Vigor 2700 Series Firewall Router User’s Guide Version: 2.5 Date: 2007/03/19 Copyright 2006 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. The scope of delivery and other details are subject to change without prior notice. Microsoft is a registered trademark of Microsoft Corp.
This page is left blank.
Table of Contents 1 Preface ...............................................................................................................1 1.1 LED Indicators and Connectors .............................................................................................. 2 1.1.1 Front and Rear View for Vigor2700 .................................................................................. 2 1.1.2 Front and Rear View for Vigor2700G ........................................................................
3.4.1 Basics for Firewall........................................................................................................... 49 3.4.2 General Setup................................................................................................................. 52 3.4.3 Filter Setup ..................................................................................................................... 53 3.4.4 IM Blocking ..................................................................................
3.12.3 Configuration Backup ................................................................................................. 135 3.12.4 Syslog/Mail Alert ......................................................................................................... 136 3.12.5 Time and Date ............................................................................................................ 138 3.12.6 Management................................................................................................
This page is left blank.
1 Preface Targeting requirement for residential, SOHO (Small Office and Home Office) and business users, the Vigor2700 series is an ADSL2/2+ enabled integrated access device. With downstream speed up to 12Mbps (ADSL2) or 24Mbps (ADSL2+), the Vigor2700 series provides exceptional bandwidth for Internet access.
1.1 LED Indicators and Connectors 1.1.1 Front and Rear View for Vigor2700 LED VPN QoS Firewall ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On On Off On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation The VPN tunnel is launched. The QoS function is active. The QoS function is inactive. The DoS function is enabled. When encountered DoS attacks. ADSL is show time. The device starts handshaking. The data is transmitting. The router is powered on.
1.1.2 Front and Rear View for Vigor2700G LED WLAN QoS Firewall ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On Blinking Off On Off On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation Wireless access point is ready. Ethernet packets are transmitting over wireless LAN. The WLAN function is inactive. The QoS function is active. The QoS function is inactive. The DoS function is enabled. When encountered DoS attacks. ADSL is show time.
1.1.3 Front and Rear View for Vigor2700Gi LED WLAN QoS Firewall ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On Blinking Off On Off On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation Wireless access point is ready. Ethernet packets are transmitting over wireless LAN. The WLAN function is inactive. The QoS function is active. The QoS function is inactive. The DoS function is enabled. When encountered DoS attacks. ADSL is show time.
1.1.4 Front and Rear View for Vigor2700V (MODULE:2S1L) LED VPN Phone 1 & 2 (FXS1, FXS2) ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation The VPN tunnel is launched. The phone is off hook (the handset of phone is hanging). A phone call is incoming. ADSL is show time. The device starts handshaking. The data is transmitting. The router is powered on. The router is powered on and running properly.
1.1.5 Front and Rear View for Vigor2700V (MODULE:2S) LED VPN Phone 1 & 2 (FXS1, FXS2) ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation The VPN tunnel is launched. The phone is off hook (the handset of phone is hanging). A phone call is incoming. ADSL is show time. The device starts handshaking. The data is transmitting. The router is powered on. The router is powered on and running properly.
1.1.6 Front and Rear View for Vigor2700VGi LED WLAN Phone 1 & 2 (FXS1, FXS2) ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On Blinking Off On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation Wireless access point is ready. Ethernet packets are transmitting over wireless LAN. The WLAN function is inactive. The phone is off hook (the handset of phone is hanging). A phone call is incoming. ADSL is show time. The device starts handshaking.
1.1.7 Front and Rear View for Vigor2700VG (MODULE:2S1L) LED WLAN Phone 1 & 2 (FXS1, FXS2) ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On Blinking Off On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation Wireless access point is ready. Ethernet packets are transmitting over wireless LAN. The WLAN function is inactive. The phone is off hook (the handset of phone is hanging). A phone call is incoming. ADSL is show time. The device starts handshaking.
1.1.8 Front and Rear View for Vigor2700VG (MODULE:2S) LED WLAN Phone 1 & 2 (FXS1, FXS2) ADSL2+ ACT (Activity) LAN (1, 2, 3, 4) Status On Blinking Off On Blinking On (Green) Blinking (Green) Blinking (Orange) On Blinking Green Blinking Explanation Wireless access point is ready. Ethernet packets are transmitting over wireless LAN. The WLAN function is inactive. The phone is off hook (the handset of phone is hanging). A phone call is incoming. ADSL is show time. The device starts handshaking.
1.2 Hardware Installation Before starting to configure the router, you have to connect your devices correctly. 1. Connect the ADSL interface to the external ADSL splitter with an ADSL line cable for all models. For the VoIP model with MODULE:2S1L (Annex A), also connect Life interface to external ADSL splitter. (refer to Example 1 to 3) 2. Connect one port of 4-port switch to your computer with a RJ-45 cable. 3. Connect one end of the power cord to the power port of this device.
Example 2: Connect the ADSL interface to the external ADSL splitter with an ADSL line cable. For the model of Vigor2700VGi (Annex B), also connect ISDN interface to external ADSL splitter. Example 3: Connect the ADSL interface to the external ADSL splitter with an ADSL line cable and connect to ISDN wall outlet. For the VoIP model with MODULE:2S1L (Annex B), also connect Life interface to POTS wall outlet.
This page is left blank.
2 Configuring Basic Settings For use the router properly, it is necessary for you to change the password of web configuration for security and adjust primary basic settings. This chapter explains how to setup a password for an administrator and how to adjust basic settings for accessing Internet successfully. Be aware that only the administrator can change the router configuration. 2.
14 4. Go to System Maintenance page and choose Administrator Password. 5. Enter the login password (the default is blank) on the field of Old Password. Type a new one in the field of New Password and retype it on the field of Retype New Password. Then click OK to continue. 6. Now, the password has been changed. Next time, use the new password to access the Web Configurator for this router.
2.2 Quick Start Wizard If your router can be under an environment with high speed NAT, the configuration provide here can help you to deploy and use the router quickly. The first screen of Quick Start Wizard is entering login password. After typing the password, please click Next. 2.2.1 Adjusting Protocol/Encapsulation In the Quick Start Wizard, you can configure the router to access the Internet with different protocol/modes such as PPPoE, PPPoA, Bridged IP, or Routed IP.
VCI Stands for Virtual Channel Identifier. It is a 16-bit field inside ATM cell’s header that indicates the cell’s next destination as it travels through the network. A virtual channel is a logical connection between two end devices on the network. Protocol/Encapsulation Select an IP mode for this WAN interface. There are several available modes for Internet access such as PPPoE, PPPoA, Bridged IP and Routed IP. Fixed IP Click Yes to specify a fixed IP for the router.
If your ISP provides you the PPPoE or PPPoA connection, please select PPPoE or PPPoA for this router. The following page will be shown: ISP Name Assign a specific name for ISP requirement. User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP. Confirm Password Retype the password. Always On Check this box to allow the router connecting to Internet forever.
Click Finish. The online status of this protocol will be shown as below. 2.2.3 Bridged IP Click 1483 Bridged IP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page.
Click Finish. The online status of this protocol will be shown as below. 2.2.4 Routed IP Click 1483 Routed IP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page.
Click Finish. The online status of this protocol will be shown as below. 2.3 Online Status for Each Protocol The online status shows the system status, WAN status, ADSL Information and other status related to this router within one page. If you select PPPoE or PPPoA as the protocol, you will find out a button of Dial PPPoE or Dial PPPoE in the Online Status web page.
