LP-3014PW Wireless ADSL Modem Installation Guide and User’s Manual Version 2.0.16 COMTAC.
© Copyright 2002-2004 COMTAC. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, decryption, decompilation, and reverse engineering. No part of this product or document may be reproduced in any form by any means without prior written authorization of COMTAC. or its licensors, if any. The information in this document is subject to change without notice.
TABLE OF CONTENTS
CHAPTER 1 INTRODUCTION TO WIRELESS ADSL MODEM ROUTER
  PRODUCT FEATURES
  RELATED DOCUMENTS
CHAPTER 2 BEFORE INSTALLATION
[...]
  PPP DISCONNECT TIMER CONFIGURATION
    Enable/Disable Idle Timer Filter
    Filter Application
    Filter Details
CHAPTER 1 INTRODUCTION TO WIRELESS ADSL MODEM ROUTER
The Wireless ADSL Ethernet Modem Router is optimized to address the growing demand for high-speed Internet access. With a USB 1.1-compliant interface, an IEEE 802.3-compliant Ethernet interface and a high performance 54Mbps IEEE 802.11g compliant interface, this complete device provides the widest array of connectivity options without relying on host PC drivers.
• ATM Forum UNI 3.1/4.0 PVC
• Up to 8 VCs (Virtual Circuits)
• ATM SAR (Segmentation and Reassembly)
• ATM AAL5 (Adaptation Layer type 5)
• OAM F4/F5
• Bridge Mode
• Ethernet to ADSL self-learning Transparent Bridging (IEEE 802.
• HTTP Web-based Management
• Firmware upgrade via FTP
• Customizable Web pages
• WAN and LAN side connection statistics
• Configuration of static routes and Routing table
• Configuration of NAT/NAPT
• Password protected access
• Selection of Bridge or Router Mode
• PPP user ID and password
• Configuration of VCs (Virtual Circuits)
• Ethernet Interface
• IEEE 802.
Related Documents
• ITU G.992.1 (G.dmt Full-rate ADSL)
• ITU G.992.2 (G.
CHAPTER 2 BEFORE INSTALLATION
Package Content
Make sure that you have the following items:
• ADSL Wireless Ethernet Modem Router (Single-Port/Four-Ports)
• 12VDC Power Adaptor
• Telephone cable
• Installation guide
• Splitter/ CAT-5 UTP Fast Ethernet cable/ USB cable (Optional)
Note: If any of the items is damaged or missing, contact your dealer immediately.
Wireless ADSL Ethernet Modem Router (Four-Ports) LED Indicators
The LED Indicators read as follows:

LED NAME   Descriptions
READY      Blink: ADSL modem is ready.
           Off: ADSL modem is not ready or has malfunctioned.
           Always On: Please send back for repair.
ADSL       Blink: ADSL modem is ready to connect or the link is down.
           On: ADSL modem links to DSLAM successfully.
LAN 1-4    On: ADSL modem has a successful Ethernet connection.
Wireless ADSL Ethernet Modem Router (Four-Port) The rear panel of the Wireless Router provides access to the DC power adapter, one USB connection, four LAN connections, one WAN connection, one antenna, and power on/off switch.
CHAPTER 3 HARDWARE INSTALLATION
[Figure: LP-AL3011PW connections. Labels: Power Switch; Factory Reset button; USB cable; Power Adapter (power cord connects here); Splitter (optional and changes depending on country specification); RJ-45 Ethernet port (connect Ethernet cable here); RJ-11 ADSL port (connect ADSL cable here)]
Wireless ADSL Modem User’s Manual
[Figure: LP-AL3014PW connections. Labels: Power Switch; Power Adapter (power cord connects here); Factory Reset button; USB cable; RJ-45 Ethernet port (connect Ethernet cable here); Splitter (optional and changes depending on country specification); RJ-11 ADSL port (connect ADSL cable here)]
Installation Procedures
• Power on: Connect the adapter to the power inlet and turn the power switch on; the product will enter a self-test phase. During the self-test phase, the READY LED is lit for about 8 seconds and then flashes to indicate that the self-test phase has finished. Finally, the READY LED flashes to indicate that the router is in normal operation.
CHAPTER 4 NETWORKING SETTINGS
TCP/IP Configuration for Windows 95/98/ME
Use the following steps to configure the manager PC to be a DHCP client. These same steps must be performed for every host PC on your network if you use the DHCP function of the Router.
1. Click the Start button, Settings and choose Control Panel.
2. Double click the Network icon and select the Configuration tab.
3. Select the TCP/IP line that has been associated to your network card in the Configuration tab and click Properties.
4.
B. Configure IP Address manually. Select Specify an IP address on the IP address tab. The default IP address of the Router is 10.0.0.2, so use 10.0.0.X (X is between 1 and 253, except 2) for the IP address field and 255.0.0.0 for the Subnet Mask field.
In the Gateway tab, add the IP address of the Router (default IP is 10.0.0.2) in the New gateway field and click Add button.
In the DNS Configuration tab, add the DNS values which are provided by the ISP into DNS Server Search Order field and click Add button.
TCP/IP Configuration for Windows W2K/XP
Use the following steps to configure the manager PC to be a DHCP client. These same steps must be performed for every host PC on your network if you use the DHCP function of the Router.
1. Click the Start button, Settings and choose Control Panel.
2. Double click the Network Connections icon.
3. Select “Local Area Connection” from Network Connections. Right click on the icon and select “Properties”.
4. Now, you have two setting methods:
A. Get IP Address from Router (DHCP)
B. Configure IP Address manually. Select Use the following IP address. The default IP address of the Router is 10.0.0.2, so use 10.0.0.X (X is between 1 and 253, except 2) for the IP address field and 255.0.0.0 for the Subnet Mask field.
In the Default Gateway field, add the IP address of the Router (default IP is 10.0.0.2). Select Use the following DNS server addresses. Add the DNS IP addresses which are provided by the ISP. Then click the OK button.
Check your TCP/IP protocol
After configuring the TCP/IP protocol, you can use the ping command to check if your computer has successfully connected to this Router. The following example shows the ping procedure for Windows 98. First, execute the ping command in the MS-DOS Command prompt.

Ping 10.0.0.2

If the following messages appear:

Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2 : bytes=32 times<10ms TTL=64
Reply from 10.0.0.2 : bytes=32 times<10ms TTL=64
Reply from 10.0.0.
CHAPTER 5 ACCESS AND STATUS OF MODEM
The modem offers a web-based (HTML) graphical user interface allowing users to manage the Router using standard browser software such as Netscape Navigator or Microsoft Internet Explorer.
Accessing the Web Manager
• Launch the Web browser.
• Enter the LAN port default IP address http://10.0.0.2.
• Entry of the user name and password will be prompted.
• Enter the default login User Name and Password.
Home Page
The Home page shows the firmware versions, WAN and LAN interface status. The LAN session shows the information and status of LAN port, DHCP client table, Ethernet link and USB link.
PPP Page
The PPP Status page shows the status of PPP for each PPP interface.
PPP: These fields display the Connection Name (user defined), Interface (PVC), Mode (PPPoE or PPPoA), Status (Connected or Not Connected), Packets Sent, Packets Received, Bytes Sent and Bytes Received.
ADSL Status Page The ADSL Status page shows the ADSL physical layer status.
CHAPTER 6 CONFIGURE ADSL MODEM
The links under the Configuration column are associated to the pages that represent the configurations of system and interfaces.
Note: When the configurations are changed, please go to the Save Settings page to save the new setting and reboot the modem.
WAN Configuration
The WAN configuration page allows the user to set the configuration for the WAN/ADSL ports. First, you select adapter, say, Pvc 0: 1.
PPPoE / PPPoA mode with DHCP function
As shown on the highlighted parameters, enter VPI, VCI, User name, Password and Encapsulation. Disable Bridge mode and leave the other parameters unchanged. Click Submit, Save, then Reboot system. You will need these parameters from your ISP or phone company.
Router mode for Static IP with DHCP function
Enter Gateway, VPI, VCI, Static IP address, Subnet Mask, Encapsulation, and disable Bridge mode. You will need these parameters from your ISP or phone company.
Note: The default IP address of this Router is 10.0.0.2. If you forget the modified IP address, you can’t access this device anymore and the only solution is to reset it by pushing the reset button.
You may also need to enter DNS information if you can’t access the Internet:
• Click DNS page.
Bridge mode with DHCP function
Enter VPI, VCI, Enable Bridge Mode, enter Encapsulation, IP, Subnet Mask, Gateway, and leave others unchanged. Save, Submit, then Reboot.
Additional Configuration of Router Modes In a typical routed configuration, the ADSL router is treated as a separate device on the network that the PC and DSLAM send packets to. The Ethernet and ADSL networks are configured as separate IP subnets. The PC must have the ADSL router set up as its default gateway. Descriptions of the protocols supported in this mode of operation are discussed in the next sections.
• PPP password: Provided by ISP
• NAT Configuration: NAPT
Please see scenario 4: Router Mode Configuration PPPoA in Appendix for more detailed configuration.
PPPoE (RFC 2516)
Following settings are necessary when working under this mode:
• VPI/VCI
• Encapsulation: PPPoE LLC
• Bridged: Disabled
• PPP User Name: Provided by ISP
• PPP password: Provided by ISP
• NAT Configuration: NAPT
Please see scenario 5: Router Mode Configuration PPPoE in Appendix for more detailed configuration.
Please use the following table to configure a valid setting for each PVC, or go to the Appendix page to choose the suitable scenario.
Following settings are necessary when working under this mode:
• VPI/VCI
• Encapsulation: 1483 Bridged IP LLC
• Bridged: Enabled
• NAT Configuration: Disabled
• LAN DHCP Server: Disabled
Please see scenario 1: Bridge Mode Configuration Table in Appendix for more detailed configuration.
IGMP
IGMP relay/proxy specification and environment:
• Support IGMP proxy/relay function for ADSL modem, based on the following requirement and case.
• On CO side, there must be at least one IGMP querier (router) present.
ATM
• VPI: Virtual Path Identifier is a virtual path used for cell routing that is identified by an eight bit field in the ATM cell header. The VPI field specifies this eight bit identifier for routing. Range for VPI field is 0-255, default is 0.
• VCI: A Virtual Channel Identifier is a virtual channel that is identified by a unique numerical tag that is defined by a 16-bit field in the ATM cell header. The purpose of the virtual channel is to identify where the cell should travel.
• Sustainable Cell Rate: This is the sustained rate at which a PVC enabled with VBR-nrt can transmit ATM cells. Sustainable Cell Rate (SCR) can be considered as the true reserved bandwidth for a PVC. Range for Sustainable Cell Rate field is 0-32767, default is 0. • Max Burst Size: This is the number of cells a PVC enabled with VBR-nrt can transmit continuously at peak cell rate (PCR). Range for Max Burst Size field is 0-32767, default is 0.
DHCP Client DHCP Client: This is to enable or disable (default) the ADSL Bridge/Router WAN as a DHCP client, where the ISP would be the DHCP server. DHCP Client is generally used in the following encapsulations: 1483 Bridged IP LLC, 1483 Routed IP LLC, 1483 Bridged IP VC-MUX, 1483 Routed IP VC-Mux, and Classical IP over ATM. This option is for non-static (dynamic) IP addresses. Host Name: When DHCP Client is Enabled, copy the ISP recognized Host Name here. The Host Name can be up to 19 characters.
PPP Configuration The current release supports multiple PPP sessions per PVC. The PPP configuration in the WAN configuration page is for the first PPP session for each of PVC. The predefined PPP Account Name (Account ID) is “Simple PPP Account 0” for PVC0 and predefined PPP Connection Name is “Simple PPP Session 0” for PVC0. For the other PVC X, the predefined account name and connection name will be Simple PPP Account X and Simple PPP Session X. X is the PVC number from 1 to 7.
LAN Configuration
The LAN configuration page allows the user to set the configuration for the LAN port. The modem comes with a preset default IP address setting of 10.0.0.2 for the LAN port. There are two ways to use this default IP address: you can manually assign an IP address and subnet mask for each PC on the LAN, or you can instruct the Router to automatically assign them using DHCP. The DHCP function is active by default.
• LAN IP Address & Subnet Mask: The default is 10.0.0.2 and 255.0.0.0.
o System Allocated: The DHCP address pool is based on LAN port IP address plus 12 IP addresses. For example, the LAN IP address is 10.0.0.2; the DHCP address pool is at the range of 10.0.0.3 to 10.0.0.14.
o User Defined: The DHCP address pool is at the range of User Defined Start Address and User Defined End Address. The maximum pool size can be 253 IP addresses: 255 total IP addresses – 1 broadcast address – 1 LAN port IP address.
PPP Configuration
The PPP Configuration page allows you to configure multiple PPP sessions for each PVC. It can support up to a total of 16 PPP sessions, and each PVC can support up to 8 PPP sessions. The multiple PPP sessions may be configured with any combination over 8 PVCs. To configure PPP, you must go to the PPP Account Configuration page first to configure Account ID, User Name and Password.
• Session Name: This field allows you to enter a Session Name.
• MRU: The MRU (Maximum Receive Unit) field indicates the maximum size IP packet that the peer of PPP connection (this device) can receive. During the PPP negotiation, the peer of the PPP connection will indicate its MRU and will accept any value up to that size. The actual MTU of the PPP connection will be set to the smaller of the two (MTU and the peer’s MRU). In the normal negotiation, the peer will accept this MRU and will not send packet with information field larger than this value.
PPP Disconnect Timer Configuration The PPP Disconnect Timer Configuration page enables you to configure what action will bring a PPP Session out of the Idle state (disconnected state) and reset the Idle Timer. This is done by specifying criteria contained in packets, namely IP Protocol and Port. The Idle Timer refers to the Disconnect Timeout, specified on the PPP Configuration page.
WAN side. The disconnect timer will reset when outbound traffic is detected (if they match the filter table criteria). • Inbound and Outbound Traffic: Selecting this will allow both WAN and LAN source packets to reset the idle timer. Filter Details The table displayed in the Filter Details section of the page shows all the current Idle Filters. Traffic must match the criteria of one of these filters in order to cause an Idle Timeout, unless All Traffic will reset Idle Timer is selected.
NAT Configuration The NAT Configuration page allows the user to set the configuration for the Network Address Translation. The default setting is Dynamic NAPT. It provides dynamic Network Address Translation capability between LAN and multiple WAN connections, and the LAN traffic is routed to appropriate WAN connections based on the destination IP addresses and Route Table. This eliminates the need for the static NAT session configuration between multiple LAN clients and multiple WAN connections.
• Interface: This field allows the user to choose specific WAN Interface (PVC or PPP Session) for NAT Session. NAT Session Name Status will be displayed at the bottom of this page to show all the Session Names with its WAN Interface. Click the link Go back to NAT Configuration to the NAT configuration page. Select the NAT option. Input the session name and the PC IP address, and choose the Add action. Click the Submit button and go to the Save Settings to save this configuration.
Virtual Server The Virtual Server Configuration page allows users to set the configuration of Virtual Server. The firmware includes the Free BSD version firewall. All UDP/TCP ports are protected from intrusion. If any specific local PCs need to be mapped to the UDP/TCP port on WAN side, please input the mappings here. This product’s NAT firewall filters out unrecognized packets to protect your Intranet, so all hosts behind this product are invisible to the outside world.
• Public Port: This field allows the user to enter the port number of the Public Network.
• Private Port: This field allows the user to enter the port number of the Private Network. In most cases, the private port number is the same as the public port number.
• Host IP Address: This field allows the user to enter the private network IP address for the particular server. For example, IP of Windows machine that connected with modem is 192.168.2.
Bridge filtering
Bridge Filtering allows packets to be forwarded or blocked, depending on the MAC address. The Bridge Filtering configuration page allows users to set the configuration of IP filtering.
• Source MAC: When the bridge filtering is enabled, enter the Source MAC address, select Block and click Add. Then all incoming WAN and LAN Ethernet packets matched with this source MAC address will be filtered out.
DNS Configuration
Domain Name Service (DNS) is a service used on the Internet for resolving fully qualified domain names (FQDN) to their Internet Protocol (IP) address. You can type the preferred DNS server IP address and the alternative DNS server IP address that are provided by the ISP or automatically assigned by the ISP. Click Submit and Save Settings to save your setting. The DNS Configuration page allows users to set the configuration of DNS proxy. The firmware supports the DNS proxy function.
There are four DNS proxy modes available:
• Disable DNS Proxy: The LAN port does not process the DNS query message. For the DHCP requests from local PCs, the DHCP server will set the user-configured preferred DNS server or alternate DNS server, whichever is available, as the DNS server. Then all DNS query messages will be directly sent to the DNS servers.
• Use Auto Discovered DNS Servers Only: The DNS proxy will store the DNS server IP addresses obtained from DHCP client or PPP into the table.
Wireless This page allows you to configure basic wireless properties and security. • SSID : An SSID (acronym for Service Set Identifier) is the unique name shared among all points in a wireless network. The SSID must be identical for all points in the network. It is case sensitive and must not exceed 31 characters. • Channel: Select the appropriate channel to correspond with your network settings, between 1 and 14. All access points and wireless PC adaptors must share the same channel to interoperate.
• Security: The ADSL Bridge/Router provides a security encryption tool known as WEP (Wired Equivalent Privacy). WEP is designed to provide security and privacy equivalent to that found in a wired network. This is done by encrypting the data packets sent between client and host with an encryption key. Both the client (PC) and the host (access point/router) must have the same WEP key in order to communicate. The available WEP settings are 64 bit and 128 bit.
Wireless LAN (WLAN) Security
WiFi Protected Access (WPA) security certification is a partial snapshot of 802.11i. It includes Temporal Key Integrity Protocol (TKIP) and 802.1x mechanisms. The combination of these two mechanisms provides dynamic key encryption and mutual authentication. With WPA, you can connect this modem with a RADIUS server to perform 802.1x for authentication. 802.1x is an IEEE standard that enables authentication and key management for LANs.
• Firmware Version: This is the version of the Wireless Security firmware.
• WPA Mode: This field allows you to enable/disable WLAN Security.
• Network Authentication: There are two available methods of WLAN Security:
o WPA RADIUS: This option uses 802.1X for authentication with RADIUS server while using TKIP encryption.
o WPA Pre-Shared Key: This option uses a pre-shared key (psk) for authentication while using TKIP encryption.
• Data Encryption: support TKIP.
Save Settings / Reboot
The Save Settings page allows users to save the new configuration to the flash and reboot the system. After changing settings, you must click Save Settings and then click Submit. The Router will save the settings and perform a software reset, which takes about 20 seconds.
• Save & Reboot: Click this to apply all changes.
• Reboot Only: Do this to discard all changes since last save.
CHAPTER 7 ADMIN PRIVILEGE The links under Admin Privilege are only accessible when user is logged in as Admin. Regular user account does not have authorization to view or alter the content on the pages in the Admin Privilege section. WAN Status The WAN Status page shows the information and status of WAN PVCs. WAN: This field displays the IP address, Subnet Mask and MAC address for the WAN (ADSL) interface. Use the Virtual Circuit selection to select different PVCs for status display.
ADSL Configuration The ADSL Configuration page allows you to set the configuration for ADSL protocols. Annex Mode Config: This allows you to manually configure the ADSL Bridge/Router for Annex A or Annex B mode by selecting User Configured and choosing the Annex Mode in the next field.
User Selected Annex Mode: This allows you to select from Annex A and Annex B. Trellis: Trellis Code is an advanced method of FEC (Forward Error Correction). This field allows you to enable or disable the Trellis Code. By default, it is always enabled. Handshake Protocol: This field allows you to select from the following ADSL handshake protocols: Autosense – G.dmt first (default), Autosense – T1.413 first, G.dmt/G.lite, T1.413, G.dmt, and G.lite.
• The Gateway field of the static route entry allows users to either enter a Gateway IP address or select a Network Interface. • All user-defined routes retained in the CPE memory, regardless if they are already in the Routing Table, are displayed on the same Route Table page. • All user defined route entries kept in the CPE memory during run time are saved to flash when the user chooses to save and reboot the CPE.
Route Configuration Destination: This field allows you to enter the remote network or host IP address for the static routing. Netmask: This field allows you to enter the Subnet Mask for the static routing. Gateway: This field allows you to enter the IP address of the gateway device that allows the router to contact the remote network or the host for Specified IP or select an Interface for the Gateway. Manually Configured Routes: This field displays the static route entries entered by the user.
RIP Configuration RIP (Routing Information Protocol) is a management protocol that ensures that all hosts in a particular network share the same information about routing paths. In a RIP, a host computer will send its entire routing table to another host computer every X seconds, where X is the supply interval. The receiving host computer will in turn repeat the same process by sending the same information to another host computer.
RIP: This field allows you to Enable or Disable the RIP session. The resulting RIP session will monitor all network interfaces that are currently available for messages from other RIP routers. RIP is disabled by default. Border Gateway: RIP implements Border Gateway as specified in RFC 1058 and RFC 1723. This limits all subnet routes and host routes to routers within that same network.
RIP Per Interface Configuration The RIP Per Interface Configuration page allows you to set the configuration for each Interface (PVCs, PPP Sessions, USB and LAN). Interface: This field allows you to choose the Interface (PVCs, PPP Sessions, USB and LAN), for the RIP to be configured. The available selections are: IP Ethernet 0, IP USB 0, IP PVC0...
Current RIP Settings: This field displays the each interface’s RIP status.
SNMP Configuration
Simple Network Management Protocol (SNMP) is an optional feature that may or may not be supported by your ADSL Bridge/Router, depending on the specific firmware that you are working with. SNMP is an application layer protocol that is used for managing networks. There are several components that make up the SNMP structure, including agents, network management stations (NMS), network management protocols, and a management information base (MIB).
SNMP System Identification: The System Name, System Contact, System Location, and System OID are provided to identify the SNMP NMS. The System OID is the ID number placed in all Trap reports. The System Name, System Contact, and System Location can be up to 127 characters. Default value for System OID is 1.3.6.1.4.1.4900. Read Community: This is the password to access public information. The Read Community can be up to 127 characters. Default is “public.
Miscellaneous Configuration The Miscellaneous Configuration page allows you to set miscellaneous configurations for the following: HTTP, FTP, TFTP, DMZ, Command Line Interface, DHCP, PPP, IGMP, and SNTP. HTTP Server Access: This field allows you to configure where these Web pages can be accessed from. • All: When this field is checked, it allows both WAN and LAN access to the Web pages. This is the system default. • Restricted LAN: This field allows the Web pages access from LAN side.
HTTP Server Port: This field allows you to specify the port of the Web access. For example, when it is changed to 8080, the HTTP server address for the LAN side is http://10.0.0.2:8080. Range for HTTP Server port is 0 – 32767, default value is 80.
FTP server: This field allows you to enable or disable the FTP server connection. System default is Enabled.
• Disable WAN side FTP access: This will disable WAN side access to the FTP server, default is Disabled.
DHCP
• NONE: This will disable the DHCP server. Note that this setting will override the DHCP Server Enable/Disable on the LAN configuration page.
• DHCP Server (default): Select this to activate the DHCP server.
• DHCP Relay: If it is enabled, the DHCP requests from local PCs will be forwarded to the DHCP server running on the WAN side.
PPP Half Bridge: When PPP Half Bridge is enabled, only one PC is able to access the Internet, and the DHCP server will duplicate the WAN IP address from the ISP to the local client PC. Only the PC with the WAN IP address can access the Internet. System default is Disabled. PPP reconnect on WAN access: If enabled, the PPP session will automatically establish a connection when a packet tries to access the WAN. System default is Enabled.
TCP Status The TCP Status page shows the statistics for all TCP connections. This page contains information that is dynamic and will refresh every 2 seconds. Reset Counters: This button allows user to reset the TCP Status counter. General: Total Packets, Data Packets, Data Bytes, Out of Order Packets, Out of Order Bytes Discarded Packets: Bad Checksum, Bad Offset Header, Too Short Connections: Initiated, Accepted, Established, Closed.
Admin Password Configuration
The Admin Password Configuration page allows you to set the password for the administrator. The Admin password is the same as the FTP password, so it must have at least 8 characters for the FTP to work. The Admin password can be up to 65 characters (excluding ‘&’).
Reset to Factory Default The Reset to Factory Default page allows you to reset the ADSL Bridge/Router to original factory default configuration.
Diagnostic Test The Diagnostic Test page shows the test results for the connectivity of the physical layer and protocol layer for both LAN and WAN sides. This page will continually refresh every 2 seconds until all tests are complete. Testing Ethernet LAN Connection: This test passes if the Ethernet LAN interface is working properly. Testing ADSL Synchronization: This test checks your ADSL Bridge/Router to see if it can successfully negotiate and establish an ADSL connection with your service provider.
Test ATM OAM End-to-End Loop Back: This test sends ATM OAM F5 End to End loop back request cells to the central office equipment through your ADSL connection. This test returns PASS if response cell is received. Since your service provider might not support this test, your ADSL Bridge/Router could still be working properly even if this test fails. If this test returns FAIL consistently and your ADSL Bridge/Router seems to not be working, check to make sure the VPI and VCI are configured correctly.
Ping Gateway: This test returns PASS if the gateway can be reached through a ping request. The gateway is assigned by your service provider, or obtained from your service provider by PPP or DHCP negotiation. If this test returns FAIL, run this test again a few minutes after this test is completed.
System Log The System Log page shows the events triggered by the system. This page contains information that is dynamic and will refresh every 5 seconds. Clear Log: This field allows you to clear the current contents of the System Log. Save Log: This field allows you to save the current contents of the System Log by right click HERE and select “Save Target As” to save it into a text file.
• PPP Layer
− PPP authenticated
− PPP invalid user name or password
− PPP unable to connect with PPP server
• IP Layer
− IP protocol up
− PPP IP address
− PPP Gateway IP address
− PPP DNS Primary IP address
− PPP DNS Secondary IP address
Local Code Image Update
The Code Image Update page allows you to upgrade the image code locally. Browse to the location of the firmware.dlf or bootrom.dlf file, and click Upload to start the update.
CHAPTER 8 FIREWALL CONFIGURATION
A Stateful Packet Inspection (SPI) firewall is an optional feature that may or may not be included in your ADSL Bridge/Router. A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets that violate a set of rules defined by the firewall administrator. The firewall is located at the point of entry for the network.
Firewall Enable/Disable: This option enables/disables all the protection provided on these pages.
Protection Policy
Protection Policies defend against common methods of attacking a network and computers within the network. Some of these attacks are classified as a DoS (Denial of Service). DoS is an attack in which a network or components of a network are disabled, usually by overloading traffic on the network, in order to prevent authorized and legitimate users from accessing network resources.
• Land Attack checking: Land attack is a type of DoS attack that works by sending a spoofed packet containing the same source and destination IP address and port (the victim’s IP address). This packet contains a connection request, resulting in a handshake process. At the end of the handshake, the victim sends out an ACK (ACKnowledge) request. Since the source and the destination are the same, the victim receives the ACK request it just sent out.
nodes in a network, making it easy to exploit any weakness. Enabling Source Routing checking will cause the firewall to filter out any packet with Source Routing properties. • WinNuke Attack checking: WinNuke exploits a large networking bug found in Windows 95 and NT. WinNuke sends erroneous OOB (Out-of-Band) data that Windows is unable to process, causing the target computer to crash. Enable this if you are running an early (95 or NT) version of Windows that is vulnerable to this attack.
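The Land Attack and Source Routing checks described above can be expressed as header tests on each IPv4 packet. The following is an added example, not the modem firmware's code and not part of the manual; the function names are hypothetical and the sample packets are constructed in memory with documentation-range addresses.

```python
import ipaddress
import struct

# IPv4 option types for loose and strict source routing (RFC 791).
SOURCE_ROUTE_OPTIONS = {0x83: "LSRR", 0x89: "SSRR"}
PROTO_TCP = 6


def ip_option_types(options: bytes) -> list:
    """Walk the IPv4 options area and return the option type bytes found."""
    types, i = [], 0
    while i < len(options):
        opt = options[i]
        if opt == 0:            # End of Option List
            break
        if opt == 1:            # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        types.append(opt)
        i += length
    return types


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields the two checks need; raise ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    info = {
        "proto": packet[9],
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "options": ip_option_types(packet[20:ihl]),
        "sport": None,
        "dport": None,
    }
    if info["proto"] == PROTO_TCP:
        if len(packet) < ihl + 20:
            raise ValueError("truncated TCP header")
        info["sport"], info["dport"] = struct.unpack_from("!HH", packet, ihl)
    return info


def check_packet(packet: bytes) -> list:
    """Return the names of the checks a packet fails; an empty list means pass."""
    try:
        p = parse_ipv4(packet)
    except ValueError:
        return ["malformed"]
    findings = []
    # Source Routing checking: any LSRR/SSRR option in the IP header.
    if any(t in SOURCE_ROUTE_OPTIONS for t in p["options"]):
        findings.append("source-routing")
    # Land Attack checking: same source and destination address and port.
    if (p["proto"] == PROTO_TCP and p["src"] == p["dst"]
            and p["sport"] == p["dport"]):
        findings.append("land")
    return findings


def build_sample(src, dst, sport, dport, options=b""):
    """Build a constructed IPv4/TCP SYN test packet (checksums left at zero)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + 20, 0, 0, 64,
                     PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + options + tcp


# Constructed sample traffic; one LSRR option with a single hop address.
LSRR_OPTION = bytes([0x83, 7, 4]) + ipaddress.IPv4Address("192.0.2.1").packed
SAMPLES = {
    "normal": build_sample("198.51.100.7", "192.0.2.10", 40000, 80),
    "land": build_sample("192.0.2.10", "192.0.2.10", 139, 139),
    "source_routed": build_sample("198.51.100.7", "192.0.2.10", 40000, 80,
                                  LSRR_OPTION),
    "bad_option": build_sample("198.51.100.7", "192.0.2.10", 40000, 80,
                               bytes([0x83, 40, 4, 0])),
    "truncated": b"\x45\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} {check_packet(pkt) or 'pass'}")
```

A packet with an inconsistent option length is reported as malformed rather than passed, since the options area cannot be trusted once its framing is wrong.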
General Log:
• Deny Policies: Enabling this will add Deny Policy violations to the log. Deny Policies are discussed later in the Inbound/Outbound policy section.
• Allow Policies: Enabling this will add Allow Policy acceptances to the log. Allow Policies are discussed later in the Inbound/Outbound policy section.
Log Database Properties:
• Log Frequency: This field lets you specify how many records to keep of each event. Default is 100. Range for Log Frequency Field is 1-65535.
These are the Service Request sources that can be disabled:
• Ping from External Network
• Telnet from External Network
• FTP from External Network
• DNS from External Network
• IKE from External Network
• RIP from External Network
• DHCP from External Network

IP Group
The IP Group lets you specify IP Addresses (Single or Range) and Subnet Masks and assign them to a group name for easy use when configuring inbound and outbound policies for the firewall.
IP Entry Name: This is the name you assign to the group of IP addresses and subnet masks. The IP Entry Name can be up to 19 characters.
IP addr. 1: This is the IP address or subnet mask you are specifying when creating a group.
IP addr. 2: This field is only active if you choose to group a range of IP addresses or subnet masks, in which case this is the end address of that range and IP addr. 1 is the first address of that range.
Service Group
The Service Group lets you specify a Port and assign it to a group name for easy use when configuring inbound and outbound policies for the firewall.
Service Entry Name: This is the name you assign to the group containing the port number. The Service Entry Name can be up to 19 characters.
TCP/UDP: This specifies whether the port goes through TCP or UDP.
Port #: This is the port number associated with the group name. Range for Port # is 1 – 65535.
Time Window
The Time Window lets you specify certain time periods and assign them to a group name for easy use when configuring inbound and outbound policies for the firewall.
Time Window Name: This is the name you assign to the group that is given the time designation. The Time Window Name can be up to 19 characters.
Time Period: This field allows you to specify the time period for both start time and end time by selecting the day, hour, minute, and AM/PM.
Inbound Policy
The Inbound Policy allows you to filter inbound (from the WAN into the user side LAN) packets based on a set of rules. This enables you to deny access from different sources and thus increase security. A table of inbound policies is displayed with the following information. If there are no policies, then a message stating “No Entries in Inbound Policy Database” will be displayed in place of the table.
IP Address: This field specifies the IP address or addresses to which the policy applies.
Up: Clicking this button will move the corresponding policy up one space in the table.
Dn: Short for down, clicking this button will move the corresponding policy down one space in the table.
Note: The Inbound Policy works in a Top-Down fashion according to the Inbound Policy Table. This means that the firewall will apply the policies in order from the top of the table to the bottom. It is critical for both security and user accessibility to the WAN to have inbound policies in the correct order.
Src IP: This specifies the Source IP for the Inbound Policy. This is the external (WAN side, outside of the firewall) IP address or addresses and Subnet Masks that will be affected by the policy. In this field there are two IP Address entry fields and a dropdown menu. The dropdown menu has four options:
• Any IP: Selecting this will cause all IPs to be affected by the policy. When this is selected, you will be unable to enter any information into the IP Address entry fields.
• Port Range: Selecting this will enable you to select a range of Ports to which the policy will apply. The first Port in the range must be entered in the first Port entry field and the last Port in the range must be entered in the second Port entry field.
• Safe Ports: Any port greater than 1024 (1025 – 65535) is considered a safe port.
Dest Port: This specifies the Destination Port for the Inbound Policy. This is the internal (LAN side, behind the firewall) Port that will be affected by the policy.
Outbound Policy
The Outbound Policy allows you to filter outbound (from the user side LAN to the WAN) packets based on a set of rules. This enables you to deny access to different sources and thus increase security. A table of outbound policies is displayed with the following information. If there are no policies, then a message stating “No Entries in Outbound Policy Database” will be displayed in place of the table.
IP Address: This field specifies the IP address or addresses to which the policy applies.
Dn: Short for down, clicking on this button will move the corresponding policy down one space in the table.
Note: The Outbound Policy works in a Top-Down fashion according to the Outbound Policy Table. This means that the firewall will apply the policies in order from the top of the table to the bottom. It is critical for both security and user accessibility to the WAN to have outbound policies in the correct order. See Section 6.9.1 for an example of this.
Src IP: This specifies the Source IP for the Outbound Policy. This is the internal (LAN side, behind the firewall) IP address or addresses and Subnet Mask(s) that will be affected by the policy. In this field there are two IP Address entry fields and a dropdown menu. The dropdown menu has four options:
• Any IP: Selecting this will cause all IPs to be affected by the policy. When this is selected, you will be unable to enter any information into the IP Address entry fields.
• Safe Ports: Any port greater than 1024 (1025 – 65535) is considered a safe port.
Dest Port: This specifies the Destination Port for the Outbound Policy. This is the external (WAN side, outside of the firewall) Port that will be affected by the policy. See Src Port above for configuration detail.
Transport Protocol: This specifies the Transport/Transfer protocol for the policy. The following protocol options are available: All, TCP, UDP, ICMP, AH, ESP, and GRE.
Inbound/Outbound Policy Sample Configuration
This is a sample Inbound/Outbound configuration meant to guide you in making your own configurations. This configuration does not necessarily provide proper security; it is meant only as a sample to display the functionality of the Inbound and Outbound Policies.
Inbound Policy Sample Configuration: You want your firewall to have the following properties:
• Accept all http IP addresses, except for 204.35.82.1
• Grant FTP access from 101.64.35.4 (external) to 10.
It does not matter which order you input these in as long as you sort them into the correct order once you are finished. The configuration should look like the following when complete:
Note: It should be clear now how critical it is to sort the policies in the correct order. For example, if policies one and two were switched, there would be NO HTTP access to any computer in the LAN. This would make web browsing impossible.
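The top-down ordering described in the notes above can be checked mechanically. The following is an added example, not code from the manual or the device firmware: it assumes the first matching policy decides the packet (the manual says only that policies are applied from top to bottom), assumes a default action of deny, and uses a constructed two-rule table built from the first sample requirement (HTTP on port 80 from any address except 204.35.82.1). The `Policy`, `evaluate` and `shadowed` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form; "0.0.0.0/0" stands for Any IP
    ports: range  # destination ports the policy covers

def evaluate(policies, src_ip, dst_port, default="deny"):
    """Walk the table top-down; the first matching policy decides (assumed)."""
    addr = ipaddress.ip_address(src_ip)
    for index, p in enumerate(policies):
        if addr in ipaddress.ip_network(p.src) and dst_port in p.ports:
            return p.action, index
    return default, None  # assumed default when nothing matches

def shadowed(policies):
    """Indexes of policies that can never fire because an earlier policy
    already matches every packet they would match."""
    dead = []
    for j, later in enumerate(policies):
        later_net = ipaddress.ip_network(later.src)
        for earlier in policies[:j]:
            covers_ip = later_net.subnet_of(ipaddress.ip_network(earlier.src))
            covers_ports = (earlier.ports.start <= later.ports.start
                            and later.ports.stop <= earlier.ports.stop)
            if covers_ip and covers_ports:
                dead.append(j)
                break
    return dead

HTTP = range(80, 81)
# Constructed tables for "accept HTTP from all addresses except 204.35.82.1".
CORRECT = [Policy("deny", "204.35.82.1/32", HTTP),
           Policy("allow", "0.0.0.0/0", HTTP)]
SWAPPED = list(reversed(CORRECT))

if __name__ == "__main__":
    for name, table in (("correct", CORRECT), ("swapped", SWAPPED)):
        print(name, evaluate(table, "204.35.82.1", 80), "shadowed:", shadowed(table))
```

With the broad allow rule sorted first, the deny rule for 204.35.82.1 is reported as shadowed: it stays in the table but never takes effect, which is the kind of ordering mistake the notes warn about.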
• Allow access from Src (LAN) IP range 10.0.0.3~10.0.0.6 to any Des (WAN) IP through port 20 (FTP), through any protocol.
Appendix A: ADSL ETHERNET MODEM ROUTER CONFIGURATION
Bridge Mode Configuration
WAN Configuration Default Gateway VC Setting VPI VCI Static IP Address Subnet Mask Encapsulation Bridged IGMP PPP Service Name PPP User Name PPP password DHCP Client Host name Virtual Circuit LAN Configuration LAN IP LAN subnet mask DHCP server DHCP address pool selection User defined start address User defined end address Lease Time User mode Ethernet mode NAT Configuration NAT Configuration DNS Configuration DNS proxy selection
Interval Misc Configuration WAN side HTTP server FTP server TFTP server HTTP server port DMZ DMZ Host IP DNS Proxy DHCP Relay IGMP proxy PPP reconnect on WAN access 30 seconds Disabled Disabled Disabled 80 Disabled 0.0.0.
Wiring Selection RIP Configuration RIP Supplier Gateway Multicast Interval Misc Configuration WAN side HTTP server FTP server TFTP server HTTP server port DMZ DMZ Host IP DNS Proxy DHCP Relay IGMP proxy PPP reconnect on WAN access Tip/Ring Disabled True False False 30 seconds Disabled Disabled Disabled 80 Disabled 0.0.0.
Preferred DNS Server Alternate DNS Server ADSL Configuration Trellis Handshake protocol Wiring Selection RIP Configuration RIP Supplier Gateway Multicast Interval Misc Configuration WAN side HTTP server FTP server TFTP server HTTP server port DMZ DMZ Host IP DNS Proxy DHCP Relay IGMP proxy PPP reconnect on WAN access only Provided by ISP Provided by ISP Enabled Autosense-G.dmt first Tip/Ring Disabled True False False 30 seconds Disabled Disabled Disabled 80 Disabled 0.0.0.
User mode Ethernet mode NAT Configuration NAT Configuration DNS Configuration DNS proxy selection Preferred DNS Server Alternate DNS Server ADSL Configuration Trellis Handshake protocol Wiring Selection RIP Configuration RIP Supplier Gateway Multicast Interval Misc Configuration WAN side HTTP server FTP server TFTP server HTTP server port DMZ DMZ Host IP DNS Proxy DHCP Relay IGMP proxy PPP reconnect on WAN access Multi-user Autosense NAPT Use auto discovered DNS servers only 0.0.0.0 0.0.0.
DHCP server DHCP address pool selection User defined start address User defined end address Lease Time User mode Ethernet mode NAT Configuration NAT Configuration DNS Configuration DNS proxy selection Preferred DNS Server Alternate DNS Server ADSL Configuration Trellis Handshake protocol Wiring Selection RIP Configuration RIP Supplier Gateway Multicast Interval Misc Configuration WAN side HTTP server FTP server TFTP server HTTP server port DMZ DMZ Host IP DNS Proxy DHCP Relay IGMP proxy PPP reconnect on WAN
PPP password DHCP Client Host name Virtual Circuit LAN Configuration LAN IP LAN subnet mask DHCP server DHCP address pool selection User defined start address User defined end address Lease Time User mode Ethernet mode NAT Configuration NAT Configuration DNS Configuration DNS proxy selection Preferred DNS Server Alternate DNS Server ADSL Configuration Trellis Handshake protocol Wiring Selection RIP Configuration RIP Supplier Gateway Multicast Interval Misc Configuration WAN side HTTP server FTP server TFTP