Netopia® Software User Guide Version 7.
Copyright Copyright © 2005 Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc. All other trademarks are the property of their respective owners. All rights reserved. Netopia, Inc.
Table of Contents Table of Contents Copyright CHAPTER 1 ..........................................2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 What’s New in 7.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Web-based User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Command Line Interface and SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . 13 About Netopia Documentation . . . . . . . . . . . . .
Table of Contents Update Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Factory Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Access Control Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 CHAPTER 3 Expert Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Access the Expert Web Interface . . . . . . . . . . . . . . . . . . . . . . .
Table of Contents Can I use IPMaps with my PPPoE or PPPoA connection? . . . . . 77 Will IPMaps allow IP addresses from different subnets to be assigned to my Gateway? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 IPMaps Block Diagram. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Default Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Configure a Default Server . . . . . . . . . . . . . . . . . . .
Table of Contents Configuring a SafeHarbour VPN . . . . . . . . . . . . . . . . . . . . . . . . 132 Parameter Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Stateful Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Stateful Inspection Firewall installation procedure . . . . . . . . . . . . . . . 140 Exposed Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Stateful Inspection Options. . . . .
Table of Contents Example 1 Example 2 Example 3 Example 4 Example 5 ......................................... ......................................... ......................................... ......................................... ......................................... Policy-based Routing using Filtersets . . . . . . . . . . . . . . . . . . 173 TOS field matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Log. . . . . . . . . . . . . . . . . . . . . .
Table of Contents CHAPTER 6 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . 213 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Starting and Ending a CLI Session . . . . . . . . . . . . . . . . . . . . . 216 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Ending a CLI Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Saving Settings. . . . . . .
Table of Contents Static ARP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IPsec Passthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Differentiated Services (DiffServ) . . . . . . . . . . . . . . . . . . . . . . . . SIP Passthrough . . . . . . . . . . . . . . . . . .
Table of Contents -----E----- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -----F----- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -----H----- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -----I----- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -----K----- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table of Contents Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Declaration for Canadian users . . . . . . . . . . . . . . . . . . . . . . . . . 307 Caution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Important Safety Instructions . . . . . . . . . . . . . . . . . . . . . . . . . 308 Australian Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . Caution . . . . . . . . . . . . . . . .
Table of Contents 12
What’s New in 7.5 CHAPTER 1 Introduction What’s New in 7.5 New in Netopia Firmware Version 7.5 are the following features: Web-based User Interface • Wireless auto-channel detection for 802.11G models. See “Advanced” on page 55. • IPSec Invalid Security Parameter Index (SPI) Recovery allows the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted. See “SafeHarbour IPSec VPN” on page 131. • Concurrent Bridging/Routing.
About Netopia Documentation ☛ NOTE: This guide describes the wide variety of features and functionality of the Netopia Gateway, when used in Router mode. The Netopia Gateway may also be delivered in Bridge mode. In Bridge mode, the Gateway acts as a pass-through device and allows the workstations on your LAN to have public addresses directly on the Internet. Netopia, Inc. provides a suite of technical information for its 3300-series family of intelligent enterprise and consumer Gateways.
Documentation Conventions Documentation Conventions General This manual uses the following conventions to present information: Convention (Typeface) Description bold italic monospaced Menu commands bold italic sans serif Web GUI page links and button names terminal bold terminal Computer display text Italic Italic type indicates the complete titles of manuals.
curly ({ }) brackets, with values sep- Alternative values for an argument are prearated with vertical bars (|). sented in curly ({ }) brackets, with values separated with vertical bars (|).
Organization Organization This guide consists of eight chapters, including a glossary, and an index. It is organized as follows: • Chapter 1, “Introduction” — Describes the Netopia document suite, the purpose of, the audience for, and structure of this guide. It gives a table of conventions. • Chapter 2, “Basic Mode Setup” — Describes how to get up and running with your • • • • • • • • Netopia Gateway. Chapter 3, “Expert Mode” — Focuses on the “Expert Mode” Web-based user interface for advanced users.
CHAPTER 2 Basic Mode Setup Most users will find that the basic Quickstart configuration is all that they ever need to use. This section may be all that you ever need to configure and use your Netopia Gateway. The following instructions cover installation in Router Mode.
Important Safety Instructions POWER SUPPLY INSTALLATION Connect the power supply cord to the power jack on the Netopia Gateway. Plug the power supply into an appropriate electrical outlet. ☛ CAUTION: Depending on the power supply provided with the product, either the direct plug-in power supply blades, power supply cord plug or the appliance coupler serves as the mains power disconnect.
Set up the Netopia Gateway Set up the Netopia Gateway Refer to your Quickstart Guide for instructions on how to connect your Netopia gateway to your power source, PC or local area network, and your Internet access point, whether it is a dedicated DSL outlet or a DSL or cable modem. Different Netopia Gateway models are supplied for any of these connections. Be sure to enable Dynamic Addressing on your PC. Perform the following: Microsoft Windows: Step 1. Navigate to the TCP/IP Properties Control Panel. a.
b. Some Windows versions follow a path like this: Start menu -> Control Panel -> Network and Internet Connections -> Network Connections -> Local Area Connection -> Properties -> Internet Protocol [TCP/IP] -> Properties Then go to Step 2. Step 2. Select Obtain an IP address automatically. Step 3. Select Obtain DNS server address automatically, if available. Step 4. Remove any previously configured Gateways, if available. Step 5. OK the settings. Restart if prompted.
Set up the Netopia Gateway Macintosh MacOS 8 or higher or Mac OS X: Step 1. Access the TCP/IP or Network control panel. a.
b. Mac OS X follows a path like this: Apple Menu -> System Preferences -> Network Then go to Step 2. Step 2. Select Built-in Ethernet Step 3. Select Configure Using DHCP Step 4. Close and Save, if prompted. Proceed to “Configure the Netopia Gateway” on page 25.
Configure the Netopia Gateway Configure the Netopia Gateway 1. Run your Web browser application, such as Netscape Navigator or Microsoft Internet Explorer, from the computer connected to the Netopia Gateway. Enter http://192.168.1.254 in the Location text box. The Admin Password page appears. Access to your Netopia device can be controlled through two access control accounts, Admin or User.
The browser then displays the Welcome page. The browser then displays the Quickstart web page. 2. Enter the username and password supplied by your Internet Service Provider. Click the Connect to the Internet button. Once you enter your username and password here, you will no longer need to enter them whenever you access the Internet. The Netopia Gateway stores this information and automatically connects you to the Internet. The Gateway displays a message while it configures itself. 3.
Configure the Netopia Gateway Once a connection is established, your browser is redirected to your service provider’s home page or a registration page on the Internet. 4. Congratulations! Your installation is complete. You can now surf to your favorite Web sites by typing an URL in your browser’s location box or by selecting one of your favorite Internet bookmarks.
Netopia Gateway Status Indicator Lights Colored LEDs on your Netopia Gateway indicate the status of various port activity. Different Gateway models have different ports for your connections and different indicator LEDs. The Quickstart Guide accompanying your Netopia Gateway describes the behavior of the various indicator LEDs.
Home Page - Basic Mode Home Page - Basic Mode After you have performed the basic Quickstart configuration, any time you log in to your Netopia Gateway you will access the Netopia Gateway Home Page. You access the Home Page by typing http://192.168.1.254 in your Web browser’s location box. The Basic Mode Home Page appears.
The Home Page displays the following information in the center section: Item Serial Number Software Release Description This is the unique serial number of your Gateway. This is the version number of the current embedded software in your Gateway. Warranty Date This is the date that your Gateway was installed and enabled.
Home Page - Basic Mode Link: Manage My Account You can change your ISP account information for the Netopia Gateway. You can also manage other aspects of your account on your service provider’s account management Web site. Click on the Manage My Account link. The Manage My Account page appears. Enter your username, and then your new password. Confirm your new password. For security, your actual passwords are not displayed on the screen as you type.
Link: Status Details If you need to diagnose any problems with your Netopia Gateway or its connection to the Internet, you can run a sophisticated diagnostic tool. It checks several aspects of your physical and electronic connection and reports its results on-screen. This can be useful for troubleshooting, or when speaking with a technical support technician. Click on the Status Details link. The Diagnostics page appears. Click on the Run Diagnostics button to run your diagnostic tests.
Home Page - Basic Mode Link: Enable Remote Management This link allows you to authorize a remotely-located person, such as a support technician, to directly access your Netopia Gateway. This is useful for fixing configuration problems when you need expert help. You can limit the amount of time such a person will have access to your Gateway. This will prevent unauthorized individuals from gaining access after the time limit has expired. Click the Enable Rmt Mgmt link.
Link: Expert Mode Most users will find that the basic Quickstart configuration is all that they ever need to use. Some users, however, may want to do more advanced configuration. The Netopia Gateway has many advanced features that can be accessed and configured through the Expert Mode pages. Click on the Expert Mode link to display the Expert Mode Confirmation page. You should carefully consider any configuration changes you want to make, and be sure that your service provider supports them.
Home Page - Basic Mode Click the Update Firmware link. The Firmware Update Confirmation page appears. If you click the Continue button, the Gateway will check a remote Firmware Server for the latest firmware revision. If a newer version is found, your firmware will be automatically updated once you confirm the installation.
Link: Factory Reset In some cases, you may need to clear all the configuration settings and start over again to program the Netopia Gateway. You can perform a factory reset to do this. Click on Factory Reset to reset the Gateway back to its original factory default settings. ☛ NOTE: Exercise caution before performing a Factory Reset. This will erase any configuration changes that you may have made and allow you to reprogram your Gateway.
Home Page - Basic Mode Link: Access Control Login If you have configured Access Controls (see “Access Control” on page 91) an additional link Access Control Login displays. The Access Control Login link shows the login challenge page that access-controlled users will encounter upon attempting to access the Internet. • Username: Select a username from the drop-down list. • Password: Enter your password for Access Control. • Session Timeout: This field indicates web access session timeout.
Access the Expert Web Interface CHAPTER 3 Expert Mode Using the Expert Mode Web-based user interface for the Netopia 3300-series Gateway you can configure, troubleshoot, and monitor the status of your Gateway. Access the Expert Web Interface Open the Web Connection Once your Gateway is powered up, you can use any recent version of the best-known web browsers such as Netscape Navigator or Microsoft Internet Explorer from any LAN-attached PC or workstation. The procedure is: 1. 2.
3. Click on the Expert Mode link in the left-hand column of links. You are challenged to confirm your choice. Click OK. The Home Page opens in Expert Mode.
Access the Expert Web Interface Home Page - Expert Mode The Home Page is the summary page for your Netopia Gateway. The toolbar at the top provides links to controlling, configuring, and monitoring pages. Critical configuration and operational status is displayed in the center section. Home Page - Information The Home page’s center section contains a summary of the Gateway’s configuration settings and operational status.
Product ID Date & Time Breakwater Firewall Safe Harbour Refers to internal circuit board series; useful in determining which software upgrade applies to your hardware type. This is the current UTC time; blank if this is not available due to lack of a network connection. If the optional feature key is installed: Status of the Breakwater Firewall: ClearSailing, SilentRunning, or LANdLocked. If the optional feature key is installed: SafeHarbour VPN IPsec Tunnel option (if installed): either On or Off.
Toolbar Toolbar The toolbar is the dark blue bar at the top of the page containing the major navigation buttons. These buttons are available from almost every page, allowing you to move freely about the site.
Restart Button: Restart The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart before any action is taken. The Restart Confirmation message explains the consequences of and reasons for restarting the Gateway.
Restart Link: Alert Symbol The Alert symbol appears in the upper right corner if you make a database change; one in which a change is made to the Gateway’s configuration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect. You can make many changes on various pages, and even leave the browser for up to 5 minutes, but if the Gateway is restarted before the changes are applied, they will be lost.
Help Button: Help Context-sensitive Help is provided in your Gateway. The page shown here is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to Security -> Passwords, then click Help.
Configure Configure Button: Configure The Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typically accessed during the hardware installation and initial configuration phase. Often, these settings should be changed only in accordance with information from your Service Provider. LAN and WAN settings are available to fine-tune your system.
1. 2. Enter your ISP Username and ISP Password. Click Connect to the Internet. A brief message is displayed while the Gateway attempts to establish a connection. 3. When the connection succeeds, your browser will display your Service Provider’s home page. If you encounter any problems connecting, refer to the chapters “Basic Troubleshooting” on page 189 or “Advanced Troubleshooting” on page 199.
Configure Link: LAN * Enable Interface: Enables all LAN-connected computers to share resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting. * IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network. * IP Netmask: Specifies the subnet mask for the TCP/IP network connected to the virtual circuit.