Online status for Bridge Online status for Routed IP Primary DNS Displays the assigned IP address of the primary DNS. Secondary DNS Displays the assigned IP address of the secondary DNS. IP Address (in LAN) Displays the IP address of the LAN interface. TX Packets Displays the total transmitted packets at the LAN interface. RX Packets Displays the total number of received packets at the LAN interface. GW IP Addr: Displays the assigned IP address of the default gateway.
Uncorrected Blocks Displays the total number of received ATM Blocks corrupted but uncorrected. Mode Displays the modulation mode used: G.DMT, G.Lite, or T1.413. State Displays the DSL line status. Up Speed Displays the upstream speed (bits/ second). Down Speed Displays the downstream speed (bits/ second). SNR Margin Displays the value of Signal Noise Ratio Margin (dB). The higher value has better signal quality. Loop Att. Displays the value of subscribed Loop Attenuation. 2.
3 Advanced Web Configuration After finished basic configuration of the router, you can access Internet with ease. For the people who want to adjust more settings for suiting his/her request, please refer to this chapter for getting detailed information about the advanced configuration of this router. As for other examples of application, please refer to Chapter 4. 3.1 Internet Access 3.1.1 Basics of Internet Protocol (IP) Network IP means Internet Protocol.
3.1.2 PPPoE/PPPoA PPPoA, included in RFC1483, can be operated in either Logical Link Control-Subnetwork Access Protocol or VC-Mux mode. As a CPE device, Vigor router encapsulates the PPP session based for transport across the ADSL loop and your ISP’s Digital Subscriber Line Access Multiplexer (SDLAM). To choose PPPoE or PPPoA as the accessing protocol of the internet, please select PPPoE/PPPoA from the Internet Access menu. The following web page will be shown.
PPPoE Pass-through The router offers PPPoE dial-up connection. Besides, you also can establish the PPPoE connection directly from local clients to your ISP via the Vigor router. When PPPoA protocol is selected, the PPPoE package transmitted by PC will be transformed into PPPoA package and sent to WAN server. Thus, the PC can access Internet through such direction.
like to utilize them on the WAN interface, please use WAN IP Alias. You can set up to 8 public IP addresses other than the current one you are using. By checking the checkbox Join NAT IP Pool, data from NAT hosts will be round-robin forwarded on a session basis.
IP addresses for other purpose, such as DMZ host, Open Ports. Default MAC Address Type in MAC address for the router. You can use Default MAC Address or specify another MAC address for your necessity. MAC Address – Type in the MAC address for the router manually. Index (1-15) in Schedule Setup You can type in four sets of time schedule for your request. All the schedules can be set previously in Application – Schedule web page and you can use the number that you have set in that web page.
MPoA (RFC1483/2684) Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid. DSL Modem Settings Set up the DSL parameters required by your ISP. These are vital for building DSL connection to your ISP. Multi-PVC channel - The selections displayed here are determined by the page of Internet Access – Multi PVCs. Select M-PVCs Channel means no selection will be chosen.
enable this feature if you host a web server for your customers’ access. RIP Protocol Routing Information Protocol is abbreviated as RIP(RFC1058) specifying how routers exchange routing tables information. Click Enable RIP for activating this function. Bridge Mode If you choose Bridged IP as the protocol, you can check this box to invoke the function. The router will work as a bridge modem.
3.1.4 Multi-PVCs This router allows you to create multi-PVCs for different data transferring for using. Simply go to Internet Access and select Multi-PVC Setup page. General The system allows you to set up to eight channels which are ready for choosing as the first PVC line that will be used as multi-PVCs. 30 Enable Check this box to enable that channel. The channels that you enabled here will be shown in the Multi-PVC channel drop down list on the web page of Internet Access.
Encapsulation Choose a proper type for this channel. The types will be different according to the protocol setting that you choose. ATM QoS Such configuration is applied to upstream packets. Such information will be provided by ISP. Please contact with your ISP for detailed information. QoS Type Select a proper QoS type for the channel according to the information that your ISP provides. PCR It represents Peak Cell Rate. The default setting is “0”. SCR It represents Sustainable Cell Rate.
Enable Check this box to enable that channel. Only channel 3 to 8 can be set in this page, for channel 1 to 4 are reserved for NAT using. P1 to P4 It means the LAN port 1 to 4. Check the box to designate the LAN port for channel 3 to 8. Service Type Normally, service type is used for the service of video stream (e.g., IPTV). It can divide the packets from remote control and from video stream into different PVC. In general, the protocol used by remote control is IGMP.
3.2 LAN Local Area Network (LAN) is a group of subnets regulated and ruled by router. The design of network structure is related to what type of public IP addresses coming from your ISP. 3.2.1 Basics of LAN The most generic function of Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router will talk to other public hosts on the Internet by using public IP address and talking to local hosts by using its private IP address.
What is Routing Information Protocol (RIP) Vigor router will exchange routing information with neighboring routers using the RIP to accomplish IP routing. This allows users to change the information of the router such as IP address and the routers will automatically inform for each other. What is Static Route When you have several subnets in your LAN, sometimes a more effective and quicker way for connection is the Static routes function rather than other method.
1st IP Address Type in private IP address for connecting to a local private network (Default: 192.168.1.1). 1st Subnet Mask Type in an address code that determines the size of the network. (Default: 255.255.255.0/ 24) For IP Routing Usage Click Enable to invoke this function. The default setting is Disable. nd 2 IP Address Type in secondary IP address for connecting to a subnet. (Default: 192.168.2.1/ 24) 2nd Subnet Mask An address code that determines the size of the network. (Default: 255.255.
2nd Subnet - Select the router to change the RIP information of the 2nd subnet with neighboring routers. DHCP Server Configuration DHCP stands for Dynamic Host Configuration Protocol. The router by factory default acts a DHCP server for your network so it automatically dispatch related IP settings to any local user configured as a DHCP client. It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network.
If both the Primary IP and Secondary IP Address fields are left empty, the router will assign its own IP address to local users as a DNS proxy server and maintain a DNS cache. If the IP address of a domain name is already in the DNS cache, the router will resolve the domain name immediately. Otherwise, the router forwards the DNS query packet to the external DNS server by establishing a WAN (e.g. DSL/Cable) connection. There are two common scenarios of LAN settings that stated in Chapter 4.
z have set Main Router 192.168.1.1 as the default gateway for the Router A 192.168.1.2. Before setting Static Route, user A cannot talk to user B for Router A can only forward recognized packets to its default gateway Main Router. 1. Go to LAN page and click General Setup, select 1st Subnet as the RIP Protocol Control. Then click the OK button. Note: There are two reasons that we have to apply RIP Protocol Control on 1st Subnet.
4. Go to Diagnostics and choose Routing Table to verify current routing table. Disable Static Route 1. Click the Index Number that you want to disable from the Static Route Configuration page. 2. Select Inactive/Disable from the drop-down menu, and then click the OK button to disable the route.
3.2.4 VLAN Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port. You can also manage the in/out rate of each port. Go to LAN menu and select VLAN. The following page will appear. Click Enable to invoke VLAN function. To add or remove a VLAN, please refer to the following example. 40 1. If, VLAN 0 is consisted of hosts linked to P1 and P2 and VLAN 1 is consisted of hosts linked to P3 and P4. 2.
