HP R100-Series Wireless VPN Routers Configuration and Administration Guide HP Part Number: 5998-5394 Published: September 2014 Edition: 1
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Acknowledgments Microsoft® and Windows® are U.S.
Contents
1 Deploying the HP R110/R120
2 Using the Wizard Setup
  Overview
  Automatically running the Wizard Setup the first time you log in
  DHCP client list
  VLAN settings
  IGMP settings
6 Wireless configuration
  DHCPv6 client list
  MLD settings
12 QoS configuration
  Viewing QoS status
1 Deploying the HP R110/R120 In a small office, the HP R110/R120 can be directly connected to a broadband modem (DSL or cable) to provide secure wireless networking for all employees. In the following scenario, employees can share data and resources with each other and access the Internet at the same time: Wireless community High security wireless network for employees using WPA/WPA2.
In the following scenario, HP R110/R120 #1 provides wireless network services to the employees in the main office, while HP R110/R120 #2 and HP R110/R120 #3 use the Wireless Distribution System (WDS) to create a wireless link between the main office network and a small network in a warehouse. WDS eliminates the need to run cabling, allowing for fast and easy deployment.
In the following scenario, four HP R110/R120s provide a virtual private network (VPN) across the Internet between a headquarters and three branch offices. The R110/R120 #1 forms secure VPN tunnel connections to R110/R120 #2, R110/R120 #3, and R110/R120 #4 at three branch locations. The computers on each branch network can access the computers and servers on the headquarters network.
2 Using the Wizard Setup Overview The Wizard Setup provides an easy way to quickly configure basic settings on the R110/R120 and make the router operational. Automatically running the Wizard Setup the first time you log in The first time you log in to the management interface (see the HP R100-Series Wireless VPN Routers Quickstart for first time login procedure), the HP end user license agreement displays.
Select to configure the system time manually or have it automatically configured by an NTP server. You can also enable support for daylight savings time, if required for your location. This page includes the following settings: Set system time • NTP: Enables the router to use NTP to synchronize the system clock to global Internet time, or allows the time to be set manually. • Current System Time: Displays the current time setting of the router. • Time Server Address: The IP address or name of an NTP server.
DHCP IP Address A dynamic connection type is the most common method used with cable modems. In many cases, setting the connection type to dynamic is enough to complete the connection to your ISP. Some dynamic connection types may require a Host Name. Enter the Host Name in the space provided if you were assigned one by your ISP (do not use characters ` " & ' # \). Some dynamic connections may require that you clone the MAC address of the PC that was originally connected to the modem.
PPPoE The Point-to-Point Protocol over Ethernet (PPPoE) is a common WAN protocol that provides a secure “tunnel” connection between the service provider and the local network. Enter the PPPoE information in the provided spaces, and then click Next to activate your settings. • Username: Enter your ISP-assigned user name. (Do not use characters ` " & ' # \) • Password: Enter your password (usually assigned by your ISP). (Do not use characters ` " & ' # \) • Confirm Password: Confirm the password.
L2TP The Layer 2 Tunneling Protocol (L2TP) is a common WAN protocol used for Virtual Private Networks (VPNs) that provides a secure “tunnel” connection between the service provider and the local network. Step 3: Specify wireless settings The R110 router supports a dual-band single radio for 2.4 GHz or 5 GHz operation. The R120 router supports two radios, one for 2.4 GHz and one for 5 GHz. This means that the R110 can operate at 2.4 GHz or 5 GHz, but not both at the same time.
Enable Radio Enables the 2.4 GHz or 5 GHz wireless section of your LAN. When disabled, no wireless computers can gain access to either the Internet or other computers on your wired or wireless LAN. Configure the radio band and mode Radio Band (Applies to HP R110 only) Allows you to select the band of your wireless network. The R110 router can operate in the 2.4 GHz band (for 802.11b/g/n) or the 5 GHz band (for 802.11a/n). The R110 router does not support concurrent operation at 2.4 GHz and 5 GHz.
Configure the primary SSID The R110 allows you to create up to four wireless communities, and the R120 allows you to create up to eight wireless communities. Each wireless community defines the settings for a distinct wireless network, with its own network name (SSID), settings for wireless protection, user authentication, VLANs, and more. Radio settings are shared by all wireless communities. A default wireless community is defined on the R110/R120.
WPA and WPA2: Wi-Fi Protected Access (WPA) was introduced as an interim solution for the vulnerability of WEP, replacing WEP encryption with TKIP. WPA2 includes the complete wireless security standard (802.11i) and offers backward compatibility with WPA, but uses the stronger AES-CCMP encryption. Both WPA and WPA2 provide an “enterprise” and “personal” mode of operation.
• Key Type: Hexadecimal (characters 0-9, a-f, and A-F) ASCII (characters 0-9, a-z, and A-Z) • Key 1-4 String: Enter encryption keys Hexadecimal: Enter keys as 10 hexadecimal characters (0-9 and A-F) for 64 bit keys, or 26 hexadecimal characters for 128 bit keys. ASCII: Enter keys as 5 alphanumeric characters for 64 bit keys, or 13 alphanumeric characters for 128 bit keys. • Default Key: You can enter up to four keys (Key 1 to Key 4). Select the key number from the list that is used to transmit data.
• Secondary RADIUS Server: Enter the IPv4 address for a backup RADIUS server. If authentication fails with the primary server, the configured backup server is tried instead. If a secondary RADIUS server is configured, be sure to enter the RADIUS key. • Accounting Enable: Select this option to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.
Enable Radio Shows if the router’s wireless radio is enabled. The R120 includes a radio setting for 2.4 GHz and 5 GHz. Radio Band The operating band of the R110. The R110 includes one radio that can operate at 2.4 GHz or 5 GHz. Mode The wireless standard operating mode of the radio. SSID The primary wireless network SSID. MAC Authentication The configured MAC authentication setting used for the primary SSID. Authentication Mode The configured wireless security mode used for the primary SSID.
3 Managing the HP R110/R120 system The HP R110/R120 is managed via its web-based management interface using Microsoft Internet Explorer 8 or later, Google Chrome v29, or Mozilla Firefox v24 or later. You can access the HP R110/R120 management tool using either http or https. Using https is more secure, but you will see a warning because the security certificate is issued by the router and not a known certificate authority.
The Status page includes these items: Device Information Shows the router's software version, hardware serial number, host name, device description, and country selection. Resource Utilization Indicates the status of the router's resources, including CPU and memory usage. Security Displays the current settings for Denial of Service (DoS) and Stateful Packet Inspection (SPI) features.
General administration settings The Admin page configures the following settings for the router: System information (General) settings Configures settings that help identify the router, including the system name, location, and the name of a person to contact for administrative purposes. The system name appears on the banner and login screen. (Do not use characters ` " & ' # \) Administrator login credentials Configures the web management interface login username and password.
HTTP Server HTTPS Server The router software includes HTTP and HTTPS functionality to enable communication with your web browser. Unlike HTTP, HTTPS enables secure sessions, using a digital certificate to encrypt data exchanged between the router and your web browser. HTTP and HTTPS are both enabled by default. Session Timeout Configure the Session Timeout for automatic log out from the web interface.
Set system time This section displays the current system time. You can configure the time manually or have it automatically configured by a Network Time Protocol (NTP) server. Manually Select the date, time (in 24-hour notation), and timezone. Using network time protocol (NTP) NTP servers transmit Coordinated Universal Time (UTC, also known as Greenwich Mean Time) to their client systems. NTP sends periodic time requests to servers, using the returned time stamp to adjust its clock.
Daylight saving Use this section to enable support for daylight saving time, if required for your location. When you select Manually Set Time For Daylight Savings, additional fields display to enable you to configure the starting and ending dates and times, and the DST offset. The DST offset specifies how many minutes to move the clock forward or backward.
get or set SNMP information on the router. By default, the name is set to private. (Do not use characters ` " & ' # \) The router can also be configured to send status messages to an SNMP server if a problem occurs on the network. This is done by setting the Trap Receiver option. To configure an SNMP Trap Receiver, set the following options: • Trap Receiver IP Address: The IP address of the computer to which the status messages are to be sent.
• Notice indicates normal but significant conditions. • Informational indicates informational messages. • Debug indicates debug-level messages. For example, if you select Critical, only critical, alert, and emergency messages are written to the log. Max Size Specifies the maximum number of log entries to store in the router's volatile memory. When the maximum number is reached, the old log messages are overwritten by new messages. Log Prefix A text identification string that is added to the log messages.
Proxy ARP settings Proxy ARP (Address Resolution Protocol) is a mechanism that enables a computer in a network connected to a router to appear to be logically part of another network connected to the same router. This means that a computer on the router’s LAN network can appear to be logically on the WAN network, accessible using a public IP address. Note that although the computer appears as part of the public network, it is actually protected behind the router’s firewall on the LAN network.
To configure Proxy ARP, set the following options: Enable ARP Proxy Enables the feature on the router. Name A text name (1-31 alphanumeric or special characters) that describes the Proxy ARP service. (Do not use characters ` " & ' # \) Popular Services Selects common protocols that identify traffic that can be forwarded through the router to a host computer on the local LAN. Type Selects TCP or UDP as the protocol type, or other special protocols.
Rebooting the router For maintenance purposes or as a troubleshooting measure, you can reboot the HP R110/R120 by selecting Reboot. The process may take several minutes during which time the AP is unavailable. The HP R110/R120 resumes normal operation with the same configuration settings it had before the reboot. Viewing traffic statistics To view statistics on Ethernet packets received and transmitted on the wired and wireless ports, select System > Traffic Statistics.
Interface Statistics Displays a summary of traffic statistics for the WAN and LAN ports. Set the poll interval for updating statistics on the page and click Start. You can also click Refresh anytime to immediately update values. Click Reset Counters to set all statistics values back to zero.
4 WAN configuration The WAN pages are used to configure the parameters for your Internet connection. The information necessary to set up a connection can be obtained from your ISP. Check with your ISP first to find out what type of connection you should choose. Viewing the WAN interface status The Status page displays the setting of the WAN interface. If you are using DHCP as the connection type, you can click Renew to request a new IP address.
DDNS The status of a dynamic DNS service. MAC Clone Indicates if the WAN port MAC address has been copied from a LAN computer. Settings The WAN settings page configures the method that the router uses to connect to an ISP through the WAN port. The router supports five Internet connection methods. DHCP IP address A dynamic connection type is the most common method used with cable modems. In many cases, setting the connection type to dynamic is enough to complete the connection to your ISP.
This page includes the following information: Connection Type Select Static IP Address as the router’s method of connecting to the ISP. IP Address Enter the IP address assigned to the router’s WAN port by the ISP. Subnet Mask Enter the IP subnet mask assigned to the router’s WAN port by the ISP. Gateway Enter the IP address of the ISP’s gateway. Primary/Secondary DNS Address Enter the IP addresses of primary and secondary domain name servers.
This page includes the following information: Connection Type Select PPPoE as the router’s method of connecting to the ISP. Username Enter your ISP-assigned user name. (Do not use characters ` " & ' # \) Password Enter your password (usually assigned by your ISP). (Do not use characters ` " & ' # \) Confirm Password Enter the password again to confirm it. Service Name The service name is normally optional, but may be required by some service providers.
MTU Sets the size of the Maximum Transmission Unit (MTU) for the largest packet that the network protocol can transmit. Manual Connection: You can click Connect and Disconnect to connect or disconnect the PPPoE connection immediately. Multiple-PPPoE Allows you to configure a second PPPoE session to run over the same connection. The second session connects to another PPPoE server and the configuration allows routing rules to be defined so that different traffic can be routed through either PPPoE channel.
Server IP Enter the PPTP server IPv4 address as assigned by your ISP. Username Enter your ISP-assigned user name. (Do not use characters ` " & ' # \) Password Enter your password (usually assigned by your ISP). (Do not use characters ` " & ' # \) Confirm Password Enter the password again to confirm it. Idle Time Select the number of minutes to elapse without activity before the PPTP connection is disconnected.
Password Enter your password (usually assigned by your ISP). (Do not use characters ` " & ' # \) Confirm Password Enter the password again to confirm it. Idle Time Select the number of minutes to elapse without activity before the L2TP connection is disconnected. Or, you can leave the default setting of Always On so that the connection is kept open regardless of any activity.
The DDNS related parameters are described as follows: Enable DDNS Select to use a Dynamic DNS service. DDNS Server This is the name of your Dynamic DNS service provider. Domain Name The name of your host domain. Username Enter the user name assigned by your DDNS service. (Do not use characters ` " & ' # \) Password Enter your password. (Do not use characters ` " & ' # \) Confirm Password Enter the password again to confirm it.
5 LAN configuration The HP R110/R120 router is equipped with a DHCP server that automatically assigns IP addresses to each computer on your network. The factory default settings for the DHCP server work with most applications. If you need to make changes to the settings, the LAN setting pages allow you to: • Change the default IP address of the router. • Configure VLANs • Enable the DHCP server function for each VLAN. • Enable NAT features for each VLAN. • Enable IGMP Snooping and IGMP Proxy for each VLAN.
This page includes the following information: LAN Displays current settings for the default VLAN. • MAC address: The Ethernet base MAC address of the router. • IP address: The IPv4 address of the router. • Subnet mask: The subnet mask for the IP address. • DHCP Server: The status of the DHCP server for the default VLAN.
This page includes the following settings: IP Address The IPv4 address of the router for the default VLAN. Subnet Mask There should be no need to change the subnet mask; however, it is possible to change the subnet mask if necessary. Only make changes to the subnet mask if you have a specific reason to do so. Enable DHCP Server The Dynamic Host Configuration Protocol (DHCP) server function automatically assigns IP addresses to each computer in a VLAN. The DHCP server can be turned off if necessary.
DHCP relay Dynamic Host Configuration Protocol (DHCP) can dynamically allocate IP addresses and other configuration information to network clients that broadcast a request. To receive broadcast requests, a DHCP server would normally have to be in the same broadcast domain (VLAN) as the clients. However, when the router's DHCP relay feature is enabled, the received client requests can be forwarded directly by the router to a specified DHCP server on another broadcast domain (VLAN).
DHCP client list The DHCP Clients List displays the IP address, host name, MAC address, and client type of each client that has requested an IP address since the last reboot of the router. Only clients that have requested an IP address since the router’s last reboot and fixed associations are displayed in this list. Click Manual Assignment to reserve the dynamically assigned IP address for a specific computer. A maximum of 32 static-lease rules can be defined.
On the Add VLAN page, you can set the parameters to configure the behavior of VLANs. This page includes the following settings: Name A text description of the VLAN. (Do not use characters ` " & ' # \) IP Address The IP address of the VLAN interface. Subnet Mask The subnet mask of the VLAN interface. Enable NAT Enables the NAT function for the VLAN interface.
Enable IGMP Snooping Enables the feature that blocks unnecessary IP multicast traffic from flooding VLAN ports without a specific multicast membership. This feature is based on snooping IGMP join/leave messages from VLAN ports to update the bridging forwarding database. IGMP Snooping is extremely useful in saving bandwidth of low-speed interfaces to improve the network utilization. Enable DHCP Server Enables the automatic assignment of IP addresses to clients in the VLAN.
6 Wireless configuration The wireless settings section displays configuration settings for the access point functionality of the router. The sections include configuration options for radio signal characteristics, wireless security features, Wireless Distribution System (WDS), Wi-Fi Protected Setup (WPS), Wi-Fi Multimedia (WMM), and MAC authentication. The R110 router supports a dual-band single radio for 2.4 GHz and 5 GHz operation. The R120 router supports two radios, one for 2.4 GHz and one for 5 GHz.
This page includes the following information: Wireless Displays the basic radio settings and the status of other features. • Radio: Displays the status of the router’s radio. • Operating Frequency: (Applies to the R110 only) Shows if the radio is operating at 2.4 GHz or 5 GHz. • Mode: The current radio mode. • Channel: The current operating channel. • WMM: Displays the status of the WMM feature.
This page includes the following settings: Enable Radio Enables the wireless section of your LAN. When disabled, no wireless clients can have access to either the Internet or other clients on your wired or wireless LAN. Radio Band (Applies to the R110 only) Allows you to select the band of your wireless network. The R110 can operate in the 2.4 GHz band (for 802.11b/g/n) or the 5 GHz band (for 802.11a/n). The R110 does not support concurrent operation at 2.4 GHz and 5 GHz. Radio Mode For 2.
• 11b/g/n Mixed: (Compatibility mode.) Up to 11 Mbps for 802.11b, 54 Mbps for 802.11g, and 450 Mbps for 802.11n. If support for 802.11b/g is not required, it is recommended that you choose the 802.11n-only mode. • 11n only: (Pure 802.11n) Up to 450 Mbps. Select a 5 GHz radio mode for the R110. • 11a only: (Pure 802.11a) Up to 54 Mbps. • 11n only: (Pure 802.11n) Up to 450 Mbps. • 11a/n Mixed: (Compatibility mode.) Up to 450 Mbps for 802.11n and 54 Mbps for 802.11a. Select a 5 GHz radio mode for the R120.
Configuring virtual access point interfaces The router supports up to four virtual access point (VAP) interfaces per radio; a total of four for the R110 and eight for the R120. One VAP is the primary (with default SSID “HP1” for R110), and the others can be enabled if required. Each VAP essentially functions as a separate access point, and can be configured with its own Service Set Identifier (SSID) and security settings.
Configuring wireless security The router’s wireless interface is configured by default as an open system, which broadcasts a beacon signal including the configured SSID. Wireless clients can read the SSID from the beacon and automatically connect to the wireless network. To implement wireless security, you need to employ authentication, which verifies users connecting to the network, and traffic encryption, to protect transmitted data from interception and eavesdropping.
• WPA2: The Enterprise mode of WPA2 using AES encryption. If all clients in the network are WPA2 compatible, select this option for maximum security. This mode requires the use of a RADIUS server. See “WPA2” on page 59. • WPA2-PSK: The Personal (pre-shared key) mode of WPA2 using AES encryption. The pre-shared key mode uses a common password phrase for user authentication that is manually entered on the router and all wireless clients.
WEP security includes the following settings: Authentication Mode Leave as OPEN to configure WEP security. The static WEP security does not support user authentication. Encryption Type Select WEP to display the security options and to configure the keys. 802.1X Enables dynamic WEP security on the router. IEEE 802.1X enables you to authenticate wireless clients via user accounts stored on a third-party RADIUS server.
Re-Key Interval When using 802.1X dynamic WEP keys, enter the interval at which the router refreshes the keys for each associated client. Specify a value in the range of 60 to 86400 seconds. Configuring WPA and WPA2 security Wi-Fi Protected Access (WPA) was introduced as an interim solution for the vulnerability of WEP, replacing WEP encryption with TKIP. WPA2 includes the complete wireless security standard (802.11i) and offers backward compatibility with WPA, but uses the stronger AES-CCMP encryption.
Session Key Interval Enter the interval at which the router refreshes session (unicast) keys for each client associated with the VAP interface. To enable session key refreshing, specify a value in the range of 60 to 86400 seconds. Specify a value of 0 to disable session key refresh. WPA2-PSK If your network does not have a RADIUS server, select the WPA2 preshared key (PSK) option. The WPA2-PSK security option is typically used for home or small business networks.
WPA/WPA2 enterprise If you have a mix of wireless clients, some of which support WPA2 (AES) and others which support only the original WPA (TKIP), select the WPA/WPA2 Enterprise security mode. This setting enables both WPA and WPA2 wireless clients to associate to the router, but uses the more robust WPA2 for clients that support it. This security option allows more interoperability, at the expense of some security.
WPA/WPA2-PSK security includes the following settings: Authentication Mode Select WPA/WPA2-PSK Mixed to display all settings for WPA/WPA2-PSK security. Encryption Type The TKIP/AES type is the only encryption available for mixed WPA/WPA2 security. In mixed mode, the unicast encryption (TKIP or AES) is negotiated for each client as they associate with the network.
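The guide's statements about management access, the SNMP default, and the wireless security modes can be turned into a settings review. The following is an added example, not HP code: the dictionary layout and key names are hypothetical (the guide defines no export format), and the values are transcribed by hand from the web interface using the mode names the guide gives.

```python
# Added example: review a hand-transcribed settings inventory against the
# guide's own security statements. Key names and layout are hypothetical.

# Constructed sample: the defaults the guide describes (HTTP and HTTPS both
# enabled, SNMP name "private", primary SSID "HP1" as an open system).
FACTORY_LIKE = {
    "http_server": True,
    "https_server": True,
    "snmp_community": "private",
    "vaps": [{"ssid": "HP1", "auth_mode": "OPEN", "encryption": "NONE"}],
}

# Constructed sample: the same router after hardening.
HARDENED = {
    "http_server": False,
    "https_server": True,
    "snmp_community": "constructed-Community-7f3a",
    "vaps": [
        {"ssid": "Office", "auth_mode": "WPA2", "encryption": "AES"},
        {"ssid": "Guests", "auth_mode": "WPA2-PSK", "encryption": "AES"},
    ],
}


def audit_vap(vap):
    """Return (finding_id, message) for one virtual access point, or None."""
    ssid = vap.get("ssid", "?")
    mode = vap.get("auth_mode", "OPEN").upper()
    enc = vap.get("encryption", "NONE").upper()
    if mode == "OPEN" and enc == "WEP":
        return ("vap-wep", f"{ssid}: WEP in use; the guide presents WPA/WPA2 "
                           "as the answer to WEP's vulnerability")
    if mode == "OPEN":
        return ("vap-open", f"{ssid}: open system, no authentication or "
                            "traffic encryption")
    if mode.startswith("WPA/WPA2"):
        return ("vap-mixed", f"{ssid}: mixed WPA/WPA2 negotiates TKIP or AES "
                             "per client, trading security for interoperability")
    if mode in ("WPA2", "WPA2-PSK"):
        return None  # AES-CCMP only: the strongest modes the guide offers
    if mode.startswith("WPA"):
        return ("vap-wpa-tkip", f"{ssid}: WPA uses TKIP; WPA2 uses the "
                                "stronger AES-CCMP")
    return ("vap-unknown", f"{ssid}: unrecognized mode {mode!r}, check by hand")


def audit(settings):
    """Return a list of (finding_id, message) tuples; empty means no findings."""
    findings = []
    if settings.get("http_server"):
        findings.append(("mgmt-http", "HTTP management is enabled; the guide "
                                      "notes HTTPS is more secure"))
    if settings.get("snmp_community") == "private":
        findings.append(("snmp-default-community",
                         "SNMP name is still the default 'private'"))
    for vap in settings.get("vaps", []):
        finding = audit_vap(vap)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, cfg in (("factory-like", FACTORY_LIKE), ("hardened", HARDENED)):
        print(label)
        for finding_id, message in audit(cfg) or [("ok", "no findings")]:
            print(f"  [{finding_id}] {message}")
```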
The RADIUS server configuration includes the following settings: Primary RADIUS Server Enter the IPv4 address for the primary RADIUS server that the router uses by default, for example 192.168.1.23. RADIUS Key The RADIUS key is the shared secret key for the RADIUS server. You can use up to 64 alphanumeric and special characters (do not use characters ` " & ' # \). Do not use blank spaces in the key. The key is case-sensitive, and you must configure the same key on the router and on the RADIUS server.
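The guide's input rules for WEP keys, key refresh intervals, and the RADIUS key can be checked before the values are typed into the web interface, and a shared secret can be generated that already satisfies them. This is an added example, not HP code; the function names are hypothetical, the 1-character minimum is an assumption, and the generator assumes that printable ASCII punctuation other than the six characters the guide excludes is accepted, which the guide does not confirm.

```python
import re
import secrets
import string

# Characters the guide says not to use in names, passwords and keys: ` " & ' # \
FORBIDDEN = set('`"&\'#\\')


def forbidden_in(value):
    """Return the sorted list of guide-forbidden characters present in value."""
    return sorted(set(value) & FORBIDDEN)


def check_wep_key(key, key_type):
    """Validate a static WEP key and return its size in bits (64 or 128).

    Hexadecimal keys: 10 or 26 hex digits. ASCII keys: 5 or 13 alphanumerics.
    Raises ValueError when the key does not fit the guide's rules.
    """
    if key_type == "hex":
        pattern, sizes = r"[0-9a-fA-F]+", {10: 64, 26: 128}
    elif key_type == "ascii":
        pattern, sizes = r"[0-9a-zA-Z]+", {5: 64, 13: 128}
    else:
        raise ValueError("key_type must be 'hex' or 'ascii'")
    if not re.fullmatch(pattern, key):
        raise ValueError(f"characters outside the {key_type} key alphabet")
    if len(key) not in sizes:
        raise ValueError(f"{key_type} keys must be {sorted(sizes)} characters long")
    return sizes[len(key)]


def check_radius_key(key):
    """Return a list of problems with a RADIUS key; an empty list means it fits."""
    problems = []
    if not 1 <= len(key) <= 64:  # lower bound of 1 is an assumption
        problems.append("length must be 1-64 characters")
    if " " in key:
        problems.append("blank spaces are not allowed")
    bad = forbidden_in(key)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def check_interval(seconds, allow_zero=False):
    """Re-Key Interval: 60-86400 s. Session Key Interval also accepts 0 (off)."""
    if allow_zero and seconds == 0:
        return True
    return 60 <= seconds <= 86400


def generate_radius_key(length=64):
    """Generate a random RADIUS key that avoids spaces and forbidden characters."""
    if not 1 <= length <= 64:
        raise ValueError("length must be 1-64")
    candidates = string.ascii_letters + string.digits + string.punctuation
    alphabet = [c for c in candidates if c not in FORBIDDEN]
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    key = generate_radius_key()
    print("generated key problems:", check_radius_key(key))
    print("constructed bad key:", check_radius_key('shared secret&"1'))
    print("WEP hex key bits:", check_wep_key("0123456789abcdef0123456789", "hex"))
```

The same key must still be entered on the RADIUS server, so generate it once and store it in a password manager rather than regenerating it per device.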
Advanced wireless settings The Advanced wireless settings page includes additional parameters concerning the wireless network. This page includes the following settings: Beacon Interval The Beacon Interval value indicates the frequency interval of the beacon. A beacon is a packet broadcast by the router to synchronize the wireless network. DTIM Interval The DTIM Interval indicates the interval of the Delivery Traffic Indication Message (DTIM).
The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Support of the 400ns interval is optional for transmit and receive. The guard interval is the dead time, in nanoseconds, between symbols (or characters) transmitted by the AP. The guard interval helps distinguish where one symbol transmission stops and another starts, thereby reducing intersymbol interference. Enabling the Short Guard Interval improves throughput and is recommended. 802.
WDS settings The router supports WDS (Wireless Distribution System). WDS enables one or more access points to rebroadcast received signals to extend the range and reach of the wireless network, although this can affect the overall throughput of data. Note that WDS implementations can vary from product to product. Hence, there is no guarantee that different products will interoperate. In addition, the security settings for WDS links are the same as those set up for your wireless clients.
WPS settings Wi-Fi Protected Setup (WPS) is designed to be a convenient method to securely add new clients to a wireless network. WPS has two basic modes of operation, Push-button Configuration (PBC) and Personal Identification Number (PIN). The WPS PIN setup is an optional alternative to the PBC setup and provides more security. You can use this mode by entering a PIN number on the web page. Alternatively, the WPS button on the back of the router can be pressed to allow a single WPS-compliant device to join the network.
Enter the 8-digit PIN number and click Start to activate the PIN method. If the WPS function is working correctly, you should see the WPS LED light up. • PBC: Uses the push-button method. Make sure the WPS function has been enabled on the device. On the client side, start the WPS utility that is provided by your Wi-Fi card’s vendor and select the PBC method. Follow the instructions of your WPS utility. Push the WPS button on the router; the WPS LED begins blinking.
Enable Power Saving The WMM-Power Save feature enables mobile client devices to save a significant amount of battery life by going into a sleep mode between sending and receiving data. WMM Parameters The WMM table includes these parameters: • AC_BK: Access Category - Background. Lowest priority. Data with no delay or throughput requirement, such as bulk data transfers. • AC_BE: Access Category - Best Effort. Normal priority, medium delay and throughput. Data only affected by long delays.
MAC authentication settings For a more secure wireless network, you can specify that only certain wireless computers can connect to the router. Up to 20 MAC addresses can be added to the MAC Filtering Table. When enabled, all registered MAC addresses are controlled by the access rule. MAC Authentication is a powerful security feature that allows you to specify which wireless computers are allowed on the network.
Viewing the client list The Client List page allows you to view all the wireless clients currently associated with the router. Select the SSID interface from the SSID list to display associated clients. The table of associated clients lists the MAC address, Receive Signal Strength Indicator (RSSI) value, wireless mode, and traffic statistics.
7 VPN configuration The router includes a Virtual Private Network feature to provide a secure link between remote users and the corporate network by establishing an authenticated and encrypted tunnel for passing secure data over the Internet. The router supports IPSec, L2TP over IPSec client and server, and PPTP client and server for security protection. A maximum of five VPN connections can be enabled. Viewing VPN status The Status page displays the current status of VPN tunnel connections to the router.
VPN settings The VPN Settings page allows you to add and edit IPSec, L2TP over IPSec, and PPTP connections for the router. When creating VPN connections, remember that both ends of the connection must be configured in the same way. When you click Add on this page, the VPN connection page opens where the connection details can be configured. The VPN connection details depend on the protocol selected. IPSec settings The router supports the IPSec tunneling protocol.
This page includes the following settings: VPN Tunnel Parameters • Tunnel Type: Select IPSec as the tunnel type. • Tunnel Name: Enter a descriptive text name for the tunnel. (Do not use characters ` " & ' # \) • Remote VPN Gateway: Enter the IP address or host name of the remote VPN server, or select ANY if there is no specific server. • IP Address / Host Name: The IP address or host name of the remote VPN server.
If ID_FQDN or ID_USER_FQDN (fully qualified domain name) is selected, enter the name for the Remote Party ID in the text box next to the list. For example, an FQDN name could be “mycompany.com”, and a user FQDN could be a mail address, such as “my_name@mycompany.com.” This name must be unique for each connection rule that you create. • Remote Network Address: Enter the IPv4 address of the remote network. • Remote Subnet Mask: Enter the subnet mask for the remote network.
L2TP over IPSec settings The Layer 2 Tunneling Protocol is a common connection method used for VPN connections. You can specify the detailed L2TP tunnel settings on the VPN connections page by clicking Add. You can specify the Keep Alive time, which defines the time period without traffic after which the PPP session is terminated. For a client tunnel, both host mode and router mode (LAN-to-LAN) are supported.
• Enable Auto Reconnect: For L2TP client connections, you can automatically reconnect when there is activity after a disconnection.
• Remote Server: Enter the remote server IP address.
IPSec Setting
• Pre-shared Key: When set to client mode, enter the key for the client connection. (Do not use characters ` " & ' # \)
• Remote Party ID: When set to server mode, select either ID_IPV4_ADDR or ID_USER_FQDN. If ID_IPV4_ADDR is selected, enter the IPv4 address in the text box next to the list.
This page includes the following settings:
VPN Tunnel Parameters
• Tunnel Type: Select PPTP as the tunnel type.
• Tunnel Name: Enter a descriptive text name for the tunnel. (Do not use characters ` " & ' # \)
• Username: Enter the user name for PPTP tunnel. (Do not use characters ` " & ' # \)
• Password: Enter the password for the PPTP tunnel. (Do not use characters ` " & ' # \)
• Confirm Password: Confirm the PPTP tunnel password.
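The tunnel name, pre-shared key, user name and password fields above all reject the characters ` " & ' # \, which random secret generators commonly emit. The following added example (not part of the HP guide) checks field values against that restriction and generates a random secret from the remaining printable characters; the 32-character length, the function names and the sample values are assumptions made for illustration.

```python
import math
import secrets
import string

# Characters the guide says must not be used in these fields: ` " & ' # \
FORBIDDEN = set('`"&\'#\\')

# Printable ASCII letters, digits and punctuation minus the forbidden set.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in FORBIDDEN
)


def forbidden_in(value: str) -> list:
    """Return the forbidden characters present in value (sorted, de-duplicated)."""
    return sorted(set(value) & FORBIDDEN)


def check_fields(fields: dict) -> dict:
    """Map each field name to the forbidden characters it contains.

    Fields that are acceptable are left out of the result.
    """
    problems = {}
    for name, value in fields.items():
        bad = forbidden_in(value)
        if bad:
            problems[name] = bad
    return problems


def generate_secret(length: int = 32) -> str:
    """Generate a random secret using only characters the fields accept.

    The default length is an assumption; the guide states no length limit.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random secret of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    candidate = {
        "Tunnel Name": "branch#2",
        "Pre-shared Key": 'p@ss"word',
        "Username": "vpn-user",
    }
    for field, bad in check_fields(candidate).items():
        print(f"{field}: remove {' '.join(bad)}")
    psk = generate_secret()
    print(f"generated secret: {psk} (~{entropy_bits(len(psk)):.0f} bits)")
```

Because both ends of a connection must be configured the same way, generate the secret once and enter the same value on each side.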
8 Routing configuration
Routing configuration allows static and dynamic methods to set up routing between networks. The network administrator configures static routes by entering routes directly into the routing table. Static routing has the advantage of being predictable and easy to configure. Alternatively, you can enable dynamic routing using RIP for IPv4 or RIPng for IPv6.
This page includes the following information: Status • RIP: The current status of RIP on the router. • RIPng: The current status of RIPng on the router. IPv4 routing table Displays the IPv4 routes statically configured or dynamically learned by the router. For a detailed description, see “Viewing the IPv4 routing table” on page 82. IPv6 routing table Displays the IPv6 routes statically configured or dynamically learned by the router.
Interface The VLAN interface used to route data to the network specified by the destination network address. Metric A number used to indicate the cost of a route so that the best route, among potentially multiple routes to the same destination, can be selected. IPv4 Dynamic route settings The router supports the Routing Information Protocol (RIP).
• Enable: RIP is enabled for the interface. The router will transmit and receive RIP update information to and from other RIP-enabled devices.
• Silent: RIP is enabled; however, the router only receives RIP update messages and does not transmit any of its own.
Version Use this field to select RIPv1 or RIPv2.
Poison Reverse This enables RIP Poison Reverse on the router interface.
Destination Enter the IP address of the destination host or network to which the route leads. Subnet Mask Enter the IPv4 subnet mask for the destination host or network. For example, for Class C IP domains, the subnet mask is 255.255.255.0. Gateway Enter the IP address of the gateway through which the destination host or network can be reached. If this router is used to connect your network to the Internet, your gateway IP is the router's IP address.
Interface The VLAN interface used to route data to the network specified by the destination network address. Metric A number used to indicate the cost of a route so that the best route, among potentially multiple routes to the same destination, can be selected. IPv6 Dynamic route settings The router supports RIP next generation (RIPng) over IPv6. Like IPv4 RIP version 2, RIPng uses the same distance-vector algorithm and hop-count metric, as well as the 30-second update timer.
Prefix Length Enter the IPv6 prefix length for the destination host or network. Gateway Enter the IP address of the gateway through which the destination host or network can be reached. If this router is used to connect your network to the Internet, your gateway IP is the router's IP address. If you have another router handling your network's Internet connection, enter the IP address of that router instead.
9 Firewall configuration Your router is equipped with a firewall that will protect your network from a wide array of common hacker attacks, including Denial of Service (DoS) attacks. You can turn the firewall function off, if needed. Turning off the firewall protection will not leave your network completely vulnerable to hacker attacks, but HP recommends that you leave the firewall enabled whenever possible.
Security settings The Security page allows you to configure global security parameters for the router. This page includes the following settings: Enable PING from WAN Computer hackers use what is known as “Pinging” to find potential victims on the Internet. By pinging a specific IP address and receiving a response from the IP address, a hacker can determine that something of interest might be there. The router can be set up so it does not respond to an ICMP Ping from the outside.
“telling” the router which way it needs the firewall configured. The router ships with the UPnP feature disabled. If you are using any applications that are UPnP compliant and want to take advantage of UPnP, you can enable the feature. Select Enable UPnP in the UPnP section, and then click Save to save the change. Remote Administration Remote administration allows you to make changes to your router’s settings from anywhere on the Internet.
Client filtering The router can be configured to restrict access to the Internet, email, or other network services on specific days and times. Restrictions can be set for a single computer, a range of computers, or multiple computers. Enter the filter details in the fields provided, and then click Add to add the entry to the filter table. A maximum of 10 rules can be defined. This page includes the following settings: Client PC IP The IPv4 address of a computer on the local network.
MAC filtering You can deny traffic from certain known machines or devices. Use its MAC address to identify a computer or device on the network and deny access. Traffic from a specified MAC address is filtered depending upon the policy. Enter the filter details in the fields provided, and then click Add to add the entry to the filter table. A maximum of 20 rules can be defined. This page includes the following settings: MAC Address The MAC address of a computer on the local network.
URL filtering The URL Filter feature blocks access to websites based on matching a specified URL address or specific keywords (HTTPS is not supported). For each filter rule, enter the URL address or a keyword, and then select a time schedule rule to apply, if needed. Also, specified computers on the local LAN can be excluded from the URL filtering by adding them to the Exclusion List. A maximum of 20 URL filter rules and 10 URL exclusion rules can be defined.
URL Filtering Deny List The list of URL text and keywords that match blocked websites for computers on the LAN. Exclusion List The list of computers on the local LAN that are excluded from the URL filtering. Content filtering Based on keywords contained on web pages, you can use this screen to restrict access to certain websites that you do not want users in your network to open. Note that web page content that is compressed is not filtered. A maximum of 10 rules can be defined.
This page includes the following settings:
Enable Enables the SPI features on the router.
Connection Policy
• Fragmentation half-open wait: Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the un-assembled packet, freeing that structure for use by another packet.
• TCP SYN wait: Defines how long the software waits for a TCP session to synchronize before dropping the session.
DoS Detect Criteria
• Total incomplete TCP/UDP sessions HIGH: Defines the rate of new unestablished sessions that cause the software to start deleting half-open sessions.
• Total incomplete TCP/UDP sessions LOW: Defines the rate of new unestablished sessions that cause the software to stop deleting half-open sessions.
• Incomplete TCP/UDP sessions (per min) HIGH: Maximum number of allowed incomplete TCP/UDP sessions per minute.
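The HIGH and LOW values for total incomplete sessions form a two-threshold (hysteresis) control: deletion of half-open sessions starts at HIGH and continues until the count drops to LOW. The following added example (a model written for this explanation, not the router's firmware) shows how the gap between the two values affects how often the firewall switches in and out of deletion mode; the threshold values, the sample counts and the inclusive comparisons are assumptions.

```python
from dataclasses import dataclass


@dataclass
class HalfOpenGovernor:
    """Two-threshold model of the HIGH/LOW DoS detect criteria."""
    high: int               # start deleting half-open sessions at or above this
    low: int                # stop deleting once the count is at or below this
    deleting: bool = False  # current mode

    def __post_init__(self):
        if not 0 <= self.low < self.high:
            raise ValueError("LOW must be non-negative and below HIGH")

    def observe(self, incomplete_sessions: int) -> bool:
        """Feed one measurement; return True while half-open sessions are deleted."""
        if not self.deleting and incomplete_sessions >= self.high:
            self.deleting = True
        elif self.deleting and incomplete_sessions <= self.low:
            self.deleting = False
        return self.deleting


def simulate(samples, high, low):
    """Return the deletion state after each sample."""
    governor = HalfOpenGovernor(high=high, low=low)
    return [governor.observe(s) for s in samples]


def count_transitions(states):
    """Count mode changes, starting from the idle (not deleting) state."""
    changes, previous = 0, False
    for state in states:
        if state != previous:
            changes += 1
        previous = state
    return changes


# Constructed measurements of incomplete sessions during a SYN-flood-like burst.
SAMPLES = [100, 280, 310, 298, 305, 290, 302, 260, 240, 120]

if __name__ == "__main__":
    for high, low in [(300, 250), (300, 295)]:
        states = simulate(SAMPLES, high, low)
        print(f"HIGH={high} LOW={low}: {count_transitions(states)} mode changes")
        print("  " + " ".join("D" if s else "." for s in states))
```

With LOW set close to HIGH the model switches modes four times on this trace instead of twice, so a wider gap keeps protection engaged through the whole burst.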
10 NAT configuration Network Address Translation (NAT) is a commonly used IP translation and mapping technology. It is a technology that allows your network to share Internet access. Using a device or software that implements NAT allows an entire home network to share a single Internet connection using a single IP address. A single cable modem, DSL modem, or even 56k modem could connect all the computers in your home to the Internet simultaneously.
NAT settings The Settings page includes the global NAT enable for all VLANs on the router. If NAT is disabled on this page, the NAT features for all VLANs are also disabled. Turning off NAT does not affect the firewall functions. Virtual server settings This function allows you to route external (Internet) calls for services, such as a web server (port 80), FTP server (port 21), or other applications, through your router to your internal network.
Use Client List Selects a computer name or IP address from the list of clients already discovered by the router. Popular Services Select one of the services to automatically configure the correct protocol and port numbers.
DMZ settings If you have a client PC that cannot run an Internet application properly from behind the firewall, you can open the client up to unrestricted two-way Internet access. This may be necessary if the NAT feature is causing problems with an application, such as a game or video conferencing application. The DMZ feature allows all traffic from the public WAN that is destined for a specified computer (wired or wireless) on the private LAN, to pass through the router's firewall.
Client PC IP Address The IP address of the DMZ computer on the local LAN. ALG settings The Application-Layer Gateway (ALG) feature enables Session Initiation Protocol (SIP) and H323 VoIP traffic to pass through the router without being blocked by its firewall features. The ALG feature works with the router's NAT feature to control and monitor SIP and H323 sessions, dynamically opening ports as required between SIP/H323 servers on the Internet and clients on the local network.
Port Trigger lets you specify ports to be opened for specific applications to work properly with the Network Address Translation (NAT) feature of the router. A maximum of 10 rules can be defined. A list of popular applications has been included to choose from. Select your application from the Popular Applications list, and then click Add. The settings are transferred to a row in the Port Trigger table. Click Save to save the settings for that application.
11 IPv6 configuration If the attached network uses the IPv6 protocol, you can enable IPv6 support on the router. IPv6 functionality is disabled by default. IPv6 includes two distinct address types, link-local unicast and global unicast. A link-local address makes the router accessible over IPv6 for all devices attached to the local LAN. Traffic using this kind of address cannot be passed by any router outside of the LAN. A link-local address is easy to set up and is useful in small networks.
DHCP-PD The status of the DHCPv6 Prefix Delegation feature. IPv6 settings The router supports static, stateless address autoconfiguration (SLAAC), DHCPv6, and PPPoE modes for IPv6 settings for the WAN port. Select the method to use as instructed by your ISP, and then enter the required information and click Save. Static IPv6 The Static IP addresses mode sets the router to operate with a fixed IP address to connect to the Internet.
fields. Therefore, the same IPv6 address could be written instead as 2001:adca::123a:4567. • Subnet Prefix Length: The length of the IPv6 address prefix. For unicast addresses, the prefix is typically the first 64 bits, with the following 64 bits being the host identifier. • IPv6 Gateway: The IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.
SLAAC Stateless Address Auto Configuration (SLAAC) enables IPv6 hosts to automatically configure themselves when connected to an IPv6 network using the Neighbor Discovery Protocol through the Internet Control Message Protocol version 6 (ICMPv6) route discovery message.
• Auto Configuration: Select Stateless (RADVD) or Stateful (DHCPv6). • Disable: Disables the automatic assignment of IPv6 addresses to local hosts. • Stateless (RADVD): Enables the automatic assignment of IPv6 addresses by hosts on the local network. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the client identifier (that is, the client MAC address).
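The modified EUI-64 derivation described above can be reproduced offline, which is useful when matching IPv6 addresses seen in logs to devices on the LAN. The following added example (not part of the HP guide) builds the address a host would form from an advertised /64 prefix and its MAC address, and reverses the process for inventory purposes; the prefix and MAC address are constructed documentation values.

```python
import ipaddress


def slaac_eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 interface ID of a MAC."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("modified EUI-64 addresses need a /64 prefix")
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the two halves of the MAC address.
    interface_id = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    value = int(network.network_address) | int.from_bytes(interface_id, "big")
    return ipaddress.IPv6Address(value)


def mac_from_eui64(address: str):
    """Recover the MAC address from a modified EUI-64 address.

    Returns None when the interface ID does not carry the ff:fe marker,
    for example a manually assigned or DHCPv6-assigned address.
    """
    interface_id = ipaddress.IPv6Address(address).packed[8:]
    if interface_id[3:5] != b"\xff\xfe":
        return None
    mac = bytes([interface_id[0] ^ 0x02]) + interface_id[1:3] + interface_id[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    # Constructed values: documentation prefix and an arbitrary MAC address.
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"
    global_addr = slaac_eui64_address(prefix, mac)
    link_local = slaac_eui64_address("fe80::/64", mac)
    print("global    :", global_addr)
    print("link-local:", link_local)
    print("MAC back  :", mac_from_eui64(str(global_addr)))
    print("static ::1:", mac_from_eui64("2001:db8:1:2::1"))
```

Because the interface ID is derived from the MAC address, the same host keeps the same lower 64 bits under every prefix the router advertises.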
VLAN (Default) Settings Sets the IPv6 settings for the local VLAN. • Enable DHCP-PD: Enables the Prefix Delegation feature that automatically uses an IPv6 prefix for the local LAN defined by the ISP. When disabled, the IPv6 address and prefix length need to be manually defined. • IPv6 Address: The IPv6 address of the router for the local LAN. • Subnet Prefix Length: The prefix length of the IPv6 address. • Auto Configuration: Select Stateless (RADVD) or Stateful (DHCPv6).
• Username: Enter the name assigned by the ISP. (Do not use characters ` " & ' # \) • Password: Enter the password provided by the ISP. (Do not use characters ` " & ' # \) • Confirm Password: Enter the password again for confirmation. DNS Settings Configures IPv6 DNS settings: • Obtain IPv6 DNS servers automatically: Sets the IPv6 addresses for primary and secondary DNS servers automatically. • Use the following IPv6 DNS servers: Enter the primary and secondary DNS server IPv6 addresses.
MLD settings Multicast Listener Discovery (MLD) proxy enables the router to issue MLD host messages on behalf of hosts that the router has discovered through standard MLD interfaces.
12 QoS configuration
The bandwidth gap between the LAN and WAN may significantly degrade performance of critical network applications, such as VoIP, gaming, and VPN. The router’s Quality of Service (QoS) function allows users to classify application traffic and provide it with differentiated services (DiffServ). The QoS feature allows you to specify which data packets have greater priority when traffic is transmitted from the WAN port. This router supports QoS with four priority queues on the WAN port.
Traffic shaping The Traffic Shaping page enables the bandwidth of the WAN port output queues to be configured. For higher priority traffic, such as voice and video, the bandwidth allocation of queues 3 and 4 can be increased, and those for queues 1 and 2 decreased. This page includes the following settings: General Enables the traffic shaping settings on the router. Diffserv Displays the table of bandwidth settings for the WAN port’s four output queues. Name Identifies the port queue (numbered 1 to 4).
Traffic mapping Up to 16 rules can be defined to classify traffic into DiffServ forwarding groups and outgoing connections. These rules can be mapped to the WAN port forwarding queues, for which the bandwidth can be configured on the Traffic Shaping page. This page includes the following settings: Rule Name A name to identify the traffic mapping rule. (Do not use characters ` " & ' # \) Source Address Select Any, or a specific LAN host MAC address or IP subnet.
Map to Forwarding Queue Maps the traffic to one of the WAN port forwarding queues. Queue 1 is the lowest priority queue and queue 4 the highest priority. Remark 802.1p priority as Before the identified traffic is sent to the forwarding queue, the 802.1p priority tag can be set to the specified value. Remark DSCP as Before the identified traffic is sent to the forwarding queue, the IP DSCP can be set to the specified value.
13 USB configuration The router provides a USB 2.0-compliant port for network-connected users to share files through FTP or File Sharing. The files can be on an attached storage device that supports any number of partitions in VFAT, NTFS, EXT2, EXT3, or EXT4 format. User Account A File Sharing user can use Windows Network Neighborhood to access files on a USB drive. An FTP user can log into the FTP server using an FTP client.
Authority Sets the file sharing access rights for an FTP user; either Read and Write or Read. An FTP user with Read access can only download shared files. An FTP user with Read and Write access can download and upload files to the USB storage; however, they cannot delete or modify any existing shared folders or files (existing files can be overwritten). Enable Select Yes to enable the user account for USB access.
with Read and Write access can download and upload files to the shared folder; however, they cannot delete or modify any existing shared folders (existing files can be overwritten). Note that a shared folder allows only four File Sharing client connections at one time. FTP settings The router can be presented as an FTP server to provide a file transfer service (depending on a user’s access rights to the shared folders).
Safe removal To ensure USB data correctness, this router supports a USB safe removal function. Click Remove before unplugging a USB drive.
14 Tools
The router includes a number of system tools for managing software and configuration files, troubleshooting network problems, and sending email alert messages. All tools and utilities are described in this chapter. Viewing tools status This page displays the current versions of firmware installed on the router, the status of the email alert feature, and lists any configured time schedules. Updating software The Software page displays the current software versions installed on the router.
This page includes the following settings: Firmware Version Displays the software versions installed on the router. • Active Image: The version number of the software currently running on the router. • Backup image: The version number of the software installed as a backup on the router. • Switch to Backup: Selecting this option and clicking Start reboots the router using the backup software image.
Backup settings Select to back up the router’s settings. Select HTTP or TFTP as the transfer method (TFTP requires the server IPv4 address), and then click Save. Restore settings Select to restore the router’s settings and choose HTTP or TFTP as the transfer method. For HTTP, browse to the location of the saved configuration file on the management computer. For TFTP, specify the file path and name on the TFTP server and enter the IPv4 server address. Click Save to restore the saved settings.
Ping Ping is a network tool that sends ICMP ECHO_REQUEST datagrams to a remote host and elicits ICMP ECHO_RESPONSE datagrams from the remote host. Enter the IPv4 or IPv6 address, or enter the domain name of the host, select the number of pings to send, and then click Start. This page includes the following settings: IP Address/Domain Name You can specify an IPv4 address, an IPv6 address, or a hostname. Ping Count Specify the number of pings to send (1, 3, 5, 10, or 20).
Nslookup Nslookup is a DNS client that sends DNS requests to a DNS server to find the corresponding IP address of a target host name, or the host name of a target IP address. Traceroute Traceroute is a network tool that sends packets to a destination and produces a list of hosts that the packets have traversed to the destination. Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent.
Email alert The Email alert feature allows the router to automatically send email messages when an event at or above a configured severity level occurs. This page includes the following settings: From E-mail Address Sets the email address that is used in the "From" field of alert messages. You can use a symbolic email address that identifies the router, or the address of an administrator responsible for the router.
To E-mail Address The recipient email address of the alert messages. SMTP Server Address The IPv4 or IPv6 address of the mail server. SMTP Server Port The TCP port number used by the SMTP server. The SMTP protocol typically uses port 25. Encryption If you choose to use a secure connection to the mail server, select TLS/SSL and then enter the required user name and password. Username The user name to connect with the mail server.
Scheduling The Scheduling feature enables the scheduling of access control and LAN server rules. Each access control or LAN server rule can be selectively activated at a predefined scheduled time. The user must first define a schedule rule on the Scheduling page, and then associate the schedule rule with a control rule on the Firewall and Wireless pages. A maximum of 10 schedule rules can be defined. This page includes the following settings: Rules Name A name for the scheduling rule.
Support file This function allows you to download the router's information for support assistance. The file is saved on your local computer with the name "showtech.rtf". This is a text-readable file that includes the model, software version, wireless and other basic settings, as well as the ARP table, memory usage information, and the current system log. Viewing the EULA This page displays the HP End User License Agreement content.
15 Support and other resources Online documentation You can download documentation from the HP Support Center website at: www.hp.com/support/manuals. Search by product number or name. Contacting HP For worldwide technical support information, see the HP Networking Support website: www.hp.
Conventions
The following conventions are used in this guide.
Management tool
This guide uses specific syntax when directing you to interact with the web management user interface. Refer to the following image for identification of key user-interface elements and then the table below for example directions:
[Image: web management user interface with callouts "Main" and "Sub-menu"]
Example directions in this guide | What to do in the user interface
Select System > Admin. | Select System on the main menu, and then select Admin on the sub-menu.
A Resetting to factory defaults Factory reset procedures To force the router into its factory default state, follow the procedures in this section. Caution Resetting the router to factory defaults deletes all configuration settings, resets the manager user name and password to admin, and sets the IPv4 address to 192.168.1.1. Using the reset button Using a tool such as a paper clip, press and hold the reset button for more than three seconds, then release. Using the management interface 1.
B Factory default settings
Feature | Parameter | Default
Mode | System Mode | Router
Admin General Settings | System Name | HP-R110 / HP-R120
 | System Location | Null
 | System Contact | Null
 | Username | admin
 | Password | admin
Country Code | Country Code | AM Models: US; WW Models: Null
Web Server | HTTP Server | Enabled
 | HTTPs Server | Enabled
 | Session Timeout | 5 minutes
Trusted Users | MAC/IP Address | None configured
System Time | Set System Time | SNTP
 | System Date | 2013-01-01
 | System Time | 00:00
 | Time Server Address |
Feature | Parameter | Default
System logs | System Log Level | INFORMATIONAL
 | Max Size | 256
 | Log Prefix | Null
 | Remote Syslog Configuration | Disabled
 | Remote IP Address | Null
 | Remote Port | 514
 | Remote Log Level | DEBUG
Proxy ARP | Enable Proxy ARP | Disabled
WAN settings | Connection Type | DHCP
 | Host Name | HP-R110 / HP-R120
 | Static IP Address | 0.0.0.0
 | Static Subnet Mask | 0.0.0.0
 | Static Gateway | 0.0.0.0
 | Primary DNS Address | 0.0.0.0
 | Secondary DNS Address | 0.0.0.
Feature | Parameter | Default
DDNS | Enable DDNS | Disabled
 | DDNS Server | DynDNS.org
 | Domain Name | Null
 | Username | Null
 | Password | Null
MAC Clone | MAC Address | Use router MAC
LAN Settings | IP Address | 192.168.1.1
 | Subnet Mask | 255.255.255.0
 | Enable DHCP Server | Enabled
 | IP Pool Starting Address | 192.168.1.2
 | IP Pool Ending Address | 192.168.1.
Feature Parameter Default R110 Wireless, Basic Enabled Radio Enabled Radio Band 2.
Feature Parameter Default R120 Wireless 5GHz, Basic Enabled Radio Enabled Radio Mode 11ac/n/a Channel Auto Bandwidth 20/40/80 MHz Enable Schedule Rules Disabled VAP 1 SSID Enabled, HP1_5G VAP 2 SSID Disabled, HP2_5G VAP 3 SSID Disabled, HP3_5G VAP 4 SSID Disabled, HP4_5G Station Isolation Disabled Broadcast Enabled MAC Authentication Disabled Authentication Mode OPEN Encryption Type NONE Beacon Interval 100 ms DTIM Interval 1 beacon RTS Threshold 2347 bytes Short Guard
Feature Parameter Default MAC Authentication Filter Block all stations in list SSID HP1 MAC Address None configured Enable IPSec Disabled Enable L2TP over IPSec Disabled Enable PPTP Disabled PPTP Passthrough Enabled L2TP Passthrough Enabled L2TP/IPSec Passthrough Enabled RIP Disabled RIP Auto Summary Disabled Static Route Disabled RIPng Disabled IPv6 Static Route Disabled PING from WAN Disabled MSS Clamping Enabled UPnP Disabled Remote Administration Disabled Enable D
Feature | Parameter | Default
IPv6 | IPv6 Connection | Disabled
 | MLD Proxy | Disabled
 | DHCP-PD | Enabled
QoS | QoS | Enabled
 | Traffic Mapping | Disabled
USB | User Account | Disabled
 | File Sharing | Disabled
 | FTP | Disabled
Tools | Email Alert | Disabled
 | Scheduling Rules | None configured