• Advanced: Clicking on the Advanced link displays the Advanced LAN IP Interface page. • IGMP Forwarding: The default setting is Disabled. If you check this option, it will enable Internet Group Management Protocol (IGMP) multicast forwarding. IGMP allows a router to determine which host groups have members on a given network segment. • RIP Send Mode: Specifies whether the gateway should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to other routers on your network.
Configure • DHCP Server: Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Protocol (DHCP). If you already have a DHCP server on your LAN, you should turn this service off. If you want the Gateway to provide this service, click the Server Mode pull-down menu, choose Server, then configure the range of IP addresses that you would like the Gateway to hand out to your computers.
Wireless If your Gateway is a wireless model (such as a 3347W) you can enable or disable the wireless LAN (WLAN) by clicking the Wireless link. Wireless functionality is enabled by default. If you uncheck the Enable Wireless checkbox, the Wireless Options are disabled, and the Gateway will not provide or broadcast any wireless LAN services. SSID (Network ID): The SSID is preset to a number that is unique to your unit.
Configure Privacy • Off - No Privacy provides no encryption on your wireless LAN data. • WPA-802.1x provides RADIUS server authentication support. • WPA-PSK provides Wireless Protected Access, the most secure option for your wireless network. This mechanism provides the best data protection and access control.
The Pre Shared Key is a passphrase shared between the Router and the clients and is used to generate dynamically changing keys. The passphrase can be 8-63 characters or up to 64 hex characters. It is recommended to use at least 20 characters for best security. • WEP - Automatic is a passphrase generator. You enter a passphrase that you choose in the Passphrase field. The passphrase can be any string of words or numbers.
Configure Advanced If you click the Advanced link, the advanced 802.11 Wireless Settings page appears. Note: This page displays different options depending on which form of Privacy or other options you have enabled.
You can then configure: Enable Multiple Wireless IDs: This feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network. To enable it, check the checkbox. The screen expands to allow you to add additional Wireless IDs. These additional Wireless IDs are “Closed System Mode” Wireless IDs (see below) that will not be shown by a client scan, and therefore must be manually configured at the client.
Configure the same channel, the Netopia Gateway will initiate a three- to four-minute scan of the channels, locate a better one, and switch. Once it has switched, it will remain on this channel for at least 30 minutes before switching again if another Access Point is detected. Enable Closed System Mode: If enabled, Closed System Mode hides the wireless network from the scanning features of wireless client computers.
☛ NOTE: While clients may also have a passphrase feature, these are vendor-specific and may not necessarily create the same keys. You can passphrase generate a set of keys on one, and manually enter them on the other to get around this. Block Wireless Bridging: Check the checkbox to block wireless clients from communicating with other wireless clients on the LAN side of the Gateway. • On - Manual allows you to enter your own encryption keys manually.
Configure Encryption Key Size #1 – #4: Selects the length of each encryption key. The longer the key, the stronger the encryption and the more difficult it is to break the encryption. Encryption Key #1 – #4: The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits; 26 digits for 128bit, and 58 digits for 256bit WEP. Hexadecimal characters are 0 – 9, and a – f.
The screen expands as follows: Click the Add button. The Authorized Wireless MAC Address Entry screen appears. Enter the MAC (hardware) address of the client PC you want to authorize for access to your wireless LAN. The Allow Access? checkbox is enabled by default. Unchecking this checkbox specifically denies access from this MAC address. Click the Submit button. ☛ Note: When MAC Authorization is enabled, all wireless clients are blocked until their MAC addresses are added to the Authorized list.
Configure Your entry will be added to a list of up to 64 authorized addresses as shown: You can continue to Add, Edit, or Delete addresses to the list by clicking the respective buttons. After your first entry, the Alert icon will appear in the upper right corner of your screen. When you are finished adding addresses to the list, click the Alert icon, and Save your changes and restart the Gateway.
• RADIUS Server Addr/Name: The default RADIUS server name or IP address that you want to use. • RADIUS Server Secret: The RADIUS secret key used by this server. The shared secret should have the same characteristics as a normal password. • RADIUS Server Port: The port on which the RADIUS server is listening, typically, the default 1812. Click the Submit button. You can also configure alternate RADIUS servers from the Advanced Network Configuration page, by clicking the Advanced link.
Configure The Advanced Network Configuration page appears. You access the RADIUS Server configuration screen from the Advanced Network Configuration web page, by clicking the RADIUS Server link.
Link: WAN WAN IP Interfaces Your IP interfaces are listed. Click on an interface to configure it. IP Gateway Enable Gateway: You can configure the Gateway to send packets to a default gateway if it does not know how to reach the destination host. Interface Type: If you have PPPoE enabled, you can specify that packets destined for unknown hosts will be sent to the gateway being used by the remote PPP peer.
Configure ATM Circuits: You can configure the ATM circuits and the number of Sessions. The IP Interface(s) should be reconfigured after making changes here. Available Encapsulation types: Available Multiplexing types: PPP over Ethernet (PPPoE) LLC/SNAP PPP over ATM (PPPoA) VC muxed RFC-1483 Bridged Ethernet RFC-1483 Routed IP None Netopia Firmware Version 7 supports VPI/VCI autodetection by default. If VPI/VCI autodetection is enabled, the ATM Circuits page displays VPI/VCI = 0.
You can choose UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), or VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell Rate (PCR) in the editable field. UBR (Unspecified Bit Rate) guarantees no minimum transmission rate. Cells are transmitted on a “best effort” basis. However, there is a cap on the maximum transmission rate for UBR VCs. In a practical situation: • UBR VCs should be transmitted at a priority lower than CBR. • Bandwidth should be shared equally among UBR VCs.
Configure ☛ Note: The difference between VBR-rt and VBR-nrt is the tolerated Cell Delay Variation range and the provisioned Maximum Burst Size. Class PCR SCR MBS Transmit Priority Comments UBR X N/A N/A Low PCR is a cap CBR X N/A N/A High PCR is a guaranteed rate VBR X X X High PCR > SCR. SCR is a guaranteed rate. PCR is a cap.
Link: Advanced Selected Advanced options are discussed in the pages that follow. Many are self-explanatory or are dictated by your service provider.
Configure Link: IP Static Routes A static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic. You can configure as many as 32 static IP routes for the Gateway.
Link: Pinholes Pinholes allow you to transparently route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a specific host behind the Gateway. Creating a pinhole allows access traffic originating from a remote connection (WAN) to be sent to the internal computer (LAN) that is specified in the Pinhole page. Pinholes are common for applications like multiplayer online games.
Configure visible IP address on your network is the Gateway’s WAN IP (supplied by your Service Provider). All traffic intended for that LAN Web server must be directed to that IP address. Application 2: You want one of your LAN stations to act as the “central repository” for all email for all of the LAN users. Application 3: One of your LAN stations is specially configured for game applications. You want this specific LAN station to be dedicated to games.
A diagram of this LAN example is: Gateway my-webserver Internet 192.168.1.1 WAN Ethernet Interface 210.219.41.20 LAN Ethernet Interface NAT my-mailserver 192.168.1.2 NAT Pinholes Embedded Web Server 210.219.41.20:8100 my-games 192.168.1.3 You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 to access the web and 192.168.1.x:23 to access the telnet server.
Configure Pinhole Configuration Procedure. Use the following steps: 1. From the Configure toolbar button -> Advanced link, select the Internal Servers link. Since Port Forwarding is required for this example, the Netopia embedded Web server is configured first. ☛ NOTE: The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Netopia Gateway’s embedded administration ports.
5. Click Add. Type your specific data into the Pinhole Entries table of this page. Click Submit. 6. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the second Pinhole.
Configure 7. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the third Pinhole. ☛ NOTE: Note the following parameters for the “my-games” Pinhole: 1. The Protocol ID is UDP. 2. The external port is specified as a range. 3. The Internal port is specified as the lower range entry. 8. Click on the Add or Edit more Pinholes link. Review your entries to be sure they are correct. 9. Click the Alert button.
10. Select the Save and Restart link to complete the entire Pinhole creation task and ensure that the parameters are properly saved. ☛ NOTE: REMEMBER: When you have re-assigned the port address for the embedded Web server, you can still access this facility. Use the Gateway’s WAN address plus the new port number. In this example it would be : or, in this case, 210.219.41.20:8100 You can also use the LAN-side address of the Gateway, 192.168.1.
Configure Configure the IPMaps Feature FAQs for the IPMaps Feature Before configuring an example of an IPMaps-enabled network, review these frequently asked questions. What are IPMaps and how are they used? The IPMaps feature allows multiple static WAN IP addresses to be assigned to the Netopia Gateway. Static WAN IP addresses are used to support specific services, like a web server, mail server, or DNS server.
IPMaps Block Diagram The following diagram shows the IPMaps principle in conjunction with existing Netopia NAT operations: Netopia Gateway Static IP Addresses for IPMaps Applications WAN Interface LAN Interface 192.168.1.1 NAT/PAT Table 143.137.50.37 143.137.50.36 143.137.50.37 192.168.1.1 143.137.50.36 192.168.1.2 192.168.1.2 143.137.50.35 ... 192.168.1.3 ... 143.137.50.35 Static IP Addresses or DHCP/PPP Served IP Address for Netopia’s default NAT/PAT Capabilities 192.168.1.
Configure Link: Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN. • Enable it for certain situations: – Where you cannot anticipate what port number or packet protocol an in-bound application might use. For example, some network games select arbitrary port numbers when a connection is opened. – When you want all unsolicited traffic to go to a specific LAN host.
Typical Network Diagram. A typical network using the NAT Default Server looks like this: Internet Gateway LAN STN #3 192.168.1.3 WAN Ethernet Interface 210.219.41.20 LAN Ethernet Interface NAT LAN STN #2 192.168.1.2 NAT protected Embedded Web Server 210.219.41.20 (Port 80 default) NAT Default Server NAT Default Server 192.168.1.1 You can also use the LAN-side address of the Gateway, 192.168.1.x to access the web and telnet server. NAT Combination Application.
Configure With this topology, you configure the embedded administration ports as a first task, followed by the Pinholes and, finally, the NAT Default Server. When using both NAT pinholes and NAT Default Server the Gateway works with the following rules (in sequence) to forward traffic from the Internet to the LAN: 1. 2. 3. If the packet is a response to an existing connection created by outbound traffic from a LAN PC, forward to that station.
The Host Hardware Address field displays. Here you enter the MAC address of the designated IP-Passthrough computer. • If this MAC address is not all zeroes, then it will use DHCP to set the LAN host's address to the (configured or acquired) WAN IP address. The MAC address must be six colon-delimited or dash-delimited sets of hex digits ('0' – 'FF'). • If the MAC address is all zeroes, then the LAN host will have to be configured manually.
Configure Link: Differentiated Services When you click the Differentiated Services link, the Differentiated Services configuration screen appears. Netopia Firmware Version 7.5 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Gateway to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network.
You can then define Custom Flows. If your applications do not provide Quality of Service (QoS) control, Custom Flows allows you to define streams for some protocols, port ranges, and between specific end point addresses. • To define a custom flow, click the Add button. The Custom Flow Entry screen appears. • Name – Enter a name in this field to label the flow. • Protocol – Select the protocol from the pull-down menu: TCP (default), UDP, ICMP, or Other.
Configure QoS Setting TOS Bit Value Behavior Off TOS=000 This custom flow is disabled. You can activate it by selecting one of the two settings below. This setting allows you to pre-define flows without actually activating them. Assure TOS=001 Use normal queuing and throughput rules, but do not drop packets if possible. Appropriate for applications with no guaranteed delivery mechanism. Expedite TOS=101 Use minimum delay. Appropriate for VoIP and video applications.
Link: DNS Your Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is configured to use DHCP to obtain its WAN IP address, the DNS information is automatically obtained from that same DHCP Server. Link: DHCP Server Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Protocol (DHCP).
Configure Your Service Provider may, for certain services, want to provide configuration from its DHCP servers to the computers on your LANs. In this case, the Gateway will relay the DHCP requests from your computers to a DHCP server in the Service Provider's network. Click the relay-agent and enter the IP address of the Service Provider's DHCP server in the Server Address field. This address is furnished by the Service Provider.
Link: SNMP When you click the SNMP link, the SNMP configuration page appears. The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent. In this case, the Netopia Gateway is an SNMP agent.
Configure ☛ WARNING: SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community “public” is a well-known community name. It could be used to examine the configuration of your Gateway by your service provider or an uninvited reviewer. The information can be read from the Gateway. If you are strongly concerned about security, you may leave the “public” community blank.
The IP Trap Entry screen appears. Enter an IP Trap Entry IP address. This is the destination for SNMP trap messages, the IP address of the host acting as an SNMP console. Click the Submit button. Click the Alert icon, and in the resulting page, click the Save and Restart link.