3.2.5 Bind IP to MAC This function is used to bind the IP and MAC address in LAN to have a strengthen control in network. When this function is enabled, all the assigned IP and MAC address binding together cannot be changed. If you modified the binding IP or MAC address, it might cause you not access into the Internet. Click LAN and click Bind IP to MAC to open the setup page. Enable Click this radio button to invoke this function.
IP Bind List It displays a list for the IP bind to MAC information. Add It allows you to add the one you choose from the ARP table or the IP/MAC address typed in Add and Edit to the table of IP Bind List. Edit It allows you to edit and modify the selected IP address and MAC address that you create before. Remove You can remove any item listed in IP Bind List. Simply click and select the one, and click Remove. The selected item will be removed from the IP Bind List.
The port redirection can only apply to incoming traffic. To use this function, please go to NAT page and choose Port Redirection web page. The Port Redirection Table provides 10 port-mapping entries for the internal hosts. Service Name Enter the description of the specific network service. Protocol Select the transport layer protocol (TCP or UDP). Public Port Specify which port can be redirected to the specified Private IP and Port of the internal host.
For example, the built-in web configurator in the router is with default port 80, which may conflict with the web server in the local network, http://192.168.1.13:80. Therefore, you need to change the router’s http port to any one other than the default port 80 to avoid conflict, such as 8080. This can be set in the System Maintenance >>Management. You then will access the admin screen of by suffixing the IP address with 8080, e.g., http://192.168.1.1:8080 instead of port 80. 3.3.
Note: The inherent security properties of NAT are somewhat bypassed if you set up DMZ host. We suggest you to add additional filter rules or a secondary firewall. Click DMZ Host to open the following page: Drop Down List The drop down list allows you to set Private IP or Active True IP as the DMZ host. Private IP If you choose Private IP as the selection for DMZ host, please type in private IP or select any one by clicking the Choose PC button.
Enable Check to enable the DMZ Host function. Private IP Enter the private IP address of the DMZ host, or click Choose PC to select one. Choose PC Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the following screen.
Index Indicate the relative number for the particular entry that you want to offer service in a local host. You should click the appropriate index number to edit or clear the corresponding entry. Comment Specify the name for the defined network service. Aux. WAN IP Display the private IP address of the local host that you specify in WAN Alias. This field will not appear if you did not specify any WAN IP in the WAN Alias page.
48 Choose PC Click this button and, subsequently, a window having a list of private IP addresses of local hosts will automatically pop up. Select the appropriate IP address of the local host in the list. Protocol Specify the transport layer protocol. It could be TCP, UDP, or ----(none) for selection. Start Port Specify the starting port number of the service offered by the local host. End Port Specify the ending port number of the service offered by the local host.
3.3.4 Well-Known Ports List This page provides you a view of well-known ports. 3.4 Firewall 3.4.1 Basics for Firewall While the broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has been always the most concerned. The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders. It also restricts users in the local network from accessing the Internet.
Firewall Facilities The users on the LAN are provided with secured protection by the following firewall facilities: z User-configurable IP filter (Call Filter/ Data Filter).
Stateful Packet Inspection (SPI) Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid. The stateful firewall of Vigor router not just examine the header information also monitor the state of the connection.
Content Filtering To provide an appropriate cyberspace to users, Vigor router equips with URL Content Filter not only to limit illegal traffic from/to the inappropriate web sites but also prohibit other web feature where malicious code may conceal. Once a user type in or click on an URL with objectionable keywords, URL keyword blocking facility will decline the HTTP request to that web page thus can limit user’s access to the website.
Call Filter Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter. Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Log Flag For troubleshooting needs you can specify the filter log here. None - The log function is not activated. Block - All blocked packets will be logged. Pass - All passed packets will be logged. No Match - The log function will record all packets that are not matched.
Filter Rule Click a button numbered (1 ~ 7) to edit the filter rule. Click the button will open Edit Filter Rule web page. For the detailed information, refer to the following page. Active Enable or disable the filter rule. Comment Enter filter set comments/description. Maximum length is 23–character long Next Filter Set Set the link to the next filter set to be executed after the current filter run. Do not make a loop with many filter sets.
Pass If No Further Match - A packet matching the rule, and that does not match further rules, will be passed through. Block If No Further Match - A packet matching the rule, and that does not match further rules, will be dropped. Branch to other Filter If the packet matches the filter rule, the next filter rule will branch to the specified filter set. Select next filter rule to branch from the Set drop-down menu. Log Check this box to enable the log function. Use the Telnet command log-f to view the logs.
Example As stated before, all the traffic will be separated and arbitrated using on of two IP filters: call filter or data filter. You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner. Each filter set is composed by 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for call filter and one set for data filter to execute first. 3.4.4 IM Blocking IM Blocking means instant messenger blocking.
3.4.5 P2P Blocking P2P is the short name of peer to peer. Click Firewall and click P2P Blocking to open the setup page. You will see a list of common P2P applications. Check Enable P2P Blocking and select the one(s) to block. To block selected P2P applications during specific periods, enter the number of the scheduler predefined in Applications >> Schedule. Action Vigor2700 Series User’s Guide Specify the action for each protocol.
3.4.6 DoS Defense As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/ defense function in the DoS Defense setup. The DoS Defense functionality is disabled for default. Click Firewall and click DoS Defense to open the setup page. 58 Enable Dos Defense Check the box to activate the DoS Defense Functionality. Enable SYN flood defense Check the box to activate the SYN flood defense function.
port-scanning Threshold rate, the Vigor router will send out a warning. By default, the Vigor router sets the threshold as 150 packets per second. Block IP options Check the box to activate the Block IP options function. The Vigor router will ignore any IP packets with IP option field in the datagram header.
the protocol types greater than 100 are reserved and undefined at this time. Therefore, the router should have ability to detect and reject this kind of packets. Warning Messages We provide Syslog function for user to retrieve message from Vigor router. The user, as a Syslog Server, shall receive the report sending from Vigor router which is a Syslog Client. (Refer to System Maintenance >> Syslog/Mail Alert for detail information.
Enable URL Access Control Check the box to activate URL Access Control. Black List (block those Click this button to restrict accessing into the corresponding webpage with the keywords listed on the box below. matching keyword) White List (pass those Click this button to allow accessing into the corresponding webpage with the keywords listed on the box below. matching keyword) Keyword The Vigor router provides 8 frames for users to define keywords and each frame supports multiple keywords.
Enable Restrict Web Feature Check the box to activate the function. Java - Check the checkbox to activate the Block Java object function. The Vigor router will discard the Java objects from the Internet. ActiveX - Check the box to activate the Block ActiveX object function. Any ActiveX object from the Internet will be refused. Compressed file - Check the box to activate the Block Compressed file function to prevent someone from downloading any compressed file.
To activate the function of limit session, simply click Enable and set the default session limit. Enable Click this button to activate the function of limit session. Disable Click this button to close the function of limit session. Default session limit Define the default session number used for each computer in LAN. Limitation List Display a list of specific limitations that you set on this web page. Start IP Define the start IP address for limit session.
3.5.2 Bandwidth Limit The downstream or upstream from FTP, HTTP or some P2P applications will occupy large of bandwidth and affect other normal applications. You can use Limit Bandwidth to make the bandwidth usage more efficient. In the Bandwidth Management menu, click Bandwidth Limit to open the web page. To activate the function of limit bandwidth, simply click Enable and set the default upstream and downstream limit. 64 Enable Click this button to activate the function of limit bandwidth.
