Vigor2900 Series Security Router User’s Guide
Version: 2.0
Date: 2006/1/16

Copyright 2005 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. The scope of delivery and other details are subject to change without prior notice. Microsoft is a registered trademark of Microsoft Corp.
Table of Contents

1 Preface
1.1 LED Indicators and Connectors
1.1.1 Front and Rear View for Vigor2900
1.1.2 Front and Rear View for Vigor2900G
3.1 Dynamic DNS Setup
3.2 Call Control and PPP/MP Setup
3.3 Call Schedule Setup
3.4 NAT Setup
4.7.2 Triggered Dial-out Packet Header
4.7.3 Viewing Routing Table
4.7.4 View ARP Cache Table
4.7.5 Viewing DHCP Assigned IP Addresses
1 Preface

Designed to meet the requirements of residential, SOHO (Small Office and Home Office) and business users, the Vigor2900 series provides exceptional bandwidth for Internet access.
1.1.1 Front and Rear View for Vigor2900

[Figure: front and rear panels of the Vigor2900]

LED             Status     Explanation
ACT (Activity)  Blinking   The router is powered on and running properly.
DMZ             On         DMZ Host is specified in certain site.
QoS             On         The QoS function is active.
Attack          On         DoS Defense function is active.
Attack          Blinking   An attack is detected.

Other LEDs: VPN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, P1 - P4, WAN, Factory Reset.
1.1.2 Front and Rear View for Vigor2900G

[Figure: front and rear panels of the Vigor2900G]

LED             Status     Explanation
ACT (Activity)  Blinking   The router is powered on and running properly.
QoS             On         The QoS function is active.
WLAN            On         The wireless LAN function is enabled.

Other LEDs: Attack, VPN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, P1 - P4, WAN, Factory Reset.
1.1.3 Front and Rear View for Vigor2900Gi

[Figure: front and rear panels of the Vigor2900Gi]

LED             Status     Explanation
ACT (Activity)  Blinking   The router is powered on and running properly.
ISDN            On         The ISDN network is correctly setup.
ISDN            Blinking   A successful remote connection on the ISDN BRI B1/B2 channel.

Other LEDs: WLAN, Attack, VPN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, P1 - P4, WAN, ISDN, Factory Reset.
1.1.4 Front and Rear View for Vigor2900i

[Figure: front and rear panels of the Vigor2900i]

LED             Status     Explanation
ACT (Activity)  Blinking   The router is powered on and running properly.
ISDN            On         The ISDN network is correctly setup.

Other LEDs: QoS, Attack, VPN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, P1 - P4, WAN, ISDN, Factory Reset.
1.1.5 Front and Rear View for Vigor2900V

[Figure: front and rear panels of the Vigor2900V]

LED                 Status     Explanation
ACT (Activity)      Blinking   The router is powered on and running properly.
QoS                 On         The QoS function is active.
Phone (FXS1, FXS2)  On         The phone is off hook (the handset of phone is hanging).
Phone (FXS1, FXS2)  Blinking   A phone call is incoming.
VPN                 On         The VPN tunnel is launched.
Printer             On         The USB interface printer is ready.

Other LEDs: WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, FXS 2 - 1, P1 - P4, WAN, Factory Reset.
1.1.6 Front and Rear View for Vigor2900VG

[Figure: front and rear panels of the Vigor2900VG]

LED                 Status     Explanation
ACT (Activity)      Blinking   The router is powered on and running properly.
QoS                 On         The QoS function is active.
Phone (FXS1, FXS2)  On         The phone is off hook (the handset of phone is hanging).
Phone (FXS1, FXS2)  Blinking   A phone call is incoming.

Other LEDs: WLAN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, FXS 2 - 1, P1 - P4, WAN, Factory Reset.
1.1.7 Front and Rear View for Vigor2900VGi

[Figure: front and rear panels of the Vigor2900VGi]

LED                 Status     Explanation
ACT (Activity)      Blinking   The router is powered on and running properly.
ISDN                On         The ISDN network is correctly setup.
ISDN                Blinking   A successful remote connection on the ISDN BRI B1/B2 channel.
Phone (FXS1, FXS2)  On         The phone is off hook (the handset of phone is hanging).

Other LEDs: WLAN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, FXS 2 - 1, P1 - P4, WAN, Factory Reset.
1.1.8 Front and Rear View for Vigor2900Vi

[Figure: front and rear panels of the Vigor2900Vi]

LED             Status     Explanation
ACT (Activity)  Blinking   The router is powered on and running properly.
ISDN            On         The ISDN network is correctly setup.
ISDN            Blinking   A successful remote connection on the ISDN BRI B1/B2 channel.

Other LEDs: Phone (FXS1, FXS2), VPN, Printer, WAN, LAN (1, 2, 3, 4).
Interfaces: Printer, PWR, 0/1, FXS 2 - 1, P1 - P4, WAN, Factory Reset.
1.2 Hardware Installation

Before starting to configure the router, you have to connect your devices correctly.

1. Connect this device to a router with an Ethernet cable.
2. Connect one port of the 4-port switch to your computer with an RJ-45 cable. This device allows you to connect 4 PCs directly.
3. Connect one end of the power cord to the power port of this device. Connect the other end to a wall power outlet.
4. Connect detachable antennas to the router for Vigor2900 Series.
5.
2 Configuring Basic Settings

To use the router properly, you need to change the web configuration password for security and adjust the primary basic settings. This chapter explains how to set up an administrator password and how to adjust the basic settings for accessing the Internet successfully. Be aware that only the administrator can change the router configuration.

2.1 Changing Password

For security reasons, it is strongly recommended that you set the administrator password for the router.
Notice: Some of the settings might not appear as above, because the home page will change slightly according to the features that your router has.

4. Click Administrator Password Setup from the Basic Setup group.
5. Enter the login password (the default is blank) in the Old Password field. Type a new one in the New Password field and retype it in the Retype New Password field. Then click OK to continue.
6. Now, the password has been changed.
2.2 Quick Start Wizard

If your router can be under an environment with high speed NAT, the configuration provided here can help you to deploy and use the router quickly. The first screen of the Quick Start Wizard asks for the login password. After typing the password, click Next. The following screen will appear.
Please select the appropriate time zone for the router. Then, click Next.

2.2.1 Selecting Protocol

In the Quick Start Wizard, you can configure the router to access the Internet with different protocol/modes such as PPPoE, PPTP, L2TP, Static IP or DHCP. The router supports the DSL WAN interface for Internet access.

2.2.2 PPPoE

PPPoE stands for Point-to-Point Protocol over Ethernet. It relies on two widely accepted standards: PPP and Ethernet.
PPPoE is used by most DSL modem users. All local users can share one PPPoE connection for accessing the Internet. Your service provider will give you the user name, password, and authentication mode. If your ISP provides you with a PPPoE connection, please select PPPoE for this router. The following page will be shown:

User Name - Assign a specific valid user name provided by the ISP.
Password - Assign a valid password provided by the ISP.
Retype Password - Retype the password.
2.2.3 PPTP

For PPTP connection, please click PPTP as the protocol. Click Next to see the following page.

User Name - Assign a specific valid user name provided by the ISP.
Password - Assign a valid password provided by the ISP.
Retype Password - Retype the password.
Obtain an IP address automatically - Click this selection to get the IP address from the router automatically.
Specify an IP address - Click this selection to specify an IP address and subnet mask manually.
PPTP Server IP - Specify the IP address of the PPTP Server.

After finishing the settings in this page, click Next to see the following page. Click Finish to save current settings and restart the router.
2.2.4 L2TP

Note: This setting is available only for Vigor 2900, Vigor 2900G, Vigor 2900Gi and Vigor 2900i.

Click L2TP as the protocol. Click Next to see the following page.

User Name - Assign a specific valid user name provided by the ISP.
Password - Assign a valid password provided by the ISP.
Retype Password - Retype the password.
Obtain an IP address automatically - Click this selection to get the IP address from the router automatically.
Subnet Mask - Type the subnet mask.
PPTP Server IP - Specify the IP address of the PPTP Server.

After finishing the settings in this page, click Next to see the following page. Click Finish to save current settings and restart the router.

2.2.5 Static IP

Click Static IP as the protocol.
Click Next to see the following page.

WAN IP - Type the WAN IP address obtained from the ISP.
Subnet Mask - Type the subnet mask obtained from the ISP.
Gateway - Type the gateway address obtained from the ISP.
Primary DNS - Type the IP address of the primary DNS obtained from the ISP.
Second DNS - Type the IP address of the secondary DNS.

After finishing the settings in the above page, click Next to see the following page. Click Finish to save current settings and restart the router.
2.2.6 DHCP

Click DHCP as the protocol. Click Next to see the following page.

Host Name - Specify the host name for the router.
MAC - This is an optional setting. The router will detect the MAC address automatically. If not, click Clone MAC Address to obtain it.

Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page.
Click Finish to save current settings and restart the router.

2.3 LAN TCP/IP and DHCP Server

Basics of LAN

The most generic function of the Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router will talk to other public hosts on the Internet by using its public IP address and talk to local hosts by using its private IP address.
will serve for IP routing to help hosts in the public subnet to communicate with other public hosts or servers outside. Therefore, the router should be set as the gateway for public hosts.

What is Routing Information Protocol (RIP)

The Vigor router will exchange routing information with neighboring routers using RIP to accomplish IP routing. This allows users to change router information such as the IP address, and the routers will automatically inform each other.
What are Virtual LANs

You can group local hosts by physical ports and create up to 4 virtual LANs. To manage the communication between different groups, please set up rules in Virtual LAN (VLAN) function and the rate of each.

Web Page Configuration

This page provides you the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup.

1st IP Address - Type in private IP address for connecting to a local private network (Default: 192.168.1.1).
2nd DHCP Server - You can configure the router to serve as a DHCP server for the 2nd subnet.

Start IP Address: Enter a value of the IP address pool for the DHCP server to start with when issuing IP addresses. If the 2nd IP address of your router is 220.135.240.1, the starting IP address must be 220.135.240.2 or greater, but smaller than 220.135.240.254.

IP Pool Counts: Enter the number of IP addresses in the pool. The maximum is 10. For example, if you type 3 and the 2nd IP address of your router is 220.
DHCP server for your network. If you want to use a DHCP server in the network other than the Vigor router’s, you can let Relay Agent redirect the DHCP request to the specified location.

Enable Server - Let the router assign an IP address to every host in the LAN.
Disable Server - Let you manually assign an IP address to every host in the LAN.
Relay Agent - (1st subnet/2nd subnet) Specify the subnet where the DHCP server is located, to which the relay agent should redirect the DHCP request.
2.4 ISDN Setup

ISDN stands for Integrated Services Digital Network. It is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires.

Note: The following is available for Vigor2900VGi/Vi only.

ISDN Port - Click Enable to open the ISDN port and Disable to close it.
Country Code - For proper operation on your local ISDN network, you should choose the correct country code.
Own Number - Enter your ISDN number.
which can simulate a real ISDN terminal adapter installed on your computer. You can install CAPI-compliant software for dial-up networking, fax or voice applications, depending on the functionality of the CAPI software you installed. To employ the VTA feature, please download the VTA drivers (available only for Windows 98SE/2000/XP) from http://www.draytek.com/english/support/download.php.

2.5 Wireless LAN Setup

Note: The following is available for G models only.

2.5.
Security Overview

Real-time Hardware Encryption: The Vigor router is equipped with a hardware AES encryption engine so it can apply the highest protection to your data without influencing user experience.

Complete Security Standard Selection: To ensure the security and privacy of your wireless communication, we provide several prevailing standards on the market. WEP (Wired Equivalent Privacy) is a legacy method to encrypt each frame transmitted via radio using either a 64-bit or 128-bit key.
Example 3: Separate the Wireless and the Wired LAN

WLAN Isolation enables you to isolate your wireless LAN from the wired LAN, either to quarantine it or to limit access. To isolate means neither of the parties can access the other. As an example for business use, you may set up a wireless LAN for visitors only, so they can connect to the Internet without the concern of confidential information leakage.
2.5.2 General Settings

By clicking the General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information.

Enable Wireless LAN - Check the box to enable wireless function.
Mode - Select an appropriate wireless mode.
  Mixed (11b+11g) - The radio can support both IEEE802.11b and IEEE802.11g protocols simultaneously.
  11g only - The radio only supports IEEE802.11g.
  11b only - The radio only supports IEEE802.11b.
LAN. The SSID can be any text, numbers or various special characters.

Channel - The frequency channel of the wireless LAN. The default channel is 6. You may switch channels if the selected channel is under serious interference.
Hide SSID - Check it to prevent wireless sniffing and make it harder for unauthorized clients or STAs to join your wireless LAN.
2.5.3 Security

By clicking the Security Settings, a new web page will appear so that you could configure the settings of WEP and WPA.

Mode - There are several modes provided for you to choose.
  Disable - Turn off the encryption mechanism.
  WEP Only - Accepts only WEP clients and the encryption key should be entered in WEP Key.
  WEP/802.1x Only - Accept WEP clients with 802.1x authentication.
applicable if you select WPA/PSK.
  WEP/802.1x or WPA/802.1x - Accept WEP or WPA clients with 802.1x authentication. Only Mixed(WPA+WPA2) is applicable if you select WPA/PSK. Since the key will be auto-negotiated during authentication, the field of key setting below will be not available for input.
  WPA/PSK Only - Accepts WPA clients and the encryption key should be entered in PSK. Remember to select WPA type to define either Mixed or WPA2 only in the field below.
  WPA/802.1x Only - Accept WPA clients with 802.
All wireless devices must support the same WEP encryption bit size and have the same key. Four keys can be entered here, but only one key can be selected at a time. The keys can be entered in ASCII or Hexadecimal. Check the key you wish to use.

2.5.4 Access Control

For additional security of wireless access, the Access Control facility allows you to restrict the network access right by controlling the wireless LAN MAC address of client.
Client’s MAC Address - Manually enter the MAC address of wireless client.
Attribute
  v - Select to apply VPN to the connection of the wireless client of the MAC address.
  s - Select to isolate the wireless connection of the wireless client of the MAC address from LAN.
Add - Add a new MAC address into the list.
Remove - Delete the selected MAC address in the list.
Edit - Edit the selected MAC address in the list.
Cancel - Give up the access control set up.
2.6 Internet Access Setup

The Quick Start Wizard offers an easy way to quickly set up the connection mode for the router. If you want to adjust more settings for different WAN modes, please go to the Quick Setup group and click the Internet Access Setup link. This section introduces some basic concepts of the Internet and explains the connection modes in detail.

2.6.1 Basics of Internet Protocol (IP) Network

IP means Internet Protocol.
If your router supports the ISDN function, you will get the following page with ISDN dial-up Internet Access. The following sections will introduce the Internet Access Modes.

2.6.2 PPPoE

As a CPE device, the Vigor router encapsulates the PPP session for transport across the ADSL loop and your ISP’s Digital Subscriber Line Access Multiplexer (DSLAM). To choose PPPoE as the protocol for accessing the Internet, please select PPPoE from the Internet Access menu. The following web page will be shown.
PPPoE Link - Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
ISP Name - Type in the ISP Name provided by ISP in this field.
Username - Type in the username provided by ISP in this field.
Password - Type in the password provided by ISP in this field.
Index (1-15) in Schedule Setup - You can type in four sets of time schedule for your request.
By checking the checkbox Join NAT IP Pool, data from NAT hosts will be round-robin forwarded on a session basis.
IP addresses for other purposes, such as DMZ host and Open Ports.

WAN physical type - Check and choose the proper duplex type between this device and the other router that you want to communicate with. Both sides should use the same physical type; otherwise, the connection might fail due to inconsistent types. It is recommended that you set Auto negotiation as the physical type.

After finishing all the settings here, please click OK to activate them.

2.6.
Access Control - Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.

ISDN Dial Backup Setup - This setting is available for the routers supporting ISDN function only. Before utilizing the ISDN dial backup feature, you must create a dial backup profile first. Please click Internet Access Setup > Dialing to a Single ISP to enter the backup profile.
PING Interval - Enter the interval for the system to execute the PING operation.

WAN physical type - Check and choose the proper duplex type between this device and the other router that you want to communicate with. Both sides should use the same physical type; otherwise, the connection might fail due to inconsistent types. It is recommended that you set Auto negotiation as the physical type.
Specify an IP address - Click this radio button to specify some data if you want to use Static IP mode.
  IP Address - Type the IP address.
  Subnet Mask - Type the subnet mask.
  Gateway IP Address - Type the gateway IP address.
DNS Server IP Address - Type in the primary IP address for the router if you want to use Static IP mode. If necessary, type in a secondary IP address for future use.

After finishing all the settings here, please click OK to activate them.

2.6.
PPTP Setup
  PPTP Link - Click Enable to enable a PPTP client to establish a tunnel to a DSL modem on the WAN interface.
  PPTP Server - Specify the IP address of the PPTP server.

ISP Access Setup
  ISP Name - Type in the ISP Name provided by ISP in this field.
  Username - Type in the username provided by ISP in this field.
  Password - Type in the password provided by ISP in this field.
  Index (1-15) in Schedule Setup - You can type in four sets of time schedule for your request.
Idle Timeout - Set the time after which the Internet connection is dropped when there has been no activity.

IP Address Assignment Method (IPCP)
  Fixed IP - Usually the ISP dynamically assigns an IP address to you each time you connect and request one. In some cases, your ISP always assigns you the same IP address whenever you request. In this case, you can fill in this IP address in the Fixed IP field. Please contact your ISP before you use this function.
L2TP Setup
  L2TP Link - Click Enable to enable a L2TP client to establish a tunnel to a DSL modem on the WAN interface.
  L2TP Server - Specify the IP address of the L2TP server.

ISP Access Setup
  ISP Name - Type in the ISP Name provided by ISP in this field.
  Username - Type in the username provided by ISP in this field.
  Password - Type in the password provided by ISP in this field.
  Index (1-15) in Schedule Setup - You can type in four sets of time schedule for your request.
use the same physical type; otherwise, the connection might fail due to inconsistent types. It is recommended that you set Auto negotiation as the physical type.

2.6.6 Dialing to a Single ISP

If you access the Internet via a single ISP, press this link.

ISP Name - Enter your ISP name.
Dial Number - Enter the ISDN access number provided by your ISP.
Username - Enter the username provided by your ISP.
Password - Enter the password provided by your ISP.
Idle Timeout - Idle timeout means the router will disconnect after being idle for a preset amount of time. The default is 180 seconds. If you set the time to 0, the ISDN connection to the ISP will always remain on.
Fixed IP - In most environments, you should not change these settings as most ISPs provide a dynamic IP address for the router when it connects to the ISP. If your ISP provides a fixed IP address, check Yes to invoke this function and enter the IP address in the field of Fixed IP Address.
- The Virtual TA client only supports the CAPI 2.0 protocol and has no built-in FAX engine.
- One ISDN BRI interface has two B channels. The maximum number of active clients is also two.
- Before you configure the Virtual TA, you must set the correct country code.

As depicted in the above application scenario, the Virtual TA client can make an outgoing call or accept an incoming call to/from a peer FAX machine or ISDN TA, etc.
Virtual TA Server
  Enable: Select it to activate the server.
  Disable: Select it to deactivate the server. All Virtual TA applications will be terminated.
Username - Enter the username of a specific client.
Password - Enter the password of a specific client.
MSN1/MSN2/MSN3 - MSN stands for Multiple Subscriber Number. It means you can apply for more than one ISDN line number over a single subscribed line. Note that the service must be acquired from your telecom. Specify the MSN numbers for a specific client.
On the client - Right-click the mouse on the VT icon. The following pop-up menu will be shown. Click the Virtual TA Login tab to launch the login box. Enter the Username/Password and then click OK. After a short time, the VT icon text will turn green.

MSN Configuration

If you have applied for an MSN number service, the Virtual TA server can assign which client has the specified MSN number. When an incoming call arrives, the server will inform the appropriate client.
3 Advanced Web Configuration

After finishing the basic configuration of the router, you can access the Internet with ease. If you want to adjust more settings to suit your needs, please refer to this chapter for detailed information about the advanced configuration of this router. For other application examples, please refer to chapter 4.

3.1 Dynamic DNS Setup

The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP.
Active - Display if this account is active or inactive.
View Log - It opens another dialog and shows log for DDNS information.
Force Update - Click this button to get the newest DDNS information.

3. Select Index number 1 to add an account for the router.
4. Check Enable Dynamic DNS Account, and choose correct Service Provider: dyndns.org, type the registered hostname: hostname and domain name suffix: dyndns.org in the Domain Name block.
3.2 Call Control and PPP/MP Setup

Some applications require that the router (only for the i models) be remotely activated, or be able to dial up to the ISP via the ISDN interface. Vigor routers provide this feature which allows you to make a phone call to the router and then ask it to dial up to the ISP. Accordingly, you can access your remote network to retrieve resources.
PPP Authentication - It specifies the PPP authentication method for PPP/MP connections. Normally you can set it to PAP/CHAP for better compatibility.
TCP Header Compression - VJ Compression - It is used for TCP/IP protocol header compression. Normally it is set to None to improve bandwidth utilization.
Idle Timeout - Because our ISDN link type is “Dial On Demand”, the connection will be initiated only when needed.
Index - Click the number below Index to open the setting page of the schedule.
Status - Display if this schedule setting is active or inactive.

You can set up to 15 schedules. Then you can apply them to your Internet Access or VPN and Remote Access >> LAN-to-LAN settings.

To add a schedule, please click any index, say Index No. 1. The detailed settings of the call schedule with index 1 are shown below.

Enable Schedule Setup - Check to enable the schedule.
Disable Dial-On-Demand - Specify the connection to be up when it has traffic on the line. Once there is no traffic for longer than the idle timeout, the connection will go down and will not come up again during the schedule.
Idle Timeout - Specify the duration (or period) for the schedule.
How often - Specify how often the schedule will be applied.
  Once - The schedule will be applied just once.
  Weekdays - Specify which days in one week should perform the schedule.
On NAT page, you will see the private IP address defined in RFC-1918. Usually we use the 192.168.1.0/24 subnet for the router. As stated before, the NAT facility can map one or more IP addresses and/or service ports into different specified services. In other words, the NAT function can be achieved by using port mapping methods.

Click NAT Setup on the Advanced Setup page. The setting items for NAT will be shown as below.

3.4.
Service Name - Enter the description of the specific network service.
Protocol - Select the transport layer protocol (TCP or UDP).
Public Port - Specify which port can be redirected to the specified Private IP and Port of the internal host.
Private IP - Specify the private IP address of the internal host providing the service.
Private Port - Specify the private port number of the service offered by the internal host.
Active - Check this box to activate the port-mapping entry you have defined.
3.4.2 DMZ Host Setup

As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of a host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. The Vigor router provides a DMZ Host facility that maps ALL unsolicited data on any protocol to a single host in the LAN.
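The difference in WAN exposure between a Port Redirection entry and a DMZ host, modelled as an added example (not DrayTek code). The addresses, service names and probe list are constructed, and checking port redirection entries before the DMZ host is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortRedirect:
    """One Port Redirection entry, using the field names from the setup page."""
    service: str
    protocol: str          # "TCP" or "UDP"
    public_port: int
    private_ip: str
    private_port: int
    active: bool = True


@dataclass(frozen=True)
class NatConfig:
    redirects: Tuple[PortRedirect, ...]
    dmz_host: Optional[str] = None   # None means the DMZ Host function is disabled


def resolve_inbound(cfg, protocol, dst_port=None):
    """Where does an unsolicited WAN packet end up?

    Returns (private_ip, private_port, matched_rule), or None if it is dropped.
    Assumption: port redirection entries are consulted before the DMZ host.
    """
    protocol = protocol.upper()
    if protocol in ("TCP", "UDP"):
        for r in cfg.redirects:
            if r.active and r.protocol.upper() == protocol and r.public_port == dst_port:
                return (r.private_ip, r.private_port, "port redirection: " + r.service)
    if cfg.dmz_host is not None:
        # The DMZ host receives everything else, including port-less protocols.
        return (cfg.dmz_host, dst_port, "DMZ host")
    return None


def newly_exposed(before, after, probes):
    """Probes that `before` drops but `after` delivers to a LAN host."""
    return [p for p in probes
            if resolve_inbound(before, *p) is None
            and resolve_inbound(after, *p) is not None]


# Constructed sample configuration and probe set.
REDIRECTS = (
    PortRedirect("web", "TCP", 80, "192.168.1.10", 8080),
    PortRedirect("ftp", "TCP", 21, "192.168.1.11", 21, active=False),
)
PROBES = [("TCP", 80), ("TCP", 21), ("TCP", 3389), ("UDP", 161), ("ESP", None), ("AH", None)]
WITHOUT_DMZ = NatConfig(REDIRECTS)
WITH_DMZ = NatConfig(REDIRECTS, dmz_host="192.168.1.10")

if __name__ == "__main__":
    for name, cfg in (("redirects only", WITHOUT_DMZ), ("DMZ host enabled", WITH_DMZ)):
        print(name)
        for probe in PROBES:
            print("  ", probe, "->", resolve_inbound(cfg, *probe) or "dropped")
    print("newly exposed by DMZ host:", newly_exposed(WITHOUT_DMZ, WITH_DMZ, PROBES))
```

With redirects only, a single TCP port reaches the LAN; enabling the DMZ host delivers every other probe to that one machine, so it needs its own host firewall and patching.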
Enable - Check to enable the DMZ Host function.
Private IP - Enter the private IP address of the DMZ host, or click Choose PC to select one.
Choose PC - Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host.

When you have selected one private IP from the above dialog, the IP address will be shown on the following screen.
Index - Indicate the relative number for the particular entry that you want to offer service in a local host. You should click the appropriate index number to edit or clear the corresponding entry.
Comment - Specify the name for the defined network service.
Aux. WAN IP - Display the private IP address of the local host that you specify in WAN Alias. If you did not specify any IP address in WAN Alias, this item will not be shown.
However, if you have previously set up WAN Alias in Internet Access>>PPPoE, you will find that WAN IP appears for your selection.

Enable Open Ports - Check to enable this entry.
Comment - Make a name for the defined network application/service.
Local Computer - Enter the private IP address of the local host or click Choose PC to select one.
Choose PC - Click this button and, subsequently, a window having a list of private IP addresses of local hosts will automatically pop up.
3.4.4 View Well-Known Ports List

There is a list providing some well-known port numbers of certain services/applications for your reference.

3.4.5 Multi-NAT Setup

If you have a group of static public IP addresses obtained from your ISP, you can use the Multi-NAT feature to set up multiple DMZ hosts or multiple hosts with open ports on your Vigor router. Click Internet Access Setup on the Quick Setup group of the main page. Next, click Static or Dynamic IP. The following screen will appear.
When you press the WAN IP Alias button, a window will show up for you to input other public IP addresses. The Join NAT IP Pool check box indicates that the local users can use this IP to connect to the Internet. If you do not check this check box, this IP address will not be available to the local users. After you configure the WAN IP Alias feature, these addresses can be selected on DMZ Hosts or Open Ports pages.
3.5 RADIUS Setup

Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users. The built-in RADIUS client feature enables the router to assist the remote dial-in user or a wireless station and the RADIUS server in performing mutual authentication.
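How the RADIUS shared secret configured on this page protects messages, following RFC 2865: an added example, not DrayTek code. The function names are illustrative and the secret, user name and password are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def _md5(data):
    return hashlib.md5(data).digest()


def attr(attr_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): XOR with an MD5 keystream
    derived from the shared secret and the 16-byte Request Authenticator."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = _md5(secret + prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server side: recover the password; a different secret yields garbage."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = _md5(secret + prev)
        prev = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(prev, mask))
    return clear.rstrip(b"\x00")


def build_access_request(identifier, user, password, secret, request_auth=None):
    """Client side (the router's role): Access-Request with a hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + _md5(header + request_auth + attrs + secret) + attrs


def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if its authenticator matches our secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = _md5(packet[:4] + request_auth + packet[20:length] + secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    ra = os.urandom(16)
    request = build_access_request(7, b"alice", b"hunter2", secret, ra)
    print("request bytes:", request.hex())
    reject = build_response(ACCESS_REJECT, 7, ra, b"", secret)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]   # Reject rewritten to Accept in transit
    print("genuine reject verifies:", verify_response(reject, ra, secret))
    print("rewritten reply verifies:", verify_response(forged, ra, secret))
```

The shared secret is the only key material in both constructions, so a long random value limits offline guessing against captured packets.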
Shared Secret - The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret.
Re-type Shared Secret - Re-type the Shared Secret for confirmation.

3.6 Static Route Setup

Choose Static Route Setup on the Advanced Setup group.

Index - The number (1 to 10) under Index allows you to open next page to setup static route.
Destination Address - Displays the destination address of the static route.
is that those hosts on the internal private subnets (e.g. 192.168.10.0/24) can access the Internet via the router and continuously exchange IP routing information with different subnets.
2. Click Index Number 1 from the Static Route Configuration page. Please add a static route as shown below, which specifies that all packets destined to 192.168.10.0 will be forwarded to 192.168.1.2. Click OK.
3. Return to Static Route Setup page.
Delete Static Route
1. Click the Index Number that you want to delete from the Static Route Configuration page.
2. Select Empty/Clear from the drop-down menu, and then click the OK button to delete the route.
Deactivate Static Route
1. Click the Index Number that you want to disable from the Static Route Configuration page.
2. Select Inactive/Disable from the drop-down menu, and then click the OK button to delete the route.
3.7 IP Filter/Firewall Setup
3.7.1 Basics for Firewall
While broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has always been the foremost concern. The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders. It also restricts users in the local network from accessing the Internet. Furthermore, it can filter out specific packets that trigger the router to build an unwanted outgoing connection.
• Data Filter - When there is an existing Internet connection, Data Filter is applied to incoming and outgoing traffic. It will check packets according to the filter rules. If legal, the packet will pass the router. The following illustrations are flow charts explaining how the router will treat incoming traffic and outgoing traffic respectively.
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer.
Denial of Service (DoS) Defense
The DoS Defense functionality helps you to detect and mitigate DoS attacks. The attacks are usually categorized into two types: flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to exhaust all of your system's resources, while vulnerability attacks try to paralyze the system by exploiting vulnerabilities of the protocol or operating system.
Web Content Filter (for V models only) We all know that the content on the Internet just like other types of media may be inappropriate sometimes. As a responsible parent or employer, you should protect those in your trust against the hazards. With Web filtering service of the Vigor router, you can protect your business from common primary threats, such as productivity, legal liability, network and security threats. For parents, you can protect your children from viewing adult websites or chat rooms.
Filter Rule - Click a button numbered (1 ~ 7) to edit the filter rule. Clicking the button will open the Edit Filter Rule web page. For detailed information, refer to the following page.
Active - Enable or disable the filter rule.
Comment - Enter filter set comments/description. Maximum length is 23 characters.
Next Filter Set - Set the link to the next filter set to be executed after the current filter run. Do not make a loop with many filter sets.
Pass or Block Specifies the action to be taken when packets match the rule. Block Immediately - Packets matching the rule will be dropped immediately. Pass Immediately - Packets matching the rule will be passed immediately. Block If No Further Match - A packet matching the rule, and that does not match further rules, will be dropped. Pass If No Further Match - A packet matching the rule, and that does not match further rules, will be passed through.
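A model of the four Pass or Block actions and the Next Filter Set chain, added here as an illustration and not taken from the router's firmware. It assumes rules are checked in order, that a later "If No Further Match" rule replaces an earlier pending verdict, and that a packet matching no rule is passed; the set numbers, rules and addresses are constructed around the 192.168.1.10 host used as the restricted user in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Action names follow the "Pass or Block" options on this page.
BLOCK_NOW = "Block Immediately"
PASS_NOW = "Pass Immediately"
BLOCK_LATER = "Block If No Further Match"
PASS_LATER = "Pass If No Further Match"


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"            # source network in CIDR form
    dst: str = "0.0.0.0/0"            # destination network in CIDR form
    proto: Optional[str] = None       # "tcp", "udp" or None for any
    dst_port: Optional[int] = None    # None for any port
    active: bool = True

    def matches(self, pkt: dict) -> bool:
        if not self.active:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst))


@dataclass
class FilterSet:
    rules: list
    next_set: Optional[int] = None    # the "Next Filter Set" link


def evaluate(filter_sets: dict, start: int, pkt: dict, default: str = "pass"):
    """Return (verdict, deciding rule) for one packet.

    Raises ValueError if the Next Filter Set links form a loop, the
    misconfiguration the guide warns against.
    """
    pending = None
    visited = set()
    current = start
    while current is not None:
        if current in visited:
            raise ValueError(f"filter set loop at set {current}")
        visited.add(current)
        for idx, rule in enumerate(filter_sets[current].rules, 1):
            if not rule.matches(pkt):
                continue
            where = f"set {current} rule {idx}"
            if rule.action == BLOCK_NOW:
                return "block", where
            if rule.action == PASS_NOW:
                return "pass", where
            # "If No Further Match": remember the verdict and keep looking.
            pending = ("block" if rule.action == BLOCK_LATER else "pass", where)
        current = filter_sets[current].next_set
    return pending if pending else (default, "no match")


# Constructed configuration: host 192.168.1.10 may not browse the web,
# except for one permitted server (203.0.113.5, a documentation address).
SETS = {
    1: FilterSet([Rule(BLOCK_LATER, src="192.168.1.10/32",
                       proto="tcp", dst_port=80)], next_set=2),
    2: FilterSet([Rule(PASS_LATER, src="192.168.1.10/32",
                       dst="203.0.113.5/32", proto="tcp", dst_port=80)]),
}
WEB_BLOCKED = {"src": "192.168.1.10", "dst": "198.51.100.7",
               "proto": "tcp", "dst_port": 80}
WEB_ALLOWED = {"src": "192.168.1.10", "dst": "203.0.113.5",
               "proto": "tcp", "dst_port": 80}
OTHER_HOST = {"src": "192.168.1.20", "dst": "198.51.100.7",
              "proto": "tcp", "dst_port": 80}

if __name__ == "__main__":
    for name, pkt in [("blocked site", WEB_BLOCKED),
                      ("permitted site", WEB_ALLOWED),
                      ("other host", OTHER_HOST)]:
        print(name, evaluate(SETS, 1, pkt))
```

Changing the first rule to Block Immediately makes the exception in set 2 unreachable, so the order and action of each rule matter as much as its match fields.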
Don’t care - No action will be taken towards fragmented packets.
Unfragmented - Apply the rule to unfragmented packets.
Fragmented - Apply the rule to fragmented packets.
Too Short - Apply the rule only to packets that are too short to contain a complete header.
IP Address - Specify a source and destination IP address for this filter rule to apply to. Click Edit to open the following page and type in the IP address.
Example of Restricting Unauthorized Internet Services To set a simple example to restrict someone from accessing WWW services, we assume the IP address of the access-restricted user is 192.168.1.10. The filter rule is created in the Data Filter set and is shown as below. 3.7.2 General Setup General Setup allows you to adjust settings of IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter.
Call Filter Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter. Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Log Flag For troubleshooting needs you can specify the filter log here. None - The log function is not activated. Block - All blocked packets will be logged. Pass - All passed packets will be logged. No Match - The log function will record all packets that are not matched.
Active Check this box to invoke this setting. MAC Address Type in the MAC Address of the device that the router connects to. Pass Scheduler (1..15) Let the device with the specific MAC address to be passed within certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Call Schedule Setup in Advanced Setup group setup. If the four boxes are left blank, that means the traffic for the MAC address is “always pass”.
Enable DoS Defense - Check the box to activate the DoS Defense functionality.
Enable SYN flood defense - Check the box to activate the SYN flood defense function. Once the number of TCP SYN packets is detected to have exceeded the defined Threshold, the Vigor router will start to discard the subsequent TCP SYN packets for a period defined in Timeout. The goal is to prevent TCP SYN packets from exhausting the limited resources of the Vigor router.
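The Threshold and Timeout behaviour of the SYN flood defense, modelled as an added example that is not the router's implementation. It assumes Threshold counts SYN packets per second, Timeout is in seconds, and the packet that crosses the threshold is itself still forwarded; the values and packet traces are constructed.

```python
class SynFloodDefense:
    """Threshold/Timeout state machine for TCP SYN packets."""

    def __init__(self, threshold, timeout):
        self.threshold = threshold    # SYN packets per second (assumed unit)
        self.timeout = timeout        # discard period in seconds (assumed unit)
        self.window_start = None      # start of the current one-second window
        self.count = 0                # SYNs seen in the current window
        self.block_until = 0.0        # SYNs arriving before this time are dropped

    def on_syn(self, now):
        """Return True if the SYN is forwarded, False if it is discarded."""
        if now < self.block_until:
            return False
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.threshold:
            # Threshold exceeded: discard subsequent SYNs for Timeout seconds.
            self.block_until = now + self.timeout
        return True


def replay(defense, times):
    """Feed SYN arrival times (seconds) and return (forwarded, discarded)."""
    verdicts = [defense.on_syn(t) for t in times]
    return verdicts.count(True), verdicts.count(False)


def demo(threshold=50, timeout=10):
    # Constructed trace 1: 200 SYNs, one every millisecond (a flood).
    flood = [i / 1000 for i in range(200)]
    d = SynFloodDefense(threshold, timeout)
    flood_result = replay(d, flood)
    # A legitimate client connecting during the Timeout is discarded as well.
    during_timeout = d.on_syn(5.0)
    after_timeout = d.on_syn(10.1)

    # Constructed trace 2: 40 SYNs per second for 3 seconds (below Threshold).
    steady = [s + k / 40 for s in range(3) for k in range(40)]
    steady_result = replay(SynFloodDefense(threshold, timeout), steady)
    return {
        "flood": flood_result,
        "legit_during_timeout": during_timeout,
        "legit_after_timeout": after_timeout,
        "steady": steady_result,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The trace shows the trade-off behind the two settings: a low Threshold or long Timeout also discards legitimate connection attempts that arrive while the defense is active.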
header. The reason for this limitation is that IP options are a potential security vulnerability for the LAN because they carry significant information, such as security, TCC (closed user group) parameters, a series of Internet addresses, routing messages, etc. An eavesdropper outside might learn the details of your private networks.
Block Land - Check the box to make the Vigor router defend against Land attacks. The Land attack combines the SYN attack technology with IP spoofing.
the protocol types greater than 100 are reserved and undefined at this time. Therefore, the router should have the ability to detect and reject this kind of packet.
Warning Messages - We provide a Syslog function for the user to retrieve messages from the Vigor router. The user, acting as a Syslog server, receives the reports sent from the Vigor router, which is a Syslog client. All the warning messages related to DoS defense will be sent to the user, who can review them through the Syslog daemon.
Enable URL Access Control Check the box to activate URL Access Control. Block websites with matching keywords Click this button to restrict accessing into the corresponding webpage with the keywords listed on the box below. Allow websites with matching keywords Click this button to allow accessing into the corresponding webpage with the keywords listed on the box below. Keyword The Vigor router provides 8 frames for users to define keywords and each frame supports multiple keywords.
Prevent web access from IP address - Check the box to deny any web surfing activity using an IP address, such as http://202.6.3.2. The reason for this is to prevent someone from dodging the URL Access Control. You must clear your browser cache first so that the URL content filtering facility operates properly on a web page that you visited before.
Enable Restrict Web Feature - Check the box to activate the function.
Java - Check the checkbox to activate the Block Java object function.
3.7.6 Web Content Filter (for V models only) Choose IP Filter/Firewall Setup on the Advanced Setup group and click the Web Content Filter link. For this section, please refer to Web Content Filter user’s guide.
3.7.7 IM Blocking IM Blocking means instant messenger blocking. You will see a list of common IM (such as MSN, Yahoo, ICQ/AQL) applications. Check Enable IM Blocking and select the one(s) that you want to block. To block selected IM applications during specific periods, enter the number of the scheduler predefined in Call Schedule Setup. Choose IP Filter/Firewall Setup on the Advanced Setup group and click the IM Blocking link. 3.7.8 P2P Blocking P2P is the short name of peer to peer.
Action - Specify the action for each protocol.
Allow – Allow the client to access into the application through the specified protocol.
Disallow – Forbid the client to access into the application through the specified protocol.
Disallow upload – Forbid the client to access into the application through the specified protocol for uploading. Yet downloading is allowed.
3.8 VPN and Remote Access Setup A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. Choose VPN and Remote Access Setup on the Advanced Setup group, you can see the following page. 3.8.
Dial-In PPP Authentication PAP Only - Select this option to force the router to authenticate dial-in users with the PAP protocol. PAP or CHAP - Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first. If the dial-in user does not support this protocol, it will fall back to use the PAP protocol for authentication.
3.8.3 VPN IKE/IPSec General Setup
In IPSec General Setup, there are two major parts of configuration. There are two phases of IPSec.
• Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman parameter values, and lifetime to protect the following IKE exchange, authentication of both peers using either a Pre-Shared Key or Digital Signature (X.509).
(data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. 3.8.4 Remote User Profile Setup (Teleworker) You can manage remote access by maintaining a table of remote user profile, so that users can be authenticated to dial-in or build the VPN connection.
Enable this account - Check the box to enable this function.
Idle Timeout - If the dial-in user is idle over the limitation of the timer, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds.
ISDN - Allow the remote ISDN dial-in connection. You can further set up Callback function below. You should set the User Name and Password of remote dial-in user below. This feature is for i model only.
IKE Pre-Shared Key Check the box of Pre-Shared Key to invoke this function and type in the required characters (1-63) as the pre-shared key. IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy when you specify the remote node. Check the Medium, DES, 3DES or AES box as the security method. Medium -Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is invoked. You can uncheck it to disable it.
Click to clear all indexes. Name Indicate the name of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty Status Indicate the status of individual profiles. The symbol V and X represent the profile to be active and inactive, respectively. Click each index to edit each profile and you will get the following page. Each LAN-to-LAN profile includes 4 subgroups. If the fields gray out, it means you may leave it untouched.
Profile Name Specify a name for the profile of the LAN-to-LAN connection. Enable this profile Check here to activate this profile. Call Direction Specify the allowed call direction of this LAN-to-LAN profile. Both:-initiator/responder Dial-Out- initiator only Dial-In- responder only. Always On or Idle Timeout Always On-Check to enable router always keep VPN connection. Idle Timeout: The default value is 300 seconds. If the connection has been idled over the value, the router will drop the connection.
User Name - This field is applicable when you select PPTP or L2TP w/ or w/out IPSec policy above.
Password - This field is applicable when you select PPTP or L2TP w/ or w/out IPSec policy above.
PPP Authentication - This field is applicable when you select PPTP or L2TP w/ or w/out IPSec policy above. PAP/CHAP is the most common selection due to wide compatibility.
VJ compression - This field is applicable when you select PPTP or L2TP w/ or w/out IPSec policy above.
Main mode. IKE phase 1 proposal-To propose the local available authentication schemes and encryption algorithms to the VPN peers, and get its feedback to find a match. Two combinations are available for Aggressive mode and nine for Main mode. We suggest you select the combination that covers the most schemes. IKE phase 2 proposal-To propose the local available algorithms to the VPN peers, and get its feedback to find a match. Three combinations are available for both modes.
Allowed Dial-In Type - Determine the dial-in connection with different types.
ISDN - Allow the remote ISDN dial-in connection. You can further set up Callback function below. You should set the User Name and Password of remote dial-in user below. This feature is useful for i model only.
PPTP - Allow the remote dial-in user to make a PPTP VPN connection through the Internet. You should set the User Name and Password of remote dial-in user below.
methods on the right side. If you uncheck the checkbox, the connection type you select above will apply the authentication methods and security methods in the general settings. User Name This field is applicable when you select PPTP or L2TP w/ or w/out IPSec policy above. Password This field is applicable when you select PPTP or L2TP w/ or w/out IPSec policy above. VJ Compression VJ Compression is used for TCP/IP protocol header compression.
phase. If the PPP IP address is fixed by remote side, specify the fixed IP address here. Remote Network IP/ Remote Network Mask Add a static router to direct all traffic destined to this Remote Network IP Address/ Remote Network Mask through the VPN connection. For IPSec, this is the destination clients IDs of phase 2 quick mode. More Add a static router to direct all traffic destined to more Remote Network IP Addresses/ Remote Network Mask through the VPN connection.
your applications to operate. This has to manually set up port mappings or use other similar methods. The screenshots below show examples of this facility. The UPnP facility on the router enables UPnP aware applications such as MSN Messenger to discover what are behind a NAT router. The application will also learn the external IP address and configure port mappings on the router.
• Some Microsoft operating systems have been found to have UPnP weaknesses, so you need to ensure that you have applied the latest service packs and patches.
• Non-privileged users can control some router functions, including removing and adding port mappings.
The UPnP function dynamically adds port mappings on behalf of some UPnP-aware applications. When the applications terminate abnormally, these mappings may not be removed.
3.10 VoIP Setup
Note: This setting is available for V model series.
The major benefit of this mode is that you don’t have to memorize your friend’s IP address, which might change very frequently if it’s dynamic. Instead, you only have to use the dial plan or directly dial your friend’s account name if you are with the same SIP Registrar. Please refer to Example 1 and 2 in the Calling Scenario.
• Peer-to-Peer - Before calling, you have to know your friend’s IP Address. The Vigor VoIP Routers will build connection between each other.
3.10.1 DialPlan Setup In this section, you can set your VoIP contacts in the “phonebook” we called DialPlan - help you to make calls quickly and easily by using “speed-dial” Phone Number. There are total 60 index entries in the DialPlan for you to store all your friends and family members’ SIP addresses. Click any index number to display the dial plan setup page. Enable Click this to enable this entry. Phone Number The speed-dial number of this index.
3.10.2 SIP Related Functions Setup In this section, you set up your own SIP settings. When you apply for an account, your SIP service provider will give you an Account Name or user name, SIP Registrar, Proxy, and Domain name. (The last three might be the same in some case). Then you can tell your folks your SIP Address as in Account Name@ Domain name As Vigor VoIP Router is turned on, it will first register with Registrar using accountname@Domain/Realm.
choose None and check the box to achieve the goal. Some SIP servers allow users to use the VoIP function without registering. For such servers, please check the box of make call without register. Choosing Auto is recommended. The system will select a proper way for your VoIP call.
Display Name - You can enter any string as a display name in this field. This will be shown on the caller side.
3.10.3 CODEC/RTP/DTMF Setup
The codec used for each call can be negotiated with the peer party before each session.
Mic/Speaker Gain - Adjust the volume of microphone and speaker by entering a number from 1 to 10. The larger the number, the louder the volume.
Default Codec - There are five different CODECs you can choose as your preferred CODEC. However, the CODEC actually used is negotiated with the peer party before the session is established. The default CODEC is G.
will contain 20 ms voice information. The more data contained in a single packet, the less overhead it creates but may increase.
Voice Active Detector - Choose On to enable this function to detect if the user is talking or not. If it is silent, the Vigor router will take action to save the bandwidth.
Dial Tone Power Level This setting is used to adjust the loudness of the dial tone. The smaller the number is, the louder the dial tone is. It is recommended for you to use the default setting. Ring Frequency This setting is used to drive the frequency of the ring tone. It is recommended for you to use the default setting. 3.10.4 Tone Settings This setting is provided for fitting the telecommunication custom for the local area of the router installed.
supports, please use the default setting.
3.10.5 Voice Call Status
On VoIP call status, you can find codec, connection and other important call status for both VoIP 1 and 2 ports.
Refresh Seconds - Specify the interval of refresh time to obtain the latest VoIP calling information. The information will update immediately when the Refresh button is clicked.
Refresh - Update current VoIP communication status.
Channel - It shows current connection status for the port of VoIP1 and VoIP2.
Rx Pkts Total number of received voice packets during this connection session. Rx Losts Total number of lost packets during this connection session. Rx Jitter The jitter of received voice packets. In Calls The accumulating in-call times. Out Calls The accumulating out-call times. Volume Gain The volume of present call. Log Display logs of VoIP calls. 3.11 VLAN/Rate Control Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port.
Enable Check this box to enable this function (for VLAN Configuration). P1 – P4 Check the box to make the computer connecting to the port being grouped in specified VLAN. Be aware that each port can be grouped in different VLAN at the same time only if you check the box. For example, if you check the boxes of VLAN0-P1 and VLAN1-P1, you can make P1 to be grouped under VLAN0 and VLAN1 simultaneously. VLAN0-3 This router allows you to set 4 groups of virtual LAN.
3. To remove VLAN, uncheck the needed box and click OK to save the results. 3.12 QoS Control Setup Deploying QoS (Quality of Service) management to guarantee that all applications receive the service levels required and sufficient bandwidth to meet performance expectations is indeed one important aspect of modern enterprise network.
Vigor routers as edge routers of DS domain shall check the marked DSCP value in the IP header of bypassing traffic, thus to allocate certain amount of resource execute appropriate policing, classification or scheduling. The core routers in the backbone will do the same checking before executing treatments in order to ensure service-level consistency throughout the whole QoS-enabled network.
Reserved Bandwidth Ratio It is reserved for the group index in the form of ratio of reserved bandwidth to upstream speed and reserved bandwidth to downstream speed. Setup There are two-level of settings: Basic - setup Reserved Bandwidth Ratio according to the traffic service type. We provide a list of common service types. Click this button to open basic configuration for each index number. Choose one of the items from the left box and click ADD>>. The selected one will be shown on the right box.
level type by the system. Please assign one of the levels of the data for processing with QoS control.
Service Type – It determines the service type of the data for processing with QoS control. It can also be edited. Simply click the Add/Edit/Delete button to open the following page. You can add a new service name as needed. Also, you can Edit/Delete to change the one that you added before.
Please type in the service name, select Service type (TCP/UDP and both). Next choose either one of the port configuration type (Single or Range) and type in the range for the Port Number. Enable UDP Bandwidth Control Check this and set the limited bandwidth ratio on the right field. This is a protection of TCP application traffic since UDP application traffic such as streaming video will exhaust lots of bandwidth.
4 System Management 4.1 Online Status The Online Status provides basic network settings of Vigor router. It includes LAN and WAN interface information. Also, you could get the current running firmware version or firmware related information from this presentation. Primary DNS Displays the assigned IP address of the primary DNS. Secondary DNS Displays the assigned IP address of the secondary DNS. IP Address (in LAN) Displays the IP address of the LAN interface.
VPN Displays the VPN connection name. Type Displays the VPN connection type. Remote IP Displays the remote IP of VPN connection. Virtual Network Displays the IP address and subnet mask of virtual network. Tx Pkts Displays the total transmitted packets. Tx Rate Displays the speed of transmitted packets. Rx Pkets Displays the total number of received packets. Rx Rate Displays the speed of received packets Uptime Displays the total system uptime of the VPN connection.
2. Click Backup button to get into the following dialog. 3. Click Save button to open another dialog for saving configuration as a file. In Save As dialog, the default filename is config.cfg. You could give it another name by yourself.
4. Click Save button, the configuration will download automatically to your computer as a file named config.cfg. The above example is using Windows platform for demonstrating examples. The Mac or Linux platform will appear different windows, but the backup function is still available.
Restore Configuration 1. Click Configuration Backup/Restoration on the System Management group. The following window will be popped-up. 2. Click Browse button to choose the correct configuration file for uploading to the router. 3. Click Restore button and wait for few seconds, the following picture will tell you that the restoration procedure is successful.
4.4 SysLog/Mail Alert Setup SysLog is a popular utility in Unix world. To monitor router activity, you can run a SysLog Daemon to capture all activities from the router. This Daemon program can run on a local PC or a remote one elsewhere on the Internet. In addition, the Vigor routers provide the Mail Alert facility so that the SysLog messages can be packed as an e-mail for someone who wants to receive these messages. In the following, we explain how to setup the SysLog and mail alert functions.
3. From the Syslog screen, select the router you want to monitor. Be reminded that in Network Information, select the network adapter used to connect to the router. Otherwise, you won’t succeed in retrieving information from the router.
The Vigor router will send many types of SysLog messages. Some examples of the SysLog messages with their individual formats are shown below.
4.5 Time Setup It allows you to specify where the time of the router should be inquired from. Current System Time Click Inquire Time to get the current time. Use Browser Time Select this option to use the browser time from the remote administrator PC host as router’s system time. Use Internet Time Select to inquire time information from Time Server on the Internet using assigned protocol. Time Protocol Select a time protocol. Server IP Address Type the IP address of the time sever.
4.6 Management Setup
The port number used to send/receive SIP message for building a session. The default value is 5060 and this must match with the peer Registrar when making VoIP calls.
Enable remote firmware upgrade - Check the checkbox to allow remote firmware upgrade through FTP (File Transfer Protocol).
Allow management from the Internet - Enable the checkbox to allow system administrators to log in from the Internet. By default, it is not allowed.
Trap Community Set trap community by typing a proper name. The default setting is public. Notification Host IP Set the IP address of the host that will receive the trap community. Trap Timeout The default setting is 10 seconds. 4.7 Diagnostic Tools Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. Below shows the menu items for Diagnostics. 4.7.1 ISDN/PPPoE/PPTP Diagnostics Click Diagnostics and click WAN Connection to open the web page.
Dial ISDN - Clicking here causes the router to dial to the preset ISP. Click Internet Access Setup > Dial to a Single ISP to configure dial-up settings.
Activity - Display the connection name for each B channel. If the B channel is idle, it will show Idle.
Drop B1 - Click it to disconnect the B1 channel.
Drop B2 - Click it to disconnect the B2 channel.
Broadband Access Mode/Status - Display the broadband access mode and status.
Click it to reload the page. In the left of each routing rule, you will see a key. These keys are defined as follows. C --- Directly connected. S --- Static route. R --- RIP. * --- Default route. ~ --- Routes for private routing domain. In the right of each routing rule, you will see an interface identifier which is defined as follows. IF0 --- Local LAN interface. IF1 --- ISDN B1 channel. IF2 --- ISDN B2 channel. IF3 --- WAN interface. 4.7.
Click it to clear the whole table. 4.7.5 Viewing DHCP Assigned IP Addresses The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click DHCP Table to open the web page. Click it to reload the page. 4.7.
Click it to reload the page. Each line across the screen indicates an active session. The following information is displayed: Private IP:Port The internal user’s (PC’s) IP address and port number. #Pseudo Port The public port number. Peer IP:Port The peer user’s (PC’s) IP address and port number. Ifno Stands for interface number. The definition is listed below: 0 --- LAN interface. 1 --- B1 interface. 2 --- B2 interface. 3 --- WAN interface. 4.
4.9 Firmware Upgrade (TFTP Server) Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. The following web page will guide you to upgrade firmware by using an example. Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.draytek.com (or local DrayTek's web site) and FTP site is ftp.draytek.com.
5 Application and Examples 5.1 Create a LAN-to-LAN Connection Between Remote Office and Headquarter The most common case is that you may want to connect to network securely, such as the remote branch office and headquarter. According to the network structure as shown in the below illustration, you may follow the steps to create a LAN-to-LAN profile. These two networks (LANs) should NOT have the same network address. Settings in Router A in headquarter: 1.
4. For using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup. For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. Return to VPN and Remote Access Setup page and choose VPN IKE/IPSec General Setup.
5. Return to VPN and Remote Access Setup page and choose LAN-to-LAN Profile Setup.
6. Set Common Settings as shown below. You should enable this profile. 7. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection.
8. Set Dial-In settings as shown below to allow Router B dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. 9.
Settings in Router B in the remote office: 1. Choose VPN and Remote Access Setup on the Advanced Setup group. 2. Select Remote Access Control Setup. The following page will appear. Enable the necessary VPN service and click OK. 3. Then, return to VPN and Remote Access Setup page and choose PPP General Setup. 4. For using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup.
5. Return to VPN and Remote Access Setup page and choose LAN-to-LAN Profile Setup. Click on one index number to edit a profile. 6. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection. 7. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. 8. Set Dial-In settings as shown below to allow Router A dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
9. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
5.2 Create a Remote Dial-in User Connection Between the Teleworker and Headquarter The other common case is that you, as a teleworker, may want to connect to the enterprise network securely. According to the network structure as shown in the below illustration, you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host. Settings in VPN Router in the enterprise office: 1. Choose VPN and Remote Access Setup on the Advanced Setup group. 2.
To use an IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set the general settings in IKE/IPSec General Setup, such as the pre-shared key that both parties know.
5. Return to the VPN and Remote Access Setup page and choose Remote User Profile Setup (Teleworker). Click on one index number to edit a profile.
6. Set Dial-In settings as shown below to allow the remote user to dial in and build the VPN connection.
connection. Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
Settings in the remote host:
1. For Win98/ME, you may use "Dial-up Networking" to create the PPTP tunnel to Vigor router.
3. In Step 2. Connect to VPN Server, click the Insert button to add a new entry. If an IPSec-based service is selected as shown below, you may further specify the method you use to get an IP address, the security method, and the authentication method. If the Pre-Shared Key is selected, it should be consistent with the one set in the VPN router.
If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method. The User Name and Password should be consistent with the ones set up in the VPN router. Selecting "use default gateway on remote network" means that all packets from the remote host will be directed to the VPN server and then forwarded to the Internet. This makes the remote host appear to be working inside the enterprise network.
4. Click the Connect button to build the connection.
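What the "use default gateway on remote network" option changes on the remote host, shown as an added example (not part of the guide or of Smart VPN Client): a simplified routing table with longest-prefix matching, which is also how a router picks the VPN for a remote subnet entered in TCP/IP Network Settings. All addresses, interface names and metrics are constructed assumptions.

```python
import ipaddress

# Constructed sample values; none of these addresses come from the guide.
VPN_SERVER = "203.0.113.10"       # public address of the VPN router
ENTERPRISE_NET = "10.10.0.0/16"   # subnet behind the VPN router
HOME_NET = "192.168.1.0/24"       # teleworker's local LAN


def build_routes(use_remote_default_gateway):
    """Routes of the remote host with the tunnel up: (network, interface, metric)."""
    net = ipaddress.ip_network
    routes = [
        (net("0.0.0.0/0"), "lan", 20),           # ordinary default route
        (net(HOME_NET), "lan", 10),              # directly connected LAN
        (net(ENTERPRISE_NET), "vpn", 10),        # remote network via the tunnel
        # Host route: the tunnel's own packets must still leave via the LAN.
        (net(VPN_SERVER + "/32"), "lan", 10),
    ]
    if use_remote_default_gateway:
        # Modelled as a preferred default route that points into the tunnel.
        routes.append((net("0.0.0.0/0"), "vpn", 5))
    return routes


def select_interface(routes, destination):
    """Longest-prefix match; ties are broken by the lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    network, interface, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return interface


def traffic_report(use_remote_default_gateway):
    """Map a few constructed destinations to the interface that carries them."""
    routes = build_routes(use_remote_default_gateway)
    samples = {
        "enterprise database": "10.10.5.20",
        "public web site": "198.51.100.7",
        "home printer": "192.168.1.50",
        "VPN server itself": VPN_SERVER,
    }
    return {name: select_interface(routes, ip) for name, ip in samples.items()}


if __name__ == "__main__":
    for option in (False, True):
        print("use default gateway on remote network =", option)
        for name, interface in traffic_report(option).items():
            print(f"  {name:20} -> {interface}")
```

With the option off, only the enterprise subnet uses the tunnel and Internet traffic leaves directly through the home router; with it on, Internet traffic also passes through the VPN server, where the enterprise firewall policy applies to it.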
5.3 QoS Setting Example
Assume a teleworker sometimes works at home and takes care of children. During working hours, he would use the Vigor router at home to connect to the server in the headquarters office downtown via either HTTPS or VPN to check email and access the internal database. Meanwhile, the children may chat on VoIP or Skype in the restroom.
1. Make sure the QoS Control on the left corner is checked, and select BOTH in Direction.
2. Enter the Class Name of Index 1.
7. If the worker has connected to the headquarters using a host-to-host VPN tunnel (please refer to Chapter 3 VPN for detailed instructions), he may set up an index for it. Enter the Class Name of Index 3. In this index, he will reserve bandwidth for 1 VPN tunnel. Then click the Advanced button on the right.
8. Click edit to open a new window. First, check the ACT box. Then click SrcEdit to set the worker’s subnet address. Click DestEdit to set the headquarters’ subnet address. Leave the other fields and click OK.
5.
You only need to set the settings inside the red rectangles to suit your NAT usage. To use another DHCP server in the network rather than the built-in one of the Vigor Router, you have to change the settings as shown below.
You only need to set the settings inside the red rectangles to suit your NAT usage.
5.5 Calling Scenario for VoIP function
5.5.1 Calling via SIP Server
Example 1: Both John and David have SIP Addresses from different service providers.
John’s SIP URL: 1234@draytel.org, David’s SIP URL: 4321@iptel.org
Settings for John
DialPlan index 1
Phone Number: 1111
Display Name: David
SIP URL: 4321@iptel.org
SIP Accounts Settings --
Profile Name: draytel1
Register via: Auto
SIP Port: 5060 (default)
Domain/Realm: draytel.org
Proxy: draytel.
Example 2: Both John and David have SIP Addresses from the same service provider.
John’s SIP URL: 1234@draytel.org, David’s SIP URL: 4321@draytel.org
Settings for John
DialPlan index 1
Phone Number: 1111
Display Name: David
SIP URL: 4321@draytel.org
SIP Accounts Settings --
Profile Name: draytel 1
Register via: Auto
SIP Port: 5060 (default)
Domain/Realm: draytel.org
Proxy: draytel.
5.5.2 Peer-to-Peer Calling
Example 3: Arnor and Paulin each have a Vigor router, so they can call each other without a SIP Registrar. First they must have each other’s IP address and assign an Account Name for the port used for calling.
Arnor’s SIP URL: 1234@214.61.172.53
Paulin’s SIP URL: 4321@203.69.175.24
Settings for Arnor
DialPlan index 1
Phone Number: 1111
Display Name: paulin
SIP URL: 4321@203.69.175.
5.6 Upgrade Firmware for Your Router
Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools.
1. Insert the router's CD into your CD-ROM drive.
2. On the webpage, find the Utility menu and click it.
3. On the Utility webpage, click Install Now! (under Syslog description) to install the corresponding program.
4. You will be asked to copy the file RTSxxx.exe onto your computer. Remember where you store the executable file.
5.
9. Double-click the icon of the router tool. The setup wizard will appear.
10. Follow the onscreen instructions to install the tool. Finally, click Finish to end the installation.
11. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility.
12. Type in your router IP, usually 192.168.1.1.
13. Click the button to the right of the Firmware file box. Locate the files that you downloaded from the company web site.
14. Click Send.
15. Now the firmware update is finished.
6 Trouble Shooting
This section will guide you through solving abnormal situations if you cannot access the Internet after installing the router and finishing the web configuration. Please follow the sections below to check your basic installation status stage by stage.
• Checking if the hardware status is OK or not.
• Checking if the network connection settings on your computer are OK or not.
• Pinging the router from your computer.
• Checking if the ISP settings are OK or not.
For Windows
The example is based on Windows XP. For other operating systems, please follow similar steps or find support notes at www.draytek.com.
1. Go to Control Panel and then double-click on Network Connections.
2. Right-click on Local Area Connection and click on Properties.
3. Select Internet Protocol (TCP/IP) and then click Properties.
4. Select Obtain an IP address automatically and Obtain DNS server address automatically.
For Mac OS
1. Double-click the Mac OS currently in use on the desktop.
2. Open the Application folder and go to Network.
3. On the Network screen, select Using DHCP from the drop-down list of Configure IPv4.
6.3 Pinging the Router from Your Computer
The default gateway IP address of the router is 192.168.1.1. You may need to use the “ping” command to check the link status of the router. The most important thing is that the computer receives a reply from 192.168.1.1. If not, please check the IP address of your computer. We suggest setting the network connection to obtain an IP address automatically. (Please refer to section 4.2.) Please follow the steps below to ping the router correctly.
6.4 Checking If the ISP Settings are OK or Not
Click the Internet Access group and then check whether the ISP settings are set correctly. Here, we take PPPoE as an example.
1. Check if the Enable option is selected.
2. Check if Username and Password are entered with the correct values that you got from your ISP.
6.5 Backing to Factory Default Setting If Necessary
Sometimes, a wrong connection can be improved by returning to the default settings. Try to reset the router by software or hardware.
Hardware Reset
While the router is running (ACT LED blinking), press the Factory Reset button and hold it for more than 5 seconds. When you see the ACT LED blink rapidly, release the button. The router will then restart with the default configuration. After restoring the factory default setting, you can configure the router again to fit your needs.
6.