Configure Link: Access Control Basic Access Controls prevent designated users from accessing certain types of undesirable Internet content. You can define levels of maturity of the users on your network to filter out objectionable web content or communications from potentially undesirable individuals on the Internet. You can also specify the time of day when users may (or may not) access the Internet.
Click the Setup link in Access Control Options. The Manage Users screen appears. Click the here link. The Add New User screen appears. You can create up to a maximum of eight (8) users. Here you can add the names and passwords of authorized users, and set their “Maturity Level” from the pull-down menu. Available maturity levels are Child, Youth, Mature, and Adult. Click the Next button. The Time of Day Settings screen appears. Maturity Level only affects Time of Day Settings.
Configure Here you can specify the time of day, day(s) of the week, and whether this user will be permitted or blocked from accessing the Internet at the specified times and days. If you need to correct the Date and Time settings of your Gateway, you can go directly to the Time Zone screen by clicking the here link at the top of the page. When you have finished setting up the criteria for this user, click the Add User button.
After you have added your users and configured their access control settings, you can return to the Access Control pages at any time to add more users, edit existing ones, or delete them. To edit a user’s access control settings, click the Edit Profile link for that user. The Edit User Profiles screen appears. • Manage Users – returns you to the previous screen.
Configure • Delete User Profile – allows you to delete this user. Web Filter Profile When you click the Web Filter Profile link, the Block/Allow Websites screen appears. The Web Filter Profile allows you to Block or Allow websites by keyword, for example, you can block websites that feature the word “gambling,” while allowing specific websites that pertain to “statistics.” Once this profile for this user is configured, the user will be prevented from accessing any blocked website.
Chat Filter Profile When you click the Chat Filter Profile link, the Chat Filtering screen appears. Chat Filtering allows you to choose whether or not the specified user may engage in Internet instant messaging (chat) by means of the popular instant messaging protocols used by America Online (AOL), Yahoo, Microsoft Network (MSN), or ICQ. If allowed, you can specify a limited number of individuals by “Screen Name” with whom this user can exchange messages.
Configure • Messaging Services – If a chat service is permitted, choose which one(s): AOL, Yahoo!, MSN, or ICQ. You can choose more than one, but you must choose one at a time. See below. • Screen Names List Management – • For each service, enter the screen name of the approved user in the New Screen Name field and click the Add button. The Screen name will be added to the Screen Names List.
Email Filter Profile When you click the Email Filter Profile link, the Email Filtering screen appears. Email Filtering allows you to choose whether or not the specified user may send or receive email. If allowed, you can specify limitations on the sources of email this user can receive. You can limit email sources to an approved list of email servers, such as those used by the family, or further, to an approved list of individuals, such as relatives, with whom this user will be permitted to correspond.
Configure For example, if you want to limit a child to exchanging email only with other family members, you can allow the email server(s), but restrict them to messages only from approved users. • Email Privileges – Choose whether or not this user may use any e-mail service. The default privilege is May not use any e-mail service. Click the appropriate radio button.
Delete User Profile When you click the Delete User Profile link, the Confirm Deletion of User screen appears.
Configure Link: UPnP Universal Plug and Play (UPnP™) is a set of protocols that allows a PC to automatically discover other UPnP devices (anything from an internet gateway device to a light switch), retrieve an XML description of the device and its services, control the device, and subscribe to real-time event notification. By default, UPnP is enabled on the Netopia Gateway.
Link: LAN Management TR-064 is a LAN-side DSL Gateway configuration specification. It is an extension of UPnP. It defines more services to locally manage the Netopia Gateway. While UPnP allows open access to configure the Gateway's features, TR-064 requires a password to execute any command that changes the Gateway's configuration. TR-064 is enabled by default. To disable it: • Uncheck the Enabled checkbox, and click the Submit button.
Configure Link: Advanced -> Ethernet Bridge The Netopia Gateway can be used as a bridge, rather than a router. A bridge is a device that joins two networks. As an Internet access device, a bridge connects the home computer directly to the service provider’s network equipment with no intervening routing functionality, such as Network Address Translation. Your home computer becomes just another address on the service provider’s network.
Configuring for Bridge Mode 1. 2. 3. Browse into the Netopia Gateway’s web interface. Click on the Configure button in the upper Menu bar. Click on the LAN link. The LAN page appears. 4. In the box titled LAN IP Interface (Ethernet 100BT): Make note of the Ethernet IP Address and subnet mask. You can use this address to access the router in the future. 5. 6. 104 Click on the Advanced link in the lefthand links toolbar. Under the heading of Services, click on the Ethernet Bridge link.
Configure The Ethernet Bridge page appears. The appearance of this page varies, depending on your Gateway’s interfaces. 7. If available: a. Check the Enable Bridging on Port selection. (This may be Always On.) b. Click Submit. 8. If you want the Gateway to do both bridging and routing, check the Enable Concurrent Bridging/Routing checkbox. When this mode is enabled, the Gateway will appear to be a router, but also bridge traffic from the LAN if it has a valid LAN-side address. 9.
11. If you are satisfied with the changes you have made, click Save and Restart in the Save Database box to Apply changes and restart Gateway. You have now configured your Netopia Gateway for bridging, and it will bridge all traffic across the WAN. You will need to make configurations to your machines on your LAN. These settings must be made in accordance with your ISP.
Configure Link: System The System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service Providers use the System Name as an important identification and support parameter. The System Name can be 1-63 characters long; it can include embedded spaces and special characters. The Log Message Level alters the severity at which messages are collected in the Gateway's system log. Do not alter this field unless instructed by your Support representative.
• Syslog: Enable syslog logging in the system. • Syslog Host Name/IP Address: Enter the name or the IP Address of the host that should receive syslog messages. • Facility: From the pull-down menu, select the Syslog facility to be used by the router when generating syslog messages. Options are local0 through local7. • Log Violations: If you check this checkbox, the Gateway will generate messages whenever a packet is discarded because it violates the router's security policy.
Configure Log Event Messages Administration Related Log Messages 1. administrative access attempted: This log-message is generated whenever the user attempts to access the router's management interface. 2. administrative access authenticated and allowed: This log-message is generated whenever the user attempts to access the router's management interface and is successfully authenticated and allowed access to the management interface. 3.
DSL Log Messages (most common): 1. WAN: Data link activated at Kbps (rx/tx) This log message is generated when the DSL link comes up. 2.WAN: Data link deactivated This log message is generated when the DSL link goes down. 3. RFC1483 up This log message is generated when RFC1483 link comes up. 4. RFC1483-: IP down This log message is generated when RFC1483 link goes down. 5.
Configure Access-related Log Messages 6. dropped - fragmented packet: This log-message is generated whenever a packet, traversing the router, is dropped because it is fragmented, stateful inspection is turned ON on the packet's transmit or receive interface, and denyfragment option is enabled. 7. dropped - cannot fragment: This log-message is generated whenever a packet traversing the router is dropped because the packet cannot be sent without fragmentation, but the do not fragment bit is set. 8.
Link: Internal Servers Your Gateway ships with an embedded Web server and support for a Telnet session, to allow ease of use for configuration and maintenance. The default ports of 80 for HTTP and 23 for Telnet may be reassigned. This is necessary if a pinhole is created to support applications using port 80 or 23. See “Pinholes” on page 70. for more information on Pinhole configuration.
Configure To select the games or software that you want to host for a specific PC, highlight the name(s) in the box on the left side of the screen. Click the Add button to select the software that will be hosted. To remove a game or software from the hosted list, highlight the game or software you want to remove and click the Remove button. List of Supported Games and Software Age of Empires, v.1.0 Age of Empires: The Rise of Rome, v.1.
Buddy Phone Calista IP Phone CART Precision Racing, v 1.0 Citrix Metaframe/ICA Client Close Combat for Windows 1.0 Close Combat: A Bridge Too Far, v 2.0 Close Combat III: The Russian Front, v 1.0 Combat Flight Sim: WWII Europe Series, v 1.0 Combat Flight Sim 2: WWII Pacific Thr, v 1.0 Dark Reign Delta Force (Client and Server) Delta Force 2 Diablo II Server Dialpad DNS Server Dune 2000 eDonkey 2000 eMule F-16, Mig 29 F-22, Lightning 3 Fighter Ace II FTP GNUtella H.
Configure PPTP Quake II Quake III Rainbow Six RealAudio Return to Castle Wolfenstein Roger Wilco Rogue Spear ShoutCast Server SMTP SNMP SSH server StarCraft Starfleet Command StarLancer, v 1.0 Telnet TFTP Tiberian Sun: Command and Conquer Timbuktu Total Annihilation Ultima Online Unreal Tournament Server Urban Assault, v 1.
☛ NOTE: The new name given to a server is only known to Software Hosting. It is not used as an identifier in other network functions, such as DNS or DHCP. Link: Clear Options To restore the factory configuration of the Gateway, choose Clear Options. You may want to upload your configuration to a file before performing this function. You can do this using the upload command via the command-line interface. See the upload command on page 226.
Configure Link: Time Zone When you click the Time Zone link, the Time Zone page appears. You can set your local time zone by selecting the number of hours your time zone is distant from Greenwich Mean Time (GMT +12 – -12) from the pull-down menu. This allows you to set the time zone for access controls and in general.
An example of multiple VLANs is shown below: To create a VLAN, click the Add button. The VLAN Entry page appears. You can create up to 32 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Gateway.
Configure • • • • VLAN id – This must be a unique identifying number between 1 and 4095. VLAN Name – A descriptive name for the VLAN. VLAN Protocol – This field is not editable; you can only associate ports with a VLAN. Admin Restricted – If you want to prevent administrative access to the Gateway from this VLAN, check the checkbox. Click the Submit button. The VLAN Port Configuration screen appears. • Port interfaces available for this VLAN are listed in the left hand screen.
For Netopia VGx technology models, separate Ethernet switch ports are displayed and may be configured. To enable any of them on this VLAN, select one, and click the Add button. Typically you will choose a physical port, such as an Ethernet port (example: ethernet1) or a wireless SSID (example: ssid1), and make the port routable by specifying lanuplink. • When you are finished, click the Alert icon in the upper right-hand corner of the screen, and in the resulting screen, click the Save link.
Configure You can Add, Edit, or Delete your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list.
Security Button: Security The Security features are available by clicking on the Security toolbar button. Some items of this category do not appear when you log on as User.
Security Link: Passwords Access to your Gateway may be controlled through two optional user accounts, Admin and User. When you first power up your Gateway, you create a password for the Admin account. The User account does not exist by default. As the Admin, a password for the User account can be entered or existing passwords changed. Create and Change Passwords. You can establish different levels of access security to protect your Netopia Gateway settings from unauthorized display or modification.
To display the Passwords window, click the Security toolbar button on the Home page. Use the following procedure to change existing passwords or add the User password for your Netopia Gateway: 1. Select the account type from the Username pull-down list. Choose from Admin or User. 2. 3. If you assigned a password to the Netopia Gateway previously, enter your current password in the Old Password field. Enter your new password in the New Password field.
Security Password changes are automatically saved, and take effect immediately. Link: Firewall Use a Netopia Firewall BreakWater Basic Firewall. BreakWater delivers an easily selectable set of preconfigured firewall protection levels. For simple implementation these settings (comprised of three levels) are readily available through Netopia’s embedded web server interface.
3. Click Firewall. 4. Click on the radio button to select the protection level you want. Click Submit. Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting “on the fly,” as your needs change.
Security TIPS for making your BreakWater Basic Firewall Selection Application Select this Level Other Considerations Typical Internet usage (browsing, e-mail) Multi-player online gaming SilentRunning Going on vacation Finished online use for the day Chatting online or using instant messaging LANdLocked LANdLocked ClearSailing ClearSailing Set Pinholes; once defined, pinholes will be active whenever ClearSailing is set. Restore SilentRunning when finished. Protects your connection while your away.
This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway.
Security ☛ NOTE: The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identifiable presence on the Internet.
Link: IPSec When you click on the IPSec link, the IPSec configuration screen appears. Your Gateway can support two mechanisms for IPSec tunnels: • IPSec PassThrough supports Virtual Private Network (VPN) clients running on LANconnected computers. Normally, this feature is enabled. You can disable it if your LAN-side VPN client includes its own NAT interoperability option. Uncheck the Enable IPSec Passthrough checkbox. • SafeHarbour VPN IPSec is a keyed feature that you must purchase.
Security SafeHarbour IPSec VPN SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN- connected users. This implementation offers the following: • Eliminates the need for VPN client software on individual PCs. • Reduces the complexity of tunnel configuration. • Simplifies the ongoing maintenance for secure remote access.