Add Add the specific speed limitation onto the list above. Edit Allows you to edit the settings for the selected limitation. Remove Remove the selected settings existing on the limitation list. Index (1-15) in Schedule Setup You can type in four sets of time schedule for your request. All the schedules can be set previously in Application – Schedule web page and you can use the number that you have set in that web page. 3.5.
However, each node may take different attitude toward packets with high priority marking since it may bind with the business deal of SLA among different DS domain owners. It’s not easy to achieve deterministic and consistent high-priority QoS traffic throughout the whole network with merely Vigor router’s effort. In the Bandwidth Management menu, click Quality of Service to open the web page. Enable the QoS Control The factory default for this setting is checked.
Enable UDP Bandwidth Control Check this and set the limited bandwidth ratio on the right field. This is a protection of TCP application traffic since UDP application traffic such as streaming video will exhaust lots of bandwidth. Outbound TCP ACK Prioritize Check to enable this function. Limited_bandwidth Ratio The ratio typed here is reserved for limited bandwidth of UDP application. On Line Statistics Display an online statistics for quality of service for your reference.
Enable UDP Bandwidth Control Check this and set the limited bandwidth ratio on the right field. This is a protection of TCP application traffic since UDP application traffic such as streaming video will exhaust lots of bandwidth. Outbound TCP ACK Prioritize Check to enable this function. Limited_bandwidth Ratio The ratio typed here is reserved for limited bandwidth of UDP application. On Line Statistics Display an online statistics for quality of service for your reference.
Advanced Settings for QoS Click this button to open advanced configuration for each index number. You can insert, move, edit or delete select rule in this page. For inserting a rule, click Insert to open the following page. SrcEdit/DestEdit It allows you to edit source address information. Address Type – Determine the address type for the source address. For Single Address, you have to fill in Start IP address. For Range Address, you have to fill in Start IP address and End IP address.
Service Name – Type in a new service for your request. Service Type – Choose the type (TCP, UDP or TCP/UDP) for the new service. Type for Port Configuration – Click Single or Range. If you select Range, you have to type in the starting port number and the end porting number on the boxes below. Port Number – Type in the starting port number and the end porting number here if you choose Range as the type. You can add a new service name for your necessity.
3.6 Applications 3.6.1 Dynamic DNS The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP. It means that the public IP address assigned to your router changes each time you access the Internet. The Dynamic DNS feature lets you assign a domain name to a dynamic WAN IP address. It allows the router to update its online WAN IP address mappings on the specified Dynamic DNS server.
4. Service Provider Select the service provider for the DDNS account. Service Type Select a service type (Dynamic, Custom, Static). Domain Name Type in a domain name that you applied previously. Login Name Type in the login name that you set for applying domain. Password Type in the password that you set for applying domain. Click OK button to activate the settings. You will see your setting has been saved. The Wildcard and Backup MX features are not supported for all Dynamic DNS providers.
Enable Schedule Setup Check to enable the schedule. Start Date (yyyy-mm-dd) Specify the starting date of the schedule. Start Time (hh:mm) Specify the starting time of the schedule. Duration Time (hh:mm) Specify the duration (or period) for the schedule. Action Specify which action Call Schedule should apply during the period of the schedule. Force On -Force the connection to be always on. Force Down -Force the connection to be always down.
4. Assign these two profiles to the PPPoE Internet access profile. Now, the PPPoE Internet connection will follow the schedule order to perform Force On or Force Down action according to the time plan that has been pre-defined in the schedule profiles. 3.6.3 RADIUS Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers.
Enable UPNP Service Accordingly, you can enable either the Connection Control Service or Connection Status Service. After setting Enable UPNP Service setting, an icon of IP Broadband Connection on Router on Windows XP/Network Connections will appear. The connection status and control status will be able to be activated. The NAT Traversal of UPnP enables the multimedia features of your applications to operate. This has to manually set up port mappings or use other similar methods.
The reminder as regards concern about Firewall and UPnP: Can't work with Firewall Software Enabling firewall applications on your PC may cause the UPnP function not working properly. This is because these applications will block the accessing ability of some network ports. Security Considerations Activating the UPnP function on your network may incur some security threats. You should consider carefully these risks before activating the UPnP function.
3.6.5 IGMP IGMP is the abbreviation of Internet Group Management Protocol. It is a communication protocol which is mainly used for managing the membership of Internet Protocol multicast groups. For invoking IGMP Snooping function, you have to check the Enable IGMP Proxy box first for activating the IGMP proxy function. Enable IGMP Proxy Check this box to enable this function. The application of multicast will be executed through WAN port. Enable IGMP Snooping Check this box to enable this function.
If you check Enable IGMP Proxy only, you will get the following page. All the multicast groups will be listed and all the LAN ports (P1 to P4) are available for use. If you check Enable IGMP Snooping only, you will get the following page. Though all the multicast groups are listed, yet all the LAN ports (P1 to P4) are not available for use.
3.6.6 Wake on LAN A PC client on LAN can wake up specified PC through the router. Yet the specified PC must have installed a network card supporting WOL function. By the way, WOL function must be set as “Enable” on the BIOS setting of the specified PC. Wake by Two types provide for you to wake up the binded IP. If you choose Wake by MAC Address, you have to type the correct MAC address of the host in MAC Address boxes. If you choose Wake by IP Address, you have to choose the correct IP address.
3.7 VPN and Remote Access A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. In addition, ISDN Internet access settings, LAN to LAN for ISDN and remote dial-in with ISDN also will be explained in this section. 3.7.
3.7.2 PPP General Setup This submenu only applies to PPP-related connections, such as PPTP, L2TP, L2TP over IPSec of VPN or ISDN. Select this option to force the router to authenticate dial-in Dial-In PPP Authentication PAP Only users with the PAP protocol. PAP or CHAP Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first. If the dial-in user does not support this protocol, it will fall back to use the PAP protocol for authentication.
Start IP Address Enter a start IP address for the dial-in PPP connection. You should choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. But, you have to notice that the first two IP addresses of 192.168.1.200 and 192.168.1.201 are reserved for ISDN remote dial-in user. 3.7.3 IPSec General Setup In IPSec General Setup, there are two major parts of configuration.
Pre-Shared Key- Specify a key for IKE authentication Re-type Pre-Shared Key-Confirm the pre-shared key. IPSec Security Method Medium - Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is active. High - Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. 3.7.
Profile Name Type in a name in this file. Accept Any Peer ID Click to accept any peer regardless of its identity. Accept Subject Alternative Click to check one specific field of digital signature to accept the peer with matching value. The field can be IP Address, Name Domain Name, or E-Mail. The box under the Type will appear according to the type you select and ask you to fill in corresponding setting.
Set to Factory Default Click to clear all indexes. Index Click the number below Index to access into the setting page of Remote Dial-in User. User Display the username for the specific dial-in user of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty. Status Display the access state of the specific dial-in user. The symbol V and X represent the specific dial-in user to be active and inactive, respectively.
86 Enable this account Check the box to enable this function. Idle Timeout- If the dial-in user is idle over the limitation of the time, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds. ISDN Allow the remote ISDN dial-in connection. You can further set up Callback function below. You should set the User Name and Password of remote dial-in user below. This feature is for i model only.
