Netopia® Software User Guide Firmware Version 7.4.
Copyright © 2005 Netopia, Inc. V 7.4.2-EIR. All rights reserved.
Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc. All other trademarks are the property of their respective owners.
Table of Contents

Copyright, page 2
Introduction, page 7
  Intended Audience, page 7
  About Netopia Documentation
  Organization
  A Word About Example Screens
  Documentation Conventions
Help, page 64
CHAPTER 3 Expert Mode, page 65
  Access the Expert Web Interface, page 65
  Links Bar, page 69
  Configure
SHELL Commands, page 176
About CONFIG Commands, page 187
CONFIG Commands, page 191
CHAPTER 6 Glossary, page 247
CHAPTER 7 Technical Specifications and Safety Information, page 265
  Description
Introduction

Intended Audience
This guide is targeted primarily to residential service subscribers. Advanced sections may also be of use to the support staffs of broadband service providers and advanced residential service subscribers. See “Expert Mode” on page 65.

About Netopia Documentation
Netopia, Inc. provides a suite of technical information for its 3300-series family of intelligent enterprise and consumer Gateways.
Organization
This guide consists of six chapters, including a glossary, and an index. It is organized as follows:
• “Introduction” — Describes the Netopia document suite, the purpose of, the audience for, and structure of this guide. It gives a table of conventions.
• Chapter 1, “Overview of Major Capabilities” — Presents a product description summary.
Documentation Conventions

General
This manual uses the following conventions to present information:

Convention (Typeface)      Description
bold italic monospaced     Menu commands
bold italic sans serif     Web GUI page links and button names
terminal                   Computer display text
bold terminal              User-entered text
Italic                     Italic type indicates the complete titles of manuals.
Alternative values for an argument are presented in curly ({ }) brackets, with values separated with vertical bars (|).
CHAPTER 1 Overview of Major Capabilities
The Netopia Gateway offers simplified setup and management features as well as advanced broadband Gateway capabilities. The following are some of the main features of the Netopia Gateway:
• “Wide Area Network Termination” on page 12
The Gateway combines an ADSL modem with an Internet Gateway. It translates protocols used on the Internet to protocols used by home personal computers and eliminates the need for special desktop software (such as a PPPoE client).
and branch offices to safely and affordably connect to a remote business network, for effective communication and collaboration. Wide Area Network Termination PPPoE/PPPoA (Point-to-Point Protocol over Ethernet/ATM) The PPPoE specification, incorporating the PPP and Ethernet standards, allows your computer(s) to connect to your Service Provider’s network through your Ethernet WAN connection. The 3300-series Gateway supports PPPoE, eliminating the need to install PPPoE client software on any LAN computers.
While an Always On connection is convenient, it does leave your network permanently connected to the Internet, and therefore potentially vulnerable to attacks. Netopia's Instant On technology furnishes almost all the benefits of an Always-On connection while providing two additional security benefits:
• Your network cannot be reached from the Internet while it is not connected.
• Your network may receive a different public address with each connection, which makes it harder for an attacker to return to a known target address.
Simplified Local Area Network Setup

DHCP (Dynamic Host Configuration Protocol) Server
DHCP Server functionality enables the Gateway to assign to your LAN computer(s) a “private” IP address and other parameters that allow network communication. The default DHCP Server configuration of the Gateway supports up to 253 LAN IP addresses. This feature simplifies network administration because the Gateway maintains a list of IP address assignments.
Management

Embedded Web Server
There is no specialized software to install on your PC to configure, manage, or maintain your Netopia Gateway.
☛ NOTE: Your Service Provider may request information that you acquire from these various diagnostic tools. Individual tests may be performed at the command line. (See “Command Line Interface” on page 171.)
Security

Remote Access Control
You can determine whether or not an administrator or other authorized person has access to configuring your Gateway. This access (either time-restricted or unlimited until the router is rebooted) can be turned on or off in the Web interface. Additionally, permanent remote access can be configured in the CLI.

Password Protection
Access to your Netopia device can be controlled through two access control accounts, Admin or User.
• When NAT is OFF, a Netopia Gateway acts as a traditional TCP/IP router, and all LAN computers/devices are exposed to the Internet.

A diagram of a typical NAT-enabled LAN follows:
[Diagram: Internet to the WAN Ethernet Interface of the Netopia Gateway (NAT, with embedded admin services: HTTP Web Server and Telnet Server port), then the LAN Ethernet Interface to the NAT-protected LAN stations]

☛ NOTE:
1. The default setting for NAT is ON.
2. Netopia uses Port Address Translation (PAT) to implement the NAT facility.
3.
Netopia Gateways provide special gaming and other service configuration tools that enable you to establish NAT-protected LAN layouts that still provide flexible bypass capabilities. Some of these rules require coordination with the unit’s embedded administration services: the internal Web (HTTP) Port (TCP 80) and the internal Telnet Server Port (TCP 23). A rule that forwards WAN TCP port 80 or 23 to a LAN host, for example, competes with the embedded server listening on that port, so plan such rules together with the internal server settings.

Internal Servers
The internal servers are the embedded Web and Telnet servers of the Gateway.
IP-Passthrough The Netopia Gateway now offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the Gateway’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. VPN IPSec Pass Through This Netopia service supports your independent VPN client software in a transparent manner.
A typical VPN IPSec Tunnel pass through is diagrammed below:
[Diagram: VPN PC clients behind the Netopia Gateway; secure server at Corporate Headquarters across the WAN]

☛ NOTE: Typically, no special configuration is necessary to use the IPSec pass through feature. In the diagram, VPN PC clients are shown behind the Netopia Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Netopia Gateway.
Dynamic DNS Dynamic DNS support allows you to use the free services of www.dyndns.org. Dynamic DNS automatically directs any public Internet request for your computer's name to your current dynamically-assigned IP address. This allows you to get to the IP address assigned to your Gateway, even though your actual IP address may change as a result of a PPPoE connection to the Internet. See “Dynamic DNS Settings” on page 197.
CHAPTER 2 Basic Mode Setup Most users will find that the basic Quickstart configuration is all that they ever need to use. This section may be all that you ever need to configure and use your Netopia Gateway. The following instructions cover installation in Router Mode.
Important Safety Instructions POWER SUPPLY INSTALLATION Connect the power supply cord to the power jack on the Netopia Gateway. Plug the power supply into an appropriate electrical outlet. ☛ CAUTION: Depending on the power supply provided with the product, either the direct plug-in power supply blades, power supply cord plug or the appliance coupler serves as the mains power disconnect.
Set up the Netopia Gateway
Refer to your Quickstart Guide for instructions on how to connect your Netopia Gateway to your power source, PC or local area network, and your Internet access point, whether it is a dedicated DSL outlet or a DSL or cable modem. Different Netopia Gateway models are supplied for any of these connections. Be sure to enable Dynamic Addressing on your PC.
Microsoft Windows:
Step 1. Navigate to the TCP/IP Properties Control Panel.
a. Windows 98, ME, and 2000 versions follow a path like this: Start menu -> Settings -> Control Panel -> Network (or Network and Dial-up Connections -> Local Area Connection -> Properties) -> TCP/IP [your_network_card] or Internet Protocol [TCP/IP] -> Properties
b.
Macintosh MacOS 9 or higher or Mac OS X:
Step 1. Access the TCP/IP or Network control panel.
a. Mac OS 9 follows a path like this: Apple Menu -> Control Panels -> TCP/IP Control Panel
b. Mac OS X follows a path like this: Apple Menu -> System Preferences -> Network
Then go to Step 2.
Step 2. Select Built-in Ethernet
Step 3. Select Configure Using DHCP
Step 4. Close and Save, if prompted.
Proceed to “Configure the Netopia Gateway” on page 28.
Configure the Netopia Gateway
1. Run your Web browser application, such as Firefox or Microsoft Internet Explorer, from the computer connected to the Netopia Gateway. Enter http://192.168.1.254 in the URL Address text box. Press Enter or click Go. The browser displays the Internet Login page.
2. Enter the User Name and Password supplied by your Internet Service Provider. Click the Connect button. During Gateway boot-up, the default User Name: eircom@eircom.
3. Congratulations! Your installation is complete. You can now surf to your favorite Web sites by typing a URL in your browser’s location box or by selecting one of your favorite Internet bookmarks. If you have any questions or encounter problems with your Netopia Gateway, refer to the detailed documentation on the Netopia CD, or contact your service provider’s technical support helpdesk.
Netopia Gateway Status Indicator Lights Colored LEDs on your Netopia Gateway indicate the status of various port activity. Different Gateway models have different ports for your connections and different indicator LEDs. The Quickstart Guide accompanying your Netopia Gateway describes the behavior of the various indicator LEDs. Also, see “Basic Troubleshooting” on page 161 for more information.
Netopia Gateway 3342/3352 status indicator lights

USB LED:
  Green: USB link up
  Off: USB link down
  Blink: USB activity
DSL LED:
  Green: DSL link up
  Off: DSL link down
  Blink: DSL activity
  Slow flash (1 second green, 1 second off): DSL training

☛ Special patterns:
• Both LEDs are off during boot (power-on boot or warm reboot).
• When the 3342/3352 successfully boots up, both LEDs flash green once.
• Both LEDs are off when the Host OS suspends the device (e.g.
Accessing the Web User Interface After you have performed the basic Quickstart configuration, any time you log in to your Netopia Gateway you will access the Netopia Gateway Home page. You access the Home Page by typing http://192.168.1.254 in your Web browser’s location box. After entering your Administrative password, the Basic Mode Home Page appears. The links in the left-hand column on this page allow you to manage or configure several features of your Gateway.
Links Bar
The Links Bar is the frame at the left-hand side of the page containing the major navigation links. These links are available from almost every page, allowing you to move freely about the site. The headings in the following table are hyperlinks. You can click on any heading to read about that feature.
Home Page Information
The Home page displays information about the following categories:
• Connection Information
• Router Information
• Local Network
Click the Help link in the left-hand column of links to display a page of explanatory information. Help is available for every page in the Web interface.

Home Page Links
The links in the left-hand column of the Home page access a series of pages to allow you to monitor, diagnose, and update your router.
Link: Firewall
When you click the Firewall link, the Firewall selection page appears. The Medium setting is recommended; High, Medium, and Low levels of firewall protection are available for special circumstances. You can also turn all firewall protection Off. Consider your security needs carefully before making any changes here. If you select a different level of firewall protection, click the Save Changes button.
Firewall Background
The following table gives some tips for Firewall settings:

Application                                  Select this Level   Other Considerations
Typical Internet usage (browsing, e-mail)    Medium
Multi-player online gaming                   Low                 Set up “Gaming” on page 51; once defined, services will be active whenever Off is set. Restore Medium when finished.
Going on vacation                            High                Protects your connection while you’re away.
Finished online use for the day              High
Chatting online or using instant messaging   Off
This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway.
☛ NOTES: • The Gateway’s WAN DHCP client port in Medium mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identifiable presence on the Internet. • Increased Stateful Firewall features are configurable in the CLI. See “Stateful Inspection” on page 220 for more information.
Link: Wireless (supported models only)
When you click Wireless, the 3-D Reach Wireless configuration page appears.

Enable Wireless
The wireless function is automatically enabled by default. If you uncheck the Enable Wireless checkbox, the Wireless Options are disabled, and the Gateway will not provide or broadcast any wireless LAN services.

Wireless ID (SSID)
The Wireless ID is preset to a number unique to your unit.
Privacy By default, Privacy is set to On - Manual. This setting uses a preconfigured encryption key for your convenience. IT IS STRONGLY RECOMMENDED THAT YOU NOT DISABLE PRIVACY. If you wish other options than the default, you can access Advanced Configuration Options. See Advanced Configuration Options (optional) below. Advanced Configuration Options (optional) When you click the Advanced Configuration Options button, the Advanced 802.11 Wireless screen appears.
Enable Multiple Wireless IDs
This feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network. To enable it, check the checkbox. The screen expands to allow you to add up to two additional Wireless IDs.
These additional Wireless IDs are “Closed System Mode” Wireless IDs (see below) that will not be shown by a client scan, and therefore must be manually configured at the client. In addition, wireless bridging between clients is disabled for all members of these additional network IDs.
Wireless ID in Closed System mode, the Router’s wireless LAN will not appear as an available network when scanned for by wireless-enabled computers. Members of the Closed System WLAN must log onto the Router’s wireless network with the identical SSID as that configured in the router. Closed System mode prevents casual detection by unwanted neighbors or office users, but it is not a substitute for encryption: the SSID is still sent in the clear whenever a client associates, so anyone capturing wireless traffic can recover it. Use it together with WPA-PSK, not instead of it.
Enabling WPA and WEP Encryption WEP Security is a Privacy option that is based on encryption between the Router and any PCs (“clients”) you have with wireless cards. If you are not using WPA-PSK Privacy, you can use WEP Encryption instead. (See “Privacy” on page 40.) For this encryption to work, both your Router and each client must share the same Wireless ID, and both must be using the same encryption keys.
sure that the client wireless PC is also using the same matching key. The default is key #1.
• WPA-802.1x provides RADIUS server authentication support. See RADIUS Server authentication below.
• WPA-PSK provides Wi-Fi Protected Access, the most secure option for your wireless network. See “WPA-PSK” on page 47. This mechanism provides the best data protection and access control. Be sure that your Wi-Fi client adapter supports this option. Not all Wi-Fi clients support WPA-PSK.
• RADIUS Server Addr/Name: The default RADIUS server name or IP address that you want to use.
• RADIUS Server Secret: The RADIUS secret key used by this server. Treat the shared secret like a password: make it long and random, and do not reuse it elsewhere.
• Alt RADIUS Server Addr/Name: An alternate RADIUS server name or IP address, if available.
• Alt RADIUS Server Secret: The RADIUS secret key used by this alternate server. Treat it with the same care as the primary secret.
WPA-PSK
One of the easiest ways to enable Privacy on your Wireless network is by selecting WPA-PSK (Wi-Fi Protected Access) from the pull-down menu. The screen expands to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters, but for best security it should be at least 20 characters. When you have entered your key, click the Save Changes button. Alternatively, you can enable WEP (Wired Equivalent Privacy) encryption by selecting WEP-Automatic from the Privacy pull-down menu.
You can provide a level of data security by enabling WEP (Wired Equivalent Privacy) for encryption of network data. You can enable 40-, 128-, or 256-bit WEP Encryption (depending on the capability of your client wireless card) for IP traffic on your LAN. Enter a Passphrase. The number of characters to use is shown in the pull-down menu. Click the Save Changes button. This will generate an encryption key automatically. Note that WEP gives much weaker protection than WPA-PSK regardless of key length; use it only for clients that cannot do WPA-PSK.
Select Enabled from the pull-down menu. The screen expands to permit you to add MAC addresses. Click the Add button. Once it is enabled, only entered MAC addresses that have been set to Allow will be accepted onto the wireless LAN. All unlisted addresses will be blocked, as are listed addresses with Allow disabled. Because a client’s MAC address is transmitted in the clear and can be changed by its user, treat this list as a way to keep casual devices off the network rather than as a replacement for Privacy (encryption).
Click the Submit button. When you are finished adding MAC addresses click the Done button. You will be returned to the 802.11 Wireless page. You can Add, Edit, or Delete any of your entries later by returning to this page.
Link: Gaming
When you click Gaming, the NAT (Games and Other Services) page appears. NAT (Games and Other Services) allows you to host internet applications when NAT is enabled. You can host different games and software on different PCs. From the Service Name pull-down menu, you can select any of a large number of predefined games and software. (See “Supported Games and Software” on page 52.)
1. Once you choose a software service or game, click Enable. The Enable Service screen appears.
Each time you enable a software service or game your entry will be added to the list of Service Names displayed on the NAT Configuration page. To remove a game or software from the hosted list, choose the game or software you want to remove and click the Disable button.

Supported Games and Software
Age of Empires, v.1.0; Age of Empires: The Rise of Rome, v.1.0; Age of Wonders; Asheron's Call; Baldur's Gate; Battlefield Communicator; Buddy Phone; Calista IP Phone; CART Precision Racing, v 1.
F-16, Mig 29; F-22, Lightning 3; Fighter Ace II; FTP; GNUtella; H.323 compliant (Netmeeting, CUSeeME); Half Life; Hellbender for Windows, v 1.0; Heretic II; Hexen II; Hotline Server; HTTP; HTTPS; ICQ 2001b; ICQ Old; IMAP Client; IMAP Client v.
Timbuktu; Total Annihilation; Ultima Online; Unreal Tournament Server; Urban Assault, v 1.0; VNC, Virtual Network Computing; Westwood Online, Command and Conquer; Win2000 Terminal Server; XBox Live Games; Yahoo Messenger Chat; Yahoo Messenger Phone; ZNES

Define Custom Service
To configure a Custom Service, choose whether to use Port Forwarding or Trigger Ports.
• Port Forwarding forwards a range of WAN ports to an IP address on the LAN.
Port Forwarding
Port Forwarding forwards a range of WAN ports to an IP address on the LAN. Enter the following information:
• Service Name: A unique identifier for the Custom Service.
• Global Port Range: Range of ports on which incoming traffic will be received.
• Base Host Port: The port number at the start of the port range your Router should use when forwarding traffic of the specified type(s) to the internal IP address.
• Protocol: Protocol type of Internet traffic, TCP or UDP.
Click the Next button.
• Service Name: A unique identifier for the Custom Service.
• Global Port Range: Range of ports on which incoming traffic will be received.
• Local Trigger Port: Port number of the outbound traffic that must occur (the trigger) before the configured ports are opened for inbound traffic. Example: set the trigger port to 21 and configure a range of 25 – 110. A LAN host must then make an outbound FTP connection before inbound SMTP traffic is accepted.
Click the Next button.
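The two Custom Service types, as an added example written for this guide (it is not Netopia firmware code). The Python below simulates how a Port Forwarding rule maps a Global Port Range onto the Base Host Port, how a Trigger Ports rule opens its inbound range only after the triggering outbound traffic (the page's own FTP/SMTP case), and why a forward onto WAN TCP 80 or 23 collides with the Gateway's embedded Web and Telnet servers described under Internal Servers. The class names, the rule that a trigger pinhole belongs to the LAN host that fired it, and the same-port mapping for trigger ranges are assumptions; the page does not specify them.

```python
"""Simulation of the Port Forwarding and Trigger Ports service types.

Added example for this guide, not Netopia firmware. Assumed (not stated on
the page): a trigger pinhole belongs to the LAN host whose outbound traffic
opened it, trigger ranges map to the same port number on that host, and
ADMIN_PORTS reflects the default embedded Web (TCP 80) and Telnet (TCP 23)
servers described under Internal Servers.
"""
from dataclasses import dataclass, field

ADMIN_PORTS = {("tcp", 80): "embedded Web server", ("tcp", 23): "embedded Telnet server"}


@dataclass
class ForwardRule:
    name: str
    proto: str           # "tcp" or "udp"
    global_first: int    # Global Port Range start (WAN side)
    global_last: int     # Global Port Range end
    base_host_port: int  # LAN port that global_first maps to; the rest follow in order
    host: str            # LAN IP address receiving the traffic

    def map_port(self, proto, wan_port):
        if proto == self.proto and self.global_first <= wan_port <= self.global_last:
            return self.host, self.base_host_port + (wan_port - self.global_first)
        return None


@dataclass
class TriggerRule:
    name: str
    proto: str
    trigger_port: int    # outbound destination port that opens the range
    global_first: int    # inbound range opened by the trigger
    global_last: int


@dataclass
class Nat:
    forwards: list = field(default_factory=list)
    triggers: list = field(default_factory=list)
    pinholes: dict = field(default_factory=dict)  # (proto, lan_host) -> TriggerRule

    def add_forward(self, rule):
        """Reject forwards that would take over the Gateway's own admin ports on the WAN side."""
        for port in range(rule.global_first, rule.global_last + 1):
            owner = ADMIN_PORTS.get((rule.proto, port))
            if owner:
                raise ValueError(f"{rule.name}: WAN {rule.proto}/{port} is used by the {owner}")
        self.forwards.append(rule)

    def outbound(self, proto, lan_host, dst_port):
        """A LAN host sends traffic out; any Trigger Ports rule it matches opens a pinhole."""
        for rule in self.triggers:
            if rule.proto == proto and rule.trigger_port == dst_port:
                self.pinholes[(proto, lan_host)] = rule

    def inbound(self, proto, wan_port):
        """Destination of an unsolicited WAN packet: (lan_host, lan_port), or None if dropped."""
        for rule in self.forwards:
            hit = rule.map_port(proto, wan_port)
            if hit:
                return hit
        for (p, lan_host), rule in self.pinholes.items():
            if p == proto and rule.global_first <= wan_port <= rule.global_last:
                return lan_host, wan_port
        return None


def demo():
    """Walk through the page's own example: trigger port 21, inbound range 25-110."""
    nat = Nat()
    nat.add_forward(ForwardRule("game", "udp", 6000, 6010, 7000, "192.168.1.10"))
    nat.triggers.append(TriggerRule("ftp-then-mail", "tcp", 21, 25, 110))
    before = nat.inbound("tcp", 25)            # dropped: no LAN host has done the outbound FTP yet
    nat.outbound("tcp", "192.168.1.20", 21)    # a LAN host opens an FTP control connection
    after = nat.inbound("tcp", 25)             # now delivered to that host
    return before, after, nat.inbound("udp", 6003)


if __name__ == "__main__":
    print(demo())
```

The demo returns `(None, ('192.168.1.20', 25), ('192.168.1.10', 7003))`: inbound SMTP is dropped until the trigger fires, and WAN UDP 6003 lands on host port 7003 because the Base Host Port is 7000 for a range starting at 6000. Calling `add_forward` with a rule covering TCP 80 raises, which is the collision the Internal Servers section warns about.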
Link: Expert Mode
Expert Mode allows you to configure a wide variety of specific Router and networking settings. Expert Mode is for advanced users and system administrators, and most users will not need to modify these settings. When you click the Expert Mode link, you will be challenged to confirm your choice.
Link: Troubleshoot When you click the Troubleshoot link, the Links Bar expands to offer two troubleshooting sub-headings: Diagnostics and Statistics. Diagnostics This automated multi-layer test examines the functionality of the Router from the physical connections to the data traffic being sent by users through the Router. You enter a web address, such as tftp.netopia.com, or an IP address in the Web Address field and click the Test button.
Each test generates one of the following result codes:

Result     Meaning
PASS       The test was successful.
FAIL       The test was unsuccessful.
SKIPPED    The test was skipped because a test on which it depended failed.
PENDING    The test timed out without producing a result. Try running Diagnostics again.
WARNING    The test was unsuccessful. The Service Provider equipment your Router connects to may not support this test.
ATM
When you click ATM, the ATM Statistics page appears. The ATM Statistics page displays detailed statistics about the upstream and downstream data traffic handled by your Router. It also displays the Virtual Circuit (VPI/VCI) settings as well as information about your PPPoE session if operating in PPPoE mode. This information is useful for troubleshooting and when seeking technical support.

Ethernet (supported models only)
When you click Ethernet, the Ethernet Statistics page appears.
Network Routing Table and Host Routing Table
The Routing tables display all of the IP routes currently known to your Router.

LAN
When you click LAN, the LAN Statistics page appears. The LAN Statistics page displays detailed information about your LAN IP configuration and names and IP addresses of devices on your LAN.
Logs When you click Logs, the Logs page appears. Select a log from the pull-down menu (the pull-down menu is available from every Log page): • All: Displays the entire system log. • Connection: Displays events logged for the WAN connection. • System: Displays events logged for the Router system configuration. The CURRENT Router STATUS is displayed for all logs. • To clear the individual logs, click the Clear Log button for that page.
Link: Access Control Login
If you have configured the onboard Access Control feature (see “Access Control” on page 85) your authorized users must log in to be able to use the Internet. If you have not configured Access Control, this link does not appear in the Links Bar. When you click Access Control Login, the Access Control Login page appears. Users must select their Username from the pull-down menu, and enter their Password, then click the Login button.
Link: Help When you click the Help link in the left-hand column of links a page of explanatory information displays. Help (in English only) is available for every page in the Web interface.
CHAPTER 3 Expert Mode

Access the Expert Web Interface
Using the Web-based user interface for the Netopia 3300-series Gateway you can configure, troubleshoot, and monitor the status of your Gateway.

Open the Web Connection
Once your Gateway is powered up, you can use any recent version of the best-known web browsers such as Netscape Navigator or Microsoft Internet Explorer from any LAN-attached PC or workstation. The procedure is:
1.
2.
3. Click on the Expert Mode link in the left-hand column of links. You are challenged to confirm your choice. Click OK. The Home Page opens in Expert Mode.
Home Page - Expert Mode
The Expert Mode Home Page is the summary page for your Netopia Gateway. The links bar at the left provides links to controlling, configuring, and monitoring pages. Critical configuration and operational status is displayed in the center section.
Home Page - Information
The Home Page contains a summary of the Gateway’s configuration settings and status.

Summary Information
Field                               Status and/or Description
Connection Information
  DSL/WAN Status                    Wide Area Network may be Waiting for DSL (or other waiting status), Up or Down
  Connection                        Up or Down
  User Name                         Your ISP-assigned Username
  IP Address                        IP address assigned to the WAN port.
  IP Gateway
  Primary and Secondary DNS Server
  Speed
  Line Attenuation
  Restart Connection button
  Connect button
Links Bar
The Links Bar is the frame at the left-hand side of the page containing the major navigation links. These links are available from every page, allowing you to move freely about the site. The headings in the following table are hyperlinks. You can click on any heading to read about that feature.
Link: Configure When you click Configure, the Links bar expands to display the configuration options available. When you click the Advanced button, even more options become available. Advanced options are intended for experienced users and administrators. Exercise great caution when making any changes to Advanced Configuration options.
Link: Connection
When you click Connection, the Connection Configuration page appears. Here you can set up or change the way you connect to your ISP. You should only change these settings at your ISP's direction, or by agreement with your ISP.
• VPI/VCI: These values depend on the way your ISP's equipment is configured. The default setting is 0/0, auto-detection. With this setting, the router will attempt to detect what settings your ISP is using, with no input on your part.
• User ID and Password: Provided by your ISP.
• Confirm Password: Repeat your Password entry for confirmation.
• Static IP Address: Your service provider may tell you that the WAN IP Address for your Router is static. In this case, enter the IP Address from your Service Provider in the appropriate field.
• IP Gateway: The IP Address of the default gateway, or peer address if using PPP. This is normally set to 0.0.0.0 for PPP connections.
Link: Wireless (supported models only)
When you click Wireless, the 3-D Reach Wireless configuration page appears.

Enable Wireless
The wireless function is automatically enabled by default. If you uncheck the Enable Wireless checkbox, the Wireless Options are disabled, and the Gateway will not provide or broadcast any wireless LAN services.

Wireless ID (SSID)
The Wireless ID is preset to a number unique to your unit.
Privacy By default, Privacy is set to On - Manual. This setting uses a preconfigured encryption key for your convenience. IT IS STRONGLY RECOMMENDED THAT YOU NOT DISABLE PRIVACY. If you wish other options than the default, you can access Advanced Configuration Options. See Advanced Configuration Options (optional) below. Advanced Configuration Options (optional) When you click the Advanced Configuration Options button, the Advanced 802.11 Wireless screen appears.
Enable Multiple Wireless IDs
This feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network. To enable it, check the checkbox. The screen expands to allow you to add up to two additional Wireless IDs.
These additional Wireless IDs are “Closed System Mode” Wireless IDs (see below) that will not be shown by a client scan, and therefore must be manually configured at the client. In addition, wireless bridging between clients is disabled for all members of these additional network IDs.
Wireless ID in Closed System mode, the Router’s wireless LAN will not appear as an available network when scanned for by wireless-enabled computers. Members of the Closed System WLAN must log onto the Router’s wireless network with the identical SSID as that configured in the router. Closed System mode prevents casual detection by unwanted neighbors or office users, but it is not a substitute for encryption: the SSID is still sent in the clear whenever a client associates, so anyone capturing wireless traffic can recover it. Use it together with WPA-PSK, not instead of it.
Enabling WPA and WEP Encryption WEP Security is a Privacy option that is based on encryption between the Router and any PCs (“clients”) you have with wireless cards. If you are not using WPA-PSK Privacy, you can use WEP Encryption instead. (See “Privacy” on page 74.) For this encryption to work, both your Router and each client must share the same Wireless ID, and both must be using the same encryption keys.
sure that the client wireless PC is also using the same matching key. The default is key #1.
• WPA-802.1x provides RADIUS server authentication support. See RADIUS Server authentication below.
• WPA-PSK provides Wi-Fi Protected Access, the most secure option for your wireless network. See “WPA-PSK” on page 81. This mechanism provides the best data protection and access control. Be sure that your Wi-Fi client adapter supports this option. Not all Wi-Fi clients support WPA-PSK.
• RADIUS Server Addr/Name: The default RADIUS server name or IP address that you want to use.
• RADIUS Server Secret: The RADIUS secret key used by this server. Treat the shared secret like a password: make it long and random, and do not reuse it elsewhere.
• Alt RADIUS Server Addr/Name: An alternate RADIUS server name or IP address, if available.
• Alt RADIUS Server Secret: The RADIUS secret key used by this alternate server. Treat it with the same care as the primary secret.
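What the RADIUS Server Secret actually does on the wire, as an added example for this guide (it applies equally to the RADIUS fields in the Basic Mode Wireless section; it is not Netopia firmware code). The Python below builds an Access-Request with the Message-Authenticator that RFC 3579 requires when EAP-Message is carried, as it is for WPA-802.1x, and builds and verifies the Response Authenticator of the server's Access-Accept per RFC 2865. Both checks are keyed by the shared secret, which is why a weak or reused secret lets an attacker on the path forge an Access-Accept or alter its attributes. The secret, user name, NAS address and EAP payload are constructed sample values.

```python
"""How the RADIUS shared secret is used on the wire.

Added example for this guide, not Netopia firmware. The packet layout and
Response Authenticator follow RFC 2865; the Message-Authenticator follows
RFC 3579, which requires it whenever EAP-Message is carried (as it is for
WPA-802.1x). The secret, user name and EAP payload below are constructed
sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def new_request_authenticator():
    """RFC 2865: the Request Authenticator must be unpredictable, so use the OS CSPRNG."""
    return os.urandom(16)


def encode_attrs(attrs):
    """Each attribute is type(1) + length(1, including these two bytes) + value."""
    return b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)


def build_access_request(secret, identifier, request_auth, attrs):
    """Access-Request carrying a Message-Authenticator: HMAC-MD5 keyed by the
    shared secret over the whole packet with the MA value set to 16 zero bytes."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    zeroed = header + request_auth + body
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + mac  # MA was appended last, so its value is the final 16 bytes


def verify_message_authenticator(secret, packet):
    """Server-side check; walks the attributes rather than assuming MA is last."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # RFC 3579: an EAP request without a Message-Authenticator is discarded


def build_response(secret, code, identifier, request_auth, attrs):
    """Access-Accept/Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(secret, response, request_auth):
    """The Router must check this before acting on an Access-Accept: without the
    secret, nobody on the path can produce a valid digest or alter attributes."""
    header, received, body = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # sample value only
    ra = new_request_authenticator()
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # EAP Response/Identity for "alice"
    req = build_access_request(secret, 7, ra, [(USER_NAME, b"alice"),
                                               (NAS_IP_ADDRESS, bytes([192, 168, 1, 254])),
                                               (EAP_MESSAGE, eap_identity)])
    resp = build_response(secret, ACCESS_ACCEPT, 7, ra, [(USER_NAME, b"alice")])
    print(verify_message_authenticator(secret, req), verify_response(secret, resp, ra))
```

Both digests are keyed MD5 constructions, so the secret's length and randomness are the only thing standing between an eavesdropper and an offline guess at it; that is the reason to treat the RADIUS secret like a password rather than a label.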
WPA-PSK
One of the easiest ways to enable Privacy on your Wireless network is by selecting WPA-PSK (Wi-Fi Protected Access) from the pull-down menu. The screen expands to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters, but for best security it should be at least 20 characters. When you have entered your key, click the Save Changes button.
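How the Pre Shared Key you type here (and in the identical WPA-PSK section of Basic Mode) becomes the key the Router and client actually use, as an added example for this guide (not the Router's own code). The derivation is the one defined in IEEE 802.11i: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations and 32 bytes of output. The checks enforce the 8 to 63 character limit stated above, and the last function shows that the SSID salts the result, so a precomputed table of keys for common passphrases only works against one SSID. Function names and the sample SSIDs are mine; the known-answer vector used in the main block is the published 802.11i one.

```python
"""From WPA-PSK passphrase to the 256-bit Pairwise Master Key (PMK).

Added example for this guide, not the Router's code. The derivation is the
one defined in IEEE 802.11i: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096
iterations, 32 bytes of output. Function names and the sample SSIDs are mine.
"""
import hashlib
import string

MIN_LEN, MAX_LEN = 8, 63      # limits stated on the page (and in 802.11i)
RECOMMENDED_LEN = 20          # the page's recommendation
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def passphrase_errors(passphrase):
    """Hard rules: a passphrase violating these is not a valid WPA-PSK passphrase."""
    errors = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        errors.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if any(ch not in PRINTABLE_ASCII for ch in passphrase):
        errors.append("only printable ASCII characters are allowed")
    return errors


def is_recommended_length(passphrase):
    """True when the passphrase meets the 20-character recommendation above."""
    return len(passphrase) >= RECOMMENDED_LEN


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Raises ValueError for a passphrase the standard would reject."""
    errors = passphrase_errors(passphrase)
    if errors:
        raise ValueError("; ".join(errors))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def same_passphrase_different_ssid(passphrase, ssid_a, ssid_b):
    """The SSID salts the derivation, so one passphrase yields unrelated PMKs on
    two networks; a precomputed PMK table is only useful against one SSID."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
```

The 4096 PBKDF2 rounds slow down each guess, but they do not rescue a short or dictionary passphrase: an attacker who captures a client's association handshake can test candidates offline at leisure, which is why the page's 20-character recommendation matters more than the 8-character minimum.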
You can provide a level of data security by enabling WEP (Wired Equivalent Privacy) for encryption of network data. You can enable 40-, 128-, or 256-bit WEP Encryption (depending on the capability of your client wireless card) for IP traffic on your LAN. Enter a Passphrase. The number of characters to use is shown in the pull-down menu. Click the Save Changes button. This will generate an encryption key automatically. Note that WEP gives much weaker protection than WPA-PSK regardless of key length; use it only for clients that cannot do WPA-PSK.
Select Enabled from the pull-down menu. The screen expands to permit you to add MAC addresses. Click the Add button. Once it is enabled, only entered MAC addresses that have been set to Allow will be accepted onto the wireless LAN. All unlisted addresses will be blocked, in addition to the listed addresses with Allow disabled.
Click the Submit button. When you are finished adding MAC addresses click the Done button. You will be returned to the 802.11 Wireless page. You can Add, Edit, or Delete any of your entries later by returning to this page.
Link: Access Control Basic Access Controls prevent designated users from accessing certain types of undesirable Internet content. You can define levels of maturity of the users on your network to filter out objectionable web content or communications from potentially undesirable individuals on the Internet. You can also specify the time of day when users may (or may not) access the Internet.
Check the Enable Access Control checkbox and click the Submit button. Return to the Access Control configuration page. Click the Setup link in Access Control Options. The Access Control - User Manager screen appears. Click the here link. The Add New User screen appears.
Here you can add the names and passwords of authorized users, and set their “Maturity Level” from the pull-down menu. Available maturity levels are Child, Youth, Mature, and Adult. Click the Next button. The Time of Day Settings screen appears. Maturity Level only affects Time of Day Settings. You can create up to a maximum of eight (8) users.
After you have added your users and configured their access control settings, you can return to the Access Control pages at any time to add more users, edit existing ones, or delete them. To edit a user’s access control settings, click the Edit Profile link for that user.
The Edit User Profiles screen appears. • Manage Users – returns you to the previous screen. • User Profile – takes you to the User Profile screen where you can change the user’s password or maturity level setting, and time of day usage settings. • Web Filter Profile – takes you to the Web Filter Profile screen where you can filter the websites accessible to this user. • Chat Filter Profile – takes you to the Chat Filter Profile screen where you can specify allowable chat partners for this user.
Web Filter Profile When you click the Web Filter Profile link, the Block/Allow Websites screen appears. The Web Filter Profile allows you to Block or Allow websites by keyword; for example, you can block websites that feature the word “gambling,” while allowing specific websites that pertain to “statistics.” Once this profile is configured for a user, that user will be prevented from accessing any blocked website. You can set a separate Web Filter Profile for each of your configured users.
Chat Filter Profile When you click the Chat Filter Profile link, the Chat Filtering screen appears. Chat Filtering allows you to choose whether or not the specified user may engage in Internet instant messaging (chat) by means of the popular instant messaging protocols used by America Online (AOL), Yahoo, Microsoft Network (MSN), or ICQ. If allowed, you can specify a limited number of individuals by “Screen Name” with whom this user can exchange messages.
• Messaging Privileges Selection – Choose whether or not this user may use any instant messaging (chat) service. The default privilege is May not use any instant Messaging service. Click the appropriate radio button. • Messaging Services – If a chat service is permitted, choose which one(s): AOL, Yahoo!, MSN, or ICQ. You can choose more than one, but you must choose one at a time. See below.
Email Filter Profile When you click the Email Filter Profile link, the Email Filtering screen appears. Email Filtering allows you to choose whether or not the specified user may send or receive email. If allowed, you can specify limitations on the sources of email this user can receive.
You can limit email sources to an approved list of email servers, such as those used by the family, or further, to an approved list of individuals, such as relatives, with whom this user will be permitted to correspond. For example, if you want to limit a child to exchanging email only with other family members, you can allow the email server(s), but restrict them to messages only from approved users. • Email Privileges – Choose whether or not this user may use any e-mail service.
Delete User Profile When you click the Delete User Profile link, the Confirm Deletion of User screen appears.
Link: DHCP Server When you click DHCP Server, the DHCP Server Configuration page appears. This feature simplifies network administration because the Router maintains a list of IP address assignments. Additional computers can be added to your LAN without the hassle of configuring an IP address. This is the default mode for your Router. The Server configuration determines the functionality of your DHCP Settings.
• DHCP Lease: Specifies the default length for DHCP leases issued by the Router. Enter the lease time in dd:hh:mm:ss (days:hours:minutes:seconds) format. • DHCP Server Enable: Enables the DHCP server in this Router. Uncheck this setting if you already have a DHCP server on your LAN. If you make any changes, click the Save Changes button.
Link: IP Passthrough When you click IP Passthrough, the IP Passthrough Configuration page appears. The IP passthrough feature allows a single PC on the LAN to have the Router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Using IP passthrough: • The public WAN IP is used to provide IP address translation for private LAN computers. • The public WAN IP is assigned and reused on a LAN computer.
If you select “User Configured PC”, you must then configure a local PC to have the public WAN IP address. 2. Click Enable. You will be reminded to restart the Router. 3. Click the Restart Router link and confirm the restart when prompted. Once configured, the passthrough host's DHCP leases will be shortened to two minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the WAN connection is established.
Link: NAT When you click NAT, the NAT (Games and Other Services) page appears. NAT (Games and Other Services) allows you to host internet applications when NAT is enabled. You can host different games and software on different PCs. From the Service Name pull-down menu, you can select any of a large number of predefined games and software. (See “Supported Games and Software” on page 101.) 1. Once you choose a software service or game, click Enable. The Enable Service screen appears.
Each time you enable a software service or game your entry will be added to the list of Service Names displayed on the NAT Configuration page. To remove a game or software from the hosted list, choose the game or software you want to remove and click the Disable button.
Supported Games and Software
Age of Empires, v.1.0
Age of Empires: The Rise of Rome, v.1.0
Age of Wonders
Asheron's Call
Baldur's Gate
Battlefield Communicator
Buddy Phone
Calista IP Phone
CART Precision Racing, v 1.
F-16, Mig 29
F-22, Lightning 3
Fighter Ace II
FTP
GNUtella
H.323 compliant (Netmeeting, CUSeeME)
Half Life
Hellbender for Windows, v 1.0
Heretic II
Hexen II
Hotline Server
HTTP
HTTPS
ICQ 2001b
ICQ Old
IMAP Client
IMAP Client v.
Timbuktu
Total Annihilation
Ultima Online
Unreal Tournament Server
Urban Assault, v 1.0
VNC, Virtual Network Computing
Westwood Online, Command and Conquer
Win2000 Terminal Server
XBox Live Games
Yahoo Messenger Chat
Yahoo Messenger Phone
ZNES
Define Custom Service To configure a Custom Service, choose whether to use Port Forwarding or Trigger Ports. • Port Forwarding forwards a range of WAN ports to an IP address on the LAN.
Port Forwarding forwards a range of WAN ports to an IP address on the LAN. Enter the following information: • Service Name: A unique identifier for the Custom Service. • Global Port Range: Range of ports on which incoming traffic will be received. • Base Host Port: The port number at the start of the port range your Router should use when forwarding traffic of the specified type(s) to the internal IP address. • Protocol: Protocol type of Internet traffic, TCP or UDP. Click the Next button.
• Service Name: A unique identifier for the Custom Service. • Global Port Range: Range of ports on which incoming traffic will be received. • Local Trigger Port: Port number of the type of outbound traffic that needs to happen (the trigger) before the configured ports are opened for inbound traffic. Example: Set the trigger port to 21 and configure a range of 25 – 110. You would need to make an outbound FTP connection before an inbound SMTP connection would be accepted. Click the Next button.
Link: Packet Filter When you click Packet Filter, the Filter Sets screen appears. Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can greatly improve your network’s security. The Packet Filter engine allows creation of a maximum of eight Filter Sets. Each Filter Set can consist of many rules. There can be a maximum of 32 filter rules in the system.
Netopia’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the Gateway’s filter sets for a variety of packet filtering applications. Typically, you use filters to selectively admit or refuse TCP/IP connections from certain remote networks and specific hosts. You will also use filters to screen particular types of connections. This is commonly called firewalling your network.
A filter inspects data packets like a customs inspector scrutinizing packages. [Figure: customs inspector analogy; packages marked FROM and TO are inspected and approved.] Filter priority Continuing the customs inspector analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
chance to forward or reject it, and so on. Because of this hierarchical structure, each filter is said to have a priority. The first filter has the highest priority, and the last filter has the lowest priority.
Here is what this rule looks like when implemented as a filter in your Gateway: To understand this particular filter, look at the parts of a filter. Parts of a filter A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes: • The source IP address and subnet mask (where the packet was sent from) • The destination IP address and subnet mask (where the packet is going) • The TOS bit setting of the packet.
Internet service                              TCP port
FTP                                           20/21
Telnet                                        23
SMTP (mail)                                   25
Gopher                                        70
Finger                                        79
World Wide Web                                80
News                                          144
rlogin                                        513
Internet service                              UDP port
Who Is                                        43
TFTP                                          69
World Wide Web                                80
SNMP                                          161
AppleTalk Routing Maintenance (at-rtmp)       202
AppleTalk Name Binding (at-nbp)               202
AURP (AppleTalk)                              387
who                                           513
Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination po
• Greater Than or Equal: For the filter to match, the packet’s port number must be greater than or equal to the port number specified in the filter. Other filter attributes There are three other attributes to each filter: • The filter’s order (i.e.
• Protocol: The protocol to match. This can be entered as a number (see the table below) or as TCP or UDP if those protocols are used.
Protocol   Number to use   Full name
N/A        0               Ignores protocol type
ICMP       1               Internet Control Message Protocol
TCP        6               Transmission Control Protocol
UDP        17              User Datagram Protocol
• Src Port: The source port to match. This is the port on the sending host that originated the packet. • Dst Port: The destination port to match.
• Using the tables on page 111, find the destination port and protocol numbers (the local Telnet port): • Protocol = TCP (or 6) • Destination Port = 23 • The filter should be enabled and instructed to block the Telnet packets containing the source address shown in step 2: • Forward = unchecked This four-step process is how we produced the following filter from the original rule:
Filtering example #2 Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The filter would look like this: This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.
Design guidelines Careful thought must go into designing a new filter set. You should consider the following guidelines: • Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure. • Be sure each individual filter’s purpose is clear. • Determine how filter priority will affect the set’s actions.
Working with IP Filters and Filter Sets To work with filters and filter sets, begin by accessing the filter set pages. ☛ NOTE: Make sure you understand how filters work before attempting to use them. Read the section “Packet Filter” on page 106. The procedure for creating and maintaining filter sets is as follows: 1. Add a new filter set. See Adding a filter set, below. 2. Create the filters for the new filter set. See “Adding filters to a filter set” on page 119. 3.
Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. There can be a maximum of 32 filter rules in the system. To add a new filter set, click the Add button in the Filter Sets page. The Add Filter Set page appears. Enter a new name for the filter set, for example Filter Set 1. To save the filter set, click the Submit button.
Adding filters to a filter set There are two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Internet, destined for your network. Output filters check packets transmitted from your network to the Internet. [Figure: a packet arriving from the WAN passes the input filter; a packet leaving the LAN passes the output filter.] Packets in a Netopia Gateway pass through an input filter if they originate from the WAN and through an output filter if they’re being sent out to the WAN.
To add a filter, select the Filter Set Name to which you will add a filter, and click the Edit button. The Filter Set page appears.
☛ Note: There are two Add buttons in this page, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind. 1. To add a filter, click the Add button under Input Rules. The Input Rule Entry page appears. 2.
This allows you to further modify the way the filter will match on the source address. Enter 0.0.0.0 to force the filter to match on all source IP addresses, or enter 255.255.255.255 to match the source IP address exclusively. 5. Enter the Destination IP Address this filter will match on. You can enter a subnet or a host address. 6. Enter the Destination Mask for the destination IP address. This allows you to further modify the way the filter will match on the destination address. Enter 0.0.0.
Viewing filters To display the table of input or output filters, select the Filter Set Name in the Filter Set page and click the Add or Edit button. The table of filters in the filterset appears. Modifying filters To modify a filter, select a filter from the table and click the Edit button. The Rule Entry page appears. The parameters in this page are set in the same way as the ones in the original Rule Entry page (see “Adding filters to a filter set” on page 119).
Moving filters To reorganize the filters in a filter set, select a filter from the table and click the Move Up or Move Down button to place the filter in the desired priority position. Deleting a filter set If you delete a filter set, all of the filters it contains are deleted as well. To reuse any of these filters in another set, before deleting the current filter set you’ll have to note their configuration and then recreate them.
Click the Ethernet 100BT link. The Ethernet 100BT page appears. From the pull-down menu, select the filter set to associate with this interface. Click the Submit button. You can repeat this process for both the WAN and LAN interfaces, to associate your filter sets. When you return to the Filter Sets page, it will display your interface associations.
Firewall Tutorial General firewall terms ☛ Note: The basic Firewall (see “Firewall” on page 35) does not make use of the packet filter support and can be used in addition to filtersets.
Filter rule: A filter set is comprised of individual filter rules.
Filter set: A grouping of individual filter rules.
Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
Host: A workstation on the network.
[Figure: an IP packet; the header carries the protocol field (e.g. TCP) and the DATA section carries the User Data.] This header information is what the packet filter uses to make filtering decisions. It is important to note that a packet filter does not look into the IP data stream (the User Data from above) to make filtering decisions. Basic protocol types TCP: Transmission Control Protocol. TCP provides reliable packet delivery and has a retransmission mechanism (so packets are not lost). RFC 793 is the specification for TCP. UDP: User Datagram Protocol.
Example TCP/UDP Ports
TCP Port   Service      UDP Port   Service
20/21      FTP          161        SNMP
23         Telnet       69         TFTP
25         SMTP         387        AURP
80         WWW
144        News
Firewall design rules There are two basic rules to firewall design: • “What is not explicitly allowed is denied.” and • “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else.
and a packet goes through these rules destined for FTP, the packet would forward through the first rule (WWW), go through the second rule (FTP), and match this rule; the packet is allowed through. If, for example, you had this filter set: Allow WWW access; Allow FTP access; Deny FTP access; Deny all other packets, and a packet destined for FTP goes through these rules, the packet would pass through the first filter rule (WWW), match the second rule (FTP), and be allowed through.
Item                    What it means
No Compare              Does not compare TCP or UDP port
Not Equal To            Matches any port other than what is defined
Less Than               Anything less than the port defined
Less Than or Equal      Any port less than or equal to the port defined
Equal                   Matches only the port defined
Greater Than or Equal   Matches the port or any port greater
Greater Than            Matches anything greater than the port defined
Example network Input Packet Filter Internet IP 200.1.1.
Example filters
Example 1 Filter Rule: 200.1.1.0 (Source IP Network Address), 255.255.255.128 (Source IP Mask), Forward = No (What happens on match). Incoming packet has the source address of 200.1.1.28. This incoming IP packet has a source IP address that matches the network address in the Source IP Address field in the Netopia Gateway. This will not forward this packet.
Example 2 Filter Rule: 200.1.1.0 (Source IP Network Address) 255.255.255.
Example 4 Filter Rule: 200.1.1.96 (Source IP Network Address), 255.255.255.240 (Source IP Mask), Forward = No (What happens on match). Incoming packet has the source address of 200.1.1.104. This rule does match and this packet will not be forwarded.
Example 5 Filter Rule: 200.1.1.96 (Source IP Network Address), 255.255.255.255 (Source IP Mask), Forward = No (What happens on match). Incoming packet has the source address of 200.1.1.96. This rule does match and this packet will not be forwarded.
Policy-based Routing using Filtersets The Netopia Gateway offers the ability to route IP packets using criteria other than the destination IP address. This is called policy-based routing. You specify the routing criteria and routing information by using IP filtersets to determine the forwarding action of a particular filter. You specify a gateway IP address, and each packet matching the filter is routed according to that gateway address, rather than by means of the global routing table.
Example: You want packets with the TOS low latency bit set to go through VC 2 (via gateway 127.0.0.3) instead of your normal gateway. You would set up the filter as shown: ☛ NOTE: Default Forwarding Filter If you create one or more filters that have a matching action of forward, then the action on a packet matching none of the filters is to block it.
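The filter semantics described in this and the preceding sections (address and mask matching, protocol and port comparison, first-match priority, the Default Forwarding Filter note and the policy-routing gateway) as an added Python model; this is not Netopia code. The packets and the LAN address 192.168.1.5 are constructed, and the assumption that a set containing only block rules lets unmatched traffic through is drawn from Examples 1-5.

```python
"""Added example (not Netopia code): a model of the page's packet-filter
semantics, replaying its worked examples on constructed packets."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_ANY, PROTO_ICMP, PROTO_TCP, PROTO_UDP = 0, 1, 6, 17  # Rule Entry page numbers

# Port comparison options from the "Port number comparisons" list.
COMPARE = {
    "No Compare": lambda pkt, ref: True, "Equal": operator.eq,
    "Not Equal To": operator.ne, "Less Than": operator.lt,
    "Less Than or Equal": operator.le, "Greater Than": operator.gt,
    "Greater Than or Equal": operator.ge,
}


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def address_matches(rule_ip: str, rule_mask: str, packet_ip: str) -> bool:
    """0.0.0.0 matches any address, 255.255.255.255 only the rule's host."""
    mask = _as_int(rule_mask)
    return (_as_int(rule_ip) & mask) == (_as_int(packet_ip) & mask)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int = PROTO_TCP
    src_port: int = 0
    dst_port: int = 0
    low_latency: bool = False  # the TOS low-latency bit


@dataclass
class FilterRule:
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: int = PROTO_ANY
    src_compare: str = "No Compare"
    src_port: int = 0
    dst_compare: str = "No Compare"
    dst_port: int = 0
    low_latency: Optional[bool] = None  # None = do not check the TOS bit
    forward: bool = False  # the Forward checkbox
    gateway: Optional[str] = None  # policy-based routing gateway

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in (PROTO_ANY, pkt.protocol):
            return False
        if self.low_latency is not None and self.low_latency != pkt.low_latency:
            return False
        return (address_matches(self.src_ip, self.src_mask, pkt.src)
                and address_matches(self.dst_ip, self.dst_mask, pkt.dst)
                and COMPARE[self.src_compare](pkt.src_port, self.src_port)
                and COMPARE[self.dst_compare](pkt.dst_port, self.dst_port))


def evaluate(filter_set: List[FilterRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First match wins: the first rule has the highest priority.
    Returns ("forward" or "block", gateway or None)."""
    for rule in filter_set:
        if rule.matches(pkt):
            return ("forward" if rule.forward else "block", rule.gateway)
    # Default Forwarding Filter: once any rule forwards, unmatched traffic is
    # blocked. Assumption: a set of only block rules lets unmatched traffic
    # through, which is how the page's Examples 1-5 are meant to work.
    return ("block" if any(r.forward for r in filter_set) else "forward", None)


def run_page_examples() -> dict:
    """Replay the page's examples on constructed packets sent to a LAN host."""
    lan, r = "192.168.1.5", {}
    ex1 = [FilterRule(src_ip="200.1.1.0", src_mask="255.255.255.128")]
    r["example1"] = evaluate(ex1, Packet("200.1.1.28", lan))[0]
    ex4 = [FilterRule(src_ip="200.1.1.96", src_mask="255.255.255.240")]
    r["example4"] = evaluate(ex4, Packet("200.1.1.104", lan))[0]
    ex5 = [FilterRule(src_ip="200.1.1.96", src_mask="255.255.255.255")]
    r["example5"] = evaluate(ex5, Packet("200.1.1.96", lan))[0]
    r["example5_neighbour"] = evaluate(ex5, Packet("200.1.1.97", lan))[0]
    # Telnet rule from the four-step process: TCP with destination port 23.
    telnet = [FilterRule(protocol=PROTO_TCP, dst_compare="Equal", dst_port=23)]
    r["telnet"] = evaluate(telnet, Packet("200.233.14.9", lan, PROTO_TCP, 40000, 23))[0]
    r["telnet_http"] = evaluate(telnet, Packet("200.233.14.9", lan, PROTO_TCP, 40001, 80))[0]
    # Firewall tutorial: Allow WWW; Allow FTP; everything else is denied.
    allow = [FilterRule(protocol=PROTO_TCP, dst_compare="Equal", dst_port=80, forward=True),
             FilterRule(protocol=PROTO_TCP, dst_compare="Equal", dst_port=21, forward=True)]
    r["allow_ftp"] = evaluate(allow, Packet("1.2.3.4", lan, PROTO_TCP, 5000, 21))[0]
    r["allow_smtp"] = evaluate(allow, Packet("1.2.3.4", lan, PROTO_TCP, 5001, 25))[0]
    # Policy-based routing: low-latency packets leave via gateway 127.0.0.3.
    policy = [FilterRule(low_latency=True, forward=True, gateway="127.0.0.3")]
    r["policy"] = evaluate(policy, Packet(lan, "1.2.3.4", low_latency=True))
    return r
```

Note that in the policy-routing set a packet without the low-latency bit is blocked, not routed normally, because the set now contains a forward rule; that is the Default Forwarding Filter caveat in action.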
Link: QoS When you click QoS, the QoS screen appears. Your Gateway offers Differentiated Services (Diffserv). This feature allows your Gateway to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network. For example, you may want streaming video conferencing to use high quality, but more restrictive, connections, or, you might want e-mail to use less restrictive, but less reliable, connections.
You can then define Custom Flows. If your applications do not provide Quality of Service (QoS) control, Custom Flows allows you to define streams for some protocols, port ranges, and between specific end point addresses. • To define a custom flow, click the Add button. The Custom Flow Entry screen appears. • Name – Enter a name in this field to label the flow. • Protocol – Select the protocol from the pull-down menu: TCP (default), UDP, ICMP, or Other.
QoS Setting   TOS Bit Value   Behavior
Off           TOS=000         This custom flow is disabled. You can activate it by selecting one of the two settings below. This setting allows you to pre-define flows without actually activating them.
Assure        TOS=001         Use normal queuing and throughput rules, but do not drop packets if possible. Appropriate for applications with no guaranteed delivery mechanism.
Expedite      TOS=101         Use minimum delay. Appropriate for VoIP and video applications.
Link: Router Password When you click Router Password, the Router Password page appears. By default, your Gateway requires no password to access the administrative web-based user interface. If you wish to secure administrative access to your Gateway, you can optionally enable a password challenge by enabling a local Admin password login. Check the Enable Local Admin Login checkbox.
Link: Time Zone When you click the Time Zone link, the Time Zone page appears. You can set your local time zone by selecting the number of hours your time zone is distant from Greenwich Mean Time (GMT +12 – -12) from the pull-down menu. This allows you to set the time zone for access controls (and in general).
Link: VLAN When you click VLAN, the VLANs page appears. A Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. You set up VLANs by configuring the Gateway software rather than hardware. This makes VLANs very flexible.
An example of multiple VLANs, using a Netopia Gateway with VGx managed switch technology, is shown below: To create a VLAN, click the Add button. The VLAN Entry page appears.
You can create up to 32 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Gateway. • VLAN ID – This must be a unique identifying number between 1 and 4095. • VLAN Name – A descriptive name for the VLAN. • VLAN Protocol – This field is not editable; you can only associate ports with a VLAN. • Admin Restricted – If you want to prevent administrative access to the Gateway from this VLAN, check the checkbox. Click the Submit button.
For Netopia VGx technology models, separate Ethernet switch ports are displayed and may be configured. To enable any of them on this VLAN, select one, and click the Add button. Typically you will choose a physical port, such as an Ethernet port (example: ethernet1) or a wireless SSID (example: ssid1), and make the port routable by specifying lanuplink. • When you are finished, click the Submit button. • If you want to create more VLANs, click the VLAN link, and repeat the process.
You can Add, Edit, or Delete your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list.
Link: Statistics DSL When you click DSL, the DSL Statistics page appears. The DSL Statistics page displays information about the Router's WAN connection to the Internet. • Line State: May be Up (connected) or Down (disconnected). • Modulation: Method of regulating the DSL signal. DMT (Discrete MultiTone) allows connections to work better when certain radio transmitters are present. • Data Path: Type of path used by the device's processor.
IP When you click IP, the IP Statistics page appears. The IP Statistics page displays the IP interfaces and routing table information about your network. General • IP WAN Address: The public IP address of your Router, whether dynamically or statically assigned.
Devices on LAN Displays the IP Address, MAC (hardware) Address, and network Name for each device on your LAN connected to the Router. Wireless (supported models only) When you click Wireless, the Wireless Statistics page appears. The Wireless Statistics page: • displays your Router's unique hardware Wireless (MAC) address. • displays detailed statistics about your Wireless LAN data traffic, upstream and downstream.
Select a log from the pull-down menu (the pull-down menu is available from every Log page): • All: Displays the entire system log. • Connection: Displays events logged for the WAN connection. • System: Displays events logged for the Router system configuration. • Security: Displays events logged for potential security compromise attempts. See Security Monitor below. The CURRENT Router STATUS is displayed for all logs. • To clear the individual logs, click the Clear Log button for that page.
Your Netopia Gateway reports the following eight event types: • IP Source Address Spoofing • Source Routing • Subnet Broadcast Amplification • Illegal Packet Size (Ping of Death) • Port Scan (TCP/UDP) • Excessive Pings • Login Failures • MAC Address Spoofing Event Details Details on the eight specific event types and the information logged are: IP Source Address Spoofing.
would otherwise be transmitted to a subnet broadcast address. The Security Monitoring logs the event. Logged information includes: • IP source address • IP destination address • Number of attempts • Time at last attempt • IP broadcast address Illegal Packet Size (Ping of Death). The maximum size of an IP packet is 64K bytes, but large packets must usually be fragmented into smaller pieces to travel across a network.
• Highest port • Lowest port • Port numbers of first 10 ports scanned Excessive Pings. The PING (Packet InterNet Groper) Utility is used by hackers to identify prospective targets that can be attacked. The Security Monitoring software will record instances where the router itself is pinged by the same host more than ten times. Logged information includes: • IP source address • IP destination address • Number of attempts • Time at last attempt Login Failures.
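The Port Scan and Excessive Pings entries described above, as an added Python monitor that is not the Netopia firmware's code: it records the fields the page lists (source and destination address, number of attempts, time of last attempt, and for scans the highest, lowest and first 10 ports). The router address, the packet records and the port-scan threshold are constructed assumptions; the page itself gives only the ten-ping threshold.

```python
"""Added example (not Netopia firmware): a small monitor that produces the
Excessive Pings and Port Scan entries this page describes, run over
constructed packet records."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ROUTER_IP = "192.168.1.254"  # constructed router LAN address (assumption)
PING_THRESHOLD = 10          # page: the same host pings the router more than ten times
SCAN_THRESHOLD = 5           # assumption: the page gives no figure for port scans


@dataclass
class Event:
    """One packet seen by the router (constructed record, not a real log line)."""
    time: int        # seconds since boot
    src: str
    dst: str
    proto: str       # "icmp-echo", "tcp" or "udp"
    dst_port: int = 0


@dataclass
class LogEntry:
    """The fields the page lists for these two event types."""
    event_type: str
    src: str
    dst: str
    attempts: int = 0
    last_time: int = 0
    highest_port: Optional[int] = None
    lowest_port: Optional[int] = None
    first_ports: List[int] = field(default_factory=list)  # first 10 ports scanned


class SecurityMonitor:
    def __init__(self) -> None:
        self._pings: Dict[str, LogEntry] = {}
        self._scans: Dict[Tuple[str, str, str], LogEntry] = {}
        self._ports: Dict[Tuple[str, str, str], List[int]] = {}
        self._published: Set[int] = set()  # id() of entries already in the log
        self.log: List[LogEntry] = []

    def observe(self, ev: Event) -> None:
        if ev.proto == "icmp-echo" and ev.dst == ROUTER_IP:
            self._track_ping(ev)
        elif ev.proto in ("tcp", "udp"):
            self._track_scan(ev)

    def _publish(self, entry: LogEntry) -> None:
        # An entry is logged once, then kept current (attempts, last time).
        if id(entry) not in self._published:
            self._published.add(id(entry))
            self.log.append(entry)

    def _track_ping(self, ev: Event) -> None:
        entry = self._pings.setdefault(ev.src, LogEntry("Excessive Pings", ev.src, ev.dst))
        entry.attempts += 1
        entry.last_time = ev.time
        if entry.attempts > PING_THRESHOLD:
            self._publish(entry)

    def _track_scan(self, ev: Event) -> None:
        key = (ev.src, ev.dst, ev.proto)
        ports = self._ports.setdefault(key, [])
        if ev.dst_port not in ports:
            ports.append(ev.dst_port)  # distinct ports, in the order seen
        entry = self._scans.setdefault(
            key, LogEntry(f"Port Scan ({ev.proto.upper()})", ev.src, ev.dst))
        entry.attempts += 1
        entry.last_time = ev.time
        entry.highest_port, entry.lowest_port = max(ports), min(ports)
        entry.first_ports = ports[:10]
        if len(ports) >= SCAN_THRESHOLD:
            self._publish(entry)


def constructed_sample() -> List[Event]:
    """Constructed traffic: 12 pings from one host, 5 from another, a probe
    of seven TCP ports on a LAN host, then one more ping from the first host."""
    events = [Event(t, "10.0.0.7", ROUTER_IP, "icmp-echo") for t in range(100, 112)]
    events += [Event(t, "10.0.0.8", ROUTER_IP, "icmp-echo") for t in range(150, 155)]
    events += [Event(200 + i, "10.0.0.9", "192.168.1.10", "tcp", p)
               for i, p in enumerate([22, 23, 25, 80, 110, 143, 443])]
    events.append(Event(300, "10.0.0.7", ROUTER_IP, "icmp-echo"))
    return events


def run_sample() -> List[LogEntry]:
    monitor = SecurityMonitor()
    for ev in constructed_sample():
        monitor.observe(ev)
    return monitor.log
```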
Link: Diagnostics When you click Diagnostics, the Diagnostics page appears. This automated multi-layer test examines the functionality of the Router from the physical connections to the data traffic being sent by users through the Router. You enter a web address, such as tftp.netopia.com, or a known IP address, in the Web Address field and click the Test button. Results will be displayed in the Progress Window as they are generated. This sequence of tests takes approximately one minute to generate results.
Result      Meaning
* PENDING:  The test timed out without producing a result. Try running Diagnostics again.
* WARNING:  The test was unsuccessful. The Service Provider equipment your Router connects to may not support this test.
Link: Remote Access When you click Remote Access, the Enable Remote Access page appears. This link allows you to authorize a remotely-located person, such as a support technician, to directly access your Netopia Gateway. This is useful for fixing configuration problems when you need expert help. You can limit the amount of time such a person will have access to your Gateway. This will prevent unauthorized individuals from gaining access after the time limit has expired.
Link: Update Router ☛ This link is not available on the 3342/3352 models, since their firmware is updated via the USB host driver. When you click Update Router, the Software Upgrade page appears. Operating System Software is what makes your Router run and occasionally it needs to be updated. Your Current Software Version is displayed at the top of the page.
You can update your software in either of two ways: From a Server • If an updated version exists, click the Update Software from Server button, and a new version will automatically be downloaded to your Router. • When the download and installation is complete, you will be prompted to restart the Router. From your PC To update your software from a file on your PC, you must first download the software from the link that appears on your screen: http://www.netopia.
Link: Reset Router You might need to reset your Router to its factory default state, and clear all of your previous settings. The Reset Router link allows you to do that. When you click the link, you will be challenged to confirm that this is what you want to do. If you want to clear your settings, click the Yes, reset to factory settings button. The Router configuration will be reset to the factory default.
Link: Restart Router When the Gateway is restarted, it will disconnect all users, initialize all its interfaces, and copy the Operating System Software and feature keys from its internal storage.
Basic Mode Basic Mode When you click Basic Mode, you will be returned to the Basic Mode Home Page.
Help When you click the Help link in the left-hand column of links a page of explanatory information displays. Help (in English only) is available for every page in the Web interface.
CHAPTER 4 Basic Troubleshooting This section gives some simple suggestions for troubleshooting problems with your Gateway’s initial configuration. Before troubleshooting, make sure you have • read the Quickstart Guide; • plugged in all the necessary cables; and • set your PC’s TCP/IP controls to obtain an IP address automatically.
Status Indicator Lights The first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined in the following section.
Netopia Gateway 3347W or WG/3357W or WG Wi-Fi Gateway series status indicator lights (3347W/3357W Front View)
Power: Green when power is applied
DSL SYNC: Flashes green when training; solid green when trained
LAN 1, 2, 3, 4: Solid green when connected to each port on the LAN. Flash green when there is activity on each port.
Status Indicator Lights Netopia Gateway 3341/3351 series status indicator lights Ethernet Link: Solid green when connected Ethernet Traffic: Flashes green when there is activity on the LAN DSL Traffic: D SL Po w er A ct iv e U SB c c ffi ffi Tr a D SL nk Li Tr a et et rn rn he he Et Et Sy nc Blinks green when traffic is sent/received over the WAN Power: Solid green when the power is on USB Active: Solid green when USB is connected otherwise, not lit DSL Sync: Blinking green with
Netopia Gateway 3346/3356 series status indicator lights (3346/3356 front view; LEDs labeled Power, DSL SYNC, LAN 1, LAN 2, LAN 3, LAN 4):
• Power: green when power is applied.
• DSL SYNC: flashes green when training; solid green when trained; flashes green for DSL traffic.
• LAN 1, 2, 3, 4: solid green when connected to each port on the LAN; flashes green when there is activity on each port.
Netopia Gateway 3342/3352 status indicator lights (LEDs labeled USB and DSL):
• USB: green, USB link up; off, USB link down; blink, USB activity.
• DSL: green, DSL link up; off, DSL link down; blink, DSL activity; slow flash (1 second green, 1 second off), DSL training.
☛ Special patterns:
• Both LEDs are off during boot (power-on boot or warm reboot).
• When the 3342/3352 successfully boots up, both LEDs flash green once.
• Both LEDs are off when the Host OS suspends the device (e.g.
LED Function Summary Matrix

LED               Unlit       Solid Green                        Flashing Green
Power             No power    Power on                           N/A
USB Active        No signal   USB port connected to PC           Activity on the USB cable
DSL Sync          No signal   DSL line synched with the DSLAM    Attempting to train with DSLAM
DSL Traffic       No signal   N/A                                Activity on the DSL cable
Ethernet Traffic  No signal   N/A                                Activity on the Ethernet cable
Ethernet Link     No signal   Synched with Ethernet card         N/A

If a status indicator light does not look correct, look for these possible
EN Link unlit; EN Traffic unlit; USB Active unlit; DSL Traffic unlit. Note: the EN Link light is inactive if only using USB.
• Make sure you are using the Ethernet cable, not the DSL cable. The Ethernet cable is thicker than the standard telephone cable.
• Make sure the Ethernet cable is securely plugged into the Ethernet jack on the PC.
Wireless Link unlit
• Make sure your client PC(s) have their wireless cards correctly installed and configured.
• Check your client PC(s) TCP/IP settings to make sure they are receiving an IP address from the wireless Router.
Factory Reset Switch (optional on some models; 3342/3352 models do not have a reset switch)
Lose your password? This section shows how to reset the Netopia Gateway so that you can access the configuration screens once again.
☛ NOTE: Keep in mind that all of your settings will need to be reconfigured. Note also that anyone with physical access to the switch can perform this reset and then log in with the factory default credentials, so keep the Gateway in a location you control.
If you don't have a password, the only way to access the Netopia Gateway is the following:
1. Referring to the diagram below, find the round Reset Switch opening.
2. Carefully insert the point of a pen or an unwound paperclip into the opening.
3. Hold the button in until the “Power” LED turns RED, and then keep holding it in until it turns GREEN again.
4. If you don't hold it this long, the normal configuration will be cleared, but not all of the configuration info (default settings, etc.).
CHAPTER 5 Command Line Interface The Netopia Gateway operating software includes a command line interface (CLI) that lets you access your Netopia Gateway over a telnet connection. You can use the command line interface to enter and update the unit’s configuration settings, monitor its performance, and restart it. Telnet carries the whole session, including the administrator password, in cleartext, so open CLI sessions only from the trusted private LAN and not across the WAN.
Overview The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire command set follow in this section.
CONFIG Commands

Command Verbs   Status and/or Description
delete          Delete configuration list data
help            Help command option
save            Save configuration data
script          Print configuration data
set             Set configuration data
view            View configuration data

Keywords
atm             ATM options (DSL only)
bridge          Bridge options
dhcp            Dynamic Host Configuration Protocol options
dmt             DMT ADSL options
dns             Domain Name
ip, ethernet, ip-maps, nat-default, pinhole, ppp, pppoe, preferences, radius, security, servers, snmp, system, upnp, validate, vlan, wireless
Command Utilities
top     Go to top level of configuration mode
quit    Exit from configuration mode; return to shell mode
exit    Exit from configuration mode; return to shell mode

Starting and Ending a CLI Session
Open a telnet connection from a workstation on your network. You initiate a telnet connection by issuing the following command from an IP host that supports telnet, for example, a personal computer running a telnet application such as NCSA Telnet.
Saving Settings
In CONFIG mode, the save command saves the working copy of the settings to the Gateway. The Gateway automatically validates its settings when you save and displays a warning message if the configuration is not correct.
Using the CLI Help Facility
The help command lets you display on-line help for SHELL and CONFIG commands. To display a list of the commands available to you from your current location within the command line interface hierarchy, enter help.
The only commands you cannot truncate are restart and clear. To prevent accidental interruption of communications, you must enter the restart and clear commands in their entirety. You can use the Up and Down arrow keys to scroll backward and forward through recent commands you have entered. Alternatively, you can use the !! command to repeat the last command you entered.
SHELL Commands
Common Commands
arp nnn.nnn.nnn.nnn
Sends an Address Resolution Protocol (ARP) request to match the nnn.nnn.nnn.
Each test generates one of the following result codes:
CODE      Description
PASS      The test was successful.
FAIL      The test was unsuccessful.
SKIPPED   The test was skipped because a test on which it depended failed, or because the test did not apply to your particular setup or model.
PENDING   The test timed out without producing a result. Try running the test again.
license [key]
This command installs a software upgrade key. An upgrade key is a purchased item, based on the serial number of the gateway.
Software Feature Keys
You can obtain advanced product functionality by employing a Software Feature Key. Software feature keys are tied to a Gateway's serial number and will not work on any other device. Once the feature key is installed and the Gateway is restarted, the new feature's functionality becomes enabled.
Example:
Netopia-3000/11171732> license Xf94J84bX
The Gateway will respond with:
Feature Key Successfully stored, ready to restart.
Restart the Gateway. Type restart. The Gateway will restart and your feature key will be enabled. Using the Web interface or the Command Line Interface, you can then configure your new feature’s parameters. For details of CLI settings for the respective feature keys, refer to the section describing the particular feature key commands in this chapter.
☛ NOTE: The new Enterprise Class operating system software changes the IP address of your Gateway. It also removes the Web-based user interface and replaces it with a menu-based UI that you access via telnet. You must then reconfigure all of your Netopia Router settings. Previous settings are erased. To access the Gateway’s menu interface from a terminal window, type: telnet 192.168.1.
• 4 or warning – Warnings or greater; includes recoverable error conditions and useful operator information.
• 5 or failure – Failures; includes messages describing error conditions that may not be recoverable.
netstat -i
Displays the IP interfaces for your Netopia Gateway.
netstat -r
Displays the IP routes stored in your Netopia Gateway.
nslookup { hostname | ip_address }
Performs a domain name system lookup for a specified host.
quit
Exits the Netopia Gateway command line interface.
reset arp
Clears the Address Resolution Protocol (ARP) cache on your unit.
reset crash
Clears crash-dump information, which identifies the contents of the Netopia Gateway registers at the point of system malfunction.
reset dhcp server
Clears the DHCP lease table in the Netopia Gateway.
reset enet
Resets Ethernet statistics to zero.
reset ipmap
Clears the IPMap table (NAT).
reset wan-users [all | ip-address]
This function disconnects the specified WAN User to allow other users to access the WAN. This function is only available if the number of WAN Users is restricted and NAT is on. Use the all parameter to disconnect all users. If you log on as Admin you can disconnect any or all users. If you log on as User, you can only disconnect yourself.
restart [seconds]
Restarts your Netopia Gateway.
show ip interfaces Displays the IP interfaces for your Netopia Gateway. show ip ipsec Displays IPSec Tunnel statistics. show ip firewall Displays firewall statistics. show ip routes Displays the IP routes stored in your Netopia Gateway. show ip state-insp Displays whether stateful inspection is enabled on an interface or not, exposed addresses and blocked packet statistics because of stateful inspection. show log Displays blocks of information from the Netopia Gateway diagnostic log.
show status
Displays the current status of a Netopia Gateway, the device's hardware and software revision levels, a summary of errors encountered, and the length of time the Netopia Gateway has been running since it was last restarted. Identical to the status command.
show wireless [all]
Shows wireless status and statistics.
telnet { hostname | ip_address } [port]
Lets you open a telnet connection to the specified host through your Netopia Gateway.
WAN Commands atmping vccn [ segment | end-to-end ] Lets you check the ATM connection reachability and network connectivity. This command sends five Operations, Administration, and Maintenance (OAM) loopback calls to the specified vpi/vci destination. There is a five second total timeout interval. Use the segment argument to ping a neighbor switch. Use the end-to-end argument to ping a remote end node.
About CONFIG Commands show dsl Displays DSL port statistics, such as upstream and downstream connection rates and noise levels. show ppp [{ stats | lcp | ipcp }] Displays information about open PPP links. You can display a subset of the PPP statistics by including an optional stats, lcp, or ipcp argument for the show ppp command. start ppp vccn Opens a PPP link on the specified virtual circuit.
Netopia-3000/9437188 (top)>> quit Netopia-3000/9437188 > • Moving from top to a subnode — You can navigate from the top node to a subnode by entering the node name (or the significant letters of the node name) at the CONFIG prompt and pressing RETURN. For example, you move to the IP subnode by entering ip and pressing RETURN. Netopia-3000/9437188 (top)>> ip Netopia-3000/9437188 (ip)>> As a shortcut, you can enter the significant letters of the node name in place of the full node name at the CONFIG prompt.
Entering Commands in CONFIG Mode CONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action you want to take or the entity on which you want to act. Arguments in a CONFIG command specify the values appropriate to your site. For example, the CONFIG command set ip ethernet A ip_address consists of two keywords (ip, and ethernet A) and one argument (ip_address).
If a command is ambiguous or miskeyed, the CLI prompts you to enter additional information. For example, you must specify which virtual circuit you are configuring when you are setting up a Netopia Gateway. Displaying Current Gateway Settings You can use the view command to display the current CONFIG settings for your Netopia Gateway. If you enter the view command at the top level of the CONFIG hierarchy, the CLI displays the settings for all enabled functions.
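The abbreviation rules above (significant letters expand to a full name, an ambiguous prefix is refused, and restart and clear must be typed in full) are easy to get wrong when scripting the CLI. The following is an added example written for this page, not Netopia firmware code: the verb, keyword and SHELL command lists are copied from the tables in this chapter, while the way the resolver treats exact matches, unique prefixes and ambiguous prefixes is an assumption about how a prefix-matching CLI behaves.

```python
"""Model of the command-abbreviation rules described in this chapter.

Added example; this is not Netopia firmware code. The verb, keyword and
SHELL command lists are copied from the tables on this page. How the
resolver handles exact matches, unique prefixes and ambiguous prefixes is
an assumption about a prefix-matching CLI, made to show why "res" is
rejected while "rese" works and why "rest" never expands to restart.
"""
from typing import Optional

CONFIG_VERBS = ("delete", "help", "save", "script", "set", "view")
CONFIG_NODES = (
    "atm", "bridge", "dhcp", "dmt", "dns", "ip", "ethernet", "ip-maps",
    "nat-default", "pinhole", "ppp", "pppoe", "preferences", "radius",
    "security", "servers", "snmp", "system", "upnp", "validate", "vlan",
    "wireless",
)
SHELL_COMMANDS = (
    "arp", "atmping", "clear", "license", "netstat", "nslookup", "quit",
    "reset", "restart", "show", "start", "telnet",
)
# The page says these two must always be typed in full.
NO_TRUNCATION = frozenset({"restart", "clear"})


class AmbiguousCommand(ValueError):
    """The prefix matches more than one candidate."""


def resolve(prefix: str, candidates: tuple) -> Optional[str]:
    """Expand prefix to the one candidate it identifies, or None.

    An exact match wins outright, so "ip" is "ip" even though "ip-maps"
    also starts with "ip". A prefix shared by several candidates raises
    AmbiguousCommand, which is where the real CLI prompts for more input.
    """
    if not prefix:
        return None
    if prefix in candidates:
        return prefix
    hits = [c for c in candidates if c.startswith(prefix)]
    if not hits:
        return None
    if len(hits) > 1:
        raise AmbiguousCommand(f"{prefix!r} could be any of {hits}")
    return hits[0]


def is_ambiguous(prefix: str, candidates: tuple) -> bool:
    """True when the prefix would make the CLI ask for more letters."""
    try:
        resolve(prefix, candidates)
    except AmbiguousCommand:
        return True
    return False


def resolve_shell(token: str) -> Optional[str]:
    """Resolve a SHELL command, refusing truncated restart/clear."""
    full = resolve(token, SHELL_COMMANDS)
    if full in NO_TRUNCATION and token != full:
        return None  # unique, but the page forbids this shortcut
    return full


def expand_config_line(line: str) -> str:
    """Expand an abbreviated CONFIG line, e.g. "se ip eth A" -> "set ip ethernet A".

    The first word must be a verb; later words are expanded when they name
    a node and passed through unchanged otherwise, so arguments such as
    "A" or an IP address survive. Limitation of this model: an argument
    that happens to be a prefix of a node name would be expanded too.
    """
    words = line.split()
    if not words:
        return ""
    verb = resolve(words[0], CONFIG_VERBS)
    if verb is None:
        raise ValueError(f"unknown verb {words[0]!r}")
    out = [verb]
    for word in words[1:]:
        node = resolve(word, CONFIG_NODES)
        out.append(node if node else word)
    return " ".join(out)
```

Feeding a script through expand_config_line before sending it over telnet catches ambiguous shortcuts offline rather than leaving a half-applied configuration on the Gateway.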
CONFIG Commands
Netopia-3000/9437188 (top)>> set system ...
system name (“Netopia-3000/9437188”): Mycroft
Diagnostic Level (High): medium
Stepping mode ended.
Validating Your Configuration
You can use the validate CONFIG command to make sure that your configuration settings have been entered correctly. If you use the validate command, the Netopia Gateway verifies that all required settings for all services are present and that settings are consistent.
set atm [vcc n] option {on | off } Selects the virtual circuit for which further parameters are set. Up to eight VCCs are supported; the maximum number is dependent on your Netopia Operating System tier and the capabilities that your Service Provider offers. set atm [vcc n] qos service-class { cbr | ubr | vbr } Sets the Quality of Service class for the specified virtual circuit – Constant (cbr), Unspecified (ubr), or Variable (vbr) Bit Rate. • ubr: No configuration is needed for UBR VCs.
the Peak Cell Rate after which the ATM VC transmission rate must drop to the Sustained Cell Rate. set atm [vcc n] vpi { 0 ... 255 } Select the virtual path identifier (vpi) for VCC n. Your Service Provider will indicate the required vpi number. set atm [vcc n] vci { 0 ... 65535 } Select the virtual channel identifier (vci) for VCC n. Your Service Provider will indicate the required vci number.
set atm [vccn] pppoe-sessions { 1 ... 8 } Select the number of PPPoE sessions to be configured for VCC 1, up to a total of eight. The total number of pppoe-sessions and PPPoE VCCs configured must be less than or equal to eight. ☛ NOTE: Without a license the maximum number of PPPoE sessions defaults to 1; a license allows support for up to 8. Bridging Settings Bridging lets the Netopia Gateway use MAC (Ethernet hardware) addresses to forward non-TCP/IP traffic from one network to another.
set bridge ethernet option { on | off } Enables or disables bridging services for the specified virtual circuit using Ethernet framing. set bridge dsl vccn option { on | off } Enables or disables bridging services for the specified DSL virtual circuit. DHCP Settings As a Dynamic Host Configuration Protocol (DHCP) server, your Netopia Gateway can assign IP addresses and provide configuration information to other devices on your network dynamically.
set dhcp lease-time lease-time If you selected server, specifies the default length for DHCP leases issued by the Netopia Gateway. Enter lease time in dd:hh:mm:ss (day/hour/minute/second) format. set dhcp server-address ip_address If you selected relay-agent, specifies the IP address of the relay agent server. DMT Settings DSL Commands set dmt type [ lite | dmt | ansi | multi ] Selects the type of Discrete Multitone (DMT) asymmetric digital subscriber line (ADSL) protocol to use for the WAN interface.
Domain Name System Settings Domain Name System (DNS) is an information service for TCP/IP networks that uses a hierarchical naming system to identify network domains and the hosts associated with them. You can identify a primary DNS server and one secondary server. Common Commands set dns domain-name domain-name Specifies the default domain name for your network.
set dynamic-dns ddns-user-password myuserpassword Specifies the password for your dynamic DNS account. Dynamic DNS service is off by default; if you enable it for dyndns.org, you must supply your hostname, your username for the service, and this password. Because different dynamic DNS vendors use different proprietary protocols, currently only www.dyndns.org is supported.
set ip dsl vccn broadcast broadcast_address Specifies the broadcast address for the TCP/IP network connected to the virtual circuit. IP hosts use the broadcast address to send messages to every host on your network simultaneously. The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255.
an extension of RIP-2 that increases security by requiring an authentication key when routes are advertised. Depending on your network needs, you can configure your Netopia Gateway to support RIP-1, RIP-2, or RIP-2MD5. If you specify v2-MD5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other router(s) keys for proper operation of MD5 support. Without a key, any host on the segment can inject routes; with v2-MD5 the key never travels in the clear, only a keyed digest of each update does.
The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255. set ip ethernet A netmask netmask Specifies the subnet mask for the local Ethernet interface. The subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask).
set ip ethernet A rip-send { off | v1 | v2 | v1-compat | v2-MD5 } Specifies whether the Netopia Gateway should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to other routers on your network. RIP Version 2 (RIP-2) is an extension of the original Routing Information Protocol (RIP-1) that expands the amount of useful information in the RIP packets.
set ip gateway interface { ip-address | ppp-vccn } Specifies how the Netopia Gateway should route information to the default Gateway. If you select ip-address, you must enter the IP address of a host on a local or remote network. If you specify ppp-vccn, the Netopia unit uses the default gateway being used by the remote PPP peer on that virtual circuit. IP-over-PPP Settings. Use the following commands to configure settings for routing IP over a virtual PPP interface.
set ip ip-ppp [vccn] peer-address ip_address Specifies the IP address of the peer on the other end of the PPP link. If you specify an IP address other than 0.0.0.0, your Netopia Gateway will not negotiate the remote peer's IP address. If the remote peer does not accept the address in the ip_address argument as its IP address (typically because it has been configured with another IP address), the link will not come up. The default value for the ip_address argument is 0.0.0.0.
If you specify v2-MD5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other router(s) keys for proper operation of MD5 support. set ip ip-ppp [vccn] rip-receive { off | v1 | v2 | v1-compat | v2-MD5 } Specifies whether the Netopia Gateway should use Routing Information Protocol (RIP) broadcasts to update its routing tables with information received from other routers on the other side of the PPP link.
IGMP Forwarding set ip igmp-forwarding [ off | on ] Turns IP IGMP forwarding off or on. The default is off. IPsec Passthrough set ip ipsec-passthrough [ off | on ] Turns IPsec client passthrough off or on. The default is on. IP Prioritization set ip prioritize [ off | on ] Allows you to support traffic that has the Type of Service (TOS) bits set. This defaults to off. Differentiated Services (DiffServ) The commands in this section are supported beginning with Firmware Version 7.4.2.
set diffserv lohi-assymetry [ 60 - 100 percent ] Sets a percentage between 60 and 100 used to regulate the level of packets allowed to be pending in the low priority queue. The default is 92. It can be used in some degree to adjust the relative throughput bandwidth for low- versus high-priority traffic.
set diffserv custom-flows name name protocol [ TCP | UDP | ICMP | other ] direction [ outbound | inbound | both ] start-port [ 0 - 49151 ] end-port [ 0 - 49151 ] inside-ip inside-ip-addr outside-ip outside-ip-addr qos [ off | assure | expedite ] Defines or edits a custom flow. Select a name for the custom-flow from the set command. The CLI will step into the newly-named or previously-defined flow for editing.
SIP Passthrough set ip sip-passthrough [ on | off ] Turns Session Initiation Protocol application layer gateway client passthrough on or off. The default is on. Session Initiation Protocol is a signaling protocol for Internet conferencing, telephony, presence, events notification and instant messaging. Static Route Settings A static route identifies a manually configured pathway to a remote network.
set ip static-routes destination-network net_address gateway-address gate_address Specifies the IP address of the gateway (next hop) for the static route. The gateway address must be on a network directly connected to one of the Netopia Gateway's configured interfaces. set ip static-routes destination-network net_address metric integer Specifies the metric (hop count) for the static route. The default metric is 1.
set ip static-routes destination-network net_address rip-advertise [ SplitHorizon | Always | Never ] Specifies whether the gateway should use Routing Information Protocol (RIP) broadcasts to advertise to other routers on your network and which mode to use. The default is SplitHorizon. delete ip static-routes destination-network net_address Deletes a static route. Deleting a static route removes all information associated with that route.
Network Address Translation (NAT) Default Settings NAT default settings let you specify whether you want your Netopia Gateway to forward NAT traffic to a default server when it doesn’t know what else to do with it. The NAT default host function is useful in situations where you cannot create a specific NAT pinhole for a traffic stream because you cannot anticipate what port number an application might use. For example, some network games select arbitrary port numbers when a connection is being opened. Because the default server receives every unsolicited inbound packet that no pinhole matches, treat it as an Internet-exposed host: keep it patched, run nothing on it that you would not expose deliberately, and never point the default at an administrative workstation.
Network Address Translation (NAT) Pinhole Settings NAT pinholes let you pass specific types of network traffic through the NAT interfaces on the Netopia Gateway. NAT pinholes allow you to route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a specific host behind the Netopia Gateway transparently.
set pinhole name name internal-ip internal-ip Specifies the IP address of the internal host to which traffic of the specified type should be transferred. set pinhole name name internal-port internal-port Specifies the port number your Netopia Gateway should use when forwarding traffic of the specified type. Under most circumstances, you would use the same number for the external and internal port.
set PPP module [vccn] magic-number { on | off } Enables or disables LCP magic number negotiation. set PPP module [vccn] protocol-compression { on | off } Specifies whether you want the Netopia Gateway to compress the PPP Protocol field when it transmits datagrams over the PPP link. set PPP module [vccn] lcp-echo-requests { on | off } Specifies whether you want your Netopia Gateway to send LCP echo requests.
set PPP module [vccn] connection-type { instant-on | always-on } Specifies whether a PPP connection is maintained by the Netopia Gateway when it is unused for extended periods. If you specify always-on, the Netopia Gateway never shuts down the PPP link. If you specify instant-on, the Netopia Gateway shuts down the PPP link after the number of seconds specified in the time-out setting (below) if no traffic is moving over the circuit.
The username argument is 1-255 alphanumeric characters. The information you enter must match the username configured in the PPP peer's authentication database. The password argument is 1-32 alphanumeric characters. The information you enter must match the password used by the PPP peer. Authentication must be enabled before you can enter other information.
Port Renumbering Settings If you use NAT pinholes to forward HTTP or telnet traffic through your Netopia Gateway to an internal host, you must change the port numbers the Netopia Gateway uses for its own configuration traffic. For example, if you set up a NAT pinhole to forward network traffic on Port 80 (HTTP) to another host, you would have to tell the Netopia Gateway to listen for configuration connection requests on a port number other than 80, such as 6080. Moving the listener only resolves the port conflict; it does not hide or protect the management interface, so still restrict who can reach it (for example with the firewall levels or stateful inspection described below) and keep a strong administrator password.
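The pinhole and port-renumbering rules above are mechanical enough to check before a configuration is pushed to the Gateway. The following is an added example written for this page, not Netopia firmware code: the internal-ip and internal-port fields mirror the set pinhole commands listed above, while the external-port field, the table of management listeners (80 for HTTP, 23 for telnet) and the LAN subnet are assumptions introduced to make the check concrete. The pinholes in the demo are constructed sample input.

```python
"""Check NAT pinholes against the Gateway's own management listeners.

Added example; this is not Netopia firmware code. The internal-ip and
internal-port fields follow the 'set pinhole name ...' commands on this
page. The external-port field, the management-port table and the LAN
subnet passed to check_pinholes() are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass

# Ports the Gateway uses for its own configuration traffic. The page names
# HTTP (port 80) and telnet; 23 for telnet is the standard port (assumption).
DEFAULT_MGMT_PORTS = {"http": 80, "telnet": 23}


@dataclass(frozen=True)
class Pinhole:
    name: str
    protocol: str        # "tcp" or "udp"
    external_port: int   # assumed field name; the page shows only internal-*
    internal_ip: str
    internal_port: int


def check_pinholes(pinholes, lan_network, mgmt_ports=DEFAULT_MGMT_PORTS):
    """Return (pinhole name, problem) findings for a proposed pinhole set.

    Problems reported: ports outside 1-65535, an internal host that is not
    on the LAN subnet (traffic would be forwarded nowhere), two pinholes
    claiming the same external port/protocol, and a TCP pinhole whose
    external port is one the Gateway itself listens on, which is exactly
    the case the page says requires port renumbering.
    """
    lan = ipaddress.ip_network(lan_network, strict=False)
    findings = []
    seen = {}
    for ph in pinholes:
        if not (1 <= ph.external_port <= 65535 and 1 <= ph.internal_port <= 65535):
            findings.append((ph.name, "port out of range"))
            continue
        if ipaddress.ip_address(ph.internal_ip) not in lan:
            findings.append((ph.name, f"internal-ip {ph.internal_ip} is not on {lan}"))
        key = (ph.protocol, ph.external_port)
        if key in seen:
            findings.append((ph.name, f"external port {ph.external_port}/{ph.protocol} "
                                      f"already used by pinhole {seen[key]}"))
        seen.setdefault(key, ph.name)
        if ph.protocol == "tcp":
            for service, port in mgmt_ports.items():
                if port == ph.external_port:
                    findings.append((ph.name, f"external port {port} collides with the "
                                              f"Gateway's {service} listener; renumber {service}"))
    return findings


def pick_free_port(service, pinholes, mgmt_ports, preferred):
    """Choose a management port that no TCP pinhole and no other service uses.

    Starts at the preferred value (the page suggests 6080 for HTTP) and
    walks upward until the port is free.
    """
    taken = {ph.external_port for ph in pinholes if ph.protocol == "tcp"}
    taken |= {p for s, p in mgmt_ports.items() if s != service}
    port = preferred
    while port in taken:
        port += 1
    return port


def demo():
    """Constructed pinhole set: a web server, a DNS server, a host off-subnet, a duplicate."""
    pinholes = [
        Pinhole("web", "tcp", 80, "192.168.1.20", 80),
        Pinhole("dns", "udp", 53, "192.168.1.21", 53),
        Pinhole("ssh", "tcp", 22, "10.0.0.5", 22),
        Pinhole("web2", "tcp", 80, "192.168.1.22", 8080),
    ]
    findings = check_pinholes(pinholes, "192.168.1.1/24")
    new_http = pick_free_port("http", pinholes, DEFAULT_MGMT_PORTS, 6080)
    return findings, new_http
```

Run the checker on the pinhole list you intend to configure, then apply the port change it suggests before creating the pinhole, so there is no window in which the Web interface is unreachable or shadowed by the forwarded host.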
Security Settings Security settings include the Firewall, Stateful Inspection, and IPSec parameters. IPSec security functionality is keyed. See “Software Feature Keys” on page 178. Basic Firewall Settings The Netopia Firewall delivers an easily selectable set of pre-configured firewall protection levels. For simple implementation these settings (comprised of three levels) are readily available.
Stateful Inspection Stateful inspection options are accessed by the security state-insp tag. Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. The Netopia Gateway monitors and maintains the state of any network transaction. In terms of network request-and-reply, state consists of the source IP address, destination IP address, communication ports, and data sequence.
set security state-insp [ ip-ppp | dsl ] vccn tcp-seq-diff [ 0 - 65535 ] set security state-insp ethernet [ A | B ] tcp-seq-diff [ 0 - 65535 ] Sets the acceptable TCP sequence difference on the specified interface. The TCP sequence number difference maximum allowed value is 65535. If the value of tcp-seq-diff is 0, it means that this check is disabled.
set security state-insp [ ip-ppp | dsl ] vccn deny-fragments [ off | on ] set security state-insp ethernet [ A | B ] deny-fragments [ off | on ] Sets whether fragmented packets are allowed to be received or not on the specified interface. set security state-insp tcp-timeout [ 30 - 65535 ] Sets the stateful inspection TCP timeout interval, in seconds. set security state-insp udp-timeout [ 30 - 65535 ] Sets the stateful inspection UDP timeout interval, in seconds.
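To make the interplay of these knobs concrete, here is an added example written for this page, not Netopia firmware code. The settings it models (option, tcp-seq-diff, deny-fragments, tcp-timeout, udp-timeout and the exposed-address list) and the defaults 14400 and 182 are the ones shown on this page; the semantics are an assumption chosen to illustrate them: outbound packets create flow state, unsolicited inbound packets are dropped unless they are addressed to an exposed address, a non-zero tcp-seq-diff bounds how far an inbound segment's sequence number may jump from the last accepted one on that flow, and a flow idle longer than its timeout is forgotten. All packets in demo() are constructed sample input.

```python
"""Toy model of the stateful-inspection checks configured above.

Added example; this is not Netopia firmware code. The knobs and the
defaults 14400/182 come from this page; the flow-tracking semantics
are an assumption made to show the checks in action.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    seq: int = 0          # TCP sequence number; ignored for udp
    fragment: bool = False


@dataclass
class Inspector:
    """State-insp settings for one interface plus its flow table."""
    option: bool = True
    tcp_seq_diff: int = 0         # 0 disables the check, as the page states
    deny_fragments: bool = False
    tcp_timeout: int = 14400      # seconds, default shown on this page
    udp_timeout: int = 182        # seconds, default shown on this page
    exposed: list = field(default_factory=list)   # (lo, hi, proto) int ranges
    flows: dict = field(default_factory=dict)     # key -> [peer_seq, last_seen]

    def add_exposed(self, start_ip: str, end_ip: str, proto: str = "any"):
        """Mirror of 'set security state-insp xposed-addr ...' on this page."""
        lo, hi = (int(ipaddress.IPv4Address(ip)) for ip in (start_ip, end_ip))
        self.exposed.append((lo, hi, proto))

    def _exposed_to(self, p: Packet) -> bool:
        ip = int(ipaddress.IPv4Address(p.dst))
        return any(lo <= ip <= hi and proto in ("any", "both", p.proto)
                   for lo, hi, proto in self.exposed)

    def outbound(self, p: Packet, now: int) -> str:
        """LAN-to-WAN traffic creates (or refreshes) a flow entry."""
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        entry = self.flows.setdefault(key, [None, now])
        entry[1] = now
        return "PASS"

    def inbound(self, p: Packet, now: int) -> str:
        """WAN-to-LAN traffic must match a live flow or an exposed address."""
        if not self.option:
            return "PASS"
        if p.fragment and self.deny_fragments:
            return "DROP fragment"
        key = (p.dst, p.dport, p.src, p.sport, p.proto)   # reversed 5-tuple
        entry = self.flows.get(key)
        if entry is not None:
            ttl = self.tcp_timeout if p.proto == "tcp" else self.udp_timeout
            if now - entry[1] > ttl:
                del self.flows[key]       # idle too long: forget the flow
                entry = None
        if entry is None:
            return "PASS exposed" if self._exposed_to(p) else "DROP unsolicited"
        peer_seq = entry[0]
        if (p.proto == "tcp" and self.tcp_seq_diff and peer_seq is not None
                and abs(p.seq - peer_seq) > self.tcp_seq_diff):
            return "DROP seq"             # sequence jumped further than allowed
        entry[0] = p.seq if p.proto == "tcp" else None
        entry[1] = now
        return "PASS"


def demo() -> list:
    """Constructed packets through an interface with seq check and fragment denial on."""
    insp = Inspector(tcp_seq_diff=1000, deny_fragments=True)
    insp.add_exposed("192.168.1.50", "192.168.1.50", "tcp")   # deliberately exposed server
    lan, web, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    r = []
    r.append(insp.outbound(Packet(lan, web, "tcp", 40000, 80, seq=100), now=0))
    r.append(insp.inbound(Packet(web, lan, "tcp", 80, 40000, seq=5000), now=1))   # baseline
    r.append(insp.inbound(Packet(web, lan, "tcp", 80, 40000, seq=5500), now=2))   # within 1000
    r.append(insp.inbound(Packet(web, lan, "tcp", 80, 40000, seq=9000), now=3))   # jumps 3500
    r.append(insp.inbound(Packet(web, lan, "tcp", 80, 40000, seq=5600, fragment=True), now=4))
    r.append(insp.inbound(Packet(stranger, lan, "tcp", 12345, 22), now=5))        # no state
    r.append(insp.inbound(Packet(stranger, "192.168.1.50", "tcp", 12345, 22), now=6))
    r.append(insp.outbound(Packet(lan, web, "udp", 5000, 53), now=10))
    r.append(insp.inbound(Packet(web, lan, "udp", 53, 5000), now=100))            # 90 s idle
    r.append(insp.inbound(Packet(web, lan, "udp", 53, 5000), now=300))            # 200 s idle
    return r
```

The last two UDP results show why the page's udp-timeout default (182 seconds) matters for long-polling or keep-alive-free protocols: a reply that arrives after the flow has aged out is indistinguishable from an unsolicited packet and is dropped.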
32 exposed addresses can be created. The range for exposed address numbers are from 1 through 32. set security state-insp xposed-addr exposed-address# "n" protocol [ tcp | udp | both | any ] Sets the protocol for the stateful inspection feature for the exposed address list. Accepted values for protocol are tcp, udp, both, or any.
router-accessdefault-mapping (onoff) [ off | on ]:
tcp-seq-diff (0) [ 0 - 65535 ]:
deny-fragments (off) [ off | on ]:
For RFC1483 encapsulation the commands would be:
Netopia-3000/10114104 (state-insp)>> set state-insp
udp-timeout (182) [ 30 - 65535 ]:
tcp-timeout (14400) [ 30 - 65535 ]:
dsl vcc1 option (on) [ off | on ]:
router-accessdefault-mapping (onoff) [ off | on ]:
tcp-seq-diff (0) [ 0 - 65535 ]:
deny-fragments (off) [ off | on ]:
For an Ethernet WAN Gateway, the commands would be:
Netopia-3000/10114
Netopia-3000/10114104 (xposed-addr)>> set
xposed-addr (xposed-addr) node list ...
"1"
"3"
Select (exposed-address#) node to modify from the list, or enter a new (exposed-address#) to create one.
xposed-addr exposed-address# (?): 32
(32) has been added to the (xposed-addr) list
exposed-address# "32"
start-ip (0.0.0.0):
end-ip (0.0.0.
IPSec Settings An IPsec VPN is a tunnel between the local network and another, geographically separate network, interconnected over the Internet. This VPN tunnel provides a secure, cost-effective alternative to dedicated leased lines. Internet Protocol Security (IPsec) is a suite of services including encryption, authentication, integrity, and replay protection. Internet Key Exchange (IKE) is the key management protocol of IPsec that establishes keys for encryption and decryption.
set security ipsec tunnels name "123" dest-int-network ip-address Specifies the IP address of the destination computer or internal network. set security ipsec tunnels name "123" dest-int-netmask netmask Specifies the subnet mask of the destination computer or internal network. The subnet mask specifies which bits of the 32-bit IP address represents network information. The default subnet mask for most networks is 255.255.255.0 (class C subnet mask).
Peer Internal IP Netmask The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network. PFS Enable Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is selected, a Diffie-Hellman key exchange is required. If enabled, the PFS DH group follows the IKE phase 1 DH group. Pre-Shared Key The Pre-Shared Key is a parameter used for authenticating each side. The value can be an ASCII or hex string of at most 64 characters. ASCII is case-sensitive. Both peers must hold the same key, and a long random value resists offline guessing far better than a word or phrase.
IPSec MTU Some ISPs require a setting of e.g. 1492 (or other value). The default 1500 is the most common and you usually don’t need to change this unless otherwise instructed. Accepted values are from 100 – 1500. This is the starting value that is used for the MTU when the IPSec tunnel is installed. It specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router.
set security ipsec tunnels name "123" IKE-mode pre-shared-key-type (hex) {ascii | hex} Sets the IKE mode pre-shared key type for the specified tunnel. set security ipsec tunnels name "123" IKE-mode pre-shared-key ("") {hex string} Sets the IKE mode pre-shared key for the specified tunnel. Example: 0x1234 set security ipsec tunnels name "123" IKE-mode neg-method (main) {main | aggressive} Sets the IKE mode negotiation method for the specified tunnel.
set security ipsec tunnels name "123" IKE-mode isakmp-SA-hash (MD5) {MD5 | SHA1} Sets the IKE mode ISAKMP Security Association hash for the specified tunnel. Prefer SHA1 over the MD5 default where the peer supports it. set security ipsec tunnels name "123" IKE-mode PFS-enable { off | on } Enables Perfect Forward Secrecy for the specified tunnel. Xauth set security ipsec tunnels name "123" xauth enable {off | on } Enables or disables Xauth extensions to IPsec, when IKE-mode neg-method is set to aggressive. Default is off. Note that IKE aggressive mode sends the peer identities in the clear and lets an eavesdropper capture a hash derived from the pre-shared key for offline guessing, so use main mode unless the remote peer requires aggressive mode.
set security ipsec tunnels name "123" local-id id_value Specifies the NAT local ID value as specified in the local-id-type for the specified IPsec tunnel.
ipsec-soft-seconds (82800) {60-1000000}
set security ipsec tunnels name "123" IKE-mode ipsec-hard-mbytes (1200) {1-1000000}
set security ipsec tunnels name "123" IKE-mode ipsec-hard-seconds (86400) {60-1000000}
• The soft parameters designate when the system negotiates a new key. For example, after 82800 seconds (23 hours) or 1 Gbyte has been transferred (whichever comes first) the key will be renegotiated.
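Because a tunnel built from the page defaults (hex key, main mode, MD5, PFS off) is accepted by the Gateway but weaker than it needs to be, it helps to validate a tunnel definition and emit the set lines from one place. The following is an added example written for this page, not Netopia firmware code. The command syntax, defaults and value ranges are taken from the commands above; the hardening warnings (aggressive mode, MD5, PFS off, short keys) are this editor's recommendations and not rules the Gateway enforces, and the 32-hex-digit and 20-character thresholds are assumptions. Tunnel "123", the networks and every key in demo() are constructed sample values.

```python
"""Validator and CLI generator for the IPsec tunnel settings above.

Added example; this is not Netopia firmware code. Syntax, defaults and
ranges are from this page; the warnings are hardening advice, and the
key-length thresholds are assumptions.
"""
from dataclasses import dataclass

SECONDS_RANGE = (60, 1_000_000)   # page: {60-1000000}
MBYTES_RANGE = (1, 1_000_000)     # page: {1-1000000}
MAX_PSK_CHARS = 64                # page: maximum of 64 characters
HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass
class Tunnel:
    name: str
    dest_int_network: str
    dest_int_netmask: str = "255.255.255.0"   # page default
    psk_type: str = "hex"                     # page default (hex)
    psk: str = ""
    neg_method: str = "main"                  # page default (main)
    sa_hash: str = "MD5"                      # page default (MD5)
    pfs: bool = False
    soft_seconds: int = 82800                 # page defaults
    hard_seconds: int = 86400
    hard_mbytes: int = 1200
    xauth: bool = False


def _in_range(value: int, bounds) -> bool:
    return bounds[0] <= value <= bounds[1]


def validate(t: Tunnel):
    """Return (errors, warnings): errors break the page's rules, warnings are weak but accepted."""
    errors, warnings = [], []
    if t.psk_type not in ("ascii", "hex"):
        errors.append("pre-shared-key-type must be ascii or hex")
    if not t.psk:
        errors.append("pre-shared-key is empty")
    elif len(t.psk) > MAX_PSK_CHARS:
        errors.append(f"pre-shared-key exceeds {MAX_PSK_CHARS} characters")
    elif t.psk_type == "hex":
        digits = t.psk[2:] if t.psk.lower().startswith("0x") else t.psk   # page example: 0x1234
        if not digits or any(c not in HEX_DIGITS for c in digits):
            errors.append("hex pre-shared-key contains non-hex characters")
        elif len(digits) < 32:   # assumption: want at least 128 bits of key
            warnings.append("hex pre-shared-key shorter than 32 hex digits (128 bits)")
    elif len(t.psk) < 20:        # assumption: threshold for an ascii key
        warnings.append("ascii pre-shared-key shorter than 20 characters")
    if t.neg_method not in ("main", "aggressive"):
        errors.append("neg-method must be main or aggressive")
    elif t.neg_method == "aggressive":
        warnings.append("aggressive mode reveals identities and a PSK-derived hash to eavesdroppers")
    if t.xauth and t.neg_method != "aggressive":
        errors.append("xauth is only available when neg-method is aggressive")
    if t.sa_hash not in ("MD5", "SHA1"):
        errors.append("isakmp-SA-hash must be MD5 or SHA1")
    elif t.sa_hash == "MD5":
        warnings.append("isakmp-SA-hash MD5; prefer SHA1")
    if not t.pfs:
        warnings.append("PFS-enable off; a compromised phase-1 key exposes every later SA")
    for label, value in (("ipsec-soft-seconds", t.soft_seconds),
                         ("ipsec-hard-seconds", t.hard_seconds)):
        if not _in_range(value, SECONDS_RANGE):
            errors.append(f"{label} outside {SECONDS_RANGE}")
    if not _in_range(t.hard_mbytes, MBYTES_RANGE):
        errors.append(f"ipsec-hard-mbytes outside {MBYTES_RANGE}")
    if t.soft_seconds >= t.hard_seconds:
        errors.append("ipsec-soft-seconds must be below ipsec-hard-seconds so rekeying precedes expiry")
    return errors, warnings


def _onoff(flag: bool) -> str:
    return "on" if flag else "off"


def cli(t: Tunnel) -> list:
    """Emit the 'set security ipsec tunnels' lines in the page's syntax."""
    p = f'set security ipsec tunnels name "{t.name}"'
    return [
        f"{p} dest-int-network {t.dest_int_network}",
        f"{p} dest-int-netmask {t.dest_int_netmask}",
        f"{p} IKE-mode pre-shared-key-type {t.psk_type}",
        f"{p} IKE-mode pre-shared-key {t.psk}",
        f"{p} IKE-mode neg-method {t.neg_method}",
        f"{p} IKE-mode isakmp-SA-hash {t.sa_hash}",
        f"{p} IKE-mode PFS-enable {_onoff(t.pfs)}",
        f"{p} IKE-mode ipsec-soft-seconds {t.soft_seconds}",
        f"{p} IKE-mode ipsec-hard-seconds {t.hard_seconds}",
        f"{p} IKE-mode ipsec-hard-mbytes {t.hard_mbytes}",
        f"{p} xauth enable {_onoff(t.xauth)}",
    ]


def demo():
    """The page's example key in aggressive mode, beside a hardened tunnel."""
    weak = Tunnel("123", "10.20.0.0", "255.255.0.0", psk="0x1234", neg_method="aggressive")
    hardened = Tunnel("123", "10.20.0.0", "255.255.0.0", psk="0x" + "a1b2c3d4" * 4,
                      neg_method="main", sa_hash="SHA1", pfs=True)
    return validate(weak), validate(hardened), cli(hardened)
```

The weak tunnel passes validation with four warnings and no errors, which is the point: nothing in the Gateway's own checks stops it, so the review has to happen before the lines are typed in.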
SNMP Settings The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent such as the Netopia Gateway. SNMP V3 is supported beginning with Version 7.4. SNMP v1/v2c community names act as passwords and travel in cleartext, so change any default community, give read-only access wherever possible, and prefer SNMP V3 when the management station supports it. set snmp community read name Adds the specified name to the list of communities associated with the Netopia Gateway.
SNMP Notify Type Settings SNMP Notify Type is supported beginning with Firmware Version 7.4.2.
{ off | low | medium | high | alerts | failures } Specifies the types of log messages you want the Netopia Gateway to record. All messages with a level equal to or greater than the level you specify are recorded. For example, if you specify set system diagnostic-level medium, the diagnostic log will retain medium-level informational messages, alerts, and failure messages. Specifying off turns off logging.
url-server ("server_name")
interval (00:00:00:20)
contact-email ("string@domain_name")
location ("string"):
The heartbeat setting is used in conjunction with the configuration server to broadcast contact and location information about your Gateway. You can specify the protocol, port, IP-, port-, and URL-server. The interval setting specifies the broadcast update frequency. The contact-email setting is a quote-enclosed text string giving an email address for the Gateway’s administrator.
set system syslog log-violations [ off | on ]
Specifies whether violations are logged or ignored.
set system syslog log-accepted [ off | on ]
Specifies whether acceptances are logged or ignored.
set system syslog log-attempts [ off | on ]
Specifies whether connection attempts are logged or ignored.
Default syslog installation procedure
1. Access the router via telnet to the product from the private LAN.
2. DHCP server is enabled on the LAN by default.
4. set system syslog log-violations on
   set system syslog log-accepted on
   set system syslog log-attempts on
Set NTP parameters
• Type config
• Set the time-zone – Default is 0 or GMT: set system ntp time-zone (example: set system ntp time-zone –8)
• Set NTP server-address if necessary (default is 204.152.184.72): set system ntp server-address (example: set system ntp server-address 204.152.184.73)
• Set alternate server address
5.
Wireless Settings (supported models)

set wireless option ( on | off )
Administratively enables or disables the wireless interface.

set wireless ssid { network_name }
Specifies the wireless network ID for the Gateway. A unique SSID is generated for each Gateway. You must set your wireless clients to connect to this exact ID, which can be changed to any string of up to 32 characters.

set wireless default-channel { 1...14 }
Specifies the 2.4 GHz channel on which the wireless Gateway will operate; which channels are permitted depends on the regulatory domain.
set wireless no-bridging [ off | on ]
When set to on, this blocks wireless clients from communicating with other wireless clients on the LAN side of the Gateway.

set wireless privacy option { off | WEP | WPA-PSK | WPA-802.1x }
Specifies the type of privacy enabled on the wireless LAN. off = no privacy; WEP = WEP encryption; WPA-PSK = Wi-Fi Protected Access with a pre-shared key; WPA-802.1x = Wi-Fi Protected Access with 802.1X authentication. WEP is cryptographically broken and should be treated as equivalent to off; use WPA-PSK with a long random passphrase, or WPA-802.1x where an authentication server is available.
cessfully decode. Note that a client allows you to choose which of its keys it will use to transmit. Therefore, you must have an identical key in the same numeric slot on the Gateway. For simplicity, it is easiest to have both the Gateway and the client transmit with the same key. The default is 1.
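As an added example that is not part of the Netopia guide, the following shows what the Gateway and a client compute from a WPA-PSK passphrase, and why the passphrase quality is the whole defence. IEEE 802.11i derives the 256-bit key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and accepts a 64-hex-digit string as the raw key. The SSID is the only salt and is broadcast, so anyone who captures a single four-way handshake can test guesses offline; the `dictionary_attack` function models that check against the PSK directly to keep the example self-contained (a real attacker verifies against the handshake MIC). The candidate list and the "IEEE"/"password" pair are the 802.11i published test vector, not anything taken from the page.

```python
"""Added example (not Netopia code): WPA-PSK derivation per IEEE 802.11i, an
offline guess loop showing why short passphrases fail, and a generator for
passphrases that are not guessable. Standard library only."""
import hashlib
import hmac
import re
import secrets
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK. A 64-hex-digit passphrase is the key itself;
    anything else must be 8-63 printable ASCII characters and is stretched with
    PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(ssid: str, target_psk: bytes, candidates):
    """Offline guessing as an attacker with a captured handshake would do it.
    Each guess costs 4096 HMAC-SHA1 operations and nothing more; candidates that
    cannot be WPA passphrases are skipped. Returns the matching word or None."""
    for word in candidates:
        try:
            guess = wpa_psk(word, ssid)
        except ValueError:
            continue
        if hmac.compare_digest(guess, target_psk):
            return word
    return None


def random_passphrase(length: int = 20) -> str:
    """A passphrase with ~119 bits of entropy at length 20 over this 62-symbol
    alphabet, far beyond any offline dictionary or brute-force budget."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    print(dictionary_attack("IEEE", wpa_psk("password", "IEEE"), ["letmein", "qwerty", "password"]))
    print(random_passphrase())
```

Changing the SSID from the factory value does not protect a weak passphrase: the attacker simply re-derives candidates with the new SSID. Only the passphrase's length and randomness raise the cost.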
Wireless MAC Address Authorization Settings

set wireless mac-auth option { on | off }
Enabling this feature limits wireless access to the LAN and the WAN to the specified MAC (hardware) addresses. A MAC address is not a secret and is easily changed on most client adapters, so this filter supplements, rather than replaces, WPA privacy.

set wireless mac-auth wrlss-MAC-list mac-address MAC-address_string
Enters a new MAC address into the MAC address authorization table. The format for an Ethernet MAC address is six hexadecimal values between 00 and FF inclusive separated by colons or dashes (e.g.
☛ Note: To make a set of VLANs non-routable, the lan-uplink port must be included in at least one VLAN and must be excluded from any VLANs that are non-routable.

UPnP settings

set upnp option [ on | off ]
PCs using UPnP can retrieve the Gateway's WAN IP address and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. The default is on. Because UPnP port-map requests carry no authentication, any host (or malware) on the LAN can expose internal services to the Internet this way; set the option to off unless an application requires it.
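What "automatically create NAT port maps" looks like on the wire, as an added example that is not part of the Netopia guide: the LAN host finds the gateway with an SSDP M-SEARCH, reads the LOCATION of the device description to learn the WANIPConnection control URL, and POSTs a SOAP AddPortMapping with no credential of any kind. The SSDP reply and the 192.168.1.254:5431 URL in it are constructed for this example and do not describe the Netopia Gateway's actual implementation; `discover` is a network helper that is not invoked here.

```python
"""Added example (not Netopia code): the UPnP IGD exchange a LAN application uses
to open an inbound NAT mapping. SAMPLE_SSDP_REPLY is constructed for this example."""
import socket
import xml.etree.ElementTree as ET
from email.parser import BytesHeaderParser

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

SAMPLE_SSDP_REPLY = (  # constructed; a real reply names the gateway's own description URL
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
    b"LOCATION: http://192.168.1.254:5431/igd.xml\r\nSERVER: Example UPnP/1.0\r\n"
    b"ST: " + IGD_ST.encode() + b"\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::" + IGD_ST.encode() + b"\r\n\r\n")


def msearch_request(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP discovery datagram, sent to the multicast group 239.255.255.250:1900."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: %d\r\nST: %s\r\n\r\n' % (mx, st)).encode()


def parse_ssdp_response(datagram: bytes) -> dict:
    """Return the SSDP headers lower-cased; 'location' is the device description URL."""
    status, _, rest = datagram.partition(b"\r\n")
    if not status.startswith(b"HTTP/1.1 200"):
        raise ValueError("unexpected SSDP status line: %r" % status)
    return {k.lower(): v for k, v in BytesHeaderParser().parsebytes(rest).items()}


def add_port_mapping_soap(ext_port: int, int_port: int, int_client: str, proto: str = "TCP",
                          desc: str = "example", lease: int = 0):
    """HTTP headers and body for WANIPConnection:1 AddPortMapping. Note what is
    absent: there is no password, token or signature anywhere in the request."""
    action = "AddPortMapping"
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:%s xmlns:u="%s">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>'
        '<NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort>'
        '<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>%s</NewPortMappingDescription>'
        '<NewLeaseDuration>%d</NewLeaseDuration>'
        '</u:%s></s:Body></s:Envelope>'
    ) % (SOAP_ENV, action, WANIP_SERVICE, ext_port, proto, int_port, int_client, desc, lease, action)
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#%s"' % (WANIP_SERVICE, action)}
    return headers, body.encode()


def soap_arguments(body: bytes) -> dict:
    """Parse an AddPortMapping request back into its argument dictionary, as a
    gateway (or a monitoring sensor on the LAN) would when deciding what is being opened."""
    root = ET.fromstring(body)
    action = root.find("s:Body/u:AddPortMapping", {"s": SOAP_ENV, "u": WANIP_SERVICE})
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: child.text or "" for child in action}


def discover(timeout: float = 2.0) -> dict:
    """Multicast an M-SEARCH and return the first gateway's SSDP headers (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msearch_request(), ("239.255.255.250", 1900))
        data, _ = sock.recvfrom(8192)
        return parse_ssdp_response(data)
```

A sensor that passively decodes SOAP bodies on the LAN with `soap_arguments` gives an inventory of which hosts are opening which ports, which is the evidence needed to justify turning the option off.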
DSL Forum settings

TR-064 is a LAN-side DSL CPE configuration specification and TR-069 is a WAN-side DSL CPE management specification.

set dslf-lanmgmt option [ off | on ]
Turns TR-064 LAN-side management services on or off. The default is on.

TR-064. DSL Forum LAN Side CPE Configuration (TR-064) is an extension of UPnP. It defines more services to locally manage the Netopia Gateway.
CHAPTER 6 Glossary 10Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 10 Mbps. 100Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 100 Mbps. -----A----ACK. Acknowledgment. Message sent from one network device to another to indicate that some event has occurred. See NAK. access rate.
adapter. Board installed in a computer system to provide network communication capability to and from that computer system. address mask. See subnet mask. ADSL. Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream (to the subscriber) and 16-640 kbps upstream, depending on line distance. (Downstream rates are usually lower than 1.5 Mbps in practice.) AH.
-----B----backbone. The segment of the network used as the primary path for transporting traffic between network segments. baud rate. Unit of signaling speed equal to the number of times per second a signal in a communications channel varies between states. Baud is synonymous with bits per second (bps) only if each signal represents one bit. binary. Numbering system that uses only zeros and ones. bps. Bits per second. A measure of data transmission speed. BRI. Basic Rate Interface.
graph and Telephone. An international organization responsible for developing telecommunication standards. CD. Carrier Detect. CHAP. Challenge-Handshake Authentication Protocol. Security protocol in PPP that prevents unauthorized access to network services by answering a challenge with a hash rather than sending the secret itself. See RFC 1334 (updated for CHAP by RFC 1994). Compare PAP. client. Network node that requests services from a server. CPE. Customer Premises Equipment.
DCE. Data Communications Equipment. Device that connects the communication circuit to the network end node (DTE). A modem and a CSU/DSU are examples of a DCE. dedicated line. Communication circuit that is used exclusively to connect two network devices. Compare dial on demand. DES. Data Encryption Standard, a block cipher with a 56-bit key developed by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology); the key is too short to be considered secure today. 3DES.
organization (.GOV, .COM, .EDU) or geographical location (.US, .SE). domain name server. Network computer that matches host names to IP addresses in response to Domain Name System (DNS) requests. Domain Name System (DNS). Standard method of identifying computers by name rather than by numeric IP address. DSL. Digital Subscriber Line. Modems on either end of a single twisted pair wire that delivers ISDN Basic Rate Access. DTE. Data Terminal Equipment.
Parameter values supported include NONE or ESP. encryption. The application of a specific algorithm to a data set so that anyone without the key cannot understand the information. ESP. The Encapsulating Security Payload (ESP) header provides confidentiality, data origin authentication, connectionless integrity, anti-replay protection, and limited traffic flow confidentiality. It encrypts the contents of the datagram as specified by the Security Association.
frame. Logical grouping of information sent as a link-layer unit. Compare datagram, packet. FTP. File Transfer Protocol. Application protocol that lets one IP node transfer files to and from another node. FTP server. Host on network from which clients can transfer files. -----H----Hard MBytes. Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value.
HMAC. Hash-based Message Authentication Code hop. A unit for measuring the number of routers a packet has passed through when traveling from one network to another. hop count. Distance, measured in the number of routers to be traversed, from a local router to a remote network. See metric. hub. Another name for a repeater. The hub is a critical network element that connects everything to one centralized point. A hub is simply a box with multiple ports for network connections.
internet address. IP address. A 32-bit address used to route packets on a TCP/IP network. In dotted decimal notation, each eight bits of the 32-bit number are presented as a decimal number, with the four octets separated by periods. IPCP. Internet Protocol Control Protocol. A network control protocol in PPP specifying how IP communications will be configured and operated over a PPP link. IPSEC. A protocol suite defined by the Internet Engineering Task Force to protect IP traffic at packet level.
LQM. Link Quality Monitoring. Optional facility that lets PPP make policy decisions based on the observed quality of the link between peers. Documented in RFC 1333. loopback test. Diagnostic procedure in which data is sent from a device's output channel and directed back to its input channel so that what was sent can be compared to what was received. -----M----magic number. Random number generated by a router and included in packets it sends to other routers.
MTU. Maximum Transmission Unit. The maximum packet size, in bytes, that can be sent over a network interface. MULTI-LAYER. The Open System Interconnection (OSI) model divides network traffic into seven distinct levels, from the Physical (hardware) layer to the Application (software) layer. Those in between are the Presentation, Session, Transport, Network, and Data Link layers.
-----P----packet. Logical grouping of information that includes a header and data. Compare frame, datagram. PAP. Password Authentication Protocol. Security protocol within the PPP protocol suite that prevents unauthorized access to network services. See RFC 1334 for PAP specifications. Compare CHAP. parity. Method of checking the integrity of each character received over a communication channel. Peer External IP Address.
PING. Packet INternet Groper. Utility program that uses an ICMP echo message and its reply to verify that one network node can reach another. Often used to verify that two hosts can communicate over a network. PPP. Point-to-Point Protocol. Provides a method for transmitting datagrams over serial router-to-router or host-to-network connections using synchronous or asynchronous circuits. Pre-Shared Key. The Pre-Shared Key is a parameter used for authenticating each side.
RJ-45. Eight-pin connector used for 10BaseT (twisted pair Ethernet) networks. route. Path through a network from one node to another. A large internetwork can have several alternate routes from a source to a destination. routing table. Table stored in a router or other networking device that records available routes and distances for remote network destinations. -----S----SA Encrypt Type. SA Encryption Type refers to the symmetric encryption type.
An arbitrary 32-bit number called a Security Parameters Index (SPI), together with the destination host's address and the IPSEC protocol identifier, identifies each SA. An SPI is assigned to an SA when the SA is negotiated. The SA can be referred to by using an SPI in AH and ESP transformations. An SA is unidirectional. SAs are commonly set up as bundles, because typically two SAs are required for communications. SA management is always done on bundles (setup, delete, rekey). serial communication.
STATEFUL. The Netopia Gateway monitors and maintains the state of any network transaction. In terms of network request-and-reply, state consists of the source IP address, destination IP address, communication ports, and data sequence. The Netopia Gateway processes the stream of a network conversation, rather than just individual packets.
-----U----UTP. Unshielded twisted pair cable. -----V----VJ. Van Jacobson. Abbreviation for a compression standard documented in RFC 1144. -----W----WAN. Wide Area Network. Private network facilities, usually offered by public telephone companies but increasingly available from alternative access providers (sometimes called Competitive Access Providers, or CAPs), that link business network nodes. WWW. World Wide Web.
Description CHAPTER 7 Technical Specifications and Safety Information Description Dimensions: Smart Modems: 13.5 cm (w) x 13.5 cm (d) x 3.5 cm (h); 5.25” (w) x 5.25” (d) x 1.375” (h) Wireless Models: 19.5 cm (w) x 17.0 cm (d) x 4.0 cm (h); 7.6” (w) x 6.75” (d) x 1.5” (h) 3342/3352 Pocket Modems: 8.5 cm (w) x 4.5 cm (d) x 2 cm (h); 3.375” (w) x 1.75” (d) x .
Relative storage humidity: 20 to 80% noncondensing Software and protocols Software media: Software preloaded on internal flash memory; field upgrades done via download to internal flash memory via TFTP or web upload.
Agency approvals Agency approvals North America Safety Approvals: ■ United States – UL 60950, Third Edition ■ Canada – CSA: CAN/CSA-C22.2 No. 60950-00 EMC: ■ United States – FCC Part 15 Class B ■ Canada – ICES-003 Telecom: ■ United States – 47 CFR Part 68 ■ Canada – CS-03 International Safety Approvals: ■ Low Voltage (European directive) 73/23 ■ EN60950 (Europe) EMI Compatibility: ■ 89/336/EEC (European directive) ■ EN55022:1994 ■ EN300 386 V1.2.
The Netopia 3300 Series complies with the following EU directives: ■ Low Voltage, 73/23/EEC ■ EMC Compatibility, 89/336/EEC, conforming to EN 55 022 Manufacturer’s Declaration of Conformance ☛ Warnings: This is a Class B product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. Adequate measures include increasing the physical distance between this product and other electrical devices.
Manufacturer’s Declaration of Conformance ☛ Important This product was tested for FCC compliance under conditions that included the use of shielded cables and connectors between system components. Changes or modifications to this product not authorized by the manufacturer could void your authority to operate the equipment. Canada. This Class B digital apparatus meets all requirements of the Canadian Interference Causing Equipment Regulations.
Important Safety Instructions Australian Safety Information The following safety information is provided in conformance with Australian safety requirements: Caution DO NOT USE BEFORE READING THE INSTRUCTIONS: Do not connect the Ethernet ports to a carrier or carriage service provider’s telecommunications network or facility unless: a) you have the written consent of the network or facility manager, or b) the connection is in accordance with a connection permit or connection rules.
47 CFR Part 68 Information 47 CFR Part 68 Information FCC Requirements 1. The Federal Communications Commission (FCC) has established Rules which permit this device to be directly connected to the telephone network. Standardized jacks are used for these connections. This equipment should not be used on party lines or coin phones. 2.
d) The REN is used to determine the number of devices that may be connected to a telephone line. Excessive RENs on a telephone line may result in the devices not ringing in response to an incoming call. In most but not all areas, the sum of RENs should not exceed five (5.0). To be certain of the number of devices that may be connected to a line, as determined by the total RENs, contact the local telephone company.
Netopia 3300 series Netopia, Inc. 6001 Shellmound Street Emeryville, CA 94608 www.netopia.com Netopia Europe 2 rue du Docteur Lombard 92130 Issy Les Moulineaux FRANCE Netopia Europe’s technical support: > in English +44 (0)20 7295 00 36 support@netopia.co.uk > in French From France: 0825 06 2424 (0,125 Euros HT/min) From Overseas:+33 (0)1 41 83 44 71 support@netopia.