A typical SafeHarbour configuration is shown below: Configuring a SafeHarbour VPN Use the following procedure to configure your SafeHarbour tunnel. 1. Obtain your configuration information from your network administrator. The tables “Parameter Descriptions” on page 136 describe the various parameters that may be required for your tunnel. Not all of them need to be changed from the defaults for every VPN tunnel. Consult with your network administrator. 2.
Security Table 1: IPSec Tunnel Details Parameter Setup Worksheet Parameter Name Peer Internal Network Peer Internal Netmask NAT Enable PAT Address Negotiation Method Local ID Type Local ID Address/Value Local ID Mask Remote ID Type Remote ID Address/Value Remote ID Mask Pre-Shared Key Type Pre-Shared Key DH Group PFS Enable SA Encrypt Type SA Hash Type Invalid SPI Recovery Soft MBytes Soft Seconds Hard MBytes Hard Seconds IPSec MTU Xauth Enable Xauth Username Xauth Password Netopia Gateway Peer Gateway
3. Be sure that you have SafeHarbour VPN enabled. SafeHarbour is a keyed feature. See “Install Keys” on page 184. for information concerning installing Netopia Software Feature Keys. 4. Check the Enable SafeHarbour IPSec checkbox. Checking this box will automatically display the SafeHarbour IPSec Tunnel Entry parameters. Enter the initial group of tunnel parameters. Refer to your Setup Worksheet and the “Parameter Descriptions” on page 136 as required. 5. Enter the tunnel Name.
Security 10.Make the Tunnel Details entries. Enter or select the required settings. Refer to your “IPSec Tunnel Details Parameter Setup Worksheet” on page 133.) Update. The Alert button appears. 12.Click the Alert button. 13.Click Save and Restart. 11.Click Your SafeHarbour IPSec VPN tunnel is fully configured.
Parameter Descriptions The following tables describe SafeHarbour’s parameters that are used for an IPSec VPN tunnel configuration: Table 2: IPSec Configuration page parameters Field Description Name The Name parameter refers to the name of the configured tunnel. This is mainly used as an identifier for the administrator. The Name parameter is an ASCII value and is limited to 31characters. The tunnel name is the only IPSec parameter that does not need to match the peer gateway.
Security Table 3: IPSec Tunnel Details page parameters PAT Address If NAT is enabled, this field appears. You can specify a Port Address Translation (PAT) address or leave the default all-zeroes (if Xauth is enabled). If you leave the default. the address will be requested from the remote router and dynamically applied to the Gateway. Negotiation Method This parameter refers to the method used during the Phase I key exchange, or IKE process. SafeHarbour supports Main or Aggressive Mode.
Table 3: IPSec Tunnel Details page parameters 138 SA Hash Type SA Hash Type refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will display if NONE is chosen for Auth Protocol. Invalid SPI Recovery Enabling this allows the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted.
Security Table 3: IPSec Tunnel Details page parameters Xauth Enable Extended Authentication (XAuth), an extension to the Internet Key Exchange (IKE) protocol. The Xauth extension provides dual authentication for a remote user’s Netopia Gateway to establish a VPN, authorizing network access to the user’s central office. IKE establishes the tunnel, and Xauth authenticates the specific remote user's Gateway.
Link: Stateful Inspection All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspection improves security by tracking data packets over a period of time, examining incoming and outgoing packets.
Security • UDP no-activity time-out: The time in seconds after which a UDP session will be terminated, if there is no traffic on the session. • TCP no-activity time-out: The time in seconds after which an TCP session will be terminated, if there is no traffic on the session. • Exposed Addresses: The hosts specified in Exposed Addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic. This is active only if NAT is disabled on a WAN interface.
Add, Edit, or delete exposed addresses options are active only if NAT is disabled on a WAN interface. The hosts specified in exposed addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic. • Start Address: Start IP Address of the exposed host range. • End Address: End IP Address of the exposed host range • Protocol: Select the Protocol of the traffic to be allowed to the host range from the pulldown menu. Options are Any, TCP, UDP, or TCP/UDP.
Security Click the Add button to add a new range of exposed addresses. You can edit a previously configured range by clicking the Edit button, or delete the entry entirely by clicking the Delete button. All configuration changes will trigger the Alert Icon. Click on the Alert icon. This allows you to validate the configuration and reboot the Gateway. Click the Save and Restart link. You will be asked to confirm your choice, and the Gateway will reboot with the new configuration.
Stateful Inspection Options Stateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway. • Stateful Inspection: To enable stateful inspection on this WAN interface, check the checkbox. • Default Mapping to Router: This is disabled by default. This option will allow the router to respond to traffic received on this interface, for example, ICMP Echo requests.
Security Open Ports in Default Stateful Inspection Installation Port LAN (Private) Interface WAN (Public) Interface Protocol Description 23 TCP telnet Yes No 53 UDP DNS Yes No 67 UDP Bootps Yes No 68 UDP Bootpc Yes No 80 TCP HTTP Yes No 137 UDP Netbios-ns Yes No 138 UDP Netbios-dgm Yes No 161 UDP SNMP Yes No 500 UDP ISAKMP Yes No 520 UDP Router Yes No 145
Link: Packet Filter When you click the Packet Filter link the Filter Sets screen appears. Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can greatly improve your network’s security. The Packet Filter engine allows creation of a maximum of eight Filter Sets. Each Filter Set can consist of many rules. There can be a maximum of 32 filter rules in the system.
Security admit or refuse TCP/IP connections from certain remote networks and specific hosts. You will also use filters to screen particular types of connections. This is commonly called firewalling your network. Before creating filter sets, you should read the next few sections to learn more about how these powerful security tools work. What’s a filter and what’s a filter set? A filter is a rule that lets you specify what sort of data can flow in and out of your network.
A filter inspects data packets like a customs inspector scrutinizing packages. TOR INSPEC ED FROM: ROV APP TO: FROM: FROM: TO: TO: Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
Security chance to forward or reject it, and so on. Because of this hierarchical structure, each filter is said to have a priority. The first filter has the highest priority, and the last filter has the lowest priority.
Here is what this rule looks like when implemented as a filter in Netopia Firmware Version 7.5: To understand this particular filter, look at the parts of a filter. Parts of a filter A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes: •The source IP address and subnet mask (where the packet was sent from) •The destination IP address and subnet mask (where the packet is going) •The TOS bit setting of the packet.
Security Internet service FTP TCP port 20/21 Internet service TCP port Finger 79 80 Telnet 23 World Wide Web SMTP (mail) 25 News 144 Gopher 70 rlogin 513 Internet service UDP port Internet service UDP port Who Is 43 TFTP 69 World Wide Web 80 who 513 SNMP 161 Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number.
Other filter attributes There are three other attributes to each filter: • The filter’s order (i.e., priority) in the filter set • Whether the filter is currently active • Whether the filter is set to forward packets or to block (discard) packets Putting the parts together When you display a filter set, its filters are displayed as rows in a table: The table’s columns correspond to each filter’s attributes: • #: The filter’s priority in the set.
Security Protocol Number to use Full name N/A 0 Ignores protocol type ICMP 1 Internet Control Message Protocol TCP 6 Transmission Control Protocol UDP 17 User Datagram Protocol • Src Port: The source port to match. This is the port on the sending host that originated the packet. • Dst Port: The destination port to match. This is the port on the receiving host for which the packet is intended. • NC: Indicates No Compare, where specified.
• Destination Port = 23 • The filter should be enabled and instructed to block the Telnet packets containing the source address shown in step 2: • Forward = unchecked This four-step process is how we produced the following filter from the original rule: 154
Security Filtering example #2 Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The filter would look like this: This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.
Design guidelines Careful thought must go into designing a new filter set. You should consider the following guidelines: • Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure. • Be sure each individual filter’s purpose is clear. • Determine how filter priority will affect the set’s actions.
Working with IP Filters and Filter Sets Working with IP Filters and Filter Sets To work with filters and filter sets, begin by accessing the filter set pages. ☛ NOTE: Make sure you understand how filters work before attempting to use them. Read the section “Packet Filter” on page 146. The procedure for creating and maintaining filter sets is as follows: 1. Add a new filter set. See Adding a filter set, below. 2. Create the filters for the new filter set. See “Adding filters to a filter set” on page 158.
Enter new name for the filter set, for example Filter Set 1. To save the filter set, click the Submit button. The saved filter set is empty (contains no filters), but you can return to it later to add filters (see “Adding filters to a filter set”). ☛ NOTE: As you begin to build a filter set, and as you add filters, after your first entry, the Alert icon will appear in the upper right corner of the web page. It will remain until all of your changes are entered and validated.
Working with IP Filters and Filter Sets packet WAN input filter LAN packet output filter The Netopia Router Packets in Netopia Firmware Version 7.5 pass through an input filter if they originate from the WAN and through an output filter if they’re being sent out to the WAN. The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination.
The Filter Set page appears. ☛ Note: There are two Add buttons in this page, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind. 1. To add a filter, click the Add button under Input Rules. The Input Rule Entry page appears.
Working with IP Filters and Filter Sets 2. If you want the filter to forward packets that match its criteria to the destination IP address, check the Forward checkbox. If Forward is unchecked, packets matching the filter’s criteria will be discarded. 3. Enter the Source IP address this filter will match on. You can enter a subnet or a host address. 4. Enter the Source Mask for the source IP address. This allows you to further modify the way the filter will match on the source address. Enter 0.0.0.
If Protocol Type is set to TCP or UDP, the settings for port comparison will appear. These settings only take effect if the Protocol Type is TCP or UDP. 9. From the Source Port Compare pull-down menu, choose a comparison method for the filter to use on a packet’s source port number. Then select Source Port and enter the actual source port number to match on (see the table on page 151). 10.
Working with IP Filters and Filter Sets Modifying filters To modify a filter, select a filter from the table and click the Edit button. The Rule Entry page appears. The parameters in this page are set in the same way as the ones in the original Rule Entry page (see “Adding filters to a filter set” on page 158). Deleting filters To delete a filter, select a filter from the table and click the Delete button.
Associating a Filter Set with an Interface Once you have created a filter set, you must associate it with an interface in order for it to be effective. Depending on its application, you can associate it with either the WAN (usually the Internet) interface or the LAN. To associate an filter set with the LAN, return to the Filter Sets page. Click the Ethernet 100BT link. The Ethernet 100BT page appears. From the pull-down menu, select the filter set to associate with this interface.
Firewall Tutorial You can repeat this process for both the WAN and LAN interfaces, to associate your filter sets. When you return to the Filter Sets page, it will display your interface associations. Firewall Tutorial General firewall terms ☛ Note: Breakwater Basic Firewall (see “BreakWater Basic Firewall” on page 125) does not make use of the packet filter support and can be used in addition to filtersets Filter rule: A filter set is comprised of individual filter rules.
Host: A workstation on the network. Packet: Unit of communication on the Internet. Packet filter: Packet filters allow or deny packets based on source or destination IP addresses, TCP or UDP ports. Port: A number that defines a particular type of service. Basic IP packet components All IP packets contain the same basic header information, as follows: Source IP Address 163.176.132.18 Destination IP Address 163.176.4.
Firewall Tutorial Example TCP/UDP Ports TCP Port Service UDP Port Service 20/21 FTP 161 SNMP 23 Telnet 69 TFTP 25 SMTP 80 WWW 144 News Firewall design rules There are two basic rules to firewall design: • “What is not explicitly allowed is denied.” and • “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else.
and a packet goes through these rules destined for FTP, the packet would forward through the first rule (WWW), go through the second rule (FTP), and match this rule; the packet is allowed through. If you had this filter set for example.... Allow WWW access; Allow FTP access; Deny FTP access; Deny all other packets. and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through.
Firewall Tutorial Example filter set page This is an example of the Netopia filter set page: 169
Filter basics In the source or destination IP address fields, the IP address that is entered must be the network address of the subnet. A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). Netopia Firmware Version 7.5 has the ability to compare source and destination TCP or UDP ports.
Firewall Tutorial Example filters Example 1 Filter Rule: 200.1.1.0 (Source IP Network Address) 255.255.255.128 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.28 This incoming IP packet has a source IP address that matches the network address in the Source IP Address field in Netopia Firmware Version 7.5. This will not forward this packet. Example 2 Filter Rule: 200.1.1.0 (Source IP Network Address) 255.255.255.
Example 4 Filter Rule: 200.1.1.96 (Source IP Network Address) 255.255.255.240 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.104. This rule does match and this packet will not be forwarded. Example 5 Filter Rule: 200.1.1.96 (Source IP Network Address) 255.255.255.255 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.96. This rule does match and this packet will not be forwarded.