Uncheck the checkbox-This means the connection type you select above will apply the authentication methods and security methods in the general settings. User Name This field is applicable when you select PPTP or L2TP with or without IPSec policy above. Password This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
3.7.6 LAN to LAN Here you can manage LAN-to-LAN connections by maintaining a table of connection profiles. You may set parameters including specified connection direction (dial-in or dial-out), connection peer ID, connection type (ISDN connection, VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc. The router provides up to 32 profiles, which also means supporting 32 VPN tunnels simultaneously.
Profile Name Specify a name for the profile of the LAN-to-LAN connection. Enable this profile Check here to activate this profile. Call Direction Specify the allowed call direction of this LAN-to-LAN profile: Both- initiator/responder Dial-Out- initiator only Dial-In- responder only Always On or Idle Timeout Always On-Check to enable router always keep VPN connection. Idle Timeout: The default value is 300 seconds. If the connection has been idled over the value, the router will drop the connection.
Enable PING to Keep Alive is used to handle abnormal IPSec VPN connection disruption. It will help to provide the state of a VPN connection for router’s judgment of redial. Normally, if any one of VPN peers wants to disconnect the connection, it should follow a serial of packet exchange procedure to inform each other. However, if the remote peer disconnect without notice, Vigor router will by no where to know this situation.
IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy. Medium Authentication Header (AH)- means data will be authenticated, but not be encrypted. By default, this option is active. High (ESP-Encapsulating Security Payload)- means payload (data) will be encrypted and authenticated. Select from below: DES without Authentication -Use DES encryption algorithm and not apply any authentication scheme.
IKE phase 1 key lifetime-For security reason, the lifetime of key should be defined. The default value is 28800 seconds. You may specify a value in between 900 and 86400 seconds. IKE phase 2 key lifetime-For security reason, the lifetime of key should be defined. The default value is 3600 seconds. You may specify a value in between 600 and 86400 seconds. Perfect Forward Secret (PFS)-The IKE Phase 1 key will be reused to avoid the computation complexity in phase 2.
Allowed Dial-In Type Determine the dial-in connection with different types. ISDN Allow the remote ISDN dial-in connection. You can further set up Callback function below. You should set the User Name and Password of remote dial-in user below. This feature is useful for i model only. PPTP Allow the remote dial-in user to make a PPTP VPN connection through the Internet. You should set the User Name and Password of remote dial-in user below.
Must- Specify the IPSec policy to be definitely applied on the L2TP connection. Specify ISDN CLID or Remote VPN Gateway Peer ISDN Number or Peer VPN Server IP You can specify the IP address of the remote dial-in user or peer ID (should be the same with the ID setting in dial-in type) by checking the box. Enter Peer ISDN number if you select ISDN above (This feature is useful for i model only.). Also, you should further specify the corresponding security methods on the right side.
the dial-in user. The budget will be decreased automatically per callback connection. The default value 0 means no limitation of callback period. My WAN IP This field is only applicable when you select PPTP or L2TP with or without IPSec policy above. The default value is 0.0.0.0, which means the Vigor router will get a PPP IP address from the remote router during the IPCP negotiation phase. If the PPP IP address is fixed by remote side, specify the fixed IP address here.
interfaces are enabled. 3.7.7 Connection Management You can find the summary table of all VPN connections. You may disconnect any VPN connection by clicking Drop button. You may also aggressively Dial-out by using Dial-out Tool and clicking Dial button. Dial Click this button to execute dial out function. Refresh Seconds Choose the time for refresh the dial information among 5, 10, and 30. Refresh Click this button to refresh the whole connection status.
3.8 Certificate Management A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Here Vigor router support digital certificates conforming to standard X.509.
View Click this button to view the detailed settings for certificate request. After clicking Generate, the generated information will be displayed on the window below: 3.8.2 Trusted CA Certificate Trusted CA certificate lists three sets of trusted CA certificate. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window. Use Browse… to find out the saved text file. Then click Import. The one you imported will be listed on the Trusted CA Certificate window.
3.9 VoIP Voice over IP network (VoIP) enables you to use your broadband Internet connection to make toll quality voice calls over the Internet. There are many different call signaling protocols, methods by which VoIP devices can talk to each other. The most popular protocols are SIP, MGCP, Megaco and H.323. These protocols are not all compatible with each other (except via a soft-switch server).
The major benefit of this mode is that you don’t have to memorize your friend’s IP address, which might change very frequently if it’s dynamic. Instead of that, you will only have to using dial plan or directly dial your friend’s account name if you are with the same SIP Registrar. Please refer to the Example 1 and 2 in the Calling Scenario. z Peer-to-Peer Before calling, you have to know your friend’s IP Address. The Vigor VoIP Routers will build connection between each other.
3.9.1 DialPlan This page allows you to set phone book and digit map for the VoIP function. Click the Phone Book and Digit Map links on the page to access into next pages for dialplan settings. Note: The PSTN Setup link is available for Vigor2700V(MODULE: 2S1L) and Vigor2700VG(MODULE: 2S1L) only. Phone Book In this section, you can set your VoIP contacts in the “phonebook”, called DialPlan. It can help you to make calls quickly and easily by using “speed-dial” Phone Number.
Click any index number to display the dial plan setup page. Below is a sample page obtained from Vigor 2700V(MODUEL:2S)/2700VG(MODUEL:2S). Enable Click this to enable this entry. Phone Number The speed-dial number of this index. This can be any number you choose, using digits 0-9 and * . Display Name The Caller-ID that you want to be displayed on your friend’s screen. This let your friend can easily know who’s calling without memorizing lots of SIP URL Address.
Display Name The Caller-ID that you want to be displayed on your friend’s screen. This let your friend can easily know who’s calling without memorizing lots of SIP URL Address.
Enable Check this box to invoke this setting. Prefix Number The phone number set here is used to add, strip, or replace the OP number. Mode None - No action. Add - When you choose this mode, the OP number will be added with the prefix number for calling out through the specific VoIP interface. Strip - When you choose this mode, the OP number will be deleted by the prefix number for calling out through the specific VoIP interface.
Then, check the Enable box to make the PSTN number available for dial whenever you need. Note: This function is available for Vigor2700V/2700VG (MODULE 2S1L) only. 3.9.2 SIP Accounts In this section, you set up your own SIP settings. When you apply for an account, your SIP service provider will give you an Account Name or user name, SIP Registrar, Proxy, and Domain name. (The last three might be the same in some case).
106 External IP Type in the gateway IP address. SIP PING interval The default value is 150 (sec). It is useful for a Nortel server NAT Traversal Support. Status Show the status for the corresponding SIP account. R means such account is registered on SIP server successfully. – means the account is failed to register on SIP server. Profile Name Assign a name for this profile for identifying. You can type similar name with the domain. For example, if the domain name is draytel.
Account Number/Name Enter your account name of SIP Address, e.g. every text before @. Authentication ID Check the box to invoke this function and enter the name or number used for SIP Authorization with SIP Registrar. If this setting value is the same as Account Name, it is not necessary for you to check the box and set any value in this field. Password The password provided to you when you registered with a SIP service.
Below shows successful SIP accounts for your reference.
3.9.3 Phone Settings This page allows user to set phone settings for VoIP 1 and VoIP 2 respectively. RTP Symmetric RTP – Check this box to invoke the function. To make the data transmission going through on both ends of local router and remote router not misleading due to IP lost (for example, sending data from the public IP of remote router to the private IP of local router), you can check this box to solve this problem. Dynamic RTP port start - Specifies the start port for RTP stream.
