BiGuard 10 iBusiness Security Gateway Small-Office BiGuard 2 iBusiness Security Gateway Home-Office User’s Manual Version Release 4.00 (FW:1.
BiGuard 2/10 User’s Manual (Updated June 1, 2006) Copyright Information © 2006 Billion Electric Corporation, Ltd. The contents of this publication may not be reproduced in whole or in part, transcribed, stored, translated, or transmitted in any form or any means, without the prior written consent of Billion Electric Corporation. Published by Billion Electric Corporation. All rights reserved.
Safety Warnings Your BiGuard 2/10 is built for reliability and long service life. For your safety, be sure to read and follow these safety warnings. • Read this installation guide thoroughly before attempting to set up your BiGuard 2/10. • Your BiGuard 2/10 is a complex electronic device. DO NOT open or attempt to repair it yourself. Opening or removing the covers can expose you to high voltage and other risks.
Table of Contents Chapter 1: Introduction 1.1 Overview 1.2 Product Highlights 1.2.1 Virtual Private Network Support 1.2.2 Advanced Firewall Security 1.2.3 Intelligent Bandwidth Management 1.3 Package Contents 1.3.1 BiGuard 10 1.3.1.1 Front Panel 1.3.1.2 Rear Panel 1.3.1.3 Rack Mounting 1.3.1.4 Cabling 1.3.2 BiGuard 2 1.3.2.1 Front Panel 1.3.2.2 Rear Panel 1.3.2.3 Cabling Chapter 2: Router Applications 2.1 Overview 2.2 Bandwidth Management with QoS 2.2.1 QoS Technology 2.2.
Chapter 3: Getting Started 3.1 Overview 3.2 Before You Begin 3.3 Connecting Your Router 3.4 Configuring PCs for TCP/IP Networking 3.4.1 Overview 3.4.2 Windows XP 3.4.2.1 Configuring 3.4.2.2 Verifying Settings 3.4.3 Windows 2000 3.4.3.1 Configuring 3.4.3.2 Verifying Settings 3.4.4 Windows 98 / ME 3.4.4.1 Installing Components 3.4.4.2 Configuring 3.4.4.3 Verifying Settings 3.5 Factory Default Settings 3.5.1 Username and Password 3.5.2 LAN and WAN Port Addresses 3.6 Information From Your ISP 3.6.
Chapter 4: Router Configuration 4.1 Overview 4.2 Status 4.2.1 ARP Table 4.2.2 Routing Table 4.2.3 Session Table 4.2.4 DHCP Table 4.2.5 IPSec Status 4.2.6 PPTP Status 4.2.7 System Log 4.2.8 IPSec Log 4.3 Quick Start 4.3.1 DHCP 4.3.2 Static IP 4.3.3 PPPoE 4.3.4 PPTP 4.3.5 Big Pond 4.4 Configuration 4.4.1 LAN 4.4.1.1 Ethernet 4.4.1.2 DHCP Server 4.4.1.3 LAN Address Mapping 4.4.2 WAN 4.4.2.1 WAN 4.4.2.1.1 DHCP 4.4.2.1.2 Static IP 4.4.2.1.3 PPPoE 4.4.2.1.4 PPTP 4.4.2.1.5 Big Pond 4.4.2.
4.4.3.7 System Log Server 4.4.3.8 E-mail Alert 4.4.4 Firewall 4.4.4.1 Packet Filter 4.4.4.2 URL Filter 4.4.4.3 LAN MAC Filter 4.4.4.4 Block WAN Request 4.4.4.5 Intrusion Detection 4.4.5 VPN 4.4.5.1 IPSec 4.4.5.1.1 IPSec Wizard 4.4.5.1.2 IPSec Policy 4.4.5.2 PPTP 4.4.6 QoS 4.4.7 Virtual Server 4.4.7.1 DMZ 4.4.7.2 Port Forwarding 4.4.8 Advanced 4.4.8.1 Static Route 4.4.8.2 Dynamic DNS 4.4.8.3 Device Management 4.4.8.4 IGMP 4.4.8.5 VLAN Bridge 4.5 Save Configuration To Flash 4.
5.2.3.2 Javascripts 5.2.3.3 Java Permissions 5.3 WAN Interface 5.3.1 Can’t Get WAN IP Address from the ISP 5.4 ISP Connection 5.5 Problems with Date and Time 5.6 Restoring Factory Defaults Appendix A: Product Specifications A.1 BiGuard 10 Product Specifications A.2 BiGuard 2 Product Specifications Appendix B: Customer Support Appendix C: FCC Interference Statement Appendix D: Network, Routing, and Firewall Basics D.1 Network Basics D.1.1 IP Addresses D.1.1.1 Netmask D.1.1.2 Subnet Addressing D.1.
Appendix E: Virtual Private Networking E.1 What is a VPN? E.1.1 VPN Applications E.2 What is IPSec? E.2.1 IPSec Security Components E.2.1.1 Authentication Header (AH) E.2.1.2 Encapsulating Security Payload (ESP) E.2.1.3 Security Associations (SA) E.2.2 IPSec Modes E.2.3 Tunnel Mode AH E.2.4 Tunnel Mode ESP E.2.5 Internet Key Exchange (IKE) Appendix F: IPSec Logs and Events F.1 IPSec Log Event Categories F.2 IPSec Log Event Table Appendix G: Bandwidth Management with QoS G.1 Overview G.
Chapter 1: Introduction 1.1 Overview Congratulations on purchasing BiGuard 2/10 Router from Billion. Combining a router with an Ethernet network switch, BiGuard 2/10 is a state-of-the-art device that provides everything you need to get your network connected to the Internet over your Cable or DSL connection quickly and easily.
1.2.3 Intelligent Bandwidth Management BiGuard 2/10 utilizes Quality of Service (QoS) to give you full control over the priority of both incoming and outgoing data, ensuring that critical data such as customer information moves through your network, even while under a heavy load. Transmission speeds can be throttled to make sure users are not saturating bandwidth required for mission-critical data transfers.
Link/ACT: Lit when the device is connected. Blinking when data is transmitting/receiving.
LAN 1–8: Lit when connected to an Ethernet device. 10/100M: Lit green when connected at 100Mbps. Not lit when connected at 10Mbps. Link/ACT: Lit when the device is connected. Blinking when data is transmitting/receiving.
1.3.1.2 Rear Panel Port 1 (RESET) Meaning: After the device is powered on, press it to reset the device or restore to factory default settings.
1.3.1.3 Rack Mounting To rack mount BiGuard 10, carefully secure the device to your rack on both sides using the included brackets and screws. See the diagram below for a more detailed explanation. 1.3.1.4 Cabling Most Ethernet networks currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. One of the most common causes of networking problems is bad cabling.
1.3.2.1 Front Panel LED Function
POWER: A solid light indicates a steady connection to a power source.
STATUS: A blinking light indicates the device is writing to flash memory.
WAN: Lit when connected to an Ethernet device. 10/100M: Lit green when connected at 100Mbps. Not lit when connected at 10Mbps. Link/ACT: Lit when the device is connected. Blinking when data is transmitting/receiving.
LAN 1–8: Lit when connected to an Ethernet device. 10/100M: Lit green when connected at 100Mbps.
Port 1 (RESET) Meaning: After the device is powered on, press it to reset the device or restore to factory default settings. 0-3 seconds: the Status LED will light. 6 seconds or more: restore to factory default settings (used when you cannot log in to the router, e.g. you forgot the password).
Port 2 (LAN): Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the eight LAN 1X — 8X (RJ-45 connector) ports when connecting to a PC or an office/home network of 10Mbps or 100Mbps.
Port 3 (WAN)
Port 4 (DC12V)
1.3.2.3 Cabling
Chapter 2: Router Applications 2.1 Overview Your BiGuard 2/10 Router is a versatile device that can be configured to not only protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS). Alternatively, BiGuard 2/10 can also be set to handle secure connections with Virtual Private Networking (VPN). The following chapter describes how BiGuard 2/10 can work for you. 2.
[Figure: QoS architecture showing the Classifier, Meter and Scheduler stages for Outbound and Inbound traffic.] 2.2.2 QoS Policies for Different Applications By setting different QoS policies according to the applications you are running, you can use BiGuard 2/10 to optimize the bandwidth that is being used on your network.
As illustrated in the diagram above, applications such as Voice over IP (VoIP) require low network latency to function properly. If bandwidth is being used by other applications such as an FTP server, users of VoIP will experience network lag and/or service interruptions. To avoid this scenario, this network has assigned VoIP a guaranteed bandwidth and a higher priority to ensure smooth communications.
2.2.4 Policy Based Traffic Shaping Policy Based Traffic Shaping allows you to apply specific traffic policies across a range of IP addresses or ports. This is particularly useful for assigning different policies for different PCs on the network. Policy based traffic shaping lets you better manage your bandwidth, providing reliable Internet and network service to your organization. 2.2.
2.2.6 Management by IP or MAC address BiGuard 2/10 can also be configured to apply traffic policies based on a particular IP or MAC address. This allows you to quickly assign different traffic policies to a specific computer on the network.
2.2.7 DiffServ (DSCP Marking) DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values. These markings can be used to identify traffic within the network. Other interfaces can match traffic based on the DSCP markings. DSCP markings are used to decide how packets should be treated, and are a useful tool for giving precedence to different types of data. 2.
secure tunnel. The next type of VPN setup is the Gateway to Multiple Gateway setup, where one gateway (Headquarters) communicates with multiple gateways (Branch Offices) over the Internet. As with all VPNs, data is kept secure with secure tunnels. The final type of VPN setup is the Client to Gateway. A good example of where this can be applied is when a remote sales person accesses the corporate network over a secure VPN tunnel.
Concentrator: Please refer to appendix H for example settings. [Diagram: three BiGuard 2 units; the address labels shown are 200.200.200.1, 192.168.3.x, 192.168.2.x and 100.100.100.1.] Gateway with local subnet 192.168.3.0: Local ID Type: Subnet; Local subnet: 192.168.3.0; Local mask: 255.255.255.0; Remote ID Type: Subnet; Remote subnet: 0.0.0.0; Remote mask: 0.0.0.0. Peer gateway: Local ID Type: Subnet; Local subnet: 0.0.0.0; Local mask: 0.0.0.0; Remote ID Type: Subnet; Remote subnet: 192.168.3.0; Remote mask: 255.255.255.0. Local ID Type: Subnet; Local subnet: 0.0.0.0; Local mask: 0.0.0.
Chapter 3: Getting Started 3.1 Overview BiGuard 2/10 is designed to be a powerful and flexible network device that is also easy to use. With an intuitive web-based configuration, BiGuard 2/10 allows you to administer your network via virtually any Java-enabled web browser and is fully compatible with Linux, Mac OS, and Windows 98/Me/NT/2000/XP operating systems. The following chapter takes you through the very first steps to configuring your network for BiGuard 2/10.
Be sure to also review the Safety Warnings located in the preface of this manual before working with your BiGuard 2/10. 3.3 Connecting Your Router Connecting BiGuard 2/10 is an easy three-step process: 1. Connect BiGuard 2/10 to your LAN by connecting Ethernet cables from your networked PCs to the LAN ports on the router. 2. Connect BiGuard 2/10 to your broadband Internet connection via the router’s WAN port. 3. Plug BiGuard 2/10 into an AC outlet with the included AC Power Adapter.
3.4 Configuring PCs for TCP/IP Networking Now that your BiGuard 2/10 is connected properly to your network, it’s time to configure your networked PCs for TCP/IP networking. In order for your networked PCs to communicate with your router, they must have the following characteristics: 1. Have a properly installed and functioning Ethernet Network Interface Card (NIC). 2. Be connected to BiGuard 2/10, either directly or through an external repeater hub via an Ethernet cable. 3.
- Mac OS 7 and later - All versions of UNIX/Linux If you are using Windows 3.1, you must purchase a third-party TCP/IP application package. Any TCP/IP capable workstation can be used to communicate with or through the BiGuard 2/10. To configure other types of workstations, please consult the manufacturer’s documentation. 3.4.2 Windows XP 3.4.2.1 Configuring 1. Select Start > Settings > Network Connections. 2. In the Network Connections window, right-click Local Area Connection and select Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. 4a. To have your PC obtain an IP address automatically, select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons.
4b. To manually assign your PC a fixed IP address, select the Use the following IP address radio button and enter your desired IP address, subnet mask, and default gateway in the blanks provided. Remember that your PC must reside in the same subnet as the router. To designate a DNS server, select Use the following DNS server and fill in the preferred DNS address. 5. Click OK to finish the configuration.
3.4.2.2 Verifying Settings To verify your settings using a command prompt: 1. Click Start > Programs > Accessories > Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER. If you are using BiGuard 2/10’s default settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.
To verify your settings using the Windows XP GUI: 1. Click Start > Settings > Network Connections. 2. Right click one of the network connections listed and select Status from the pop-up menu.
3. Click the Support tab. If you are using BiGuard 2/10’s default settings, your PC should: - Have an IP address between 192.168.1.1 and 192.168.1.253 - Have a subnet mask of 255.255.255.
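The verification steps above (and the identical checks the manual repeats for Windows 2000 and Windows 98/Me) can be automated. The following is an added example, not part of the manual: it parses a constructed ipconfig listing and tests it against the BiGuard 2/10 LAN defaults (router 192.168.1.254 with mask 255.255.255.0, PC address between 192.168.1.1 and 192.168.1.253, DHCP pool 192.168.1.100 to 192.168.1.199); the function names and problem codes are my own.

```python
"""Check a Windows PC's TCP/IP settings against the BiGuard 2/10 LAN defaults.

Added example, not from the manual: parses the text printed by `ipconfig`
on Windows XP/2000 and applies the checks the manual lists for a PC that
uses the router's factory default settings.
"""
import ipaddress
import re

# Factory defaults stated in the manual (LAN side).
ROUTER_LAN_IP = ipaddress.IPv4Address("192.168.1.254")
ROUTER_NETMASK = "255.255.255.0"
DHCP_POOL = (ipaddress.IPv4Address("192.168.1.100"),
             ipaddress.IPv4Address("192.168.1.199"))
# Range the manual says a correctly configured PC should fall in.
PC_RANGE = (ipaddress.IPv4Address("192.168.1.1"),
            ipaddress.IPv4Address("192.168.1.253"))

# Constructed sample `ipconfig` listings (not captured from real hosts).
SAMPLE_OK = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
"""

SAMPLE_WRONG_SUBNET = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.2.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
"""

# Field lines look like "IP Address. . . . : 192.168.1.100"; the dots are padding.
_FIELD_RE = re.compile(
    r"^\s*(IP Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)", re.MULTILINE)


def parse_ipconfig(text):
    """Return the first non-empty IP, mask and gateway found in an ipconfig listing.

    Fields never printed (or printed empty) come back as ''.
    """
    found = {"IP Address": "", "Subnet Mask": "", "Default Gateway": ""}
    for name, value in _FIELD_RE.findall(text):
        if not found[name]:
            found[name] = value
    return {"ip": found["IP Address"], "mask": found["Subnet Mask"],
            "gateway": found["Default Gateway"]}


def check_pc_settings(settings):
    """Return a list of problem codes; an empty list means the PC matches the defaults."""
    problems = []
    try:
        ip = ipaddress.IPv4Address(settings["ip"])
    except ValueError:
        return ["no-ip-address"]            # DHCP failed or TCP/IP not configured
    if not PC_RANGE[0] <= ip <= PC_RANGE[1]:
        problems.append("ip-out-of-range")  # also catches a clash with the router's .254
    if settings["mask"] != ROUTER_NETMASK:
        problems.append("mask-mismatch")
    # The PC must sit in the same subnet as the router, or 192.168.1.254 is unreachable.
    try:
        if ROUTER_LAN_IP not in ipaddress.IPv4Network(
                f"{ip}/{settings['mask']}", strict=False):
            problems.append("different-subnet")
    except ValueError:
        problems.append("invalid-mask")
    if settings["gateway"] != str(ROUTER_LAN_IP):
        problems.append("gateway-mismatch")
    return problems


def assigned_by_router_dhcp(settings):
    """True if the address lies in the router's default DHCP pool (.100 to .199)."""
    try:
        ip = ipaddress.IPv4Address(settings["ip"])
    except ValueError:
        return False
    return DHCP_POOL[0] <= ip <= DHCP_POOL[1]


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("wrong subnet", SAMPLE_WRONG_SUBNET)):
        settings = parse_ipconfig(text)
        print(label, settings, check_pc_settings(settings) or "matches defaults")
```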
3.4.3 Windows 2000 3.4.3.1 Configuring 1. Select Start > Settings > Control Panel. 2. In the Control Panel window, double-click Network and Dial-up Connections.
3. In Network and Dial-up Connections, double-click Local Area Connection. 4. In the Local Area Connection window, click Properties.
5. Select Internet Protocol (TCP/IP) and click Properties. 6a. To have your PC obtain an IP address automatically, select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons.
6b. To manually assign your PC a fixed IP address, select the Use the following IP address radio button and enter your desired IP address, subnet mask, and default gateway in the blanks provided. Remember that your PC must reside in the same subnet as the router. To designate a DNS server, select Use the following DNS server and fill in the preferred DNS address. 7. Click OK to finish the configuration. 3.4.3.2 Verifying Settings 1. Click Start > Programs > Accessories > Command Prompt.
2. In the Command Prompt window, type ipconfig and then press ENTER. If you are using BiGuard 2/10’s default settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.0 3.4.4 Windows 98 / Me 3.4.4.1 Installing Components To prepare Windows 98/Me PCs for TCP/IP networking, you may need to manually install TCP/IP on each PC. To do this, follow the steps below.
1. On the Windows taskbar, select Start > Settings > Control Panel. 2. Double-click the Network icon. The Network window displays a list of installed components.
You must have the following installed: - An Ethernet adapter - TCP/IP protocol - Client for Microsoft Networks If you need to install a new Ethernet adapter, follow these steps: a. Click Add.
b. Select Adapter, then Add. c. Select the manufacturer and model of your Ethernet adapter, then click OK. If you need TCP/IP: a. Click Add.
b. Select Protocol, then click Add. c. Select Microsoft > TCP/IP, then click OK. If you need Client for Microsoft Networks: a. Click Add.
b. Select Client, then click Add. c. Select Microsoft > Client for Microsoft Networks, and then click OK. 3. Restart your PC to apply your changes. 3.4.4.2 Configuring 1. Select Start > Settings > Control Panel.
2. In the Control Panel, double-click Network and choose the Configuration tab.
3. Select the name of your PC’s TCP/IP Network Interface Card (NIC) and click Properties. TCP/IP > ASUSTeK is illustrated in the example below. 4. Select the IP Address tab and click the Obtain an IP address automatically radio button.
5. Select the DNS Configuration tab and select the Disable DNS radio button. 6. Click OK to apply the configuration.
3.4.4.3 Verifying Settings To check the TCP/IP configuration, use the winipcfg.exe utility: 1. Select Start > Run. 2. Type winipcfg, and then click OK.
3. From the drop-down box, select your Ethernet adapter. The window is updated to show your settings. Using the default BiGuard 2/10 settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.0 - A default gateway of 192.168.1.254 3.
IP Address: 192.168.1.254 Subnet Mask: 255.255.255.0 ISP setting in WAN site: Obtain an IP Address automatically (DHCP Client) DHCP server: DHCP server is enabled. Start IP Address: 192.168.1.100 End IP Address: 192.168.1.199 3.5.1 Username and Password The default user name and password are "admin" and "admin" respectively.
3.6 Information From Your ISP 3.6.1 Protocols Before configuring this device, you have to check with your ISP (Internet Service Provider) to find out what kind of service is provided, such as DHCP, Static IP, PPPoE, or PPTP. The following table outlines each of these protocols: DHCP: Configure this WAN interface to use the DHCP client protocol to get an IP address from your ISP automatically. Your ISP provides an IP address to the router dynamically when logging in.
Depending on your ISP, a host name and domain suffix may also be provided. If any of these items are dynamically supplied by the ISP, your BiGuard 2/10 will automatically acquire them. If an ISP technician configured your computer or if you configured it using instructions provided by your ISP, you need to copy the configuration information from your PC’s Network TCP/IP Properties window before reconfiguring your computer for use with BiGuard 2/10.
3. In the Network Connections window, right-click Local Area Connection and select Properties. 4. Select Internet Protocol (TCP/IP) and click Properties.
5. If an IP address, subnet mask and a Default gateway are shown, write down the information. If no address is present, your account’s IP address is dynamically assigned. Click the Obtain an IP address automatically radio button. 6. If any DNS server addresses are shown, write them down. Click the Obtain DNS server address automatically radio button.
7. Click OK to save your changes. 3.7 Web Configuration Interface BiGuard 2/10 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click Go. A user name and password window prompt will appear. Enter your user name and password (the default user name and password are "admin" and "admin") to access the Web Configuration Interface.
If the Web Configuration Interface appears, congratulations! You are now ready to configure your BiGuard 2/10. If you are having trouble accessing the interface, please refer to Chapter 5: Troubleshooting for possible resolutions.
Chapter 4: Router Configuration 4.1 Overview The Web Configuration Interface makes it easy for you to manage your network via any PC connected to it. On the Web Configuration homepage, you will see the navigation pane located on the left hand side. From it, you will be able to select various options used to configure your router. 1. Click Apply if you would like to apply the settings on the current screen to the device.
restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to log out, the second PC can access the page after a user-defined period (5 minutes by default). The following sections will show you how to configure your router using the Web Configuration Interface. 4.
address of your PC’s network interface to use with the router’s Firewall – MAC Address Filter function. See the Firewall section of this chapter for more information on this feature. No.: Number of the list. IP Address: A list of IP addresses of devices on your LAN. MAC Address: The Media Access Control (MAC) addresses for each device on your LAN. Interface: The interface name (on the router) that this IP address connects to. Static: Static status of the ARP table entry.
No.: Number of the list. Destination: The IP address of the destination network. Netmask: The destination netmask address. Gateway/Interface: The IP address of the gateway or existing interface that this route will use. Cost: The number of hops counted as the cost of the route. 4.2.3 Session Table The NAT Session Table displays a list of current sessions for both incoming and outgoing traffic with protocol type, source IP, source port, destination IP and destination port; each page shows 10 sessions. No.
Last: To the last page. Jump to the session: Enter the session number you would like to see and press “GO”. 4.2.4 DHCP Table The DHCP Table displays a list of IP addresses that have been assigned to PCs on your network via Dynamic Host Configuration Protocol (DHCP). No.: Number of the list. IP Address: A list of IP addresses of devices on your LAN. Device Name: The host name (computer name) of the client. MAC Address: The MAC address of the client. 4.2.
Enable: Whether the IPSec connection is currently Enable or Disable. Status: Whether the IPSec is Active, Inactive or Disable. Local Subnet: The local IP address or subnet used. Remote Subnet: The subnet of the remote site. Remote Gateway: The remote gateway IP address. SA: The Security Association for this IPSec entry. Action: Manually connect or drop the tunnel. 4.2.6 PPTP Status The PPTP Status window displays the status of the PPTP Tunnels that are currently configured on your BiGuard 2/10.
Refresh: Refresh the System Log. Clear Log: Clear the System Log. Send Log: Send the System Log to your email account. You can set the email address in Configuration > System > Email Alert. See the Email Alert section for more details. Save Log: Save the System log to a text file. 4.2.8 IPSec Log This page displays the router’s IPSec Log entries. Major events are logged to this window. Refresh: Refresh the IPSec Log. Clear Log: Clear the IPSec Log. Send Log: Send IPSec Log to your email account.
details. Save Log: Save the IPSec log to a text file. Please refer to Appendix F: IPSec Log Events for more information on log events. 4.3 Quick Start The Quick Start menu allows you to quickly configure your network for Internet access using the most basic settings. Connection Method: Select your router’s connection to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. 4.3.
IP assigned by your ISP: Enter the IP address assigned by your ISP. IP Subnet Mask: Enter your IP subnet mask. ISP Gateway Address: Enter your ISP gateway address. Primary DNS: Enter your primary DNS. Secondary DNS: Enter your secondary DNS. Click Apply to save your changes. To reset to defaults, click Reset. 4.3.3 PPPoE Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password.
4.3.4 PPTP Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP. PPTP Server IP: Enter the PPTP Server IP provided by your ISP. Connection: Select whether the connection should Always Connect or Trigger on Demand.
Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Login Server: Enter the IP of the Login server provided by your ISP. Click Apply to save your changes. To reset to defaults, click Reset. For detailed instructions on configuring WAN settings, please refer to the WAN section of this chapter. 4.4 Configuration The Configuration menu allows you to set many of the operating parameters of the BiGuard 2/10.
4.4.1 LAN There are three items within this section: Ethernet, DHCP Server and LAN Address Mapping. 4.4.1.1 Ethernet IP Address: Enter the internal LAN IP address for BiGuard 2/10 (192.168.1.254 by default). Subnet Mask: Enter the subnet mask (255.255.255.0 by default). RIP: RIP v2 Broadcast and RIP v2 Multicast. Check to enable RIP. 4.4.1.2 DHCP Server In this menu, you can disable or enable the Dynamic Host Configuration Protocol (DHCP) server.
To disable the router’s DHCP Server, select the Disable radio button, and then click Apply. When the DHCP Server is disabled, you will need to manually assign a fixed IP address to each PC on your network, and set the default gateway for each PC to the IP address of the router (192.168.1.254 by default).
reserved IP. Candidates: You can also pick an entry from the Candidates list, which is taken from the ARP table, to fill in the fields automatically. Click the Apply button to add the configuration to the Host Table. Press the Delete button to delete a configuration from the Host Table. 4.4.1.
Name: Please input the name of the rule. IP Address: Please input the LAN Gateway IP Address you would like to use. Netmask: Please input the Netmask you would like to use. WAN IP Address: Please click Candidates to select the WAN IP address you would like to use from WAN Alias list. Click the Apply button to add the configuration into the LAN Address Mapping. 4.4.2 WAN WAN refers to your Wide Area Network connection. In most cases, this means your router’s connection to the Internet through your ISP.
4.4.2.1 WAN Connection Method: Select how your router will connect to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. For each WAN port, the factory default is DHCP. If your ISP does not use DHCP, select the correct connection method and configure the connection accordingly. Configurable items will vary depending on the connection method selected. 4.4.2.1.
RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To disable RIP, select Disable from the drop down menu. MTU: Enter the Maximum Transmission Unit (MTU) for your network. Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.2 Static IP IP assigned by your ISP: Enter the static IP assigned by your ISP. IP Subnet Mask: Enter the IP subnet mask provided by your ISP. ISP Gateway Address: Enter the ISP gateway address provided by your ISP.
4.4.2.1.3 PPPoE Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Connection: Select whether the connection should Always Connect or Trigger on Demand. If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP, select Always Connect. If you want to establish a PPPoE session only when there is a packet requesting access to the Internet (i.e.
MTU: Enter the Maximum Transmission Unit (MTU) for your network. Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.4 PPTP Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. Candidates: You can also select the MAC address from the list in the Candidates. DNS: If your ISP requires you to manually setup DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To disable RIP, select Disable from the drop down menu.
Click Apply to save your changes. To reset to defaults, click Reset. A simpler alternative is to select Quick Start from the main menu. Please see the Quick Start section of this chapter for more information. 4.4.2.2 Bandwidth Settings Under Bandwidth Settings, you can easily configure both inbound and outbound bandwidth. WAN: Enter your ISP inbound and outbound bandwidth for WAN. NOTE: The values entered here are referenced by QoS. 4.4.2.
Please click Create to create a LAN Address Mapping rule. Name: Please input the name of the rule. IP Address: Please input the additional WAN IP address you would like to use. Click the Apply button to add the configuration into the WAN IP Alias. 4.4.3 System The System menu allows you to adjust a variety of basic router settings, upgrade firmware, set up remote access, and more.
4.4.3.1 Time Zone BiGuard 2/10 does not use an onboard real time clock; instead, it uses the Network Time Protocol (NTP) to acquire the current time from an NTP server outside your network. Simply choose your local time zone, enter the NTP Server IP Address, and click Apply. After connecting to the Internet, BiGuard 2/10 will retrieve the correct local time from the NTP server you have specified. Your ISP may provide an NTP server for you to use. Time Zone: Select Enable or Disable to turn this function on or off.
Time, please check the Automatic checkbox. Resync Period: Enter the resync cycle (interval) for time zone updates. Click Apply to apply the rule, or click Cancel to discard the changes. 4.4.3.2 Remote Access To allow remote users to configure and manage BiGuard 2/10 through the Internet, select the Enable radio button. To deactivate remote access, select the Disable radio button. This function also enables you to grant access from any PC or only from a specific IP address. Click Apply to save your settings.
Allow Remote Access By: Everyone: Check this to allow remote users to connect from any IP address. Only the PC: Specify the single IP address that is allowed to access. PC from the subnet: Specify the subnet that is allowed to access. 4.4.3.
Upgrading your BiGuard 2/10’s firmware is a quick and easy way to enjoy increased functionality, better reliability, and ensure trouble-free operation. To upgrade your firmware, simply visit Billion’s website (http://www.billion.com) and download the latest firmware image file for BiGuard 2/10. Next, click Browse and select the newly downloaded firmware file. Click Upgrade to complete the update. NOTE: DO NOT power down the router or interrupt the firmware upgrade while it is still in process.
select a file from your PC to restore. Be sure to only restore setting files that have been generated by the Backup function, and that were created when using the same firmware version. Settings files saved to your PC should not be manually edited in any way. After selecting the settings file you wish to use, clicking Restore will load those settings into the router. 4.4.3.5 Restart The Restart feature allows you to easily restart BiGuard 2/10.
In order to prevent unauthorized access to your router’s configuration interface, it requires the administrator to login with a password. You can change your password by entering your new password in both fields. Click Apply to save your changes. Click Reset to reset to the default administration password (admin). 4.4.3.
This function allows BiGuard 2/10 to send system logs to an external Syslog Server. Syslog is an industry-standard protocol used to capture information about network activity. To enable this function, select the Enable radio button and enter your Syslog server IP address in the Log Server IP Address field. Click Apply to save your changes. To disable this feature, simply select the Disable radio button and click Apply. 4.4.3.
Select Enable to activate the SMTP server login function, or Disable to deactivate it. Username: Input the SMTP server’s username. Password: Input the SMTP server’s password. Alert via Email when: Select the frequency of each email update. Choose one of the five options: Immediately: The router will send an alert immediately. Hourly: The router will send an alert once every hour. Daily: The router will send an alert once a day. The exact time can be specified using the pull down menu.
The Packet Filter function is used to limit user access to certain sites on the Internet or LAN. The Filter Table displays all current filter rules. If there is an entry in the Filter Table, you can click Edit to modify the setting of this entry, click Delete to remove this entry, or click Move to change this entry’s priority. Entries higher in the table have higher priority. To create a new filter rule, click Create. ID: An identifier that allows you to move the rule before or after another rule’s ID.
rules prevent unauthorized computers or applications from accessing the Internet. Select whether the new filter rule is incoming or outgoing. Source IP: Select Any, Subnet, IP Range or Single Address. Starting IP Address: Enter the source IP address, or the starting source IP address, to which this filter rule is to be applied. End IP Address: Enter the ending source IP address to which this filter rule is to be applied (for IP Range only). Netmask: Enter the subnet mask of the above IP address.
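As an added illustration (not BiGuard code), the Python below models a Filter Table with the Source IP options listed above and the top-down priority that the Move button controls; the rule contents and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FilterRule:
    """One row of the Filter Table (field names follow the manual's form)."""
    rule_id: int
    direction: str                   # "incoming" or "outgoing"
    source_type: str                 # "Any", "Subnet", "IP Range", "Single Address"
    start_ip: Optional[str] = None   # Starting IP Address
    end_ip: Optional[str] = None     # End IP Address (IP Range only)
    netmask: Optional[str] = None    # Netmask (Subnet only)
    action: str = "Drop"             # "Drop" or "Forward"

    def matches_source(self, src: str) -> bool:
        addr = ipaddress.IPv4Address(src)
        if self.source_type == "Any":
            return True
        if self.source_type == "Single Address":
            return addr == ipaddress.IPv4Address(self.start_ip)
        if self.source_type == "IP Range":
            low = ipaddress.IPv4Address(self.start_ip)
            high = ipaddress.IPv4Address(self.end_ip)
            return low <= addr <= high
        if self.source_type == "Subnet":
            net = ipaddress.IPv4Network(f"{self.start_ip}/{self.netmask}", strict=False)
            return addr in net
        raise ValueError(f"unknown Source IP type {self.source_type!r}")


class FilterTable:
    """Rules are kept in priority order: index 0 is the top of the table."""

    def __init__(self, default_action: str = "Forward"):
        self.rules: List[FilterRule] = []
        self.default_action = default_action   # applies when no rule matches

    def create(self, rule: FilterRule) -> None:
        self.rules.append(rule)                # new rules start at the bottom

    def move_before(self, rule_id: int, other_id: int) -> None:
        """Move rule_id directly above other_id, raising its priority."""
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        idx = next(i for i, r in enumerate(self.rules) if r.rule_id == other_id)
        self.rules.insert(idx, rule)

    def decide(self, direction: str, src: str) -> str:
        """First matching rule from the top wins; otherwise the default applies."""
        for rule in self.rules:
            if rule.direction == direction and rule.matches_source(src):
                return rule.action
        return self.default_action

    def order(self) -> List[int]:
        return [r.rule_id for r in self.rules]


def demo_table() -> FilterTable:
    """Constructed example: block the LAN subnet outbound except one admin host,
    and drop a range of incoming source addresses."""
    table = FilterTable(default_action="Forward")
    table.create(FilterRule(1, "outgoing", "Subnet", "192.168.1.0",
                            netmask="255.255.255.0", action="Drop"))
    table.create(FilterRule(2, "outgoing", "Single Address", "192.168.1.10",
                            action="Forward"))
    table.create(FilterRule(3, "incoming", "IP Range", "10.0.0.1",
                            end_ip="10.0.0.50", action="Drop"))
    # Rule 2 sits below rule 1, so 192.168.1.10 is still dropped; Move fixes that.
    table.move_before(2, 1)
    return table
```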
The URL Filter is a powerful tool that can be used to limit access to certain URLs on the Internet. You can block web sites based on keywords or even block out an entire domain. Certain web features can also be blocked to grant added security to your network. URL Filtering: You can choose to Enable or Disable this feature. Keyword Filtering: Click the checkbox to enable this feature. To edit the list of filtered keywords, click Details.
checkbox. To edit the list of filtered domains, click Details. Enter a domain and select whether this domain is trusted or forbidden with the pull-down menu. Next, click Apply. Your new domain will be added to either the Trusted Domain or Forbidden Domain listing, depending on which you selected previously. Restrict URL Features: Use this to disable certain web features.
Enter a name for the IP Address and then enter the IP address itself. Click Apply to save your changes. The IP address will be entered into the Exception List, and excluded from the URL filtering rules in effect. 4.4.4.3 LAN MAC Filter The LAN MAC Filter decides, by MAC address, whether BiGuard will serve a given device on the LAN side. Default Rule: Forward or Drop all LAN requests.
Rule: Enable or disable this entry. Action When Matched: Select to Drop or Forward the packet specified in this filter entry. MAC Address: The MAC Address you would like to apply. Candidates: You can also select the Candidates which are referred from the ARP table for automatic input. 4.4.4.4 Block WAN Request Blocking WAN requests is one way to prevent DDoS attacks by preventing ping requests from the Internet. Use this menu to enable or disable this function.
4.4.4.5 Intrusion Detection Intrusion Detection can prevent most common DoS attacks from the Internet or from LAN users. Intrusion Detection: Enable or disable this function. Intrusion Log: All the detected and dropped attacks will be shown in the system log. 4.4.5 VPN 4.4.5.1 IPSec IPSec is a set of protocols that enable Virtual Private Networks (VPN). VPN is a way to establish secured communication tunnels to an organization’s network via the Internet. 4.4.5.1.
Connection Name: A user-defined name for the connection. Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
Remote Secure Gateway Address (or HostName): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel. Remote Network: The subnet of the remote network. Allows you to enter an IP address and netmask. Back: Back to the Previous page. Next: Go to the next page. (2) LAN to LAN (Mobile LAN): BiGuard establishes an IPSec VPN tunnel, using aggressive mode, with a remote router that has a dynamic Internet IP address.
Remote Secure Gateway Address (or Hostname): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel. Back: Back to the Previous page. Next: Go to the next page. (4) LAN to Host (Mobile Client): BiGuard establishes an IPSec VPN tunnel, using aggressive mode, with remote client software that has a dynamic Internet IP address. Remote Identifier: The identifier of the remote gateway; the type of the entered value is determined automatically as IP Address, FQDN (DNS) or FQUN (E-mail).
(5) LAN to Host (For BiGuard VPN Client only): BiGuard establishes an IPSec VPN tunnel, using aggressive mode, with the BiGuard VPN Client software C01. VPN Client IP Address: The VPN client address for the BiGuard VPN Client; this value is applied as a single address to both the remote ID and the remote network. Back: Back to the Previous page. Next: Go to the next page.
After your configuration is done, you will see a Configuration Summary. Back: Back to the Previous page. Done: Click Done to apply the rule. 4.4.5.1.2 IPSec Policy Click Create to create a new IPSec VPN connection account.
Connection Name: A user-defined name for the connection. Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel. Local: This section configures the local host. ID: This is the identity type of the local router or host. Choose from the following four options: WAN IP Address: Automatically use the current WAN address as the ID. IP Address: Use an IP address format. FQDN DNS (Fully Qualified Domain Name): Consists of a hostname and domain name. For example, WWW.VPN.COM is a FQDN.
VPN.COM is the domain name. When you enter the FQDN of the local host, the router will automatically seek the IP address of the FQDN. FQUN E-Mail(Fully Qualified User Name): Consists of a username and its domain name. For example, user@vpn.com is a FQUN. "user" is the username and "vpn.com" is the domain name. Data: Enter the ID data using the specific ID type. Network: Set the IP address, IP range, subnet, or address range of the local network.
degrees of security and speed of negotiation: Main Mode: Uses the automated Internet Key Exchange (IKE) setup; the most secure of the three methods. Aggressive Mode: Uses the automated Internet Key Exchange (IKE) setup; mid-level security, and faster than Main mode. Manual Key: Standard level of security; the fastest of the three methods. Method: There are two methods of checking the authentication information, AH (Authentication Header) and ESP (Encapsulating Security Payload).
Key Life Time: Allows you to specify the interval after which a new key is renegotiated. The value is in seconds, e.g. 3600 seconds = 1 hour. Netbios Broadcast: Allows BiGuard to send local NetBIOS broadcast packets through the IPSec tunnel; select Enable or Disable. DPD Setting: DPD, Dead Peer Detection. DPD Function: Select Enable or Disable for the DPD function. Detection Interval: Enter the interval at which DPD packets are sent.
PPTP function: Select Enable to activate the PPTP Server, Disable to deactivate the PPTP Server function. Auth. Type: The authentication type, PAP or CHAP. Data Encryption: Select Enable or Disable for data encryption. Encryption Key Length: Auto, 40 bits or 128 bits. Peer Encryption Mode: Only Stateless or Allow Stateless and Stateful. IP Addresses Assigned to Peer Start from: 192.168.1.x: enter the assigned IP range from 1 ~ 254 (except BiGuard 30’s LAN IP address with 192.168.1.
Connection Name: A user-defined name for the connection. Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel. Username: Please input the username for this account. Password: Please input the password for this account. Retype Password: Please repeat the same password as previous field. Connection Type: Select Remote Access for single user, Select LAN to LAN for remote gateway. Peer Network IP: Please input the IP for remote network.
The first menu screen gives you an overview of which WAN ports currently have QoS active, and the bandwidth settings for each. WAN Outbound: QoS Function: QoS status for WAN outbound. Select Enable to activate QoS for WAN’s outgoing traffic. Select Disable to deactivate. Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN’s outbound traffic. WAN Inbound: QoS Function: QoS status for WAN inbound. Select Enable to activate QoS for WAN’s incoming traffic. Select Disable to deactivate.
Next, click Create to open the QoS Rule Configuration window. Application: User defined application name for the current rule. Packet Type: The type of packet this rule applies to. Choose from Any, TCP, UDP, or ICMP. Guaranteed: The guaranteed amount of bandwidth for this rule as a percentage. Maximum: The maximum amount of bandwidth for this rule as a percentage. Priority: The priority assigned to this service. Select a value from 0 to 6, 0 being highest. DSCP Marking: Used to classify traffic.
Bandwidth per source IP Address: Please select Bandwidth per source IP Address if you would like the specified bandwidth to be applied individually per source IP address in specified IP range. For IP Address (default)… Source IP Address Range: The range of source IP Addresses this rule applies to. Destination IP Address Range: The range of destination IP Addresses this rule applies to. Source Port Range: The range of source ports this rule applies to.
application program (usually a server) incoming connections should be delivered to. Some ports have numbers that are pre-assigned to them by the Internet Assigned Numbers Authority (IANA), and these are referred to as "well-known ports". Servers follow the well-known port assignments so clients can locate them. If you wish to run a server on your network that can be accessed from the WAN (i.e.
Enable DMZ function: Enable: Activates your router’s DMZ function. Disable: Default setting. Disables the DMZ function. DMZ IP Address: Give a static IP address to the DMZ Host when the Enable radio button is selected. Be aware this IP will be exposed to the WAN/Internet. Candidates: You can also select the Candidates which are referred from the ARP table for automatic input. Select the Apply button to apply your changes. 4.4.7.
Click Create to add a new port forwarding rule. There are two port forwarding modes: Port Range Mapping and Port Redirection. This function allows any incoming data addressed to a range of service port numbers (from the Internet/WAN Port) to be re-directed to a particular LAN private/internal IP address. This option gives you the ability to handle applications that use more than one port such as games and audio/video conferencing. Application: User defined application name for the current rule.
Internal IP Address: Enter the LAN server/host IP address that the service request from the Internet will be sent to. Candidates: You can also select the Candidates which are referred from the ARP table for automatic input. NOTE: You need to give your LAN server/host a static IP address for the Virtual Server to work properly. Click Apply to save your changes. Using port forwarding does have security implications, as outside users will be able to connect to PCs on your network.
(subnet). The routing table stores the routing information so the router knows where to redirect the IP packets. Click on Static Route and then click Create to add a routing table. Rule: Select Enable to activate this rule, Disable to deactivate this rule. Destination: This is the destination subnet IP address. Netmask: This is the subnet mask of the destination IP addresses based on above destination subnet IP. Gateway: This is the gateway IP address to which packets are to be forwarded.
Click Apply to save your changes. 4.4.8.2 Dynamic DNS The Dynamic DNS function allows you to alias a dynamic IP address to a static hostname, allowing users whose ISP does not assign them a static IP address to use a domain name. This is especially useful when hosting servers via your WAN connection, so that anyone wishing to connect to you may use your domain name, rather than having to use a dynamic IP address that changes periodically.
Enable: Check to enable the Dynamic DNS function. The following fields will be activated and required: Dynamic DNS Server: Select the DDNS service you have established an account with. Wildcard: Select this check box to enable the DYNDNS Wildcard. Domain Name: Enter your registered domain name for this service. Username: Enter your registered user name for this service. Password: Enter your registered password for this service. Click Apply to save your changes. 4.4.8.
Management IP Address: You may specify an IP address allowed to logon and access the router’s web server. Setting the IP address to 0.0.0.0 will disable IP address restrictions, allowing users to login from any IP address. Expire to auto-logout: Specify a time frame for the system to auto-logout the user’s configuration session. Example: User A changes HTTP port number to 100, specifies their own IP address of 192.168.1.100 and sets the logout time to be 100 seconds.
IGMP Snooping: Select Enable or Disable for the IGMP Snooping function. IGMP Proxy: Select Enable or Disable for the IGMP Proxy function. Click Apply to apply this function, and note that the setting will become effective only after you save to flash and restart the router. 4.4.8.5 VLAN Bridge This section allows you to create a VLAN group and specify its members. VLAN Bridge: Select Enable or Disable to use the VLAN Bridge function. Click Create to create another VLAN group.
VLAN Name: Please input VLAN name of this rule. VLAN ID: Please input VLAN ID that will be used for Tagged member port(s). Tagged Member port(s): Please check the interface that you would like to use in this VLAN ID group. Untagged Member port(s): Please check the interface that you would like to use in this VLAN ID group. Click Apply to add this rule. 4.
your configuration settings before you logout. Be aware that the router is restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to logout, the second PC can access the page after a user-defined period (5 minutes by default). You can modify this value using the Advanced > Device Management section of the Web Configuration Interface.
Chapter 5: Troubleshooting 5.1 Basic Functionality This section deals with issues regarding your BiGuard 2/10’s basic functions. 5.1.1 Router Won’t Turn On If the Power and other LEDs fail to light when your BiGuard 2/10 is turned on: - Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet. - Check that you are using the 12VDC power adapter supplied by Billion for this product.
- Make sure each Ethernet cable connection is secure at the firewall and at the hub or workstation. - Make sure that power is turned on to the connected hub or workstation. - Be sure you are using the correct cable. When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable. 5.1.
- Check the 10/100 LAN LEDs on BiGuard 2/10’s front panel. One of these LEDs should be on. If they are both off, check the cables between BiGuard 2/10 and the hub or PC. - Check the corresponding LAN LEDs on your PC’s Ethernet device are on. - Make sure that driver software for your PC’s Ethernet adapter and TCP/IP software is correctly installed and configured on your PC. - Verify the IP address and the subnet mask of BiGuard 2/10 and the computers are on the same subnet. 5.2.
3. Make sure that the Delete All Offline Content checkbox is checked, and click OK. 4. Click OK under Internet Options to close the dialogue. - In Windows, type arp –d at the command prompt to clear your computer’s ARP table.
5.2.3.1 Pop-up Windows To use the Web Configuration Interface, you need to disable pop-up blocking. You can either disable pop-up blocking, which is enabled by default in Windows XP Service Pack 2, or create an exception for your BiGuard 2/10’s IP address. Disabling All Pop-ups In Internet Explorer, select Tools > Pop-up Blocker and select Turn Off Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab of the Internet Options dialogue. 1.
3. Enter the IP address of your router. 4. Click Add to add the IP address to the list of Allowed sites. 5. Click Close to return to the Privacy tab of the Internet Options dialogue. 6. Click Apply to save your changes. 5.2.3.2 Javascripts If the Web Configuration Interface is not displaying properly in your browser, check to make sure that JavaScripts are allowed. 1. In Internet Explorer, click Tools > Internet Options. 2. Under the Security tab, click Custom Level.
3. Under Scripting, check to see if Active scripting is set to Enable. 4. Ensure that Scripting of Java applets is set to Enable. 5. Click OK to close the dialogue. 5.2.3.3 Java Permissions The following Java Permissions should also be given for the Web Configuration Interface to display properly: 1. In Internet Explorer, click Tools > Internet Options. 2. Under the Security tab, click Custom Level. 3. Under Microsoft VM*, make sure that a safety level for Java permissions is selected. 4.
5.3 WAN Interface If you are having problems with the WAN Interface, refer to the tips below. 5.3.1 Can’t Get WAN IP Address from the ISP If the WAN IP address cannot be obtained from the ISP: - If you are using PPPoE or PPTP, you will need a user name and password. Ensure that you have entered the correct Service Type, User Name, and Password. Note that user names and passwords are case-sensitive.
2. Access the Web Configuration Interface by entering your router’s IP address (default is 192.168.1.254). 3. The WAN IP Status is displayed on the first page. 4. Check to see that the WAN port is properly connected to the ISP. If a Connected by (x) where (x) is your connection method is not shown, your router has not successfully obtained an IP address from your ISP. If an IP address cannot be obtained: 1. Turn off the power to your cable or DSL modem. 2. Turn off the power to your BiGuard 2/10. 3.
account as your PC’s host name on the router. - Your ISP may check for your PC’s MAC address. Either inform your ISP that you have purchased a new network device and ask them to use your router’s MAC address, or configure your router to spoof your PC’s MAC address. If an IP address can be obtained, but your PC cannot load any web pages from the Internet: - Your PC may not recognize DNS server addresses. Configure your PC manually with DNS addresses.
Appendix A: Product Specifications A.
- Intrusion detection Content Filtering - URL Filter settings prevent user access to certain sites on the Internet - Java Applet/Active X/Cookie Blocking Quality of Service Control - Supports DiffServ approach - Traffic prioritization and bandwidth management based on IP protocol, port number and IP or MAC address Web-Based Management - Easy-to-use WEB interface - Firmware upgradeable via WEB interface - Local and remote management via HTTP & HTTPS Network Protocols and Features - Web Diagnostics - Syst
Physical Specifications Dimensions: 18.98" x 6.54" x 1.77" (482mm x 166 mm x 45mm, with Bracket) 9.84" x 6.54" x 1.
A.
Firewall - Stateful Packet Inspection (SPI) and Denial of Service (DoS) prevention - Packet filter un-permitted inbound (WAN)/Inbound (LAN) Internet access by IP address, port number and packet type - Email alert and logs of attack - MAC Address Filtering - Intrusion detection Content Filtering - URL Filter settings prevent user access to certain sites on the Internet - Java Applet/Active X/Cookie Blocking Quality of Service Control - Supports DiffServ approach - Traffic prioritization and bandwidth manag
Physical Interface Ethernet WAN 1 ports (10/100 Base-T), support Auto- Crossover (MDI/MDIX) Ethernet LAN 8 ports (10/100 Base-T) switch, support Auto- Crossover (MDI/MDIX) Physical Specifications Dimensions: 10.43" x 6.93" x 1.
Appendix B: Customer Support Most problems can be solved by referring to the Troubleshooting section in the User’s Manual. If you cannot resolve the problem with the Troubleshooting chapter, please contact the dealer where you purchased this product. Contact Billion Worldwide http://www.billion.
Appendix C: FCC Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: - This device may not cause harmful interference. - This device must accept any interference received, including interference that may cause undesired operations. This equipment has been tested and found to comply within the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
Appendix D: Network, Routing, and Firewall Basics D.1 Network Basics D.1.1 IP Addresses With the number of TCP/IP networks interconnected across the globe, ensuring that transmitted data reaches the correct destination requires each computer on the Internet has a unique identifier. This identifier is known as the IP address. The Internet Protocol (IP) uses a 32-bit address structure, and the address is usually written in dot notation. A typical IP address looks like this: 198.25.12.
192.168.234.245/24, which means that the net mask is 24 ones followed by 8 zeros. (11111111 11111111 11111111 00000000). D.1.1.2 Subnet Addressing Subnet addressing enables the split of one IP network address into multiple physical networks. These smaller networks are called subnetworks, and these subnetworks can make efficient use of each address when compared to needing a different network number at each end of a routed link.
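Worked example, added here and not part of the manual: the prefix-length-to-mask arithmetic behind 192.168.234.245/24, plus the same-subnet check the troubleshooting chapter asks you to verify. The 192.168.1.x addresses are constructed from the router's default LAN address.

```python
def prefix_to_mask(prefix_len: int) -> int:
    """Netmask as a 32-bit integer: prefix_len ones followed by zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Dot notation -> 32-bit integer, rejecting malformed octets."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_binary(mask: int) -> str:
    """The bit pattern the manual writes out, one octet per group."""
    return " ".join(format((mask >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def network_of(cidr: str) -> str:
    """Network address of an address written as a.b.c.d/prefix."""
    address, prefix = cidr.split("/")
    return int_to_ip(ip_to_int(address) & prefix_to_mask(int(prefix)))


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """The check from the troubleshooting chapter: do two hosts share a subnet?"""
    mask = ip_to_int(netmask)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    # Constructed inputs: the manual's example prefix and the router's default LAN address.
    print(network_of("192.168.234.245/24"), mask_to_binary(prefix_to_mask(24)))
    print(same_subnet("192.168.1.254", "192.168.1.100", "255.255.255.0"))
```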
D.1.2 Network Address Translation (NAT) Traditionally, multiple PCs that needed simultaneous Internet access also required a range of IP addresses from the Internet Service Provider (ISP). Not only was this method very costly, but the number of available IP addresses for PCs is limited. Instead, BiGuard 2/10 uses a type of address sharing called Network Address Translation to grant Internet access to several PCs on the same network through the same Internet account.
connected to at least two networks. Usually, this is a LAN and a WAN that is connected to an ISP network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols to communicate with each other and configure the best route between any two hosts.
firewall adds features that deal with outside Internet intrusion and attacks. When an attack or intrusion is detected, the firewall can be configured to log the intrusion attempt, and can also notify the administrator of the incident. With this information, the administrator can work with the ISP to take action against the hacker. Against some types of attacks, the firewall can discard intruder packets, thereby fending off the hacker from the private network. D.3.1.
Appendix E: Virtual Private Networking E.1 What is a VPN? A Virtual Private Network (VPN) is a shared network where private data is segmented from other traffic so that only the intended recipient has access. It allows organizations to securely transmit data over a public medium like the Internet. VPNs utilize tunnels, which allow data to be safely delivered to the intended recipient.
Internet Protocol Security (IPSec) is a set of protocols and algorithms that provide data authentication, integrity, and confidentiality as data is transferred across IP networks. IPSec provides data security at the IP packet level, and protects against possible security risks by protecting data. IPSec is widely used to establish VPNs. There are three major functions of IPSec: - Confidentiality: Conceals data through encryption. - Integrity: Ensures that contents did not change in transit.
A typical AH packet contains these fields: Next Header, Payload Length, Reserved, SPI, Sequence Number, Authentication Data. E.2.1.2 Encapsulating Security Payload (ESP) Encapsulating Security Payload (ESP) provides privacy for data through encryption. An encryption algorithm combines the data with a key to encrypt it. It then repackages the data using a special format, and transmits it to the destination. The receiver then decrypts the data using the same algorithm.
like this: E.2.1.3 Security Associations (SA) Security Associations are one-way relationships between sender and receiver that specify IPSec-related parameters. They provide data protection by using the defined IPSec protocols, and allow organizations to control, according to the security policy in effect, which resources may communicate securely.
Transport Mode: - This mode is used to provide data security between two networks. It provides protection for the entire IP packet and is sent by adding an outer IP header corresponding to the two tunnel end-points. Since tunnel mode hides the original IP header, it provides security for networks with private IP address space. Figure: Tunnel Mode packet layout (IP header, AH, TCP, Data). E.2.3 AH/E AH is typically applied to a data packet in the following manner: E.2.
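Added example (not code from the manual or from Billion): parsing and building the AH header fields listed above with Python's struct module, including the Payload Length versus ICV consistency check a receiver should make. The SPI and ICV bytes are constructed placeholders, and the ReplayWindow class is an assumption about how a receiver uses the Sequence Number, not BiGuard's implementation.

```python
import struct
from dataclasses import dataclass

# Next Header (1) + Payload Length (1) + Reserved (2) + SPI (4) + Sequence Number (4)
AH_FIXED_LEN = 12


@dataclass
class AuthHeader:
    next_header: int    # protocol of the data that follows (e.g. 6 = TCP)
    payload_len: int    # AH length in 32-bit words, minus 2, as carried on the wire
    spi: int            # Security Parameters Index, selects the SA
    seq: int            # Sequence Number
    icv: bytes          # Authentication Data (Integrity Check Value)

    @property
    def total_len(self) -> int:
        return (self.payload_len + 2) * 4


def parse_ah(data: bytes) -> AuthHeader:
    """Parse an AH header from the start of `data`, checking internal consistency."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    if reserved != 0:
        raise ValueError("Reserved field must be zero")
    total = (payload_len + 2) * 4
    if total < AH_FIXED_LEN or len(data) < total:
        raise ValueError(f"Payload Length claims {total} bytes, {len(data)} available")
    return AuthHeader(next_header, payload_len, spi, seq, data[AH_FIXED_LEN:total])


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialise an AH header; the ICV must pad AH to a multiple of 32 bits (IPv4)."""
    if len(icv) % 4:
        raise ValueError("ICV length must be a multiple of 4 bytes")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def is_valid_ah(data: bytes) -> bool:
    try:
        parse_ah(data)
        return True
    except ValueError:
        return False


class ReplayWindow:
    """Sliding window over the Sequence Number, the usual way a receiver rejects
    replayed AH packets (an illustration, not BiGuard's implementation)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence (highest - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                                  # never valid on the wire
        if seq > self.highest:                            # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                                  # older than the window
        if self.bitmap & (1 << offset):
            return False                                  # replay
        self.bitmap |= 1 << offset
        return True
```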
E.2.5 Internet Key Exchange (IKE) Before either AH or ESP can be used, it is necessary for the two communication devices to exchange a secret key that the security protocols themselves will use. To do this, IPSec uses Internet Key Exchange (IKE) as a primary support protocol. IKE facilitates and automates the SA setup, and exchanges keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it.
Appendix F: IPSec Logs and Events F.1 IPSec Log Event Categories There are three major categories of IPSec Log Events for your BiGuard 2/10. These include: 1. IKE Negotiate Packet Messages 2. Rejected IKE Messages 3. IKE Negotiated Status Messages The table in the following section lists the different events of each category, and provides a detailed explanation of each. F.
Send Main mode second response message of ISAKMP: Sending the main mode second response message. Done to exchange key values.
Received Main mode second response message of ISAKMP: Received the main mode second response message. Done to exchange key values.
Send Main mode third message of ISAKMP: Sending the third message of main mode. Done for authentication.
Received Main mode third: Received the third message of main mode. Done for authentication.
Received Quick mode first response message: Received the first response message of quick mode (Phase II). Done to exchange proposal and key values (IPSec).
Send Quick mode second message: Sending the second message of quick mode (Phase II).
Received Quick mode second message: Received the second message of quick mode (Phase II).
ISAKMP IKE Packet: Indicates IKE packet.
ISAKMP Information: Indicates Information packet.
ISAKMP Quick Mode: Indicates quick mode packet.
(Main/Aggressive) mode peer ID is (identifier string)
ISAKMP SA Established
IPsec SA Established
Appendix G: Bandwidth Management with QoS G.1 Overview In a home or office environment, users constantly have to transmit data to and from the Internet. When too many are accessing the Internet at the same time, service can slow to a crawl, causing service interruptions and general frustration. Quality of Service (QoS) is one of the ways BiGuard 2/10 can optimize the use of bandwidth, ensuring a smooth and responsive Internet connection for all users. G.
- Prioritization: Assigns different priority levels for different applications, prioritizing traffic. High, Normal and Low priority settings. - Outbound and Inbound IP Throttling: Controls network traffic and allows you to limit the speed of each application. - DiffServ Technology: Manages priority queues and DSCP tagging through the Internet backbone. Manages traffic among Ethernet, wireless, and ADSL interfaces. G.
broadband connection.
Application: Data Ratio (%), Priority
On-line games: 30%, High
Skype: 5%, High
Email: 10%, High
FTP: 20%, Upload (High), Download (Normal)
Other: 35%
G.4.2 Office Users QoS is also ideal for small businesses using an office server as a web server. With QoS control, web pages served to your customers can be given top priority and delivered first so that they will not be impeded by email and office web browsing. Here is a good example of how QoS can work in an office environment.
FTP: 10%, Upload (High), Download (Normal)
Other: 30%, MP3 (Low), MSN (Normal)
Appendix H: Router Setup Examples H.1 VPN Configuration This section outlines some concrete examples of how you can configure BiGuard 2/10 for your VPN. H.1.1 LAN to LAN
Setting: Branch Office / Head Office
Local ID: IP Address / IP Address
Data: 69.121.1.30 / 69.121.1.3
Network: Any Local Address / Any Local Address
IP Address: 192.168.0.0 / 192.168.1.0
Netmask: 255.255.255.0 / 255.255.255.0
Remote Secure Gateway Address (or Hostname): 69.121.1.3 / 69.121.1.
Remote ID: IP Address / IP Address
Data: 69.121.1.3 / 69.121.1.30
Network: Subnet / Subnet
IP Address: 192.168.1.0 / 192.168.0.0
Netmask: 255.255.255.0 / 255.255.255.0
Proposal: IKE Pre-shared Key 12345678 / 12345678
Security Algorithm: Main Mode, ESP, MD5, 3DES, PFS / Main Mode, ESP, MD5, 3DES, PFS
H.1.
Setting: Single client / Head Office
Local ID: IP Address / IP Address
Data: 69.121.1.30 / 69.121.1.3
Network: Any Local Address / Any Local Address
IP Address: 0.0.0.0 / 192.168.1.0
Netmask: 0.0.0.0 / 255.255.255.0
Remote Secure Gateway Address (or Hostname): 69.121.1.3 / 69.121.1.30
Remote ID: IP Address / IP Address
Data: 69.121.1.3 / 69.121.1.30
Network: Subnet / Single Address
IP Address: 192.168.1.0 / 69.121.1.30
Netmask: 255.255.255.0 / 255.255.255.
H.2 VPN Concentrator
Figure: VPN concentrator topology with BiGuard 2 Branch A (192.168.3.x), BiGuard 2 Branch B (192.168.2.x) and BiGuard 2 Headquarter, with WAN addresses 200.200.200.1 and 100.100.100.1.
Branch A: Local ID Type: Subnet; Local subnet: 192.168.3.0; Local mask: 255.255.255.0; Remote ID Type: Subnet; Remote subnet: 0.0.0.0; Remote mask: 0.0.0.0
Headquarter (link to Branch A): Local ID Type: Subnet; Local subnet: 0.0.0.0; Local mask: 0.0.0.0; Remote ID Type: Subnet; Remote subnet: 192.168.3.0; Remote mask: 255.255.255.0
Headquarter (link to Branch B): Local ID Type: Subnet; Local subnet: 0.0.0.0; Local mask: 0.0.0.
Step 2: Go to Configuration > IPSec and configure the link from BiGuard 2/10 Headquarter to BiGuard 2/10 Branch B. Step 3: Go to Configuration > IPSec and configure the connection from BiGuard 2/10 Branch A to BiGuard 2/10 Headquarter.
Step 4: Go to Configuration > IPSec and configure the connection from the BiGuard 2/10 Branch B to BiGuard 2/10 Headquarter. Step 5: Click Save Config to save all changes to flash memory. H.
Step 1: Go to Configuration > Firewall > Intrusion Detection and enable the settings. Step 2: Click Apply and then Save Config to save all changes to flash memory. H.4 PPTP Remote Access by Windows XP Figure: a Windows XP PPTP client on a business trip connects over the Internet to the Headquarter BiGuard acting as PPTP server (WAN 100.100.100.1; local subnet 192.168.30.0; local mask 255.255.255.
Step 1: Go to Configuration > VPN > PPTP and enable the PPTP function, then click Apply. Step 2: Click Create to create a PPTP account.
Step 3: Click Apply; you can see that the account has been created successfully. Step 4: Click Save Config to save all changes to flash memory. Step 5: In Windows XP, go to Start > Settings > Network Connections.
Step 6: In Network Tasks, click Create a new connection, and press Next. Step 7: Select Connect to the network at my workplace and press Next.
Step 8: Select Virtual Private Network connection and press Next. Step 9: Input a user-defined name for this connection and press Next.
Step 10: Input the PPTP Server Address and press Next. Step 11: Press Finish.
Step 12: Double-click the connection, and input the Username and Password defined in the BiGuard PPTP Account Settings. PS. You can also refer to the Properties > Security page, as shown below (default settings).
H.5 PPTP Remote Access by BiGuard Figure: the Headquarter BiGuard acting as PPTP server (WAN 100.100.100.1; local subnet 192.168.30.0; local mask 255.255.255.0) is connected over the Internet by a PPTP tunnel to the Branch Office BiGuard acting as PPTP client (WAN 200.200.200.1). Step 1: Go to Configuration > VPN > PPTP and enable the PPTP function, disable the Encryption, then click Apply. Step 2: Click Create to create a PPTP account.
Step 3: Click Apply; you can see that the account has been created successfully. Step 4: Click Save Config to save all changes to flash memory.
Step 5: On the other BiGuard, acting as the client, go to Configuration > WAN. Step 6: Click Apply, and Save CONFIG.