Policy-based Routing using Filtersets Policy-based Routing using Filtersets Netopia Firmware Version 7.5 offers the ability to route IP packets using criteria other than the destination IP address. This is called policy-based routing. You specify the routing criteria and routing information by using IP filtersets to determine the forwarding action of a particular filter.
If you check the Idle Reset checkbox, a match on this rule will keep the WAN connection alive by resetting the idle-timeout status. The Idle Reset setting is used to determine if a packet which matches the filter will cause an "instant-on" link to connect, if it is down; or reset its idle timer, if it is already up. For example, if you wanted ping traffic not to keep the link up, you would create a filter which forwards a ping, but with the Idle Reset checkbox unchecked.
Policy-based Routing using Filtersets subsequent filter is required to match and forward all other packets. Management IP traffic If the Force Routing filter is applied to source IP addresses, it may inadvertently block communication with the router itself. You can avoid this by preceding the Force Routing filter with a filter that matches the destination IP address of the Gateway itself.
Link: Security Log Security Monitoring is a keyed feature. See page 184 for information concerning installing Netopia Software Feature Keys. Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log file. Using the Security Monitoring Log You can view the Security Log at any time. Use the following steps: 1. 2. 3. 4. 5. Click the Security toolbar button. Click the Security Log link.
Policy-based Routing using Filtersets The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count.
To reset this log, select Reset from the Security Monitor tool bar. The following message is displayed. When the Security Log contains no entries, this is the response: Timestamp Background During bootup, to provide better log information and to support improved troubleshooting, a Netopia Gateway acquires the National Institute of Standards and Technology (NIST) Universal Coordinated Time (UTC) reference signal, and then adjusts it for your local time zone.
Install Install Button: Install From the Install toolbar button you can Install new Operating System Software and Feature Keys as updates become available.
Link: Install Software (This link is not available on the 3342/3352 models, since firmware updates must be upgraded via the USB host driver.) This page allows you to install an updated release of the Netopia Firmware. Updating Your Gateway’s Netopia Firmware Version. You install a new operating system image in your unit from the Install Operating System Software page.
Install Background Firmware upgrade image files are posted periodically on the Netopia website. You can download the latest operating system software for your Gateway by accessing the following URL: http://www.netopia.com/support/resources/hdwr_option.html Be sure to download the correct file for your particular Gateway. Different Gateway models have different firmware files. Also, be sure your ISP supports the version of firmware you want to use.
a. Click the Browse button, select the file you want, and click Open. -orb. Enter the name and path of the software image you want to install in the text field. 4. Click the Install Software button. The Netopia Gateway copies the image file from your computer and installs it into its memory storage. You see a progress bar appear on your screen as the image is copied and installed. When the image has been installed, a success message displays. 5.
Install Verify the Netopia Firmware Release To verify that the Netopia firmware image has loaded successfully, use the following steps: 1. 2. Open a web connection to your Netopia Gateway from the computer on your LAN and return to the Home page. Verify your Netopia firmware release, as shown on the Home Page. This completes the upgrade process.
Link: Install Keys You can obtain advanced product functionality by employing a software Feature Key. Software feature keys are specific to a Gateway's serial number. Once the feature key is installed and the Gateway is restarted, the new feature's functionality becomes enabled. Use Netopia Software Feature Keys Netopia Gateway users obtain advanced product functionality by installing a software feature key.
Install 4. Click the Install Key button. 5. Click the Restart toolbar button. The Confirmation screen appears.
6. Click the Restart the Gateway link to confirm. To check your installed features: 7. 8. 186 Click the Install toolbar button. Click the list of features link.
Install The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.
CHAPTER 4 Basic Troubleshooting This section gives some simple suggestions for troubleshooting problems with your Gateway’s initial configuration. Before troubleshooting, make sure you have • read the Quickstart Guide; • plugged in all the necessary cables; and • set your PC’s TCP/IP controls to obtain an IP address automatically.
Status Indicator Lights The first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below.
Status Indicator Lights Netopia Gateway 3341, 3351 status indicator lights Ethernet Link: Solid green when connected Ethernet Traffic: Flashes green when there is activity on the LAN DSL Traffic: D SL Po w er A ct iv e U SB c c ffi ffi Tr a D SL nk Li Tr a et et rn rn he he Et Et Sy nc Blinks green when traffic is sent/received over the WAN Power: Solid green when the power is on USB Active: Solid green when USB is connected otherwise, not lit DSL Sync: Blinking green with no lin
Netopia Gateway 3342, 3352 status indicator lights USB: L DS US B Solid green when USB is connected otherwise, not lit DSL: Blinking green with no line attached or training, solid green when trained with the DSL line. ☛ Special patterns: • Both LEDs are off during boot (power on boot or warm reboot). • When the 3342/3352 successfully boots up, both LEDs flash green once. • Both LEDs are off when the Host OS suspends the device, (e.g. Windows standby/reboot, device disabled, driver uninstalled, etc.
Status Indicator Lights Po w er 4 SY N C D SL 3 LA N LA N 1 LA N LA N 2 Netopia Gateway 3346, 3356 status indicator lights Power: Solid green when the power is on DSL Sync: Blinks green with no line attached or training, Solid green when trained with the DSL line LAN 1, 2, 3, 4: Solid green when Ethernet link is established Blinks green when traffic is sent or received over the Ethernet 193
Netopia Gateway 3347W, 3347WG status indicator lights Power - Green when power is applied DSL SYNC Flashes green when training Solid green when trained Flashes green for DSL traffic LAN 1, 2, 3, 4 Solid green when connected to each port on the LAN. Flash green when there is activity on each port. Wireless Link - Flashes green when there is activity on the wireless LAN.
Status Indicator Lights If a status indicator light does not look correct, look for these possible problems: LED State 1. 2. Power Unlit 3. 4. 1. 2. DSL Sync Unlit 3. 4. 5. Possible problems Make sure the power switch is in the ON position. Make sure the power adapter is plugged into the 3300series DSL Gateway properly. Try a known good wall outlet. Replace the power supply and/or unit. Make sure the you are using the correct cable. The DSL cable is the thinner standard telephone cable.
1. 2. 3. EN Traffic Unlit 4. 5. Make sure you have Ethernet drivers installed on the PC. Make sure the PC’s TCP/IP Properties for the Ethernet Network Control Panel is set to obtain an IP address via DHCP. Make sure the PC has obtained an address in the 192.168.1.x range. (You may have changed the subnet addressing.) Make sure the PC is configured to access the Internet over a LAN.
Factory Reset Switch Factory Reset Switch (optional on some models; 3342/3352 models do not have a reset switch) Lose your password? This section shows how to reset the Netopia Gateway so that you can access the configuration screens once again. ☛ NOTE: Keep in mind that all of your settings will need to be reconfigured. If you don't have a password, the only way to access the Netopia Gateway is the following: 1. Referring to the diagram below, find the round Reset Switch opening.
2. Carefully insert the point of a pen or an unwound paperclip into the opening. • If you press the factory default button for less than 1/2 a second, the unit will continue to run as normal. • If you press the factory default button for more than 3 seconds, when you release it, the Gateway will perform a factory reset, clear all settings and configurations, and reboot.
CHAPTER 5 Advanced Troubleshooting Advanced Troubleshooting can be accessed from the Gateway’s Web UI. Point your browser to http://192.168.1.254. The main page displays the device status. (If this does not make the Web UI appear, then do a release and renew in Windows networking to see what the Gateway address really is.
Home Page The home page displays basic information about the Gateway. This includes the ISP Username, Connection Status, Device Address, Remote Gateway Address, DNS-1, and DNS-2. If you are not able to connect to the Internet, verify the following: Item Description Local WAN IP Address This is the negotiated address of the Gateway’s WAN interface. This address is usually dynamically assigned. Remote Gateway Address This is the negotiated address of the remote router to which this Gateway is connected.
Item Description ISP Username This should be the valid PPPoE username. If not, go to Expert Mode and change to the correct username. Device Address This is the negotiated address of the Gateway’s WAN interface. This address is often dynamically assigned. Make sure this is a valid address. If this is not the correct assigned address, go to Expert Mode and verify the PPPoE address has not been manually assigned. Device Gateway This is the negotiated address of the remote router.
Button: Troubleshoot Expert Mode Expert Mode has advanced troubleshooting tools that are used to pinpoint the exact source of a problem. Clicking the Troubleshoot tab displays a page with links to System Status, Network Tools, and Diagnostics. • System Status: Displays an overall view of the system and its condition. • Network Tools: Includes NSLookup, Ping and TraceRoute. • Diagnostics: Runs a multi-layer diagnostic test that checks the LAN, WAN, PPPoE, and other connection issues.
Link: Ports: Ethernet The Ethernet port selection shows the traffic sent and received on the Ethernet interface. There should be frames and bytes on both the upstream and downstream sides. If there are not, this could indicate a bad Ethernet cable or no Ethernet connection.
Link: Ports: DSL The DSL port selection shows the state of the DSL line, whether it is up or down and how many times the Gateway attempted to train. The state should indicate ‘up’ for a working configuration. If it is not, check the DSL cable and make sure it is plugged in correctly and not connected to a micro filter.
Link: DSL: Circuit Configuration The DSL Circuit Configuration screen shows the traffic sent and received over the DSL line as well as the trained rate (upstream and downstream) and the VPI/VCI. Verify traffic is being sent over the DSL line. If not, check the cabling and make sure the Gateway is not connected to a micro filter. Also verify the correct PVC is listed, which should be 0/35 (some providers use other values, such as 8/35. Check with your provider).
Link: System Log: Entire The system log shows the state of the WAN connection as well as the PPPoE session. Verify that the PPPoE session has been correctly established and there are no failures. If there are error messages, go to the WAN configuration and verify the settings. The following is an example of a successful connection: Message Log: 00:00:00:00 L3 KS: Using configured options found in flash 00:00:00:00 L3 BOOT: Warm start v7.
Link: Diagnostics The diagnostics section tests a number of different things at the same time, including the DSL line, the Ethernet interface and the PPPoE session.
Link: Network Tools Three test tools are available from this page. • NSLookup - converts a domain name to its IP address and vice versa. • Ping - tests the “reachability” of a particular network destination by sending an ICMP echo request and waiting for a reply. • TraceRoute - displays the path to a destination by showing the number of hops and the router addresses of these hops. 1.
PING: The network tools section sends a PING from the Gateway to either the LAN or WAN to verify connectivity. A PING could be either an IP address (163.176.4.32) or Domain Name (www.netopia.com). 2. To use the Ping capability, type a destination address (domain name or IP address) in the text box and click the Ping button. Example: Ping to grosso.com. Result: The host was reachable with four out of five packets sent.
Below are some specific tests: Action If PING is not successful, possible causes are: From the Gateway's Network Tools page: Ping the internet default gateway IP address DSL is down, DSL or ATM settings are incorrect; Gateway’s IP address or subnet mask are wrong; gateway router is down. Ping an internet site by IP address Gateway’s default gateway is incorrect, Gateway’s subnet mask is incorrect, site is down.
Example: Show the path to the grosso.com site. Result: It took 20 hops to get to the grosso.com web site.
CHAPTER 6 Command Line Interface The Netopia Gateway operating software includes a command line interface (CLI) that lets you access your Netopia Gateway over a telnet connection. You can use the command line interface to enter and update the unit’s configuration settings, monitor its performance, and restart it.
Overview The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire command set follow in this section.
Overview CONFIG Commands Command Verbs delete help save script set validate view Status and/or Description Delete configuration list data Help command option Save configuration data Print configuration data Set configuration data Validate configuration settings View configuration data Keywords atm bridge dhcp dmt diffserv dns dslf-cpewan dslf-lanmgnt dynamic_dns ip ethernet ip-maps nat-default pinhole ppp pppoe preferences radius security servers snmp system upnp vlan wireless ATM options (DSL only) Bridge op
Command Utilities top quit exit Go to top level of configuration mode Exit from configuration mode; return to shell mode Exit from configuration mode; return to shell mode Starting and Ending a CLI Session Open a telnet connection from a workstation on your network. You initiate a telnet connection by issuing the following command from an IP host that supports telnet, for example, a personal computer running a telnet application such as NCSA Telnet.
Using the CLI Help Facility Saving Settings In CONFIG mode, the save command saves the working copy of the settings to the Gateway. The Gateway automatically validates its settings when you save and displays a warning message if the configuration is not correct. Using the CLI Help Facility The help command lets you display on-line help for SHELL and CONFIG commands. To display a list of the commands available to you from your current location within the command line interface hierarchy, enter help.
The only commands you cannot truncate are restart and clear. To prevent accidental interruption of communications, you must enter the restart and clear commands in their entirety. You can use the Up and Down arrow keys to scroll backward and forward through recent commands you have entered. Alternatively, you can use the !! command to repeat the last command you entered. SHELL Commands Common Commands arp nnn.nnn.nnn.nnn Sends an Address Resolution Protocol (ARP) request to match the nnn.nnn.nnn.