Hotline Check the box to enable it. Type in the SIP URL in the field for dialing automatically when you pick up the phone set. Session Timer Check the box to enable the function. In the limited time that you set in this field, if there is no response, the connecting call will be closed automatically. T.38 Fax function If the remote end also supports FAX function, you can check this box to enable this function. Call Forwarding There are four options for you to choose.
CLIR (hide caller ID) Check this box to hide the caller ID on the display panel of the phone set for the remote side. Call Waiting Check this box to invoke this function. A notice sound will appear to tell the user new phone call is waiting for your response. Click hook flash to pick up the waiting phone call. Call Transfer Check this box to invoke this function. Click hook flash to initiate another phone call. When the phone call connection succeeds, hang up the phone.
To ISDN: Current used phone is connected through ISDN network. If the caller dials the characters listed in this box, then the ISDN phone will be switched into VoIP phone on Internet. To VoIP: Current used phone is VoIP phone. If the caller dials the characters listed in this box, then the VoIP phone will be switched into phone through ISDN connection on Internet. In addition, you can press the Advanced button to configure tone settings, volume gain, MISC and DTMF mode.
Also, you can specify each field for your necessity. It is recommended for you to use the default settings for VoIP communication. Volume Gain Mic Gain (1-10)/Speaker Gain (1-10) - Adjust the volume of microphone and speaker by entering number from 1- 10. The larger of the number, the louder the volume is. MISC Dial Tone Power Level - This setting is used to adjust the loudness of the dial tone. The smaller the number is, the louder the dial tone is. It is recommended for you to use the default setting.
114 Refresh Seconds Specify the interval of refresh time to obtain the latest VoIP calling information. The information will update immediately when the Refresh button is clicked. Port It shows current connection status for the port of VoIP1, VoIP2, ISDN1 and ISDN2. Status of ISDN is available for VGi model only. Status It shows the VoIP connection status. IDLE - Indicates that the VoIP function is idle. HANG_UP - Indicates that the connection is not established (busy tone).
Out Calls The accumulating times of out-call. Speaker Gain The volume of present call. Log Display logs of VoIP calls. 3.10 ISDN ISDN stands for Integrated Services Digital Network. It is an international communications standard for sending voice, video, and data over digital telephone lines. Note: The feature is available for i models only. 3.10.1 General Setup ISDN Port Click Enable to open the ISDN port and Disable to close it.
3.10.2 Dialing to a Single ISP If you access the Internet via a single ISP, press this link. ISP Name Enter your ISP name. Dial Number Enter the ISDN access number provided by your ISP. Username Enter the username provided by your ISP. Password Enter the password provided by your ISP. Require ISP Callback If your ISP supports the callback function, check this box to activate the Callback Control Protocol during the PPP negotiation.
this function and enter the IP address in the field of Fixed IP Address. Fixed IP Address Type the IP address. 3.10.3 Dialing to Dual ISPs If you have more than one ISP, press this link to configure two ISP dialup profiles. You will be able to dial to both ISPs at the same time. This is mainly for those ISPs that do not support Multiple-Link PPP (ML-PPP) function. In such cases, dialing to two ISPs can increase the bandwidth utilization of the ISDN channels to 128kbps data speed.
As depicted in the above application scenario, the Virtual TA client can make an outgoing call or accept an incoming call to/from a peer FAX machine or ISDN TA, etc. Before you configure the Virtual TA (Remote CAPI) Setup, please install the virtual TA client first. Simply insert the CD bundled with your Vigor router, or directly double-click one of the installer files. In which Vsetup95.exe is for Windows 95 OSR2.1 or higher; Vsetup98.exe is for Windows 98, 98SE and Me; and Vsetup2k.
Virtual TA Server Enable: Select it to activate the server. Disable: Select it to deactivate the server. All Virtual TA applications will be terminated. Username Enter the username of a specific client. Password Enter the password of a specific client. MSN1/ MSN2/MSN3 MSN stands for Multiple Subscriber Number. It means you can apply to more than one ISDN lines number over a single subscribed line. Note that the service must be acquired from your telecom. Specify the MSN numbers for a specific client.
Click the Virtual TA Login tab to launch the login box. Enter the Username/Password and then click OK. After a short time, the VT icon text will turn green. MSN Configuration If you have applied to an MSN number service, the Virtual TA server can assign which client has the specified MSN number. When an incoming call arrives, the server will inform the appropriate client. Now we set an example to describe the configuration of the MSN number.
3.10.5 Call Control Some applications require that the router (only for i models) be remotely activated, or be able to dial up to the ISP via the ISDN interface. Vigor routers provide this feature which allows you to make a phone call to the router and then ask it to dial up to the ISP. Please set Dialing to a Single ISP first before configuring this web page. Dial Retry It specifies the dial retry counts per triggered packet.
utilization. Idle Timeout Because our ISDN link type is “Dial On Demand”, the connection will be initiated only when needed. High Water Mark and High Water Time BOD stands for bandwidth-on-demand for Multiple-Link PPP (ML-PPP or MP). High Water Mark/ High Water Time/ Low Water Mark/Low Water Time parameters are applied when you set the Link Type to Dialup BOD. The ISDN usually uses one B channel to access the Internet or remote network when you choose the Dialup BOD link type.
Security Overview Real-time Hardware Encryption: Vigor Router is equipped with a hardware AES encryption engine so it can apply the highest protection to your data without influencing user experience. Complete Security Standard Selection: To ensure the security and privacy of your wireless communication, we provide several prevailing standards on market. WEP (Wired Equivalent Privacy) is a legacy method to encrypt each frame transmitted via radio using either a 64-bit or 128-bit key.
Example 2 Example 3 Separate the Wireless and the Wired LAN- WLAN Isolation enables you to isolate your wireless LAN from wired LAN for either quarantine or limit access reasons. To isolate means neither of the parties can access each other. To elaborate an example for business use, you may set up a wireless LAN for visitors only so they can connect to Internet without hassle of the confidential information leakage.
3.11.2 General Settings By clicking the General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information. Enable Wireless LAN Check the box to enable wireless function. Mode Select an appropriate wireless mode. Mixed (11b+11g)-The router communicates with standard 802.11b and standard 802.11g STAs simultaneously. 11g only-The router communicates with standard 802.11b STAs.
Hide SSID Check it to prevent from wireless sniffing and make it harder for unauthorized clients or STAs to join your wireless LAN. Depending on the wireless utility, the user may only see the information except SSID or just cannot see any thing about Vigor wireless router while doing site survey. SSID Means the identification of the wireless LAN. SSID can be any text numbers or various special characters. The default SSID is "default". We suggest you to change it.
upload. Default value is 30,000 kbps. Download – Type the transmitting rate for data download. Default value is 30,000 kbps. 3.11.3 Security This page allows you to set security with different modes for SSID 1, 2, 3 and 4 respectively. After configuring the correct settings, please click OK to save and invoke it. Mode Disable-Turn off the encryption mechanism. For the security of your router, please select any one of the encryption mode here.
WEP For key length 64 bits - For 64 bits WEP key, either 5 ASCII characters, such as 12345 (or 10 hexadecimal digitals leading by 0x, such as 0x4142434445.) For key length 128 bits - For 128 bits WEP key, either 13 ASCII characters, such as ABCDEFGHIJKLM. (or 26 hexadecimal digits leading by 0x, such as 0x4142434445464748494A4B4C4D) All wireless devices must support the same WEP encryption bit size and have the same key. Four keys can be entered here, but only one key can be selected at a time.
