' VoIP traffic is exempt from the restriction of the rate limit rules. The VoIP applications mainly include network phone and video conferencing.

• Enable Preferential Forwarding for Web Traffic: It allows you to enable or disable preferential forwarding for Web traffic. If you select the check box, the LAN users' Web traffic is exempt from the restriction of the rate limit rules, which improves the web browsing speed of the LAN users.

• Enable Preferential Forwarding for VPN Traffic: It allows you to enable or disable preferential forwarding for VPN traffic. If you select the check box, the LAN users' VPN traffic (including PPTP, L2TP and IPSec VPN traffic) is exempt from the restriction of the rate limit rules.

• Enable Preferential Forwarding for Email Traffic: It allows you to enable or disable preferential forwarding for Email traffic. If you select the check box, the LAN users' Email traffic is exempt from the restriction of the rate limit rules.

• Save: Click it to save your settings.

Note

The Device can preferentially forward the selected applications' traffic only after you have enabled rate limit in the QoS > Global Settings page.

10.6 Configuration Examples for QoS

10.6.1 Example One

1. Requirements

In this example, a business has a single Internet connection with an uplink bandwidth of 10 Mbit/s and a downlink bandwidth of 20 Mbit/s, and approximately 100 network devices.

The requirements are as follows: all LAN users want to access the Internet smoothly, and bandwidth should not be wasted when the network is idle. In addition, the administrator wants to limit the P2P rate of each LAN host: Max. Tx Rate 64 Kbit/s, Max. Rx Rate 128 Kbit/s.


2. Analysis

We need to make the following settings:

Set the Internet connection's Uplink Bandwidth and Downlink Bandwidth to 10240 Kbit/s and 20480 Kbit/s respectively.

Enable rate limit and set the Capacity to 100 in the QoS > Global Settings page.

Create one rate limit rule that sets the guaranteed bandwidth for each LAN host: Min. Tx Bandwidth 100 Kbit/s and Min. Rx Bandwidth 200 Kbit/s.

Enable the P2P rate limit feature and limit the P2P traffic rate of each LAN host: Max. Tx Rate 64 Kbit/s, Max. Rx Rate 128 Kbit/s.

3. Configuration Procedure

Step 1 Go to the Basic > WAN > WAN1 page, enter 10240 in the Uplink Bandwidth text box, and enter 20480 in the Downlink Bandwidth text box.

Step 2 Go to the QoS > Global Settings page (see Figure 10-6), select the Enable Rate Limit check box, enter 100 in the Capacity text box, and lastly click the Save button.

Figure 10-6 Rate Limit Global Settings - Example One

Step 3 Go to the QoS > Rate Limit Rule > Rate Limit Rule Settings page (see Figure 10-7), enter 100 in the Min. Tx Bandwidth text box, and enter 200 in the Min. Rx Bandwidth text box. Leave the default values for the other parameters. Lastly click the Save button.

Figure 10-7 Rate Limit Rule Settings - Example One

Step 4 Go to the QoS > P2P Rate Limit page (see Figure 10-8), select the Enable P2P Rate Limit check box, select 64K from the Max. Tx Rate drop-down list, and select 128K from the Max. Rx Rate drop-down list. Leave the default values for the other parameters. Lastly click the Save button.

Figure 10-8 P2P Rate Limit Settings - Example One

10.6.2 Example Two

1. Requirements

In this example, an Internet café has a single Internet connection with an uplink bandwidth of 50 Mbit/s and a downlink bandwidth of 100 Mbit/s, and approximately 100 network devices. The Internet café consists of three areas: Video Area, Online Game Area, and Common Area. There are 30 hosts in the Video Area, 30 hosts in the Online Game Area, and 40 hosts in the Common Area. The IP address ranges of the areas are as follows:

Video Area: 192.168.20.2~192.168.20.40

Online Game Area: 192.168.20.41~192.168.20.80

Common Area: the remaining IP addresses

The requirements are as follows: the hosts in the Video Area have high bandwidth demand, the hosts in the Online Game Area have mid bandwidth demand, and the hosts in the Common Area have low bandwidth demand (that is, the bandwidth just needs to meet the requirements of web browsing and other general operations); furthermore, the LAN users’ Web traffic has the highest priority.

2. Analysis

We need to make the following settings:

Set the Internet connection’s Uplink Bandwidth and Downlink Bandwidth to 51200 Kbit/s and 102400 Kbit/s respectively.

Enable rate limit and set the Capacity to 100 in the QoS > Global Settings page.

Create rate limit rule 1 for all the LAN users: Min. Tx Bandwidth is 256 Kbit/s, Min. Rx Bandwidth is 512 Kbit/s, and Bandwidth Priority is Low. Note that as this rule has the lowest priority, it should be created first.

Create rate limit rule 2 for the hosts in the Online Game Area: Min. Tx Bandwidth is 1 Mbit/s, Min. Rx Bandwidth is 2 Mbit/s, and Bandwidth Priority is Mid.

Create rate limit rule 3 for the hosts in the Video Area: Min. Tx Bandwidth is 2 Mbit/s, Min. Rx Bandwidth is 4 Mbit/s, and Bandwidth Priority is High.

Enable the preferential forwarding for Web traffic feature in the QoS > APP QoS page.

3. Configuration Procedure

Step 1 Go to the Security > Address Group page to create two address groups: one is for the Video Area, and it contains the IP addresses from 192.168.20.2 to 192.168.20.40; the other is for the Online Game Area, and it contains the IP addresses from 192.168.20.41 to 192.168.20.80; here we assume their names are video and game respectively.

Step 2 Go to the Basic > WAN > WAN1 page, enter 51200 in the Uplink Bandwidth text box, and enter 102400 in the Downlink Bandwidth text box.

Step 3 Go to the QoS > Global Settings page, select the Enable Rate Limit check box, enter 100 in the Capacity text box, and lastly click the Save button to save the settings.

Step 4 Creating rate limit rule 1: Go to the QoS > Rate Limit Rule > Rate Limit Rule Settings page (see Figure 10-9), enter 256 in the Min. Tx Bandwidth text box, and enter 512 in the Min. Rx Bandwidth text box. Leave the default values for the other parameters. Lastly click the Save button.

Figure 10-9 Rate Limit Rule 1 Settings - Example Two

Step 5 Creating rate limit rule 2: Go to the QoS > Rate Limit Rule > Rate Limit Rule Settings page (see Figure 10-10), select game as the Source Address Group, select 1M from the Min. Tx Bandwidth drop-down list, select 2M from the Min. Rx Bandwidth drop-down list, and select Mid from the Bandwidth Priority drop-down list. Leave the default values for the other parameters. Lastly click the Save button.

Figure 10-10 Rate Limit Rule 2 Settings - Example Two

Step 6 Creating rate limit rule 3: Go to the QoS > Rate Limit Rule > Rate Limit Rule Settings page (see Figure 10-11), select video as the Source Address Group, select 2M from the Min. Tx Bandwidth drop-down list, select 4M from the Min. Rx Bandwidth drop-down list, and select High from the Bandwidth Priority drop-down list. Leave the default values for the other parameters. Lastly click the Save button.

Figure 10-11 Rate Limit Rule 3 Settings - Example Two

Step 7 Go to the QoS > APP QoS page (see Figure 10-12), select the Enable Preferential Forwarding for Web Traffic check box, and then click the Save button.

Figure 10-12 Enable Preferential Forwarding for Web Traffic - Example Two

Chapter 11 Restriction

This chapter describes how to configure personal settings for each LAN user, Internet behavior management, the policy database, the QQ whitelist, notice and the Web Authentication feature, and how to view the related status information.

11.1 User Admin

This section describes how to view the current status information of LAN users (hosts); and how to configure personal settings for each user individually, including rate limit settings and Internet behavior management settings.

11.1.1 User Status List

Through the User Status List in the Restriction > User Admin page, you can view the status information of each LAN user (host).

Figure 11-1 User Status List

• ID: It is used to identify each entry in the list.

• Description: If the LAN user is an IP/MAC binding user, it displays the description of the user; else it is blank.

• IP Address: It displays the IP address of the LAN user. If you click the IP Address hyperlink, it will jump to the Restriction > User Admin > Rate Limit page, where you can individually limit the maximum upload and download rates of the user; moreover, you can go to the Restriction > User Admin > Internet Behavior page to configure the personal Internet behavior management parameters for the user. If you move your mouse over the IP Address hyperlink, it will display the current effective settings of the user.

• MAC Address: It displays the MAC address of the LAN user.

• Binding Status: It indicates whether the LAN user is a binding user or not. If the user is an IP/MAC binding user, DHCP binding user, or PPPoE IP/MAC binding user, it displays Yes; else, it displays No.

• Rx Rate: It displays the real-time download rate (in kilobits per second) of the LAN user.

• Tx Rate: It displays the real-time upload rate (in kilobits per second) of the PPPoE LAN user.

• NAT Sessions: It displays the number of NAT sessions that are currently being used by the LAN host.

• User Type: It displays the access type of the LAN user. The possible values are PPPoE, DHCP and Static IP. If the user is a PPPoE dial-in user, it displays PPPoE; if the user is a DHCP client user, it displays DHCP; else, it displays Static IP.

• Online Status: It displays the online status of the LAN user. If the user is connected to the Device, it displays Online; if the user is an IP/MAC binding user, DHCP binding user, or PPPoE IP/MAC binding user, and isn’t connected to the Device, it displays Offline. Note that the list doesn’t display the status information of those non-binding users who aren’t connected to the Device.

• Enable Personal Settings: The Enable Personal Settings check box is used to enable or disable the personal settings of the LAN user. If you want to configure and enable the personal settings of a LAN user, please select this check box. Note that, as mentioned earlier, you can click the IP Address hyperlink to configure, view and modify personal settings. If you want to disable the LAN user’s personal settings temporarily instead of deleting them, please click it to remove the check mark.

• Display IP/MAC Binding: Click it to go to the Security > IP/MAC Binding page to view the IP/MAC Binding List.

• Delete Selected Personal Settings: If you want to delete the personal settings of one or more LAN users, select their leftmost check boxes, and then select Delete Selected Personal Settings from the drop-down list in the lower right corner of the list, lastly click OK.

• Delete All Personal Settings: If you want to delete all the personal settings at a time, select Delete All Personal Settings from the drop-down list in the lower right corner of the list, and then click OK.

Note

You can configure IP/MAC binding users in the Security > IP/MAC Binding > IP/MAC Binding Settings page, configure PPPoE IP/MAC binding users in the PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page, and configure DHCP manual binding users in the DHCP > DHCP Server > Manual Binding Settings page.

11.1.2 Personal Rate Limit

If you want to individually limit the maximum upload and download rates of a LAN user, first go to the Restriction > User Admin > User Status List page, and then select the user’s Enable Personal Settings check box or click its IP Address hyperlink to go to the Restriction > User Admin > Rate Limit page to specify the Max. Tx Rate and Max. Rx Rate for the selected user.

Figure 11-2 Personal Rate Limit Settings

• Max. Tx Rate: It specifies the maximum upload rate of the selected LAN user.

• Max. Rx Rate: It specifies the maximum download rate of the selected LAN user.

• Save: Click it to save your settings.

11.1.3 Personal Internet Behavior Management

Moreover, it allows you to go to the Restriction > User Admin > Internet Behavior page to configure, modify and view the personal Internet behavior management settings for the selected user, see Figure 11-3. For a detailed description of the related parameters, refer to section 11.2.1 Internet Behavior Management Settings.

Figure 11-3 Personal Internet Behavior Management Settings

11.2 Internet Behavior Management

This section describes the Restriction > Behavior Mgmt page.

In this page, you can easily control and manage the Internet behaviors of the LAN users, which include: allowing or blocking the LAN users from using popular IM (e.g., QQ, MSN) and P2P applications (e.g., Bit Comet, Bit Spirit, Thunder Search), downloading files with the extension .exe, .dll, .vbs, .com, .bat or .sys over HTTP, playing online games, accessing stock and game websites, submitting input in web pages, using HTTP proxies, and so on.

Moreover, it allows you to configure Internet behavior management policies based on address group and schedule.

11.2.1 Internet Behavior Management Policy Settings

Figure 11-4 Internet Behavior Management Policy Settings

• Address Group: It specifies an address group to which the Internet behavior management policy applies. The Device will control and manage the Internet behaviors of the LAN users that belong to this address group according to the policy. The address group is configured in the Security > Address Group page.

• Schedule: It specifies a schedule to restrict when the Internet behavior management policy is in effect. The default value is Always, which means the policy is always in effect. Note that after the selected schedule has expired, the policy will be in effect always. The schedule is configured in the Security > Schedule page.

• Description: It specifies the description of the Internet behavior management policy. It is usually used to describe the purpose of the policy.

• IM: You can allow or block some popular IM (Instant Messaging) applications, which include QQ, MSN, Ali Wangwang, WebQQ and Fetion.

    ◦ Block QQ: Allow or block the QQ application. If you want to block the specified LAN users (set by Address Group) from using QQ to chat with others, please select this check box.

    ◦ Block MSN: Allow or block MSN Messenger. If you want to block the specified LAN users from using MSN Messenger to chat with others, please select this check box.

    ◦ Block Ali Wangwang: Allow or block the Ali Wangwang application. If you want to block the specified LAN users from using Ali Wangwang, please select this check box.

    ◦ Block WebQQ: Allow or block the WebQQ application. If you want to block the specified LAN users from using WebQQ to chat with others, please select this check box.

    ◦ Block Fetion: Allow or block the Fetion application. If you want to block the specified LAN users from using Fetion to chat with others, please select this check box.

• P2P: You can allow or block some popular P2P applications, which include BT (Bit Comet, Bit Spirit), Thunder Search, QQLive, PPS, Sogou Search, PPLive and QVOD.

    ◦ Block BT (BitSpirit, BitComet): Allow or block the BitSpirit and BitComet applications. If you want to block the specified LAN users from using BitSpirit or BitComet to download files, please select this check box.

    ◦ Block Thunder Search: Allow or block the Thunder search application. If you want to block the specified LAN users from using Thunder to search resources, please select this check box.

    ◦ Block QQLive: Allow or block the QQLive application. If you want to block the specified LAN users from using QQLive to play videos, please select this check box.

    ◦ Block PPS: Allow or block the PPS (i.e., PPStream) application. If you want to block the specified LAN users from using PPS to play videos, please select this check box.

    ◦ Block Sogou Search: Allow or block the Sogou search application. If you want to block the specified LAN users from using Sogou to search resources, please select this check box.

    ◦ Block PPLive: Allow or block the PPLive application. If you want to block the specified LAN users from using PPLive to play videos, please select this check box.

    ◦ Block QVOD: Allow or block the QVOD (Quasi Video on Demand) application. If you want to block the specified LAN users from using QVOD to play videos, please select this check box.

• Game: You can allow or block some popular online game applications, which include QQGame, BNB, Zhengtu, Perfect World, Jade Dynasty, MHXY, Audition, CGA, WOW, Aion and Kartrider Rush.

    ◦ Block QQGame: Allow or block the QQGame application. If you want to block the specified LAN users from playing QQGame, please select this check box.

    ◦ Block BNB: Allow or block the BNB application. If you want to block the specified LAN users from playing the BNB game, please select this check box.

    ◦ Block Zhengtu: Allow or block the Zhengtu application. If you want to block the specified LAN users from playing the Zhengtu game, please select this check box.

    ◦ Block Jade Dynasty: Allow or block the Jade Dynasty and Perfect World applications. If you want to block the specified LAN users from playing the Jade Dynasty or Perfect World game, please select this check box.

    ◦ Block MHXY: Allow or block the MHXY application. If you want to block the specified LAN users from playing the MHXY game, please select this check box.

    ◦ Block Audition: Allow or block the Audition application. If you want to block the specified LAN users from playing the Audition game, please select this check box.

    ◦ Block CGA: Allow or block the CGA application. If you want to block the specified LAN users from playing the CGA game, please select this check box.

    ◦ Block WOW: Allow or block the WOW application. If you want to block the specified LAN users from playing the WOW game, please select this check box.

    ◦ Block Aion: Allow or block the Aion application. If you want to block the specified LAN users from playing the Aion game, please select this check box.

    ◦ Block Kartrider Rush: Allow or block the Kartrider Rush application. If you want to block the specified LAN users from playing the Kartrider Rush game, please select this check box.

• Web: You can allow or block downloading some predefined types of files over HTTP, and submitting input in web pages.

    ◦ Block Files: Allow or block downloading some predefined types of files over HTTP. If you want to block the specified LAN users from downloading files with the extension .exe, .dll, .vbs, .com, .bat or .sys over HTTP, please select this check box. You can click the View hyperlink to view all the predefined file types.

    ◦ Block Submit: Allow or block submitting input in web pages. If you want to block the specified LAN users from submitting input in web pages, such as logging in to a website or posting messages on a forum, please select this check box.

• DNS: You can allow or block some predefined game and stock websites by DNS filtering.

    ◦ Block Game Websites: Allow or block some predefined game websites. If you want to block the specified LAN users from accessing those predefined game websites, please select this check box. You can click the View hyperlink to view all the predefined game websites.

    ◦ Block Stock Websites: Allow or block some predefined stock websites. If you want to block the specified LAN users from accessing those predefined stock websites, please select this check box. You can click the View hyperlink to view all the predefined stock websites.

• Others: Allow or block some other applications, such as HTTP Proxy and SOCK Proxy.

    ◦ Block HTTP Proxy: Allow or block the HTTP Proxy application. If you want to block the specified LAN users from using HTTP Proxy, please select this check box.

    ◦ Block SOCK4 Proxy: Allow or block the SOCK4 Proxy application. If you want to block the specified LAN users from using SOCK4 Proxy, please select this check box.

    ◦ Block SOCK5 Proxy: Allow or block the SOCK5 Proxy application. If you want to block the specified LAN users from using SOCK5 Proxy, please select this check box.

• Save: Click it to save the Internet behavior management policy settings.

Note

1. If a function option of an Internet behavior management policy is not in effect as desired, please go to the Restriction > Policy Database > Policy Database List to check whether its corresponding policy database is the latest or not. Refer to section 11.3.2 Policy Database List for more information about how to update a policy database.

2. When using the Internet behavior management feature, the Device will search the Internet behavior management policy list to find out if there is a matched policy for each LAN user. It will check the user’s IP address against each policy in the order in which the policies are listed. The first matched policy will apply to the LAN user, and no further policies will be checked. Note that in the Behavior Mgmt. List, the policies are listed in reverse chronological order of creation: the later a policy is created, the higher it is listed.

11.2.2 Internet Behavior Management Policy List

Figure 11-5 Internet Behavior Management Policy List

• Add an Internet Behavior Management Policy: If you want to add a new Internet behavior management policy, click the New button or select the Behavior Mgmt. Settings tab to go to the setup page, and then configure it, lastly click the Save button.

• View Internet Behavior Management Policy(s): When you have configured some Internet behavior management policies, you can view them in the Behavior Mgmt. List.

• Enable an Internet Behavior Management Policy: The Enable check box is used to enable or disable the corresponding Internet behavior management policy. The default value is selected, which means the policy is in effect. If you want to disable the policy temporarily instead of deleting it, please click it to remove the check mark.

• Edit an Internet Behavior Management Policy: If you want to modify a configured Internet behavior management policy, click its Edit hyperlink, and the related information will be displayed in the setup page. Then modify it, and click the Save button.

• Delete Internet Behavior Management Policy(s): If you want to delete one or more Internet behavior management policies, select their leftmost check boxes, and then click the Delete button.

11.3 Policy Database

This section describes the Restriction > Policy Database page.

Note

In this document the policy database is called PDB for short.

11.3.1 Introduction to Policy Database

This page allows you not only to view the PDBs in the Policy Database List, but also to upload and update PDBs. By introducing PDBs, we can add a group of policies into a PDB; and we also provide a PDB online update function to greatly facilitate the users. The Device currently supports four types of PDBs, which include Route PDB, DNS PDB, Website PDB and Firewall PDB; in the future, Digicom S.p.A. will successively provide more types of PDBs according to actual user requirements.

The route PDBs can be referenced and configured in the Advanced > Static Route page. By introducing route PDBs, the users don’t need to add static routes one by one, but instead create a large batch of static routes for each ISP connection at a time. Then the traffic destined for one ISP’s servers will be forwarded through this ISP’s connection, not another ISP’s connection; for example, the traffic destined for Telecom Italia servers will be forwarded to the Telecom Italia connection, and the traffic destined for Fastweb servers will be forwarded to the Fastweb Internet connection. Thus the LAN hosts can access those servers normally. Refer to section 7.1.2 Static Route Policy Database for more information about route PDBs.

The firewall PDBs, DNS PDBs, and Website PDBs are referenced and configured in the Restriction > Behavior Mgmt. > Behavior Mgmt. Settings page. By introducing firewall PDBs, you don’t need to add multiple access control rules one by one, but instead just click some check boxes to block or allow the LAN users to use popular IM (e.g., QQ, MSN) and P2P applications (e.g., BitComet, BitSpirit, Thunder Search).

11.3.2 Policy Database List

Figure 11-6 Policy Database List

• Name: It displays the name of the PDB.

• Type: It displays the type of the PDB. Now the Device provides four types of policy databases: Route, Firewall, Dns and Website.

• Description: It displays the description of the PDB. It is usually used to describe the purpose of the PDB.

• Referenced: It indicates whether the PDB is referenced or not. If the PDB is referenced, it displays Yes; else, it displays No.

• Version: It displays the version of the PDB. The version indicates the date on which the PDB was created; for example, the version 090805 means that the PDB was created on August 5, 2009. You can judge whether a PDB needs to be updated according to its version: the larger the value, the newer the version.

• Update: If you want to update a PDB, click its Update hyperlink to download the latest PDB from the designated website and apply it automatically.

• Update All: If you want to update all the PDBs in the list at a time, click the Update All hyperlink to download all the latest PDBs from the designated website and apply them automatically.

• Delete: If you want to delete one or more PDBs, select their leftmost check boxes, and then click the Delete button.

Note

1. You cannot delete the system default PDBs.

2. By default, the Policy Database List only displays the system default PDBs, which include Some ISPs, QQ, MSN, BT, Thunder, GAMEURL, STOCKURL, FileType, and upload. It allows you to customize firewall PDBs and modify the system default firewall PDBs via the CLI.

3. Only the system default PDBs can be updated. Once you have updated a firewall PDB which has been referenced, the related settings will take effect immediately; after you have updated a route PDB which has been referenced, you should go to the Advanced > Static Route page to reference it again and perform the save operation to make the related settings take effect. Refer to section 7.1.2.4 How to Update a System Default Static Route PDB for detailed operation.

11.3.3 Policy Database Version Check

Figure 11-7 Policy Database Version Check

• Policy Database Version Check: It specifies whether the Device will automatically check the version of each PDB or not. There are two available options:

    ◦ Never: It indicates that the Device will not automatically check the version of each PDB.

    ◦ Automatically: It indicates that the Device will automatically check the version of each PDB at the specified time (set by Check Time), and log the results, which mainly contain which PDBs need to be updated, in the Status > System Log page.

• Check Time: It specifies a time at which the PDB version check will be triggered. If you select Automatically from the Policy Database Version Check drop-down list, you should set the Check Time as required.

• Save: Click it to save the PDB version check settings.

Note

If you select Automatically from the Policy Database Version Check drop-down list, you should synchronize the system clock in the System > Time page to ensure that the Device will automatically check the version of each PDB at the desired time.

11.3.4 Import Policy Database

Figure 11-8 Import Policy Database

• Choose File: Click the Browse button to choose a PDB file, or enter the file path and name in the text box.

• Upload: Click it to import the selected PDB file into the Device. Once the PDB file is imported successfully, you can view it in the Policy Database List.

Note

To avoid unexpected errors, do not power off the Device while importing the PDB file.

11.4 QQ Whitelist

The Device provides the QQ whitelist feature, which allows you to add some QQ numbers into the QQ Whitelist; those QQ numbers will then be exempt from the restriction of the Internet behavior management policies configured in the Restriction > Behavior Mgmt. > Behavior Mgmt. Settings page, that is, the LAN users can still use those QQ numbers to log in to QQ even if you have blocked these users from using QQ by policies.

11.4.1 Enable QQ Whitelist

Figure 11-9 Enable QQ Whitelist

• Enable QQ Whitelist: It allows you to enable or disable the QQ whitelist. If you select the check box to enable the QQ whitelist, the QQ numbers in the QQ Whitelist will take effect. Else, those QQ numbers will be of no effect.

• Save: Click it to save your settings.

11.4.2 QQ Whitelist Settings

Figure 11-10 QQ Whitelist Settings

• QQ Number: It specifies a unique QQ number. It should be a number of fewer than 11 digits. The QQ number will be exempt from the restriction of the Internet behavior management policies, that is, a LAN user can still use this QQ number to log in to QQ even if you have blocked the user from using QQ by a policy.

• Description: It specifies the description of the QQ number.

• Save: Click it to save the QQ whitelist settings.

11.4.3 QQ Whitelist

Figure 11-11 QQ Whitelist

• Add a QQ Number: If you want to add a new QQ number into the QQ Whitelist, click the New button or select the QQ Whitelist Settings tab to go to the setup page, and then configure it, lastly click the Save button.

• View QQ Number(s): When you have configured some QQ numbers, you can view them in the QQ Whitelist.

• Edit a QQ Number: If you want to modify a configured QQ number, click its Edit hyperlink, and the related information will be displayed in the setup page. Then modify it, and click the Save button.

• Delete QQ Number(s): If you want to delete one or more QQ numbers, select their leftmost check boxes, and then click the Delete button.

11.5 Configuration Example for Internet Behavior Management

1. Requirements

In 2011, a business CEO wants to control online behavior of the employees. He wants to block all the predefined IM and P2P applications, online games, game and stock websites during working time, but allow all the Internet services during rest periods. But there are some exceptions which are as follows:

The CEO and vice CEO can access the Internet without any restrictions. Their IP addresses are 192.168.20.4 and 192.168.20.5 respectively.

The Customer Service and Sales Departments’ employees need to use IM applications to communicate with customers during working time. Their IP address ranges are: from 192.168.20.50 to 192.168.20.70, and from 192.168.20.100 to 192.168.20.120 respectively.

There are five employees with dynamic IP addresses, and they need to use QQ. Their QQ numbers are 21586375, 29583674, 1572681475, 1143550132 and 66587954 respectively.

The business’s working time is: Monday to Friday, 9:00 to 12:00 am, and 1:00 to 6:00 pm.

2. Analysis

We need to create three Internet behavior management policies, enable the QQ whitelist feature and add five QQ numbers into the QQ Whitelist to meet the requirements.

1) Policy 1: It is used to block all the LAN users from using IM and P2P applications, playing online games, and accessing game and stock websites.

2) Policy 2: It is used to allow the Customer Service and Sales Departments’ employees to use IM applications during working time. Note that as this policy has higher priority than policy 1, it should be created after policy 1.

3) Policy 3: It is used to allow the CEO and vice CEO to access all the Internet services. Note that as this policy has the highest priority, it should be created last.

4) Enable the QQ whitelist feature and add the five QQ numbers into the QQ Whitelist.

3. Configuration Procedure

Before creating the Internet behavior management policies, you may do the following tasks:

Go to the Security > Address Group page to create two address groups: one is for the two CEOs, and it contains two IP addresses: 192.168.20.4 and 192.168.20.5; the other is for the Customer Service and Sales Departments’ employees, and it contains two IP address ranges: from 192.168.20.50 to 192.168.20.70, and from 192.168.20.100 to 192.168.20.120. Here we assume the first group’s name is Directors, and the second group’s name is CSD_SD. Refer to section 12.6.4 How to Add the Address Groups for detailed information about how to create them.

Go to the Security > Schedule page to create one schedule for working time. Here we assume its name is work. Refer to section 12.8.5 Configuration Example for Schedule for detailed information about how to create it.

Here we only describe how to create the three Internet behavior management policies, enable the QQ whitelist feature and add the five QQ numbers into the QQ Whitelist.

The configuration steps are the following:

Step 1 Go to the Restriction > Behavior Mgmt. > Behavior Mgmt. Settings page.

Step 2 Creating Policy 1: Select Any Address from the Address Group drop-down list, select work from the Schedule drop-down list, select all the check boxes in the IM, P2P, Games and DNS configuration fields, and then click the Save button, see Figure 11-12.

Figure 11-12 Internet Management Behavior Example - Policy 1

Step 3 Creating Policy 2: Select CSD_SD from the Address Group drop-down list, select work from the Schedule drop-down list, select all the check boxes in the P2P, Games and DNS configuration fields, and then click the Save button, see Figure 11-13.

Figure 11-13 Internet Management Behavior Example - Policy 2

Step 4 Creating Policy 3: Select Directors from the Address Group drop-down list, select Always from the Schedule drop-down list, clear all the check boxes in the page, and then click the Save button, see Figure 11-14.

Figure 11-14 Internet Management Behavior Example - Policy 3

Step 5 Go to the Restriction > QQ Whitelist page, select the Enable QQ Whitelist check box, and click the Save button, see Figure 11-15. Click the New button to go to the QQ Whitelist Settings page to add the first QQ number (i.e., 21586375) into the QQ Whitelist, and then add the other four QQ numbers one by one, see Figure 11-16.

Figure 11-15 Internet Management Behavior Example - Enable QQ Whitelist


Figure 11-16 Internet Management Behavior Example - QQ Whitelist
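The first-match policy search described in the note to section 11.2.1, applied to the three policies and the QQ whitelist of this example, as an added Python model that is not Digicom code: the class and function names, the sample times, and the assumption that a matched policy outside its schedule blocks nothing (without falling through to the next policy) are all assumptions, not documented Device behaviour.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed model (not Digicom code) of how the Behavior Mgmt. List is searched:
# newest policy on top, first policy whose address group contains the user's IP
# wins (section 11.2.1, note 2). All class and function names are hypothetical.

CATEGORIES = ("IM", "P2P", "Game", "DNS")

@dataclass(frozen=True)
class AddressGroup:
    name: str
    ranges: tuple  # ((first_ip, last_ip), ...), both ends inclusive

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)

ANY_ADDRESS = AddressGroup("Any Address", (("0.0.0.0", "255.255.255.255"),))

@dataclass(frozen=True)
class Schedule:
    name: str
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    windows: tuple       # ((start, end), ...) as datetime.time, end exclusive

    def active(self, when: datetime) -> bool:
        return (when.weekday() in self.weekdays
                and any(s <= when.time() < e for s, e in self.windows))

@dataclass(frozen=True)
class Policy:
    description: str
    address_group: AddressGroup
    schedule: Optional[Schedule]  # None models the "Always" schedule
    blocked: frozenset            # categories this policy blocks

class BehaviorMgmt:
    def __init__(self, qq_whitelist=(), qq_whitelist_enabled=True):
        self.policies = []  # index 0 is the top of the Behavior Mgmt. List
        self.qq_whitelist = frozenset(qq_whitelist)
        self.qq_whitelist_enabled = qq_whitelist_enabled

    def create(self, policy: Policy) -> None:
        # Reverse chronological order: the later created, the higher listed.
        self.policies.insert(0, policy)

    def match(self, ip: str) -> Optional[Policy]:
        # Top-down search on the user's IP; the first hit ends the search.
        return next((p for p in self.policies if p.address_group.contains(ip)), None)

    def decide(self, ip: str, category: str, when: datetime, qq_number=None):
        """Return (verdict, description of the matched policy) for one action."""
        policy = self.match(ip)
        if policy is None:
            return "allow", None
        # Assumption: a matched policy outside its schedule blocks nothing and the
        # Device does not fall through to the next policy in the list.
        if policy.schedule is not None and not policy.schedule.active(when):
            return "allow", policy.description
        if (category == "IM" and qq_number is not None and self.qq_whitelist_enabled
                and qq_number in self.qq_whitelist):
            return "allow", policy.description  # QQ whitelist exemption (section 11.4)
        return ("block" if category in policy.blocked else "allow"), policy.description

def build_example(policy3_created_first: bool = False) -> BehaviorMgmt:
    """Section 11.5 setup; policy3_created_first=True shows why the Analysis
    insists that the most specific policy is created last."""
    directors = AddressGroup("Directors", (("192.168.20.4", "192.168.20.4"),
                                           ("192.168.20.5", "192.168.20.5")))
    csd_sd = AddressGroup("CSD_SD", (("192.168.20.50", "192.168.20.70"),
                                     ("192.168.20.100", "192.168.20.120")))
    work = Schedule("work", frozenset(range(5)),  # Monday to Friday
                    ((time(9, 0), time(12, 0)), (time(13, 0), time(18, 0))))
    mgmt = BehaviorMgmt(qq_whitelist=("21586375", "29583674", "1572681475",
                                      "1143550132", "66587954"))
    policy1 = Policy("Policy 1", ANY_ADDRESS, work, frozenset(CATEGORIES))
    policy2 = Policy("Policy 2", csd_sd, work, frozenset({"P2P", "Game", "DNS"}))
    policy3 = Policy("Policy 3", directors, None, frozenset())
    for p in ((policy3, policy1, policy2) if policy3_created_first
              else (policy1, policy2, policy3)):
        mgmt.create(p)
    return mgmt

# Constructed sample moments: a Tuesday in working time, the lunch break, a Saturday.
WORK_TIME = datetime(2011, 3, 1, 10, 30)
LUNCH_TIME = datetime(2011, 3, 1, 12, 30)
WEEKEND = datetime(2011, 3, 5, 10, 30)

if __name__ == "__main__":
    print(build_example().decide("192.168.20.4", "Game", WORK_TIME))      # allow, Policy 3
    print(build_example(True).decide("192.168.20.4", "Game", WORK_TIME))  # block, Policy 1
```

Running it with policy3_created_first=True reproduces the mistake the Analysis warns about: Policy 1 (Any Address) then sits above Policy 3 in the list and catches the CEO first.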


11.6 Notice

This section describes the Restriction > Notice page.

11.6.1 Introduction to Notice

The Device provides a notice feature which is used to push notice messages to the specified LAN users. After you enable the notice feature, if a specified LAN user accesses the Internet via a web browser (e.g., IE, Firefox), the Device will automatically push a notice message to the user.

The Device provides one-time notice and daily notice. If you enable the one-time notice feature and specify a notice message, then when a specified LAN user accesses the Internet via a web browser, the Device will automatically push the notice message to the user; in general, the one-time notice message is only pushed once. If you enable the daily notice feature and specify a notice message, the Device will automatically push the notice message to the specified LAN users once per day.

Whether you use one-time notice or daily notice, you can either customize a notice message or just specify a notice URL. If you choose to customize a notice message, then when a specified LAN user accesses the Internet via a web browser, the Device will automatically pop up the notice message to the user. Otherwise, the requested web page will automatically jump to the specified URL to display the notice; in this case, you need to add the notice message to that web page in advance.

Besides the notice feature in this page, FW4x-IPxx-U01 Series Security Firewalls also provide a domain blocking notice feature. Please refer to section 12.4.2 Domain Blocking Notice for detailed information.

11.6.2 Notice Settings

11.6.2.1 One-Time Notice Settings

When using one-time notice, the Device will push the notice message to the LAN users that belong to the specified address group, and the one-time notice message is only pushed once.

Figure 11-17 One-Time Notice Settings - Customized Mode

• Enable One-Time Notice: It allows you to enable or disable one-time notice. If you want to enable one-time notice, please select this check box.

• Address Group: It specifies an address group to which the notice message will be pushed. When you enable one-time notice, the Device will directly push the notice message to the LAN users that belong to this address group. The address group is configured in the Security > Address Group page.

• Notice Mode: It specifies the mode of pushing the notice. There are two available options:

● Customized: When selecting Customized (see Figure 11-17), it allows you to customize a notice message which consists of Notice Title, Notice Content and Signature, and to preview the notice message. In this case, if a specified LAN user accesses the Internet via a web browser, the Device will automatically pop up the notice message to the user.

● URL: When selecting URL, it allows you to specify a notice URL, see Figure 11-19. In this case, you need to add a notice message to the specified web page in advance; thus, if a specified LAN user accesses the Internet via a web browser, the requested web page will automatically jump to the specified URL to display the notice.

• Notice Title: It specifies the title of the notice message. If you select Customized from the Notice Mode check box, you need to set it.

• Signature: It specifies the signature of the notice message. If you select Customized from the Notice Mode check box, you need to set it.

• Notice Content: It specifies the content of the notice message. If you select Customized from the Notice Mode check box, you need to set it.

• URL: It specifies a notice URL to which the requested web page will automatically jump. If you select URL from the Notice Mode check box, you need to set it.

• Save: Click it to save your settings.

• Preview: If you select Customized from the Notice Mode check box, you may click the Preview button to preview the notice message you just configured. The following figure shows an example of a notice message.

Figure 11-18 One-Time Notice Preview - Example


Figure 11-19 One-Time Notice Settings - URL Mode

Note

1. If the Device pushes a notice message to a LAN user who hasn’t launched a web browser, the push will fail; once the user launches the web browser and accesses an Internet domain name or IP address, he/she will receive the notice message immediately. For example, assume that the Device is scheduled to push a notice message at 8:00 am; if a user hasn’t launched the web browser by 8:00 am, the user cannot receive the notice message, and if the user then accesses the Internet via the web browser at 10:00, he/she will receive the notice message immediately.

2. When using one-time notice, if you restart the Device, the Device will push the notice message once again.

11.6.2.2 Daily Notice Settings

When using daily notice, the Device will automatically push the notice message to the LAN users that belong to the specified address group once per day.

Figure 11-20 Daily Notice Settings

• Enable Daily Notice: It allows you to enable or disable daily notice. If you want to enable daily notice, please select this check box.

Please refer to section 11.6.2.1 One-Time Notice Settings for detailed description of the other parameters.

11.7 Web Authentication

FW4x-IPxx-U01 series security firewalls provide a Web authentication feature, which enhances network security. If you enable Web authentication on the Device, non-PPPoE dial-in users cannot access the Internet through the Device unless they are authenticated successfully through a Web browser.

11.7.1 Enable Web Authentication

Figure 11-21 Enable Web Authentication

• Enable Web Authentication: It allows you to enable or disable the web authentication feature. By default it is disabled. If you select the check box to enable this feature, non-PPPoE dial-in users cannot access the Internet through the Device unless they are authenticated successfully.

• Save: Click it to save your settings.

11.7.2 Web Authentication User Account Settings

Figure 11-22 Web Authentication User Account Settings

• User Name: It specifies a unique user name of the web authentication account. It should be between 1 and 31 characters long. The Device will use the User Name and Password to authenticate a user.

• Password: It specifies the password of the web authentication account.

• Description: It specifies the description of the web authentication account.

• Save: Click it to save the web authentication account settings.

11.7.3 Web Authentication User Account List


Figure 11-23 Web Authentication User Account List

• Add a Web Authentication User Account: If you want to add a web authentication user account, click the New button or select the User Account Settings tab to go to the setup page, configure it, and lastly click the Save button.

• Edit a Web Authentication User Account: If you want to modify a configured web authentication user account, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button.

• Delete Web Authentication User Account(s): If you want to delete one or more configured web authentication user accounts, select their leftmost check boxes, and then click the Delete button.

11.7.4 How to Use Web Authentication

If you want to use web authentication for a non-PPPoE dial-in user, do the following:

Step 1 Go to the Restriction > Web Authentication page, and then select the Web User Account Settings tab to go to the setup page.

Step 2 Configure a new web authentication user account (see Figure 11-22), and then click the Save button to save the settings.

Step 3 Select the User Account List tab, and then select the Enable Web Authentication check box.

Step 4 Launch a web browser, enter an Internet domain name or IP address in the address bar, and then press <Enter>; the Device will automatically pop up an authentication login page, see Figure 11-24.

Figure 11-24 Web Authentication Login Page

Step 5 Enter the correct user name and password in the text boxes, and then click the Save button; the system will pop up a prompt page (see Figure 11-25).

Figure 11-25 Web Authentication Prompt Page

Note

Do not close the prompt page; else, the user cannot access the Internet.


Chapter 12 Security

This chapter describes how to configure security features, including attack defense, IP/MAC binding, firewall, DNS filtering, NAT session limit, address group, service group and schedule.

12.1 Attack Defense

This section describes the Security > Attack Defense page, which includes internal attack defense and external attack defense.

12.1.1 Internal Attack Defense

In this page, you can do basic internal attack defense settings to enhance network security.

The internal attack defense includes three parts:

• Virus Defense: It can effectively protect the Device against popular virus attacks, such as the Blaster virus attack, UDP/ICMP/SYN flood attacks, ARP spoofing attack, and so on.

• Access Restrict: It can effectively protect the Device against DDoS attacks by restricting LAN hosts’ access to the Device.

• Other Defense: It can effectively protect the Device against port scanning attack.

Figure 12-1 Internal Attack Defense Settings

1. Virus Attacks Defense

• Enable Blaster Virus Defense: It allows you to enable or disable anti-Blaster virus defense. If you select the check box to enable this feature, it will effectively protect the Device against Blaster and Sasser virus attacks. After you enable this feature, the Device will discard those TCP packets destined for port 135, 136, 137, 138, 139, 445, 1025, 5554 or 9996, so the LAN hosts cannot access the related services provided by outside hosts, e.g., Windows file and printer sharing services.

• Enable IP Spoofing Defense: It allows you to enable or disable IP spoofing defense. If you select the check box to enable this feature, it will effectively protect the Device against IP spoofing attack. After you enable this feature, the Device will only forward the packets whose source IP address is in the same subnet as the Device LAN IP address. Note that in this case the hosts behind an L3 switch cannot access the Internet through the Device.

• Enable UDP Flood Defense: It allows you to enable or disable UDP flood defense. If you select this check box to enable this feature, it will effectively protect the Device against UDP flood attack. After you enable this feature, if the number of UDP packets from one source IP address (e.g., 192.168.20.66) to a single port on a remote host exceeds the threshold, the Device will consider that the LAN host with IP address 192.168.20.66 is performing a UDP flood attack, and then randomly discard the further UDP packets from that source to that destination. In most cases, leave Threshold at the default value.

• Enable ICMP Flood Defense: It allows you to enable or disable ICMP flood defense. If you select this check box to enable this feature, it will effectively protect the Device against ICMP flood attack. After you enable this feature, if the number of ICMP packets from one source IP address (e.g., 192.168.20.16) to a single port on a remote host exceeds the threshold, the Device will consider that the LAN host with IP address 192.168.20.16 is performing an ICMP flood attack, and then randomly discard the further ICMP packets from that source to that destination. In most cases, leave Threshold at the default value.

• Enable SYN Flood Defense: It allows you to enable or disable SYN flood defense. If you select this check box to enable this feature, it will effectively protect the Device against SYN flood attack. After you enable this feature, if the number of SYN packets from one source IP address (e.g., 192.168.20.36) to a single port on a remote host exceeds the threshold, the Device will consider that the LAN host with IP address 192.168.20.36 is performing a SYN flood attack, and then randomly discard the further SYN packets from that source to that destination. In most cases, leave Threshold at the default value.

• Enable ARP Spoofing Defense: It allows you to enable or disable ARP spoofing defense. If you select the check box to enable this feature, and then bind all the IP/MAC address pairs of the LAN hosts (configured in the Security > IP/MAC Binding page), it will effectively protect the Device against ARP spoofing attack.

• ARP Broadcast Interval: It specifies the time interval at which the Device periodically broadcasts gratuitous ARP packets. These gratuitous ARP packets are used to inform the LAN hosts of the correct MAC address of the Device’s LAN interface, so the LAN hosts can effectively defend against ARP spoofing attack. It should be a multiple of 10 between 100 and 5000 milliseconds.

2. Access Restrict

• Enable Device Access Restrict: It allows you to enable or disable device access restrict. Select the check box to restrict LAN hosts’ access to the Device through the LAN interface, so it will protect the Device against internal DDoS attacks. The access restrict rules are as follows:

1) Allow any LAN host to use ICMP to access the Device.

2) Allow any LAN host to access the UDP port 53, 67 or 68 of the Device, to ensure that the Device’s DNS proxy, DHCP server and DHCP client can operate properly.

3) Only allow the LAN hosts that belong to the range specified by Allowed IP Addresses to access the web or telnet service provided by the Device, but block the other hosts.

4) Block LAN hosts from accessing any other services provided by the Device.

• Allowed IP Addresses: It specifies an address range of the allowed LAN hosts. When Enable Device Access Restrict is selected, only the LAN hosts that belong to this range can access the web or telnet service provided by the Device.

• Threshold: It specifies the maximum number of packets passing through the Device’s LAN interface per second. It should be between 0 and 20000 packets per second, and the suggested value is between 300 and 600 packets per second.

3. Other Defense

• Enable Port Scanning Defense: It allows you to enable or disable port scanning defense. If you select this check box to enable this feature, it will effectively protect the Device against port scanning attack. After you enable this feature, if a LAN host continuously sends SYN packets to different ports on a remote host, and the number of ports exceeds 10 within the specified time interval (set by Threshold), the Device will consider that the LAN host is performing a port scanning attack, and then randomly discard the further SYN packets from it to that destination host. In most cases, leave Threshold at the default value.

• Save: Click it to save the internal attack defense settings.
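The flood and port scanning checks above can be read as counting rules over LAN traffic. The following Python simulation is an added example (not the Device's firmware) of those rules: it counts UDP/ICMP/SYN packets from one source to one port of one remote host within an interval, and counts distinct ports probed with SYN on one remote host (limit 10, as stated above). The thresholds, the interval and the packet records are constructed; the manual does not state the Device's default values.

```python
"""Detection logic modelled on the internal attack defense of section 12.1.1.

Added example, not the Device's firmware. The thresholds and the packet
records are constructed; only the port limit of 10 comes from the manual.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed packet record: (time in seconds, src IP, dst IP, proto, dst port, TCP flags)
Packet = Tuple[float, str, str, str, int, str]


class InternalAttackDefense:
    def __init__(self, flood_threshold: int = 100, scan_port_limit: int = 10,
                 interval: float = 1.0) -> None:
        self.flood_threshold = flood_threshold   # packets per interval to one remote port
        self.scan_port_limit = scan_port_limit   # the manual's fixed value is 10 ports
        self.interval = interval                 # the "Threshold" time interval (assumed 1 s)
        # (src, dst, proto, port) -> timestamps of packets seen within the interval
        self._flood: Dict[tuple, Deque[float]] = defaultdict(deque)
        # (src, dst) -> {dst port: time the last SYN to it was seen}
        self._scan: Dict[tuple, Dict[int, float]] = defaultdict(dict)

    def inspect(self, pkt: Packet) -> str:
        """Return 'pass', 'udp-flood', 'icmp-flood', 'syn-flood' or 'port-scan'.

        The Device randomly discards further packets once a threshold is
        exceeded; this simulation only labels them so a log can be reviewed.
        """
        ts, src, dst, proto, port, flags = pkt
        is_syn = proto == "TCP" and flags == "S"
        if proto in ("UDP", "ICMP") or is_syn:
            recent = self._flood[(src, dst, proto, port)]
            while recent and ts - recent[0] > self.interval:
                recent.popleft()                 # forget packets outside the interval
            recent.append(ts)
            if len(recent) > self.flood_threshold:
                return "syn-flood" if is_syn else proto.lower() + "-flood"
        if is_syn:
            probed = self._scan[(src, dst)]
            probed[port] = ts
            for p, seen in list(probed.items()):
                if ts - seen > self.interval:
                    del probed[p]                # port not probed within the interval
            if len(probed) > self.scan_port_limit:
                return "port-scan"
        return "pass"


def run(packets: List[Packet], **kwargs) -> Dict[str, int]:
    """Inspect a packet list in arrival order and count the verdicts."""
    ids = InternalAttackDefense(**kwargs)
    counts: Dict[str, int] = defaultdict(int)
    for pkt in packets:
        counts[ids.inspect(pkt)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed traffic: one LAN host sends SYNs to 12 different ports of one remote host.
    sweep = [(0.05 * i, "192.168.20.36", "203.0.113.10", "TCP", 1000 + i, "S")
             for i in range(12)]
    print(run(sweep))   # {'pass': 10, 'port-scan': 2}
```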

12.1.2 External Attack Defense

In this page you can enable or disable WAN ping respond. As ping is often used by malicious Internet users to locate active networks or hosts, in most cases it is recommended that you disable WAN ping respond for added security. Only in some special cases, such as network debugging, do you need to enable this feature.

Figure 12-2 External Attack Defense Settings

• Enable WAN Ping Respond: It allows you to enable or disable WAN ping respond. If you select the check box to enable WAN ping respond, all the Device’s WAN interfaces will respond to ping requests from outside hosts.

• Save: Click it to save the external attack defense settings.

12.2 IP/MAC Binding

This section describes the Security > IP/MAC Binding page.

12.2.1 Introduction to IP/MAC Binding

12.2.1.1 IP/MAC Overview

To achieve network security management, you should firstly implement user identification, and then you should implement user authorization. Section 12.3 Security > Firewall describes how to configure and use access control rules to control the Internet behaviors of the LAN users. In this section, we will describe how to implement user identification.

The Device provides the IP/MAC binding feature to implement user identification. Using the IP/MAC address pair as a unique user identity, you can protect the Device and your network against IP spoofing attacks. An IP spoofing attack refers to a host attempting to use another trusted host’s IP address to connect to or pass through the Device. A host’s IP address can easily be changed to a trusted address, but its MAC address cannot easily be changed as it is assigned to the Ethernet card at the factory.

The IP/MAC binding feature allows you to add the IP and MAC address pairs of trusted LAN hosts in the IP/MAC Binding List. Note that in the IP/MAC Binding List, you can allow or block Internet access for each IP/MAC binding user. After you have added a LAN user’s IP and MAC address pair into the IP/MAC Binding List, if its Allow Internet Access check box is selected (check mark √ appears), it will allow the user to access the Device and Internet, else block the user.

12.2.1.2 The Operation Principle of IP/MAC Binding

For the sake of convenience, we firstly introduce several related terms including legal user, illegal user and undefined user.

Legal User: A legal user’s IP and MAC address pair matches an IP/MAC binding whose Allow Internet Access check box is selected.

Illegal User: An illegal user’s IP and MAC address pair matches an IP/MAC binding whose Allow Internet Access check box is unselected; or the IP address or MAC address is the same as an IP/MAC binding’s, but not both.

Undefined User: An undefined user’s IP address and MAC address both are different from any IP/MAC binding. The undefined users are all the users except legal and illegal users.

The Device allows the legal users to access the Device and access the Internet through the Device, and denies the illegal users. The Allow Undefined LAN PCs parameter determines whether the undefined users are allowed to access the Device and access the Internet through the Device: they are allowed if the Allow Undefined LAN PCs check box is selected, else blocked.

The IP/MAC binding feature acts on the packets initiated from the LAN hosts to the Device or outside hosts. When receiving a packet initiated from the LAN, the Device will first determine the sender’s identity by comparing the packet with the bindings in the IP/MAC Binding List, and then process the packet according to the sender’s identity. The details are as follows:

1. If the sender is a legal user, the packet will be allowed to pass, and then be further processed by the firewall access control function module.

2. If the sender is an illegal user, the packet will be dropped immediately to prevent IP spoofing.

3. If the sender is an undefined user, there are two cases:

1) If the Allow Undefined LAN PCs check box is selected, the packet will be allowed to pass, and then be further processed by the firewall access control function module.

2) Else, the packet will be dropped immediately.

For example, if the IP/MAC address pair with IP address 192.168.20.65 and MAC address 00:15:c5:67:41:0f is added to the IP/MAC Binding List, and its Allow Internet Access check box is selected, see Figure 12-3.

Figure 12-3 IP/MAC Binding List - Example One

Then, when receiving a packet initiated from LAN, the Device will process it according to the following cases:

1. A packet with IP address 192.168.20.65 and MAC address 00:15:c5:67:41:0f is allowed to pass, and then it will be further processed by the firewall access control function module.

2. A packet with IP address 192.168.20.65 but with a different MAC address is dropped immediately to prevent IP spoofing.

3. A packet with a different IP address but with MAC address 00:15:c5:67:41:0f is dropped immediately to prevent IP spoofing.

4. A packet whose IP address and MAC address are both not defined in the IP/MAC Binding List:

1) If the Allow Undefined LAN PCs check box is selected, the packet is allowed to pass, and then it will be further processed by the firewall access control function module.

2) Else, the packet is dropped.

If you want to block the user who matches the IP/MAC binding from accessing the Device and Internet, you need unselect Allow Internet Access check box, see Figure 12-4. Then a packet with IP address 192.168.20.65 and MAC address 00:15:c5:67:41:0f will be dropped.


Figure 12-4 IP/MAC Binding List - Example Two
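The legal/illegal/undefined decision described in this section, written out as a Python simulation. This is an added example, not the Device's firmware; it reuses the binding 192.168.20.65 / 00:15:c5:67:41:0f from Figures 12-3 and 12-4, and the other addresses it checks are constructed. It also accepts the hyphen-free MAC form (e.g. 0015c5674109) that section 12.2.6 uses.

```python
"""Simulation of the IP/MAC binding decision of section 12.2.1.2.

Added example, not the Device's own code. The binding list entries and the
sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

LEGAL, ILLEGAL, UNDEFINED = "legal", "illegal", "undefined"


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    allow_internet: bool = True        # the Allow Internet Access check box (selected by default)


def normalize_mac(mac: str) -> str:
    """Accept 00:15:c5:67:41:0f, 00-15-c5-67-41-0f or 0015c5674109 and return colon form."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class BindingList:
    """The IP/MAC Binding List plus the Allow Undefined LAN PCs global setting."""

    def __init__(self, bindings: Iterable[Binding], allow_undefined_lan_pcs: bool = True):
        self.by_ip: Dict[str, Binding] = {}
        self.by_mac: Dict[str, Binding] = {}
        for b in bindings:
            b = Binding(b.ip, normalize_mac(b.mac), b.allow_internet)
            self.by_ip[b.ip] = b
            self.by_mac[b.mac] = b
        self.allow_undefined = allow_undefined_lan_pcs

    def classify(self, ip: str, mac: str) -> str:
        """Map a packet's source IP/MAC pair to legal, illegal or undefined."""
        mac = normalize_mac(mac)
        by_ip = self.by_ip.get(ip)
        by_mac = self.by_mac.get(mac)
        if by_ip is None and by_mac is None:
            return UNDEFINED                       # neither address is bound
        if by_ip is not None and by_ip.mac == mac:
            return LEGAL if by_ip.allow_internet else ILLEGAL   # exact pair match
        return ILLEGAL                             # IP or MAC matches a binding, not both

    def decide(self, ip: str, mac: str) -> Tuple[str, str]:
        """Return (verdict, reason); 'forward' hands the packet to the firewall ACL module."""
        identity = self.classify(ip, mac)
        if identity == LEGAL:
            return "forward", "legal user"
        if identity == ILLEGAL:
            return "drop", "illegal user (blocked binding or possible IP spoofing)"
        if self.allow_undefined:
            return "forward", "undefined user, Allow Undefined LAN PCs selected"
        return "drop", "undefined user, Allow Undefined LAN PCs unselected"


if __name__ == "__main__":
    # The binding from Figure 12-3; the probing addresses below are constructed.
    bl = BindingList([Binding("192.168.20.65", "00:15:c5:67:41:0f")], allow_undefined_lan_pcs=True)
    for ip, mac in [("192.168.20.65", "00:15:c5:67:41:0f"),   # case 1: legal
                    ("192.168.20.65", "00:15:c5:67:41:10"),   # case 2: same IP, other MAC
                    ("192.168.20.99", "00:15:c5:67:41:0f"),   # case 3: other IP, same MAC
                    ("192.168.20.99", "00:15:c5:67:41:10")]:  # case 4: undefined
        print(ip, mac, bl.decide(ip, mac))
```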

Note

1. If you have added the IP and MAC address pair of a trusted LAN host in the IP/MAC Binding List, and later changed this host’s IP address or MAC address, you must also change the corresponding binding in the IP/MAC Binding List; otherwise the host cannot access the Device and Internet. If the Allow Undefined LAN PCs check box is unselected, you must also add the IP and MAC address pair of any new host that you add to your network, and make sure that its Allow Internet Access check box is selected; otherwise this new host cannot access the Device and Internet.

2. The IP/MAC binding feature can only act on the packets initiated from the LAN hosts to the Device or outside hosts, but cannot act on the packets within the LAN. If you change a LAN host’s IP address or MAC address, this LAN host will be unable to access the Device and access the Internet through the Device, but it still can communicate with the other LAN hosts, such as browsing Network Neighborhood, using Windows file and printer sharing services within the LAN, and so on.

12.2.2 IP/MAC Binding Settings

Figure 12-5 IP/MAC Binding Settings

• Scan: If you click the Scan button, the Device will immediately scan the LAN to detect active hosts connected to the Device, learn and display dynamic ARP information (that is, IP and MAC address pairs). Note that if you have added a LAN host’s IP and MAC address pair in the IP/MAC Binding List, this IP/MAC address pair will not be displayed here.

• Bind: Click it to bind all the valid IP and MAC address pairs in the list box.

Also you can manually create one or more IP/MAC bindings; the operation is as follows: Add one or more IP/MAC address pair entries in the list box, and then click the Bind button. The input contents are: IP Address, MAC Address and Description, one address pair entry per line; and the input format of an address pair entry is: IP Address <Space> MAC Address <Space> Description <Enter>. Note that Description is an optional parameter.

12.2.3 IP/MAC Binding Global Setup

Figure 12-6 IP/MAC Binding Global Setup

• Allow Undefined LAN PCs: It allows or blocks the undefined LAN hosts from accessing the Device and accessing the Internet through the Device. If you want to allow the undefined LAN hosts to access the Device and Internet, select this check box; else unselect it. For more information about undefined LAN hosts, please refer to section 12.2.1.2 Operation Principle of IP/MAC Binding.

• Save: Click it to save the IP/MAC binding global setup.

• Export IP/MAC Binding Script: Click it to download the IP/MAC binding (that is, static ARP binding) script file to the local host. Then run the file and restart the host to add all the static ARP entries to the host to prevent ARP spoofing.

Note

If you want to unselect the Allow Undefined LAN PCs check box to block the undefined LAN hosts from accessing or passing through the Device, you should make sure that you have added the IP/MAC address pair of the host that you use to administer the Device into the IP/MAC Binding List .


12.2.4 IP/MAC Binding List

Figure 12-7 IP/MAC Binding List

• Add an IP/MAC Binding: If you want to add a new IP/MAC binding, click the New button or select the IP/MAC Binding Settings tab to go to the setup page, configure it, and lastly click the Save button.

• Edit an IP/MAC Binding: If you want to modify a configured IP/MAC binding, click its Edit hyperlink; the related information will be displayed in the setup page. Then modify it, and click the Save button. The Allow Internet Access check box is used to allow or block a user matching an IP/MAC binding from accessing the Device and Internet. If you want to allow the user matching an IP/MAC binding to access the Device and Internet, select its check box; else unselect it.

• Delete IP/MAC Binding(s): If you want to delete one or more IP/MAC bindings, select their leftmost check boxes, and then select Delete from the drop-down list on the lower right corner of the IP/MAC Binding List, lastly click the OK button.

• Delete All: If you want to delete all the IP/MAC bindings at a time, select Delete All from the drop-down list on the lower right corner of the list, and then click the OK button.

12.2.5 How to Add the IP/MAC Bindings

If you want to add one or more IP/MAC bindings, do the following:


Step 1 Go to the Security > IP/MAC Binding page, and then click the New button or select the IP/MAC Binding Settings tab to go to the setup page.

Step 2 There are two methods to add IP/MAC bindings:

1) Method One: Click the Scan button to learn current dynamic ARP information (that is, IP and MAC address pairs) of the LAN hosts, and then click the Bind button to bind all the valid IP and MAC address pairs in the list box.

2) Method Two: You can manually add one or more IP/MAC address pairs in the list box, and then click the Bind button to bind these IP/MAC address pairs. Refer to section 12.2.2 IP/MAC Binding Settings for more information.

Step 3 After you have created some IP/MAC bindings, you can view them in the IP/MAC Binding List.

Step 4 If you want to block the undefined LAN hosts from accessing the Device and Internet, please unselect the Allow Undefined LAN PCs check box; else, the undefined LAN hosts are allowed to access the Device and Internet.

Step 5 If you want to temporarily block a user matching an IP/MAC binding from accessing the Device and Internet, please unselect its Allow Internet Access check box.

After you have finished configuring the IP/MAC binding feature, when receiving a packet initiated from the LAN, the Device will first compare the packet with the bindings in the IP/MAC Binding List, and then process the packet according to the related configuration. The packet will be allowed to pass or be dropped immediately. If it is allowed to pass, the packet will be further processed by the firewall access control function module.

12.2.6 Internet Whitelist and Blacklist

12.2.6.1 Introduction to Internet Whitelist and Blacklist Based on IP/MAC Binding

By utilizing IP/MAC binding feature, you can flexibly configure an Internet whitelist or blacklist for the LAN users.

If you want to allow only a small number of LAN users to access the Internet, you can configure an Internet whitelist for these users. Then only the users that belong to the whitelist can access the Internet, and all the other users cannot.

If you want to block only a small number of LAN users from accessing the Internet, you can configure an Internet blacklist for these users. Then only the users that belong to the blacklist cannot access the Internet, and all the other users can access.

On the Device, a user who belongs to the whitelist is a legal user, that is, the user’s IP and MAC address pair matches an IP/MAC binding whose Allow Internet Access check box is selected.

A user who belongs to the blacklist is an illegal user, that is, the user’s IP and MAC address pair matches an IP/MAC binding whose Allow Internet Access check box is unselected; or the IP address or MAC address is the same as an IP/MAC binding’s, but not both.

12.2.6.2 How to Configure an Internet Whitelist

If you want to configure an Internet whitelist, do the following:

Step 1 Go to the Security > IP/MAC Binding page, and then click the New button or select the IP/MAC Binding Settings tab to go to the setup page.

Step 2 Specify the legal users by creating the IP/MAC bindings: Add these users’ IP and MAC address pairs into the IP/MAC Binding List. By default, an IP/MAC binding’s Allow Internet Access check box is selected, which means that the user matching the IP/MAC binding can access the Device and Internet, so please leave it at the default value. Refer to section 12.2.2 IP/MAC Binding Settings for detailed operation.

Step 3 Unselect the Allow Undefined LAN PCs check box to block all the undefined users from accessing the Device and Internet.

For example, if you want to allow a LAN user with IP address 192.168.20.68 and MAC address 0015c5674109 to access the Device and Internet, you can add an IP/MAC binding for him/her into the IP/MAC Binding List, see Figure 12-8. The binding’s Allow Internet Access check box is selected by default, so please leave it at the default value.

Figure 12-8 IP/MAC Binding List - Example Three

12.2.6.3 How to Configure Internet Blacklist

If you want to configure an Internet blacklist, do the following:

Step 1 Go to the Security > IP/MAC Binding page, and then click the New button or select the IP/MAC Binding Settings tab to go to the setup page.

Step 2 Specify the illegal users by creating the IP/MAC bindings. There are three methods:

1) Method One: Bind each illegal user’s IP address to a MAC address which is different from any LAN host’s in the IP/MAC Binding List . Refer to section 12.2.2 IP/MAC Binding Settings for detailed operation.

2) Method Two: Bind an IP address which is different from any LAN host’s to each illegal user’s MAC address in the IP/MAC Binding List .

3) Method Three: Add these users’ IP and MAC address pairs in the IP/MAC Binding List. Unselect each IP/MAC binding’s Allow Internet Access check box respectively; then the matched users cannot access the Device and Internet.

Step 3 Select the Allow Undefined LAN PCs check box to allow all the undefined users to access the Device and Internet.

For example, if you want to block a LAN user with IP address 192.168.20.68 and MAC address 0015c5674109 from accessing the Device and Internet, you can add the corresponding IP/MAC binding in the IP/MAC Binding List. And then unselect the binding’s Allow Internet Access check box to block the user’s access to the Device and Internet, see Figure 12-9.

Figure 12-9 IP/MAC Binding List - Example Four

12.3 Firewall

This section describes the Security > Firewall page, which includes the Access Control List and ACL Settings subpages.

The access control rules that you have created will be listed in the Access Control List. Note that by default the rules are listed in reverse chronological order of creation, and it allows you to manually move a rule to a different position in the list.

12.3.1 Introduction to Access Control

12.3.1.1 The Purpose of Access Control Feature

The development of the Internet has brought some side effects, such as the emergence of gambling, pornography, and other illegal websites which are contrary to the state laws and regulations; broadband networks provide fast surfing to the Internet users, while fast-spreading worms pose a great threat to the Internet users. So if an organization wants to access the Internet, it needs specific Internet access rules. For example, a government organization wants to block the civil servants from accessing stock websites and using IM messenger applications; a business wants to block the employees from accessing game websites and other services which are unrelated to work during working time; parents want to control their children’s online time; a network administrator wants to block worms and hacker attacks.

To achieve these purposes, we develop and implement access control feature on the Device.

By utilizing the access control feature flexibly, you can not only assign different Internet access privileges to different LAN users, but also assign different Internet access privileges to the same users based on schedules. In practice, you can set appropriate access control rules according to the actual requirements of your organization. For example, for a school, you can block the students from accessing game websites; for a family, you can only allow your children to access the Internet during the specified period of time; for a business, you can block the Financial Department’s employees from accessing the Internet.

12.3.1.2 The Operation Principle of Access Control

By default, when no access control rule exists on the Device, the Device forwards all valid packets received on the LAN interface. After you enable access control, the Device examines each packet received on the LAN interface to decide whether to forward or drop it, based on the criteria specified in the access control rules.

When receiving a packet initiated from the LAN, the Device extracts its source MAC address, source IP address, destination IP address, protocol type (TCP, UDP or ICMP), port number and content, together with the date and time at which the packet was received, and compares them with each rule in the order in which the rules are listed in the Access Control List . The first rule that matches the packet is applied, and the Device forwards or drops the packet according to that rule's action. After a match is found, no further rules are checked; if no match is found, the Device drops the packet to ensure security. Note that in practice the list does not run out of rules: the system default rules described in section 12.3.1.6 sit below the user-defined rules, and the default rule pass allows all IP packets unless you change its Action to Deny . If you want the list to be default-deny for IP traffic, set the Action of pass to Deny and place explicit Allow rules above it.

The access control rules are applied to the packets that are received by the Device's LAN interface, that is, those packets that arrive on the LAN interface and then go through the Device. If a packet matches a rule whose Action is Allow , the packet is allowed to pass and is then further processed by the route, NAT and other modules. If the packet matches a rule whose Action is Deny , or doesn't match any rule, it is dropped immediately. As dropped packets are not further processed by the route, NAT and other modules, this reduces CPU load and improves the Device's performance.

12.3.1.3 The Action of an Access Control Rule

The action of an access control rule is either Allow or Deny . When receiving a packet that matches a rule in the Access Control List , the Device will forward the packet if the rule’s action is Allow ; else the Device will drop it.

12.3.1.4 The Execution Order of Access Control Rules

The order of access control rules is very important. When receiving a packet initiated from the LAN, the Device searches the Access Control List for a rule that matches the packet. It checks the packet against each rule in the order in which the rules are listed. After a match is found, no further rules are checked. If no match is found, the Device drops the packet to ensure security. Note that by default the rules are listed in reverse chronological order of creation, so the most recently created rule is listed at the top; the Device allows you to move a rule manually to a different position in the list.

Because the Device allows or denies a packet according to the first rule that matches it, you should arrange the rules in the Access Control List from specific to general. For example, if the rule at the top of the list explicitly allows all packets to pass, no rule below it is ever checked. As another example, if you want to allow a LAN user to access only the Web service and block every other service, the rule that allows the user to access the Web service must be listed above the rule that denies the user every other service.

12.3.1.5 Address Group and Service Group

On the Device, you can first create IP address groups in the Security > Address Group page or service groups in the Security > Service Group page, and then reference them by name in the source or destination address group fields, or the service group field, of access control rules.

1. Address Group

Using address groups can facilitate the configuration of access control rules. For example, if some LAN hosts’ IP addresses are discontinuous, but the hosts have the same privileges of accessing the Internet, you can create an address group for these hosts.

Then you only need to create one access control rule that references the address group. Otherwise you need to create multiple access control rules for these hosts. Refer to section 12.6 Address Group for more information about address groups.

2. Service Group

The service group is used to match the source MAC address, protocol type (TCP, UDP or ICMP), port number and content of the packets that are received by the Device. Using service groups can simplify the configuration of access control rules. For example, you can add the telnet, pop3 and http services to one service group, and then create one rule that references the service group to control access to these services. Otherwise you need to create one access control rule per service. Refer to section 12.7 Service Group for more information about service groups.

12.3.1.6 System Default Access Control Rules

Besides the user-defined access control rules, the Device automatically creates some system default access control rules in the Access Control List . The following table describes the purposes of these rules.

ID        Description
lan       Allows the LAN users to access the Device's LAN interface. It is the first rule, but it is implicit and not displayed in the list.
dns       Allows the DNS packets to pass by default.
dhcp      Allows the DHCP packets to pass by default.
pass      A global rule for IP packets. By default it allows all the IP packets to pass. It is always listed and displayed at the bottom of the list.
generic   A global rule that allows all packets, including non-IP packets, to pass. It is the last rule, but it is implicit and not displayed in the list.

Table 12-1 The System Default Access Control Rules

Note

You cannot delete the system default access control rules in the Access Control List , and you cannot modify their parameters except Action .

12.3.2 Access Control Rule Settings

Before creating the access control rules, you may do the following tasks:

Go to the Security > Address Group page to create the address groups that will be referenced by the rules.

Go to the Security > Service Group page to create the service groups that will be referenced by the rules.

Go to the Security > Schedule page to create the schedules that will be referenced by the rules.

Also, you can directly specify the source or destination IP addresses, or services of access control rules in this page. The following describes the definitions of a rule’s parameters.

Figure 12-10 Access Control Rule Settings

 Action: It determines the action of the access control rule. There are two available options:

● Allow: It indicates that the Device will allow the packets that match the rule to pass, that is, the Device will forward these packets.

● Deny: It indicates that the Device will deny the packets that match the rule to pass, that is, the Device will drop these packets.


 Schedule: It specifies a schedule that restricts when the access control rule is in effect. The default value is Always , which means the rule is always in effect. Note that once the selected schedule has expired, the rule is no longer restricted by it and is in effect at all times, exactly as if Always had been selected: an expired Allow rule becomes a permanent allow, and an expired Deny rule a permanent deny. Review rules that reference time-limited schedules before the schedule ends.

 Description: It specifies the description of the access control rule. It is usually used to describe the purpose of the rule.

 Source: It specifies the source IP addresses of the packets to which the access control rule applies. There are two options:

● Addresses: Select it to enter the start and end addresses in the associated text boxes.

● Address Group: Select it to choose an address group from the associated drop-down list. By default, the Address Group radio button is selected, and its value is Any Address .

 Destination: It specifies the destination IP addresses of the packets to which the access control rule applies. There are two options: Addresses and Address Group .

● Addresses: Select it to enter the start and end addresses in the associated text boxes.

● Address Group: Select it to choose an address group from the associated drop-down list. By default, the Address Group radio button is selected, and its value is Any Address .

 Service: It specifies a range of ports or a service group to which the access control rule applies. There are two options:

● Ports: Select it to enter the start and end port numbers in the associated text boxes, and select a protocol type from Protocol drop-down list. The port number is between 1 and 65535, and the protocols include TCP , UDP and ICMP .

● Service Group: Select it to choose a service group or predefined service from the associated drop-down list. The Device provides some well-known services, such as telnet, smtp, web, pop3, and so on. By default, the Service Group radio button is selected, and its value is Any Service .

 Edit Schedule: Click it to go to the Security > Schedule page to add, view, modify or delete schedules.

 Edit Address Group: Click it to go to the Security > Address Group page to add, view, modify or delete address groups.


 Edit Service Group: Click it to go to the Security > Service Group page to add, view, modify or delete service groups.

 Save: Click it to save the access control rule settings.

Note

You can first create IP address groups in the Security > Address Group page or service groups in the Security > Service Group page, and then reference them by name in the source or destination address group fields, or the service group field, of access control rules. If the addresses or service ports are consecutive, you can also specify the source or destination IP addresses, or the services, of a rule directly in this page.

12.3.3 Enable Access Control

Figure 12-11 Enable Access Control

 Enable Access Control: It allows you to enable or disable firewall access control. If you select the check box to enable this feature, the configured access control rules take effect. Otherwise the rules have no effect.

 Save: Click it to save your settings.


12.3.4 Access Control List

Figure 12-12 Access Control List

 Add an Access Control Rule: If you want to add a new access control rule, click the New button or select the ACL Settings tab to go to the setup page, configure the rule, and lastly click the Save button.

 View Access Control Rule(s): When you have configured some access control rules, you can view them in the Access Control List .

 Edit an Access Control Rule: If you want to modify a configured access control rule, click its Edit hyperlink; the related information is displayed in the setup page. Then modify it, and click the Save button.

 Move an Access Control Rule: The Device allows you to move an access control rule to the position immediately above another rule in the list. The operation is as follows: select the ID of the rule that you want to move from the Move drop-down list, select the other rule's ID from the before drop-down list, and lastly click the OK button. Note: Moving a rule in the list doesn't change its ID number, only its evaluation order.

 Delete Access Control Rule(s): If you want to delete one or more access control rules, select the leftmost check boxes of them, and then click the Delete button.

Note

1. The user-defined access control rule whose Service is set to dns will be automatically listed above the system default access control rule dns .


2. The system default access control rule pass is always listed at the bottom of the Access Control List ; you cannot move it.

3. You cannot delete the system default access control rules in the Access Control List , and you cannot modify their parameters except Action .

12.3.5 Configuration Examples for Access Control

12.3.5.1 Example One

1. Requirements

In this example, a business has four departments: Technology Department, Customer Service Department, Financial Department and Sales Department.

The IP address ranges of the departments are as follows:

Technology Department: 192.168.20.2~192.168.20.30

Customer Service Department: 192.168.20.31~192.168.20.60

Financial Department: 192.168.20.61~192.168.20.70

Sales Department: 192.168.20.71~192.168.20.100

The CEO wants to control the Internet behaviors of the Technology and Financial Departments' employees:

1. Allow them to access WEB and FTP services during working time.

2. Deny them to access all other services during working time.

3. Allow them to access any service during rest periods.

Besides, he wants to allow any other employee to access any service at any time.

The working time is: Monday to Friday, 9:00 a.m. to 12:00 noon, and 1:00 p.m. to 6:00 p.m.

2. Analysis

We need two user-defined access control rules together with the default rule pass to meet the requirements:

User-defined rule 1: It allows the Technology and Financial Departments' employees to access the WEB and FTP services during working time.

User-defined rule 2: It denies the Technology and Financial Departments' employees access to any service during working time.

Default rule pass : It allows all the IP packets to pass by default, so every other employee at any time, and the two departments outside working time, can access any service.

Rule 1 must be listed above rule 2. Both rules match the same source addresses and the same schedule, and the first match wins (section 12.3.1.4). Because a newly created rule is placed at the top of the Access Control List , creating rule 1 before rule 2 leaves rule 2 above it; use Move in the Access Control List to put rule 1 above rule 2, otherwise the WEB and FTP services are denied during working time as well.

3. Configuration Procedure

1 ) Configuring Access Control Rule 1

Step 1 Go to the Security > Schedule > Schedule Settings page to create a schedule for working time. Here we assume its name is work , see Figure 12-13.

Refer to section 12.8.5 Configuration Example for Schedule for detailed operation.

Figure 12-13 The Schedule of work Settings - Example 1

Step 2 Go to the Security > Address Group > Address Group Settings page to create an address group for the Technology and Financial Departments' employees. It includes two address ranges: one from 192.168.20.2 to 192.168.20.30, the other from 192.168.20.61 to 192.168.20.70. Here we assume its name is TD_FD , see Figure 12-14.


Figure 12-14 The Address Group of TD_FD Settings - Example 1

Step 3 Go to the Security > Service Group > Service Group Settings page to configure a service group which includes two services: one is web, the other is ftp, and here we assume its name is WEB_FTP , see Figure 12-15.

Figure 12-15 The Service Group of WEB_FTP Settings - Example 1

Step 4 Go to the Security > Firewall > ACL Settings page to configure rule 1, see Figure 12-16: select Allow from the Action , select work from the Schedule , select TD_FD from the Source Address Group drop-down list, select Any Address from the Destination Address Group drop-down list, and select WEB_FTP from the Service Group drop-down list, lastly click the Save button to save the settings.

Figure 12-16 The Access Control Rule 1 Settings - Example 1

2 ) Configuring Access Control Rule 2

Go to the Security > Firewall > ACL Settings page to create rule 2, see Figure 12-17: select Deny from the Action , select work from the Schedule , select TD_FD from the Source Address Group drop-down list, select Any Address from the Destination Address Group drop-down list, and select Any Service from the Service Group drop-down list, lastly click the Save button to save the settings.


Figure 12-17 The Access Control Rule 2 Settings - Example 1

3 ) Enabling Access Control

You should enable the access control feature to let the access control rules take effect, see Figure 12-18.

Figure 12-18 Enable Access Control - Example 1
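The first-match evaluation described in sections 12.3.1.2 and 12.3.1.4, loaded with the objects of this example, as an added Python model. It is not the Device's code: the class and function names, the sample timestamps and the destination address are assumptions, and the implicit system rules lan and generic are left out because the model only evaluates IP packets from the LAN. It shows the intended list (rule 1 above rule 2, pass at the bottom), the list as the Device displays it right after creation (rule 2 above rule 1), and a pass rule whose Action has been changed to Deny.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address

# Objects referenced by name from the rules (Security > Address Group, Service Group,
# Schedule). Their contents are those of Example One; the representation is assumed.
ADDRESS_GROUPS = {
    "TD_FD": [("192.168.20.2", "192.168.20.30"),
              ("192.168.20.61", "192.168.20.70")],
}
SERVICE_GROUPS = {  # (protocol, first destination port, last destination port)
    "WEB_FTP": [("tcp", 80, 80), ("tcp", 21, 21)],
}
SCHEDULES = {  # weekdays (Monday = 0) and [(start, end)] as (hour, minute) pairs
    "work": ({0, 1, 2, 3, 4}, [((9, 0), (12, 0)), ((13, 0), (18, 0))]),
}

@dataclass
class Rule:
    rule_id: str
    action: str                   # "Allow" or "Deny"
    schedule: str = "Always"
    src: str = "Any Address"      # address group name
    dst: str = "Any Address"
    service: str = "Any Service"  # service group name

@dataclass
class Packet:                     # a packet arriving on the LAN interface
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    when: datetime

def in_address_group(ip, group):
    if group == "Any Address":
        return True
    a = IPv4Address(ip)
    return any(IPv4Address(lo) <= a <= IPv4Address(hi) for lo, hi in ADDRESS_GROUPS[group])

def in_service_group(pkt, group):
    if group == "Any Service":
        return True
    return any(pkt.proto == p and lo <= pkt.dst_port <= hi for p, lo, hi in SERVICE_GROUPS[group])

def in_schedule(when, name):
    if name == "Always":
        return True
    days, ranges = SCHEDULES[name]
    hm = (when.hour, when.minute)
    return when.weekday() in days and any(s <= hm < e for s, e in ranges)

def matches(rule, pkt):
    return (in_schedule(pkt.when, rule.schedule)
            and in_address_group(pkt.src_ip, rule.src)
            and in_address_group(pkt.dst_ip, rule.dst)
            and in_service_group(pkt, rule.service))

def evaluate(acl, pkt):
    """First match wins; `acl` is the list exactly as displayed, top to bottom.
    The fall-through branch is the manual's "no match, drop" case; it is only
    reached if the list is modelled without the system rule pass at the bottom."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.rule_id
    return "Deny", "(no match)"

# Example One's rules in creation order, plus the system default rule pass.
RULE1 = Rule("1", "Allow", "work", "TD_FD", "Any Address", "WEB_FTP")
RULE2 = Rule("2", "Deny", "work", "TD_FD", "Any Address", "Any Service")
PASS = Rule("pass", "Allow")

def acl_as_created(*rules_in_creation_order, default_pass=PASS):
    """The list the Device shows by default: newest rule first, pass at the bottom."""
    return list(reversed(rules_in_creation_order)) + [default_pass]

def acl_intended(*rules_top_to_bottom, default_pass=PASS):
    """The list after using Move to put the specific Allow above the broad Deny."""
    return list(rules_top_to_bottom) + [default_pass]

WORK_HOURS = datetime(2024, 6, 5, 10, 30)   # a Wednesday, inside the work schedule (assumed date)
WEEKEND = datetime(2024, 6, 8, 10, 30)      # the following Saturday

def demo():
    tech_web = Packet("192.168.20.5", "203.0.113.10", "tcp", 80, WORK_HOURS)
    tech_smtp = Packet("192.168.20.5", "203.0.113.10", "tcp", 25, WORK_HOURS)
    sales_smtp = Packet("192.168.20.80", "203.0.113.10", "tcp", 25, WORK_HOURS)
    tech_web_sat = Packet("192.168.20.5", "203.0.113.10", "tcp", 80, WEEKEND)
    intended, as_created = acl_intended(RULE1, RULE2), acl_as_created(RULE1, RULE2)
    default_deny = acl_intended(RULE1, RULE2, default_pass=Rule("pass", "Deny"))
    return {
        "intended/tech web":   evaluate(intended, tech_web),      # Allow by rule 1
        "intended/tech smtp":  evaluate(intended, tech_smtp),     # Deny by rule 2
        "intended/sales smtp": evaluate(intended, sales_smtp),    # Allow by pass
        "intended/sat web":    evaluate(intended, tech_web_sat),  # Allow by pass (schedule not in effect)
        "as-created/tech web": evaluate(as_created, tech_web),    # Deny by rule 2: rule 1 never reached
        "default-deny/sales":  evaluate(default_deny, sales_smtp),  # Deny by pass
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

The as-created case is the reason the Analysis above tells you to move rule 1 above rule 2; the default-deny case is what you get after changing the Action of the pass rule, which is the only change the Device allows on that rule.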

12.3.5.2 Example Two

1. Requirements

A company uses the Device as a network access device. The requirements are as follows:


1) Block an outside user with IP address 202.106.11.22 from maliciously attacking a LAN user with IP address 200.200.200.251;

2) Block all the LAN users from accessing websites which contain illegal content. Here we take pornography as the example.

2. Analysis

We need to create two access control rules to meet the requirements:

Rule 1: It is used to protect the LAN user with IP address 200.200.200.251 against the outside IP address 202.106.11.22. Because access control rules are applied to packets received on the Device's LAN interface (section 12.3.1.2), the rule is written with the LAN user as Source and the outside address as Destination: it drops everything the LAN host sends towards 202.106.11.22, including replies to that host. It does not inspect packets arriving on the WAN interface.

Rule 2: It is used to block all the LAN users from accessing websites which contain pornography.

3. Configuration Procedure

1 ) Configuring Access Control Rule 1

Step 1 Go to the Security > Address Group > Address Group Settings page to configure two address groups, one for the LAN user and one for the outside user, see the following two figures: one includes the single IP address 200.200.200.251, the other includes the single IP address 202.106.11.22. Here we assume their names are Inside and Outside respectively.

Figure 12-19 The Address Group of Inside Settings - Example 2


Figure 12-20 The Address Group of Outside Settings - Example 2

Step 2 Go to the Security > Firewall > ACL Settings page to configure rule 1, see Figure 12-21: select Deny from the Action , select Always from the Schedule , select Inside from the Source Address Group drop-down list, select Outside from the Destination Address Group drop-down list, and select Any Service from the Service Group drop-down list, lastly click the Save button to save the settings.


Figure 12-21 The Access Control Rule 1 Settings - Example 2

2 ) Configuring Access Control Rule 2

Step 1 Go to the Security > Service Group page, enter Pornography in the Name text box, select Keyword from the Service Type drop-down list, select the New radio button, enter pornography in the Keyword text box, and then click ==> to move the specified keyword to the Service Members list box, lastly click the Save button.


Figure 12-22 The Access Control Rule 2 Settings - Example 2

Step 2 Go to the Security > Firewall > ACL Settings page to create rule 2, see Figure 12-23: select Deny from the Action , select Always from the Schedule , select Any Address from the Source Address Group drop-down list, select Any Address from the Destination Address Group drop-down list, and select Pornography from the Service Group drop-down list, lastly click the Save button to save the settings.


Figure 12-23 The Access Control Rule 2 Settings - Example 2

3 ) Enabling Access Control

You should enable access control feature to make the configured access control rules take effect, see Figure 12-24.

Figure 12-24 Enable Access Control - Example 2


12.4 Domain Filtering

This section describes the Security > Domain Filtering page.

12.4.1 Domain Filtering Settings

Figure 12-25 Domain Filtering Settings

 Enable Domain Filtering: It allows you to enable or disable domain filtering. If you select the check box to enable domain filtering, the configured domain filtering entries will take effect. Else, the domain filtering entries will be of no effect.

 Filtering Mode: It specifies the mode of domain filtering. There are two available options:

● Only Block Domain Names in Domain Name List: It indicates that the Device will block the LAN users from accessing the domain names in the Domain Name list , but allow the users to access any other domain names.

● Only Allow Domain Names in Domain Name List: It indicates that the Device will allow the LAN users to access the domain names in the Domain Name list , but block the users from accessing any other domain names.

 Domain Name List: It specifies the domain names that will be blocked or allowed according to the Filtering Mode . You can create up to 100 domain names in the list.

 Save: Click it to save the domain filtering settings.

Note

1. Domain filtering uses whole-word matching: a requested domain name is blocked or allowed according to the Filtering Mode only if it matches an entry in the Domain Name List exactly. An entry such as example.net therefore does not cover www.example.net.

2. You can use the wildcard "*" in a domain name to match multiple domain names. For example, if you create www.163.* in the Domain Name List , all the domain names that begin with www.163. are blocked or allowed according to the Filtering Mode .
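The whole-word and wildcard matching rules in the note above, as an added Python model that is not the Device's code. The class, the 100-entry check and the sample names are assumptions; the manual only shows "*" at the end of a name, so treating it as matching any run of characters wherever it appears is also an assumption. The last cases show the practical consequence of the "begins with" semantics: a trailing wildcard used in Only Allow mode admits every name with that prefix, not just the site you had in mind.

```python
import re

MAX_ENTRIES = 100  # limit stated for the Domain Name List

def compile_entry(entry):
    """Turn one Domain Name List entry into an anchored pattern.

    A literal entry matches only the whole domain name. Each "*" matches any run
    of characters, so www.163.* matches every name that begins with www.163. ;
    the position-independent treatment of "*" is an assumption of this model."""
    pattern = ".*".join(re.escape(part) for part in entry.lower().split("*"))
    return re.compile(rf"^{pattern}$")

class DomainFilter:
    def __init__(self, mode, entries, enabled=True):
        if mode not in ("block", "allow"):
            raise ValueError("mode must be 'block' (Only Block ...) or 'allow' (Only Allow ...)")
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"the Domain Name List holds at most {MAX_ENTRIES} entries")
        self.mode, self.enabled = mode, enabled
        self.entries = [(e, compile_entry(e)) for e in entries]

    def listed(self, domain):
        """Return the first list entry that covers `domain`, or None."""
        d = domain.lower().rstrip(".")   # tolerate a trailing dot on fully qualified names
        return next((e for e, rx in self.entries if rx.match(d)), None)

    def decide(self, domain):
        """'block' or 'allow' for one requested domain name, per the Filtering Mode."""
        if not self.enabled:
            return "allow"
        hit = self.listed(domain)
        if self.mode == "block":
            return "block" if hit else "allow"
        return "allow" if hit else "block"

# Constructed sample: a block list and an allow list with the manual's wildcard entry.
BLOCK_LIST = DomainFilter("block", ["www.163.*", "example.net"])
ALLOW_LIST = DomainFilter("allow", ["www.163.*"])

if __name__ == "__main__":
    for name in ("www.163.com", "mail.163.com", "example.net", "sub.example.net"):
        print(f"block list  {name:32} -> {BLOCK_LIST.decide(name)}")
    for name in ("www.163.com", "www.example.com", "www.163.com.attacker.example"):
        print(f"allow list  {name:32} -> {ALLOW_LIST.decide(name)}")
```

With an allow list, prefer exact names over wildcards where you can; with a block list, remember that each subdomain you want covered needs its own entry or a wildcard that covers it.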

12.4.2 Domain Blocking Notice

This section describes the Security > Domain Filtering > Domain Blocking Notice page.

When domain blocking notice is enabled, if a LAN user accesses a domain name which is blocked by the Device, the Device will pop up a notice message to remind the user that the website is blocked rather than network problems.


Figure 12-26 Domain Blocking Notice

 Enable Domain Blocking Notice: It allows you to enable or disable domain blocking notice. If you want to enable domain blocking notice, please select this check box. In this case, if a LAN user accesses a domain name which is blocked by the Device, the Device pops up a notice message to remind the user, and the requested web page automatically jumps to the specified web page (set by the Redirecting URL ) after the specified time interval (set by the Redirecting Time ).

 Notice Title: It specifies the title of the notice message.

 Redirecting Time: It specifies the time interval after which the requested web page will jump to the specified web page. 0 means that the requested web page will immediately jump to the specified web page. Leave it blank if you don’t want the requested web page to jump to any other web page.

 Signature: It specifies the signature of the notice message.

 Redirecting URL: It specifies the redirecting URL to which the requested web page will jump. Leave it blank if you don’t want the requested web page to jump to any other web page.


 Notice Content: It specifies the content of the notice message.

 Save: Click it to save domain blocking notice settings.

 Preview: Click it to preview the notice message you just configured. The following figure shows an example of a notice message.

Figure 12-27 Domain Name Blocking Notice Preview

Note

The Device pops up the domain blocking notice message to the LAN users only after you have enabled domain filtering and chosen Only Block Domain Names in Domain Name List as the filtering mode.

12.5 NAT Session Limit

This section describes the Security > NAT Session Limit page.

The NAT session limit feature allows you to limit the maximum number of concurrent NAT sessions based on the LAN hosts. And it allows you to specify different maximum NAT sessions for different LAN hosts. Furthermore, it allows you to limit the maximum number of concurrent TCP sessions, UDP sessions and ICMP sessions respectively.


12.5.1 NAT Session Limit Rule Settings

Figure 12-28 NAT Session Limit Rule Settings

 IP Addresses and To: They specify the start IP address and end IP address of the LAN hosts to which the NAT session limit rule applies. Please enter the start IP address in the first text box, and the end IP address in the second text box. The Device provides a default NAT session limit rule. Its start IP address and end IP address are both 0.0.0.0, which means that the default rule applies to all IP addresses. You can modify its parameters except IP Addresses , but cannot delete it.

 Max. Sessions: It specifies the maximum number of concurrent sessions per restricted host.

 Max. TCP Sessions: It specifies the maximum number of concurrent TCP sessions per restricted host.

 Max. UDP Sessions: It specifies the maximum number of concurrent UDP sessions per restricted host.

 Max. ICMP Sessions: It specifies the maximum number of concurrent ICMP sessions per restricted host.

 Description: It specifies the description of the NAT session limit rule.

 Save: Click it to save the NAT session limit rule settings.

Note


1. When the NAT session limit function is in use, the Device searches the Session Limit List for a rule that matches a LAN host. It checks the host's IP address against each rule in the order in which the rules are listed. After a match is found, no further rules are checked. Note that the rules are listed in reverse chronological order of creation, so the most recently created rule is listed at the top.

2. The start IP address should be less than or equal to the end IP address. The address ranges of different NAT session limit rules can overlap.

3. If the performance of some applications (such as online games) is degraded by the maximum NAT session limit, you can raise the Max. Sessions and Max. TCP Sessions (or Max. UDP Sessions ) moderately. Note that if they are set too large, the Device's ability to contain DDoS attacks and session floods from a single LAN host (for example, a worm-infected PC) is reduced or lost.

4. In most cases, to ensure that the LAN users can surf the Internet normally, the maximum NAT sessions cannot be too small. It is suggested that both Max. Sessions and Max. TCP Sessions be 100 or more, Max. UDP Sessions be 50 or more, and Max. ICMP Sessions be 10 or more.
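The per-host session caps and the first-match lookup described in the notes above, as an added Python model that is not the Device's code. The class and function names, the limit values and the addresses are assumptions; the default rule with 0.0.0.0 as both addresses is modelled as stated in 12.5.1. The example counts live sessions per host and protocol, enforces both the per-protocol cap and the overall Max. Sessions cap, and shows what happens when a specific rule for one host is created before a broader rule that overlaps it.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class LimitRule:
    start: str
    end: str
    max_sessions: int
    max_tcp: int
    max_udp: int
    max_icmp: int
    enabled: bool = True
    description: str = ""

    def covers(self, ip):
        if self.start == "0.0.0.0" and self.end == "0.0.0.0":
            return True                      # the default rule applies to every address
        return IPv4Address(self.start) <= IPv4Address(ip) <= IPv4Address(self.end)

    def cap(self, proto):
        return {"tcp": self.max_tcp, "udp": self.max_udp, "icmp": self.max_icmp}[proto]

# Assumed values for the Device's default rule (the manual gives only its 0.0.0.0 addresses).
DEFAULT_RULE = LimitRule("0.0.0.0", "0.0.0.0", 300, 200, 100, 20, description="default")

class SessionLimiter:
    def __init__(self, user_rules_in_creation_order, default=DEFAULT_RULE):
        # Displayed order: newest user rule first; the default rule exists before any
        # user rule, so it sits at the bottom and only catches hosts no other rule covers.
        self.rules = list(reversed(user_rules_in_creation_order)) + [default]
        self.active = Counter()              # (host ip, proto) -> live NAT sessions

    def rule_for(self, ip):
        """First enabled rule whose range covers the host (first match wins)."""
        return next(r for r in self.rules if r.enabled and r.covers(ip))

    def open_session(self, ip, proto):
        """Admit a new NAT session for `ip`, or refuse it; returns True when admitted."""
        rule = self.rule_for(ip)
        total = sum(n for (host, _), n in self.active.items() if host == ip)
        if total >= rule.max_sessions or self.active[(ip, proto)] >= rule.cap(proto):
            return False
        self.active[(ip, proto)] += 1
        return True

    def close_session(self, ip, proto):
        if self.active[(ip, proto)] > 0:
            self.active[(ip, proto)] -= 1

def flood(limiter, ip, proto, attempts):
    """Try to open `attempts` sessions in a burst (worm-like); return how many were admitted."""
    return sum(limiter.open_session(ip, proto) for _ in range(attempts))

# Constructed rules: a broad office range, then one host that needs more TCP sessions.
OFFICE = LimitRule("192.168.20.2", "192.168.20.100", 150, 100, 50, 10, description="office hosts")
GAME_PC = LimitRule("192.168.20.50", "192.168.20.50", 400, 300, 100, 10, description="game PC")

if __name__ == "__main__":
    lim = SessionLimiter([OFFICE, GAME_PC])          # GAME_PC created last, so listed first
    print("office host tcp :", flood(lim, "192.168.20.5", "tcp", 500))    # capped at 100
    print("office host udp :", flood(lim, "192.168.20.5", "udp", 500))    # 50, total now 150
    print("office host icmp:", flood(lim, "192.168.20.5", "icmp", 5))     # 0: Max. Sessions reached
    print("game pc tcp     :", flood(lim, "192.168.20.50", "tcp", 500))   # 300 via GAME_PC
    print("other host tcp  :", flood(lim, "10.0.0.9", "tcp", 500))        # 200 via default rule
    wrong = SessionLimiter([GAME_PC, OFFICE])        # OFFICE created last, now shadows GAME_PC
    print("game pc, wrong order:", flood(wrong, "192.168.20.50", "tcp", 500))  # only 100
```

The wrong-order case is why note 1 matters when ranges overlap (note 2 allows that): the more specific rule must be the newer one, or it is never reached.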

12.5.2 NAT Session Limit Rule List

Figure 12-29 NAT Session Limit Rule List

 Add a NAT Session Limit Rule: If you want to add a new NAT session limit rule, click the New button or select the Session Limit Settings tab to go to the setup page, configure the rule, and lastly click the Save button.

 Enable a NAT Session Limit Rule: The Enable check box is used to enable or disable the corresponding NAT session limit rule. The default value is selected, which means the NAT session limit rule is in effect. If you want to disable the NAT session limit rule temporarily instead of deleting it, please click it to remove the check mark.

 View NAT Session Limit Rule(s): When you have configured some NAT session limit rules, you can view them in the Session Limit List .

 Edit a NAT Session Limit Rule: If you want to modify a configured NAT session limit rule, click its Edit hyperlink, the related information will be displayed in the setup page.

Then modify it, and click the Save button.

 Delete NAT Session Limit Rule(s): If you want to delete one or more NAT session limit rules, select the leftmost check boxes of them, and then click the Delete button.


12.6 Address Group

This section describes the Security > Address Group page.

12.6.1 Introduction to Address Group

An address group can contain up to ten address members. A member may be an address range or address group. And an address group may contain address ranges only, or address groups only, or both.

If you want to create an access control rule (in the Security > Firewall page) whose destination or source IP addresses are discontinuous, you can first create an address group for them in this page, and then reference it in the access control rule. When receiving a packet, if the packet's destination or source IP address belongs to the address group, the Device considers that its IP address matches the access control rule. And if the packet also matches the other criteria (protocol type, destination ports, schedule, etc.) of the access control rule, the Device considers that the packet matches the rule.

Using address groups can facilitate the configuration of access control rules. For example, if some LAN hosts’ IP addresses are discontinuous, but the hosts have the same privileges of accessing the Internet, you can create an address group for these hosts.

Then you only need to create one access control rule that references the address group. Otherwise you need to create multiple access control rules for these hosts.

Similarly, you can also reference an address group in a rate limit rule in the QoS > Rate Limit Rule page.


12.6.2 Address Group Settings

Figure 12-30 Address Group Settings

 Name: It specifies a unique name of the address group. It should be between 1 and 11 characters long.

 Zone: It specifies a network zone to which the address group belongs.

 New: Select it to add a new address range to the group.

 Existing: Select it to display the configured address groups.

 Address Members: It displays the members of the address group. A member may be an address range or address group.

 ==>: Click it to move the new address range or the selected address group(s) to the Address Members list.

 <==: Click it to move the selected address member from the Address Members list box to the left editable list.

 Delete: Click it to delete the selected address member from the Address Members list box.

 Save: Click it to save the address group settings.

Note

1. The Name of an address group is case insensitive. For example, the address groups test and TEST are the same group. Pay attention to this when creating an address group.

2. If an address group (e.g., group A) has already included another address group (e.g., group B), then the address group A cannot be added to any other address group.
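The constraints stated in this section (1 to 11 character names, case-insensitive names, at most ten members, ranges or groups as members, and only one level of nesting), as an added Python model that is not the Device's code. The class and function names and the sample groups are assumptions; the group contents are those of Example One in section 12.3.5.1. The model also flattens a nested group into its address ranges, which is how an access control rule ends up testing a packet's address against it.

```python
from ipaddress import IPv4Address

class AddressGroupStore:
    """Models the Security > Address Group rules: members are (start, end) ranges
    or the name of an existing group; a group that already nests a group cannot
    itself be nested; names are unique ignoring case."""
    MAX_MEMBERS = 10

    def __init__(self):
        self.groups = {}                          # lower-cased name -> list of members

    def create(self, name, members):
        key = name.lower()                        # test and TEST are the same group
        if not 1 <= len(name) <= 11:
            raise ValueError("name must be 1 to 11 characters long")
        if key in self.groups:
            raise ValueError(f"group {name!r} already exists (names are case insensitive)")
        if len(members) > self.MAX_MEMBERS:
            raise ValueError(f"an address group holds at most {self.MAX_MEMBERS} members")
        for m in members:
            if isinstance(m, str):                # nested group, referenced by name
                inner = self.groups.get(m.lower())
                if inner is None:
                    raise ValueError(f"unknown group {m!r}")
                if any(isinstance(x, str) for x in inner):
                    raise ValueError(f"{m!r} already contains a group and cannot be nested again")
            else:                                 # (start, end) address range
                lo, hi = m
                if IPv4Address(lo) > IPv4Address(hi):
                    raise ValueError(f"start address {lo} is above end address {hi}")
        self.groups[key] = list(members)

    def ranges(self, name):
        """Flatten a group into its address ranges (at most one level of nesting)."""
        out = []
        for m in self.groups[name.lower()]:
            out.extend(self.ranges(m) if isinstance(m, str) else [m])
        return out

    def contains(self, name, ip):
        """Would a packet with this source or destination address match the group?"""
        a = IPv4Address(ip)
        return any(IPv4Address(lo) <= a <= IPv4Address(hi) for lo, hi in self.ranges(name))

def attempt(store, name, members):
    """Create a group and return None, or the error message the store rejects it with."""
    try:
        store.create(name, members)
        return None
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    store = AddressGroupStore()
    store.create("TD", [("192.168.20.2", "192.168.20.30")])      # Technology Department
    store.create("FD", [("192.168.20.61", "192.168.20.70")])     # Financial Department
    store.create("TD_FD", ["TD", "FD"])                          # the group Example One references
    print("TD_FD ranges:", store.ranges("TD_FD"))
    print("192.168.20.65 in TD_FD:", store.contains("TD_FD", "192.168.20.65"))
    print("duplicate name:", attempt(store, "td", [("10.0.0.1", "10.0.0.9")]))
    print("second nesting level:", attempt(store, "ALL", ["TD_FD"]))
```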

12.6.3 Address Group List

Figure 12-31 Address Group List

 Add an Address Group: If you want to add a new address group, click the New button or select the Address Group Settings tab to go to the setup page, and then configure it, lastly click the Save button.

 View Address Group(s): When you have configured some address groups, you can view them in the Address Group List .

 Edit an Address Group: If you want to modify a configured address group, click its Edit hyperlink; the related information is displayed in the setup page. Then modify it, and click the Save button.

 Delete Address Group(s): If you want to delete one or more address groups, select the leftmost check boxes of them, and then click the Delete button.

Note


You cannot delete an address group which is referenced by the access control rule in the Security > Firewall page or rate limit rule in the QoS > Rate Limit Rule page. If you actually want to delete it, please remove all the references firstly.

12.6.4 How to Add the Address Groups

If you want to add one or more address groups, do the following:

Step 1 Go to the Security > Address Group page, and then click the New button or select the Address Group Settings tab to go to the setup page.

Step 2 Specify the Name of the address group.

Step 3 Select the network zone from the Zone drop-down list.

Step 4 Add IP addresses to the group. There are two methods to add them.

1) Method One: Select the New radio button, enter the start and end IP addresses in the Start Address and End Address text boxes, and then click ==> to move the new address range to the Address Members list box. You can continue to add another address ranges if needed.

2) Method Two: Select the Existing radio button, select one or more configured address groups, and then click ==> to move the selected address groups to the Address Members list box.

Step 5 Click the Save button to save the settings. You can view the address group in the Address Group List .

Step 6 If you want to add another new address group, please repeat the above steps.

12.6.5 How to Edit an Address Group

If you want to modify a configured address group, do the following:

Step 1 Go to the Security > Address Group page.

Step 2 Click the Edit hyperlink of the address group in the Address Group List to go to the setup page.

Step 3 Modify the address members as required. There are two cases:


1) If you want to modify an address range, select the address range in the Address Members list, click <== to move it from the Address Members list box to the left editable list, modify the Start Address and/or End Address , and lastly click ==> to move the modified address range back to the Address Members list box.

2) If you want to delete an address member, select the member in the Address Members list box, and then click the Delete button.

Step 4 Click the Save button to save the changes to make them take effect.


12.7 Service Group

This section describes Security > Service Group page.

12.7.1 Introduction to Service Group

The Device provides five service types for service groups: General Service, URL, Keyword, DNS and MAC address. Service groups are then used to match the protocol type (TCP, UDP or ICMP), port number, content or source MAC address of the packets received by the Device. For each service type, you can define new services, or select existing services or service groups, and add them to the service group. A service group can contain up to ten service members. A member may be a service or a service group, and a service group may contain services only, service groups only, or both.

If you want to create an access control rule in the Security > Firewall page, you can first create a service group on this page, and then reference it in the access control rule.

Using service groups can simplify the configuration of access control rules. For example, you can add the telnet, pop3 and http services to a service group, and then create one rule that uses the service group to control access to these services. Otherwise, you would need to create multiple access control rules for these services, one rule per service.

Similarly, you can also reference a service group whose Service Type is General Service in a rate limit rule in the QoS > Rate Limit Rule page.


12.7.2 Service Group Settings

Figure 12-32 Service Group Settings

● Name: It specifies a unique name of the service group. It should be between 1 and 11 characters long.

● Service Type: It specifies the service type of the service group. The Device provides five service types, which include General Service, URL, Keyword, DNS and MAC.

● General Service: It is used to match the source port, destination port and protocol type of the packets.

● URL: It is used for URL filtering to control the LAN users’ access to the specified URLs or web sites.

● Keyword: It is used for keyword filtering to block the web sites which contain the specified keywords.

● DNS: It is used for DNS request filtering to allow or block the DNS requests for the specified domain names.

● MAC: It is used for source MAC address filtering to allow or block the packets with the specified source MAC address.


● New: Select it to add a new service to the group. For different Service Types, you need to configure different parameters.

● Existing: Select it to display the service groups that you have configured. If you select General Service from the Service Type drop-down list, it will also display the system predefined services here. The Device provides 38 predefined services.

● Service Members: It displays the members of the service group. A member may be a user-defined service, a predefined service or a service group.

● ==>: Click it to move the new user-defined service or selected existing service(s) to the Service Members list box.

● <==: Click it to move the selected service member from the Service Members list box to the left editable list.

● Delete: Click it to delete the selected service member from the Service Members list box.

● Save: Click it to save the service group settings.

Note

1. A service group can contain up to ten service members.

2. The Name of a service group is case insensitive. For example, the service groups test and TEST are the same group. Keep this in mind when creating a service group.

3. If a service group (e.g., group A) already includes another service group (e.g., group B), then group A cannot be added to any other service group.
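The member rules in the Note above and the protocol/port match described in 12.7.1, modelled as an added Python example that is not the Device's firmware or any Digicom code; the service and group names are constructed for the example, and matching ICMP on protocol alone is an assumption:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# Added example (not Device firmware): service groups of type General Service
# with the Note's constraints: at most ten members, case-insensitive names,
# and a group that already contains a group cannot be nested again.


@dataclass(frozen=True)
class GeneralService:
    """A General Service matches protocol, source port and destination port."""
    name: str
    protocol: str                            # "TCP", "UDP" or "ICMP"
    dst_ports: Tuple[int, int] = (1, 65535)  # inclusive destination port range
    src_ports: Tuple[int, int] = (1, 65535)  # inclusive source port range

    def matches(self, protocol: str, src_port: int, dst_port: int) -> bool:
        if protocol != self.protocol:
            return False
        if protocol == "ICMP":  # assumption: ICMP has no ports, match on protocol only
            return True
        return (self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])


class ServiceGroup:
    MAX_MEMBERS = 10  # "A service group can contain up to ten service members"

    def __init__(self, name: str):
        if not 1 <= len(name) <= 11:
            raise ValueError("Name must be 1 to 11 characters long")
        self.name = name
        self.members: List[Union[GeneralService, "ServiceGroup"]] = []

    def contains_group(self) -> bool:
        return any(isinstance(m, ServiceGroup) for m in self.members)

    def add(self, member: Union[GeneralService, "ServiceGroup"]) -> None:
        if len(self.members) >= self.MAX_MEMBERS:
            raise ValueError(f"{self.name}: at most {self.MAX_MEMBERS} members")
        if isinstance(member, ServiceGroup):
            if member is self:
                raise ValueError("a group cannot contain itself")
            if member.contains_group():
                # Note 3: group A, which already includes group B, cannot be
                # added to any other group. This also bounds nesting to one level.
                raise ValueError(f"{member.name} already contains a group")
        self.members.append(member)

    def matches(self, protocol: str, src_port: int, dst_port: int) -> bool:
        """A packet matches the group if any member (service or nested group) matches."""
        return any(m.matches(protocol, src_port, dst_port) for m in self.members)


class ServiceGroupTable:
    """Group names are case insensitive: 'test' and 'TEST' are the same group."""

    def __init__(self) -> None:
        self._groups: Dict[str, ServiceGroup] = {}

    def create(self, name: str) -> ServiceGroup:
        key = name.lower()
        if key in self._groups:
            raise ValueError(f"group {self._groups[key].name!r} already exists")
        group = ServiceGroup(name)
        self._groups[key] = group
        return group

    def get(self, name: str) -> ServiceGroup:
        return self._groups[name.lower()]


# Services constructed for the example, shaped like the predefined services.
TELNET = GeneralService("telnet", "TCP", (23, 23))
POP3 = GeneralService("pop3", "TCP", (110, 110))
HTTP = GeneralService("http", "TCP", (80, 80))
DNS = GeneralService("dns", "UDP", (53, 53))


def build_example_table() -> ServiceGroupTable:
    """mail_web holds the telnet, pop3 and http services from 12.7.1;
    office holds that group plus a service, so office itself cannot be nested."""
    table = ServiceGroupTable()
    mail_web = table.create("mail_web")
    for service in (TELNET, POP3, HTTP):
        mail_web.add(service)
    office = table.create("office")
    office.add(mail_web)
    office.add(DNS)
    return table


def violates(action: Callable[[], object]) -> bool:
    """True when the action is rejected by one of the service-group rules."""
    try:
        action()
    except ValueError:
        return True
    return False
```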


12.7.3 Service Group List

Figure 12-33 Service Group List

● Add a Service Group: If you want to add a new service group, click the New button or select the Service Group Settings tab to go to the setup page, and then configure it, lastly click the Save button.

● View Service Group(s): When you have configured some service groups, you can view them in the Service Group List.

● Edit a Service Group: If you want to modify a configured service group, click its Edit hyperlink, and the related information will be displayed in the setup page. Then modify it, and click the Save button.

● Delete Service Group(s): If you want to delete one or more service groups, select the leftmost check boxes of them, and then click the Delete button.

Note

You cannot delete a service group which is referenced by an access control rule in the Security > Firewall page or by a rate limit rule in the QoS > Rate Limit Rule page. If you do want to delete it, please remove all the references first.


12.7.4 How to Add the Service Groups

If you want to add one or more service groups, do the following:

Step 1 Go to the Security > Service Group page, and then click the New button or select the Service Group Settings tab to go to the setup page.

Step 2 Specify the Name of the service group.

Step 3 Select the type from the Service Type drop-down list.

Step 4 Add services to the group. There are two methods to add them.

1) Method One: Select the New radio button, add a new service as required, and then click ==> to move the new service to the Service Members list box. You can continue to add other services if needed.

2) Method Two: Select the Existing radio button, select one or more existing services, and then click ==> to move the selected services to the Service Members list box.

Step 5 Click the Save button to save the settings. You can view the service group in the Service Group List.

Step 6 If you want to add another new service group, please repeat the above steps.

12.7.5 How to Edit a Service Group

If you want to modify a configured service group, do the following:

Step 1 Go to the Security > Service Group page.

Step 2 Click the Edit hyperlink of the group in the Service Group List to go to the setup page.

Step 3 Modify the service members as required. There are two cases:

1) If you want to modify a user-defined service, select the service in the Service Members list, click <== to move it from the Service Members list to the left editable list box, and then modify it, lastly click ==> to move the modified service to the Service Members list box again.

2) If you want to delete a service member, select the member in the Service Members list box, and then click the Delete button.

Step 4 Click the Save button to save the changes to make them take effect.


12.8 Schedule

This section describes the Security > Schedule page.

12.8.1 Introduction to Schedule

The schedule feature lets you define schedules that can be applied to various time-related features, e.g., dial schedule, rate limit rule, access control rule, etc. A schedule is identified by a name and then referenced by a function, so that its time restrictions are imposed on that function.

A schedule consists of a start date, an end date, and optional time periods (up to eight).

The Start Date and End Date specify when the schedule begins and ends. Outside the specified date range, the schedule has no effect. If both of them are set to 1990-1-1, the schedule is in effect forever. The time periods (Period 1-8) further constrain the active time by days of the week, daily start time and daily end time.

Note

To ensure that the schedules take effect at the desired time, you should synchronize the system clock in the System > Time page.


12.8.2 Schedule Settings

Figure 12-34 Schedule Settings

● Schedule Name: It specifies a unique name of the schedule. It should be between 1 and 11 characters long.

● Start Date and End Date: They specify when the schedule begins and ends. Outside the specified date range, the schedule has no effect. The date is in the range of 1989-1-1 through 2050-12-31. If you want the schedule to be in effect forever, set both Start Date and End Date to 1990-1-1. There are two methods to set them.

Directly enter a date: You can directly enter a date in the Start Date or End Date text box. The date should be entered in the format YYYY-MM-DD, for example, 2011-03-23 (or 2011-3-23). Therein, YYYY indicates a four-digit year, MM indicates a month of the year, and DD indicates a day of that month.

Select a Date from the Drop-down Calendar: You can also select a date from the drop-down calendar, see Figure 12-34. Click <Year and Year> to select the year, click <Month and Month> to select the month, and select a date directly from the calendar.

● Period 1 to Period 8: They specify further constraints of active time within the specified date range. It allows you to configure up to eight time periods for each schedule.

● Days of the Week: It specifies the day(s) of the week on which the schedule is active.


The available options are Everyday, Monday, Tuesday … Sunday, Weekdays (Mon-Fri) and Weekends (Sat-Sun).

● Daily Start Time and Daily End Time: They specify a daily start time and end time during which the schedule is active. The default values are 00:00:00 and 23:59:59 respectively. Note that the time should be entered in the format HH:MM:SS and is expressed in 24-hour clock. For example, 06:30:00 is 06:30:00 am and 18:30:00 is 06:30:00 pm.

● Save: Click it to save the schedule settings.

Note

A schedule that spans two days should be divided into two consecutive time periods. E.g., for a schedule from 8:00 p.m. to 5:00 a.m. the next day, you need to configure two time periods: one is 20:00:00~23:59:59, and the other is 00:00:00~05:00:00.

12.8.3 Schedule List

Figure 12-35 Schedule List

● Add a Schedule: If you want to add a new schedule, click the New button or select the Schedule Settings tab to go to the setup page, and then configure it, lastly click the Save button.

● View Schedule(s): When you have configured some schedules, you can view them in the Schedule List.


● Edit a Schedule: If you want to modify a configured schedule, click its Edit hyperlink, and the related information will be displayed in the setup page. Then modify it, and click the Save button.

● Delete Schedule(s): If you want to delete one or more schedules, select the leftmost check boxes of them, and then click the Delete button.

● View a Schedule’s Details: If you want to view the details of a configured schedule, click its Details hyperlink, and the schedule details page will be displayed (see Figure 12-36). Furthermore, if the schedule is referenced, the related information will be displayed too.

Figure 12-36 Schedule Details

12.8.4 How to Add the Schedules

If you want to add one or more schedules, do the following:

Step 1 Go to the Security > Schedule page, and then click the New button or select the Schedule Settings tab to go to the setup page.

Step 2 Specify the Schedule Name of the schedule.

Step 3 Specify the Start Date and End Date as required.

Step 4 Specify one or more periods as required.

Step 5 Click the Save button to save the settings. You can view the schedule in the Schedule List.

Step 6 If you want to add another new schedule, please repeat the above steps.


Note

If you want to delete one or more schedules, select the leftmost check boxes of them in the Schedule List , and then click the Delete button.

12.8.5 Configuration Example for Schedule

1. Requirements

In 2011, a business CEO wants to control online behavior of the sales department’s employees. He only allows them to access WEB service during working time, but allows them to access all the Internet services during rest periods. The working time is: Monday to Friday, 9:00 to 12:00 am, and 1:00 to 6:00 pm.

2. Analysis

As the sales department’s employees can only access the WEB service during working time, we need to create a schedule during which only the WEB service is accessible.

The details of the schedule are as follows:

● Schedule Name: Here we assume its name is work.

● Start Date: 2011-1-1

● End Date: 2011-12-31

● Period 1: Monday to Friday, 9:00:00 to 11:59:59

● Period 2: Monday to Friday, 13:00:00 to 17:59:59

3. Configuration Procedure

The configuration steps are the following:

Step 1 Go to the Security > Schedule page, and then click the New button or select the Schedule Settings tab to go to the setup page, see the following figure.


Figure 12-37 Schedule Settings Example

Step 2 Enter work in the Schedule Name text box.

Step 3 Enter 2011-1-1 in the Start Date , and enter 2011-12-31 in the End Date .

Step 4 Configure the two periods of the schedule respectively.

1) Configuring Period 1: Select Weekdays (Mon-Fri) from the Days of the Week drop-down list, enter 09:00:00 in the Daily Start Time, and enter 11:59:59 in the Daily End Time.

2) Configuring Period 2: Select Weekdays (Mon-Fri) from the Days of the Week drop-down list, enter 13:00:00 in the Daily Start Time, and enter 17:59:59 in the Daily End Time.

Step 5 Click the Save button to save the settings.

Now you have finished configuring the schedule work, and you can reference it in an access control rule. Please refer to section 12.3.5.1 for the detailed operation.
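The work schedule just configured, evaluated by an added Python example (not the Device's firmware or Digicom code) that models the schedule semantics of 12.8.2, including the 1990-1-1 forever sentinel and the two-period split the Note requires for a schedule that spans midnight; the helper names and the rule that a schedule without periods is active for its whole date range are assumptions:

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Tuple

# Added example (not Device firmware): a model of a ReOS schedule as 12.8.2
# describes it: Start Date / End Date (1990-1-1 on both means forever) and up
# to eight periods, each with Days of the Week and Daily Start/End Time.

FOREVER = date(1990, 1, 1)  # sentinel date used on both Start Date and End Date

# Days of the Week options of the Schedule Settings page, Monday=0 .. Sunday=6
DAY_OPTIONS = {
    "Everyday": {0, 1, 2, 3, 4, 5, 6},
    "Weekdays (Mon-Fri)": {0, 1, 2, 3, 4},
    "Weekends (Sat-Sun)": {5, 6},
    "Monday": {0}, "Tuesday": {1}, "Wednesday": {2}, "Thursday": {3},
    "Friday": {4}, "Saturday": {5}, "Sunday": {6},
}


def parse_date(text: str) -> date:
    """YYYY-MM-DD, accepting 2011-1-1 as well as 2011-01-01 like the Web UI."""
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def parse_time(text: str) -> time:
    """HH:MM:SS in 24-hour clock, e.g. 18:30:00 for 6:30 pm."""
    return datetime.strptime(text.strip(), "%H:%M:%S").time()


@dataclass(frozen=True)
class Period:
    days: str                      # one of the DAY_OPTIONS keys
    start: time = time(0, 0, 0)    # Daily Start Time, default 00:00:00
    end: time = time(23, 59, 59)   # Daily End Time, default 23:59:59

    def __post_init__(self) -> None:
        if self.days not in DAY_OPTIONS:
            raise ValueError(f"unknown Days of the Week option: {self.days!r}")
        if self.end < self.start:
            raise ValueError("a period that crosses midnight must be split in two")

    def covers(self, at: datetime) -> bool:
        return at.weekday() in DAY_OPTIONS[self.days] and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class Schedule:
    name: str
    start_date: date
    end_date: date
    periods: Tuple[Period, ...] = ()

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= 11:
            raise ValueError("Schedule Name must be 1 to 11 characters long")
        if len(self.periods) > 8:
            raise ValueError("a schedule holds at most eight periods")

    def is_forever(self) -> bool:
        return self.start_date == FOREVER and self.end_date == FOREVER

    def is_active(self, at: datetime) -> bool:
        """Inside the date range and, if periods exist, inside one of them.
        Assumption: a schedule with no periods covers its whole date range."""
        if not self.is_forever() and not (self.start_date <= at.date() <= self.end_date):
            return False
        return not self.periods or any(p.covers(at) for p in self.periods)


def split_overnight(days: str, start: str, end: str) -> List[Period]:
    """Turn 20:00:00..05:00:00 into the two consecutive periods the Note requires.
    Assumption: the second period keeps the same Days of the Week option."""
    s, e = parse_time(start), parse_time(end)
    if e >= s:
        return [Period(days, s, e)]
    return [Period(days, s, time(23, 59, 59)), Period(days, time(0, 0, 0), e)]


def active_at(schedule: Schedule, stamp: str) -> bool:
    """Evaluate a schedule at 'YYYY-MM-DD HH:MM:SS'."""
    return schedule.is_active(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))


# The schedule from the 12.8.5 configuration example, entered as in the Web UI.
WORK = Schedule("work", parse_date("2011-1-1"), parse_date("2011-12-31"), (
    Period("Weekdays (Mon-Fri)", parse_time("09:00:00"), parse_time("11:59:59")),
    Period("Weekdays (Mon-Fri)", parse_time("13:00:00"), parse_time("17:59:59")),
))

# The Note's 8 p.m. to 5 a.m. case, valid forever via the 1990-1-1 sentinel.
NIGHT = Schedule("night", FOREVER, FOREVER,
                 tuple(split_overnight("Everyday", "20:00:00", "05:00:00")))

if __name__ == "__main__":
    for stamp in ("2011-03-23 10:00:00", "2011-03-23 12:30:00", "2011-03-26 10:00:00"):
        print(stamp, "active" if active_at(WORK, stamp) else "inactive")
```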


Chapter 13 System

This chapter describes how to manage the Device, including how to configure administrator accounts, system time, remote admin, Web server, and how to upgrade firmware, backup and restore configuration, and restart the Device.

13.1 Administrator

In the System > Administrator page, you can add, view, modify and delete the administrator accounts.

13.1.1 Administrator Settings

Figure 13-1 Administrator Settings

● User Name: It specifies a unique login name of the administrator. It should be between 1 and 31 characters long.

● Password: It specifies a login password of the administrator.

● Confirm Password: You should re-enter the password.

● Privilege Group: It allows you to select the privilege group you want the administrator to have. Each type of privilege group has different privileges.

Read: It gives the administrator the ability to view the Device’s settings and status via the Web UI, except the Status > Session Monitor page. Note: This page will only display the current login administrator’s information, and only the password can be modified.

Execute: It gives the administrator the ability to view and configure the Device via the Web UI, except the Status > Session Monitor page. Note: This page will only display the current login administrator’s information, and only the password can be modified.

Admin: It gives the administrator the full administrative privileges to view and configure the Device via the Web UI.

● Save: Click it to save the administrator account settings.

Note

1. You can log in to the Device from multiple IP addresses concurrently with the same administrator user name. To avoid configuration conflicts, it is suggested that you configure the Device from one IP address at a time.

2. The default administrator user name is admin (case sensitive) with the password admin. To ensure security, it is strongly recommended that you change the default password and remember it.

3. Only an administrator who has Admin privileges can telnet to the Device.

13.1.2 Administrator List


Figure 13-2 Administrator List

● Add an Administrator Account: If you want to add a new administrator account, click the New button or select the Administrator Settings tab to go to the setup page, and then configure it, lastly click the Save button.

● View Administrator Account(s): When you have configured some administrator accounts, you can view them in the Administrator List.

● Edit an Administrator Account: If you want to modify a configured administrator account, click its Edit hyperlink, and the related information will be displayed in the setup page. Then modify it, and click the Save button.

● Delete Administrator Account(s): If you want to delete one or more administrator accounts, select the leftmost check boxes of them, and then click the Delete button.

Note

You cannot delete the default administrator account.

13.1.3 How to Add the Administrator Accounts

If you want to add one or more administrator accounts, do the following:

Step 1 Go to the System > Administrator page.

Step 2 Click the New button or select the Administrator Settings tab to go to the setup page, and then specify the User Name, Password, Confirm Password and Privilege Group as required.

Step 3 Specify the Privilege Group as required. If you choose Admin as the Privilege Group, you can use this administrator account to telnet to the Device.

Step 4 Click the Save button to save the settings. You can view the administrator account in the Administrator List .

Step 5 If you want to add another new administrator account, please repeat the above steps.

Note

If you want to delete one or more administrator accounts, select the leftmost check boxes of them in the Administrator List , and then click the Delete button.


13.2 System Time

In the System > Time page, you can view and configure the system time.

To ensure that the time-related functions (e.g., DDNS, Schedule) work well, you should set the right time on the Device.

You can manually configure the system time or enable SNTP (Synchronize with SNTP Server) to automatically synchronize the time from a designated SNTP server on the Internet.

Some models cannot keep the clock running when powered off; that is, the time resets to the default value. In this case, you need to choose SNTP to automatically synchronize the system time.

Figure 13-3 System Time - Enable SNTP

● Current System Time: It displays the Device’s current date (YYYY-MM-DD) and time (HH:MM:SS).

● Mode: It specifies the mode by which you set the system clock. The available options are SNTP and Manual.

SNTP: If you want the Device to automatically synchronize the system clock from a designated SNTP server on the Internet, select this option (see Figure 13-3).

Manual: If you want to set the date (YYYY-MM-DD) and time (HH:MM:SS) for the Device manually, select this option (see Figure 13-4).

● Time Zone: It specifies the time zone for your local time.

● SNTP Server 1 IP Address ~ SNTP Server 3 IP Address: It allows you to configure up to three SNTP servers on the Device. Server 1 is the primary server (the default value is 192.43.244.18), Server 2 is the first backup server (the default value is 129.6.15.28), and Server 3 is the second backup server (the default value is 0.0.0.0).

Figure 13-4 System Time - Set Time Manually

● Save: Click it to save the system time settings.

Note

To find an NTP server with which you can synchronize your Device, please refer to the Website: http://www.ntp.org/ .


13.3 Firmware Upgrade

In the System > Upgrade page, you can view the current firmware version information and upgrade the firmware.

13.3.1 Save Firmware

Figure 13-5 Save Firmware to Local PC

The following figure describes the firmware version details:

Figure 13-6 Firmware Version Details

● Backup Firmware to Local PC: Click the Save button to save the current running firmware to your local PC.

Note

The operation will save the Device’s current running firmware only, but it won’t save the current configuration file.


13.3.2 Firmware Upgrade

Figure 13-7 Upgrade Firmware

To upgrade the Device’s firmware, do the following:

Step 1 Download the Latest Firmware

Click the Download Firmware hyperlink to download the latest firmware from the website of Digicom S.p.A.

Note

1. Select the proper firmware that matches your product’s hardware platform.

2. It is recommended that you go to the System > Configuration page to back up the Device’s current configuration before upgrading.

Step 2 Choose the Firmware

Click the Browse button to choose the firmware file you want to upgrade to, or enter the file path and name in the Firmware File text box.

● Restart after Upgraded: After the upgrade, you have two options to apply the new firmware: select the Restart after Upgraded check box to let the Device restart itself automatically once upgraded, or restart the Device manually.

Step 3 Renew Firmware

Click the Upgrade button to renew the Device’s firmware.


Note

1. It is strongly recommended that you upgrade the firmware when the Device is under light load.

2. Upgrading the firmware in a timely manner gives the Device more functionality and better performance. A correct upgrade will not change the Device’s current settings.

3. The Device will take several minutes to upgrade its firmware. During this process, do not power off the Device or perform any other operation, to avoid damaging it.

13.4 Configuration

In the System > Configuration page, you can back up and restore configuration, and reset the Device to factory default settings.

13.4.1 Backup Configuration

Figure 13-8 Backup Configuration

● Backup: Click it to save the current configuration file to the local PC.

13.4.2 Restore Configuration


Figure 13-9 Restore Configuration

● Reset to Factory Defaults before Restore: If you select this check box, it will reset the Device to factory default settings before importing the configuration file; otherwise it imports the file directly.

● Configuration File: Click the Browse button to choose an appropriate configuration file or enter the file path and name in the text box.

● Restore: Click it to import the selected configuration file. It will overwrite the current configuration on the Device with the new configuration.

Note

To avoid unexpected error, do not power off the Device during importing the configuration file.

13.4.3 Restore Defaults

Figure 13-10 Restore Default

● Reset: Click it to reset the Device to factory default settings.

Note

1. This operation will clear all of the Device’s custom settings. It is strongly recommended that you back up the current configuration before resetting.

2. The default administrator user name is Default (case sensitive) with a blank password. The default LAN interface IP address is 192.168.20.1, and the subnet mask is 255.255.255.0.


13.5 Remote Admin

This section describes the System > Remote Admin page.

As the Device has a built-in firewall function, it blocks all requests initiated from the Internet by default. To remotely configure and manage the Device via the Internet, you should enable HTTP remote management.

Figure 13-11 Remote Admin Settings

● HTTP: It allows you to enable or disable HTTP remote management. Select this check box to enable HTTP remote management via the Internet. When accessing the Device from the Internet, enter http:// followed by the Device's WAN IP address, a colon (:) and the port number. For example, if the WAN IP address is 218.21.31.3 and the port number is 8081, enter http://218.21.31.3:8081 in your browser’s URL field.

● Port: It specifies the port number for HTTP remote management. The default value is 8081. Note: If the port value is changed to 80, the system will automatically create one port forwarding rule (protocol TCP, port 80); you can go to the NAT > Port Forwarding page to view it in the Port Forwarding List. In this case, adding a new port forwarding rule for a LAN Web server will cause a conflict.

● Save: Click it to save the remote admin settings.

Note

1. You can find the Device’s WAN IP address in the WAN List on the Basic > WAN page.

2. To ensure security, it is strongly recommended that you do not enable HTTP remote management unless necessary. If you do enable it, you should go to the System > Administrator page to change the default password.

3. If the Internet connection has a dynamic IP address, you should enable DDNS in the Advanced > DDNS page, so that you can use a fixed domain name to manage the Device via the Internet.

4. Once you enable HTTP remote management, the system will automatically create two port forwarding rules; their IDs are http and telnet respectively. You can go to the NAT > Port Forwarding page to view them in the Port Forwarding List.

5. Please enable HTTP remote management before asking a Digicom support engineer for technical support.


13.6 WEB Server

In the System > WEB Server page, you can specify the port number that the Device’s Web service uses to listen for HTTP requests from the LAN hosts.

Figure 13-12 WEB Server

● Port: The port number that the Web server uses to listen for HTTP requests from the LAN hosts. The default port number is 80. If it has been changed, you should enter http://<Device’s LAN IP address>:<port number> (e.g., http://192.168.20.1:88) to access the Device.

● Save: Click it to save your settings.


13.7 Restart

The System > Restart page lets you restart the Device.

Figure 13-13 Restart the Device

● Restart: Click it to restart the Device.

If you click the Restart button, the system will pop up a prompt dialog box (see Figure 13-19). Then you can click OK to restart the Device, and the system will jump to a countdown page (see Figure 13-20). Or click Cancel to cancel the operation.

Figure 13-14 Prompt Dialog Box - Restart the Device

Figure 13-15 Restarting……

Note


Because restarting the Device will disconnect all the sessions, please do it with caution. The Device will return to the Status > System Info page after restarted.


Appendix A How to Configure Your PC


This appendix describes how to install and configure TCP/IP properties for Windows 95 and Windows 98.

Step 1: Installing TCP/IP components

To install TCP/IP component, do the following:

1. On the Windows taskbar, click Start > Settings > Control Panel .

2. Double-click the Network icon, and select the Configuration tab. In the "The following network components are installed" box, you must make sure that your network card driver and TCP/IP are installed. To do this, please check that the TCP/IP -> (your Ethernet adapter) option exists.

3. If your network card driver and TCP/IP are not installed, at first you should install the network card driver properly.

4. After installing the network card driver, you should install TCP/IP. Do the following: first, open the Network dialog box (refer to the previous step), and then click the Add button on the Configuration tab; this will bring up the Select Network Component Type window. Select Protocol and click the Add button; this will bring up the Select Network Protocol window. Select Microsoft in the Manufacturers box, select TCP/IP in the Network Protocols box, and lastly click OK. Your computer will prompt you to restart, and then TCP/IP will be installed.

Step 2: Configuring TCP/IP properties

Once the proper Ethernet card and TCP/IP protocol are installed, you should configure the TCP/IP properties. There are two methods of configuring TCP/IP properties: one is to manually configure TCP/IP properties, the other is to automatically configure TCP/IP properties with DHCP. The following describes the configuration procedure of these two methods respectively.

● Method One: Manually Configuring TCP/IP

To configure the TCP/IP protocol manually, do the following:

1. On the Windows taskbar, click Start > Settings > Control Panel .

2. Double-click the Network icon, and select the Configuration tab. In the "The following network components are installed" box, select TCP/IP -> (your Ethernet adapter), and then click Properties.


3. In the TCP/IP properties dialog box, select the IP address tab, and then select the Specify an IP address radio button. Enter 192.168.20.x (x is between 2 and 254, including 2 and 254) in the IP Address box, and enter 255.255.255.0 in the Subnet Mask box.

4. Select the Gateway tab, enter the IP address of the Device’s LAN interface (default value is 192.168.20.1) in the New gateway box, and then click Add button.

5. Select the DNS Configuration tab, enter a host name in the Host box, and enter a domain name in the Domain box optionally. In the DNS Server Search Order box, enter the IP address of the primary DNS server provided by your ISP. Then click Add button to add the IP address to the list. Add the secondary DNS server IP address in the same manner as the first. Leave the domain suffix search order blank.

6. Click OK in the TCP/IP properties window; this will return you to the Network window. Click OK again. Now you have finished configuring the TCP/IP properties.

Restart your PC for the changes to take effect.

● Method Two: Automatically Configuring TCP/IP with DHCP

1. To ensure that the host can obtain an IP address and other TCP/IP parameters automatically from the Device, you should enable the Device’s DHCP server function in Basic > DHCP & DNS page.

2. On the Windows taskbar, click Start > Settings > Control Panel .

3. Double-click the Network icon, and select the Configuration tab. In the "The following network components are installed" box, select TCP/IP -> (your Ethernet adapter), and then click Properties.

4. In the TCP/IP properties dialog box, select the IP address tab, and then select Obtain an IP address automatically.

5. Select the Gateway tab, and then make sure that the Installed gateway box is left blank. If any gateways are shown, remove them.

6. Click the DNS Configuration tab, and then make sure that the Disable DNS is selected.

7. Click OK in the TCP/IP properties window; this will return you to the Network window. Click OK again. Now you have finished configuring the TCP/IP properties.

Restart your PC for the changes to take effect.

Step 3: Selecting Windows’ Internet Access Method

1. On the Windows taskbar, click Start > Programs > accessories > communications > Internet Connection Wizard .


2. Select the third option I want to set up my Internet connection manually, or I want to connect through a Local Area Network (LAN) , and click the Next button.

3. Select the I want to connect through a Local Area Network radio button, and click the Next button.

4. Uncheck all boxes in the LAN Internet Configuration screen, and click the Next button.

5. In the Set Up Your Internet Mail Account screen, select No and click the Next button.

6. In the Internet Connection Wizard screen, Click Finish button to complete the wizard.

Now you have finished configuring the TCP/IP properties, and you can use a web browser, FTP client, or other Internet client programs normally.


Appendix B FAQ


1. How to connect the Device to the Internet using PPPoE

Step 1 Set your ADSL Modem to bridge mode (RFC 1483 bridged mode).

Step 2 Please make sure that your PPPoE Internet connection uses the standard dial type. You may use the Windows XP built-in PPPoE dial-in client to test.

Step 3 Connect a network cable from the ADSL modem to a WAN port of the Device, and connect your telephone line to the ADSL modem’s line port.

Step 4 Configure the PPPoE Internet connection related parameters in the Basic > WAN page or through the Quick Wizard. Refer to section 6.2.2.1 PPPoE Internet Connection Settings for more information.

Step 5 If you pay monthly for the Internet connection, you can choose Always On as the Dial Type; otherwise, you can choose On Demand or Manual as the Dial Type, and specify the Idle Timeout to avoid wasting online time in case you forget to hang up the connection in time.

Step 6 If you choose Manual as the Dial Type, you need to go to the Basic > WAN > WAN List page to dial up manually. Refer to section 6.2.1.3 How to Dial and Hang up a PPPoE Connection for more information.

Step 6 After the PPPoE connection is established successfully, you can view its configuration and status information in the Basic > WAN > WAN List page, such as Status (Connected means the connection is established successfully), the connection’s IP address and Gateway provided by your ISP, and so on, see Figure B-0-1.

Figure B-0-1 Viewing PPPoE Internet Connection Status in WAN List


Step 7 You may go to the Status > System Log page to view the system logs related to the PPPoE connection, see Table B-0-1.

Call Syslog:
Session Up [x]
PPPoE Up 00:0c:f8:f9:66:c6
Call Connected, on Line1, on Channel 0
Outgoing Call @51:1-1
Call Result: PPPoE session has been established successfully.

Call Syslog:
Call Terminated @clearSession: 1
Outgoing Call @51:1-1
Call Result: Failed to establish the physical connection, please check whether the Internet connection is normal. You may use the Windows XP built-in PPPoE dial-in client to test.

Call Syslog:
Call Terminated @clearSession: 1
Call Connected, on Line1, on Channel 0
Outgoing Call @51:1-1
Call Result: The physical connection has been established, but failed to authenticate. Please go to the Basic > WAN page to check whether the user name and password are correct. If they are correct, please change the PPP Authentication to CHAP or NONE (see Figure B-0-2), then click the Save button, and lastly restart the Device.

Table B-0-1 PPPoE Dial-up System Logs


Figure B-0-2 PPPoE Connection Settings (Part)

Step 8 You may go to the Status > Route Stats page to view the related route information in the Routing Table, such as the Gateway IP Address provided by your ISP, Flag (N should appear, which means NAT is enabled on the route), and so on, see Figure B-0-3.

Figure B-0-3 Routing Table - Example 1

Step 9 Configure the LAN hosts according to the steps described in Appendix A How to configure your PC.


2. How to connect the Device to the Internet using Static IP

Step 1 Please make sure the Internet connection is normal. You may use your PC to test.

Step 2 Connect a network cable from the network device provided by your ISP to a WAN port of the Device.

Step 3 Configure the static IP Internet connection related parameters in the Basic > WAN page or through the Quick Wizard. Refer to section 6.2.2.2 Static IP Internet Connection Settings for more information.

Step 4 After you finish configuring the static IP Internet connection, you may go to the Status > Route Stats page to view the related route information in the Routing Table, such as the Gateway IP Address provided by your ISP, Flag (N should appear, which means NAT is enabled on the route), and so on, see Figure B-0-4.

Figure B-0-4 Routing Table - Example 2

Step 5 Configure the LAN hosts according to the steps described in Appendix A How to configure your PC.

3. How to connect the Device to the Internet using DHCP

Step 1 Please make sure the Internet connection is normal. You may use your PC to test.

Step 2 Connect a network cable from the Cable modem to a WAN port of the Device.

Step 3 Configure the DHCP Internet connection related parameters in the Basic > WAN page or through the Quick Wizard. Refer to section 6.2.2.3 DHCP Internet Connection Settings for more information.

Note

For a DHCP Internet connection, the Cable Modem may have recorded the MAC address of the previously connected network device and allow only the device with that MAC address to connect to it. In that case you should set the new Device's MAC address to the recorded MAC address, as follows: go to the Basic > WAN page, select DHCP from the Connection Type, enter the recorded MAC address in the MAC Address text box, click Save to save the change, and lastly restart the Device to make the change take effect.

Step 4 After the DHCP Internet connection is established successfully, you can view its configuration and status information in the Basic > WAN > WAN List page, such as Status (Connected means the connection is established successfully; in this case it also displays the time left before the lease on the current IP address expires), the connection's IP address and Gateway provided by your ISP, and so on, see Figure B-0-5.

Figure B-0-5 View DHCP Internet Connection Status Information

Step 5 You may go to the Status > Route Stats page to view the related route information in the Routing Table, such as the Gateway IP Address provided by your ISP, Flag (N should appear, which means NAT is enabled on the route), and so on, see Figure B-0-6.

Figure B-0-6 Routing Table - Example 3

Step 6 Configure the LAN hosts according to the steps described in Appendix A How to configure your PC.

4. How to reset the Device to factory default settings

The following describes how to reset the Device to factory default settings. There are two cases depending on whether you remember the administrator password or not.

Note

1) The reset operation will clear all the custom settings on the Device, so do it with caution.

2) Here we take Windows XP for example.

4-1 Case One: Remember the administrator password

When you remember the administrator password, you can use either of the following two ways to reset the Device to factory default settings. Note that the second way is available only when the Device has a terminal port.

- The first way: Reset the Device to factory default settings via the Web UI.

The operation is as follows: Go to the System > Configuration > Restore Default page, and then click the Reset button to reset the Device to factory default settings.

- The second way: Reset the Device to factory default settings via HyperTerminal.

The operation steps are the following:

Step 1 Connect the RJ-45 connector of the supplied serial cable to the terminal port on the Device, and the DB9 connector of the cable to an open COM port on your PC.

Step 2 Click Start > Programs > Accessories > Communications > HyperTerminal. The first screen that appears is the New Connection dialog box, see Figure B-0-7; enter a name (Term9600 in this example) in the Name text box, and then click the OK button.

Note that if HyperTerminal is not installed, click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Accessories and Utilities > Details > Communications > Details, select the HyperTerminal check box, and then click OK.

Figure B-0-7 New Connection - Term9600

Step 3 The Connect To dialog box appears, see Figure B-0-8. From the Connect using drop-down list, select the COM port that links your PC to the Device (COM3 in this example), and then click the OK button.

Figure B-0-8 Choose a COM Port - Term9600

Step 4 The COM port properties dialog box appears (see Figure B-0-9). Select 9600 from Bits per second, 8 from Data bits, None from Parity, 1 from Stop bits, None from Flow control, and then click the OK button.

Figure B-0-9 COM Port Properties - Term9600

Step 5 Now HyperTerminal is started and ready for use, see Figure B-0-10.

Figure B-0-10 HyperTerminal Window - Term9600

Step 6 Press the <Enter> key; the Device acknowledges the active connection with the "Login" prompt, see Figure B-0-11. Enter the administrator user name (Default in this example) at the prompt and press <Enter>. The "Password" prompt then appears; enter the password (test in this example) at the prompt and press <Enter>. The "hiper%" prompt then appears, which means that you have logged in to the Device successfully and the Device is ready to receive a command.

Figure B-0-11 Login to the Device - Term9600

Step 7 Enter nvramc at the prompt and press the <Enter> key (see Figure B-0-12); the Device immediately restores the factory default settings and restarts itself.

Once restarted, you can use the system default administrator account to log in to the Device via the Web UI.

Note that by default, the LAN interface IP address is 192.168.20.1, and the administrator user name is Default (case sensitive) with a blank password.

Figure B-0-12 Reset to Factory Default Settings - Term9600

4-2 Case Two: Forget the administrator password

If you forget the administrator password, you can use either of the following two ways to reset the Device to factory default settings. Note that the first way is available only when the Device has a reset button, and the second way only when the Device has a terminal port.

- The first way: Reset the Device to factory default settings via the Reset button.

The operation is as follows: While the Device is powered on, use a pin or paper clip to press and hold the Reset button for more than 5 seconds, and then release the button. After that, the Device restarts with factory default settings.

- The second way: Reset the Device to factory default settings via HyperTerminal.

The operation steps are the following:

Step 1 Connect the RJ-45 connector of the supplied serial cable to the terminal port on the Device, and the DB9 connector of the cable to an open COM port on your PC.

Step 2 Click Start > Programs > Accessories > Communications > HyperTerminal. The first screen that appears is the New Connection dialog box, see Figure B-0-13; enter a name (Term115200 in this example) in the Name text box, and then click the OK button.

Note that if HyperTerminal is not installed, click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Accessories and Utilities > Details > Communications > Details, select the HyperTerminal check box, and then click OK.

Figure B-0-13 New Connection - Term115200

Step 3 The Connect To dialog box appears, see Figure B-0-14. From the Connect using drop-down list, select the COM port that links your PC to the Device (COM3 in this example), and then click the OK button.

Figure B-0-14 Choose a COM Port - Term115200

Step 4 The COM port properties dialog box appears (see Figure B-0-15). Select 115200 from Bits per second, 8 from Data bits, None from Parity, 1 from Stop bits, None from Flow control, and then click the OK button.

Figure B-0-15 COM Port Properties - Term115200

Step 5 Now HyperTerminal is started and ready for use, see Figure B-0-16.

Figure B-0-16 The HyperTerminal Window - Term115200

Step 6 Restart the Device and, within three seconds, enter ast (lower case); the "Ast>" prompt then appears, see Figure B-0-17. If the prompt does not appear, try again several times until the "Ast>" prompt appears.

Figure B-0-17 Login to the Device - Term115200

Step 7 Enter nv at the prompt and press the <Enter> key (see Figure B-0-18); the Device immediately restores the factory default settings. The message "Erasing NVRAM………Done" means that the Device has restored the factory default settings successfully. Once you have restarted the Device, you can use the system default administrator account to log in to the Device via the Web UI.

Note that by default, the LAN interface IP address is 192.168.20.1, and the administrator user name is Default (case sensitive) with a blank password.

Figure B-0-18 Reset to Factory Default Settings - Term115200

5. How to use CLI Rescue Mode

In most cases, the Device can boot or reboot normally in Normal Startup Mode. However, sometimes you are unable to start the Device in Normal Startup Mode because of configuration errors, a forgotten administrator password or other reasons. To solve this problem, Rescue Mode is provided on Devices running ReOS 5.0 or a later version.

After booting into Rescue Mode, the Device runs with factory default settings and without any custom settings, so it behaves like a new device that has not been configured. In Rescue Mode, you can use any CLI command to perform any operation.

Note

Only a Device that has a serial port supports Rescue Mode.

Here we take Windows XP as an example to describe how to start the Device in Rescue Mode. The operation steps are the following:

Step 1 Connect the RJ-45 connector of the supplied serial cable to the terminal port on the Device, and the DB9 connector of the cable to an open COM port on your PC.

Step 2 Click Start > Programs > Accessories > Communications > HyperTerminal. The first screen that appears is the New Connection dialog box, see Figure B-0-19; enter a name (rescue in this example) in the Name text box, and then click the OK button.

Note that if HyperTerminal is not installed, click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Accessories and Utilities > Details > Communications > Details, select the HyperTerminal check box, and then click OK.

Figure B-0-19 New Connection - Rescue

Step 3 The Connect To dialog box appears, see Figure B-0-20. From the Connect using drop-down list, select the COM port that links your PC to the Device (COM3 in this example), and then click the OK button.

Figure B-0-20 Choose a COM port - Rescue

Step 4 The COM port properties dialog box appears (see Figure B-0-21). Select 9600 from Bits per second, 8 from Data bits, None from Parity, 1 from Stop bits, None from Flow control, and then click the OK button.

Figure B-0-21 COM Port Properties - Rescue

Step 5 Now HyperTerminal is started and ready for use, see Figure B-0-22.

Figure B-0-22 The HyperTerminal Window - Rescue

Step 6 Restart the Device; during the restart, as soon as the "***booting with factory default configuration, ***" prompt appears, press the <Ctrl + C> keys three consecutive times within three seconds. The message "BREAK detected, skip restore user nvram profile by _restoreUserNvramTask." then indicates that the system has booted into Rescue Mode successfully.

Figure B-0-23 Boot into Rescue Mode - Rescue

Step 7 After the Device has booted into Rescue Mode, you can use the system default administrator account to log in to the Device. Enter Default at the "Login" prompt and press the <Enter> key, see Figure B-0-24. The "Password" prompt then appears; press <Enter> directly. The "rescue#" prompt then appears, which means that you have logged in to the Rescue Mode configuration interface successfully and the Device is ready to receive a command. Now you can perform any operation.

Figure B-0-24 Login to Rescue Mode Configuration Interface - Rescue

Step 8 In the Rescue Mode configuration interface (see Figure B-0-25), if you enter show running-config at the prompt and press <Enter>, it outputs only the firmware version information and no custom settings, which means that the system is running with the factory default settings; if you enter show nvram at the prompt and press <Enter>, it outputs the firmware version information together with your custom settings.

Figure B-0-25 View Settings - Rescue

Note

In Rescue Mode, the write command saves only the settings you have made in the Rescue Mode configuration interface, and all of your original custom settings will be lost. Thus, if you want to keep the original custom settings, do one of the following: run the show nvram command first to display all the original custom settings, re-enter the settings you need by copying and pasting, and lastly run the write command to save them; or save the settings you need as a text file, run the write command, and lastly re-enter the settings in the Normal Startup Mode configuration interface.

Step 9 Finally, you need to restart the Device to exit the Rescue Mode configuration interface.

6. IP/MAC Binding and Access Control

This section mainly describes the characteristics of the IP/MAC binding and access control functions, and the relationship between them. Its purpose is to help you better understand them, and use them to flexibly control and manage the Internet behaviors of the LAN users to enhance network security.

To achieve network security management, you should first implement user identification and then user authorization. On the Device, you can use the IP/MAC binding feature to implement user identification, and use access control rules of the access control feature to control the Internet behaviors of the LAN users.

Refer to section 12.2 IP/MAC Binding for more information about IP/MAC binding; refer to section 12.3 Firewall for more information about access control.

A. IP/MAC Binding

The Device provides the IP/MAC binding feature to implement user identification. Using the IP/MAC address pair as a unique user identity, you can protect the Device and your network against IP address theft, MAC address theft, IP spoofing attacks, and MAC spoofing attacks.

For non-IP/MAC binding users (i.e., users whose IP address and MAC address both differ from those of every IP/MAC binding), the Device allows access to the Device and the Internet by default. If you want to block them, unselect the Allow Undefined LAN PCs check box in the Security > IP/MAC Binding > IP/MAC Binding List page.

The IP/MAC binding feature acts only on packets initiated from LAN hosts to the Device or to outside hosts; it cannot act on packets within the LAN. If you change a LAN host's IP address or MAC address, that host can no longer access the Device or reach the Internet through the Device, but it can still communicate with the other LAN hosts: for example, it can browse Network Neighborhood and use Windows file and printer sharing services within the LAN.

B. Access Control

The Device allows you to create access control rules by referencing address groups, service groups and schedules . By default, as no access control rule exists on the Device, the Device will forward all the valid packets received by the LAN interface. After you have enabled access control, the Device will examine each packet received by the LAN interface to determine whether to forward or drop the packet, based on the criteria you specified in the access control rules.

C. The Relationship between Them


1) Using IP/MAC binding feature can only implement user identification, but cannot control and manage the Internet behaviors of the LAN users. The latter is implemented by access control function module.

2) In most cases, you can create one access control rule for a group of users. If some users have the privilege of accessing the Internet, you can create an address group for these hosts even if their IP addresses are not contiguous. Then you only need to create one access control rule that uses the address group to meet the hosts' requirements, instead of creating a rule for each user separately. Of course, you can also create access control rules for individual users if needed.

3) On the Device, at first you can use IP/MAC binding feature to implement user identification, and then divide the LAN users into several address groups (the users with the same Internet access privileges are divided into the same group), lastly create different access control rules for different address groups.

Thus, you can implement not only user identification, but also Internet behavior management of LAN users to ensure network security and efficient use of network resources.

D. Operation Process

When receiving a packet initiated from LAN to the Device or outside host, the Device will process the packet in the following order:

1) User identification (i.e., the packet is processed by the IP/MAC binding function module)

a) If the sender is a legal user, the packet is allowed to pass and is then further processed by the firewall access control function module.

b) If the sender is an illegal user, the packet is dropped immediately.

c) If the sender is an undefined user, there are two cases:

i. If the Allow Undefined LAN PCs check box is selected, the packet is allowed to pass and is then further processed by the firewall access control function module.

ii. Otherwise, the packet is dropped immediately.

Note

The definitions of legal user, illegal user and undefined user are as follows:

Legal User: A legal user’s IP and MAC address pair matches an IP/MAC binding whose Allow Internet Access check box is selected.

Illegal User: An illegal user's IP and MAC address pair matches an IP/MAC binding whose Allow Internet Access check box is unselected; or the IP address or the MAC address is the same as an IP/MAC binding's, but not both.

Undefined User: An undefined user’s IP address and MAC address both are different from any IP/MAC binding. The undefined users are all the users except legal and illegal users.

2) User authorization (i.e., the packet is processed by the firewall access control function module)

When receiving a packet initiated from the LAN, the Device analyzes the packet by extracting its source MAC address, source IP address, destination IP address, protocol type (TCP, UDP or ICMP), port number, content, and the date and time at which the packet was received, and then compares them with each rule in the order in which the rules are listed in the Access Control List. The first rule that matches the packet is applied to the packet, and the Device forwards or drops it according to that rule's action. Note that after a match is found, no further rules are checked; and if no match is found, the Device drops the packet to ensure security.

Note that if a schedule is referenced in an access control rule, you need to judge first whether the schedule is still in effect. If the schedule has expired, it has no effect. In this case, if the access control rule still needs a time restriction, you should reconfigure the schedule.
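The processing order described above (identification by IP/MAC binding, then first-match access control with a default drop) written out as a small model, added here as an example and not part of the manual or the ReOS firmware; the bindings, rules, packets and the rule matching fields are constructed for this example, and the assumption that a rule with a schedule does not match outside its time window is this example's own.

```python
"""Added example (not Digicom/ReOS code): models how the Device processes a
LAN-originated packet per FAQ 6 D: IP/MAC binding first (user identification),
then the firewall access control list (authorization). All data is constructed;
field names and the schedule semantics are this example's assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    allow_internet: bool  # the binding's "Allow Internet Access" check box


@dataclass(frozen=True)
class Rule:
    action: str                     # "forward" or "drop"
    src_ips: FrozenSet[str]         # address group; empty = any source
    protocol: Optional[str] = None  # "tcp", "udp", "icmp"; None = any
    dst_port: Optional[int] = None  # None = any port
    # (start, end) of the referenced schedule; None = no time restriction.
    # Assumption: outside the window the rule simply does not match.
    schedule: Optional[Tuple[datetime, datetime]] = None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    protocol: str
    dst_port: Optional[int]
    received: datetime


def classify_user(pkt: Packet, bindings) -> str:
    """Legal / illegal / undefined, per the definitions in FAQ 6 D."""
    mac = pkt.src_mac.lower()
    for b in bindings:
        if b.ip == pkt.src_ip and b.mac.lower() == mac:
            # Pair matches a binding: legal only if Allow Internet Access is set
            return "legal" if b.allow_internet else "illegal"
    if any(b.ip == pkt.src_ip or b.mac.lower() == mac for b in bindings):
        return "illegal"        # IP or MAC (but not both) matches a binding
    return "undefined"          # neither field matches any binding


def identify(pkt: Packet, bindings, allow_undefined: bool):
    """Step 1 (IP/MAC binding module): (user class, passes to firewall?)."""
    user = classify_user(pkt, bindings)
    if user == "legal":
        return user, True
    if user == "illegal":
        return user, False       # dropped immediately
    return user, allow_undefined  # "Allow Undefined LAN PCs" decides


def authorize(pkt: Packet, rules) -> str:
    """Step 2 (firewall module): first matching rule wins; no match = drop."""
    for r in rules:
        if r.src_ips and pkt.src_ip not in r.src_ips:
            continue
        if r.protocol is not None and r.protocol != pkt.protocol:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if r.schedule is not None and not (r.schedule[0] <= pkt.received <= r.schedule[1]):
            continue
        return r.action
    return "drop"


def process(pkt: Packet, bindings, allow_undefined: bool, rules):
    """Full path of a LAN-originated packet: identification, then authorization."""
    user, passed = identify(pkt, bindings, allow_undefined)
    return user, (authorize(pkt, rules) if passed else "drop")


# Constructed sample configuration (addresses and MACs are made up).
BINDINGS = (
    Binding("192.168.20.10", "00:11:22:33:44:10", allow_internet=True),
    Binding("192.168.20.11", "00:11:22:33:44:11", allow_internet=False),
)
WORK_HOURS = (datetime(2024, 1, 1, 9, 0), datetime(2024, 1, 1, 18, 0))
RULES = (
    Rule("forward", frozenset({"192.168.20.10"}), "tcp", 80, WORK_HOURS),
    Rule("forward", frozenset(), "udp", 53),   # DNS for any source
)


def demo(allow_undefined: bool = False):
    """Runs six constructed packets through process(); returns {name: (user, action)}."""
    t, late = datetime(2024, 1, 1, 10, 30), datetime(2024, 1, 1, 22, 0)
    pkts = {
        "legal_web": Packet("192.168.20.10", "00:11:22:33:44:10", "tcp", 80, t),
        "legal_smtp": Packet("192.168.20.10", "00:11:22:33:44:10", "tcp", 25, t),
        "after_hours": Packet("192.168.20.10", "00:11:22:33:44:10", "tcp", 80, late),
        "bound_no_net": Packet("192.168.20.11", "00:11:22:33:44:11", "tcp", 80, t),
        "spoofed_mac": Packet("192.168.20.10", "00:11:22:33:44:99", "tcp", 80, t),
        "undefined_dns": Packet("192.168.20.50", "00:11:22:33:44:50", "udp", 53, t),
    }
    return {name: process(p, BINDINGS, allow_undefined, RULES) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (user, action) in demo().items():
        print(f"{name:14s} user={user:9s} action={action}")
```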

E. Configuration Procedure

From the above analysis, we can see that if you want to configure the network access privileges for the LAN users, you need to follow these steps:

1) At first, assign network access privileges to each LAN user: determine whether a user can access and pass through the Device, and assign specific Internet access privileges to the user.

2) Divide the LAN users into several address groups: users with the same Internet access privileges go into the same address group.

3) Configure TCP/IP properties for each LAN user's host, and record each host's MAC address.

4) Go to the Security > IP/MAC Binding page to create IP/MAC bindings. Note that if you want to block the undefined LAN users from accessing the Device and the Internet, you should unselect the Allow Undefined LAN PCs check box.

5) Go to the Security > Address Group page to create address groups.

6) Go to the Security > Service Group page to create service groups.

7) Go to the System > Time page to synchronize the system clock.

8) If you want to create access control rules based on schedules, go to the Security > Schedule page to create schedules.

9) Go to the Security > Firewall page to create access control rules for each address group respectively.

7. How to find out who uses the most bandwidth?

By viewing the NAT Statistics list in the Status > NAT Stats page, you can find out the LAN user who uses the most bandwidth.

A. How to find out who has downloaded the most packets?

Query the Rx Packets in the NAT Statistics list: the larger value means the more downloaded packets. The most Rx Packets means the corresponding LAN user has downloaded the most packets from the Internet.

B. How to find out who has uploaded the most packets?

Query the Tx Packets in the NAT Statistics list: the larger value means the more uploaded packets. The most Tx Packets means the corresponding LAN user has uploaded the most packets to the Internet.

C. How to find out who is most active in the LAN?

Query the Active Sessions in the NAT Statistics list: the larger value means the user is more active. The most Active Sessions means the corresponding user is the most active in the LAN.

8. How to troubleshoot faults caused by worm viruses or hacker attacks on the Device?

Note

Each of the following points can only be used as a reference for network troubleshooting, but cannot be used as a basis for finding a network virus or attack.

A. How to find out who is using an IP/Port Scanner

When using an IP/Port Scanner, a host sends a large number of ICMP/UDP/TCP packets to the target host in a very short time to detect whether the target IP address exists or which ports are open on the target host. The host using an IP/Port Scanner can generate a large amount of traffic, and too much traffic (i.e., too heavy a network load) causes network congestion, so the other users may be unable to surf the Internet normally.

On the Device, you can find out who is using an IP/Port Scanner through the following three ways.

1) You can view the NAT Statistics list in the Status > NAT Stats page to find out whether there is a LAN host whose Overflow is larger than 100. If a host's concurrent NAT sessions have reached the maximum value (configured in the Security > NAT Session Limit page), any further request to create a new session is discarded and the Overflow is updated accordingly; so if a host's Overflow is larger than 100, the host is suspected of using an IP/Port Scanner.

2) You can view the NAT Statistics list in the Status > NAT Stats page to find out whether there is a LAN host whose Tx Packets is far larger than its Rx Packets. An IP/Port Scanner often uses a forged source IP address to send out packets, so the response packets cannot reach the sender; thus if a host's Tx Packets is far larger than its Rx Packets, the host is suspected of using an IP/Port Scanner.

3) You can view the system logs in the Status > System Log page to find out whether there is a NAT exceeded log message. For example, the log message "NAT exceeded 192.168.20.221" means that the host with IP address 192.168.20.221 has exceeded the maximum concurrent NAT sessions limited by the Device (configured in the Security > NAT Session Limit page), and this host is suspected of using an IP/Port Scanner.

Note

Recommended solution: It is recommended that you stop all the running applications on that suspicious host, then run effective antivirus software, and lastly restart or reinstall the operating system.

B. How to find out who is attacking an Internet host with DoS/DDoS

A DoS attack (denial-of-service attack) or DDoS attack (distributed denial-of-service attack) is an attempt to make a host's resources unavailable to its intended users. When performing a DoS/DDoS attack, a host sends a large number of packets to the target host (typically a web server) in a very short time to place too heavy a load on the target, so that it is unable to provide normal services. The host performing DoS/DDoS attacks can generate a large amount of traffic, and too much traffic (i.e., too heavy a network load) causes network congestion, so the other users may be unable to surf the Internet normally.

On the Device, you can find out who is performing a DoS/DDoS attack through the following three ways.

1) You can view the NAT Statistics list in the Status > NAT Stats page to find out whether there is a LAN host whose Tx Packets is far larger than the other hosts' but whose Rx Packets is very small or zero. When a LAN host attacks an Internet host with DoS/DDoS, it sends a large number of packets to the Internet host; so if a LAN host meets the above conditions, it is suspected of performing a DoS/DDoS attack.

Note that the user who is uploading files via HTTP/FTP should be excluded.

2) You can view the NAT Statistics list in the Status > NAT Stats page to find out whether there is a LAN host whose Tx Packets is far larger than its Rx Packets. A DoS/DDoS attack program often uses a forged source IP address to send out packets, so the response packets cannot reach the sender; thus if a host's Tx Packets is far larger than its Rx Packets, the host is suspected of performing a DoS/DDoS attack.

3) You can view the system logs in the Status > System Log page to find out whether there is a NAT exceeded log message. For example, the log message "NAT exceeded 192.168.20.221" means that the host with IP address 192.168.20.221 has exceeded the maximum concurrent NAT sessions limited by the Device (configured in the Security > NAT Session Limit page), and this host is suspected of performing a DoS/DDoS attack.

Note

Recommended solution: It is recommended that you stop all the running applications on that suspicious host, then run effective antivirus software, and lastly restart or reinstall the operating system.

C. How to find out a host infected with Code Red worm virus?

You can view the NAT Statistics list in the Status > NAT Stats page to find out whether there is a LAN host whose Tx Packets is very large but whose Rx Packets is very small or zero. If a host meets the above conditions and has not used any LAN server, the host is likely to be infected with the Code Red worm virus.

D. How to find out a host performing a TCP SYN Flood, UDP Flood or ICMP Flood attack?

You can view the NAT Statistics list in the Status > NAT Stats page to find out whether there is a LAN host whose Tx Packets is very large but whose Rx Packets is very small. If a host meets the above conditions, the host is likely to be performing a TCP SYN Flood, UDP Flood or ICMP Flood attack.

Note

The user who is uploading files via HTTP/FTP should be excluded.

E. How to find out a host performing an ARP Spoofing attack?

You can view the system logs in the Status > System Log page to find out whether there is a LAN host whose MAC address keeps changing; for example, the following log message means that the host with IP address 192.168.1.1 is likely to be performing an ARP Spoofing attack.

MAC New 00:22:aa:00:22:bb

MAC Old 00:22:aa:00:22:aa

ARP SPOOF 192.168.1.1

F. How to find out a host infected with Blaster/Sasser virus

A host infected with the Blaster/Sasser virus randomly sends out a large number of ICMP packets and broadcasts a large number of packets whose destination port is 135, 137, 139 or 445, which causes network congestion or even paralyses the whole internal and external networks.

Go to the Status > Session Monitor page, select All from the Filter Option drop-down list, and then click the Query button to view all the active NAT sessions in the NAT Session List. If there are many sessions whose Protocol is ICMP, and many sessions whose Dest Port is 135, 137, 139 or 445, the corresponding LAN host is likely to be infected with the Blaster/Sasser virus.

If a host has been infected with the Blaster virus, it has the following symptoms: it inexplicably crashes or restarts itself; links in IE cannot be opened properly; copy and paste operations cannot be performed; sometimes certain applications, such as Word, run abnormally; the network becomes slow; and there is a process named msblast.exe in Task Manager.

If a host has been infected with the Sasser virus, it has the following symptoms: it inexplicably crashes or restarts itself; there is a process named avserve.exe, avserve2.exe or skynetave.exe in Task Manager; there is a virus file named avserve.exe, avserve2.exe or skynetave.exe in the system directory; and the system runs extremely slowly with CPU usage at 100%.
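The heuristics of FAQ 7 and FAQ 8 (top talkers in the NAT Statistics list; Overflow above 100 and Tx Packets far larger than Rx Packets; the "NAT exceeded" and "ARP SPOOF" log messages; many ICMP or port 135/137/139/445 sessions in the NAT Session List) applied to constructed sample data, added here as an example that is not part of the manual or of ReOS; the column names follow the page, while the ratio and session-count thresholds are this example's own assumptions, since the page quantifies only the Overflow > 100 rule.

```python
"""Added example (not Digicom/ReOS code): applies the FAQ 7 and FAQ 8 heuristics
to constructed samples of the NAT Statistics list, the System Log and the NAT
Session List. Only the Overflow > 100 threshold comes from the page; the other
thresholds are this example's assumptions."""
import re
from collections import Counter

OVERFLOW_LIMIT = 100     # FAQ 8 A 1): Overflow larger than 100
TX_RX_RATIO = 20         # assumed meaning of "Tx Packets far larger than Rx Packets"
WORM_PORTS = {135, 137, 139, 445}
SESSION_MIN = 50         # assumed count of ICMP / worm-port sessions per host

# Constructed NAT Statistics rows (Status > NAT Stats); values are made up.
NAT_STATS = [
    {"ip": "192.168.20.10", "tx_packets": 12000, "rx_packets": 11500, "active_sessions": 40, "overflow": 0},
    {"ip": "192.168.20.221", "tx_packets": 250000, "rx_packets": 300, "active_sessions": 990, "overflow": 350},
    {"ip": "192.168.20.33", "tx_packets": 90000, "rx_packets": 85000, "active_sessions": 12, "overflow": 0},
]

# Constructed System Log lines in the formats FAQ 8 quotes.
SYSLOG = """\
NAT exceeded 192.168.20.221
MAC New 00:22:aa:00:22:bb
MAC Old 00:22:aa:00:22:aa
ARP SPOOF 192.168.1.1
"""

# Constructed NAT Session List rows (Status > Session Monitor, Filter Option = All).
SESSIONS = (
    [{"src_ip": "192.168.20.33", "protocol": "ICMP", "dst_port": None}] * 60
    + [{"src_ip": "192.168.20.33", "protocol": "TCP", "dst_port": 445}] * 70
    + [{"src_ip": "192.168.20.10", "protocol": "TCP", "dst_port": 443}] * 20
)


def top_user(stats, column):
    """FAQ 7: LAN user with the largest Rx Packets, Tx Packets or Active Sessions."""
    return max(stats, key=lambda row: row[column])["ip"]


def scan_or_flood_suspects(stats, ratio=TX_RX_RATIO):
    """FAQ 8 A-D: Overflow above 100, or Tx Packets far larger than Rx Packets."""
    findings = []
    for row in stats:
        if row["overflow"] > OVERFLOW_LIMIT:
            findings.append((row["ip"], "overflow", row["overflow"]))
        rx = max(row["rx_packets"], 1)          # Rx Packets may be zero
        if row["tx_packets"] >= ratio * rx:
            findings.append((row["ip"], "tx_rx_ratio", row["tx_packets"] // rx))
    return findings


def parse_syslog(text):
    """FAQ 8 A 3) and E: 'NAT exceeded <ip>' and the three-line ARP SPOOF message."""
    nat_exceeded, arp_spoof, macs = set(), [], {}
    for line in text.splitlines():
        if m := re.match(r"NAT exceeded (\S+)$", line):
            nat_exceeded.add(m.group(1))
        elif m := re.match(r"MAC (New|Old) (\S+)$", line):
            macs[m.group(1)] = m.group(2).lower()
        elif m := re.match(r"ARP SPOOF (\S+)$", line):
            # the MAC New / MAC Old lines precede the ARP SPOOF line for that IP
            arp_spoof.append((m.group(1), macs.get("Old"), macs.get("New")))
            macs = {}
    return nat_exceeded, arp_spoof


def blaster_sasser_suspects(sessions, minimum=SESSION_MIN):
    """FAQ 8 F: many ICMP sessions or many sessions to ports 135/137/139/445."""
    icmp, worm = Counter(), Counter()
    for s in sessions:
        if s["protocol"].upper() == "ICMP":
            icmp[s["src_ip"]] += 1
        elif s["dst_port"] in WORM_PORTS:
            worm[s["src_ip"]] += 1
    return sorted({ip for c in (icmp, worm) for ip, n in c.items() if n >= minimum})


if __name__ == "__main__":
    print("most downloaded:", top_user(NAT_STATS, "rx_packets"))
    print("scan/flood suspects:", scan_or_flood_suspects(NAT_STATS))
    print("syslog findings:", parse_syslog(SYSLOG))
    print("Blaster/Sasser suspects:", blaster_sasser_suspects(SESSIONS))
```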

9. How to enable WAN ping respond?

To facilitate debugging and testing your Internet connections, the Device provides the Enable WAN Ping Respond feature; that is, it allows you to ping each WAN interface's IP address to detect whether each Internet connection is normal. The operation is as follows:

Go to the Security > Attack Defense > External Defense page, select the Enable WAN Ping Respond check box, and then click the Save button.

After you have enabled WAN ping respond, you can test each Internet connection by using the ping command on an outside host. When you ping the IP address of a WAN interface, correct responses from the WAN interface mean that the corresponding Internet connection is normal; otherwise, the connection itself is abnormal, ping response is disabled on a device between your PC and the Device, or there is a configuration error in the Device.

Appendix C Common IP Protocols


Protocol Name   Protocol Number   Full Name
IP              0                 Internet Protocol
ICMP            1                 Internet Control Message Protocol
IGMP            2                 Internet Group Management Protocol
GGP             3                 Gateway-Gateway Protocol
IPINIP          4                 IP in IP Tunnel Driver
TCP             6                 Transmission Control Protocol
EGP             8                 Exterior Gateway Protocol
IGP             9                 Interior Gateway Protocol
PUP             12                PARC Universal Packet Protocol
UDP             17                User Datagram Protocol
HMP             20                Host Monitoring Protocol
XNS-IDP         22                Xerox NS IDP
RDP             27                Reliable Datagram Protocol
GRE             47                General Routing Encapsulation
ESP             50                Encap Security Payload
AH              51                Authentication Header
RVD             66                MIT Remote Virtual Disk
EIGRP           88                Enhanced Interior Gateway Routing Protocol
OSPF            89                Open Shortest Path First


Appendix D Common Service Ports

Service Name    Port   Protocol   Description
echo            7      tcp
echo            7      udp
discard         9      tcp
discard         9      udp
systat          11     tcp        Active users
systat          11     udp        Active users
daytime         13     tcp
daytime         13     udp
qotd            17     tcp        Quote of the day
qotd            17     udp        Quote of the day
chargen         19     tcp        Character generator
chargen         19     udp        Character generator
ftp-data        20     tcp        FTP, data
ftp             21     tcp        FTP, control
telnet          23     tcp
smtp            25     tcp        Simple Mail Transfer Protocol
time            37     tcp        timserver
time            37     udp        timserver
rlp             39     udp        Resource Location Protocol
nameserver      42     tcp        Host Name Server
nameserver      42     udp        Host Name Server
nicname         43     tcp        whois
domain          53     tcp        Domain Name Server
domain          53     udp        Domain Name Server
bootps          67     udp        Bootstrap Protocol Server
bootpc          68     udp        Bootstrap Protocol Client
tftp            69     udp        Trivial File Transfer
gopher          70     tcp
finger          79     tcp
http            80     tcp        World Wide Web
kerberos        88     tcp        Kerberos
kerberos        88     udp        Kerberos
hostname        101    tcp        NIC Host Name Server
iso-tsap        102    tcp        ISO-TSAP Class 0
rtelnet         107    tcp        Remote Telnet Service
pop2            109    tcp        Post Office Protocol - Version 2
pop3            110    tcp        Post Office Protocol - Version 3
sunrpc          111    tcp        SUN Remote Procedure Call
sunrpc          111    udp        SUN Remote Procedure Call
auth            113    tcp        Identification Protocol
uucp-path       117    tcp
nntp            119    tcp        Network News Transfer Protocol
ntp             123    udp        Network Time Protocol
epmap           135    tcp        DCE endpoint resolution
epmap           135    udp        DCE endpoint resolution
netbios-ns      137    tcp        NETBIOS Name Service
netbios-ns      137    udp        NETBIOS Name Service
netbios-dgm     138    udp        NETBIOS Datagram Service
netbios-ssn     139    tcp        NETBIOS Session Service
imap            143    tcp        Internet Message Access Protocol
pcmail-srv      158    tcp        PCMail Server
snmp            161    udp
snmptrap        162    udp        SNMP trap
print-srv       170    tcp        Network PostScript
bgp             179    tcp        Border Gateway Protocol
irc             194    tcp        Internet Relay Chat Protocol
ipx             213    udp        IPX over IP
ldap            389    tcp        Lightweight Directory Access Protocol
https           443    tcp        MCom
https           443    udp        MCom
microsoft-ds    445    tcp
microsoft-ds    445    udp
kpasswd         464    tcp        Kerberos (v5)
kpasswd         464    udp        Kerberos (v5)
isakmp          500    udp        Internet Key Exchange
exec            512    tcp        Remote Process Execution
biff            512    udp
login           513    tcp        Remote Login
who             513    udp
cmd             514    tcp
syslog          514    udp
printer         515    tcp
talk            517    udp
ntalk           518    udp
efs             520    tcp        Extended File Name Server
router          520    udp        route routed
timed           525    udp
tempo           526    tcp
courier         530    tcp
conference      531    tcp
netnews         532    tcp
netwall         533    udp        For emergency broadcasts
uucp            540    tcp
klogin          543    tcp        Kerberos login
kshell          544    tcp        Kerberos remote shell
new-rwho        550    udp
remotefs        556    tcp
rmonitor        560    udp
monitor         561    udp
ldaps           636    tcp        LDAP over TLS/SSL
doom            666    tcp        Doom Id Software
doom            666    udp        Doom Id Software
kerberos-adm    749    tcp        Kerberos administration
kerberos-adm    749    udp        Kerberos administration
kerberos-iv     750    udp        Kerberos version IV
kpop            1109   tcp        Kerberos POP
phone           1167   udp        Conference calling
ms-sql-s        1433   tcp        Microsoft-SQL-Server
ms-sql-s        1433   udp        Microsoft-SQL-Server
ms-sql-m        1434   tcp        Microsoft-SQL-Monitor
ms-sql-m        1434   udp        Microsoft-SQL-Monitor
wins            1512   tcp        Microsoft Windows Internet Name Service
wins            1512   udp        Microsoft Windows Internet Name Service
ingreslock      1524   tcp
l2tp            1701   udp        Layer Two Tunneling Protocol
pptp            1723   tcp        Point-to-point tunnelling protocol
radius          1812   udp        RADIUS authentication protocol
radacct         1813   udp        RADIUS accounting protocol
nfsd            2049   udp        NFS server
knetd           2053   tcp        Kerberos de-multiplexor
man             9535   tcp        Remote Man Server

Page 418

Appendix F Table Index

Appendix E Figure Index

F IGURE 0-1 IP/MAC B INDING L IST .................................................................................................................. 2

F IGURE 0-2 NAT S TATISTICS ............................................................................................................................ 4

F IGURE 0-3 E NABLE DNS P ROXY ...................................................................................................................... 5

F IGURE 2-1 C ONNECTING THE FW41IP5-U01 TO THE LAN AND I NTERNET ........................................................... 24

F IGURE 2-2 LED S ON THE FW41IP5-U01 ...................................................................................................... 25

F IGURE 2-3 I NSTALL THE FW42IP16-U01 IN A R ACK ........................................................................................ 28

F IGURE 2-4 C ONNECTING THE FW42IP16-U01 TO THE LAN AND I NTERNET ......................................................... 29

F IGURE 2-5 LED S ON THE FW42IP16-U01 .................................................................................................... 30

F IGURE 3-1 E NTERING IP ADDRESS IN THE A DDRESS B AR .................................................................................... 34

F IGURE 3-2 L OGIN S CREEN ............................................................................................................................ 34

F IGURE 3-3 H OMEPAGE S YSTEM I NFO P AGE ................................................................................................... 35

F IGURE 4-1 R UNNING THE Q UICK W IZARD ....................................................................................................... 36

F IGURE 4-2 LAN S ETTINGS ........................................................................................................................... 37

F IGURE 4-3 C HOOSING AN I NTERNET C ONNECTION T YPE .................................................................................... 38

F IGURE 4-4 C HOOSE PPP O E AS THE C ONNECTION T YPE ..................................................................................... 40

F IGURE 4-5 PPP O E I NTERNET C ONNECTION S ETTINGS ....................................................................................... 40

F IGURE 4-6 C HOOSING S TATIC IP AS THE C ONNECTION T YPE ................................................................................ 41

F IGURE 4-7 S TATIC IP I NTERNET C ONNECTION S ETTINGS ..................................................................................... 42

F IGURE 4-8 C HOOSING DHCP AS THE C ONNECTION T YPE ................................................................................... 43

F IGURE 4-9 V IEWING AND S AVING THE S ETTINGS M ADE IN THE Q UICK W IZARD ...................................................... 44

F IGURE 5-1 S YSTEM U P T IME ........................................................................................................................ 46

F IGURE 5-2 S YSTEM R ESOURCE U SAGE I NFORMATION ........................................................................................ 47

F IGURE 5-3 S YSTEM V ERSION ........................................................................................................................ 48

F IGURE 5-4 P ORT S TATUS ............................................................................................................................. 48

F IGURE 5-5 I NTERFACE R ATE C HART ................................................................................................................ 49

F IGURE 5-6 NAT S TATISTICS L IST .................................................................................................................... 51

F IGURE 5-7 DHCP P OOL S TATISTICS L IST ......................................................................................................... 53

F IGURE 5-8 DHCP S ERVER S TATISTICS L IST ...................................................................................................... 55

Page 419

Appendix F Table Index

F IGURE 5-9 DHCP C ONFLICT S TATISTICS L IST .................................................................................................... 56

F IGURE 5-10 DHCP C LIENT S TATISTICS L IST ..................................................................................................... 57

F IGURE 5-11 DHCP R ELAY S TATISTICS L IST ...................................................................................................... 59

F IGURE 5-12 I NTERFACE S TATISTICS L IST .......................................................................................................... 61

F IGURE 5-13 R OUTING T ABLE ........................................................................................................................ 63

F IGURE 5-14 S ESSION M ONITOR S ETTINGS ...................................................................................................... 66

F IGURE 5-15 NAT S ESSION L IST ..................................................................................................................... 68

F IGURE 5-16 S ESSION M ONITOR S ETTINGS E XAMPLE 1 ..................................................................................... 69

F IGURE 5-17 NAT S ESSION L IST E XAMPLE 1 ................................................................................................... 70

F IGURE 5-18 S ESSION M ONITOR S ETTINGS E XAMPLE 2 ..................................................................................... 71

F IGURE 5-19 NAT S ESSION L IST E XAMPLE 2 ................................................................................................... 71

F IGURE 5-20 S ESSION M ONITOR S ETTINGS E XAMPLE 3 ..................................................................................... 72

F IGURE 5-21 NAT S ESSION L IST E XAMPLE 3 ................................................................................................... 72

F IGURE 5-22 S ESSION M ONITOR S ETTINGS E XAMPLE 3 .................................................................................. 73

F IGURE 5-23 NAT S ESSION L IST E XAMPLE 4 ................................................................................................... 74

F IGURE 5-24 S YSTEM L OG S ETTINGS ............................................................................................................... 75

F IGURE 5-25 S YSTEM L OGS ........................................................................................................................... 76

F IGURE 5-26 E NABLE W EB L OG ..................................................................................................................... 79

F IGURE 5-27 V IEW W EB L OGS ...................................................................................................................... 80

F IGURE 5-28 E NABLE A PPLICATION T RAFFIC S TATISTICS ...................................................................................... 81

F IGURE 5-29 A PPLICATION T RAFFIC S TATISTICS L IST ........................................................................................... 82

F IGURE 5-30 U SER T RAFFIC S TATISTICS L IST ..................................................................................................... 83

F IGURE 5-31 WAN T RAFFIC S TATISTICS L IST ..................................................................................................... 84

F IGURE 6-1 LAN I NTERFACE S ETTINGS ............................................................................................................ 85

F IGURE 6-2 WAN I NTERNET C ONNECTION L IST ................................................................................................ 87

F IGURE 6-3 WAN L IST PPP O E I NTERNET C ONNECTION .................................................................................... 90

F IGURE 6-4 WAN L IST DHCP I NTERNET C ONNECTION ....................................................................................... 91

F IGURE 6-5 PPP O E I NTERNET C ONNECTION S ETTINGS ....................................................................................... 93

F IGURE 6-6 S TATIC IP I NTERNET C ONNECTION S ETTINGS ..................................................................................... 97

F IGURE 6-7 DHCP I NTERNET C ONNECTION S ETTINGS ........................................................................................ 99

F IGURE 6-8 D ELETE THE I NTERNET C ONNECTION ............................................................................................. 100

Page 420

Appendix F Table Index

F IGURE 6-9 P ROMPT D IALOG B OX D ELETE AN I NTERNET C ONNECTION .............................................................. 101

F IGURE 6-10 E NABLE ID B INDING ................................................................................................................ 108

F IGURE 6-11 G LOBAL S ETTINGS F ULL L OAD B ALANCING ................................................................................. 109

F IGURE 6-12 G LOBAL S ETTINGS P ARTIAL L OAD B ALANCING ............................................................................. 110

F IGURE 6-13 D ETECTION AND W EIGHT S ETTINGS ............................................................................................ 112

F IGURE 6-14 L OAD B ALANCING L IST ............................................................................................................. 113

F IGURE 6-15 DHCP S ERVER S ETTINGS .......................................................................................................... 116

F IGURE 6-16 DHCP A UTO B INDING ............................................................................................................. 118

F IGURE 6-17 E NABLE DNS P ROXY ................................................................................................................ 119

F IGURE 7-1 S TATIC R OUTE S ETTINGS ............................................................................................................. 122

F IGURE 7-2 S TATIC R OUTE L IST .................................................................................................................... 124

F IGURE 7-3 S TATIC R OUTE S ETTINGS E XAMPLE O NE ....................................................................................... 125

F IGURE 7-4 S TATIC R OUTE S ETTINGS E XAMPLE T WO ...................................................................................... 126

F IGURE 7-5 S TATIC R OUTE PDB S ETTINGS ...................................................................................................... 128

F IGURE 7-6 S TATIC R OUTE PDB S ETTINGS E XAMPLE O NE ............................................................................... 129

F IGURE 7-7 S TATIC R OUTE PDB S ETTINGS E XAMPLE T WO ............................................................................... 130

F IGURE 7-8 P OLICY -B ASED R OUTING S ETTINGS ............................................................................................... 132

F IGURE 7-9 E NABLE P OLICY -B ASED R OUTING ................................................................................................. 134

F IGURE 7-10 PBR L IST ............................................................................................................................... 135

F IGURE 7-11 E NABLE DNS R EDIRECTION ....................................................................................................... 136

F IGURE 7-12 DNS R EDIRECTION L IST ............................................................................................................ 137

F IGURE 7-13 DNS R EDIRECTION S ETTINGS .................................................................................................... 138

F IGURE 7-14 E NABLE P LUG AND P LAY ........................................................................................................... 140

F IGURE 7-15 SNMP S ETTINGS .................................................................................................................... 142

F IGURE 7-16 SYSLOG S ETTINGS ................................................................................................................. 144

F IGURE 7-17 A PPLY FOR A DDNS A CCOUNT FROM NO IP .

ORG ........................................................................... 147

F IGURE 7-18 DDNS S ETTINGS R ELATED TO NO IP .

ORG ..................................................................................... 148

F IGURE 7-21 R EQUESTING FOR AN IP A DDRESS FROM A DHCP S ERVER ............................................................... 150

F IGURE 7-22 S ELECT DHCP C LIENT .............................................................................................................. 158

F IGURE 7-23 DHCP C LIENT S ETTINGS .......................................................................................................... 159

F IGURE 7-24 DHCP C LIENT L IST .................................................................................................................. 160

Page 421

Appendix F Table Index

F IGURE 7-25 S ELECT DHCP S ERVER ............................................................................................................. 162

F IGURE 7-26 DHCP S ERVER G LOBAL S ETTINGS .............................................................................................. 162

F IGURE 7-27 DHCP M ANUAL B INDING L IST .................................................................................................. 163

F IGURE 7-28 DHCP M ANUAL B INDING S ETTINGS ........................................................................................... 164

F IGURE 7-29 DHCP A DDRESS P OOL L IST ....................................................................................................... 166

F IGURE 7-30 DHCP A DDRESS P OOL S ETTINGS ............................................................................................... 167

F IGURE 7-31 S ELECT DHCP R ELAY A GENT ..................................................................................................... 171

F IGURE 7-32 DHCP R ELAY A GENT S ETTINGS .................................................................................................. 171

F IGURE 7-33 DHCP R ELAY A GENT L IST ......................................................................................................... 173

F IGURE 7-34 S ELECT R AW O PTION ............................................................................................................... 174

F IGURE 7-35 R AW O PTION S ETTINGS ............................................................................................................ 175

F IGURE 7-36 R AW O PTION L IST ................................................................................................................... 176

F IGURE 7-37 N ETWORK T OPOLOGY WHERE DHCP S ERVER AND C LIENTS ON S AME S UBNET .................................... 178

F IGURE 7-38 DHCP S ERVER G LOBAL S ETTINGS E XAMPLE ............................................................................... 179

F IGURE 7-39 DHCP A DDRESS P OOL S ETTINGS E XAMPLE ( POOL 1) .................................................................... 179

F IGURE 7-40 DHCP A DDRESS P OOL S ETTINGS E XAMPLE ( POOL 2) .................................................................... 180

F IGURE 7-41 DHCP M ANUAL B INDING S ETTINGS E XAMPLE ............................................................................ 181

F IGURE 7-42 N ETWORK T OPOLOGY W HERE DHCP C LIENT IS A PPLIED ON WAN I NTERFACE ................................... 182

F IGURE 7-43 DHCP C LIENT S ETTINGS E XAMPLE ........................................................................................... 183

F IGURE 7-44 N ETWORK T OPOLOGY W HERE THE D EVICE A CTING AS A DHCP R ELAY A GENT .................................... 184

F IGURE 7-45 DHCP R ELAY A GENT S ETTINGS E XAMPLE .................................................................................. 184

F IGURE 7-46 R AW O PTION S ETTINGS E XAMPLE ............................................................................................ 185

F IGURE 7-47 N ETWORK T OPOLOGY FOR DHCP C OMPREHENSIVE E XAMPLE ......................................................... 188

F IGURE 7-48 DHCP S ERVER G LOBAL S ETTINGS C OMPREHENSIVE E XAMPLE ....................................................... 189

F IGURE 7-49 DHCP A DDRESS P OOL S ETTINGS C OMPREHENSIVE E XAMPLE ( POOL 1) ............................................ 190

F IGURE 7-50 DHCP R ELAY A GENT S ETTINGS C OMPREHENSIVE E XAMPLE (DHCP R ELAY 1) ................................... 191

F IGURE 7-51 P ORT M IRRORING S ETTINGS ..................................................................................................... 192

F IGURE 7-52 P ORT -B ASED VLAN S ETUP ....................................................................................................... 193

F IGURE 8-1 P ORT F ORWARDING S ETTINGS ..................................................................................................... 196

F IGURE 8-2 P ORT F ORWARDING L IST ............................................................................................................ 197

F IGURE 8-3 P ORT F ORWARDING S ETTINGS E XAMPLE O NE ............................................................................... 199

Page 422

Appendix F Table Index

F IGURE 8-4 P ORT F ORWARDING S ETTINGS E XAMPLE T WO .............................................................................. 199

F IGURE 8-5 P ORT F ORWARDING S ETTINGS E XAMPLE T HREE ............................................................................ 200

F IGURE 8-6 G LOBAL DMZ H OST S ETTINGS .................................................................................................... 202

F IGURE 8-7 I NTERFACE DMZ H OST S ETTINGS ................................................................................................. 202

F IGURE 8-8 E ASY IP NAT R ULE S ETTINGS ....................................................................................................... 209

F IGURE 8-9 O NE 2O NE NAT R ULE S ETTINGS .................................................................................................. 210

F IGURE 8-10 P ASSTHROUGH NAT R ULE S ETTINGS ........................................................................................... 212

F IGURE 8-11 NAT R ULE L IST ....................................................................................................................... 213

F IGURE 8-12 E ASY IP NAT R ULE S ETTINGS E XAMPLE ...................................................................................... 215

F IGURE 8-13 N ETWORK T OPOLOGY FOR O NE 2O NE NAT R ULE C ONFIGURATION E XAMPLE ..................................... 216

F IGURE 8-14 O NE 2O NE NAT R ULE S ETTINGS E XAMPLE ................................................................................. 217

F IGURE 8-15 N ETWORK T OPOLOGY FOR P ASSTHROUGH NAT R ULE C ONFIGURATION E XAMPLE ................................ 218

F IGURE 8-16 P ASSTHROUGH NAT R ULE S ETTINGS E XAMPLE ............................................................................ 219

F IGURE 8-17 E NABLE UP N P ....................................................................................................................... 220

F IGURE 8-18 UP N P P ORT F ORWARDING L IST ................................................................................................. 221

F IGURE 9-1 PPP O E D ISCOVERY S TAGE F LOWS ................................................................................................ 222

F IGURE 9-2 PPP O E S ERVER G LOBAL S ETTINGS ............................................................................................... 224

F IGURE 9-3 I NTERNET A CCESS C ONTROL S ETTINGS .......................................................................................... 225

F IGURE 9-4 PPP O E A CCOUNT S ETTINGS ....................................................................................................... 228

F IGURE 9-5 PPP O E A CCOUNT L IST ............................................................................................................... 230

F IGURE 9-6 PPP O E A CCOUNTS I MPORT ........................................................................................................ 231

F IGURE 9-7 PPP O E A CCOUNT B ILLING MECHANISM ........................................................................................ 233

F IGURE 9-8 PPP O E A CCOUNT B ILLING B Y D ATE .............................................................................................. 234

F IGURE 9-9 PPP O E A CCOUNT B ILLING B Y H OUR ............................................................................................ 234

F IGURE 9-10 PPP O E A CCOUNT B ILLING B Y T RAFFIC ........................................................................................ 235

F IGURE 9-11 PPP O E IP/MAC B INDING S ETTINGS .......................................................................................... 236

F IGURE 9-12 PPP O E IP/MAC B INDING L IST ................................................................................................. 237

F IGURE 9-13 PPP O E S TATUS L IST ................................................................................................................ 239

F IGURE 9-14 PPP O E S ERVER G LOBAL S ETTINGS E XAMPLE .............................................................................. 242

F IGURE 9-15 I NTERNET C ONTROL S ETTINGS E XAMPLE .................................................................................... 242

F IGURE 9-16 C ONFIGURING THE U NIVERSAL PPP O E A CCOUNT E XAMPLE .......................................................... 243

Page 423

Appendix F Table Index

F IGURE 9-17 C ONFIGURING THE A DVANCED PPP O E A CCOUNT E XAMPLE .......................................................... 244

F IGURE 9-18 C ONFIGURING A PPP O E IP/MAC B INDING – E XAMPLE ................................................................. 244

F IGURE 9-19 PPP O E A CCOUNT E XPIRATION N OTICE BY D ATE ............................................................................ 246

F IGURE 9-20 PPP O E A CCOUNT E XPIRATION N OTICE P REVIEW – E XAMPLE 1 ........................................................ 247

F IGURE 9-21 PPP O E A CCOUNT E XPIRATION N OTICE BY H OURS ......................................................................... 248

F IGURE 9-22 PPP O E A CCOUNT E XPIRATION N OTICE P REVIEW – E XAMPLE 2 ........................................................ 249

F IGURE 9-23 PPP O E A CCOUNT E XPIRATION N OTICE BY T RAFFIC ........................................................................ 250

F IGURE 9-24 PPP O E A CCOUNT E XPIRATION N OTICE P REVIEW – E XAMPLE 3 ........................................................ 251

F IGURE 10-1 R ATE L IMIT G LOBAL S ETTINGS ................................................................................................... 256

F IGURE 10-2 R ATE L IMIT R ULE S ETTINGS ....................................................................................................... 258

F IGURE 10-3 R ATE L IMIT R ULE L IST .............................................................................................................. 260

F IGURE 10-4 P2P R ATE L IMIT S ETTINGS ........................................................................................................ 262

F IGURE 10-5 P REFERENTIAL F ORWARDING FOR S OME A PPLICATIONS T RAFFIC ....................................................... 264

F IGURE 10-6 R ATE L IMIT G LOBAL S ETTINGS E XAMPLE O NE ............................................................................. 266

F IGURE 10-7 R ATE L IMIT R ULE S ETTINGS E XAMPLE O NE ................................................................................. 267

F IGURE 10-8 P2P R ATE L IMIT S ETTINGS E XAMPLE O NE .................................................................................. 267

F IGURE 10-9 R ATE L IMIT R ULE 1 S ETTINGS E XAMPLE T WO ............................................................................. 269

F IGURE 10-10 R ATE L IMIT R ULE 2 S ETTINGS E XAMPLE T WO ........................................................................... 270

F IGURE 10-11 R ATE L IMIT R ULE 3 S ETTINGS E XAMPLE T WO ........................................................................... 271

F IGURE 10-12 E NABLE P REFERENTIAL F ORWARDING FOR W EB T RAFFIC E XAMPLE T WO ........................................ 271

F IGURE 11-1 U SER S TATUS L IST ................................................................................................................... 272

F IGURE 11-2 P ERSONAL R ATE L IMIT S ETTINGS ................................................................................................ 274

F IGURE 11-3 P ERSONAL I NTERNET B EHAVIOR M ANAGEMENT S ETTINGS .............................................................. 275

F IGURE 11-4 I NTERNET B EHAVIOR M ANAGEMENT P OLICY S ETTINGS ................................................................... 277

F IGURE 11-5 I NTERNET B EHAVIOR M ANAGEMENT P OLICY L IST .......................................................................... 282

F IGURE 11-6 P OLICY D ATABASE L IST ............................................................................................................. 284

F IGURE 11-7 P OLICY D ATABASE V ERSION C HECK ............................................................................................. 285

F IGURE 11-8 I MPORT P OLICY D ATABASE ........................................................................................................ 286

F IGURE 11-9 E NABLE QQ W HITELIST ........................................................................................................... 287

F IGURE 11-10 QQ W HITELIST S ETTINGS ....................................................................................................... 287

F IGURE 11-11 QQ W HITELIST ..................................................................................................................... 288

Page 424

Appendix F Table Index

Figure 11-12 Internet Management Behavior Example Policy 1 .......... 291

Figure 11-13 Internet Management Behavior Example Policy 2 .......... 292

Figure 11-14 Internet Management Behavior Example Policy 3 .......... 293

Figure 11-15 Internet Management Behavior Example Enable QQ Whitelist .......... 293

Figure 11-16 Internet Management Behavior Example QQ Whitelist .......... 294

Figure 11-17 One-Time Notice Settings Customized Mode .......... 296

Figure 11-18 One-Time Notice Preview Example .......... 297

Figure 11-19 One-Time Notice Settings URL Mode .......... 298

Figure 11-20 Daily Notice Settings .......... 299

Figure 11-21 Enable Web Authentication .......... 299

Figure 11-22 Web Authentication User Account Settings .......... 300

Figure 11-23 Web Authentication User Account List .......... 301

Figure 11-24 Web Authentication Login Page .......... 302

Figure 11-25 Web Authentication Prompt Page .......... 302

Figure 12-1 Internal Attack Defense Settings .......... 304

Figure 12-2 External Attack Defense Settings .......... 307

Figure 12-3 IP/MAC Binding List Example One .......... 310

Figure 12-4 IP/MAC Binding List Example Two .......... 311

Figure 12-5 IP/MAC Binding Settings .......... 312

Figure 12-6 IP/MAC Binding Global Setup .......... 313

Figure 12-7 IP/MAC Binding List .......... 314

Figure 12-8 IP/MAC Binding List Example Three .......... 317

Figure 12-9 IP/MAC Binding List Example Four .......... 318

Figure 12-10 Access Control Rule Settings .......... 323

Figure 12-11 Enable Access Control .......... 325

Figure 12-12 Access Control List .......... 326

Figure 12-13 The Schedule of WORK Settings Example 1 .......... 328

Figure 12-14 The Address Group of TD_FD Settings Example 1 .......... 329

Figure 12-15 The Service Group of WEB_FTP Settings Example 1 .......... 329

Figure 12-16 The Access Control Rule 1 Settings Example 1 .......... 330

Figure 12-17 The Access Control Rule 2 Settings Example 1 .......... 331

Figure 12-18 Enable Access Control Example 1 .......... 331

Figure 12-19 The Address Group of Inside Settings Example 2 .......... 332

Figure 12-20 The Address Group of Outside Settings Example 2 .......... 333

Figure 12-21 The Access Control Rule 1 Settings Example 2 .......... 334

Figure 12-22 The Access Control Rule 2 Settings Example 2 .......... 335

Figure 12-23 The Access Control Rule 2 Settings Example 2 .......... 336

Figure 12-24 Enable Access Control Example 2 .......... 336

Figure 12-25 Domain Filtering Settings .......... 337

Figure 12-26 Domain Blocking Notice .......... 339

Figure 12-27 Domain Name Blocking Notice Preview .......... 340

Figure 12-28 NAT Session Limit Rule Settings .......... 341

Figure 12-29 NAT Session Limit Rule List .......... 342

Figure 12-30 Address Group Settings .......... 345

Figure 12-31 Address Group List .......... 346

Figure 12-32 Service Group Settings .......... 350

Figure 12-33 Service Group List .......... 352

Figure 12-34 Schedule Settings .......... 356

Figure 12-35 Schedule List .......... 357

Figure 12-36 Schedule Details .......... 358

Figure 12-37 Schedule Settings Example .......... 360

Figure 13-1 Administrator Settings .......... 361

Figure 13-2 Administrator List .......... 363

Figure 13-3 System Time Enable SNTP .......... 364

Figure 13-4 System Time Set Time Manually .......... 365

Figure 13-5 Save Firmware to Local PC .......... 366

Figure 13-6 Firmware Version Details .......... 366

Figure 13-7 Upgrade Firmware .......... 367

Figure 13-8 Backup Configuration .......... 368

Figure 13-9 Restore Configuration .......... 369

Figure 13-10 Restore Default .......... 369

Figure 13-11 Remote Admin Settings .......... 370

Figure 13-12 Web Server .......... 372

Figure 13-13 Restart the Device .......... 373

Figure 13-14 Prompt Dialog Box Restart the Device .......... 373

Figure 13-15 Restarting ... .......... 373

Figure B-0-1 Viewing PPPoE Internet Connection Status in WAN List .......... 378

Figure B-0-2 PPPoE Connection Settings (Part) .......... 380

Figure B-0-3 Routing Table Example 1 .......... 380

Figure B-0-4 Routing Table Example 2 .......... 381

Figure B-0-5 View DHCP Internet Connection Status Information .......... 382

Figure B-0-6 Routing Table Example 3 .......... 383

Figure B-0-7 New Connection Term 9600 .......... 385

Figure B-0-8 Choose a COM Port Term 9600 .......... 386

Figure B-0-9 COM Port Properties Term 9600 .......... 387

Figure B-0-10 HyperTerminal Window Term 9600 .......... 388

Figure B-0-11 Login to the Device Term 9600 .......... 389

Figure B-0-12 Reset to Factory Default Settings Term 9600 .......... 390

Figure B-0-13 New Connection Term 115200 .......... 391

Figure B-0-14 Choose a COM Port Term 115200 .......... 392

Figure B-0-15 COM Port Properties Term 115200 .......... 393

Figure B-0-16 The HyperTerminal Window Term 115200 .......... 394

Figure B-0-17 Login to the Device Term 115200 .......... 395

Figure B-0-18 Reset to Factory Default Settings Term 115200 .......... 396

Figure B-0-19 New Connection Rescue .......... 398

Figure B-0-20 Choose a COM Port Rescue .......... 399

Figure B-0-21 COM Port Properties Rescue .......... 399

Figure B-0-22 The HyperTerminal Window Rescue .......... 400

Figure B-0-23 Boot into Rescue Mode Rescue .......... 401

Figure B-0-24 Login to Rescue Mode Configuration Interface Rescue .......... 402

Figure B-0-25 View Settings Rescue .......... 403

Appendix F Table Index

Table 0-1 Factory Default Settings of Interfaces .......... 6

Table 0-2 Document Organization .......... 13

Table 1-1 Detailed Specifications .......... 22

Table 2-1 Description of the System LEDs on the FW41IP5-U01 .......... 26

Table 2-2 Description of the Port LEDs on the FW41IP5-U01 .......... 26

Table 2-3 Description of the System LEDs on the FW42IP16-U01 .......... 30

Table 2-4 Description of the Port LEDs on the FW42IP16-U01 .......... 31

Table 5-1 System Logs List .......... 79

Table 6-1 Description of PPPoE Connection Status .......... 88

Table 6-2 Description of Static IP Connection Status .......... 89

Table 6-3 Description of DHCP Connection Status .......... 89

Table 6-4 Detection Method and Detection Target IP .......... 105

Table 7-1 Reserved Detection Route Name .......... 122

Table 7-2 DHCP Message Types .......... 152

Table 7-3 DHCP Relay Agent Forwarding Policies .......... 157

Table 7-4 DHCP Relay Agent IP Addresses and IDs Comprehensive Example .......... 187

Table 12-1 The System Default Access Control Rules .......... 322

Table B-0-1 PPPoE Dial Up System Logs .......... 379

www.digicom.it

Italy 21010 Cardano al Campo VA via Alessandro Volta 39 http://www.digicom.it