SHELL Commands the diagnostic utility indents its entry in the console window. For example, the diagnostic utility indents the Check IP connect to Ethernet (LAN) entry, since that test will not run if the Check Ethernet LAN Connect test fails. Each test generates one of the following result codes: CODE PASS FAIL SKIPPED PENDING Description The test was successful. The test was unsuccessful.
If you include the optional keyword confirm, you will not be prompted to confirm whether or not you want to perform the operation. license [key] This command installs a software upgrade key. An upgrade key is a purchased item, based on the serial number of the gateway. log message_string Adds the message in the message_string argument to the Netopia Gateway diagnostic log. loglevel [level] Displays or modifies the types of log messages you want the Netopia Gateway to record.
SHELL Commands netstat -i Displays the IP interfaces for your Netopia Gateway. netstat -r Displays the IP routes stored in your Netopia Gateway. nslookup { hostname | ip_address } Performs a domain name system lookup for a specified host. • The hostname argument is the name of the host for which you want DNS information; for example, nslookup klaatu. • The ip_address argument is the IP address, in dotted decimal notation, of the device for which you want DNS information.
reset arp Clears the Address Resolution Protocol (ARP) cache on your unit. reset atm Resets the Asynchronous Transfer Mode (ATM) statistics. reset crash Clears crash-dump information, which identifies the contents of the Netopia Gateway registers at the point of system malfunction. reset dhcp server Clears the DHCP lease table in the Netopia Gateway. reset diffserv Resets the Differentiated Services (diffserv) statistics.
SHELL Commands reset security-log Clears the security monitoring log to make room to capture new entries. reset wan-users [all | ip-address] This function disconnects the specified WAN User to allow for other users to access the WAN. This function is only available if the number of WAN Users is restricted and NAT is on. Use the all parameter to disconnect all users. If you logon as Admin you can disconnect any or all users. If you logon as User, you can only disconnect yourself.
show bridge interfaces Displays bridge interfaces maintained by the Netopia Gateway. show bridge table Displays the bridging table maintained by the Netopia Gateway. show crash Displays the most recent crash information, if any, for your Netopia Gateway. show dhcp server leases Displays the DHCP leases stored in RAM by your Netopia Gateway. show ip arp Displays the Ethernet address resolution table stored in your Netopia Gateway.
SHELL Commands show ip lan-discovery Displays the LAN Host Discovery Table of hosts on the wired or wireless LAN, and whether or not they are currently online. show ip routes Displays the IP routes stored in your Netopia Gateway. show ip state-insp Displays whether stateful inspection is enabled on an interface or not, exposed addresses and blocked packet statistics because of stateful inspection. show log Displays blocks of information from the Netopia Gateway diagnostic log.
show wireless [all] Shows wireless status and statistics. show wireless clients [ MAC_address ] Displays details on connected clients, or more details on a particular client if the MAC address is added as an argument. telnet { hostname | ip_address } [port] Lets you open a telnet connection to the specified host through your Netopia Gateway. • The hostname argument is the name of the device to which you want to connect; for example, telnet ftp.netopia.com.
SHELL Commands WAN Commands atmping vccn [ segment | end-to-end ] Lets you check the ATM connection reachability and network connectivity. This command sends five Operations, Administration, and Maintenance (OAM) loopback calls to the specified vpi/vci destination. There is a five second total timeout interval. Use the segment argument to ping a neighbor switch. Use the end-to-end argument to ping a remote end node.
show config Dumps the Netopia Gateway’s configuration script just as the script command does in config mode. show dsl Displays DSL port statistics, such as upstream and downstream connection rates and noise levels. show ppp [{ stats | lcp | ipcp }] Displays information about open PPP links. You can display a subset of the PPP statistics by including an optional stats, lcp, or ipcp argument for the show ppp command. start ppp vccn Opens a PPP link on the specified virtual circuit.
About CONFIG Commands Some CLI commands are not available until certain conditions are met. For example, you must enable IP for an interface before you can enter IP settings for that interface. Navigating the CONFIG Hierarchy • Moving from CONFIG to SHELL — You can navigate from anywhere in the CONFIG hierarchy back to the SHELL level by entering quit at the CONFIG prompt and pressing RETURN.
Entering Commands in CONFIG Mode CONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action you want to take or the entity on which you want to act. Arguments in a CONFIG command specify the values appropriate to your site. For example, the CONFIG command set ip ethernet A ip_address consists of two keywords (ip, and ethernet A) and one argument (ip_address).
About CONFIG Commands Guidelines: CONFIG Commands The following table provides guidelines for entering and formatting CONFIG commands. Command component Command verbs Keywords Argument Text Numbers IP addresses Rules for entering CONFIG commands CONFIG commands must start with a command verb (set, view, delete). You can truncate CONFIG verbs to three characters (set, vie, del). CONFIG verbs are case-insensitive. You can enter “SET,” “Set,” or “set.” Keywords are case-insensitive.
Step Mode: A CLI Configuration Technique The Netopia Gateway command line interface includes a step mode to automate the process of entering configuration settings. When you use the CONFIG step mode, the command line interface prompts you for all required and optional information. You can then enter the configuration values appropriate for your site without having to enter complete CLI commands. When you are in step mode, the command line interface prompts you to enter required and optional settings.
CONFIG Commands Dogzilla (top)>> validate Error: Subnet mask is incorrect Global Validation did not pass inspection! You can use the validate command to verify your configuration settings at any time. Your Netopia Gateway automatically validates your configuration any time you save a modified configuration. CONFIG Commands This section describes the keywords and arguments for the various CONFIG commands. DSL Commands ATM Settings. You can use the CLI to set up each ATM virtual circuit.
• cbr: One parameter is required for CBR VCs. Enter the Peak Cell Rate that applies to the VC. This value should be between 1 and the line rate. You set this value according to specifications defined by your service provider. • vbr: Three parameters are required for VBR VCs. Enter the Peak Cell Rate, the Sustained Cell Rate, and the Maximum Burst Size that apply to the VC. You set these values according to specifications defined by your service provider. set atm [vcc n] qos peak-cell-rate { 1 ...
CONFIG Commands set atm [vccn] encap { ppp-vcmux | ppp-llc | ether-llc | ip-llc | ppoe-vcmux | pppoe-llc } Select the encapsulation mode for VCC n. The options are: ppp-vcmux PPP over ATM, VC-muxed ppp-llc PPP over ATM, LLC-SNAP ether-llc RFC-1483, bridged Ethernet, LLC-SNAP ip-llc RFC-1483, routed IP, LLC-SNAP pppoe-vcmux PPP over Ethernet, VC-muxed pppoe-llc PPP over Ethernet, LLC-SNAP Your Service Provider will indicate the required encapsulation mode. set atm [vccn] pppoe-sessions { 1 ...
☛ NOTE: For bridging in the 3341 (or any model with a USB port), you cannot set the bridge option off, or bridge ethernet option off; these are on by default because of the USB port. Common Commands set bridge sys-bridge {on | off } Enables or disables bridging services in the Netopia Gateway. You must enable bridging services within the Netopia Gateway before you can enable bridging for a specific interface.
CONFIG Commands DHCP Settings As a Dynamic Host Control Protocol (DHCP) server, your Netopia Gateway can assign IP addresses and provide configuration information to other devices on your network dynamically. A device that acquires its IP address and other TCP/IP configuration settings from the Netopia Gateway can use the information for a fixed period of time (called the DHCP lease). Common Commands set dhcp option { off | server | relay-agent } Enables or disables DHCP services in the Netopia Gateway.
DMT Settings DSL Commands set dmt type [ lite | dmt | ansi | multi ] Selects the type of Discrete Multitone (DMT) asynchronous digital subscriber line (ADSL) protocol to use for the WAN interface. ☛ NOTE: dmt type is not supported for Annex B (335x) platforms. set dmt autoConfig [ off | on ] Enables support for automatic VPI/VCI detection and configuration. When set to on (the default), a pre-defined list of VPI/VCI pairs are searched to find a valid configuration for your ADSL line.
CONFIG Commands Common Commands set dns domain-name domain-name Specifies the default domain name for your network. When an application needs to resolve a host name, it appends the default domain name to the host name and asks the DNS server if it has an address for the “fully qualified host name.” set dns primary-address ip_address Specifies the IP address of the primary DNS name server. set dns proxy-enable This allows you to disable the default behavior of acting as a DNS proxy. The default is on.
Because different dynamic DNS vendors use different proprietary protocols, currently only www.dyndns.org is supported. IP Settings You can use the command line interface to specify whether TCP/IP is enabled, identify a default Gateway, and to enter TCP/IP settings for the Netopia Gateway LAN and WAN ports. ☛ NOTE: For the DSL platform you must identify the virtual PPP interface [vccn], a number from 1 to 8.
CONFIG Commands set ip dsl vccn broadcast broadcast_address Specifies the broadcast address for the TCP/IP network connected to the virtual circuit. IP hosts use the broadcast address to send messages to every host on your network simultaneously. The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255.
an extension of RIP-2 that increases security by requiring an authentication key when routes are advertised. Depending on your network needs, you can configure your Netopia Gateway to support RIP1, RIP-2, or RIP-2MD5. If you specify v2-MD5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other router(s) keys for proper operation of MD5 support.
CONFIG Commands The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255. set ip ethernet A netmask netmask Specifies the subnet mask for the local Ethernet interface. The subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask).
set ip ethernet A rip-receive { off | v1 | v2 | v1-compat | v2-MD5 } Specifies whether the Netopia Gateway should use Routing Information Protocol (RIP) broadcasts to update its routing tables with information received from other routers on your network. If you specify v2-MD5, you must also specify a rip-receive-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other router(s) keys for proper operation of MD5 support.
CONFIG Commands set ip ip-ppp [vccn] address ip_address Assigns an IP address to the virtual PPP interface. If you specify an IP address other than 0.0.0.0, your Netopia Gateway will not negotiate its IP address with the remote peer. If the remote peer does not accept the IP address specified in the ip_address argument as valid, the link will not come up. The default value for the ip_address argument is 0.0.0.
set ip ip-ppp [vccn] rip-send { off | v1 | v2 | v1-compat | v2-MD5 } Specifies whether the Netopia Gateway unit should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to routers on the other side of the PPP link. An extension of the original Routing Information Protocol (RIP-1), RIP Version 2 (RIP-2) expands the amount of useful information in the packets. While RIP-1 and RIP-2 share the same basic algorithms, RIP-2 supports several new features.
CONFIG Commands Static ARP Settings Your Netopia Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet (MAC) addresses. Your Netopia Gateway populates this ARP table dynamically, by retrieving IP address/MAC address pairs only when it needs them. Optionally, you can define static ARP entries to map IP addresses to their corresponding Ethernet MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out.
IP Prioritization set ip prioritize [ off | on ] Allows you to support traffic that has the TOS bit set. This defaults to off. Differentiated Services (DiffServ) The commands in this section are supported beginning with Firmware Version 7.4.2. set diffserv option [ off | on ] Turns the DiffServ option off (default) or on. on enables the service and IP TOS bits are used, even if no flows are defined.
CONFIG Commands set diffserv custom-flows name name protocol [ TCP | UDP | ICMP | other ] direction [ outbound | inbound | both ] start-port [ 0 - 49151 ] end-port [ 0 - 49151 ] inside-ip inside-ip-addr outside-ip outside-ip-addr qos [ off | assure | expedite ] Defines or edits a custom flow. Select a name for the custom-flow from the set command. The CLI will step into the newly-named or previously-defined flow for editing.
SIP Passthrough set ip sip-passthrough [ on | off ] Turns Session Initiation Protocol application layer gateway client passthrough on or off. The default is on. Session Initiation Protocol, is a signaling protocol for Internet conferencing, telephony, presence, events notification and instant messaging. Static Route Settings A static route identifies a manually configured pathway to a remote network.
CONFIG Commands set ip static-routes destination-network net_address gateway-address gate_address Specifies the IP address of the Gateway for the static route. The default Gateway must be located on a network connected to the Netopia Gateway configured interface. set ip static-routes destination-network net_address metric integer Specifies the metric (hop count) for the static route. The default metric is 1.
set ip-maps name external-ip Specifies the name and static ip address of the WAN device to be mapped. Up to 8 mapped static IP addresses are supported. Network Address Translation (NAT) Default Settings NAT default settings let you specify whether you want your Netopia Gateway to forward NAT traffic to a default server when it doesn’t know what else to do with it.
