Grandstream Networks, Inc.
COPYRIGHT ©2017 Grandstream Networks, Inc. http://www.grandstream.com All rights reserved. Information in this document is subject to change without notice. Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted. The latest electronic version of this guide is available for download here: http://www.grandstream.
DOCUMENT PURPOSE
This document describes how to configure the GWN7000 to manage wired and wireless networks via an intuitive WebGUI. The intended audience of this document is network administrators. Please visit http://www.grandstream.com/support to download the latest “GWN7000 User Manual”.
CHANGE LOG
This section documents significant changes from previous versions of the GWN7000 user manuals. Only major new features or major document updates are listed here. Minor updates for corrections or editing are not documented here.
Firmware Version 1.0.4.23
• Added support for enabling/disabling MPPE in both PPTP server and client. [MPPE]
Firmware Version 1.0.4.20
• Added support for Additional Routed Subnets.
Firmware Version 1.0.2.71
• This is the initial version.
GWN7000 User Manual Version 1.0.4.
WELCOME
Thank you for purchasing Grandstream GWN7000 Enterprise Multi-WAN Gigabit VPN Router. The GWN7000 is a powerful enterprise-grade multi-WAN Gigabit VPN router. Ideal for the enterprise, small-to-medium business, retail, education, hospitality and medical markets, the GWN7000 supports comprehensive Wi-Fi and VPN solutions that can be shared across one or many different physical locations.
PRODUCT OVERVIEW
Technical Specifications
Table 1: GWN7000 Technical Specifications
Network Interfaces WAN LAN Auxiliary Ports Routing Performance USB Network Protocols VPN
• 2 x autosensing 10/100/1000 WAN Ports
• 1 x autosensing 10/100/1000 configurable as LAN, WAN or VoIP port
• 4 x autosensing 10/100/1000 LAN Ports
• DHCP
• Static IP
• PPPoE
• Load balance & failover
• Rule based routing
• DHCP server
• DNS Cache
• Multiple zones
• VLAN
• 2 x USB 3.
Environmental:
• Operation: 0°C to 50°C
• Storage: -10°C to 60°C
• Humidity: 10% to 90% Non-condensing
Physical:
Unit Dimensions: 200 x 136 x 37mm; Unit Weight: 570g
Entire Package Dimensions: 324 x 163.5 x 54mm; Entire Package Weight: 930g
Package Content:
• GWN7000 Enterprise Router
• 12V/2A Power Adapter
• Quick Installation Guide
• GPL License
Compliance:
FCC, CE, RCM, IC
INSTALLATION
Before deploying and configuring the GWN7000, the device needs to be properly powered up and connected to the network. This section describes detailed information on installation, connection and warranty policy of the GWN7000.
Equipment Packaging
Table 2: GWN7000 Equipment Packaging
Main Case: Yes (1)
Power adaptor: Yes (1)
Quick Installation Guide: Yes (1)
GPL License: Yes (1)
Connect your GWN7000
Figure 1: GWN7000 Front View
Figure 2: GWN7000 Back View
To set up the GWN7000, follow the steps below:
1. Connect one end of an RJ-45 Ethernet cable into the WAN1 and/or WAN2 port(s) of the GWN7000.
2. Connect the other end of the Ethernet cable(s) into a DSL modem or router(s).
3. Connect the 12V DC power adapter into the power jack on the back of the GWN7000. Insert the main plug of the power adapter into a surge-protected power outlet.
4. Wait for the GWN7000 to boot up and connect to internet/network.
GETTING STARTED
The GWN7000 Enterprise Router provides an intuitive web GUI configuration interface for easy management, giving users access to all the configurations and options for the GWN7000’s setup. This section provides step-by-step instructions on how to read the LED indicators and use the Web GUI interface of the GWN7000.
LED Indicators
The front panel of the GWN7000 has LED indicators for power and interface activity; the table below describes the LED indicator statuses.
Figure 3: GWN7000 Web GUI Login Page
To access the Web GUI:
1. Connect a computer to a LAN Port of the GWN7000.
2. Ensure the device is properly powered up, and the Power, LAN port LEDs light up in green.
3. Open a Web browser on the computer and enter the web GUI URL in the following format: https://192.168.1.1 (Default IP address).
4. Enter the administrator’s login and password to access the Web Configuration Menu. The default administrator's username and password are "admin" and "admin".
Figure 4: Change Password on first boot
At first login, a Setup Wizard tool will pop up to help with going through the configuration setup; users can also exit it to configure manually. Setup Wizard can be accessed anytime by clicking on while on the web interface.
Figure 5: Setup Wizard
WEB GUI Languages
Currently the GWN7000 series web GUI supports English and Simplified Chinese. To change the default language, select the displayed language at the upper right of the web GUI either before or after logging in.
Figure 6: GWN7000 Web GUI Language
Figure 7: GWN7000 Web GUI Language
WEB GUI Configuration
GWN7000 web GUI includes 8 main sections to configure and manage the router and check connection status.
• Overview: Provides an overall view of the GWN7000’s information presented in a Dashboard style for easy monitoring.
• Router: Displays device’s status and used to configure ports settings such as IP configuration for WAN ports, load balancing, failover, static routes, port mirroring, QoS and DDNS.
• Network Group: To add and manage wireless network groups using paired access points via VLANs.
• System Settings: For Maintenance and debugging features, as well as generating certificates and file sharing.
Overview Page
Overview is the first page shown after successful login to the GWN7000’s Web Interface. It provides an overall view of the GWN7000’s information presented in a Dashboard style for easy monitoring.
AP Channel Distribution: Shows the Channel used for all APs that are paired with this Access Point.
Top AP: Shows the Top APs list; sort the list by number of clients connected to each AP or data usage combining upload and download. Click on to go to Access Points page for basic and advanced configuration options for the APs.
Top SSID: Shows the Top SSIDs list; sort the list by number of clients connected to each SSID or data usage combining upload and download.
ROUTER CONFIGURATION
This section includes configuration pages for network WAN ports, static routes, QoS and DDNS, and also shows the router status.
Status
The Status page displays Device Status, to check the MAC address, Part Number, firmware-related information and Uptime for the GWN7000, and WAN Status, showing general information about WAN ports such as uptime, current throughput, aggregate usage and IP address, as well as the application traffic. The router’s Status page can be accessed from Web GUI → Router → Status.
WAN Ports Settings
The GWN7000 has 2 WAN ports configured as DHCP clients by default. Each port can be connected to a DSL modem or router. WAN ports also support setting static IPv4/IPv6 addresses and configuring PPPoE for each WAN port. Please refer to the following table for basic network configuration parameters on WAN ports for GWN7000.
Table 5: GWN7000 WEB GUI → Router → Port → WAN Port (1,2)
Enabled: Choose whether to enable or disable the WAN port.
Name: Specify the port name.
This option appears only when “Native IPv6” option is enabled.
Preferred IPv6 DNS: It is used to set a preferred DNS server address (IPv6 address). If Preferred DNS is set, GWN7000 will use it in priority. This option appears only when “Native IPv6” option is enabled.
Alternate IPv6 DNS: It is used to set an Alternate DNS server address (IPv6 address). If Alternate DNS is set, GWN7000 will use it when the Preferred DNS fails.
Password: Set the password (used for endpoint update).
Update Key: Set the update key, it overrides the password used for endpoint update.
Table 7: 6rd Tunnels
WAN Interface: Choose the WAN port on which to setup the 6rd tunnel.
MTU: Set the Maximum Transmission Unit value. The valid range is 64-9000 and default value is 1500.
6rd IPv4 Peer Address: Enter the IPv4 Peer address.
6rd IPv6 Address: Specifies the IPv6 prefix given by the provider.
Load Balance + Failover: In addition to failover, load balance will be used on both ports to optimize the resource utilization. Please note that for this feature to work, WAN ports should be connected to different networks. When selected, user can set Multi-WAN parameters on WAN ports.
Banned Client MAC: Shows the list of banned clients MAC addresses, other MAC addresses could be also added by clicking on or removed by clicking on .
Table 11: IPv4 Static Routes
Name: Enter the Name of the static route to be configured.
Enabled: Select whether to enable or disable this static route.
Group: Choose the LAN’s Network Group, which will be using this static route.
Target Network/Host: Enter the Network/Host IP address on which to route the traffic to. Example: 192.168.5.0
Netmask: Enter the Network/Host Netmask. Example: 255.255.255.0
NextHop: Enter the NextHop IP address. Example: 192.168.5.1.
Metric: Set the metric value.
To activate QoS, check “Enable QoS”. Three tabs are available for configuration:
• Basic: Download and upload bandwidth speeds settings on each WAN interface.
• Upstream QoS: Upstream QoS allows creating Traffic Classes to prioritize traffic for specific resources on the network by controlling transmission/upload rate.
Interface: Select the WAN interface from which the traffic will be classified; make sure to enable the desired interface from QoS Basic in order for it to appear.
Upstream: Set Upstream bandwidth value. The value should end with “Mbit”, “Kbit” or with no unit if the set value is referring to “bit” unit. Note that the sum of created classes should have upstream bandwidth speeds lower than the Upstream bandwidth value configured on QoS Basic.
UDP Source Port: Specify the UDP Source port from which the policer rule will be applied.
UDP Destination Port: Specify the UDP Destination port to which the policer rule will be applied.
Group Source: Choose the LAN group of the specified Source IP address. If no Source IP address has been defined, the rule will be applied to all members of that LAN group.
Table 16: QoS Smart Queue
Enabled: Check this option in order to enable the feature on the WAN interface.
Ignore DSCP on ingress: Select whether to ignore DSCP on ingress packets or not. By default, this option is disabled.
ECN Status on Inbound packets: Select whether to set or not ECN status on inbound packets.
DDNS
DDNS allows accessing GWN7000 via domain name instead of IP address, the GWN7000 supports following DDNS providers:
• Dyndns.org
• Changeip.com
• Zoneedit.com
• Free.editdns.net
• Freedns.afraid.org
• He.Net
• Dnsomatic.Com
• No-ip.pl
• Myonlineportal.
GWN7000 is using Snort for packet inspection and displays traffic status under Status → Application Traffic as shown on the figure below.
Figure 12: DPI Status
The following table contains the description of the DPI configuration settings.
Table 17: DPI Settings
Enable Application Tracking: Enables the application tracking. By default, it’s disabled.
Interface: Select the interface on which the application tracking will be performed. By default, it’s WAN Port 1.
SETTING UP A WIRELESS NETWORK
The GWN7000 Enterprise Router provides the user with the capability to create a wireless network by adding multiple GWN76xx series access points, with connectivity over the most common wireless standards (802.11b/g/n) operating in both 2.4GHz and 5GHz range. The GWN7000 integrates multiple layers of security including the IEEE 802.1x port-based authentication protocol, Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA and WPA2) and firewall and VPN tunnels.
Figure 14: Discovered Devices
3. Click on Pair under Actions, to pair the discovered Access Point with the GWN7000.
4. The paired GWN76xx will appear Online, Click on to unpair it.
Figure 15: GWN7610 online
5. Click on next to paired access point to check device configuration for its status, users connected to it and configuration, or select multiple GWN76xx APs from the same model, and click on
6. Click on to apply same configuration on selected units.
• Fixed IP: Used to set a static IP for the GWN76xx, if checked, the following needs to be configured:
  - IPv4 Address: Enter the IPv4 address to be set as static for the device
  - IPv4 Subnet Mask: Enter the Subnet Mask.
  - IPv4 Gateway: Enter the Network Gateway’s IPv4 Address.
  - Preferred IPv4 DNS: Enter the Primary IPv4 DNS.
  - Alternate IPv4 DNS: Enter the Alternate IPv4 DNS.
• Frequency: Set the GWN76xx’s frequency, it can be either 2.4GHz, 5GHz or Dual-band.
• Radio Power: Set the Radio Power depending on desired cell size to be broadcasted, three options are available: “Low”, “Medium” or “High”. Default is “High”.
• Allow Legacy Device(802.11b): This feature appears when “Mode” option is set to “802.11g” or “802.11n”, it allows legacy devices not supporting “802.11g/n” mode to connect using the “802.11b” mode.
• Custom Wireless Power(dBm): allows users to set a custom wireless power for both 5GHz/2.
Figure 17: Network Group
The GWN7000 will have a default network group named group0, click on to edit it, or click on “Add” to add a new network group.
Figure 18: Add a New Network Group
When editing or adding a new network group, following tabs will appear to configure a network group:
• Basic: Used to name the network group, and set a VLAN ID if adding a new network group, and addressing plans, refer to below table for each field.
Table 19: Basic
Network Group Name: Specifies the name for the network group.
Enabled: Check to activate the newly created network group.
WAN Membership: Select the WAN port membership. Or use Multi-WAN option if enabled under Router → Port → Global Settings
LAN Membership: Select the LAN port membership.
VLAN: Check to enable VLAN.
Enable IPv6: Check to enable IPv6 addressing for this network group.
IPv6 Relay from WAN: Check to allow GWN7000 to relay IPv6 DHCP request from network group’s clients to WAN port.
DHCP Enabled for IPv6: Check whether to enable IPv6 DHCP server for this network group.
IPv6 Prefix for Assignment: Set the prefix value to be assigned to the network group. Valid range is between 1 to 64. Example: 64 will assign /64 prefixes.
IPv6 Subnet Hint: Set the subnet mask value.
IPv6 Uplink: Select the WAN port.
• WEP 128-bit: Using a static WEP key. The characters can only be 0-9 or A-F with a length of 26, or printable ASCII characters with a length of 13.
• WPA/WPA2: Using “PSK” or “802.1x” as WPA Key Mode, with “AES” or “AES/TKIP” Encryption Type.
• WPA2: Using “PSK” or “802.1x” as WPA Key Mode, with “AES” or “AES/TKIP” Encryption Type. Recommended configuration for authentication.
• Open: No password is required. Users will be connected without authentication. Not recommended for security reasons.
Gateway MAC Address: This field is required when using Client Isolation, so users will not lose access to the Network (usually Internet). Type in the default LAN Gateway’s MAC address (router’s MAC address for instance) in hexadecimal separated by “:”. Example: 00:0B:82:8B:4D:D8
RSSI Enabled: Check to enable RSSI function, this will lead the AP to disconnect users below the configured threshold in Minimum RSSI (dBm).
Enter the minimum RSSI value in dBm.
Figure 19: Device Membership
Click on to add the GWN76xx to the network group, or click on to remove it.
• Wi-Fi Schedule: Used to schedule the times when the Wi-Fi is ON or OFF. In the below example, the Wi-Fi is scheduled to be active Monday starting from 8:00 AM until 5:00 PM.
Note: The hour field is in 24-hour format (from 0 to 23). Valid range for minutes is 0-59.
Figure 20: Wi-Fi Schedule
Note: The schedule feature is based on SSID and not network group, meaning that you can schedule the broadcasting of different SSIDs at different periods of the day.
Users can also add a device to a Network Group from the Access Points page:
- Select the desired AP to add to a Network Group and click on .
Figure 21: Add AP to Network Group from Access Points Page
- Check to select the desired Network, on which the selected APs will be added, as shown in the above figure.
Create an SSID under a Network Group
Under Network Group Page, click to edit a network group or create a new network group and go to Wi-Fi tab.
Figure 22: Create an SSID
Refer to [Table 20: Wi-Fi] for Wi-Fi options.
Additional SSID under Same Network Group
GWN7000 provides the ability to create an additional SSID under the same group. To create an additional SSID go to Network Group → Additional SSID.
Figure 23: Additional SSID
Select one of the available network groups from Network Group Membership dropdown menu; this will create an additional SSID with the same Device Membership configured when creating the main network group.
Figure 24: Additional SSID Created
Click on to delete the additional SSID, or to edit it.
Client Bridge
The Client Bridge feature allows an access point to be configured as a client for bridging wired-only clients wirelessly to the network. When an access point is configured in this way, it will share the WiFi connection to the LAN ports transparently. This is not to be confused with a mesh setup. The client will not accept wireless clients in this mode.
CLIENTS CONFIGURATION
Clients
Clients connected to different network groups can be shown and managed from a single interface. The clients list can be accessed from the GWN7000’s Web GUI → Clients to perform different actions on wired and wireless clients. The GWN7000 Enterprise Router, with its DHCP server enabled at the LAN ports level, will automatically assign an IP address to the devices connected to its LAN ports, such as a computer or GWN76xx access points, and to wireless clients connected to paired GWN76xx access points.
Figure 27: Client's Status
Edit IP and Name
The Configuration tab allows setting a name for a client and setting a static IP.
Figure 28: Client's Configuration
Bandwidth Rules
As mentioned in the BANDWIDTH RULES section, users can set bandwidth rules for upstream and downstream links per SSID, or per Client. For Clients, users can set bandwidth rules by navigating to the menu Client → Edit → Bandwidth Rules, then clicking add new item.
The following figure shows the settings:
Figure 29: Client Bandwidth Rules
Block a client
To block a client, click on under actions, this will add automatically the blocked client to Banned Client MAC list under Router → Port → Global Settings.
Figure 30: Block a Client
To unban a client, go to Router → Port → Global Settings. Click on to remove it from the banned list.
Figure 32: Global Blacklist
Figure 33: Managing the Global Blacklist
A second option is to add custom access lists that will be used as a matching mechanism for the MAC address filtering option under network groups and SSIDs, to allow (whitelist) or disallow (blacklist) clients’ access to the WiFi network. Click on in order to create new access list, then fill it with all MAC addresses to be matched.
In order to create a new policy, go under Clients → Time Policy and add a new one, then set the following parameters:
Table 21: Time Policy Parameters
Option: Description
Name: Enter the name of the policy
Enabled: Check the box to enable the policy
Limit Client Connection Time: Sets amount of time a client may be connected.
Client Reconnect Timeout Type: Select the method with which we will reset a client’s connection timer so they may reconnect again. Options are:
• Reset Daily.
• Reset Weekly.
VPN (VIRTUAL PRIVATE NETWORK)
Overview
VPN allows the GWN7000 to be connected to a remote VPN server using PPTP, L2TP/IPSec and OpenVPN® protocols, or to be configured as an OpenVPN® server and generate certificates and keys for clients. The VPN page can be accessed from the GWN7000 Web GUI → VPN.
OpenVPN® Server Configuration
To use the GWN7000 as an OpenVPN® server, you will need to start by creating OpenVPN® certificates and client certificates.
Figure 36: Create CA Certificate
Table 22: CA Certificate
Field: Description
Common Name: Enter the common name for the CA. It could be any name to identify this certificate. Example: “CATest”.
Key Length: Choose the key length for generating the CA certificate. Following values are available:
• 1024: 1024-bit keys are no longer sufficient to protect against attacks.
• 2048: 2048-bit keys are a good minimum. (Recommended).
• 4096: 4096-bit keys are accepted by nearly all RSA systems. Using 4096-bit keys will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations.
Digest Algorithm: Choose the digest algorithm:
• SHA1: This digest algorithm provides a 160-bit fingerprint output based on arbitrary length input.
• SHA-256: This digest algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one-way function – it cannot be decrypted back.
Figure 37: CA Certificate
Generate Server/Client Certificates
Create both server and client certificates for encrypted communication between clients and GWN7000 acting as an OpenVPN® server.
❖ Creating Server Certificate
To create server certificate, follow below steps:
1. Navigate to “System Settings → Cert. Manager → Certificates”.
2. Click on button. A popup window will appear.
Figure 38: Generate Server Certificates
Table 23: Server Certificate
Field: Description
Common Name: Enter the common name for the server certificate. It could be any name to identify this certificate. Example: “ServerCertificate”.
CA Certificate: Select CA certificate previously generated from the drop-down list. Example: “CATest”.
Certificate Type: Choose the certificate type from the drop-down list. It can be either a client or a server certificate. Choose “Server” to generate server certificate.
Key Length: Choose the key length for generating the server certificate. Following values are available:
• 1024: 1024-bit keys are no longer sufficient to protect against attacks. Not recommended.
• 2048: 2048-bit keys are a good minimum. Recommended.
• 4096: 4096-bit keys are accepted by nearly all RSA systems.
Click on button to export the server certificate file in “.crt” format.
Click on button to export the server key file in “.key” format.
Click on button to revoke the server certificate if no longer needed.
Notes:
• The server certificates (.crt and .key) will be used by the GWN7000 when acting as a server.
• The server certificates (.crt and .key) can be exported and used on another OpenVPN® server.
❖ Creating Client Certificate
To create client certificate, follow below steps:
1- Create Users
a.
Field: Description
Enabled: Check to enable the user.
Full Name: Choose full name to identify the users.
Username: Choose username to distinguish client’s certificate.
Password: Enter user password for each username.
IPSec Pre-Shared Key: Enter the pre-shared key to connect to VPN server. This field is used when clients are using pre-shared key.
d. Repeat above steps for each user.
2- Create Client Certificate
a. Navigate under “System Settings → Cert. Manager → Certificates”.
b. Click on button.
c.
Figure 40: Client Certificate
Table 24: Client Certificate
Field: Description
Common Name: Enter the common name for the client certificate. It could be any name to identify this certificate. Example: “ClientCertificate”.
CA Certificate: Select the generated CA certificate from the drop-down list.
Certificate Type: Choose the certificate type from the drop-down list. It can be either a client or server certificate.
Username: Select created user to generate his certificate.
Key Length: Choose the key length for generating the client certificate. Following values are available:
• 1024: 1024-bit keys are no longer sufficient to protect against attacks. Not recommended.
• 2048: 2048-bit keys are a good minimum. Recommended.
• 4096: 4096-bit keys are accepted by nearly all RSA systems. Using 4096-bit keys will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations.
Click on to revoke the client certificate if no longer needed.
The client certificates (“.crt” and “.key”) will be used by clients connected to the GWN7000 in order to establish TLS handshake.
Notes:
• Client certificates generated from the GWN7000 need to be uploaded to the clients.
• For security improvement, each client needs to have their own username and certificate; this way, even if a user is compromised, other users will not be affected.
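The key-length and digest choices described in the certificate tables above can be checked on the exported “.crt” files. The script below is an added example, not part of the Grandstream manual; it assumes the exported files are PEM-encoded and that the OpenSSL command-line tool is installed, and its function names and the constructed sample dump are illustrative. Flagging SHA-1 and MD5 signatures is this example's own policy, in addition to the manual's 2048-bit minimum.

```shell
#!/bin/sh
# Added example (not from the manual): audit certificates exported from the
# router's certificate manager for RSA key length and signature digest.
# Assumption: the exported ".crt" files are PEM-encoded.

MIN_RSA_BITS=2048   # the manual calls 2048-bit keys "a good minimum"

# audit_cert_text LABEL
# Reads `openssl x509 -noout -text` output on stdin and prints one line per
# finding. Returns 0 if nothing was flagged, 1 otherwise.
audit_cert_text() {
    label=$1
    text=$(cat)
    # OpenSSL prints "Public-Key: (2048 bit)" or "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    pkalg=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
    # The first "Signature Algorithm:" line names the digest used to sign.
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$sigalg" ]; then
        echo "$label: UNPARSED, not a certificate openssl could read"
        return 1
    fi
    rc=0
    if [ "$pkalg" = "rsaEncryption" ]; then
        if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
            echo "$label: WEAK-KEY ${bits}-bit key is below the ${MIN_RSA_BITS}-bit minimum"
            rc=1
        fi
    else
        # The thresholds in the manual are RSA key lengths only.
        echo "$label: NOTE key type '$pkalg' not checked"
    fi
    # MD5 and SHA-1 signatures are flagged; SHA-256 and stronger pass.
    case $(printf '%s' "$sigalg" | tr '[:upper:]' '[:lower:]') in
        md5*|sha1*|*-sha1)
            echo "$label: WEAK-DIGEST certificate is signed with $sigalg"
            rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$label: OK ${bits}-bit key, $sigalg"
    return "$rc"
}

# audit_cert_file FILE: audit one exported certificate file.
audit_cert_file() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | audit_cert_text "$1"
}

# Constructed sample: only the lines of an `openssl x509 -noout -text` dump
# that the audit reads. $1 = key bits, $2 = signature algorithm name.
sample_dump() {
    printf '        Signature Algorithm: %s\n' "$2"
    printf '        Subject: CN = ClientCertificate\n'
    printf '            Public Key Algorithm: rsaEncryption\n'
    printf '                Public-Key: (%s bit)\n' "$1"
}

# Runs the audit over two constructed dumps so the script works offline.
demo() {
    sample_dump 1024 sha1WithRSAEncryption | audit_cert_text "sample-1024-sha1" || true
    sample_dump 2048 sha256WithRSAEncryption | audit_cert_text "sample-2048-sha256" || true
}

# With file arguments, audit those files; without, run the constructed demo.
if [ "$#" -gt 0 ]; then
    for crt in "$@"; do
        audit_cert_file "$crt" || true
    done
else
    demo
fi
```

Run it with the exported files as arguments, for example `sh audit_certs.sh server.crt client.crt` (hypothetical file names).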
Figure 41: Create OpenVPN® Server
Table 25: OpenVPN® Server
Field: Description
Enable: Click on the checkbox in order to enable the OpenVPN® server feature.
VPN Name: Enter a name for the OpenVPN® server.
Server Mode: Choose the server mode the OpenVPN® server will operate with. 4 modes are available:
• PSK: used to establish a point-to-point OpenVPN® configuration. A VPN tunnel will be created with a server endpoint of a specified IP and a client endpoint of specified IP. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN® port.
• SSL: Authentication is made using certificates only (no user/pass authentication). Each user has a unique client configuration that includes their personal certificate and key.
TLS Authentication: This option uses a static Pre-Shared Key (PSK) that must be generated in advance and shared among all peers. This feature adds extra protection to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key.
TLS Pre-Shared Key: Enter the generated TLS Pre-Shared Key when using TLS Authentication.
Certificate Authority: Select a generated CA from the drop-down list.
OpenVPN® Client configuration
The GWN7000 can act as both an OpenVPN® client and server. Once users and client certificates are created, navigate under “VPN → OpenVPN® → Client” and follow the steps below:
1. Click on and the following window will pop up.
Figure 43: OpenVPN® Client
Table 26: OpenVPN® Client
Field: Description
Enable: Click on the checkbox to enable the OpenVPN® client feature.
VPN Name: Enter a name for the OpenVPN® client.
Protocol: Choose the Transport protocol from the dropdown list, either TCP or UDP. The default protocol is UDP.
Interface: Select the interface used to connect the GWN7000 to the uplink, either WAN1, WAN2 or All.
Local Port: Configure the listening port for OpenVPN® server. Default is 1194.
Encryption Algorithm: Choose the encryption algorithm from the drop-down list, in order to encrypt data so that the receiver can decrypt it using the same algorithm.
Digest Algorithm: Choose the digest algorithm from the drop-down list, which will uniquely identify the data to provide data integrity and ensure that the receiver has unmodified data from the one sent by the original host.
This option uses a static Pre-Shared Key (PSK) that must be generated in advance and shared among all peers.
Client Private Key: Click on “Upload” and select the “Client Private Key” generated previously in this guide.
Client Private Key Password: Enter the client private key password
2. Click after completing all the fields.
3. Click on top of the webGUI in order to apply changes.
Figure 44: OpenVPN® Client
L2TP/IPSEC Configuration
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs.
Figure 45: L2TP Client Configuration
Table 27: L2TP Configuration
Field: Description
Enable: Click on the checkbox in order to enable the L2TP client feature.
VPN Name: Enter a name for the L2TP client.
WAN Port: Select which WAN port is connected to the uplink, either WAN1 or WAN2.
Remote L2TP Server: Enter the IP/Domain of the remote L2TP Server.
Username: Enter the Username for authentication against the VPN Server.
Password: Enter the Password for authentication against the VPN Server.
Connection Type: Select either Transport mode or Tunnel mode:
• Transport mode is commonly used between end stations or between an end station and a gateway, if the gateway is being treated as a host.
• Tunnel mode is used between gateways, or at an end station to a gateway, the gateway acting as a proxy for the hosts behind it.
Pre-Shared Key: Enter the L2TP pre-shared key.
Figure 46: L2TP Client

PPTP CONFIGURATION

Point-to-Point Tunneling Protocol (PPTP) is a data-link layer protocol for wide area networks (WANs), based on the Point-to-Point Protocol (PPP) and developed by Microsoft, that enables network traffic to be encapsulated and routed over an unsecured public network such as the Internet. PPTP allows the creation of virtual private networks (VPNs), which tunnel TCP/IP traffic through the Internet.
Figure 47: PPTP Client Configuration

Table 28: PPTP Configuration
Field | Description
Enable | Click on the checkbox to enable the PPTP VPN client feature.
VPN Name | Enter a name for the PPTP client.
Remote PPTP Server | Enter the IP/Domain of the remote PPTP Server.

GWN7000 User Manual Version 1.0.4.
Username | Enter the Username for authentication against the VPN Server.
Password | Enter the Password for authentication against the VPN Server.
Auto Forward Group Traffic | If enabled, choose which groups you want to forward, if not, you can manually configure the forward rules under firewall settings.
Subnet | Configures the remote subnet for the VPN. The format should be “IP/Mask” where IP could be either IPv4 or IPv6 and mask is a number between 1 and 32. For example: 192.168.5.
GWN7000 PPTP Server Configuration

To configure PPTP server on the GWN7000, go to “VPN → PPTP → Server” and set the following:

1- Click on and the following window will pop up.

Figure 49: PPTP Server Configuration

Table 29: PPTP Server Configuration Parameters
Field | Description
Enable | Click on the checkbox to enable the PPTP VPN Server.
VPN Name | Enter a name for the PPTP Server.
PPTP Server Address | Configure the PPTP server local address (ex: 192.168.1.1).
Client Start Address | Configure the remote client IP start address. Note: this address should be in the same subnet as the end address and PPTP server address.
Client End Address | Configure the remote client IP end address. Note: this address should be in the same subnet as the start address and PPTP server address.
This option allows forwarding between multiple site-to-site VPNs. i.e.
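The subnet rule in the Client Start Address and Client End Address notes can be checked before the values are entered in the WebGUI. The following is an added example, not Grandstream code: the function name `check_pptp_pool` and the default /24 mask are assumptions (the manual does not state the mask), and the checks marked as extra go beyond the manual's note.

```python
import ipaddress


def check_pptp_pool(server, start, end, prefix_len=24):
    """Return a list of problems with a PPTP address plan; an empty list means OK.

    prefix_len is an assumption: the manual does not say which mask the
    GWN7000 applies, so pass the mask your deployment really uses.
    """
    try:
        srv, lo, hi = (ipaddress.IPv4Address(a) for a in (server, start, end))
    except ipaddress.AddressValueError as exc:
        return [f"invalid IPv4 address: {exc}"]

    # Subnet implied by the PPTP server address and the assumed mask.
    net = ipaddress.ip_network(f"{srv}/{prefix_len}", strict=False)
    problems = []

    # The manual's rule: start and end must share the server's subnet.
    for label, addr in (("client start", lo), ("client end", hi)):
        if addr not in net:
            problems.append(f"{label} address {addr} is outside {net}")

    # Extra sanity checks, not stated in the manual.
    if lo > hi:
        problems.append(f"start address {lo} is after end address {hi}")
    elif lo <= srv <= hi:
        problems.append(f"server address {srv} lies inside the client pool")
    for label, addr in (("server", srv), ("client start", lo), ("client end", hi)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} address {addr} is a network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed sample plans; 192.168.1.1 is the manual's example server address.
    plans = [
        ("192.168.1.1", "192.168.1.100", "192.168.1.150"),
        ("192.168.1.1", "192.168.2.100", "192.168.2.150"),
        ("192.168.1.120", "192.168.1.100", "192.168.1.150"),
    ]
    for plan in plans:
        print(plan, check_pptp_pool(*plan) or "OK")
```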
FIREWALL

The GWN7000 supports a firewall feature to control incoming and outgoing traffic by restricting or rejecting specific traffic, as well as preventing attacks on the GWN7000 networks for enhanced security.

The Firewall feature includes 3 menus:
• Basic Settings: Used to enable SYN Flood, set up port forwarding, DMZ, inter-group traffic forwarding and UPnP.
Figure 51: Port Forward

Refer to the following table for Port Forwarding options when editing or creating a port-forwarding rule:

Table 30: Port Forward
Name | Specify a name for the port forward rule.
Enabled | Check to enable this port forward rule.
Protocol | Select a protocol, users can select TCP, UDP or TCP/UDP.
Source Group | Select the WAN Interface.
Source Port | Set the Source Port number.
Destination Group | Select the LAN group.
Destination IP | Set the destination IP address.
Figure 52: DMZ

Refer to the table below for DMZ fields:

Table 31: DMZ
Name | Specify a name for the DMZ entry.
Enabled | Check to enable this DMZ entry.
Source Group | Select the WAN interface.
Destination Group | Select the LAN group.
Destination IP | Set the destination IP address.

Inter-Group Traffic Forwarding

GWN7000 offers the possibility to allow traffic between different groups and interfaces.
Figure 54: Enabling inter-group traffic

UPnP

GWN7000 supports UPnP, which enables programs running on a host to configure port forwarding automatically. UPnP allows a program to make the GWN7000 open the necessary ports without any intervention from the user and without any check being made.

UPnP settings can be accessed from GWN7000 WebGUI → Firewall → Basic → UPnP Settings. Refer to the table below for UPnP settings.

Table 32: UPnP Settings
Enable Daemon | Check to enable Daemon for UPnP.
External Interface
Traffic Rules Settings

GWN7000 offers the possibility to fully control incoming/outgoing traffic for different protocols in customized scheduled times, and to take actions for specified rules such as Accept, Reject and Drop.

The following actions are available to configure Input, Output and Forward rules for configured protocols:
• To add a new rule, click on
• To edit a rule, click on
• To delete a rule, click on
Source MAC address | Set the Source MAC address.
Destination IP | Set the destination IP address, it can be an IPv4 or IPv6 address.
Destination Port(s) | Set the destination’s port(s).
Schedule Start Date | Click on icon to schedule a start date for this rule to be applied.
Schedule End Date | Click on icon to schedule an end date for this rule to cease effect.
Schedule Start Time | Click on icon to schedule a start time for this rule to be applied.
MSS Clamping | Check to enable MSS Clamping. This will provide a method to prevent fragmentation when the MTU value on the communication path is lower than the MSS value.
Log Dropped and Reject Traffic to Syslog | Check to send all rejected and dropped traffic logs to configured Syslog Server.
Limit for Dropped and Rejected Traffic | Specify the limit for dropped and reject traffic. The value format is N/unit, where N is a digit number, and unit can either be in second, minute, hour or day.
Schedule Start Time | Click on icon to schedule a start time for this SNAT entry to be applied.
Schedule End Time | Click on icon to schedule an end time for this SNAT entry to end.
Schedule Weekdays List of Weekdays | Select the days, on which the SNAT entry will be applied, the unselected days will ignore this rule.
Schedule Days of the Month | Enter the days of the months (separated by space) on which the SNAT entry will be applied.
Schedule Start Date | Click on icon to schedule a start date for this DNAT entry to be applied.
Schedule End Date | Click on icon to schedule an end date for this DNAT entry to end.
Schedule Start Time | Click on icon to schedule a start time for this DNAT entry to be applied.
Schedule End Time | Click on icon to schedule an end time for this DNAT entry to end.
Schedule Weekdays List of Weekdays | Select the days, on which the DNAT entry will be applied, the unselected days will ignore this rule.
CAPTIVE PORTAL

The Captive Portal feature on the GWN7000 Router allows defining a Landing Page (Web page) that will be displayed on Wi-Fi clients’ browsers when they attempt to access the Internet. Once connected to an Ethernet port or a GWN76xx AP connected to the router, Wired or Wi-Fi clients will be forced to view and interact with that landing page before Internet access is granted.

The Captive Portal feature can be configured from the GWN7000 Web page, by navigating to “Captive Portal”.
RADIUS Server Secret | Enter the shared key between authenticator and RADIUS server.
ShopId | Enter the ShopId for WeChat.
AppId | Enter the AppId for WeChat.
SecretKey | Enter the SecretKey for WeChat authentication.
Figure 56: portal_default.html page

The following figure shows portal_pass.html page:

Figure 57: portal_pass.html page
The following figure shows default files used for Captive Portal:

Figure 58: Files Settings Page

• Click
• Click to add a new folder.
• Click to upload files to the selected folder.
• Folder can be selected from the dropdown list to upload a new Web page.

Clients Page

Clients page lists MAC addresses of authenticated devices using captive portal.

Figure 59: Client Web Page
BANDWIDTH RULES

The bandwidth rule is a GWN7000 feature that allows users to limit bandwidth utilization per SSID, MAC address or IP address. This option can be configured from the GWN7000 WebGUI under “Bandwidth Rules”.

Click to add a new rule. The following table explains the different options for bandwidth rules.
Figure 60: MAC Address Bandwidth rule

The following figure shows examples of bandwidth rules:

Figure 61: Bandwidth Rules
MAINTENANCE AND TROUBLESHOOTING

GWN7000 offers multiple tools and options for maintenance and debugging to help troubleshoot and monitor the GWN7000 resources.

Maintenance

The Maintenance page can be accessed from GWN7000 WebGUI → System Settings → Maintenance. Refer to the table below for maintenance tabs and fields.

Table 39: Maintenance
Basic
Web WAN Access | Enable the web WAN access. By default, it’s disabled.
Web HTTP Access | Enable the web HTTP Access. By default, it’s disabled.
Upgrade Now | Click on Upgrade, to launch firmware/config file provisioning. Please make sure to Save and Apply changes before clicking on Upgrade.
Factory Reset | Click on Reset to restore the GWN7000 as well as all online GWN76xx units to factory default settings.
Access
Current Administrator Password | Enter the current administrator password.
New Administrator Password | Change the current password. This field is case sensitive with a maximum length of 32 characters.
• X hour of day (0-23).
• X day of week (Sunday-Saturday) + X hour of day (0-23).
Hours | Enter the period, in hours, after which file rotation is triggered.
Minutes | Enter the period, in minutes, after which file rotation is triggered.
Hour of the day | Enter the hour of day at which file rotation is triggered.
Day of the week | Enter the day of the week + hour of day at which file rotation is triggered.
Devices | Select the path (a USB partition) to store collected logs. Required.
Figure 62: Logserver Configuration

Debug

Many debugging tools are available on the GWN7000’s WebGUI to check the status and troubleshoot the GWN7000’s services and networks. The Debug page offers 4 tabs: Capture, Ping/Traceroute, Syslog and Nat Table.

Capture

This section is used to capture packet traces from the GWN7000 interfaces (WAN ports and network groups) for troubleshooting or monitoring purposes. A USB storage device must be plugged into one of the USB ports on the back of the GWN7000.
Click on to show the captured files on a chosen device, and the capture files details will appear. Click on to delete all files, click on next to a capture file to download it to a local folder, or click on to delete it.

Figure 63: Capture Files

The table below shows the different fields used on the capture page.

Table 40: Debug-Capture
File Name | Enter the name of the capture file that will be generated.
Interface | Choose an Interface (WAN port1 or 2, or a network group) from where to begin the capture.
To use these tools, go to GWN7000 WebGUI → System Settings → Debug and click on Ping/Traceroute.

Figure 64: IP Ping

• Next to Tool choose from the dropdown menu:
- IPv4 Ping for an IPv4 Ping test to Target
- IPv6 Ping for an IPv6 Ping test to Target
- IPv4 Traceroute for an IPv4 Traceroute to Target
- IPv6 Traceroute for an IPv6 Traceroute to Target
• Type in the destination’s IP address/domain name in Target field.
• Click on Run.
Figure 65: Traceroute

Syslog

GWN7000 supports dumping the syslog information to a remote server under Web GUI → System Settings → Maintenance → Syslog. Enter the syslog server hostname or IP address and select the level for the syslog information. Five levels of syslog are available: None, Debug, Info, Warning, and Error.

Syslog messages are also displayed in real time under Web GUI → System Settings → Debug → Syslog.
Figure 66: Syslog

NAT Table

The NAT table is updated dynamically on the GWN7000’s WebGUI. To check the NAT table, go to System Settings → Debug → NAT Table.
Figure 67: NAT table

Email/Notification

The Email/Notification page allows the administrator to select a predefined set of system events and to send notifications when any of the selected events changes.

Note: A reboot is required in order to activate the email notification feature.

Table 41: Email Setting
Field | Description
Enabled | Enable/disable the email settings. By default, it’s disabled.
Host | Configures the SMTP Email Server IP or Domain Name.
Port | Specifies the Port number used by server to send email.
The following table describes the notification configuration settings.

Table 42: Email Events
Field | Description
Enabled | Enable/disable the notification. By default, it’s disabled.
Memory Usage | Configures whether to send notification if memory usage is greater than the configured threshold. By default, it’s disabled.
Memory Usage Threshold (%) | Specifies the Memory Usage Threshold (%). Must be integer between 1 and 100.
CPU Usage
CPU Usage Threshold (%)
Schedule Start Hour | Configure the hour when LEDs will be automatically turned on.
Schedule Start Minute | Configure the minute when LEDs will be automatically turned on.
Schedule Stop Hour | Configure the hour when LEDs will be automatically turned off.
Schedule Stop Minute | Configure the minute when LEDs will be automatically turned off.
Schedule weekdays list | Choose the days for which you want to schedule the LEDs.
Figure 69: Add a New File to Share

Table 44: Add a New File to Share
Share Name | Enter the share name.
Path to Share | Choose from the drop menu the path to share.
Access to Share | Choose whether to allow users to Read/Write or Read Only on the shared path.
Comment | Enter a comment for the added shared file.
Share Accessible by Network Groups | Choose whether to allow All LAN network groups to access the shared path, restrict access by selecting only some groups or None.
Figure 71: Access File Share

SNMP

GWN7000 supports SNMP (Simple Network Management Protocol), which is widely used in network management to collect information about monitored devices.

To configure SNMP settings, go to GWN7000 Web GUI → System Settings → SNMP. This page has two tabs, Basic and Advanced; refer to the tables below for each tab.

Table 45: SNMP Basic Page
System Location | Set the System Location information, for example: SNMP-Server Lobby GWN.
System Contact
Read-Write Community for IPv6 | Gives the permission for the set community to access and read/write to devices in management information base via IPv6 Protocol.
Trap Type | Choose the Trap Type from drop-down menu, 4 options are available: None, SNMPv1, SNMPv2c and SNMPv2cInforms.
Monitoring Host
Table 47: VPN User Parameters
Option | Description
Enabled | Check this option to enable/disable the user account.
PPTP Server | Check this option to enable the user connection to the PPTP server.
Full Name | Enter user full name. When using PPTP it defaults to pptpd.
Username | Enter user Username.
Password | Enter user password.
IPSec Pre-Shared Key | Set user pre-shared key for authentication.
Enabled PPTP Client Subnet | Check this option when using PPTP, and enter the client subnet.
UPGRADING AND PROVISIONING

Upgrading Firmware

The GWN7000 can be upgraded to a new firmware version remotely or locally. This section describes how to upgrade your GWN7000.

Upgrading via WEB GUI

The GWN7000 can be upgraded via TFTP/HTTP/HTTPS by configuring the URL/IP Address for the TFTP/HTTP/HTTPS server and selecting a download method. Configure a valid URL for TFTP, HTTP or HTTPS; the server name can be FQDN or IP address.

Examples of valid URLs:
firmware.grandstream.com/BETA
192.168.5.
Please check our website at http://www.grandstream.com/support/firmware for latest firmware.

Instructions for local firmware upgrade via TFTP:
1. Unzip the firmware files and put all of them in the root directory of the TFTP server;
2. Connect the PC running the TFTP server and the GWN7000 to the same LAN segment;
3. Launch the TFTP server and go to the File menu → Configure → Security to change the TFTP server's default setting from "Receive Only" to "Transmit Only" for the firmware upgrade;
4.
EXPERIENCING THE GWN7000 ENTERPRISE ROUTER

Please visit our website: http://www.grandstream.com to receive the most up-to-date updates on firmware releases, additional features, FAQs, documentation and news on new products.

We encourage you to browse our product related documentation, FAQs and User and Developer Forum for answers to your general questions. If you have purchased our products through a Grandstream Certified Partner or Reseller, please contact them directly for immediate support.