3.11.5 WDS WDS means Wireless Distribution System. It is a protocol for connecting two access points (AP) wirelessly. Usually, it can be used for the following application: y y Provide bridge traffic between two LANs through the air. Extend the coverage range of a WLAN. To meet the above requirement, two WDS modes are implemented in Vigor router. One is Bridge, the other is Repeater.
Click WDS from Wireless LAN menu. The following page will be shown. 130 Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one. Security There are three types for security, Disable, WEP and Pre-shared key. The setting you choose here will make the following WEP or Pre-shared key field valid or not. Choose one of the types for the router.
Settings Encryption Mode - If you checked the box of Use the same WEP key …, you do not need to choose 64-bit or 128-bit as the Encryption Mode. If you do not check that box, you can set the WEP key now in this page. Key Index - Choose the key that you want to use after selecting the proper encryption mode. Key - Type the content for the key. Pre-shared Key Type 8 ~ 63 ASCII characters or 64 hexadecimal digits leading by “0x”.
3.11.6 AP Discovery Vigor router can scan all regulatory channels and find working APs in the neighborhood. Based on the scanning result, users will know which channel is clean for usage. Also, it can be used to facilitate finding an AP for a WDS link. Notice that during the scanning process (about 5 seconds), no client is allowed to connect to Vigor. This page is used to scan the existence of the APs on the wireless LAN. Yet, only the AP which is in the same channel of this router can be found.
3.11.7 Station List Station List provides the knowledge of connecting wireless clients now along with its status code. There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Refresh Click this button to refresh the status of station list. Add Click this button to add current selected MAC address into Access Control.
3.12 System Maintenance For the system setup, there are several items that you have to know the way of configuration: Status, Administrator Password, Configuration Backup, Syslog, Time and Date, Reboot System and Firmware Upgrade. 3.12.1 System Status The System Status provides basic network settings of Vigor router. It includes LAN and WAN interface information. Also, you could get the current running firmware version or firmware related information from this presentation.
3.12.2 Administrator Password This page allows you to set new password. Old Password Type in the old password. The factory default setting for password is blank. New Password Type in new password in this filed. Retype New Password Type in the new password again. When you click OK, the login window will appear. Please use the new password to access into the web configurator again. 3.12.3 Configuration Backup Backup the Configuration Follow the steps below to backup your configuration. 1.
3. In Save As dialog, the default filename is config.cfg. You could give it another name by yourself. 4. Click Save button, the configuration will download automatically to your computer as a file named config.cfg. The above example is using Windows platform for demonstrating examples. The Mac or Linux platform will appear different windows, but the backup function is still available. Restore Configuration 1. Go to System Maintenance >> Configuration Backup.
Enable Check “Enable” to activate this function. Syslog Server IP The IP address of the Syslog server. Destination Port Assign a port for the Syslog protocol. Enable syslog message Check the required item for viewing its log on syslog message. SMTP Server The IP address of the SMTP server. Mail To Assign a mail address for sending mails out. Return-Path Assign a path for receiving the mail from outside. Authentication Check this box to activate this function.
3.12.5 Time and Date It allows you to specify where the time of the router should be inquired from. 138 Current System Time Click Inquire Time to get the current time. Use Browser Time Select this option to use the browser time from the remote administrator PC host as router’s system time. Use Internet Time Client Select to inquire time information from Time Server on the Internet using assigned protocol. Time Protocol Select a time protocol.
Automatically Update Interval Select a time interval for updating from the NTP server. Click OK to save these settings. 3.12.6 Management This page allows you to manage the settings for access control, access list, port setup, and SMP setup. For example, as to management access control, the port number is used to send/receive SIP message for building a session. The default value is 5060 and this must match with the peer Registrar when making VoIP calls.
Set Community Set community by typing a proper name. The default setting is private. Manager Host IP Set one host as the manager to execute SNMP function. Please type in IP address to specify certain host. Trap Community Set trap community by typing a proper name. The default setting is public. Notification Host IP Set the IP address of the host that will receive the trap community. Trap Timeout The default setting is 10 seconds. 3.12.
Click System Maintenance>> Firmware Upgrade to launch the Firmware Upgrade Utility. Click OK. The following screen will appear. For the detailed information about firmware update, please go to Chapter 4. 3.13 Diagnostics Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. 3.13.1 WAN Connection Click Diagnostics and click WAN Connection to open the web page. According to the model you have, the WAN connection page will differ slightly.
Broadband Access Mode/Status WAN IP Address Display the broadband access mode and status. If the broadband connection is active, it will show Internet access mode is enabled. If the connection is idle, it will show “---”. The WAN IP address for the active connection. Dial PPPoE or PPPoA Click it to force the router to establish a PPPoE or PPPoA connection. DropPPPoE or PPPoA Click it to force the router to cut off a PPPoE or PPPoA connection. 3.13.
3.13.4 ARP Cache Table Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address. Refresh Click it to reload the page. Clear Click it to clear the whole table. 3.13.5 DHCP Table The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc.
Refresh Click it to reload the page. 3.13.6 NAT Sessions Table Click Diagnostics and click NAT Sessions Table to open the setup page. 144 Private IP:Port It indicates the source IP address and port of local PC. #Pseudo Port It indicates the temporary port of the router used for NAT. Peer IP:Port It indicates the destination IP address and port of remote host. Ifno It displays the representing number for different interface.
3.13.7 Ping Diagnosis Click Diagnostics and click Ping Diagnosis to pen the web page. Ping to Use the drop down list to choose the destination that you would like to ping. IP Address Type in the IP address of the Host/IP that you want to ping. Run Click this button to start the ping work. The result will be displayed on the screen. Clear Click this link to remove the result on the window.
3.13.8 Data Flow Monitor This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds. The IP address listed here is configured in Bandwidth Management. You have to enable IP bandwidth limit and IP session limit before invoke Data Flow Monitor. If not, a notification dialog box will appear to remind you enabling it. Click Diagnostics and click Data Flow Monitor to open the web page.
Index Display the number of the data flow. IP Address Display the IP address of the monitored device. TX rate (kbps) Display the transmission speed of the monitored device. RX rate (kbps) Display the receiving speed of the monitored device. Sessions Display the session number that you specified in Limit Session web page. Action Block - can prevent specified PC accessing into Internet within 5 minutes. Unblock – the device with the IP address will be blocked in five minutes.
This page is left blank.
4 Application and Examples 4.1 Create a LAN-to-LAN Connection Between Remote Office and Headquarter The most common case is that you may want to connect to network securely, such as the remote branch office and headquarter. According to the network structure as shown in the below illustration, you may follow the steps to create a LAN-to-LAN profile. These two networks (LANs) should NOT have the same network address. Settings in Router A in headquarter: 1.
For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. 150 3. Go to LAN-to-LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection. 5.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. 6. Set Dial-In settings to as shown below to allow Router B dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. 7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection. Settings in Router B in the remote office: 1. 152 Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK.
2. Then, for using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup. For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. 3. Go to LAN-to-LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. 6. Set Dial-In settings to as shown below to allow Router A dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. 7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
4.2 Create a Remote Dial-in User Connection Between the Teleworker and Headquarter The other common case is that you, as a teleworker, may want to connect to the enterprise network securely. According to the network structure as shown in the below illustration, you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host. Settings in VPN Router in the enterprise office: 1.
