ASUS VPN ADSL Router SL6000/SL6300 User’s Manual
Copyright Information No part of this manual, including the products and software described in it, may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means, except documentation kept by the purchaser for backup purposes, without the express written permission of ASUSTeK COMPUTER INC. (“ASUS”).
ASUSTeK COMPUTER INC. (Asia-Pacific)
Address: 150 Li-Te Road, Peitou, Taipei, Taiwan 112
General Tel: +886-2-2894-3447
General Fax: +886-2-2894-3449
Web Site: www.asus.com
Table of Contents
1. Introduction
1.1 Features
1.2 System Requirements
1.3 Using this Document
1.4 Getting Support
2.
5. System Information
6. Configuring LAN Settings
6.1 LAN IP Address
6.1.1 LAN IP Configuration Parameters
6.1.2 Configuring the LAN IP Address
6.2 DHCP (Dynamic Host Configuration Protocol)
9. Configuring Firewall/NAT Settings
9.1 DoS Protection and Stateful Packet Inspection
9.2 Default ACL Rules
9.3 Configuring Inbound ACL Rules
9.3.2 Add Inbound ACL Rules
9.3.3 Modify Inbound ACL Rules
9.9 Policy List
9.9.1 Application Filter
9.9.2 NAT Pool
9.9.3 IP Pool
9.9.4 Firewall User
13. System Reset
14. Logout Configuration Manager
A. IP Addresses, Network Masks, & Subnets
A.1 IP Addresses
A.1.1 Structure of an IP address
A.1.2 Network classes
Chapter 1
1. Introduction
Congratulations on becoming the owner of the SL6000/SL6300 VPN ADSL Router. Your LAN (local area network) will now be able to access the Internet via the SL6000/SL6300’s ADSL connection. This User Manual will show you how to set up the SL6000/SL6300 VPN ADSL Router, and how to customize its configuration to get the most out of this product.
1.1 Features
• Built-in ADSL modem in SL6000 (G.992.1 Annex A) / SL6300 (G.992.
1.3 Using this Document
1.3.1 Notational conventions
• Acronyms are defined the first time they appear in text and in the glossary (Appendix C).
• For brevity, the SL6000/SL6300 is referred to as “the router.”
• The terms LAN and network are used interchangeably to refer to a group of Ethernet-connected computers at one site.
1.3.2 Typographical conventions
• Italics are used to identify terms that are defined in the glossary (Appendix C).
Chapter 2
2. Getting to Know SL6000/SL6300
2.1 Parts List
In addition to this document, your SL6000/SL6300 should come with the following:
• SL6000/SL6300 VPN ADSL Router
• Power adapter
• Ethernet cable (RJ-45, “straight-through” type)
• Phone cable (RJ-11)
2.2 Front Panel
The front panel contains LED indicators that show the status of the unit.
Figure 2.2 Front Panel LEDs (POWER, STATUS, TRAFFIC, LAN1, LAN2, LAN3, LAN4)
Table 2.
2.3 Rear Panel
The rear panel contains the ports for the unit’s data and power connections.
Figure 2.3 Rear Panel Connections (LINE, P4, P3, P2, P1, CONSOLE, Reset, POWER)
Table 2.2 Rear Panel Labels and Switch/Connectors
1. LINE: Connects to your ADSL line. This is a standard RJ-11 telephone jack on your wall, routed through an ADSL system by your phone company; it may have an optional splitter to allow telephone use on the same line.
2.
Chapter 3
3. Quick Start Guide
This Quick Start Guide provides basic instructions for connecting the SL6000/SL6300 to a computer or a LAN and to the Internet via ADSL.
• Part 1 provides instructions to set up the hardware.
• Part 2 describes how to configure Internet properties on your computer(s).
• Part 3 shows you how to configure basic settings on the SL6000/SL6300 to get your LAN connected to the Internet.
3.1.2 Connect the computers or a LAN
If your LAN has no more than 4 computers, you can use Ethernet cables to connect the computers directly to the built-in switch on the device. Attach one end of an Ethernet cable to any of the ports labeled LAN1 to LAN4 on the rear panel of the device and connect the other end to the Ethernet port of a computer.
3.2 Configuring Your Computers
3.2.1 Before you begin
By default, the SL6000/SL6300 automatically assigns all required Internet settings to your PCs. You need only configure the PCs to accept the information when it is assigned.
Note: In some cases, you may want to assign Internet information manually to some or all of your computers rather than allow the SL6000/SL6300 to do so. See “Assigning static Internet information to your PCs” for instructions.
3.2.3 Windows® 2000 PCs
First, check for the IP protocol and, if necessary, install it:
1. In the Windows task bar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network and Dial-up Connections icon.
3. In the Network and Dial-up Connections window, right-click the Local Area Connection icon, and then select Properties. The Local Area Connection Properties dialog box displays with a list of currently installed network components.
3.2.4 Windows® Me PCs
1. In the Windows task bar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network and Dial-up Connections icon.
3. In the Network and Dial-up Connections window, right-click the Network icon, and then select Properties. The Network Properties dialog box displays with a list of currently installed network components.
3.2.5 Windows® 95, 98 PCs
First, check for the IP protocol and, if necessary, install it:
1. In the Windows task bar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network icon. The Network dialog box displays with a list of currently installed network components. If the list includes TCP/IP, the protocol has already been installed; skip to step 9.
3. If TCP/IP does not display as an installed component, click Add.
3.2.6 Windows® NT 4.0 workstations
First, check for the IP protocol and, if necessary, install it:
1. In the Windows NT task bar, click the Start button, point to Settings, and then click Control Panel.
2. In the Control Panel window, double-click the Network icon.
3. In the Network dialog box, click the Protocols tab. The Protocols tab displays a list of currently installed network protocols.
3.2.7 Assigning static Internet information to your PCs
In some cases, you may want to assign Internet information to some or all of your PCs directly (often called “statically”), rather than allowing the SL6000/SL6300 to assign it. This option may be desirable (but not required) if:
• You have obtained one or more public IP addresses that you want to always associate with specific computers (for example, if you are using a computer as a public web server).
3.3.1 Buttons Used in Setup Wizard
The SL6000/SL6300 provides a pre-installed software program called Configuration Manager that enables you to configure the SL6000/SL6300 via your Web browser. The settings that you are most likely to need to change before using the device are grouped into a sequence of configuration pages guided by the Setup Wizard. The following table shows the buttons that you’ll encounter in the Setup Wizard.
[Next]: Click this button to proceed to the next configuration page.
If you have problems connecting to the SL6000/SL6300, check whether your PC is configured to accept an IP address assignment from the SL6000/SL6300. Another method is to set the IP address of your PC to any address in the 192.168.1.0 network, such as 192.168.1.2, excluding 192.168.1.1 (the router’s own address) and 192.168.1.255 (the broadcast address).
2. Enter your user name and password, and then click [OK] to enter the Configuration Manager.
3. Click on the [Next] button to enter the password configuration page as shown in Figure 3.4. Change the password in the spaces provided if desired; otherwise, proceed to the next configuration page by clicking on the [Next] button. It is strongly recommended that you change the password here, before the router is connected to the ADSL line, because the factory default login (see Chapter 4) is the same on every unit. When changing passwords, make sure you enter the existing login password in the Login Password field, make the changes, and click the [Apply] button to save them.
4. Now we are at the System Information setup page; enter the requested information in the spaces provided and click the [Apply] button to save the changes. Otherwise, proceed to the next configuration page by clicking on the [Next] button.
Figure 3.6 Setup Wizard System Identity Configuration Page
5. Set the time zone for the SL6000/SL6300 by selecting your time zone from the Time Zone drop-down list (shown in Figure 3.7 Time Zone Configuration).
There is no real-time clock inside the SL6000/SL6300. The system date and time are obtained from an external network time server via SNTP (Simple Network Time Protocol). There are five predefined SNTP servers, so you do not need to set the date and time here. Online help is available from the Setup Wizard by clicking the [Help] button (Figure 3.8).
Figure 3.8 Time Zone Help
6.
7. It is recommended that you keep the default settings for the DHCP server until you have completed the rest of the configuration and confirmed that your Internet connection is working. Click on the [Next] button to proceed to the next configuration page.
8. Now we are at the last page of the Setup Wizard, which configures the WAN settings for the SL6000/SL6300. Depending on the connection mode required by your ISP, you may select one of the following connection modes from the Connection Mode drop-down list (see Figure 3.12): MPoA Bridged, PPPoE Relay, MPoA Routed, IPoA Routed, PPPoA Routed and PPPoE Routed.
Figure 3.12 Setup Wizard WAN Configuration Page
Configuration Parameters
1.
4. Default Gateway: Select this channel as the default gateway of the Broadband Gateway.
5. RIP Tx/Rx: Select whether to send/accept routing updates on the channel via RIPv1 or RIPv2. This setting is only effective if RIP is enabled in the Global Setting page. Accept routing updates on the WAN channel only if your ISP requires it: RIPv1 carries no authentication, so any peer on the channel can inject routes.
6. QoS: These settings specify the service category and traffic parameters applied to traffic over the specified ATM interface. Choose one of the following options depending on your traffic requirements.
* DHCP IP Address Assignment: Select this option if the IPoA Service interface is to obtain its IP address from your ISP via DHCP.
* Static IP Address Assignment: Select this option if the IPoA Service interface is to have its own or the remote host’s IP addresses configured statically.
* IP Address: Enter the IPoA service interface’s IP Address. Contact your ISP for details.
* Subnet Mask: Enter the IPoA service interface’s Subnet Mask. Contact your ISP for details.
3.3.3 Testing Your Setup
At this point, the SL6000/SL6300 should enable any computer on your LAN to use the SL6000/SL6300’s ADSL connection to access the Internet. To test the Internet connection, open your web browser, and type the URL of any external website (such as http://www.yahoo.com). You should be able to surf the Internet from now on. If the LEDs do not illuminate as expected or the web page does not display, see Appendix B for troubleshooting suggestions.
Chapter 4
4. Starting the Configuration Manager
The SL6000/SL6300 includes a pre-installed program called the Configuration Manager, which provides an interface to the software installed on the device. It enables you to configure the device settings to meet the needs of your network. You access it through your web browser from any PC connected to the SL6000/SL6300 via the LAN ports. This chapter describes the general guidelines for using the Configuration Manager.
4.
2. Enter your user name and password, and then click [OK]. The first time you log into the program, use these defaults:
Default User Name: admin
Default Password: admin
Note: You can change the password at any time (see section 12.2 User Account Management). Do so before the router is connected to the Internet: the factory default is the same on every unit, and the Configuration Manager answers on every LAN port (see section 9.6 Self Access Rules for restricting which hosts may reach it).
The Setup Wizard page displays each time you log into the program (shown in Figure 4.3).
4.2 Functional Layout
A typical Configuration Manager page consists of two separate frames. The left frame, as shown in Figure 4.
4.2.1 Setup Menu Navigation Tips
• To expand a group of related menus, click on the + sign next to the corresponding file folder icon.
• To contract a group of related menus, click on the - sign next to the “opened” file folder icon.
• To open a specific configuration page, click on the file icon next to the desired menu item.
4.2.2 Commonly Used Buttons and Icons
The following buttons or icons are used throughout the application.
4.3 The Home Page of Configuration Manager
The Setup Wizard page displays when you first access the Configuration Manager.
Chapter 5
5. System Information
This chapter describes the SL6000/SL6300 system information and configuration summary shown when you click “System Info” in the left column. You may get all information as shown in Figure 5.1.
Chapter 6 6. Configuring LAN Settings This chapter describes how to configure LAN properties for the LAN interface on the SL6000/SL6300 that communicates with your LAN computers. You’ll learn to configure IP address, DHCP and DNS server for your LAN in this chapter. 6.1 LAN IP Address If you are using the SL6000/SL6300 with multiple PCs on your LAN, you must connect the LAN via the Ethernet ports on the built-in Ethernet switch. You must assign a unique IP address to each device residing on your LAN.
6.1.1 LAN IP Configuration Parameters
Table 6.1 describes the configuration parameters available for LAN IP configuration.
Table 6.1 LAN IP Configuration Parameters
IP Address: The LAN IP address of the SL6000/SL6300. This IP is used by your computers to identify the SL6000/SL6300’s LAN port. Note that the public IP address assigned to you by your ISP is not your LAN IP address. The public IP address identifies the WAN port on the SL6000/SL6300 to the Internet.
2. Enter a LAN IP address and subnet mask for the SL6000/SL6300 in the space provided.
3. Click [Apply] to save the LAN IP address. If you were using an Ethernet connection for the current session and changed the IP address, the connection will be terminated.
4. Reconfigure your PCs, if necessary, so that their IP addresses place them in the same subnet as the new IP address of the LAN port. See the Quick Start Guide chapter, “Configuring Your Computers,” for instructions.
5.
6.2.2 Why use DHCP?
DHCP allows you to manage and distribute IP addresses throughout your network from the SL6000/SL6300. Without DHCP, you would have to configure each computer separately with an IP address and related information. DHCP is commonly used with large networks and those that are frequently expanded or otherwise updated.
6.2.3 Configuring DHCP Server
Note: By default, the SL6000/SL6300 is configured as a DHCP server on the LAN side, with a predefined IP address pool of 192.168.1.
2. To add an IP address pool, click [Add]. The DHCP Server Pool - Add page displays.
3. Enter the Start IP Address, End IP Address, Net Mask, and Default Gateway IP Address; these fields are required. The others, such as DNS Server IP Address and WINS Server IP Address, are optional. However, it is recommended that you enter a DNS server IP address in the space provided. You may enter the LAN IP (so that PCs use the router’s DNS relay, see section 6.3) or your ISP’s DNS IP in the DNS Server IP Address field.
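As an added example (not part of this manual or the router’s firmware), the following Python checks a pool’s Start IP, End IP, Net Mask and Default Gateway against the router’s LAN address before you click [Apply]. It assumes the manual’s default LAN address 192.168.1.1; the pool range and the statically configured host are constructed test data. It also catches one case the page only implies: a PC given a static address (section 3.2.7) must not sit inside the pool, or two machines can end up with the same address.

```python
"""Check a DHCP pool against the router's LAN settings before clicking [Apply].

Added example, not part of the ASUS manual or the router's firmware. It
models the pool fields the SL6000/SL6300 asks for (Start IP, End IP, Net
Mask, Default Gateway) and the manual's default LAN address 192.168.1.1.
Every pool and host address below is constructed test data.
"""
import ipaddress


def check_dhcp_pool(lan_ip, netmask, start, end, gateway, static_hosts=()):
    """Return a list of problems; an empty list means the pool is consistent.

    static_hosts are PCs configured "statically" (section 3.2.7); they must
    not also be handed out by the pool.
    """
    lan_if = ipaddress.ip_interface(f"{lan_ip}/{netmask}")
    net = lan_if.network
    start_ip, end_ip, gw = (ipaddress.ip_address(a) for a in (start, end, gateway))
    problems = []

    if start_ip > end_ip:
        problems.append(f"start {start_ip} is above end {end_ip}")
    for label, addr in (("start", start_ip), ("end", end_ip)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside the LAN subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if gw not in net:
        problems.append(f"gateway {gw} is outside the LAN subnet {net}")
    if start_ip <= lan_if.ip <= end_ip:
        problems.append(f"pool would hand out the router's own address {lan_if.ip}")
    for host in static_hosts:
        host_ip = ipaddress.ip_address(host)
        if start_ip <= host_ip <= end_ip:
            problems.append(f"statically configured host {host_ip} lies inside the pool")
    return problems


if __name__ == "__main__":
    # Default LAN address from the manual; the pool and static host are constructed.
    for problem in check_dhcp_pool("192.168.1.1", "255.255.255.0",
                                   "192.168.1.1", "192.168.1.254", "192.168.1.1",
                                   static_hosts=["192.168.1.100"]):
        print("problem:", problem)
```

A pool of 192.168.1.2 to 192.168.1.254 with the router at 192.168.1.1 passes cleanly; starting the pool at 192.168.1.1 is flagged because the router would lease its own address.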
6.2.4 Viewing Current DHCP Address Assignments
When the SL6000/SL6300 functions as a DHCP server for your LAN, it keeps a record of any addresses it has leased to your computers. To view a table of all current IP address assignments, go to the DHCP Server Configuration page. A page displays similar to that shown in Figure 6.2; the lower half of the same page shows the existing DHCP address assignments.
6.3.2 Assigning DNS Addresses
Multiple DNS addresses are useful to provide alternatives when one of the servers is down or is encountering heavy traffic. ISPs typically provide primary and secondary DNS addresses, and may provide additional addresses. Your LAN PCs learn these DNS addresses in one of the following ways:
Statically: If your ISP provides you with their DNS server addresses, you can assign them to each PC by modifying the PCs’ IP properties.
Note: DNS addresses that are assigned to LAN PCs prior to enabling DNS relay will remain in effect until the PC is rebooted. DNS relay will only take effect when a PC’s DNS address is the LAN IP address. Similarly, if after enabling DNS relay you specify a DNS address (other than the LAN IP address) in a DHCP pool or statically on a PC, then that address will be used instead of the DNS relay address.
6.4 Viewing LAN Statistics
You can view statistics of your LAN traffic on the SL6000/SL6300.
Chapter 7
7. Configuring WAN/ADSL Settings
This chapter describes how to configure WAN/ADSL settings for the WAN/ADSL interface on the SL6000/SL6300 that communicates with your ISP. You’ll learn how to configure ADSL, IP address, and connection mode for your WAN in this chapter.
7.1 ADSL Connection
There are several ADSL line configurations available on the SL6000 and SL6300, for Annex A and Annex B respectively. Figure 7.1 shows the available modes of the SL6000: Multi, G.DMT, G.Lite and ANSI.
7.2 WAN Configuration
For WAN port configuration, several different protocols are supported by the SL6000/SL6300 to match your ISP’s requirements, including MPoA Bridged, PPPoE Relay, MPoA Routed, IPoA Routed, PPPoA Routed and PPPoE Routed.
7.2.1 MPoA Bridged and PPPoE Relay
No further configuration parameters need to be specified for MPoA Bridged and PPPoE Relay services.
7.2.
7.2.4 PPPoA Routed and PPPoE Routed
* Username: The user name for setting up the PPPoA/PPPoE Service. Contact your ISP for the specific user name to be used.
* Password: The password for setting up the PPPoA/PPPoE Service. Contact your ISP for the specific password to be used for initial setup.
* DoD: Dial on Demand. The SL6000/SL6300 attempts to connect to your ISP when outgoing traffic is detected.
7.3 Viewing WAN/ADSL Statistics
You can view statistics of your WAN/ADSL traffic. You will not typically need to view this data, but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems. To view WAN/ADSL statistics, click Statistics on the WAN submenu. Figure 7.3 shows the WAN/ADSL Statistics page.
Figure 7.3 WAN Statistics Page
To see the statistics updated since you opened the page, simply click [Refresh].
Chapter 8
8. Configuring Routes
You can use Configuration Manager to define specific routes for your Internet and network data communication. This chapter describes basic routing concepts and provides instructions for creating routes. Note that most users do not need to define routes.
8.
8.2 DNS Relay Configuration
Enter your ISP’s Primary/Secondary DNS server addresses here if your PCs’ DNS server address points to the SL6000/SL6300, instead of the router obtaining the DNS server addresses automatically from the ISP. Click [Apply] after typing your ISP’s Primary/Secondary DNS server addresses.
Figure 8.1 DNS Relay Configuration Page
8.3 Static Routing
8.3.
Table 8.1 Static Route Configuration Parameters
Destination IP Address: Specifies the IP address of the destination computer or of an entire destination network. It can also be specified as all zeros to indicate that this route should be used for all destinations for which no other route is defined (this is the route that creates the default gateway). Note that the destination IP must be a network ID. The default route uses a destination IP of 0.0.0.0.
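The two notes in Table 8.1, that the destination must be a network ID and that the all-zeros destination becomes the default route, are illustrated by the following Python, added here as an example and not part of this manual or the router’s firmware. The routing table, the LAN-side next hops and the placeholder ISP gateway 10.0.0.1 are constructed.

```python
"""Static route table with longest-prefix lookup and a default route.

Added example, not part of the ASUS manual or the router's firmware. It
models the Static Route parameters of the SL6000/SL6300 (destination,
netmask, gateway) to show two things the manual states: the destination
must be a network ID, and the all-zeros entry acts as the default gateway.
Every route and host below is constructed.
"""
import ipaddress


def is_network_id(destination, netmask):
    """True if destination/netmask names a network, i.e. no host bits are set."""
    try:
        ipaddress.ip_network(f"{destination}/{netmask}", strict=True)
        return True
    except ValueError:
        return False


def make_route(destination, netmask, gateway):
    """Build a (network, gateway) entry; rejects a destination that is not a network ID."""
    net = ipaddress.ip_network(f"{destination}/{netmask}", strict=True)
    return net, ipaddress.ip_address(gateway)


def lookup(routes, destination):
    """Return the gateway of the most specific route covering destination, or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gateway in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else str(best[1])


# Constructed table: a branch network reachable through a second router on the
# LAN, a more specific subnet through a third, and the all-zeros default route
# pointing at the ISP side (10.0.0.1 is a placeholder, not a real ISP address).
ROUTES = [
    make_route("172.16.0.0", "255.255.0.0", "192.168.1.254"),
    make_route("172.16.5.0", "255.255.255.0", "192.168.1.253"),
    make_route("0.0.0.0", "0.0.0.0", "10.0.0.1"),
]

# The same table with the default route deleted (the case the WARNING in 8.3.4 is about).
ROUTES_NO_DEFAULT = [route for route in ROUTES if route[0].prefixlen != 0]


if __name__ == "__main__":
    print("172.16.5.1/255.255.255.0 is a network ID:", is_network_id("172.16.5.1", "255.255.255.0"))
    for host in ("172.16.5.9", "172.16.9.1", "198.51.100.7"):
        print(host, "->", lookup(ROUTES, host),
              "| without default route:", lookup(ROUTES_NO_DEFAULT, host))
```

With the default route removed, the Internet host falls through every entry and `lookup` returns None, which is exactly what the WARNING in 8.3.4 is about.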
8.3.4 Deleting Static Routes
Follow these instructions to delete a static route from the routing table.
3. In the Static Routes Configuration page (as shown in Figure 8.2), select the route from the drop-down list or click on the icon of the route to be deleted in the Static Routing Table.
4. Click [Delete] to delete the selected route.
WARNING: Do not remove the default gateway route unless you know what you are doing; without it, any destination not covered by another route becomes unreachable.
Chapter 9 9. Configuring Firewall/NAT Settings SL6000/SL6300 provides built-in firewall/NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and who should be automatically notified.
9.2 Default ACL Rules
The SL6000/SL6300 supports four types of default access rules:
• Inbound Access Rules: for controlling incoming access to computers on your LAN.
• Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.
• Group Access Rules: for controlling users and user group information on your LAN.
• Self Access Rules: for controlling access privileges to the SL6000/SL6300 itself.
9.3.1 Options in Inbound ACL Configuration Page
Table 9.1 describes the options available for an inbound ACL rule.
Table 9.1 Options in the Firewall Inbound ACL Configuration Page
ID
Add New: Click on this option to add a new ‘basic’ Firewall rule.
Rule Number: Select a rule from the drop-down list to modify its attributes.
Action
Allow: Select this button to configure the rule as an allow rule. This rule, when bound to the Firewall, will allow matching packets to pass through.
Source IP
This section allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following:
WAN: This option applies the rule to all computers in the external network.
IP Address: This option allows you to specify an IP address to which this rule will be applied. IP Address: Specify the appropriate network address in the blank field.
Destination IP
This section allows you to set the destination network to which this rule should apply. Use the drop-down list to select one of the following:
LAN: This option applies the rule to all computers in the local network.
IP Address: This option allows you to specify an IP address to which this rule will be applied. IP Address: Specify the appropriate network address in the blank field.
Source Port
Any: Select this option if you want this rule to apply to all applications with an arbitrary source port number.
Single: This option allows you to apply this rule to an application with a specific source port number. Port: Enter the source port number.
Range: Select this option if you want this rule to apply to applications within this port range. The following fields become available for entry when this option is selected.
Protocol
You may select the proper protocol here, including “All”, “TCP”, “UDP”, “ICMP”, “AH” and “ESP”.
Port Mapping
None: Select this to not use Port Mapping.
NAT Pool: Select this to use the IP addresses in the NAT Pool (see section 9.9.2).
IP Address: Select this option to specify the IP address of the computer to which you want the incoming traffic directed.
Time Range
Only “Always” is available for the time being.
Application Filters
FTP: Only “None” is available for the time being.
9.3.2 Add Inbound ACL Rules
To add an inbound ACL rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the Firewall menu, and then click the Inbound ACL submenu. The Firewall Inbound ACL Configuration page displays, as shown in Figure 9.1. Note that when you open the Inbound ACL Configuration page, a list of existing ACL rules is also displayed in the lower half of the configuration page, such as those shown in Figure 9.2.
9.3.3 Modify Inbound ACL Rules
To modify an inbound ACL rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the Firewall menu, and then click the Inbound ACL submenu.
2. Select the rule number from the “ID” drop-down list or click on the icon of the rule to be modified in the inbound ACL table.
3. Make desired changes to any or all of the following fields: action, source/destination IP, source/destination port, protocol, port mapping, log, and VPN.
9.4 Configuring Outbound ACL Rules
By creating ACL rules in the outbound ACL configuration page as shown in Figure 9.3, you can control (allow or deny) Internet or external network access for computers on your LAN. Options in this configuration page allow you to:
• Add a rule, and set parameters for it
• Modify an existing rule
• Delete an existing rule
• View configured ACL rules
9.4.1 Options in Outbound ACL Configuration Page
Table 9.2 describes the options available for an outbound ACL rule.
Table 9.2 Options in the Firewall Outbound ACL Configuration Page
ID
Add New: Click on this option to add a new ‘basic’ Firewall rule.
Rule Number: Select a rule from the drop-down list to modify its attributes.
Action
Allow: Select this button to configure the rule as an allow rule. This rule, when bound to the Firewall, will allow matching packets to pass through.
Source IP
This section allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following:
LAN: This option applies the rule to all computers in your local network.
IP Address: This option allows you to specify an IP address to which this rule will be applied. IP Address: Specify the appropriate network address in the blank field.
Destination IP
This section allows you to set the destination network to which this rule should apply. Use the drop-down list to select one of the following:
WAN: This option applies the rule to all computers in the external network.
IP Address: This option allows you to specify an IP address to which this rule will be applied. IP Address: Specify the appropriate network address in the blank field.
Source Port
Any: Select this option if you want this rule to apply to all applications with an arbitrary source port number.
Single: This option allows you to apply this rule to an application with a specific source port number. Port: Enter the source port number.
Destination Port
Any: Select this option if you want this rule to apply to all applications with an arbitrary destination port number.
Protocol
You may select the proper protocol here, including “All”, “TCP”, “UDP”, “ICMP”, “AH” and “ESP”.
NAT Type
None: Select this to not use NAT.
NAT Pool: Select this to use the associated IP addresses in the NAT Pool (see section 9.9.2).
IP Address: Select this option to specify the IP address to which matching outbound traffic will be translated.
Interface: Select the external interface address as the NAT IP address.
Time Range
Only “Always” is available for the time being.
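To make the rule semantics of Tables 9.1 and 9.2 concrete, here is an added Python example (not part of this manual or the router’s firmware) that evaluates constructed packets against an inbound and an outbound rule list. It assumes first-match ordering, that “LAN” means the manual’s default 192.168.1.0/24 and “WAN” any other address, and it leaves the no-match default as a parameter because the page does not state the router’s built-in default; all addresses and rules are constructed. The inbound list shows why rule order matters: a deny for one external range placed after the allow that publishes a web server would never be reached.

```python
"""First-match evaluation of inbound and outbound ACL rules.

Added example, not part of the ASUS manual or the router's firmware. It
models the rule fields of Tables 9.1 and 9.2 (action, source/destination
"LAN"/"WAN"/address, source/destination port as Any, Single or Range, and
protocol). Assumptions: rules are tried top to bottom and the first match
decides; "LAN" is the manual's default 192.168.1.0/24 and "WAN" any other
address; the no-match outcome is passed in as `default` because the manual
does not state the router's built-in default.
"""
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # manual's default LAN (assumed /24)


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # "LAN", "WAN", or an address / prefix such as "203.0.113.0/24"
    dst: str
    protocol: str = "All"      # All, TCP, UDP, ICMP, AH, ESP
    src_port: object = None    # None = Any, int = Single, (low, high) = Range
    dst_port: object = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int = 0          # 0 for protocols without ports (ICMP, AH, ESP)
    dst_port: int = 0


def _address_match(selector, address):
    ip = ipaddress.ip_address(address)
    if selector == "LAN":
        return ip in LAN_NET
    if selector == "WAN":
        return ip not in LAN_NET
    return ip in ipaddress.ip_network(selector, strict=False)


def _port_match(selector, port):
    if selector is None:                      # Any
        return True
    if isinstance(selector, tuple):           # Range
        low, high = selector
        return low <= port <= high
    return port == selector                   # Single


def matches(rule, packet):
    """True if every field of the rule covers the packet."""
    return (_address_match(rule.src, packet.src)
            and _address_match(rule.dst, packet.dst)
            and rule.protocol in ("All", packet.protocol)
            and _port_match(rule.src_port, packet.src_port)
            and _port_match(rule.dst_port, packet.dst_port))


def evaluate(rules, packet, default):
    """Return the action of the first matching rule, or `default` if none matches."""
    for rule in rules:
        if matches(rule, packet):
            return rule.action
    return default


# Constructed inbound list: the blocked external range comes first so that it
# is not undone by the later allow rule publishing a LAN web server on port 80.
INBOUND = [
    Rule("deny", "203.0.113.0/24", "LAN"),
    Rule("allow", "WAN", "192.168.1.10", "TCP", dst_port=80),
]

# Constructed outbound list: LAN hosts may not talk SMTP directly; everything else passes.
OUTBOUND = [
    Rule("deny", "LAN", "WAN", "TCP", dst_port=25),
    Rule("allow", "LAN", "WAN"),
]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.168.1.10", "TCP", 40000, 80),
                Packet("198.51.100.7", "192.168.1.10", "TCP", 40000, 80),
                Packet("198.51.100.7", "192.168.1.10", "TCP", 40000, 22)):
        print("inbound ", pkt, "->", evaluate(INBOUND, pkt, default="deny"))
    for pkt in (Packet("192.168.1.20", "198.51.100.7", "TCP", 50000, 25),
                Packet("192.168.1.20", "198.51.100.7", "TCP", 50000, 443)):
        print("outbound", pkt, "->", evaluate(OUTBOUND, pkt, default="allow"))
```

Port 22 to the published web server is not covered by any inbound rule and therefore gets whatever `default` you pass; in the router, make sure the default you rely on is the one the firewall actually applies.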
9.4.2 Add an Outbound ACL Rule
To add an outbound ACL rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the Firewall menu, and then click the Outbound ACL submenu. The Firewall Outbound ACL Configuration page displays, as shown in Figure 9.3. Note that when you open the Outbound ACL Configuration page, a list of existing ACL rules is also displayed in the lower half of the configuration page, as shown in Figure 9.3.
2.
9.4.3 Modify Outbound ACL Rules
To modify an outbound ACL rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the Firewall menu, and then click the Outbound ACL submenu.
2. Select the rule number from the “ID” drop-down list or click on the icon of the rule to be modified in the outbound ACL table.
3. Make desired changes to any or all of the following fields: action, source/destination IP, source/destination port, protocol, NAT type, log, and VPN.
9.5 Configuring Group ACL Rules
With this option, you can allow users belonging to different groups to access different services during any desired time frame. For instance, you can configure user1 belonging to group1 to have access to services like NetMeeting during the morning, and configure user2 of group2 to be denied access to ICQ chat during office hours. This user login is quite different from the administrator’s login to the SL6000/SL6300.
13. Finally, click on the [Add] button. To view the existing or configured rules, choose the rule ID from the drop-down list. To delete an existing rule, choose the rule ID in the drop-down list and click on the [Delete] button.
The detailed inbound/outbound ACL rule configurations are also described in 9.3 Configuring Inbound ACL Rules and 9.4 Configuring Outbound ACL Rules.
9.6 Configuring Self Access Rules
With this option, you can configure the rules for controlling packets addressed to the SL6000/SL6300 itself, which includes access to the Configuration Manager. Allow such access from the WAN direction only if you genuinely need it; management from the LAN side is the safe default.
9.6.1 Add a Self Access Rule
1. To add a new self access rule, choose the Add New option in the drop-down list.
2. Select the protocol from the drop-down list and enter the port number that you want to configure.
3. Choose the direction (from LAN/WAN) that you want to add.
4. Finally, click on the [Add] button (Figure 9.6).
9.7 Configuring Service List
A service is a combination of protocol and port number. Services are used in inbound and outbound ACL rule configuration. You may use the Service Configuration page to:
• Add a service, and set parameters for it
• Modify an existing service
• Delete an existing service
• View configured services
Figure 9.7 shows the Firewall Service Configuration page. The configured services are listed at the lower half of the same page.
9.7.1 Options in Service Configuration Page
Table 9.3 describes the available configuration parameters for the firewall service list.
Table 9.3 Service List configuration parameters
Service Name: Enter the name of the Service to be added. Note that only alphanumeric characters are allowed in a name.
Protocol: Enter the type of protocol the service uses.
Port: Enter the port number that is set for this service.
9.7.2 Add a Service
To add a service, follow the instructions below:
1.
2. Select the service from the service drop-down list or click on the icon of the service to be modified in the service list table.
3. Make desired changes to any or all of the following fields: service name, public port and protocol. Please see Table 9.3 for an explanation of these fields.
4. Click on the [Modify] button to modify this service. The new settings for this service will then be displayed in the service list table at the lower half of the Service Configuration page. 9.7.
9.8 DoS (Denial of Service)
SL6000/SL6300 is able to protect your network against the following attacks by proper configuration in this page (Figure 9.8).
9.8.1 SYN Flooding Attack Check
This attack involves sending connection requests to a server, but never fully completing the connections. This will cause some computers to get into a “stuck state” where they cannot accept connections from legitimate users.
9.8.4 Maximum IP Fragment Count
This value is used during transmission or reception of IP fragments. When large packets are sent via SL6000/SL6300, SL6000/SL6300 fragments them (depending on the Maximum Transmission Unit). By default, it is set to 45. If the Maximum Transmission Unit (MTU) of the interface is 1500 (default for Ethernet) then there can be a maximum of 45 fragments per IP packet.
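As an added example (not part of the manual and not the router's own code), the Python model below derives the 45-fragment figure from the 1500-byte MTU and then enforces such a limit, together with the 64 KiB offset bound, on a constructed stream of fragments; the Fragment fields and the FragmentGuard class are assumptions made for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

IP_HEADER_LEN = 20          # minimum IPv4 header, no options
MAX_IP_DATAGRAM = 65535     # largest IPv4 total length
DEFAULT_MAX_FRAGMENTS = 45  # SL6000/SL6300 default Maximum IP Fragment Count


def fragment_payload_size(mtu: int) -> int:
    """Largest payload one fragment can carry for a given MTU.

    The fragment offset field counts 8-byte units, so every fragment
    except the last must carry a multiple of 8 bytes of payload.
    """
    return (mtu - IP_HEADER_LEN) // 8 * 8


def max_fragments(mtu: int, total_len: int = MAX_IP_DATAGRAM) -> int:
    """How many fragments a datagram of total_len bytes needs at this MTU."""
    return math.ceil((total_len - IP_HEADER_LEN) / fragment_payload_size(mtu))


@dataclass(frozen=True)
class Fragment:
    """Constructed stand-in for the IPv4 fields that identify a fragment."""
    src: str
    dst: str
    ident: int          # IP identification field shared by all fragments
    offset_units: int   # fragment offset, in 8-byte units
    more: bool          # MF (more fragments) flag
    payload_len: int


class FragmentGuard:
    """Rejects any datagram whose fragment count exceeds the configured maximum
    or whose offset + length runs past the 64 KiB IPv4 limit. A real
    implementation would also expire pending state after a timeout."""

    def __init__(self, max_count: int = DEFAULT_MAX_FRAGMENTS):
        self.max_count = max_count
        self.pending = defaultdict(list)   # (src, dst, id) -> fragments seen so far
        self.dropped = set()               # datagrams already rejected

    def accept(self, frag: Fragment) -> bool:
        key = (frag.src, frag.dst, frag.ident)
        if key in self.dropped:
            return False
        end = frag.offset_units * 8 + frag.payload_len
        if end > MAX_IP_DATAGRAM - IP_HEADER_LEN:
            return self._reject(key)       # reassembled size would be overlength
        self.pending[key].append(frag)
        if len(self.pending[key]) > self.max_count:
            return self._reject(key)       # too many pieces for one datagram
        return True

    def _reject(self, key) -> bool:
        self.dropped.add(key)
        self.pending.pop(key, None)
        return False


def make_fragments(count: int, payload_len: int = 8, ident: int = 0x1234):
    """Constructed sample: 'count' tiny consecutive fragments of one datagram."""
    return [Fragment("203.0.113.5", "192.168.1.1", ident, i * (payload_len // 8),
                     i < count - 1, payload_len) for i in range(count)]
```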
9.9 Policy List
9.9.1 Application Filter
With this option, you can define filters that can be associated with access rules for filtering commands of SMTP, FTP and RPC services and HTTP file extensions.
* For FTP, SMTP and RPC service filters: If an application filter is configured to allow certain commands, SL6000/SL6300 will allow ONLY those commands. If an application filter is configured to deny certain commands, SL6000/SL6300 will deny ONLY those commands.
Table 9.4 Application Filter configuration parameters
Filter Type: You can select the Filter Type from the drop down list.
Filter Name: Type the Filter name that you would like to add.
Protocol: You can select the protocol from the drop down list.
Port: Type the port number. For example, if you’re adding an HTTP filter the port would be 80.
Log: You can enable or disable logging of messages whenever Broadband Gateway denies or allows a packet based on the filter that you’ve set.
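Added example (not code from the manual or from ASUS): a small Python evaluator for the allow-ONLY / deny-ONLY semantics described above for FTP, SMTP and RPC command filters, extended to the HTTP file-extension case, with the Log option of Table 9.4 producing a message. The ApplicationFilter class and the sample commands are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class ApplicationFilter:
    """One application filter as in Table 9.4 (constructed model, not the
    router's own implementation)."""
    name: str
    filter_type: str       # "FTP", "SMTP", "RPC" (command filters) or "HTTP" (extensions)
    mode: str              # "allow": pass ONLY listed items; "deny": block ONLY listed items
    items: FrozenSet[str]  # normalised commands (upper case) or extensions (".ext", lower case)
    log: bool = False      # the Log option of Table 9.4

    def match_key(self, request: str) -> str:
        """The part of a request the filter compares against its item list."""
        if self.filter_type == "HTTP":
            path = request.split("?", 1)[0]       # ignore any query string
            dot, slash = path.rfind("."), path.rfind("/")
            return path[dot:].lower() if dot > slash else ""   # "" = no extension
        return request.strip().split(" ", 1)[0].upper()         # command verb

    def evaluate(self, request: str) -> Tuple[str, str]:
        """Return (verdict, log line); the log line is empty when logging is off."""
        key = self.match_key(request)
        listed = key in self.items
        if self.mode == "allow":
            verdict = "allow" if listed else "deny"   # allow ONLY the listed items
        else:
            verdict = "deny" if listed else "allow"   # deny ONLY the listed items
        line = ""
        if self.log:
            line = f"filter={self.name} type={self.filter_type} {verdict} {key or '<none>'}"
        return verdict, line


def make_filter(name: str, filter_type: str, mode: str,
                items: Iterable[str], log: bool = False) -> ApplicationFilter:
    """Build a filter, normalising the item list the same way match_key does."""
    if mode not in ("allow", "deny"):
        raise ValueError(f"mode must be allow or deny, got {mode!r}")
    if filter_type == "HTTP":
        norm = {(i if i.startswith(".") else "." + i).lower() for i in items}
    else:
        norm = {i.upper() for i in items}
    return ApplicationFilter(name, filter_type, mode, frozenset(norm), log)
```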
9.9.2 NAT Pool
With this option you can configure NAT Pools and NAT IP Addresses, and eventually you can associate NAT pools with policies. The NAT database and the access rule database (or the Rule database) are closely associated. Interpretation of NAT database records is based on the usage of the records in the access rule database. A general idea about the access rule database is useful for understanding the NAT database.
1.
* Start IP: Specify the starting IP address in LAN and WAN (Internet)
* End IP: Specify the ending IP address in LAN and WAN (Internet)
* Overload: This is also referred to as NAPT. This type of NAT record allows you to use a single Internet IP address to connect multiple LAN machines to the Internet. When this NAT record is associated with a policy, matching packets will be subject to NAT using this Internet IP address. It also manages port translation.
9.9.3 IP Pool
With this option, you can configure IP addresses and eventually you can associate IP pools with access rules. Each IP pool contains:
* The name of the IP pool
* The type of the IP address: single IP address, range of IP addresses or a subnet address.
1. To add a new IP Pool name, choose the Add New option in the drop down list.
2. Enter the IP pool name in the text box and choose the IP pool type from the drop down list.
3.
Table 9.6 IP Pool configuration parameters
IP Pool Name: Type the IP pool name that you would like to add.
IP Pool Type: You can select the IP Pool Type from the drop down list.
9.9.4 Firewall User
With this option, you can add user groups and set users for each group. These user groups and users will be used to create rules that permit remote users to access their LANs without compromising on security.
Table 9.7 Firewall User configuration parameters
User Group Name: Type the User group name that you would like to add.
User Name: Type the User name that you would like to add.
Confirm Password: Type the User’s password again to confirm.
Inactivity Timeout: Type the timeout period, which is used to delete the User related associations whenever there is no traffic across this connection. Figure 9.
9.9.5 Time Range
With this option, you can configure access time range records for eventual association with access rules. Access rules associated with a time range record will be active only during the scheduled period of time. If the access rule denies HTTP access during 10:00 hrs to 18:00 hrs, then before 10:00 hrs and after 18:00 hrs the HTTP traffic will be permitted to pass through. When you configure Time Range records they are saved in the Time Range (or schedules) database.
Table 9.8 Time Range configuration parameters
Time Range Name: Enter the name of the Time range Record.
Days of week: You can set the days-range for the new schedule:
* In the left-side list - You can select the starting day of the range
* In the right-side list - You can select the ending day of the range
Time: Type the time during which you’d like to allow the traffic in hh:mm format. Figure 9.
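Added example (not the router's own code): a Python model of a Time Range record built from the day-of-week range and hh:mm window of Table 9.8, applied to a deny-HTTP access rule so that the 10:00 to 18:00 behaviour described in 9.9.5 can be checked for any timestamp. TimeRange and AccessRule are assumed names; as an extension beyond the text, the schedule also wraps past Sunday or past midnight when the end comes before the start.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday() order


def parse_hhmm(text: str) -> time:
    """Parse the hh:mm format used by the Time field; rejects e.g. '18hrs'."""
    hours, minutes = text.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time {text!r}")
    return time(h, m)


@dataclass(frozen=True)
class TimeRange:
    """One Time Range record: a day-of-week range and a daily time window."""
    name: str
    start_day: str   # left-side list in Table 9.8
    end_day: str     # right-side list in Table 9.8
    start: time
    end: time        # exclusive: 18:00 itself is already outside 10:00-18:00

    @classmethod
    def create(cls, name, start_day, end_day, start_hhmm, end_hhmm):
        for d in (start_day, end_day):
            if d not in DAYS:
                raise ValueError(f"bad day {d!r}")
        return cls(name, start_day, end_day, parse_hhmm(start_hhmm), parse_hhmm(end_hhmm))

    def day_active(self, weekday: int) -> bool:
        s, e = DAYS.index(self.start_day), DAYS.index(self.end_day)
        if s <= e:
            return s <= weekday <= e
        return weekday >= s or weekday <= e    # e.g. Fri..Mon wraps past Sunday

    def time_active(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # e.g. 22:00..06:00 wraps past midnight

    def active_at(self, when: datetime) -> bool:
        # the day test uses the calendar day of the instant being checked
        return self.day_active(when.weekday()) and self.time_active(when.time())


@dataclass(frozen=True)
class AccessRule:
    action: str                    # "allow" or "deny"
    service: str                   # service name from the service list, e.g. "HTTP"
    schedule: Optional[TimeRange]  # None means the rule is always active


def evaluate(rules: List[AccessRule], service: str, when: datetime) -> str:
    """First rule for the service whose schedule is active decides; otherwise allow."""
    for rule in rules:
        if rule.service == service and (rule.schedule is None or rule.schedule.active_at(when)):
            return rule.action
    return "allow"


# Constructed sample: deny HTTP Mon-Fri between 10:00 and 18:00, as in the text above.
OFFICE_HOURS = TimeRange.create("office", "Mon", "Fri", "10:00", "18:00")
RULES = [AccessRule("deny", "HTTP", OFFICE_HOURS)]
```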
9.10 Firewall Statistics
The Firewall Statistics page displays details regarding the active connections. Figure 9.14 shows sample firewall statistics for active connections. To see updated statistics, click on the [Refresh] button. Figure 9.
Chapter 10 10. Configuring VPN
This chapter contains instructions for configuring VPN connections using automatic keying and manual keys.
10.1 Default Parameters
The SL6000/SL6300 is pre-configured with a default set of proposals/connections. They cover the most commonly used sets of parameters required for typical deployment scenarios. It is recommended that you use these preconfigured proposals/connections to simplify VPN connection setup.
Pre-configured IPSec proposals
IPSec proposals decide the type of encryption and authentication of the traffic that flows between the endpoints of the tunnel.
Default lifetime
The default lifetime for the pre-configured IKE proposals and IPSec proposals is 3600 seconds (one hour). It is recommended to set a lifetime value greater than 600 seconds for a new IKE proposal or IPSec proposal. This will reduce quick re-keying, which would unnecessarily burden the system.
10.2 Establish VPN Connection Using Automatic Keying
This section describes the steps to establish the VPN tunnel using the Configuration Manager. Internet Key Exchange (IKE) is the automatic keying protocol used to exchange the key that is used to encrypt/authenticate the data packets according to the user-configured rule. The parameters that should be configured are:
• the network addresses of internal and remote networks.
• the remote gateway address and the local gateway address.
VPN Connection Settings
ID: Add New: Click on this option to add a new VPN rule. Rule number: Select a rule from the drop-down list to modify its attributes.
Name: Enter a unique name, preferably a meaningful name that signifies the tunnel connection. Note that only alphanumeric characters are allowed in this field.
Enable: Select this radio button to enable this rule (default).
Disable: Select this radio button to disable this rule.
Move to: This option allows you to set a priority for this rule.
IP Range: This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected:
Start IP: Enter the starting IP address of the range.
End IP: Enter the ending IP address of the range.
Remote Secure Group: This option allows you to set the remote (destination) secure network to which this rule should apply. This option allows you to apply this rule inclusively on all computers in the external network.
Life Time: Enter the IKE security association life time in seconds, minutes, hours or days.
IPSec Proposal Settings
Encryption / Authentication: Select one of the following pre-configured IKE proposals from the drop-down list. If “All” is selected, all the pre-configured proposals will be associated with the existing tunnel and one (among the set of IPSec proposals) will be selected automatically and used by IPSec to communicate with its peer.
10.2.2 Add a Rule for VPN Connection Using Preshared Key
The VPN Tunnel Configuration Page, as illustrated in Figure 10.1, is used to configure a rule for a VPN connection using a preshared key. Figure 10.
To add a rule for a VPN connection, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu, and then click the Tunnel submenu. The VPN Tunnel Configuration page displays, as shown in Figure 10.1. Note that when you open the VPN Tunnel Configuration page, a list of existing rules for VPN connections is also displayed in the lower half of the configuration page, such as those shown in Figure 10.1.
2.
4. Click on the “Enable” or “Disable” radio button to enable or disable this rule.
5. Make changes to any or all of the following fields: local/remote secure group, remote gateway, key management type (select Preshared Key), preshared key for IKE, encryption/authentication algorithm for IKE, lifetime for IKE, encryption/authentication algorithm for IPSec, operation mode for IPSec, PFS group for IPSec and lifetime for IPSec. Please see Table 10.4 for an explanation of these fields.
6.
10.3.1 VPN Tunnel Configuration Parameters - Manual Key
Table 10.5 describes the VPN tunnel configuration parameters using manual key.
Table 10.5 VPN tunnel configuration parameters using manual key for key management
VPN Connection Settings
ID: Add New: Click on this option to add a new VPN rule. Rule number: Select a rule from the drop-down list to modify its attributes.
Name: Enter a unique name, preferably a meaningful name that signifies the tunnel connection.
Subnet: This option allows you to include all the computers that are connected in an IP subnet. The following fields become available for entry when this option is selected:
Subnet Address: Specify the appropriate network address.
Subnet Mask: Enter the subnet mask.
IP Range: This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected:
Start IP: Enter the starting IP address of the range.
IPSec Proposal Settings
Encryption / Authentication: Select one of the following pre-configured IKE proposals from the drop-down list. If “All” is selected, all the pre-configured proposals will be associated with the existing tunnel and one will be selected automatically and used by IPSec to communicate with its peer.
10.3.2 Add a Rule for VPN Connection Using Manual Key
The VPN Tunnel Configuration Page, as illustrated in Figure 10.2, is used to configure a rule for a VPN connection using a manual key.
Figure 10.2 VPN Tunnel Configuration Page - Manual Key Mode
To add a rule for a VPN connection, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu, and then click the Tunnel submenu. The VPN Tunnel Configuration page displays, as shown in Figure 10.2.
4. Enter a desired name, preferably a meaningful name that signifies the nature of the VPN connection, in the “Name” field. Note that only alphanumeric characters are allowed in a name.
5. Click on the “Enable” or “Disable” radio button to enable or disable this rule.
6.
10.3.4 Delete VPN Rules
To delete a VPN rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu, and then click the Tunnel submenu.
2. Prior to deleting a VPN rule, make sure that the VPN service is enabled in the System Service Configuration page.
3. Select the rule number from the “ID” drop-down list or click on the icon of the rule to be deleted in the VPN Connection Status table.
4. Click on the [Delete] button to delete this VPN rule.
Packets Dropped: Number of packets dropped
Packets Passed: Total number of packets passed by VPN
Partial Packets: Total count of partial packets
Packets Currently Reassembled: Number of partial packets currently being reassembled
Non-First Fragments Currently in the Engine: Number of non-first fragments currently in the engine
IKE Statistics: IKE negotiation statistics
IKE Phase1 Negotiation Done: Number of IKE phase-1 negotiations performed
Failed IKE Negotiations Done: Number of failed IKE phase-1 nego
Total Outbound ESP SAs: Number of active outbound ESP SAs since the system has started
AH Statistics: SA statistics for all AH SAs
Active Inbound AH SAs: Number of active inbound AH SAs
Active Outbound AH SAs: Number of active outbound AH SAs
Total Inbound AH SAs: Number of inbound AH SAs since the system has started
Total Outbound AH SAs: Number of outbound AH SAs since the system has started
Figure 10.3 shows all the parameters available for VPN connections.
Chapter 11 11. System Log
This chapter shows the System Log Configuration page, on which you can enable or disable the log files for Access, System, Firewall and VPN. You can also enable the log file backup via Email function here (Figure 11.1). Figure 11.
Chapter 12 12. System Management
This chapter describes the following administrative tasks that you can perform using Configuration Manager:
• Global Setting Configuration
• User Account Management
• Modify System Information
• System Time Setting
• Reset, backup and restore system configuration
• Update system firmware
You can access these tasks from the System Management menu.
12.1 Global Setting Configuration
As shown in Figure 12.
12.2 User Account Management
The first time you log into the Configuration Manager, you use the default username and password (admin and admin). The system allows two types of accounts: “Supervisor” (username/password: admin/admin) and “User” (username/password: guest/guest). “Supervisor” has the privilege to modify the system settings while “User” can only view the system settings. Passwords of both the “Supervisor” and “User” accounts can only be changed by the “Supervisor”.
12.3 Modify System Information
As illustrated in Figure 12.3, you can use the System Identity page to enter system specific information such as system name (unique name for this device), system location (where this device is located), and contact person information for this device. Note that all fields allow only alphanumeric characters. When you are done entering system specific information, click on the [Apply] button to save the changes.
Figure 12.3 System Identity Page
12.
12.4.1 Change/View the System Time Zone
1. Log into Configuration Manager as admin, click the System Management menu, and then click the Time Zone submenu. Since there is no real time clock inside SL6000/SL6300, the system date and time are maintained by an external network time server.
Time Zone configuration parameters:
Date: Current Date
Time: Current Time
Location Time: Time Zone
SNTP Server: Maximum of 5 servers can be configured
Update Interval: SNTP update time interval.
2.
12.5 System Configuration Management
12.5.1 Reset System Configuration to Default
At times, you may want to revert to factory default settings to eliminate problems resulting from incorrect system configuration. Follow the steps below to reset the system configuration:
1. Log into Configuration Manager as admin, click the System Management menu, click the Configuration submenu and then click the Default Setting submenu. The Default Setting Configuration page displays, as shown in Figure 12.5.
2.
Figure 12.6 Backup System Configuration Page
12.5.3 Restore System Configuration
Follow the steps below to restore the system configuration:
Figure 12.7 Restore System Configuration Page
1. Log into Configuration Manager as admin, click the System Management menu, click the Configuration submenu and then click the Restore submenu. The Restore Configuration page displays, as shown in Figure 12.7.
2.
12.6 Upgrade Firmware
ASUS may from time to time provide you with an update to the firmware running on the SL6000/SL6300. All system software is contained in a single file, called an image. Configuration Manager provides an easy way to upgrade to a new firmware image. To upgrade the image, follow this procedure:
Figure 12.8 Firmware Upgrade Page
1. Log into Configuration Manager, click the System Management menu and then click the Firmware Upgrade submenu.
Chapter 13 13. System Reset
To reset your SL6000/SL6300, log into Configuration Manager, click the System Management menu and then click the Reset submenu. Click on the [Apply] button to reset the modem/router. Figure 13.
Chapter 14 14. Logout Configuration Manager
To log out of Configuration Manager, click Logout and then click on the [Apply] button in the Configuration Manager Logout page. Figure 14.
Appendix A. IP Addresses, Network Masks, & Subnets A.1 IP Addresses Note: This section pertains only to IP addresses for IPv4 (version 4 of the Internet Protocol). IPv6 addresses are not covered. This section assumes basic knowledge of binary numbers, bits, and bytes. For details on this subject, see Appendix A. IP addresses, the Internet’s version of telephone numbers, are used to identify individual nodes (computers or devices) on the Internet.
Table A.1. IP Address structure
Class A: Field1 = Network ID; Field2, Field3, Field4 = Host ID
Class B: Field1, Field2 = Network ID; Field3, Field4 = Host ID
Class C: Field1, Field2, Field3 = Network ID; Field4 = Host ID
Here are some examples of valid IP addresses:
Class A: 10.30.6.125 (network = 10, host = 30.6.125)
Class B: 129.88.16.49 (network = 129.88, host = 16.49)
Class C: 192.60.201.11 (network = 192.60.201, host = 11)
A.1.2 Network classes
The three commonly used network classes are A, B, and C.
A.2 Subnet masks
Mask: A mask looks like a regular IP address, but contains a pattern of bits that tells what parts of an IP address are the network ID and what parts are the host ID: bits set to 1 mean “this bit is part of the network ID” and bits set to 0 mean “this bit is part of the host ID.” Subnet masks are used to define subnets (what you get after dividing a network into smaller pieces).
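Added example (not from the manual): Python helpers that split an address into network and host IDs both classfully, as in Table A.1, and under an explicit mask as described in A.2, including a check that the mask is a contiguous run of 1 bits; the function names are assumptions, and the router's default LAN address 192.168.1.1 serves as sample input.

```python
import ipaddress
from typing import Tuple

# First-octet ranges of the three commonly used classes and how many of the
# four dotted fields form the network ID (Table A.1).
CLASSES = (("A", 0, 127, 1), ("B", 128, 191, 2), ("C", 192, 223, 3))


def ip_class(ip: str) -> str:
    """Class letter of an IPv4 address, decided by its first field."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    for name, low, high, _ in CLASSES:
        if low <= first <= high:
            return name
    raise ValueError(f"{ip} is not a class A, B or C address")


def split_classful(ip: str) -> Tuple[str, str]:
    """Network and host parts as dotted fields, matching the examples in A.1."""
    fields = ip.split(".")
    count = next(n for name, _, _, n in CLASSES if name == ip_class(ip))
    return ".".join(fields[:count]), ".".join(fields[count:])


def is_valid_mask(mask: str) -> bool:
    """A mask must be a run of 1 bits followed only by 0 bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0   # the inverted mask must be 2^k - 1


def network_and_host(ip: str, mask: str) -> Tuple[str, str]:
    """Apply a (sub)net mask: 1 bits select the network ID, 0 bits the host ID."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    addr = int(ipaddress.IPv4Address(ip))
    bits = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(addr & bits)
    host = ipaddress.IPv4Address(addr & ~bits & 0xFFFFFFFF)
    return str(network), str(host)


def usable_hosts(mask: str) -> int:
    """Host addresses per subnet, excluding the all-0 (network) and all-1 (broadcast)."""
    host_bits = 32 - bin(int(ipaddress.IPv4Address(mask))).count("1")
    return max(2 ** host_bits - 2, 0)


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts share a network ID under the mask, i.e. can talk directly."""
    return network_and_host(ip_a, mask)[0] == network_and_host(ip_b, mask)[0]
```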
B. Troubleshooting
This appendix suggests solutions for problems you may encounter in installing or using the SL6000 / SL6300, and provides instructions for using several IP utilities to diagnose problems. Contact Customer Support if these suggestions do not resolve the problem.
LEDs
Power LED does not illuminate after product is turned on.
Verify that you are using the power adapter provided with the device and that it is securely connected to the SL6000/SL6300 and a wall socket/power strip.
Internet Access
PC cannot access Internet
Use the ping utility, discussed in the following section, to check whether your PC can communicate with the SL6000 / SL6300’s LAN IP address (by default 192.168.1.1). If it cannot, check the Ethernet cabling.
Configuration Manager Program
You forgot/lost your Configuration Manager user ID or password.
If you have not changed the password from the default, try using “admin” as both the user ID and password. Otherwise, you can reset the device to the default configuration by pressing the Reset button on the rear panel of SL6000/SL6300 three times. WARNING: Resetting the device removes any custom settings and returns all settings to their default values.
B.1 Recall default configuration by “RESET” button
WARNING: Resetting the device removes all custom settings and returns all settings to their default values. To ensure the reset process works correctly, please attach the RS232 to RJ45 cable between the router’s console port and your PC’s COM port after the router is powered ON.
1. Start Windows HyperTerminal software.
* In Windows operating system, click “START”
* You can choose Yes if you do not normally use other telnet software.
* Select COM1 or COM2 (depends on your serial port configuration) and click OK.
* Select: Bits per second: 9600, Data bits: 8, Parity: None, Stop bits: 1, Flow Control: NONE and click OK.
3. Press the RESET button on the back of the SL6000/SL6300.
* Hyper Terminal will show the message below; press and release the “RESET” button one time now.
* The router will reboot and show some system messages.
4. Press the RESET button on the back of the SL6000/SL6300 a second time.
* When you see “Loading CPU 0 ...” while the dots are increasing (about 5 sec after pushing the RESET button).
* If you see “Loading CPU 1 ...”, it would be too late to press the RESET button a second time.
5. This time the router will show the message below to indicate the system is going to be reset to default.
* After the router reboots, don’t push the RESET button this time when you see “Loading CPU 0 ...”.
6.
B.2 Diagnosing Problems using IP Utilities
B.2.1 ping
Ping is a command you can use to check whether your PC can recognize other computers on your network and the Internet. A ping command sends a message to the computer you specify. If the computer receives the message, it sends messages in reply. To use it, you must know the IP address of the computer with which you are trying to communicate. On Windows-based computers, you can execute a ping command from the Start menu.
B.2.2 nslookup
You can use the nslookup command to determine the IP address associated with an Internet site name. You specify the common name, and the nslookup command looks up the name on your DNS server (usually located with your ISP). If that name is not an entry in your ISP’s DNS table, the request is then referred to another higher-level server, and so on, until the entry is found. The server then returns the associated IP address.
C. Glossary
10BASE-T A designation for the type of wiring used by Ethernet networks with a data rate of 10 Mbps. Also known as Category 3 (CAT 3) wiring. See also data rate, Ethernet.
100BASE-T A designation for the type of wiring used by Ethernet networks with a data rate of 100 Mbps. Also known as Category 5 (CAT 5) wiring. See also data rate, Ethernet.
ADSL (Asymmetric Digital Subscriber Line) The most commonly deployed “flavor” of DSL for home users.
Broadband A telecommunications technology that can send different types of data over the same medium. DSL is a broadband technology.
Broadcast To send data to all computers on a network.
DHCP (Dynamic Host Configuration Protocol) DHCP automates address assignment and management. When a computer connects to the LAN, DHCP assigns it an IP address from a shared pool of IP addresses; after a specified time limit, DHCP returns the address to the pool.
Download To transfer data in the downstream direction, i.e., from the Internet to the user.
DSL (Digital Subscriber Line) A technology that allows both digital data and analog voice signals to travel over existing copper telephone lines.
Ethernet The most commonly installed computer network technology, usually using twisted pair wiring. Ethernet data rates are 10 Mbps and 100 Mbps. See also 10BASE-T, 100BASE-T, twisted pair.
Hop count The number of hops that data has taken on its route to its destination. Alternatively, the maximum number of hops that a packet is allowed to take before being discarded (see also TTL).
Host A device (usually a computer) connected to a network.
HTTP (Hyper-Text Transfer Protocol) HTTP is the main protocol used to transfer data from web sites so that it can be displayed by web browsers. See also web browser, web site.
mask is used to define the network ID and the host ID. Because IP addresses are difficult to remember, they usually have an associated domain name that can be specified instead. See also domain name, network mask.
ISP (Internet Service Provider) A company that provides Internet access to its customers, usually for a fee.
LAN (Local Area Network) A network limited to a small geographic area, such as a home, office, or small building.
Network A group of computers that are connected together, allowing them to communicate with each other and share resources, such as software, files, etc. A network can be small, such as a LAN, or very large, such as the Internet.
Network mask A network mask is a sequence of bits applied to an IP address to select the network ID while ignoring the host ID. Bits set to 1 mean “select this bit” while bits set to 0 mean “ignore this bit.” For example, if the network mask 255.255.255.
PPPoE (Point-to-Point Protocol over Ethernet) One of the two types of PPP interfaces you can define for a Virtual Circuit (VC), the other type being PPPoA. You can define one or more PPPoE interfaces per VC.
Protocol A set of rules governing the transmission of data. In order for a data transmission to work, both ends of the connection have to follow the rules of the protocol.
Remote In a physically separate location.
Subnet A subnet is a portion of a network. The subnet is distinguished from the larger network by a subnet mask which selects some of the computers of the network and excludes all others. The subnet’s computers remain physically connected to the rest of the parent network, but they are treated as though they were on a separate network. See also network mask.
Subnet mask A mask that defines a subnet. See also network mask.
with two pairs. For Ethernet LANs, a higher grade called Category 3 (CAT 3) is used for 10BASE-T networks, and an even higher grade called Category 5 (CAT 5) is used for 100BASE-T networks. See also 10BASE-T, 100BASE-T, Ethernet.
Upstream The direction of data transmission from the user to the Internet.
WAN (Wide Area Network) Any network spread over a large geographical area, such as a country or continent. With respect to the SL6000 / SL6300, WAN refers to the Internet.