CONFIG Commands Network Address Translation (NAT) Pinhole Settings NAT pinholes let you pass specific types of network traffic through the NAT interfaces on the Netopia Gateway. NAT pinholes allow you to route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a specific host behind the Netopia Gateway transparently.
set pinhole name name internal-ip internal-ip Specifies the IP address of the internal host to which traffic of the specified type should be transferred. set pinhole name name internal-port internal-port Specifies the port number your Netopia Gateway should use when forwarding traffic of the specified type. Under most circumstances, you would use the same number for the external and internal port.
CONFIG Commands set ppp module [vccn] magic-number { on | off } Enables or disables LCP magic number negotiation. set ppp module [vccn] protocol-compression { on | off } Specifies whether you want the Netopia Gateway to compress the PPP Protocol field when it transmits datagrams over the PPP link. set ppp module [vccn] lcp-echo-requests { on | off } Specifies whether you want your Netopia Gateway to send LCP echo requests.
set ppp module [vccn] terminate-max integer Specifies the maximum number of unacknowledged termination requests that your Netopia Gateway will send before terminating the PPP link. The integer argument can be any number between 1 and 10. set ppp module [vccn] restart-timer integer Specifies the number of seconds the Netopia Gateway should wait before retransmitting a configuration or termination request. The integer argument can be any number between 1 and 30.
CONFIG Commands option [ off | on | pap-only | chap-only ] Specifying on turns both PAP and CHAP on, or you can select PAP or CHAP. Specify the username and password when port authentication is turned on (both CHAP and PAP, CHAP or PAP.) Authentication must be enabled before you can enter other information. set ppp module [vccn] port-authentication username username The username argument is 1- 255 alphanumeric characters.
set preference more lines Specifies how many lines of information you want the command line interface to display at one time. The lines argument specifies the number of lines you want to see at one time. The range is 1-65535. By default, the command line interface shows you 22 lines of text before displaying the prompt: More …[y|n] ?. If you enter 100 for the lines argument, the command line interface displays information as an uninterrupted stream (which is useful for capturing information to a text file).
CONFIG Commands Port Renumbering Settings If you use NAT pinholes to forward HTTP or telnet traffic through your Netopia Gateway to an internal host, you must change the port numbers the Netopia Gateway uses for its own configuration traffic. For example, if you set up a NAT pinhole to forward network traffic on Port 80 (HTTP) to another host, you would have to tell the Netopia Gateway to listen for configuration connection requests on a port number other than 80, such as 6080.
Security Settings Security settings include the Firewall and IPSec parameters. All of the security functionality is keyed. Firewall Settings (for BreakWater Firewall) set security firewall option [ ClearSailing | SilentRunning | LANdLocked ] The 3 settings for BreakWater are discussed in detail on page page 125. SafeHarbour IPSec Settings SafeHarbour VPN is a tunnel between the local network and another geographically dispersed network that is interconnected over the Internet.
CONFIG Commands set security ipsec tunnels name "123" tun-enable (on) {on | off} This enables this particular tunnel. Currently, one tunnel is supported. set security ipsec tunnels name "123" dest-ext-address ip-address Specifies the IP address of the destination gateway. set security ipsec tunnels name "123" dest-int-network ip-address Specifies the IP address of the destination computer or internal network.
set security ipsec tunnels name "123" IKE-mode pre-shared-key ("") {hex string} See page 130 for details about SafeHarbour IPsec tunnel capability. Example: 0x1234 set security ipsec tunnels name "123" IKE-mode neg-method {main | aggressive} See page 130 for details about SafeHarbour IPsec tunnel capability. Note: Aggressive Mode is a little faster, but it does not provide identity protection for negotiations nodes.
CONFIG Commands set security ipsec tunnels name "123" IKE-mode PFS-enable { off | on } See page 130 for details about SafeHarbour IPsec tunnel capability. set security ipsec tunnels name "123" IKE-mode invalid-spi-recovery { off | on } Enables the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted. set security ipsec tunnels name "123" xauth enable {off | on } Enables or disables Xauth extensions to IPsec, when IKE-mode neg-method is set to aggressive.
set security ipsec tunnels name "123" local-id id_value Specifies the NAT local ID value as specified in the local-id-type for the specified IPsec tunnel.
CONFIG Commands Internet Key Exchange (IKE) Settings The following four IPsec parameters configure the rekeying event.
Stateful Inspection Stateful inspection options are accessed by the security state-insp tag. set security state-insp [ ip-ppp | dsl ] vccn option [ off | on ] set security state-insp ethernet [ A | B ] option [ off | on ] Sets the stateful inspection option off or on on the specified interface. This option is disabled by default. Stateful inspection prevents unsolicited inbound access when NAT is disabled.
CONFIG Commands set security state-insp udp-timeout [ 30 - 65535 ] Sets the stateful inspection UDP timeout interval, in seconds. set security state-insp xposed-addr exposed-address# "n" Allows you to add an entry to the specified list, or, if the list does not exist, creates the list for the stateful inspection feature. xposed-addr settings only apply if NAT is off. Example: set security state-insp xposed-addr exposed-address# (?): 32 32 has been added to the xposed-addr list.
set security state-insp xposed-addr exposed-address# "n" start-port [ 1 - 65535 ] set security state-insp xposed-addr exposed-address# "n" end-port [ 1 - 65535 ] Packet Filtering Settings Packet Filtering settings are supported beginning with Firmware Version 7.4. Packet Filtering has two parts: • Create/Edit/Delete Filter Sets, create/edit/delete rules to a Filter Set. • Associate a created Filter Set with an WAN or LAN interface See “Packet Filter” on page 146 for more information.
CONFIG Commands set security pkt-filter filterset filterset-name in index frc-rte [ on | off ] Turns forced routing on or off for the specified filter rule. A match on this rule will force a route for packets. The default is off. set security pkt-filter filterset filterset-name in index gateway ip_addr Specifies the gateway IP address for forced routed packets, if forced routing is enabled.
set security pkt-filter filterset filterset-name in index protocol value Specifies the protocol value to match packets, the type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP. The value for protocol can be from 0 – 255. set security pkt-filter filterset filterset-name in index src-compare [ nc | ne | lt | le | eq | gt | ge ] Sets the source compare operator action for the specified filter rule.
CONFIG Commands set security pkt-filter filterset filterset-name in index src-port value Specifies the source IP port to match packets (the port on the sending host that originated the packet, if the underlying protocol is TCP or UDP). set security pkt-filter filterset filterset-name in index dst-port value Specifies the destination IP port to match packets (the port on the receiving host that the packet is destined for, if the underlying protocol is TCP or UDP).
set snmp sysgroup contact contact_info Identifies the system contact, such as the name, phone number, beeper number, or email address of the person responsible for the Netopia Gateway. You can enter up to 255 characters for the contact_info argument. You must put the contact_info argument in double-quotes if it contains embedded spaces. set snmp sysgroup location location_info Identifies the location, such as the building, floor, or room number, of the Netopia Gateway.
CONFIG Commands assigned a name to your Netopia Gateway, you can enter that name in the Address text field of your browser to open a connection to your Netopia Gateway. ☛ NOTE: Some broadband cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider.
set system idle-timeout { telnet [ 1...120 ] | http [ 1... 120 ] } Specifies a timeout period of inactivity for telnet or HTTP access to the Gateway, after which a user must re-login to the Gateway. Defaults are 5 minutes for HTTP and 15 minutes for telnet. set system username { administrator name | user name } Specifies the usernames for the administrative user – the default is admin; and a nonadministrative user – the default is user.
CONFIG Commands location ("string"): The heartbeat setting is used in conjunction with the configuration server to broadcast contact and location information about your Gateway. You can specify the protocol, port, IP-, port-, and URL-server. • The interval setting specifies the broadcast update frequency. Part of sequence con• • • • trol. The interval is the spacing between heartbeats, in d:h:m:s.
set system ntp option [ off | on ]: server-address (204.152.184.72) alt-server-address (""): time-zone [ -12 - 12 ] update-period (60) [ 1 - 65535 ]: daylight-savings [ off | on ] Specifies the NTP server address, time zone, and how often the Gateway should check the time from the NTP server. NTP time-zone of 0 is GMT time; options are -12 through 12 (+/1 hour increments from GMT time). update-period specifies how often, in minutes, the Gateway should update the clock.
CONFIG Commands Syslog set system syslog option [ off | on ] Enables or disables system syslog feature. If syslog option is on, the following commands are available: set system syslog host-nameip [ ip_address | hostname ] Specifies the syslog server’s address either in dotted decimal format or as a DNS name up to 64 characters. set system syslog log-facility [ local0 ... local7 ] Sets the UNIX syslog Facility. Acceptable values are local0 through local7.
set security state-insp eth B option on • Type the command to enable the router to drop fragmented packets 3. set security state-insp eth B deny-fragments on Enabling syslog: • Type config • Type the command to enable syslog set system syslog option on • Set the IP Address of the syslog host set system syslog host-nameip (example: set system syslog host-nameip 10.3.1.1) • Enable/change the options you require 4.
CONFIG Commands Wireless Settings (supported models) set wireless option ( on | off ) Administratively enables or disables the wireless interface. set wireless ssid { network_name } Specifies the wireless network id for the Gateway. A unique ssid is generated for each Gateway. You must set your wireless clients to connect to this exact id, which can be changed to any 32-character string. set wireless auto-channel mode { off | at-startup | continuous } Specifies the wireless AutoChannel Setting for 802.
set wireless privacy option { off | WEP | WPA-PSK | WPA-802.1x } Specifies the type of privacy enabled on the wireless LAN. off = no privacy; WEP = WEP encryption; WPA-PSK = Wireless Protected Access/Pre-Shared Key; WPA-802.1x = Wireless Protected Access/802.1x authentication. See “Wireless” on page 52 for a discussion of these options. WPA provides Wireless Protected Access, the most secure option for your wireless network. This mechanism provides the best data protection and access control.
CONFIG Commands For simplicity, it is easiest to have both the Gateway and the client transmit with the same key. The default is 1.
set wireless privacy encryption-key1-length {40/64bit, 128bit, 256bit} set wireless privacy encryption-key2-length {40/64bit, 128bit, 256bit} set wireless privacy encryption-key3-length {40/64bit, 128bit, 256bit} set wireless privacy encryption-key4-length {40/64bit, 128bit, 256bit} Selects the length of each encryption key. 40bit encryption is equivalent to 64bit encryption. The longer the key, the stronger the encryption and the more difficult it is to break the encryption.
CONFIG Commands Wireless MAC Address Authorization Settings set wireless mac-auth option { on | off } Enabling this feature limits the MAC addresses that are allowed to access the LAN as well as the WAN to specified MAC (hardware) addresses. set wireless mac-auth wrlss-MAC-list mac-address MAC-address_string Enters a new MAC address into the MAC address authorization table. The format for an Ethernet MAC address is six hexadecimal values between 00 and FF inclusive separated by colons or dashes (e.g.
set radius radius-port port_number Specifies the port on which the RADIUS server is listening. The default value is 1812. VLAN Settings These settings are supported beginning with Firmware Version 7.4.2. You can create up to 32 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Gateway. See “VLAN” on page 117 for more information. set vlan name string Sets the descriptive name for the VLAN.
CONFIG Commands enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. The default is on. You can disable UPnP, if you are not using any UPnP devices or applications. DSL Forum settings TR-064 is a LAN-side DSL CPE configuration specification and TR-069 is a WAN-side DSL CPE Management specification. TR-064. DSL Forum LAN Side CPE Configuration (TR-064) is an extension of UPnP. It defines more services to locally manage the Netopia Gateway.
TR-069. DSL Forum CPE WAN Management Protocol (TR-069) provides services similar to UPnP and TR-064. The communication between the Netopia Gateway and management agent in UPnP and TR-064 is strictly over the LAN, whereas the communication in TR-069 is over the WAN link for some features and over the LAN for others. TR-069 allows a remote Auto-Config Server (ACS) to provision and manage the Netopia Gateway.
CHAPTER 7 Glossary 10Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 10 Mbps. 100Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 100 Mbps. -----A----ACK. Acknowledgment. Message sent from one network device to another to indicate that some event has occurred. See NAK. access rate.
ADSL. Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream (to the subscriber) and 16 -640 kbps upstream, depending on line distance. (Downstream rates are usually lower that 1.5Mbps in practice.) AH. The Authentication Header provides data origin authentication, connectionless integrity, and anti-replay protection services. It protects all data in a datagram from tampering, including the fields in the header that do not change in transit.