3. Go to Remote Dial-In Users. Click on one index number to edit a profile. 4. Set Dial-In settings to as shown below to allow the remote user dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above.
Settings in the remote host: 1. For Win98/ME, you may use "Dial-up Networking" to create the PPTP tunnel to Vigor router. For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.draytek.com download center. Install as instructed. 2. After successful installation, for the first time user, you should click on the Step 0. Configure button.
You may further specify the method you use to get IP, the security method, and authentication method. If the Pre-Shared Key is selected, it should be consistent with the one set in VPN router. If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method. The User Name and Password should be consistent with the one set up in the VPN router.
4. Click Connect button to build connection. When the connection is successful, you will find a green light on the right down corner. 4.3 QoS Setting Example Assume a teleworker sometimes works at home and takes care of children. When working time, he would use Vigor router at home to connect to the server in the headquarter office downtown via either HTTPS or VPN to check email and access internal database. Meanwhile, children may chat on VoIP or Skype in the restroom. 160 1.
3. Select POP3 and SMTP on the left column and add to right column. Click OK to exit. 4. Enter the Class Name of Index 2. In this index, she will set reserve bandwidth for HTTP. And click Basic on the right. 5. Select HTTPS in the list on the left column and click on ADD to add to right column. Click OK to exit. 6. Check the Enable UDP Bandwidth Control on the bottom to prevent enormous UDP traffic of VoIP influent other application. 7.
And click Advanced button on the right. 8. Click edit to open a new window. First, check the ACT box. Then click SrcEdit to set a worker’s subnet address. Click DestEdit to set headquarter’s subnet address. Leave other fields and click OK. 4.4 LAN – Created by Using NAT An example of default setting and the corresponding deployment are shown below. The default Vigor router private IP address/Subnet Mask is 192.168.1.1/255.255.255.0.
To use another DHCP server in the network rather than the built-in one of Vigor Router, you have to change the settings as shown below. You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage.
4.5 Calling Scenario for VoIP function 4.5.1 Calling via SIP Sever Example 1: Both John and David have SIP Addresses from different service providers. John’s SIP URL: 1234@draytel.org, David’s SIP URL: 4321@iptel.org Settings for John DialPlan index 1 Phone Number: 1111 Display Name: David SIP URL: 4321@iptel.org SIP Accounts Settings --Profile Name: draytel1 Register via: Auto SIP Port: 5060 (default) Domain/Realm: draytel.org Proxy: draytel.
Example 2: Both John and David have SIP Addresses from the same service provider. John’s SIP URL: 1234@draytel.org , David’s SIP URL: 4321@draytel.org Settings for John DialPlan index 1 Phone Number: 1111 Display Name: David SIP URL: 4321@draytel.org SIP Accounts Settings --Profile Name: draytel 1 Register via: Auto SIP Port: 5060 (default) Domain/Realm: draytel.org Proxy: draytel.
4.5.2 Peer-to-Peer Calling Example 3: Arnor and Paulin have Vigor routers respectively, they can call each other without SIP Registrar. First they must have each other’s IP address and assign an Account Name for the port used for calling. Arnor’s SIP URL: 1234@214.61.172.53 Paulin’s SIP URL: 4321@ 203.69.175.24 Settings for Arnor DialPlan index 1 Phone Number: 1111 Display Name: paulin SIP URL: 4321@ 203.69.175.
4.6 Upgrade Firmware for Your Router Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. 1. Insert CD of the router to your CD ROM. 2. From the webpage, please find out Utility menu and click it. 3. On the webpage of Utility, click Install Now! (under Syslog description) to install the corresponding program. 4. The file RTSxxx.exe will be asked to copy onto your computer. Remember the place of storing the execution file. 5.
9. Double click on the icon of router tool. The setup wizard will appear. 10. Follow the onscreen instructions to install the tool. Finally, click Finish to end the installation. 11. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility. 12. Type in your router IP, usually 192.168.1.1. 13. Click the button to the right side of Firmware file typing box. Locate the files that you download from the company web sites.
14. Click Send. 15. Now the firmware update is finished.
4.7 Request a Certificate from a CA Server on Windows CA Server 170 1. Go to Certificate Management and choose Local Certificate. 2. You can click GENERATE button to start to edit a certificate request. Enter the information in the certificate request.
3. Copy and save the X509 Local Certificate Requet as a text file and save it for later use. 4. Connect to CA server via web browser. Follow the instruction to submit the request. Below we take a Windows 2000 CA server for example. Select Request a Certificate.
Select Advanced request. Select Submit a certificate request a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file Import the X509 Local Certificate Requet text file. Select Router (Offline request) or IPSec (Offline request) below. Then you have done the request and the server now issues you a certificate. Select Base 64 encoded certificate and Download CA certificate. Now you should get a certificate (.cer file) and save it. 5.
you will find the below window showing “------BEGIN CERTIFICATE------.....” 6. You may review the detail information of the certificate by clicking View button.
4.8 Request a CA Certificate and Set as Trusted on Windows CA Server 1. 174 Use web browser connecting to the CA server that you would like to retrieve its CA certificate. Click Retrive the CA certificate or certificate recoring list.
2. In Choose file to download, click CA Certificate Current and Base 64 encoded, and Download CA certificate to save the .cer. file. 3. Back to Vigor router, go to Trusted CA Certificate. Click IMPORT button and browse the file to import the certificate (.cer file) into Vigor router. When finished, click REFRESH and you will find the below illustration. 4. You may review the detail information of the certificate by clicking View button.
176 Vigor2700 Series User’s Guide
5 Trouble Shooting This section will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration. Please follow sections below to check your basic installation status stage by stage. z Checking if the hardware status is OK or not. z Checking if the network connection settings on your computer are OK or not. z Pinging the router from your computer. z Checking if the ISP settings are OK or not.
For Windows 178 The example is based on Windows XP. As to the examples for other operation systems, please refer to the similar steps or find support notes in www.draytek.com. 1. Go to Control Panel and then double-click on Network Connections. 2. Right-click on Local Area Connection and click on Properties. 3. Select Internet Protocol (TCP/IP) and then click Properties.
4. Select Obtain an IP address automatically and Obtain DNS server address automatically. For MacOs 1. Double click on the current used MacOs on the desktop. 2. Open the Application folder and get into Network. 3. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
5.3 Pinging the Router from Your Computer The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the router. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer. We suggest you setting the network connection as get IP automatically. (Please refer to the section 4.2) Please follow the steps below to ping the router correctly.
Vigor2700 Series User’s Guide 181
5.4 Checking If the ISP Settings are OK or Not Click Internet Access group and then check whether the ISP settings are set correctly. For PPPoE/PPPoA Users 182 1. Check if the Enable option is selected. 2. Check if Username and Password are entered with correct values that you got from your ISP.
For MPoA Users 1. Check if the Enable option for Broadband Access is selected. 2. Check if all parameters of DSL Modem Settings are entered with correct value that provided by your ISP. Especially, check if the encapsulation is selected properly or not (it should be the same with the setting on Quick Start Wizard). 3. Check if IP Address, Subnet Mask and Gateway are set correctly (must identify with the values from your ISP) if you choose Specify an IP address. 5.
Hardware Reset While the router is running (ACT LED blinking), press the Factory Reset button and hold for more than 5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the router will restart with the default configuration. F a ctory Reset PWR Factory Reset ADSL2+ 4 3 2 1 LAN After restore the factory default setting, you can configure the settings for the router again to fit your personal request. 5.