BRI. Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels (64 kbps each) and one D channel (16 kbps)) over a single wire pair. bridge. Device that passes packets between two network segments according to the packets' destination address. broadcast. Message sent to all nodes on a network. broadcast address. Special IP address reserved for simultaneous broadcast to all network nodes. buffer. Storage area used to hold data until it can be forwarded. -----C----carrier.
crossover cable. Cable that lets you connect a port on one Ethernet hub to a port on another Ethernet hub. You can order an Ethernet crossover cable from Netopia, if needed. CSU/DSU. Channel Service Unit/Data Service Unit. Device responsible for connecting a digital circuit, such as a T1 link, with a terminal or data communications device. -----D----data bits. Number of bits used to make up a character. datagram. Logical grouping of information sent as a network-layer unit. Compare frame, packet. DCE.
Diffie-Hellman. A group of key-agreement algorithms that let two computers compute a key independently without exchanging the actual key. It can generate an unbiased secret key over an insecure medium. diffserv. Differentiated Services. A method for controlling Quality of Service (QoS) queue priority settings. It allows a Gateway to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network. domain name.
encapsulation. Technique used to enclose information formatted for one protocol, such as AppleTalk, within a packet formatted for a different protocol, such as TCP/IP. Encrypt Protocol. Encryption protocol for the tunnel session. Parameter values supported include NONE or ESP. encryption. The application of a specific algorithm to a data set so that anyone without the encryption key cannot understand the information. ESP.
FTP. File Transfer Protocol. Application protocol that lets one IP node transfer files to and from another node. FTP server. Host on network from which clients can transfer files. -----H----Hard MBytes. Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed. Hard Seconds.
-----I----IKE. Internet Key Exchange protocol provides automated key management and is a preferred alternative to manual key management as it provides better security. Manual key management is practical in a small, static environment of two or three sites. Exchanging the key is done through manual means. Because IKE provides automated key exchange, it is good for larger, more dynamic environments. INSPECTION.
-----K----Key Management . The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE) -----L----LCP. Link Control Protocol. Protocol responsible for negotiating connection configuration parameters, authenticating peers on the link, determining whether a link is functioning properly, and terminating the link. Documented in RFC 1331. LQM Link Quality Monitoring.
at the other end of the connection converts the analog signal back to a digital signal. MRU. Maximum Receive Unit. The maximum packet size, in bytes, that a network interface will accept. MTU. Maximum Transmission Unit. The maximum packet size, in bytes, that can be sent over a network interface. MULTI-LAYER. The Open System Interconnection (OSI) model divides network traffic into seven distinct levels, from the Physical (hardware) layer to the Application (software) layer.
PAP. Password Authentication Protocol. Security protocol within the PPP protocol suite that prevents unauthorized access to network services. See RFC 1334 for PAP specifications. Compare CHAP. parity. Method of checking the integrity of each character received over a communication channel. Peer External IP Address. The Peer External IP Address is the public, or routable IP address of the remote gateway or VPN server you are establishing the tunnel with. Peer Internal IP Network.
protocol. Formal set of rules and conventions that specify how information can be exchanged over a network. PSTN. Public Switched Telephone Network. -----R----repeater. Device that regenerates and propagates electrical signals between two network segments. Also known as a hub. RFC. Request for Comment. Set of documents that specify the conventions and standards for TCP/IP networking. RIP. Routing Information Protocol.
• • • • • • The authentication algorithm for AH and ESP The encryption algorithm for ESP The encryption and authentication keys Lifetime of encryption keys The lifetime of the SA Replay prevention sequence number and the replay bit table An arbitrary 32-bit number called a Security Parameters Index (SPI), as well as the destination host’s address and the IPSEC protocol identifier, identify each SA. An SPI is assigned to an SA when the SA is negotiated.
conversation, rather than just individual packets. It verifies that packets are sent from and received by the proper IP addresses along the proper communication ports in the correct order and that no imposter packets interrupt the packet flow. Packet filtering monitors only the ports involved, while the Netopia Gateway analyzes the continuous conversation stream, preventing session hijacking and denial of service attacks. static route. Route entered manually in a routing table. subnet mask.
-----V----VJ. Van Jacobson. Abbreviation for a compression standard documented in RFC 1144. VLAN. Virtual Local Area Network. A network of computers that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. VLANs are configured in software rather than hardware. -----W----WAN. Wide Area Network.
Description CHAPTER 8 Technical Specifications and Safety Information Description Dimensions: Smart Modems: 13.5 cm (w) x 13.5 cm (d) x 3.5 cm (h); 5.25” (w) x 5.25” (d) x 1.375” (h) Wireless Models: 19.5 cm (w) x 17.0 cm (d) x 4.0 cm (h); 7.6” (w) x 6.75” (d) x 1.5” (h) 3342/3352: 8.5 cm (w) x 4.5 cm (d) x 2 cm (h); 3.375” (w) x 1.75” (d) x .875” (h) Communications interfaces: The Netopia Firmware Version 7.4.
Software and protocols Software media: Software preloaded on internal flash memory; field upgrades done via download to internal flash memory via TFTP or web upload.
Agency approvals Agency approvals North America Safety Approvals: ■ United States – UL 60950, Third Edition ■ Canada – CSA: CAN/CSA-C22.2 No. 60950-00 EMC: ■ United States – FCC Part 15 Class B ■ Canada – ICES-003 Telecom: ■ United States – 47 CFR Part 68 ■ Canada – CS-03 International Safety Approvals: ■ Low Voltage (European directive) 73/23 ■ EN60950 (Europe) EMI Compatibility: ■ 89/336/EEC (European directive) ■ EN55022:1994 ■ EN300 386 V1.2.
The Netopia Firmware Version 7.4.2 complies with the following EU directives: ■ Low Voltage, 73/23/EEC ■ EMC Compatibility, 89/336/EEC, conforming to EN 55 022 Manufacturer’s Declaration of Conformance ☛ Warnings: This is a Class B product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. Adequate measures include increasing the physical distance between this product and other electrical devices.
Manufacturer’s Declaration of Conformance ☛ Important This product was tested for FCC compliance under conditions that included the use of shielded cables and connectors between system components. Changes or modifications to this product not authorized by the manufacturer could void your authority to operate the equipment. Canada. This Class B digital apparatus meets all requirements of the Canadian Interference Causing Equipment Regulations.
Important Safety Instructions Australian Safety Information The following safety information is provided in conformance with Australian safety requirements: Caution DO NOT USE BEFORE READING THE INSTRUCTIONS: Do not connect the Ethernet ports to a carrier or carriage service provider’s telecommunications network or facility unless: a) you have the written consent of the network or facility manager, or b) the connection is in accordance with a connection permit or connection rules.
47 CFR Part 68 Information 47 CFR Part 68 Information FCC Requirements 1. The Federal Communications Commission (FCC) has established Rules which permit this device to be directly connected to the telephone network. Standardized jacks are used for these connections. This equipment should not be used on party lines or coin phones. 2.
d) The REN is used to determine the number of devices that may be connected to a telephone line. Excessive RENs on a telephone line may result in the devices not ringing in response to an incoming call. In most but not all areas, the sum of RENs should not exceed five (5.0). To be certain of the number of devices that may be connected to a line, as determined by the total RENs, contact the local telephone company.
CHAPTER 9 Overview of Major Capabilities The Netopia Gateway offers simplified setup and management features as well as advanced broadband router capabilities. The following are some of the main features of the Netopia Gateway: • “Wide Area Network Termination” on page 312 The Gateway combines an ADSL modem with an Internet router. It translates protocols used on the Internet to protocols used by home personal computers and eliminates the need for special desktop software (i.e. PPPoE).
Wide Area Network Termination PPPoE/PPPoA (Point-to-Point Protocol over Ethernet/ATM) The PPPoE specification, incorporating the PPP and Ethernet standards, allows your computer(s) to connect to your Service Provider’s network through your Ethernet WAN connection. The Netopia-series Gateway supports PPPoE, eliminating the need to install PPPoE client software on any LAN computers.
Simplified Local Area Network Setup • Your network may change address with each connection making it more difficult to attack. When you configure Instant On access, you can also configure an idle time-out value. Your Gateway monitors traffic over the Internet link and when there has been no traffic for the configured number of seconds, it disconnects the link. When new traffic that is destined for the Internet arrives at the Gateway, the Gateway will instantly re-establish the link.
☛ NOTE: The Netopia DNS Proxy only proxies UDP DNS queries, not TCP DNS queries. Management Embedded Web Server There is no specialized software to install on your PC to configure, manage, or maintain your Netopia Gateway.
Security TraceRoute - displays the path to a destination by showing the number of hops and the router addresses of these hops. The system log also provides diagnostic information. ☛ NOTE: Your Service Provider may request information that you acquire from these various diagnostic tools. Individual tests may be performed at the command line. (See “Command Line Interface” on page 213.).
from routers on networks connected to its WAN interface. In other words, the end computer stations on your LAN are invisible from the Internet. Only a single WAN IP address is required to provide this security support for your entire LAN. LAN sites that communicate through an Internet Service Provider typically enable NAT, since they usually purchase only one IP address from the ISP.
Security ☛ NOTE: 1. The default setting for NAT is ON. 2. Netopia uses Port Address Translation (PAT) to implement the NAT facility. 3. NAT Pinhole traffic (discussed below) is always initiated from the WAN side. Netopia Advanced Features for NAT Using the NAT facility provides effective LAN security. However, there are user applications that require methods to selectively by-pass this security function for certain types of Internet traffic.
Common TCP/IP protocols and ports are: FTP (TCP 21) SMTP (TCP 25) SNMP (TCP 161, UDP 161) telnet (TCP 23) HTTP (TCP 80) See page 70 for How To instructions. Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN. • Enable it for certain situations: Where you cannot anticipate what port number or packet protocol an in-bound application might use.
Security IP-Passthrough Netopia OS now offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the Gateway’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. VPN IPSec Pass Through This Netopia service supports your independent VPN client software in a transparent manner.
☛ NOTE: Typically, no special configuration is necessary to use the IPSec pass through feature. In the diagram, VPN PC clients are shown behind the Netopia Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Netopia Gateway. When multiple PCs are starting IPSec sessions, they must be started one at a time to allow the associations to be created and mapped.
Index Symbols !! command 218 A Access Controls 91 Access the GUI 39 Address resolution table 224 Administrative restrictions 245 Administrator password 39, 123, 216 Arguments, CLI 230 ARP Command 218, 227 Authentication 256 Authentication trap 271 auto-channel mode 279 AutoChannel Setting 56, 279 B Bridging 235 Broadcast address 241, 242 C CLI 213 !! command 218 Arguments 230 Command shortcuts 217 Command truncation 229 Configuration mode 228 Keywords 230 Navigating 229 Prompt 217, 228 Restart command 2
(DNS) 238 DSL Forum settings 285 E Echo request 255 echo-period 255 Embedded Web Server 314 Ethernet address 235 Ethernet statistics 222 F Feature Keys Obtaining 184 filter parts 150 parts of 150 filter priority 148 filter set adding 157 display 152 filter sets adding 157 defined 147 deleting 163 disadvantages 146 using 157 filtering example #1 153 filters actions a filter can take 149 adding to a filter set 159 defined 147 deleting 163 input 158 322 modifying 163 output 158 using 156, 157 viewing 162 f
Local Area Network 313 Location, SNMP 271, 272 Log 225 Logging in 216 lost echoes 255 M Magic number 255 Maturity Level 92 Memory 225 Metric 251 Multiple Wireless IDs 56 N Nameserver 238 NAT 245, 252, 315 Traffic rules 81 NAT Default Server 318 Netmask 243 Network Address Translation 315 Network Test Tools 314 NSLookup 314 O set upnp option 284 P PAP 312 Password 123 Administrator 39, 123, 216 User 39, 123, 216 persistent-log 273 Ping 314 Ping command 221 Pinholes 252, 317 Planning 70 policy-based rout
S Secondary nameserver 238 security filters 146–?? Security log 177 Set bncp command 233, 234, 235 Set bridge commands 236 Set dns commands 239 Set ip static-routes commands 250 Set ppp module port authentication command 256 Set preference more command 258 Set preference verbose command 257 set security state-insp 266 Set servers command 259 Set servers telnet-tcp command 259 Set snmp sysgroup location command 272 Set snmp traps authentification-traps ip-address command 271 Set system diagnostic-level comma
Telnet command 226 Telnet traffic 259 TFTP 252 TFTP server 219 Toolbar 43 TOS bit 150, 173 TraceRoute 208, 315 Trap 271 Trivial File Transfer Protocol 219 Truncation 229 U UPnP 101 User name 216 User password 39, 123, 216 V set atm 233, 234 View command 231 view config 228 VLAN Settings 284 VPN IPSec Pass Through 319 IPSec Tunnel Termination 320 W Wide Area Network 312 Wireless 52 Z Zero Touch 276 325
Netopia 3300 series by Netopia Netopia, Inc.
