Netopia Firmware User Guide
3300-ENT Enterprise Series
Netopia Firmware Version 8.
Copyright © 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc. All other trademarks are the property of their respective owners. All rights reserved.
Netopia, Inc.
6001 Shellmound Street
Emeryville, CA 94608
U.S.A.
Chapter 1 Introduction

This Firmware User Guide covers the advanced features of the Netopia 3300-Series Router family. Your Netopia equipment offers advanced configuration features accessed through the Main Menu of the Telnet configuration screen. This Firmware User Guide documents the advanced features, including advanced testing, security, monitoring, and configuration. It should be used as a companion to the Quickstart Guide and the Getting Started Guide.

Telnet-based Management

Telnet-based management is a fast menu-driven interface to the capabilities built into Netopia Firmware Version 8.4. It provides access to a wide variety of features that the Router supports, and you can customize these features for your individual setup. This chapter describes how to access the Telnet-based management screens.
provider or remote site. See “WAN Configuration,” beginning on page 2-1. See also Chapter 4, “Virtual Private Networks (VPNs).”
• The System Configuration menus display and permit changing:
  • IP Setup
  • Filter Sets
  • IP Address Serving
  • Network Address Translation (NAT)
  • Date and Time
  • SNMP (Simple Network Management Protocol)
  • Security
  • Upgrade Feature Set
  • Change Device to a Bridge
  • Logging
  and more. See “System Configuration Screens,” beginning on page 2-22.
Configuring Telnet software

If you are configuring your device using a Telnet session, your computer must be running a Telnet software program.
• If you connect a PC with Microsoft Windows, you can use a Windows Telnet application or run Telnet from the Start menu.
• If you connect a Macintosh computer running Classic Mac OS, you can use the NCSA Telnet program supplied on the Netopia CD. You install NCSA Telnet by dragging the application from the CD to your hard disk.

To help you find your way to particular screens, some sections in this guide begin with a graphical path guide similar to the following example:

    Main Menu → System Configuration → IP Setup

This particular path guide shows how to get to the Network Protocols Setup screens. The path guide represents these steps:
1. Beginning in the Main Menu, select System Configuration and press Return. The System Configuration screen appears.
2. Select IP Setup and press Return.
Chapter 2 WAN and System Configuration

This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s connection profiles and system configuration.

WAN Ethernet Configuration screen

The WAN Ethernet Configuration screen appears as follows:

    WAN Ethernet Configuration
      Address Translation Enabled:      Yes
      Local WAN IP Address:             0.0.0.0
      NAT Map List...                   Easy-PAT List
      NAT Server List...                Easy-Servers
      NAT Options...
      Stateful Inspection Enabled:      No
      Filter Set...
      Remove Filter Set
      Enable PPP over Ethernet:
      WAN Ethernet Speed Setting...
• The WAN Ethernet Speed Setting is now configurable via a pop-up menu. Options are: Auto-Negotiation (the default), 100 Mbps Full Duplex, 100 Mbps Half Duplex, 10 Mbps Full Duplex, and 10 Mbps Half Duplex. This may be useful in mixed networks, where multiple routers have different Ethernet speed capabilities.

If you want the Netopia Router to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2 (broadcast), or v2 (multicast) from the pop-up menu. With Transmit RIP v1 selected, Netopia Firmware Version 8.4 generates RIP packets only to other RIP v1 routers. With Transmit RIP v2 (broadcast) selected, it generates RIP packets to all other hosts on the network.

VCs are identified by a Virtual Path Identifier (VPI) and a Virtual Channel Identifier (VCI). A VPI is an 8-bit value between 0 and 255, inclusive, while a VCI is a 16-bit value between 0 and 65535, inclusive.
• Circuits support attributes in addition to their VPI and VCI values. When configuring a circuit, you can specify an optional circuit name of up to 14 characters.
    Add Circuit
      Circuit Name:                       Circuit 2
      Circuit Enabled:                    Yes
      Circuit VPI (0-255):                0
      Circuit VCI (32-65535):
      QoS...                              +-------------+
      Peak Cell Rate (0 = line rate):     | UBR         |
                                          | CBR         |
      Use Connection Profile...           | VBR         |
      Use Default Profile for Circuit     +-------------+
      ADD Circuit NOW                     CANCEL

• Enter a name for the circuit in the Circuit Name field.
• Toggle Circuit Enabled to Yes.

    Add Circuit
      Circuit Name:                       Circuit 2
      Circuit Enabled:                    Yes
      Circuit VPI (0-255):                0
      Circuit VCI (32-65535):             32
      QoS...                              VBR
      Peak Cell Rate (0 = line rate):     0
      Sustained Cell Rate:                0
      Maximum Burst Size:                 0
      Use Connection Profile...           Default Profile
      Use Default Profile for Circuit
      ADD Circuit NOW                     CANCEL
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.

Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will automatically statically bind according to pre-defined dynamic binding rules when you add the second VC. It will revert to dynamic binding if the number of VCs is reduced to one, for example by deleting previously defined VCs.
Creating a New Connection Profile

Connection profiles are useful for configuring the connection and authentication settings for negotiating a PPP connection. If you are using the PPP data link encapsulation method, you can store your authentication information in the connection profile so that your user name and password (or host name and secret) are transmitted when you attempt to connect.

Multiple Data Link Encapsulation Settings

4. Select Encapsulation Options and press Return.
• If you selected ATMP, PPTP, L2TP, or IPSec, see Chapter 4, “Virtual Private Networks (VPNs).”
• If you selected PPP or RFC1483, the screen offers different options:

    Add Connection Profile
      Profile Name:
      Profile Enabled:
      Encapsulation Type...
      RFC1483 Mode...

    Datalink (PPP/MP) Options
      Data Compression...       Standard LZS
      Send Authentication...    PAP
      Send User Name:
      Send Password:
      Receive User Name:
      Receive Password:
      Dial on Demand:

• Data Compression defaults to Standard LZS.

    IP Profile Parameters
      Address Translation Enabled:    Yes
      IP Addressing...                Numbered
      NAT Map List...                 Easy-PAT List
      NAT Server List...              Easy-Servers
      NAT Options...
      Stateful Inspection Enabled:    No
      Local WAN IP Address:           0.0.0.0
      Local WAN IP Mask:              0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...
    Return/Enter to select ... Configure IP requirements for a remote network connection here.

6. Toggle or enter your IP Parameters.
• The Receive RIP pop-up menu controls the reception and transmission of Routing Information Protocol (RIP) packets on the WAN port. The default is Both v1 and v2. A Transmit RIP pop-up menu is hidden if NAT is enabled. Routing Information Protocol (RIP) is needed if there are IP routers on other segments of your Ethernet network that the Netopia Router needs to recognize. Set to “Both” (the default), Netopia Firmware Version 8.

Advanced Connection Options

Configuration Changes Reset WAN Connection

The menu supports delaying some configuration changes until after the Netopia Router is restarted. If your Netopia Router is preconfigured by your service provider, or if you are not remotely configuring the router, you can leave this setting unchanged.

When you toggle Configuration Changes Reset WAN Connection either to Yes or No using the Tab key and press Return, a pop-up window in the Advanced Connection Options screen asks you to confirm your choice. The pop-up reads: “The Router will now be restarted to allow this feature to function properly.
Scheduled Connections

    Scheduled Connections
      Display/Change Scheduled Connection...
      Add Scheduled Connection...
      Delete Scheduled Connection...
    Navigate from here to add/modify/change/delete Scheduled Connections.

Viewing scheduled connections

To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table.

    Scheduled Connections
      +-Days----Begin At---HH:MM---When----Conn. Prof.

• The time of day that the connection will Begin At
• The duration of the connection (HH:MM)
• Whether it’s a recurring Weekly connection or used Once Only
• Which connection profile (Conn. Prof.) is used to connect
• Whether the scheduled connection is currently Enabled

The Router checks the date and time set in scheduled connections against the system date and time.

• Demand-Blocked, meaning that this schedule will prevent a demand call on the line.
• Periodic, meaning that the connection is retried several times during the scheduled time.

• Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per call.
• Retry interval (minutes) becomes visible if you have selected Random Retry. This option sets the upper limit on the number of minutes used for the retry time (the attempts after the first three attempts). It accepts values of 1 – 255 minutes; the default setting is 5 minutes.

You are finished configuring the once-only options. Return to the Add Scheduled Connection screen to continue.
• In the Add Scheduled Connection screen, select Use Connection Profile and choose from the list of connection profiles you have already created. A scheduled connection must be associated with a connection profile to be useful. The connection profile becomes active during the times specified in the associated scheduled connection, if any exists.
    Advanced Connection Options
      Scheduled Connections...
      Backup Configuration...
      Prioritize Delay-Sensitive Data:    No
    Return/Enter to configure SA Backup Parameters.

The Router recognizes a delay-sensitive packet as one having the low-latency bit set in the TOS field of the IP header. If you toggle Prioritize Delay-Sensitive Data to Yes, the router places these packets at the front of the transmission queue to the WAN link, overtaking non-delay-sensitive traffic.

System Configuration Screens

System configuration features

The Netopia Router’s default settings may be all you need to configure. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, Netopia Firmware Version 8.4 provides system configuration options.

IP Setup
These screens allow you to configure your network’s use of the IP networking protocol.
• Details are given in “IP Setup” on page 6-2.

Filter Sets
These screens allow you to configure security on your network by means of filter sets and a basic firewall.
• Details are given in “Security” on page 9-1.

IP Address Serving
These screens allow you to configure IP address serving on your network by means of DHCP, WANIP, and BootP.
• UDP no-activity time-out: The time in seconds after which a UDP session will be terminated if there is no traffic on the session.
• TCP no-activity time-out: The time in seconds after which a TCP session will be terminated if there is no traffic on the session.
• Exposed Addresses: The hosts specified in Exposed Addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic.

    IP Profile Parameters
      Address Translation Enabled:    No
      IP Addressing...                Numbered
      Stateful Inspection Enabled:    Yes
      Stateful Inspection Options...
      Local WAN IP Address:           0.0.0.0
      Local WAN IP Mask:              0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...
    Configure IP requirements for a remote network connection here.

Select Stateful Inspection Options and press Return. The Stateful Inspection Parameters screen appears.

    Stateful Inspection Parameters
      Max.

Note: If Stateful Inspection is enabled on a base connection profile (for example, for PPP, RFC1483 bridged/routed, or PPPoE), Enable default mapping to router must be Yes to allow inbound VPN terminations (for example, PPTP/ATMP client access to the router).
• Deny Fragmented Packets: Toggling this option to Yes causes the router to discard fragmented packets on this interface.

Exposed Addresses

You can specify the IP addresses you want to expose by selecting Add Exposed Address List and pressing Return. The Add Exposed Address List screen appears.

    Add Exposed Address List
      Exposed Address List Name:    my_xposed_addr_list
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.

The Add, Edit, and Delete exposed address options are active only if NAT is disabled on a WAN interface.

• Protocol: Select the protocol of the traffic to be allowed to the host range from the pull-down menu. Options are Any, TCP, UDP, or TCP/UDP.
• Start Port: Start port of the range to be allowed to the host range. The acceptable range is from 1 to 65535.
• End Port: End port of the range to be allowed to the host range.
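As an added illustration, not taken from the Netopia guide, the following Python model shows how the stateful inspection options described above interact: a session table keyed on outbound flows, entries expired by the UDP and TCP no-activity time-outs, unsolicited inbound traffic admitted only for hosts on an Exposed Address entry whose protocol and port range match, and fragments dropped when Deny Fragmented Packets is set. The class and function names, the time-out values and the sample packets are all constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Constructed model of the Stateful Inspection options in this chapter (hypothetical
# names, not the router's own code): per-protocol no-activity time-outs, an Exposed
# Address entry (host range, protocol, start/end port) and Deny Fragmented Packets.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "TCP" or "UDP"
    sport: int
    dport: int
    fragment: bool = False

@dataclass(frozen=True)
class ExposedEntry:
    first_host: str
    last_host: str
    proto: str            # "Any", "TCP", "UDP" or "TCP/UDP", as in the pull-down menu
    start_port: int       # 1..65535
    end_port: int

    def matches(self, pkt: Packet) -> bool:
        in_range = IPv4Address(self.first_host) <= IPv4Address(pkt.dst) <= IPv4Address(self.last_host)
        proto_ok = self.proto == "Any" or pkt.proto in self.proto.split("/")
        return in_range and proto_ok and self.start_port <= pkt.dport <= self.end_port

@dataclass
class StatefulInspector:
    udp_timeout: int                      # UDP no-activity time-out, seconds
    tcp_timeout: int                      # TCP no-activity time-out, seconds
    deny_fragments: bool = False
    exposed: list = field(default_factory=list)
    # outbound 5-tuple (lan_ip, lan_port, wan_ip, wan_port, proto) -> last activity time
    sessions: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet, now: int) -> None:
        """LAN-to-WAN traffic creates or refreshes a session entry."""
        self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = now

    def inbound(self, pkt: Packet, now: int) -> str:
        """WAN-to-LAN decision: 'session', 'exposed' or 'dropped'."""
        if pkt.fragment and self.deny_fragments:
            return "dropped"
        # The reply's destination is the LAN host that opened the session.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        last = self.sessions.get(key)
        if last is not None:
            limit = self.tcp_timeout if pkt.proto == "TCP" else self.udp_timeout
            if now - last <= limit:
                self.sessions[key] = now
                return "session"
            del self.sessions[key]        # idle longer than the no-activity time-out
        if any(entry.matches(pkt) for entry in self.exposed):
            return "exposed"
        return "dropped"

def demo() -> list:
    """Run constructed sample traffic through the model and return the decisions."""
    insp = StatefulInspector(udp_timeout=30, tcp_timeout=300, deny_fragments=True,
                             exposed=[ExposedEntry("192.168.1.45", "192.168.1.45", "TCP", 25, 25)])
    insp.outbound(Packet("192.168.1.10", "203.0.113.5", "UDP", 5000, 53), now=100)
    return [
        insp.inbound(Packet("203.0.113.5", "192.168.1.10", "UDP", 53, 5000), now=120),   # reply, 20 s idle
        insp.inbound(Packet("203.0.113.5", "192.168.1.10", "UDP", 53, 5000), now=200),   # 80 s idle > 30
        insp.inbound(Packet("203.0.113.9", "192.168.1.45", "TCP", 40000, 25), now=200),  # exposed SMTP port
        insp.inbound(Packet("203.0.113.9", "192.168.1.45", "TCP", 40000, 80), now=200),  # port not exposed
        insp.inbound(Packet("203.0.113.9", "192.168.1.45", "TCP", 40000, 25, fragment=True), now=200),
    ]

if __name__ == "__main__":
    print(demo())
```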
Date and time

You can set the system’s date and time parameters in the Set Date and Time screen. Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears.

    Set Date and Time
      NTP (Network Time Prot.) Enabled:     On
      Time Server Host Name/IP Address      204.152.184.
      Time Zone...
      NTP Update Interval (HHHH:MM)

Wireless configuration

If your Router is a wireless model (such as a 3347W) you can enable or disable the wireless LAN by selecting Wireless Configuration. The Wireless Configuration screen appears.

    Wireless LAN Configuration
      Enable Wireless:        Yes
      Enable Segmentation:    No
      SSID:                   5247 3521
      Channel...              6
      Closed System...        Open
      Enable Privacy...       Off
      Wireless MAC Authentication...
    Return/Enter accepts * Tab toggles * ESC cancels.

Enable Wireless is set to Yes by default.
region. The widest range available is from 1 to 14. However, in North America only 1 to 11 may be selected. Europe, France, Spain and Japan will differ. Channel selection can have a significant impact on performance, depending on other wireless activity close to this Gateway. Channel selection is not necessary at the client computers; the clients will scan the available channels seeking access points using the same ESSID as the client.

    Wireless LAN Configuration
      Enable Wireless:        Yes
      Enable Segmentation:    No
      SSID:                   5247 3521
      Channel...              +---------------------------+
      Closed System...        | Off                       |
      Enable Privacy...       | WEP - Manual              |
                              | WEP - Automatic           |
                              | WPA - PSK (Pre-Shared Key)|
                              +---------------------------+
      Wireless MAC Authentication...

The Pre Shared Key field becomes visible to allow you to enter a Pre Shared Key.

    Wireless LAN Configuration
      Enable Wireless:    Yes
      SSID:               4405 2605
      Channel...          6
      Closed System...    Open
      Enable WEP...       On - Automatic
      Default Key...      1
      Passphrase:         Well I stand up next to a mountain,
      Key 1 (40b):        5ad06701b4
      Key 2 (128b):       80a6ab74749ea5a251011d8979
      Key 3 (128b):       e024cb9417a521b0e49e208fef
      Key 4 (40b):        46a968d564
    Enter a phrase and hit Enter to generate your encryption keys.

You select a single key for encryption of outbound traffic.

needs to be done once. Avoid the temptation to enter all the same characters.

    Wireless LAN Configuration
      Enable Wireless:    Yes
      SSID:               4405 2605
      Channel...          6
      Closed System...    Open
      Enable WEP...       On - Manual
      Default Key...
      Key 1
      Key 2
      Key 3
      Key 4
The Wireless MAC Authorization screen appears.

    Authorized Wireless MAC Addresses
      Enable MAC Authentication:    Yes
      Display/Change MAC Addresses...
      Add MAC Address...
      Delete MAC Address...

To enable Wireless MAC Authorization, toggle Enable MAC Authentication to Yes. You can toggle it to No to disable it at any time. Select Add MAC Address and press Return. The Add Wireless MAC Address screen appears.

Your entry will be added to a list of up to 32 authorized addresses. To display the list of authorized MAC addresses, select Display/Change MAC Addresses from the Authorized Wireless MAC Addresses menu. The list is displayed as shown below.

Change Device to a Bridge

For Netopia DSL Routers, this feature allows you to turn off the routing features and use your device as a bridge. It is not an option for Ethernet WAN models. If you select this option, the device will restart itself and reset all settings to factory defaults. Any configuration you have made will be erased. Use this feature with caution. If you decide to reinstate the routing capabilities, you must reconfigure the device from scratch.

    Netopia Router
      WAN Configuration...
      System Configuration...
      Utilities & Diagnostics...
      Statistics & Logs...
      Quick View...

You can reinstate Router mode by returning to the System Configuration menu.

    System Configuration
      Management
      IP Setup...
      Filter Sets...
      Date and Time...
      SNMP (Simple Network Management Protocol)...
      Security...
      Upgrade Feature Set...
      Change Device to a Router...
      Logging...
    Use this screen if you want options beyond Easy Setup.
The Logging Configuration screen appears.

    Logging Configuration
      WAN Event Log Options
        Log Boot and Errors:      Yes
        Log Line Specific:        Yes
        Log Connections:          Yes
        Log PPP, DHCP, CNA:       Yes
        Log IP:                   Yes
      Syslog Parameters
        Syslog Enabled:           No
        Hostname or IP Address:
        Facility...               Local 0

By default, all events are logged in the event history.
• By toggling each event descriptor to either Yes or No, you can determine which ones are logged and which are ignored.

You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in the Logging Configuration screen. The following screen shows a sample syslog dump of WAN events:

    May 5 10:14:06 tsnext.netopia.com
Chapter 3 Multiple Network Address Translation

Netopia Firmware Version 8.4 offers advanced Multiple Network Address Translation functionality. You should read this chapter completely before attempting to configure any of the advanced NAT features.

Features

MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on a per-Connection Profile basis. The following is a general description of these features:

Port Address Translation
The simplest form of classic Network Address Translation is PAT (Port Address Translation). PAT allows a group of computers on a LAN, such as might be found in a home or small office, to share a single Internet connection using one IP address.

Dynamic mapping
Dynamic mapping, often referred to as many-to-few, extends the advantages provided by static mapping. Instead of requiring a one-to-one association of public addresses and private addresses, as static mapping does, dynamic mapping uses a group of public IP addresses to dynamically allocate static mappings to private hosts that are communicating with the public network.

[Figure: dynamic NAT example. WAN network public addresses 172.16.1.25 through 172.16.1.29, labelled Available for Dynamic NAT and Used for Normal NAT; LAN network private hosts 192.168.1.3 through 192.168.1.16.]

Complex maps
Map lists and server lists are completely independent of each other. A Connection Profile can use one or the other or both. MultiNAT allows complex mapping and requires more complex configuration than in earlier firmware versions. Multiple mapped interior subnets are supported, and the rules for mapping each of the subnets may be different. The figure below illustrates a possible MultiNAT configuration.

[Figure: example MultiNAT configuration with public addresses 206.1.1.1, 206.1.1.2, 206.1.1.3, 206.1.1.4, ...]
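To make the three map types concrete, here is an added Python model (constructed for this guide, not Netopia code) of a map list whose entries are static (one-to-one), dynamic (many-to-few) or PAT (many-to-one) ranges. The private and public addresses reuse those shown in this chapter's screens; the dynamic pool 206.1.1.3 through 206.1.1.4, the first-matching-map rule between overlapping private ranges, and returning None when a dynamic pool is exhausted are assumptions made for the example.

```python
from ipaddress import IPv4Address

class NatMap:
    """One entry of a MultiNAT map list: a private address range bound to a public
    range of type 'static', 'dynamic' or 'pat'.  Constructed model, not Netopia code."""

    def __init__(self, kind, first_private, last_private, first_public, last_public=None):
        self.kind = kind
        self.first_private = IPv4Address(first_private)
        self.last_private = IPv4Address(last_private)
        self.first_public = IPv4Address(first_public)
        self.last_public = IPv4Address(last_public or first_public)
        private_size = int(self.last_private) - int(self.first_private)
        public_size = int(self.last_public) - int(self.first_public)
        if kind == "static" and private_size != public_size:
            raise ValueError("static map needs equal-sized private and public ranges")
        if kind == "pat" and public_size != 0:
            raise ValueError("PAT maps a whole private range to one public address")
        self.leases = {}          # dynamic: private host -> public address currently held
        self.pat_ports = {}       # pat: (private host, private port) -> public port
        self.next_pat_port = 1024

    def covers(self, private_ip):
        return self.first_private <= IPv4Address(private_ip) <= self.last_private

    def translate(self, private_ip, sport):
        """Return (public_ip, public_port) for an outbound flow from private_ip:sport,
        or None when a dynamic pool has no free address (assumed behaviour)."""
        priv = IPv4Address(private_ip)
        if self.kind == "static":
            # one-to-one: same offset inside the public range as inside the private range
            return str(self.first_public + (int(priv) - int(self.first_private))), sport
        if self.kind == "dynamic":
            # many-to-few: an active private host holds one address from the public pool
            pub = self.leases.get(priv)
            if pub is None:
                in_use = set(self.leases.values())
                pool_size = int(self.last_public) - int(self.first_public) + 1
                free = [self.first_public + i for i in range(pool_size)
                        if self.first_public + i not in in_use]
                if not free:
                    return None
                pub = self.leases[priv] = free[0]
            return str(pub), sport
        # pat: many-to-one, every (host, port) pair gets its own public port
        key = (priv, sport)
        if key not in self.pat_ports:
            self.pat_ports[key] = self.next_pat_port
            self.next_pat_port += 1
        return str(self.first_public), self.pat_ports[key]

    def release(self, private_ip):
        """Dynamic maps return the public address to the pool when the host goes idle."""
        self.leases.pop(IPv4Address(private_ip), None)


class MapList:
    """Map list bound to a profile; the first map covering the private host is used
    (ordering assumption made for this example)."""

    def __init__(self, *maps):
        self.maps = list(maps)

    def translate(self, private_ip, sport):
        for nat_map in self.maps:
            if nat_map.covers(private_ip):
                return nat_map.translate(private_ip, sport)
        return None


def build_example_list():
    """Constructed map list reusing the ranges shown in this chapter's screens."""
    return MapList(
        NatMap("static", "192.168.1.253", "192.168.1.254", "206.1.1.1", "206.1.1.2"),
        NatMap("dynamic", "192.168.1.100", "192.168.1.199", "206.1.1.3", "206.1.1.4"),
        NatMap("pat", "192.168.1.1", "192.168.1.254", "206.1.1.6"),
    )

if __name__ == "__main__":
    ml = build_example_list()
    for host in ("192.168.1.254", "192.168.1.100", "192.168.1.10"):
        print(host, "->", ml.translate(host, 4000))
```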
Support for Yahoo Messenger

Netopia Firmware Version 8.4 provides Application Level Gateway (ALG) support for Yahoo Messenger. This allows Yahoo Messenger users to exchange files even when both users are behind NAT. Previously, the file transfer function would work only if one or neither of the two users was behind NAT. Currently there is a restriction that the remote user must be routed to via the WAN interface, otherwise the connections will fail.

The two map lists, Easy-PAT List and Easy-Servers, are created by default and NAT configuration becomes effective. This will map all your private addresses (0.0.0.0 through 255.255.255.255) to your public address. These map lists are bound to the Easy Setup Profile. See Binding Map Lists and Server Lists on page 3-21. This is all you need to do if you want to continue to use a single PAT, or 1-to-many, NAT configuration.

    IP Setup
      Ethernet IP Address:             192.168.1.1
      Ethernet Subnet Mask:            255.255.255.0
      Define Additional Subnets...
      Default IP Gateway:              127.0.0.2
      Primary Domain Name Server:      0.0.0.0
      Secondary Domain Name Server:    0.0.0.0
      Domain Name:                     isp.com
      Receive RIP...                   Both
      Transmit RIP...                  Off
      Static Routes...
      Network Address Translation (NAT)...
      IP Address Serving...
    Set up the basic IP attributes of your Netopia in this screen.

Select Network Address Translation (NAT) and press Return.

NAT rules

The following rules apply to assigning NAT ranges and server lists:
• Static public address ranges must not overlap other static ranges, PAT public addresses, or the public address assigned to the Router’s WAN interface.
• A PAT public address must not overlap any static address ranges. It may be the same as another PAT address or server list address, but the port range must not overlap.
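The two rules above can be checked mechanically before a map list is bound to a profile. The following Python validator is an added example, not Netopia code: it models a static public range, a PAT public address with its port range, and exported server entries under hypothetical names, and `sample_check` builds one consistent and one deliberately broken configuration from the addresses in this chapter's screens plus constructed port ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Hypothetical data model for the NAT rules above (constructed, not the router's own).

@dataclass(frozen=True)
class StaticRange:
    name: str
    first: IPv4Address
    last: IPv4Address

@dataclass(frozen=True)
class PatRange:
    name: str
    address: IPv4Address      # a PAT range is a single public address...
    first_port: int           # ...with the port range used for translation
    last_port: int

@dataclass(frozen=True)
class ServerEntry:
    public: IPv4Address       # exported server: public address and exported port(s)
    first_port: int
    last_port: int

def _addresses_overlap(a: StaticRange, b: StaticRange) -> bool:
    return a.first <= b.last and b.first <= a.last

def _ports_overlap(a, b) -> bool:
    return a.first_port <= b.last_port and b.first_port <= a.last_port

def check_nat_rules(wan_ip: str, statics, pats, servers) -> list:
    """Return the rule violations found (an empty list means the ranges are consistent)."""
    wan = IPv4Address(wan_ip)
    problems = []
    for i, s in enumerate(statics):
        # Rule 1: static ranges may not overlap other statics, PAT addresses or the WAN address
        if s.first <= wan <= s.last:
            problems.append(f"static range {s.name} contains the WAN interface address {wan}")
        for t in statics[i + 1:]:
            if _addresses_overlap(s, t):
                problems.append(f"static ranges {s.name} and {t.name} overlap")
        for p in pats:
            if s.first <= p.address <= s.last:
                problems.append(f"PAT address {p.address} ({p.name}) lies inside static range {s.name}")
    for i, p in enumerate(pats):
        # Rule 2: a PAT address may equal another PAT or server-list address only if the
        # port ranges are disjoint
        for q in pats[i + 1:]:
            if p.address == q.address and _ports_overlap(p, q):
                problems.append(f"PAT ranges {p.name} and {q.name} share {p.address} with overlapping ports")
        for srv in servers:
            if p.address == srv.public and _ports_overlap(p, srv):
                problems.append(f"PAT range {p.name} and an exported server on {srv.public} have overlapping ports")
    return problems

def sample_check() -> tuple:
    """Constructed configurations: one consistent, one violating every rule."""
    ip = IPv4Address
    consistent = check_nat_rules(
        "206.1.1.254",
        [StaticRange("my_second_range", ip("206.1.1.1"), ip("206.1.1.2"))],
        [PatRange("my_first_range", ip("206.1.1.6"), 1024, 65535)],
        [ServerEntry(ip("206.1.1.6"), 25, 25)])          # smtp export on the PAT address
    broken = check_nat_rules(
        "206.1.1.2",
        [StaticRange("a", ip("206.1.1.1"), ip("206.1.1.4")),
         StaticRange("b", ip("206.1.1.3"), ip("206.1.1.5"))],
        [PatRange("p", ip("206.1.1.4"), 1024, 65535),
         PatRange("q", ip("206.1.1.9"), 1, 2000),
         PatRange("r", ip("206.1.1.9"), 2000, 3000)],
        [ServerEntry(ip("206.1.1.9"), 80, 80)])
    return consistent, broken

if __name__ == "__main__":
    ok, bad = sample_check()
    print("consistent:", ok)
    print("\n".join(bad))
```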
Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range.
• Select ADD NAT PUBLIC RANGE and press Return. The range will be added to your list and you will be returned to the Network Address Translation screen.

Once the public ranges have been assigned, the next step is to bind interior addresses to them.

    Add NAT Map ("my_map")
      First Private Address:    192.168.1.1
      Last Private Address:     192.168.1.254
      Use NAT Public Range...
      ADD NAT MAP               CANCEL

• Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
• Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have defined.
• The Add NAT Map screen now displays the range you have assigned.

    Add NAT Map ("my_map")
      First Private Address:           192.168.1.1
      Last Private Address:            192.168.1.254
      Use NAT Public Range...          my_first_range
      Public Range Type is:            pat
      Public Range Start Address is:   206.1.1.6
      ADD NAT MAP                      CANCEL

• Select ADD NAT MAP and press Return. Your mapping is added to your map list.

Modifying map lists

You can make changes to an existing map list after you have created it.

The Show/Change NAT Map List screen appears.

    Show/Change NAT Map List
      Map List Name:    my_map
      Add Map...
      Show/Change Maps...
      Delete Map...

• Add Map allows you to add a new map to the map list.
• Show/Change Maps allows you to modify the individual maps within the list.
• Delete Map allows you to delete a map from the list.
Selecting Show/Change Maps or Delete Map displays the same pop-up menu.

The Change NAT Map screen appears.

    Change NAT Map ("my_map")
      First Private Address:           192.168.1.253
      Last Private Address:            192.168.1.254
      Use NAT Public Range...          my_second_range
      Public Range Type is:            static
      Public Range Start Address is:   206.1.1.1
      Public Range End Address is:     206.1.1.2
      CHANGE NAT MAP                   CANCEL

Make any modifications you need, then select CHANGE NAT MAP and press Return.
Adding Server Lists

Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list. Select Add Server List from the Network Address Translation screen. The Add NAT Server List screen appears.

    Add NAT Server List
      Server List Name:    my_servers
      Add Server...

    Add NAT Server ("my_servers")
      Service...
      Server Private IP Address:    192.168.1.45
      Public IP Address:            206.1.1.1
      ADD NAT SERVER                CANCEL

• Select Service and press Return. A pop-up menu appears listing a selection of commonly exported services.

    Add NAT Server ("my_servers")
      Service...    +-Type------Port(s)-------+
                    +-------------------------+

    Other Exported Port
      First Port Number (1..65535):    31337
      Last Port Number (1..65535):     31337
      OK                               CANCEL

• Enter the First and Last Port Number between ports 1 and 65535.
• Select OK and press Return. You will be returned to the Add NAT Server screen.
Enter the Server Private IP Address of the server whose service you are exporting.

• Select the Server List Name you want to modify from the pop-up menu and press Return.

    Network Address Translation
      +-NAT Server List Name-+
      +----------------------+
      | my_servers           |
      +----------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

The Show/Change NAT Server List screen appears.

    Show/Change NAT Server List
      Server List Name:    my_servers
      Add Server...

    Show/Change NAT Server List
      +-Private Address--Public Address----Port------------+
      +----------------------------------------------------+
      | 192.168.1.254    206.1.1.6         smtp            |
      | 192.168.1.254    206.1.1.5         smtp            |
      | 192.168.1.254    206.1.1.4         smtp            |
      | 192.168.1.254    206.1.1.3         smtp            |
      | 192.168.1.254    206.1.1.                          |

A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.

    Show/Change NAT Server List
      +-Internal Address-External Address--Port------------+
      +----------------------------------------------------+
      | 192.168.1.254    206.1.1.
Multiple Network Address Translation 3-21 Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile.
    IP Profile Parameters
    +--NAT Map List Name---+
    | Easy-PAT             |
    | my_map               |
    | <>                   |
    +----------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

(The pop-up overlays the IP Profile Parameters fields: Address Translation, IP Addressing, NAT Map List, NAT Server List, Local WAN IP, Remote IP Address, Remote IP Mask, Filter Set, Remove Filter, Receive RIP.)
IP Parameters (WAN Default Profile)

The Netopia Firmware Version 8.4 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile. The procedure is similar to the procedure for binding map lists and server lists to a Connection Profile. From the Main Menu go to the WAN Configuration screen, then the Default Profile screen. Select IP Parameters and press Return.
    IP Parameters (Default Profile)
    +--NAT Map List Name---+
    | Easy-PAT List        |
    | my_map               |
    | <>                   |
    +----------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

• Select the map list you want to bind to the default profile and press Return.
NAT Associations

Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection, because map and server lists must be linked to a profile that controls the WAN interface. This can be a Connection Profile, a WAN Ethernet interface, a default profile, or a default answer profile.
    NAT Associations
    Profile/Interface Name     Nat   NAT Map List Name   Server List Name
    Easy Setup Profile         On    Easy-PAT List       my_servers
    Profile 01                 On    my_first_map        my_servers
    Profile 02                 On    my_second_map       my_server_list
    Profile 03                 On    my_map              <>
    Profile 04                 On    <>                  <>
    Default Answer Profile     On    (hidden by pop-up)  my_servers
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
IP Passthrough

Netopia Firmware Version 8.4 offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the router's public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Using IP passthrough:
• The public WAN IP is used to provide IP address translation for private LAN computers.
The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown.

    IP Profile Parameters
        Address Translation Enabled:  Yes
        IP Addressing...              Numbered
        NAT Map List...               Easy-PAT List
        NAT Server List...            Easy-Servers
        NAT Options...
        Stateful Inspection Enabled:  No

        Local WAN IP Address:         0.0.0.0
        Local WAN IP Mask:            0.0.0.0

        Filter Set...
        Remove Filter Set
        RIP Profile Options...
    NAT Options
        IP Passthrough Enabled:           Yes
        IP Passthrough DHCP Enabled:      Yes
        IP Passthrough DHCP MAC address:  00-00-00-00-00-00

    Enter MAC addr. of IP passthrough host, or zeroes for first come first serve.

Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. This is an editable field in which you enter the MAC (hardware) address of the designated PC; it is used as the DHCP Client Identifier for the dynamic address reservation. Leaving it at all zeroes hands the public address to whichever LAN host asks for a lease first, so enter the specific MAC address whenever the passthrough host is known.
A restriction

Since both the router and the passthrough host use the same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPsec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer's office.
MultiNAT Configuration Example

To help you understand a typical MultiNAT configuration, this section describes an example of the type of configuration you may want to implement on your site. The values shown are for example purposes only. Make your own appropriate substitutions.

A typical DSL service from an ISP might include five user addresses. Without PAT, you might be able to attach only five IP hosts.
Enter your ISP-supplied values as shown below.

    Connection Profile 1: Easy Setup Profile
        Connection Profile Name:      Easy Setup Profile
        Address Translation Enabled:  Yes
        IP Addressing...              Numbered
        Local WAN IP Address:         206.1.1.6
        Local WAN IP Mask:            255.255.255.248

        PREVIOUS SCREEN               NEXT SCREEN

    Enter a subnet mask in decimal and dot form (xxx.xxx.xxx.xxx).
    Enter basic information about your WAN connection with this screen.

Select NEXT SCREEN and press Return.
Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by using Easy Setup, you would have to define a public range and map list.
Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen.

Next, select Show/Change Map List and choose Easy-PAT List. Select Add Map. The Add NAT Map screen appears. (Now the name Easy-PAT List is a misnomer, since it has a static map included in its list.) Enter 192.168.1.1 for the First Private Address and 192.168.1.5 for the Last Private Address.

    Add NAT Map ("Easy-PAT List")
        First Private Address: 192.168.1.
• First, navigate to the Show/Change Map List screen, select Easy-PAT List and then Show/Change Maps. Choose the Static Map you created and change the First Private Address from 192.168.1.1 to 192.168.1.4. Now the Router, Web, and Mail servers' IP addresses are no longer included in the range of static mappings and are therefore no longer accessible to the outside world. Users on the Internet will not be able to Telnet, Web, SNMP, or ping to them.
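The reasoning behind that last step, which hosts a MultiNAT configuration actually exposes to the Internet, is worth making mechanical. The following is an added example, not Netopia firmware code and not part of the original guide: it models a static 1:1 map (every port of every private address in the range is reachable), a NAT server list entry (one port range of one host is reachable) and PAT-only hosts (not reachable), then compares the 192.168.1.1-5 map with the corrected 192.168.1.4-5 map. The public range 206.1.1.1-206.1.1.5 behind the static map, the SMTP entry for 192.168.1.254 and the host roles are assumptions made for the illustration; the page only gives the private range and the router's 206.1.1.6.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class StaticMap:
    """A 1:1 NAT map: a private range mapped, in order, onto a public range."""
    first_private: IPv4Address
    last_private: IPv4Address
    first_public: IPv4Address


@dataclass(frozen=True)
class ServerEntry:
    """A NAT server list entry: one exported port range of one private host."""
    private: IPv4Address
    public: IPv4Address
    first_port: int
    last_port: int
    proto: str = "tcp"


def wan_exposure(static_maps, server_list, lan_hosts):
    """Return {private_host: [reasons]} for every LAN host reachable from the WAN.

    A host inside a static map is reachable on every port at its mapped public
    address. A host named in a server list entry is reachable only on that port
    range. Hosts translated by PAT alone never appear: an unsolicited inbound
    packet to the shared public address matches no session and is dropped.
    """
    exposed = {}
    for host in lan_hosts:
        reasons = []
        for m in static_maps:
            if m.first_private <= host <= m.last_private:
                offset = int(host) - int(m.first_private)
                public = IPv4Address(int(m.first_public) + offset)
                reasons.append(f"all ports, static map to {public}")
        for s in server_list:
            if s.private == host:
                ports = (str(s.first_port) if s.first_port == s.last_port
                         else f"{s.first_port}-{s.last_port}")
                reasons.append(f"{s.proto}/{ports} via server list on {s.public}")
        if reasons:
            exposed[host] = reasons
    return exposed


def exposed_hosts(static_maps, server_list, lan_hosts):
    """The exposed hosts as dotted strings, in address order."""
    return [str(h) for h in sorted(wan_exposure(static_maps, server_list, lan_hosts))]


def reasons_for(static_maps, server_list, lan_hosts, host):
    """Why a given host (dotted string) is exposed; [] if it is not."""
    return wan_exposure(static_maps, server_list, lan_hosts).get(IPv4Address(host), [])


# Constructed LAN from the worked example: router .1, web .2, mail .3, two
# workstations .4/.5, a PAT-only host .6 and an SMTP relay at .254. The public
# range 206.1.1.1-206.1.1.5 and the .254 server entry are assumptions.
LAN_HOSTS = [IPv4Address(f"192.168.1.{n}") for n in (1, 2, 3, 4, 5, 6, 254)]
SERVER_LIST = [ServerEntry(IPv4Address("192.168.1.254"), IPv4Address("206.1.1.6"), 25, 25)]

MAPS_BEFORE = [StaticMap(IPv4Address("192.168.1.1"), IPv4Address("192.168.1.5"),
                         IPv4Address("206.1.1.1"))]
MAPS_AFTER = [StaticMap(IPv4Address("192.168.1.4"), IPv4Address("192.168.1.5"),
                        IPv4Address("206.1.1.1"))]

if __name__ == "__main__":
    for label, maps in (("static map 192.168.1.1-5", MAPS_BEFORE),
                        ("static map 192.168.1.4-5", MAPS_AFTER)):
        print(label)
        for host, reasons in wan_exposure(maps, SERVER_LIST, LAN_HOSTS).items():
            print(f"  {host}: {'; '.join(reasons)}")
```

Run as-is, the first report lists the router, web and mail servers as reachable on every port; the second lists only the two workstations and the SMTP relay on tcp/25. The same check applies to any map list: a static 1:1 map is a full exposure of the host, so put management hosts and servers that export a single service on a server list, not in a static range.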
Chapter 4
Virtual Private Networks (VPNs)

The Netopia Firmware Version 8.4 offers IPsec, PPTP, and ATMP tunneling support for Virtual Private Networks (VPN).
Netopia Firmware Version 8.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the Routers are said to be tunnelling through the public network (Internet). The advantages are that, like your long distance phone call, you don't need a direct line between one computer or LAN and the other, but use the local connections, making it much cheaper; and the information you exchange through your tunnel is private and secure.
leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. The Netopia Firmware Version 8.4 supports the more secure Tunnel mode.

DES stands for Data Encryption Standard, a symmetric-key encryption method. DES uses a 56-bit key. The Netopia Firmware Version 8.4 offers IPsec DES encryption over the VPN tunnel. Note that a 56-bit key is within reach of brute-force search on modest hardware and DES has been withdrawn as a standard; where both ends support a stronger transform, use it, and treat a DES-only tunnel as protection against casual observation rather than a determined adversary.
About PPTP Tunnels

To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner. You use the same procedure to initiate a PPTP tunnel that terminates at a remote PPTP server or to terminate a tunnel initiated by a remote PPTP client.

PPTP configuration

To set up the Router as a PPTP Network Server (PNS) capable of answering PPTP tunnel requests you must also configure the VPN Default Answer Profile.
When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears.

    PPTP Tunnel Options
        PPTP Partner IP Address:  173.167.8.134
        Tunnel Via Gateway:       0.0.0.0

        Authentication...
        Data Compression...
Note: Netopia Firmware Version 8.4 supports 128-bit ("strong") encryption. Unlike MS-CHAP version 1, which supports one-way authentication, MS-CHAP version 2 supports mutual authentication between connected gateways and is incompatible with MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia Router will start negotiating MS-CHAP-V2. Bear in mind that the 128-bit MPPE session key is derived from the MS-CHAP-V2 exchange, and that exchange rests on DES-encrypted responses from which published attacks recover the password hash given a single captured handshake; PPTP with MS-CHAP-V2 is therefore a weak choice next to IPsec and should be used only where nothing stronger is available.
The IP Profile Parameters screen appears.

    IP Profile Parameters
        Address Translation Enabled:  Yes
        NAT Map List...               Easy-PAT
        NAT Server List...            Easy-Servers
        Local WAN IP Address:         0.0.0.0

        Remote IP Address:            173.167.8.10
        Remote IP Mask:               255.255.0.0

        Filter Set...
        Remove Filter Set
        RIP Profile Options...

• Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
About L2TP Tunnels

L2TP stands for Layer 2 Tunnelling Protocol, an extension to the PPP protocol. L2TP combines features of two other tunneling protocols: PPTP and L2F. Like PPTP, L2TP is a Datalink Encapsulation option in Connection Profiles. It is not an option in device or link configuration screens, as L2TP is not a native encapsulation. Consequently, the Easy Setup Profile does not offer L2TP datalink encapsulation. Note that L2TP by itself encrypts nothing; it only carries PPP frames, so confidentiality depends on what PPP negotiates or on running the L2TP session inside an IPsec tunnel.
When you define a Connection Profile as using L2TP by selecting L2TP as the datalink encapsulation method, and then select Encapsulation Options, the L2TP Tunnel Options screen appears.

    L2TP Tunnel Options
        L2TP Partner IP Address:     0.0.0.0
        L2TP Tunnel Authentication:  No
        PPP Authentication:
        Data Compression...
• You can specify that this Router will Initiate Connections (acting as a PAC) or only answer them (acting as a PNS).
• Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established or may be scheduled using the scheduled connections feature. See "Scheduled Connections" on page 2-15.
• You can specify the Idle Timeout (in seconds), an inactivity timer, whose expiration will terminate the tunnel.
About GRE Tunnels

Generic Routing Encapsulation (GRE) protocol is another form of tunneling that Netopia routers support. A GRE tunnel is brought up when a valid GRE profile is installed, and brought down when the profile is disabled or deleted. GRE tunnels are not connection-based, but rather are installed and simply wait for GRE packets. There is no special startup initiation as with PPPoE or PPTP.
    GRE Tunnel Options
        GRE Partner IP Address:  173.167.8.134
        Send Checksums:          No
        Sequence Datagrams:      No
        Key:                     0

    Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).

• Enter a GRE Partner IP Address in standard dotted-quad format to specify the address of the other end of the tunnel.
• You can optionally toggle Send Checksums to Yes so that the receiver can detect corruption of the GRE header and payload in transit. Checksums do not detect lost or reordered datagrams; Sequence Datagrams is the option for that. Neither option, nor the Key field, provides confidentiality or authentication: GRE is plain encapsulation, and the Key is a cleartext flow identifier that anyone who can see or spoof the traffic can reproduce. Carry traffic that needs protection inside an IPsec tunnel rather than over bare GRE.
The IP Profile Parameters screen appears.

    IP Profile Parameters
        Address Translation Enabled:  No
        IP Addressing...              Unnumbered

        Remote IP Address:            173.167.8.134
        Remote IP Mask:               255.255.0.0

        Filter Set...
        Remove Filter Set
        RIP Profile Options...

    Toggle to Yes if this is a single IP address ISP account.
    Configure IP requirements for a remote network connection here.

• Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
VPN force-all

GRE tunnelling supports "VPN force-all," which forces all traffic coming from the LAN onto the GRE tunnel. You accomplish this by setting the default route to go through the GRE tunnel. Because the encapsulated GRE packets themselves must not follow that default route back into the tunnel, a secondary host route for the GRE partner address that points at the actual WAN interface can be configured as a static route when required.
About ATMP Tunnels

To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them. You use the same procedure to initiate or terminate an ATMP tunnel. Used in this way, the terms initiate and terminate mean the beginning and end of the tunnel; they do not mean activate and deactivate.
When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears.

    ATMP Tunnel Options
        ATMP Partner IP Address:  173.167.8.134
        Tunnel Via Gateway:       0.0.0.0

        Network Name:             sam.net
        Password:                 ****

        Data Encryption...
• You can specify that this Router will Initiate Connections, acting as a foreign agent (Yes), or only answer them, acting as a home agent (No).
• Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established through the call management screens.
• You can specify the Idle Timeout, an inactivity timer, whose expiration will terminate the tunnel. A value of zero disables the timer.
MS-CHAP V2 and 128-bit strong encryption

Notes:
• Netopia Firmware Version 8.4 supports 128-bit ("strong") encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia Routers you can optionally set 56-bit DES encryption.
• When you choose MS-CHAP as the authentication method for a PPTP tunnel, the Netopia Router will start negotiating MS-CHAPv2.
ATMP/PPTP Default Profile

    ATMP/PPTP Default Profile
        Answer ATMP/PPTP Connections:  No

        PPTP Configuration Options
        Receive Authentication...      PAP
        Data Compression...            None

• Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections, or No (the default) if you do not.
• For PPTP tunnel connections only, you must define what type of authentication these connections will use. Select Receive Authentication and press Return. The default shown, PAP, sends the password in the clear inside the PPP negotiation and produces no key material for MPPE, so a PAP-authenticated PPTP tunnel carries its payload unencrypted; select MS-CHAP for any profile that answers connections from the Internet.
VPN QuickView

You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView.

    Main Menu
        QuickView
            VPN QuickView

The VPN QuickView screen appears.

    VPN Quick View
    Profile Name----------Type----Rx Pckts---Tx Pckts--RxDiscard--Remote Address-
    HA <-> FA1 (Jony Fon  ATMP    99         99        0          173.166.82.8
    HA <-> FA3 (Sleve M.  ATMP    13         14        0          173.166.117.
Dial-Up Networking for VPN

Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely.
The Communications window appears.
5. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button.
6. Respond to the prompts to install Dial-Up Networking from the system disks or CDROM.
7. When prompted, reboot your PC.
Configuring a Dial-Up Networking profile

Once you have created your Dial-Up Networking profile, you configure it for TCP/IP networking to allow you to connect to the Internet through your Internet connection device. Do the following:
1. Double-click the My Computer (or whatever you have named it) icon on your desktop. Open the Dial-Up Networking folder. You will see the icon for the profile you created in the previous section.
2.
4.
5. Click the TCP/IP Settings button.
   • If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address radio button.
   • If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your assigned IP address in the fields provided. Also enter the IP address in the Primary and Secondary DNS fields.
   Click the OK button in this window and the next two windows.
For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 must be allowed. Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for port 5150 must be allowed. Source ports are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both require a firewall to allow GRE bi-directionally.
PPTP example

To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723. The source port may be dynamic, so often it is not useful to apply a compare function upon this portion of the control/negotiation packets. You must also set the firewall to allow inbound and outbound GRE packets, enabling transport of the tunnel payload.
    Change Input Filter 2
        Enabled:                 Yes
        Forward:                 Yes

        Source IP Address:       0.0.0.0
        Source IP Address Mask:  0.0.0.0
        Dest. IP Address:        0.0.0.0
        Dest. IP Address Mask:   0.0.0.0

        Protocol Type:           GRE

In the Display/Change Filter Set screen select Display/Change Output Filter.

    Display/Change Output Filter screen
    +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
    +-------------------------------------------------------------------------+
    | 1    0.0.0.0           0.0.0.
Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown below.

    Change Output Filter 2
        Enabled:                 Yes
        Forward:                 Yes

        Source IP Address:       0.0.0.0
        Source IP Address Mask:  0.0.0.0
        Dest. IP Address:        0.0.0.0
        Dest. IP Address Mask:   0.0.0.
Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below.

    Change Input Filter 1
        Enabled:                 Yes
        Forward:                 Yes

        Source IP Address:       0.0.0.0
        Source IP Address Mask:  0.0.0.0
        Dest. IP Address:        0.0.0.0
        Dest. IP Address Mask:   0.0.0.0

        Protocol Type:
        Source Port Compare...
        Source Port ID:
        Dest. Port Compare...
        Dest. Port ID:
        Established TCP Conns.
In the Display/Change Filter Set screen select Display/Change Output Filter.

    Display/Change Output Filter screen
    +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
    +-------------------------------------------------------------------------+
    | 1    0.0.0.0           0.0.0.0           TCP   NC       =1723  Yes  Yes |
    | 2    0.0.0.0           0.0.0.0           GRE   --       --     Yes  Yes |
    |                                                                         |
    +-------------------------------------------------------------------------+

Select Output Filter 1 and press Return.
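The filter sets above are evaluated statelessly, one rule at a time, and it is easy to get a tunnel that half-works (control connection up, no payload) by disabling or mis-ordering a row. The following is an added example, not Netopia firmware code and not from the guide: it models the two-rule PPTP set (TCP to 1723, then GRE) and the matching ATMP set (UDP to 5150, then GRE) exactly as the screens show them, with "NC" as a port that is not compared, and runs constructed packets through them. Two things are assumptions rather than statements on the page: that a packet matching no row is discarded, and the sample traffic itself.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    """One row of a filter set, with the columns the screens above show."""
    proto: str                       # "tcp", "udp", "gre", or "any"
    forward: bool = True             # Fwd column: Yes forwards, No discards
    enabled: bool = True             # On? column
    src_port: Optional[int] = None   # None = "NC", not compared
    dst_port: Optional[int] = None   # None = "NC"; an int means "= port"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def matches(f: Filter, p: Packet) -> bool:
    """A disabled row never matches; otherwise protocol and compared ports must agree."""
    if not f.enabled:
        return False
    if f.proto != "any" and f.proto != p.proto:
        return False
    if f.src_port is not None and f.src_port != p.src_port:
        return False
    if f.dst_port is not None and f.dst_port != p.dst_port:
        return False
    return True


def evaluate(filter_set: List[Filter], p: Packet) -> str:
    """First matching row decides. No match is treated as discard (an assumption
    here; the page's PPTP example only ever adds permitting rows)."""
    for f in filter_set:
        if matches(f, p):
            return "forward" if f.forward else "discard"
    return "discard"


# The two-row sets from the text: control channel first, then GRE for the payload.
# Source port is left as NC, as the text advises, because it is chosen dynamically.
PPTP_FILTERS = [Filter("tcp", dst_port=1723), Filter("gre")]
ATMP_FILTERS = [Filter("udp", dst_port=5150), Filter("gre")]

# Constructed sample traffic.
SAMPLES = {
    "pptp control":               Packet("tcp", src_port=49152, dst_port=1723),
    "pptp control, low src port": Packet("tcp", src_port=1025, dst_port=1723),
    "gre payload":                Packet("gre"),
    "telnet to router":           Packet("tcp", src_port=49153, dst_port=23),
    "atmp control":               Packet("udp", src_port=5150, dst_port=5150),
    "stray udp":                  Packet("udp", src_port=53, dst_port=33333),
}


def decisions(filter_set: List[Filter], samples=SAMPLES) -> dict:
    """Verdict per sample name for one filter set."""
    return {name: evaluate(filter_set, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, fs in (("PPTP", PPTP_FILTERS), ("ATMP", ATMP_FILTERS)):
        print(name)
        for sample, verdict in decisions(fs).items():
            print(f"  {sample:28} {verdict}")
```

Note what the rows do not do: with Source and Dest. IP Address left at 0.0.0.0, the set admits TCP 1723 and GRE from any host on the Internet, not just from the PPTP partner. Where the partner address is fixed, put it in the Source IP Address of the input rows and the Dest. IP Address of the output rows, and keep the set stateless in mind: nothing here tracks whether an inbound GRE datagram belongs to a tunnel that was ever negotiated.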
Windows Networking Broadcasts

Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcasts. This is useful, for example, for a Virtual Private Network in which you want to be able to browse the remote network to which you are tunnelling as part of your Windows Network Neighborhood. Routed connections, such as VPNs, cannot use NetBEUI to carry the Network Neighborhood information. They need to use NetBIOS over TCP/IP, because NetBEUI cannot be routed.
Configuration for Router A

    IP Profile Parameters
        Address Translation Enabled:  No

        Remote IP Address:            192.168.2.1
        Remote IP Mask:               255.255.255.0

        Filter Set...
        Remove Filter Set
        NetBIOS Proxy Enabled         Yes
        RIP Profile Options...

    Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
    Configure IP requirements for a remote network connection here.

Configuration for Router B

    IP Profile Parameters
        Address Translation Enabled:  No

        Remote IP Address:            192.168.
Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Shared volumes on the remote network are accessible with or without a WINS server. Local LAN shared volumes that have Port Address Translation (PAT) applied to them are not available to hosts on the remote LAN. For tunnelled traffic, NAT on the WAN has no effect on the Microsoft Networking traffic.
Chapter 5
Internet Key Exchange (IKE) IPsec Key Management for VPNs

IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). See "Virtual Private Networks (VPNs)" on page 4-1 for more information. The Netopia Firmware Version 8.4 supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel.
The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret, such as an English sentence like "my dog has fleas", on each end once. This pass phrase is used to authenticate each end to the other, so its strength is the strength of the tunnel's authentication: a short or dictionary phrase can be recovered by offline guessing, passively from a captured Aggressive Mode exchange or by an attacker who poses as the peer in Main Mode. Use a long random phrase and a different one for each peer.
The Add Connection Profile screen appears.

    Add Connection Profile
        Profile Name:             Profile 1
        Profile Enabled:
        Encapsulation Type...     +-------------+
        RFC1483 Mode...           | PPP         |
        IP Profile Parameters...  | RFC1483     |
                                  | ATMP        |
                                  | PPTP        |
                                  | IPsec       |
                                  | L2TP        |
                                  +-------------+
        COMMIT                    CANCEL

• From the Encapsulation Type pop-up menu select IPsec.
• Then select Encapsulation Options. The IPsec Tunnel Options screen appears.
    IPsec Tunnel Options
        Key Management...                 +-IKE Phase1 Profile--+
        IKE Phase 1 Profile...            | <>                  |
        Encapsulation...                  | <>                  |
        ESP Encryption Transform...       |                     |
        ESP Authentication Transform...   |                     |
        Compression Type...               |                     |
        Advanced IPsec Options...         |                     |
        COMMIT                            +---------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

• A pop-up window displays a list of IKE Phase 1 Profiles that you have configured.
• The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 profiles are supported, since each of the potential sixteen Connection Profiles may be associated with a separate IKE Phase 1 profile.
• The Mode pop-up menu allows you to choose between Main Mode (the default) and Aggressive Mode. Aggressive Mode completes in fewer messages but sends the identities and the pre-shared-key hash before the exchange is encrypted, which lets anyone who captures the traffic guess the shared secret offline; keep Main Mode unless the peer requires Aggressive Mode.
    Advanced IKE Phase 1 Options
        Negotiation...                   Normal
        SA Use Policy...                 Newest SAs Immediately
        Allow Dangling Phase 2 SAs:      Yes
        Phase 1 SA Lifetime (seconds):   28800

        Send Initial Contact Message:    Yes
        Include Vendor ID Payload:       Yes
        Independent Phase 2 Re-keys:     Yes
        Strict Port Policy:              No

    Return/Enter accepts * Tab toggles * ESC cancels.

Normally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen.
• Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE Phase 1 messages.
• Independent Phase 2 Re-keys toggles whether or not a Phase 2 re-key requires a Phase 1 re-key. If this item is set to Yes (the default), Phase 2 re-keys will be performed independently when necessary without requiring a Phase 1 re-key. If this item is set to No, each Phase 2 re-key will be preceded by a Phase 1 re-key.
Selecting Delete IKE Phase 1 Profile and choosing an IKE phase 1 profile name from the pop-up list displays a confirmation alert asking you to confirm that you really want to delete the specified IKE phase 1 profile:

    IPsec Configuration
    +--IKE Phase1 Profile--+
    | Netopia              |
    +------------------------------------------------------------+
    |                                                            |
    | Are you sure you want to delete this IKE Phase 1 Profile?  |
    |                                                            |
    |                 CANCEL            CONTINUE                 |
    |                                                            |
    +----------------
A Change Connection Profile screen is shown below.

    Change Connection Profile
        Profile Name:               Easy Setup Profile
        Profile Enabled:
        Encapsulation Type...       +-------------+
        Encapsulation Options...    | PPP         |
        IP Profile Parameters...    | ATMP        |
                                    | PPTP        |
        Telco Options...            | IPsec       |
                                    +-------------+
        COMMIT                      CANCEL

Note: The Change Connection Profile screen will offer different options, depending on the model of gateway you are using.
    IPsec Tunnel Options
        Key Management...                  IKE
        IKE Phase 1 Profile...
        Encapsulation...                   ESP
        ESP Encryption Transform...        DES
        ESP Authentication Transform...    HMAC-MD5-96

        Advanced IPsec Options...

        COMMIT                             CANCEL

The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows you to choose between IKE key management (the default for a new IPsec profile) and Manual key management. Note that the transforms a new profile starts with, single DES (see the remarks on its 56-bit key in Chapter 4) and HMAC-MD5-96, are the weaker of the choices offered; review both against what the peer supports before committing the profile rather than accepting them by default.
• The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1-96. Selecting None leaves the encrypted payload with no integrity check at all, so the receiving end cannot tell a modified or forged packet from a genuine one; choose one of the HMAC transforms unless AH is also in use on the same tunnel.

Advanced IPsec Options

If you select Advanced IPsec Options, the Advanced IPsec Options screen appears.
• Maximum Packet Size permits you to modify the MTU setting for the tunnel. Some ISPs require a setting of e.g. 1492 (or other value). The default 1500 is the most common and you usually don't need to change this unless otherwise instructed. Accepted values are from 100 – 1500. This is the starting value that is used for the MTU when the IPsec tunnel is installed. It specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router.
The defaults are 5 seconds and 90 seconds, respectively. You may adjust these to suit your network's tolerances.

Note:
• ICMP Dead Peer Detection is not available when using manual re-keying.
• ICMP Dead Peer Detection does not initiate a series of phase 2 exchanges upon detecting a dead peer; it instead initiates a new phase 1 negotiation, followed by a new phase 2 negotiation once contact with the peer has been re-established.
Advantages of Multiple Network IPsec are:
• scalability
• flexibility, by adding any combination of remote/local network ranges
• support for sub-netting, host and network range addressing modes
• works with manual keying and Internet Key Exchange (IKE)
• each IPsec network works under the same local/remote tunnel endpoints

Select Add Network and press Return. The Add Network Configuration screen appears.
Last Address. You supply these values. Complete the Local Member 1st Address and Local Member Last Address fields.
• If you choose Host Address, you need only supply the Remote Member Address and the Local Member Address; the other fields are hidden.
• Select COMMIT and press Return to add the configuration. This returns you to the IP Profile Parameters screen. Select COMMIT and press Return in the IP Profile Parameters screen.
    Display/Change Network Configuration
    --------------Local-Members-------------------------Remote-Members-------------
    Net #---Type----Start-Address---Size----------Type----Start-Address---Size-----
    ----------------------------------SCROLL UP------------------------------------
    1       SUBNET  192.168.2.1     /24           SUBNET  192.168.1.0     /24
    2       SUBNET  10.0.1.1        /8            SUBNET  10.0.0.1        /8
    3       HOST    163.176.91.101                HOST    163.176.91.100
    4       RANGE   163.176.30.222  21            RANGE   163.176.91.
• Specifying IKE key management alters the Advanced IP Profile Options screen as follows:

    Advanced IP Profile Options
        Local Tunnel Endpoint Address:  0.0.0.0
        Next Hop Gateway:               0.0.0.0

        Idle Timeout (seconds):         300

• You can specify a Local Tunnel Endpoint Address. If not 0.0.0.0, this value must be one of the assigned interface addresses, either WAN or LAN. This is used as the source address of all IPsec traffic.
IPsec WAN Configuration Screens

You can also configure IKE Phase 1 Profiles in the WAN Configuration menus.

    Main Menu
        WAN Configuration
            IKE Phase 1 Configuration

The WAN Configuration screen now includes IKE Phase 1 Configuration as shown:

    WAN Configuration
        WAN (Wide Area Network) Setup...
        ATM Circuits Configuration...
        Display/Change Connection Profile...
        Add Connection Profile...
        Delete Connection Profile...
        WAN Default Profile...
        ATMP/PPTP Default Profile...
    IKE Phase 1 Configuration
        Display/Change IKE Phase 1 Profile...
        Add IKE Phase 1 Profile...
        Delete IKE Phase 1 Profile...

The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile.

IPsec Manual Key Entry

The Version 7.0.2 firmware has a redesigned layout and additional options for manual key entry.
Select IPsec Manual Keys and press Return.

    IPsec Manual Keys
        SHA1 ESP Auth. Key:
        SHA1 AH Auth. Key:

Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields for the authentication keys and encryption keys. With Manual Keys, you must manually configure identical authentication and encryption keys at both ends of the tunnel. Manually keyed Security Associations never re-key, so the same keys protect every packet for as long as the configuration stands; generate them from a random source rather than choosing them, and change them on a schedule.
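What the keys typed into this screen actually do, and what the "-96" in HMAC-MD5-96 and HMAC-SHA1-96 means, is easiest to see in code. The following is an added example, not Netopia firmware code and not from the guide. Per RFC 2403 and RFC 2404 the two transforms take a 16-byte and a 20-byte key respectively, compute HMAC-MD5 or HMAC-SHA-1 over the authenticated part of the packet (for ESP: SPI, sequence number and the encrypted payload) and send only the first 96 bits as the Integrity Check Value. The hex keys, the SPI and the ciphertext below are constructed for the illustration; the key-length check models the most common manual-keying failure, a key that is one digit off at one end.

```python
import hashlib
import hmac
import os

ICV_LEN = 12  # the "-96": 96 bits (12 bytes) of the MAC are carried in each packet

# Key sizes fixed by RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96).
KEY_LEN = {"HMAC-MD5-96": 16, "HMAC-SHA1-96": 20}
DIGEST = {"HMAC-MD5-96": hashlib.md5, "HMAC-SHA1-96": hashlib.sha1}


def parse_manual_key(hex_key: str, transform: str) -> bytes:
    """Decode a hex key as typed into the manual-key screen and check its length.

    With manual keying nothing is negotiated: a key of the wrong length or with
    one mistyped digit at one end simply means no packet ever authenticates.
    """
    key = bytes.fromhex(hex_key.replace(" ", ""))
    want = KEY_LEN[transform]
    if len(key) != want:
        raise ValueError(f"{transform} needs a {want}-byte key, got {len(key)} bytes")
    return key


def key_is_valid(hex_key: str, transform: str) -> bool:
    try:
        parse_manual_key(hex_key, transform)
        return True
    except ValueError:
        return False


def compute_icv(key: bytes, transform: str, authenticated: bytes) -> bytes:
    """HMAC over the authenticated bytes, truncated to the leading 96 bits."""
    return hmac.new(key, authenticated, DIGEST[transform]).digest()[:ICV_LEN]


def verify_icv(key: bytes, transform: str, authenticated: bytes, icv: bytes) -> bool:
    """Constant-time comparison, so a forger learns nothing from timing."""
    return len(icv) == ICV_LEN and hmac.compare_digest(
        compute_icv(key, transform, authenticated), icv)


def esp_authenticated_part(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """The bytes ESP authenticates: 4-byte SPI, 4-byte sequence number, then the
    encrypted IV/payload/padding/trailer (already ciphertext at this point)."""
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext


# Constructed keys. SHARED_HEX is what both routers should have been given;
# TYPO_HEX differs in its last digit, SHORT_HEX is an MD5-sized 16-byte key.
SHARED_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f001234567"   # 40 hex digits = 20 bytes
TYPO_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f001234568"
SHORT_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"


def demo(transform: str = "HMAC-SHA1-96") -> dict:
    """Sender computes an ICV over a constructed ESP packet; the receiver checks
    the genuine packet, a tampered copy, and the packet under the mistyped key."""
    key = parse_manual_key(SHARED_HEX, transform)
    body = esp_authenticated_part(spi=0x1000, seq=1, ciphertext=os.urandom(64))
    icv = compute_icv(key, transform, body)
    tampered = bytearray(body)
    tampered[-1] ^= 0x01                     # flip one bit of the ciphertext
    return {
        "icv_len": len(icv),
        "good": verify_icv(key, transform, body, icv),
        "tampered": verify_icv(key, transform, bytes(tampered), icv),
        "wrong_key": verify_icv(parse_manual_key(TYPO_HEX, transform), transform, body, icv),
    }


if __name__ == "__main__":
    print(demo())
    print("16-byte key accepted for SHA1?", key_is_valid(SHORT_HEX, "HMAC-SHA1-96"))
```

The truncation to 96 bits is a wire-format choice, not a weakening you can configure away: both transforms are still keyed MACs, and the receiver rejects any packet whose 12-byte ICV does not match. The practical lesson for the manual-key screen is the length rule, since the firmware cannot tell you the peer typed a different key; the tunnel simply passes nothing.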
    VPN Quick View
    Profile Name----------Type--Rx Pckts--Tx Pckts--Discard--Remote Address-
    HA <-> FA1 (Jony Fon  ATMP  99        99                 173.166.82.8
    HA <-> FA3 (Sleve M.  ATMP  13        14                 63.193.117.91
    My IPsec Tunnel       IPsec 23        12                 0.0.0.0
    Bangalore             PPTP  45        35                 1.1.1.1

If the remote tunnel end point is a hostname (or "0.0.0.0"), 0.0.0.0 is displayed until a Security Association is established. Previously the remote members network was displayed.
    Event message:                  Meaning:
    IKE: no matching ph2 proposal   Either the local Router rejected the proposals of the remote or the remote rejected the local Router's.
    IKE: ph2 resend timeout         The attempt to resend the phase 2 authentication timed out.
    IKE: phase 2 complete           The phase 2 negotiation completed successfully.
Chapter 6
IP Setup

The Netopia Firmware Version 8.4 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the gateway to route IP traffic. You also learn how to configure the gateway to serve IP addresses to hosts on your local network. Netopia's IP routing features include Network Address Translation and IP address serving.
IP Setup

    Main Menu
        System Configuration
            IP Setup

The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here controls how the gateway routes IP traffic. Consult your network administrator or ISP to obtain the IP setup information (such as the Ethernet IP address, Ethernet subnet mask, default IP gateway, and Primary Domain Name Server IP address) you will need before changing any of the settings in this screen.
The Netopia Firmware Version 8.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment.
that the addresses distributed by the Router and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from.

IP subnets

The IP Subnets screen allows you to configure up to eight Ethernet IP subnets on unlimited-user models, one "primary" subnet and up to seven secondary subnets, by entering IP address/subnet mask pairs:

IP Subnets
    IP Address
#1: 192.128.117.
For example:

IP Subnets
    IP Address         Subnet Mask
#1: 192.128.117.162    255.255.255.0
#2: 192.128.152.162    255.255.0.0
#3: 0.0.0.0            0.0.0.0
#4:
#5:
#6:
#7:
#8:

• To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly:

IP Setup
    Subnet Configuration...
    Default IP Gateway:             192.128.117.163
    Primary Domain Name Server:     0.0.0.0
    Secondary Domain Name Server:   0.0.0.0
    Domain Name:
    Receive RIP...                  Both
    Transmit RIP...                 v2 (multicast)
    Static Routes...
    Network Address Translation (NAT)...
    IP Address Serving...

Set up the basic IP attributes of your Netopia in this screen.
The Static Routes screen will appear.

Static Routes
    Display/Change Static Route...
    Add Static Route...
    Delete Static Route...
Configure/View/Delete Static Routes from this and the following Screens.

Viewing static routes

To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear.

+-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+
+------------------------------------------------------------------+
| 0.0.0.0 0.0.0.
• Subnet Mask: The subnet mask associated with the destination network.
• Next Gateway: The IP address of the gateway that will be used to reach the destination network.
• Priority: An indication of whether the Router will use the static route when it conflicts with information received from RIP packets.
• Enabled: An indication of whether the static route should be installed in the IP routing table.

To return to the Static Routes screen, press Escape.
• To make sure that the static route is known only to the Router, select Advertise Route Via RIP and toggle it to No. To allow other RIP-capable gateways to know about the static route, select Advertise Route Via RIP and toggle it to Yes.

When Advertise Route Via RIP is toggled to Yes, a new item called RIP Metric appears below Advertise Route Via RIP. With RIP Metric you set the number of gateways, from 1 to 15, between the sending gateway and the destination gateway.
RIP-2 MD5 Authentication

Firmware version 5.3.7 supports RIP-2 MD5 Authentication (RFC 2082, Routing Information Protocol Version 2, Message Digest 5). The purpose of MD5 authentication is to provide an additional level of confidence that a RIP packet received was generated by a reliable source. In other words, MD5 authentication provides an enhanced level of assurance that the routing information your network receives does not originate from a malicious source posing as part of your network. Note that keyed MD5 protects the origin and integrity of RIP updates only; it does not encrypt them, and any party holding the shared key can produce updates the Router will accept, so the key should be treated as a secret and rotated using the key validity dates described below.
IP Setup
    Ethernet IP Address:            192.168.1.1
    Ethernet Subnet Mask:           255.255.255.0
    Define Additional Subnets...
    Default IP Gateway:             0.0.0.0
    Backup IP Gateway:              0.0.0.0
    Primary Domain Name Server:     0.0.0.0
    Secondary Domain Name Server:   0.0.0.0
    Domain Name:
    RIP Options...
    Multicast Forwarding...         None
    Static Routes...
    IP Address Serving...

• Select RIP Options. The Ethernet LAN RIP Options screen appears.
Ethernet LAN RIP Options
    Receive RIP...                  v2 MD5 Authentication
    Transmit RIP...                 Off
    RIP v2 Authentication Keys...

• You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pull-down menu.

Ethernet LAN RIP Options
    Receive RIP...
    Transmit RIP...
    RIP v2 Authentication Keys...
• Select RIP v2 Authentication Keys. The RIP v2 Authentication Keys screen appears.

RIP v2 Authentication Keys
    Display/Change Key...
    Add Key...
    Delete Key...

Adding a key

Select Add Key. The Add Key Screen appears.
• The Start Date and End Date formats are determined by the System Date Format, set on the Set Date and Time menu under the System Configuration menus.
• The Start Time and End Time formats are determined by the System Time Format. The AM or PM pull-down menus do not appear if the time format is 24 hour time.
• The End Time Mode pull-down menu allows you to select either Date or Infinite.
+----------------------------------------------------------+
|   Are you sure you want to delete this RIP MD5 Key?      |
|                                                          |
|              CANCEL              CONTINUE                |
+----------------------------------------------------------+

Connection Profiles and Default Profile

RIP-2 MD5 authentication may be configured in Connection Profiles, as well.
RIP Profile Parameters
    Receive RIP:                    v2 MD5 Authentication
    Transmit RIP:                   v2 MD5 (multicast)
    TX RIP Policy...                Poison Reverse
    RIP v2 Authentication Keys...

• Receive RIP is always visible. Here you select Off, v1, v2, Both v1 and v2, or v2 MD5 Authentication from the pull-down menu. For MD5 authentication, you must select v2 MD5 Authentication.
• If NAT is disabled, Transmit RIP is visible.
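As an added illustration of what the v2 MD5 Authentication option exchanges on the wire (example code written for this guide, not Netopia firmware), the following Python builds an RFC 2082 keyed-MD5 RIP-2 response and then checks it the way a receiver must: trailer present, key id known and inside its Start/End validity window, digest matching, sequence number not replayed. The key table, route and timestamps are constructed, and the replay rule is a simplified one of this example's own.

```python
import hashlib
import hmac
import socket
import struct
from datetime import datetime

# RFC 2082 layout constants
AFI_AUTH = 0xFFFF        # address family 0xFFFF marks an authentication entry
AUTH_KEYED_MD5 = 3       # authentication type carried in the leading entry
AUTH_TRAILER = 1         # authentication type carried in the trailing entry
HEADER_LEN, ENTRY_LEN, DIGEST_LEN = 4, 20, 16


def _pad_key(key: bytes) -> bytes:
    """The shared key is zero-padded to 16 octets before it is digested."""
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_rip2_md5(command: int, routes, key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: RIP-2 header, keyed-MD5 auth entry, route entries, trailer.
    routes: iterable of (prefix, mask, next_hop, metric); command 2 = response."""
    header = struct.pack("!BBH", command, 2, 0)              # command, version 2, zero
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0,                        # AFI 2 = IP, route tag 0
                    socket.inet_aton(prefix), socket.inet_aton(mask),
                    socket.inet_aton(next_hop), metric)
        for prefix, mask, next_hop, metric in routes)
    packet_len = HEADER_LEN + ENTRY_LEN + len(body)            # bytes before the trailer
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_KEYED_MD5, packet_len,
                             key_id, DIGEST_LEN, seq, b"\x00" * 8)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    unsigned = header + auth_entry + body + trailer_hdr
    # Digest = MD5(packet up to the trailer header || zero-padded key); the
    # digest then occupies the 16-octet authentication data field.
    return unsigned + hashlib.md5(unsigned + _pad_key(key)).digest()


def verify_rip2_md5(packet: bytes, keys: dict, now: datetime, last_seq=None):
    """Receiver side. keys maps key id -> (key, start, end or None for Infinite),
    like the Start/End Date fields of the RIP v2 Authentication Keys screen.
    Returns (accepted, reason, sequence number)."""
    if len(packet) < HEADER_LEN + ENTRY_LEN + 4 + DIGEST_LEN:
        return False, "packet too short for an authenticated RIP-2 packet", None
    afi, atype, packet_len, key_id, auth_len, seq = struct.unpack(
        "!HHHBBI", packet[HEADER_LEN:HEADER_LEN + 12])
    if afi != AFI_AUTH or atype != AUTH_KEYED_MD5:
        return False, "first entry is not a keyed-MD5 authentication entry", None
    if auth_len != DIGEST_LEN or packet_len + 4 + DIGEST_LEN != len(packet):
        return False, "length fields do not match the packet", None
    if packet[packet_len:packet_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False, "authentication trailer missing", None
    if key_id not in keys:
        return False, f"no key configured for key id {key_id}", None
    key, start, end = keys[key_id]
    if now < start or (end is not None and now > end):
        return False, f"key id {key_id} is outside its validity window", None
    expected = hashlib.md5(packet[:packet_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, "digest mismatch: wrong key or altered packet", None
    # Simplified anti-replay rule used by this example: a sequence number lower
    # than the last one accepted from this neighbour is discarded.
    if last_seq is not None and seq < last_seq:
        return False, f"sequence {seq} below last accepted {last_seq}", None
    return True, "ok", seq


# Constructed key table: key 1 has an Infinite end, key 2 expired at end of 2003.
KEYS = {
    1: (b"lab-key-2004", datetime(2004, 1, 1), None),
    2: (b"old-key", datetime(2003, 1, 1), datetime(2003, 12, 31, 23, 59)),
}
ROUTES = [("192.128.152.0", "255.255.255.0", "0.0.0.0", 1)]   # constructed route


def demo():
    """Accept a good update; reject a tampered metric, an expired key, a replay."""
    now = datetime(2004, 6, 1, 12, 0)
    good = build_rip2_md5(2, ROUTES, 1, KEYS[1][0], seq=100)
    tampered = bytearray(good)
    tampered[HEADER_LEN + ENTRY_LEN + 19] ^= 0x0F      # flip bits in the route metric
    expired = build_rip2_md5(2, ROUTES, 2, KEYS[2][0], seq=101)
    return {
        "good": verify_rip2_md5(good, KEYS, now)[0],
        "tampered_metric": verify_rip2_md5(bytes(tampered), KEYS, now)[0],
        "expired_key": verify_rip2_md5(expired, KEYS, now)[0],
        "replayed": verify_rip2_md5(good, KEYS, now, last_seq=150)[0],
    }
```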
IP Address Serving
Main Menu > System Configuration > IP Address Serving
    • Serve DHCP Clients
    • Serve BootP Clients
    • Serve Dynamic WAN Clients

In addition to being a gateway, the Router is also an IP address server. There are three protocols it can use to distribute IP addresses.

• The first, called Dynamic Host Configuration Protocol (DHCP), is widely supported on PC networks, as well as Apple Macintosh computers using Open Transport and computers using the UNIX operating system.
Follow these steps to configure IP Address Serving:

• If you enabled IP Address Serving, then DHCP, BootP clients and Dynamic WAN clients are automatically enabled.
• The IP Address Serving Mode pop-up menu allows you to choose the way in which the Router will serve IP addresses. The device can act as either a DHCP Server or a DHCP Relay Agent. (See "DHCP Relay Agent" on page 6-28 for more information.)
If you have configured multiple Ethernet IP subnets, the appearance of the IP Address Serving screen is altered slightly:

IP Address Serving
    IP Address Serving Mode...      DHCP Server
    Configure Address Pools...
    Serve DHCP Clients:             Yes
    DHCP Lease Time (Hours):        1
    DHCP NetBIOS Options...
    Serve BOOTP Clients:            Yes
    Serve Dynamic WAN Clients       Yes

Three menu items are hidden, and Configure Address Pools... appears instead. If you select Configure Address Pools...
IP Address Pools

The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight configured Ethernet IP subnets:

IP Address Pools
Subnet (# host addrs)   1st Client Addr    Clients   Client Gateway
192.128.117.0 (253)     192.128.117.196    16        192.128.117.162
192.129.117.0 (253)     192.129.117.110    8         192.129.117.4

This screen consists of between two and eight rows of four columns each.
Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular client in all circumstances. However, when the address server has been configured, and the clients involved have no prior address serving interactions, the Router will generally serve the first unused address from the first address pool with an available address.
DHCP NetBIOS Options
    Serve NetBIOS Type:             Yes
    NetBIOS Type...                 Type B
    Serve NetBIOS Scope:            No
    NetBIOS Scope:
    Serve NetBIOS Name Server:      No
    NetBIOS Name Server IP Addr:    0.0.0.0
Configure DHCP-served NetBIOS options here.

• To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes.
• From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network.
Select NetBIOS Name Server IP Addr and enter the IP address for the NetBIOS name server.

You are now finished setting up DHCP NetBIOS Options. To return to the IP Address Serving screen, press Escape.

• To enable BootP's address serving capability, select Serve BOOTP Clients and toggle to Yes.

Note: Addresses assigned through BootP are permanently allocated from the IP Address Serving pool until you release them.
• The ability to view the host name associated with a client to which the gateway has leased an IP address.
• The ability for the gateway's Ethernet IP address(es) to overlap the DHCP address serving pool(s).
• The ability to serve as a DHCP Relay Agent.

The Netopia Firmware Version 8.4 supports reserving an IP address only for a type 1 client identifier (i.e., an Ethernet hardware address). It does not support reserving an IP address for an arbitrary client identifier.
You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses.

Served IP Addresses
-IP Address------Type----Expires---Host Name/Client Identifier--------------
----------------------------SCROLL UP----------------------------
192.168.1.100
192.168.1.101
192.168.1.102
192.168.1.103
192.168.1.104
192.168.1.105
192.168.1.106
192.168.1.107
192.168.
Selecting Details... displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased.

Served IP Addresses
-IP Address------Type----Expires---Host Name/Client Identifier--------------
----------------------------SCROLL UP----------------------------
192.168.1.100
192.168.1.
An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an address if it determines that a leased address is already in use by another device. Selecting Include restores the selected IP address to the address serving pool so that the IP address is once again eligible to be served to a client.

• Release is displayed if the entry is currently offered, leased, or reserved.
Served IP Addresses
-IP Address------Type----Expires---Host Name/Client Identifier--------------
----------------------------SCROLL UP----------------------------
192.168.1.1      Excluded for the gateway's IP address
192.168.1.2      Excluded
192.168.1.3      DHCP     00:24     Barr's XPi 120
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7
192.168.1.8
192.168.1.9
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
192.168.1.
Main Menu > System Configuration > IP Address Serving

Select IP Address Serving and press Return. The IP Address Serving screen appears.

IP Address Serving
    IP Address Serving Mode...      [pop-up: Disabled / DHCP Server / DHCP Relay Agent]
    Number of Client IP Addresses:
    1st Client Address:
    Client Default Gateway...       192.168.1.1
    Serve DHCP Clients:             Yes
    DHCP NetBIOS Options...
    Serve BOOTP Clients:            Yes

Select IP Address Serving Mode.
IP Address Serving
    IP Address Serving Mode...      DHCP Relay Agent
    Relay Server #1:                10.1.1.1
    Relay Server #2:                20.1.1.1
    Relay Server #3:                30.1.1.1
Configure Address Serving (DHCP, BOOTP, etc.) here.

Now you can enter the IP address(es) of your remote DHCP server(s), such as might be located in your company's corporate headquarters. Each time you enter an IP address and press Return, an additional field appears. You can enter up to four DHCP server addresses.
Main Menu > WAN Configuration > Add Connection Profile

The Add Connection Profile screen appears.

Add Connection Profile
    Profile Name:                   Profile 1
    Profile Enabled:                Yes
    Data Link Encapsulation...      PPP
    Data Link Options...
    IP Profile Parameters...
    COMMIT                          CANCEL
Configure a new Conn. Profile. Finished? COMMIT or CANCEL to exit.

On a Router you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time, unless you are using VPNs.

1.
IP Profile Parameters
    Address Translation Enabled:    Yes
    IP Addressing...                Numbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    Local WAN IP Address:           0.0.0.0
    Local WAN IP Mask:              0.0.0.0
    Remote IP Address:              0.0.0.0
    Remote IP Mask:                 0.0.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
Configure IP requirements for a remote network connection here.

4.
Multicast Forwarding

Multicast is a method for transmitting large amounts of information to many, but not all, hosts over an Internet. One common use is to distribute real time audio and video to the set of hosts which have joined a distributed conference. Multicast is similar to radio or TV broadcasts in the sense that only those who have tuned in to a particular frequency receive the information. You see and hear the channel you are interested in, but not the others.
Main Menu > WAN Configuration > Add/Display/Change Connection Profile > IP Profile Parameters

IP Profile Parameters
    Address Translation Enabled:    Yes
    IP Addressing...                Numbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    Local WAN IP Address:           0.0.0.0
    Local WAN IP Mask:              0.0.0.0
    Remote IP Address:              0.0.0.0
    Remote IP Mask:                 0.0.0.0
    Filter Set...
    Remove Filter Set
    Multicast Forwarding...         [pop-up: None / Rx.]
    RIP Profile Options...
Chapter 7 Line Backup

Netopia Firmware Version 8.4 offers line backup functionality in the event of a line failure on the primary WAN link:
• to an internal V.92 modem (supported models) or
• to a backup default gateway.
• the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu

Here you enter a Backup Gateway IP address. See "IP Setup" on page 7-7. Alternatively, you can choose a different backup gateway device; see "Backup Default Gateway" on page 7-14.

Detailed descriptions follow.

Connection Profiles

The dial backup feature allows you to configure a complete Connection Profile for the modem backup, just as you do for your primary WAN connection.
Add Connection Profile
    Profile Name:                   Profile 1
    Profile Enabled:
    Encapsulation Type...           [pop-up: PPP / RFC1483 / ATMP / PPTP / IPsec / L2TP]
    Encapsulation Options...
    IP Profile Parameters...
    COMMIT                          CANCEL

Assuming you selected PPP, new fields appear.

Add Connection Profile
    Profile Name:                   Modem Backup
    Profile Enabled:                Yes
    Encapsulation Type...           PPP
    Encapsulation Options...
    IP Profile Parameters...
    Interface Group...
    Telco Options...
The Datalink (PPP/MP) Options screen appears.

Datalink (PPP/MP) Options
    Data Compression...             Standard LZS
    Send Authentication...          [pop-up: None / PAP / CHAP]
    Send User Name:
    Send Password:
    Receive User Name:
    Receive Password:
    Dial on Demand:                 Yes
PAP -- Password protection is used. Passwords are exchanged in clear text.

• Data Compression should remain set to Standard LZS.
• Because PAP sends the password in clear text, choose CHAP where the remote side supports it; CHAP proves possession of the password with a challenge-response exchange instead of transmitting it.
• Select IP Profile Parameters. The IP Profile Parameters screen appears.

IP Profile Parameters
    Address Translation Enabled:    Yes
    IP Addressing...                Unnumbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:    No
    Local WAN IP Address:           0.0.0.0
    Remote IP Address:              0.0.0.0
    Remote IP Mask:                 0.0.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
Toggle to Yes if this is a single IP address ISP account.
Telco Options
    Dial...                         Dial In/Out
    Dialing Prefix:
    Number to Dial:
    Alternate Site to Dial:
    Dial on Demand:                 Yes
    Idle Timeout (seconds):         300
    Callback:                       No
    CompuServe Login Enabled:       No

• From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default).
• Dialing Prefix: If you are connected to a Centrex or PBX phone system that requires you to dial a prefix number (such as "9" for an outside line), enter it here.
IP Setup

Here, you set the IP address of the alternate gateway. Navigate to the IP Setup screen under the System Configuration menu.

Main Menu > System Configuration > IP Setup

IP Setup
    Ethernet IP Address:            192.168.1.1
    Ethernet Subnet Mask:           255.255.255.0
    Define Additional Subnets...
    Default IP Gateway:             0.0.0.0
    Backup IP Gateway:              0.0.0.0
    Primary Domain Name Server:     0.0.0.0
    Secondary Domain Name Server:   0.0.0.0
    Domain Name:
    RIP Options...
    Multicast Forwarding...
    Static Routes...
WAN Configuration

To configure the modem characteristics, from the Main Menu select WAN Configuration and then WAN Setup.

Main Menu > WAN Configuration > WAN Setup

WAN Configuration
    WAN (Wide Area Network) Setup...
    ATM Circuits Configuration...
    Display/Change Connection Profile...
    Add Connection Profile...
    Delete Connection Profile...
    WAN Default Profile...
    ATMP/PPTP Default Profile...
    IKE Phase 1 Configuration...
    Advanced Connection Options...
Choose the interface to configure for backup, MODEM (Wan Module 2) Setup. The Internal Modem Setup screen appears.

Internal Modem Setup
    Modem Dialing Prefix:           ATDT
    PBX Dialing Prefix:
    Line Directory Number:
    Speaker On...                   Until Carrier
    Speaker Volume...               2-Medium
    Answer Incoming calls...        Always
    Country...                      United States
Enter the dialing prefix to be sent to all modems.

• Modem Dialing Prefix: ATDT is the standard Hayes-compatible code for alerting the modem itself.
Backup Configuration screen

Navigate to the Backup Configuration screen.

Main Menu > WAN Configuration > Advanced Connection Options > Backup Configuration

This screen is used to configure the conditions under which backup will occur, if it will recover, and how the modem is configured. For the internal V.
has gone down. Should this address become unreachable the router will treat this as a loss of connectivity and begin the backup timer. This loss is a Layer 2 loss.

Note: For best results, enter an IP address and not a host name. If a host name is used it may not be resolvable, and may keep the interface down. Set the Ping Host Name or IP Address to the router's Default Gateway, or other reliable IP address elsewhere on the backbone, for example, a DNS server.
Using Scheduled Connections with Backup

The backup link is a PPP dial-up connection and only connects to the Internet service provider when traffic is initiated from the LAN. If you want to use the backup link to provide redundancy for services, such as a Web service that you provide to the outside world, you must force the connection to stay up. You do this by creating a scheduled connection entry that will be a permanent "forced up" connection for the backup modem.
Add Scheduled Connection
    Scheduled Connection Enable:    On
    How Often...                    Weekly
    Schedule Type...                Forced Up
    Set Weekly Schedule...
    Use Connection Profile...
    ADD SCHEDULED CONNECTION        CANCEL
Return/Enter accepts * Tab toggles * ESC cancels.
Scheduled Connections dial remote Networks on a Weekly or Once-Only basis.

• Toggle Scheduled Connection Enable to On.
• From the How Often pop-up menu, select Weekly and press Return.
• Select Use Connection Profile, and press Return. A screen displays all of your Connection Profiles. Select the one you want to apply this scheduled connection to and press Return. Your selection becomes effective.

Now, if your primary WAN link fails, the backup link will become active and remain active until the primary link recovers.
The Backup Configuration screen appears.

Backup Configuration
    Backup Parameters
    Backup is...                        [pop-up: Disabled / Manual / Automatic]
    Requires Failure of (minutes):
    Ping Host Name or IP Address:
    Recovery to ADSL...                 Automatic
    Requires Recovery of (minutes):     1
    Auto-Recovery on loss of Layer 2:   No
Automatically switches to Backup Port on loss of Layer 1 or 2.
IP Setup screen

To configure the backup gateway, from the Main Menu select System Configuration then IP Setup.

Main Menu > System Configuration > IP Setup

The IP Setup screen appears. The IP Setup screen permits entry of a backup IP gateway address. This field is always visible, even if the Default IP Gateway field is not filled out, as in the case of a DHCP-acquired IP address and default gateway on the WAN interface.
Backup Management/Statistics

If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return.

Main Menu > Statistics & Logs > Backup Management/Statistics

The Backup Management/Statistics screen appears.
During recovery, the following reasons may appear:

Recovery of Layer 1   Indicates sync restored on the Primary link
Layer 2 Override      Indicates the backup occurred on layer 2, and 'Auto-Recovery on loss of Layer 2' was set to YES
Layer 2 Recovery      Indicates that backup was on Layer 2 and the interface is fully restored (including Backup Ping)

• Time Since Detection is a display-only field that is only visible if backup or recovery is in progress.
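As an added model (example code written for this guide, not the firmware's own logic), the following Python replays the Backup Configuration timers minute by minute, treating a failed Backup Ping as a Layer 2 loss and lost sync as a Layer 1 loss, and emits the recovery reasons listed above. The reading of Auto-Recovery on loss of Layer 2 it uses is an assumption of the example, and both scenarios are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class BackupConfig:
    """Fields of the Backup Configuration screen (constructed values)."""
    backup_is: str = "Automatic"               # Disabled / Manual / Automatic
    failure_minutes: int = 2                   # Requires Failure of (minutes)
    recovery: str = "Automatic"                # Recovery to ADSL...
    recovery_minutes: int = 3                  # Requires Recovery of (minutes)
    auto_recovery_on_l2_loss: bool = False     # Auto-Recovery on loss of Layer 2


@dataclass
class BackupMonitor:
    """Minute-by-minute state of the primary/backup decision."""
    cfg: BackupConfig
    link: str = "Primary"                      # "Primary" or "Backup"
    backup_layer: int = 0                      # 1 = sync lost, 2 = ping host unreachable
    fail_timer: int = 0                        # consecutive failed minutes on Primary
    recover_timer: int = 0                     # consecutive restored minutes on Backup
    events: list = field(default_factory=list)

    def _primary_restored(self, sync: bool, ping: bool) -> bool:
        # Assumption of this example (the flag's exact semantics are not spelled
        # out in the text): with Auto-Recovery on loss of Layer 2 = Yes, a Layer 2
        # backup recovers once Layer 1 sync is back ("Layer 2 Override"); with No,
        # the ping host must also answer again ("Layer 2 Recovery").
        if self.backup_layer == 2 and not self.cfg.auto_recovery_on_l2_loss:
            return sync and ping
        return sync

    def tick(self, minute: int, sync: bool, ping: bool) -> str:
        """Feed one minute of observation: DSL sync state and Backup Ping result."""
        if self.cfg.backup_is == "Disabled":
            return self.link
        if self.link == "Primary":
            # A failed ping counts as a Layer 2 loss and starts the backup timer.
            self.fail_timer = self.fail_timer + 1 if not (sync and ping) else 0
            if (self.cfg.backup_is == "Automatic"
                    and self.fail_timer >= self.cfg.failure_minutes):
                self.backup_layer = 1 if not sync else 2
                self.link, self.fail_timer = "Backup", 0
                self.events.append((minute, f"Backup: loss of Layer {self.backup_layer}"))
        else:
            self.recover_timer = (self.recover_timer + 1
                                  if self._primary_restored(sync, ping) else 0)
            if (self.cfg.recovery == "Automatic"
                    and self.recover_timer >= self.cfg.recovery_minutes):
                if self.backup_layer == 1:
                    reason = "Recovery of Layer 1"
                elif self.cfg.auto_recovery_on_l2_loss:
                    reason = "Layer 2 Override"
                else:
                    reason = "Layer 2 Recovery"
                self.link, self.recover_timer = "Primary", 0
                self.events.append((minute, reason))
        return self.link


def run_scenario(cfg: BackupConfig, samples):
    """samples: one (sync_up, ping_ok) pair per minute. Returns the (minute, event) log."""
    mon = BackupMonitor(cfg)
    for minute, (sync, ping) in enumerate(samples, start=1):
        mon.tick(minute, sync, ping)
    return mon.events


# Constructed scenario: sync stays up but the Ping Host is unreachable for four
# minutes (a Layer 2 loss), then answers again.
PING_LOSS = [(True, True)] * 2 + [(True, False)] * 4 + [(True, True)] * 5
# Constructed scenario: DSL sync drops for three minutes (a Layer 1 loss).
SYNC_LOSS = [(True, True)] + [(False, False)] * 3 + [(True, True)] * 3
```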
Chapter 8 Monitoring Tools

This chapter discusses the Router's device and network monitoring tools. These tools can provide statistical information, report on current network status, record events, and help in diagnosing and locating problems.
General status

Quick View                                          10/11/2002 07:31:26 AM
    Default IP Gateway:      0.0.0.0                CPU Load: 4%
    Primary DNS Server:      0.0.0.0                Unused Memory: 6044 KB
    Secondary DNS Server:    0.0.0.0                Gateway installed -- Backup
    Domain Name:             netopia.com

----------------MAC Address--------IP Address-------Status-------------------
Ethernet LAN:   00-00-c5-ff-70-00  192.168.1.1      100Mbps Full Duplex
ATM ADSL WAN:   00-00-c5-ff-70-02  0.0.0.0
USB LAN:        00-00-c5-9a-09-a9  192.168.
Current status

The current status section is a table showing the current status of the DSL connection. For example:

Current WAN Connection Status
Profile Name----------Rate--%Use-Remote Address-----Est.-More Info-----------
ISP                   1536  10   IP 92.163.4.1     Lcl  NAT 192.163.100.6

• Profile Name: Lists the name of the connection profile being used, if any.
• Rate: Shows the line rate for this connection.
Statistics & Logs
Main Menu > Statistics & Logs

When you are troubleshooting your Router, the Statistics & Logs screens provide insight into the recent event activities of the gateway. From the Main Menu go to Statistics & Logs and select one of the options described in the sections below.

Event Histories
Main Menu > Statistics & Logs
    • WAN Event History
    • Device Event History

The Netopia Firmware Version 8.4 records certain relevant occurrences in event histories.
WAN Event History

The WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top.

WAN Event History                         Current Date -- 10/11/2003 03:02:23 PM
-Date-----Time-----Event------------------------------------------------------
----------------------------SCROLL UP----------------------------
07/03/03 13:59:06  DSL: IP up, channel 1, gateway: 173.166.107.
In the Statistics & Logs screen, select Device Event History. The Device Event History screen appears.

Device Event History                      Current Date -- 10/11/2003 03:02:23 PM
-Date-----Time-----Event------------------------------------------------------
----------------------------SCROLL UP----------------------------
01/22/03 02:03:11  IP address server initialization complete
01/22/03 02:03:11  --BOOT: Warm start v8.
IP Routing Table
Main Menu > Statistics & Logs > IP Routing Table

The IP routing table displays all of the IP routes currently known to the Router.

IP Routing Table
Network Address-Subnet Mask-----via Gateway------Port------------------Type---
----------------------------SCROLL UP----------------------------
0.0.0.0          255.0.0.0        0.0.0.0          -                 Other
127.0.0.1        255.255.255.255  127.0.0.1        Loopback          Local
192.168.1.0      255.255.255.240  192.168.1.1      Ethernet          Local
192.168.1.1      255.255.255.
General Statistics
Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err
Ethernet Hub     1234567    123456     123456    123456     123456    12345
ATM ADSL 1       1234567    123456     123456    123456     123456    12345
Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err
IP               1234567    123456     123456    123456     123456    12345
VC Traffic Statistics...
System Information

The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears.

System Information
    Serial Number                   ff-70-00 (16740352)
    Firmware Version                8.
    ModelNumber
    Processor Speed (Mhz)
    Flash Rom Capacity (MBytes)
    DRAM Capacity (MBytes)
    Hardware Acceleration
Simple Network Management Protocol (SNMP)

The Netopia Firmware Version 8.4 includes a Simple Network Management Protocol (SNMP) agent, allowing monitoring and configuration by a standard SNMP manager. Netopia Routers now support SNMP-V1 and SNMP-V2c.

SNMP Heartbeat Trap

Netopia Firmware Version 8.4 implements a new enterprise-specific SNMP trap, called the heartbeat trap. This has been added to the SNMP MIB file npaV2trap.mib.
The SNMP Setup screen

From the Main Menu, select SNMP in the System Configuration screen and press Return. The SNMP Setup screen appears.

Main Menu > System Configuration > SNMP

SNMP Setup
    System Name:
    System Location:
    System Contact:
    System Trap Version:            [pop-up: SNMP-V1 / SNMP-V2c]
    Read-Only Community String:
    Read/Write Community String:
    Authentication Traps Enable:    Off
    IP Trap Receivers...
    SNMP V3 Setup...
Community strings

The Read-Only Community String and the Read/Write Community String are like passwords that must be used by an SNMP manager querying or configuring the Netopia Firmware Version 8.4. An SNMP manager using the Read-Only Community String can examine statistics and configuration information from the gateway, but cannot modify the gateway's configuration. An SNMP manager using the Read/Write Community String can both examine and modify configuration parameters. In SNMP-V1 and SNMP-V2c the community string travels unencrypted in every request, so it should be treated as a shared secret: choose values that are not easily guessed, keep the Read/Write string separate from the Read-Only one, and leave the Read/Write string unset unless a manager actually needs to change the configuration.
To go to the IP Trap Receivers screen, select IP Trap Receivers. The IP Trap Receivers screen appears.

IP Trap Receivers
    Display/Change IP Trap Receiver...
    Add IP Trap Receiver...
    Delete IP Trap Receiver...
Return/Enter to modify an existing Trap Receiver. Navigate from here to view, add, modify and delete IP Trap Receivers.

Setting the IP trap receivers

1. Select Add IP Trap Receiver.
2. Select Receiver IP Address or Domain Name.
Chapter 9 Security

The Netopia Firmware Version 8.4 provides a number of security features to help protect its configuration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.
Telnet Tiered Access - Two Password Levels

Netopia Firmware Version 8.4 offers tiered access control for greater security and protection against accidental or malicious misconfiguration. Service providers and network administrators can now limit the access of other users to the various configuration screens to prevent misconfigurations. The access privileges of various users that may be assigned are governed by a Superuser administrative account.
PCs using UPnP can retrieve the Gateway's WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. You can disable UPnP, if you are not using any UPnP devices or applications. You must reboot the Netopia device for this setting to take effect.
Limited user configuration

The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which configuration features a limited (non-Superuser) user can access. From the Security Options screen, select Add Access Name/Password. The Add Access Name/Password screen appears.

Add Access Name/Password
    Name (19 characters max):
    Password:
    Telnet Access Enabled:
    Web Access Enabled:
    Access Privileges...
Access Privileges (Custom)
    WAN Data Configuration:             No
    Connection Profile Configuration:   No
    Circuit (PVC/DLCI) Configuration:   No
    LAN Data Configuration:             Yes
    LAN Subnet Configuration:           Yes
    NAT/Filters Configuration:          Yes
    Preferences (Global) Configuration: Yes
    Voice Configuration:                Yes
    OK                                  CANCEL

You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection.
Advanced Security Options

The Advanced Security Options screen allows you to configure the global access privileges of users authenticated via a RADIUS server or a TACACS+ server. From the Security Options screen, select Advanced Security Options. The Advanced Security Options screen appears.

RADIUS server authentication

Advanced Security Options
    Remote Authentication...            RADIUS
    Security Databases...
Access Privileges (Custom)
    WAN Data Configuration:             Yes
    Connection Profile Configuration:   Yes
    Circuit (PVC/DLCI) Configuration:   Yes
    LAN Data Configuration:             Yes
    LAN Subnet Configuration:           Yes
    NAT/Filters Configuration:          Yes
    Preferences (Global) Configuration: Yes
    OK                                  CANCEL
Return/Enter accepts * Tab toggles * ESC cancels.

Since authentication via RADIUS server is, by definition, authentication of remote users, the WAN-related defaults are preset to Yes. Toggle any that should be changed.
TACACS+ server authentication

Netopia Firmware Version 8.4 supports TACACS+ server authentication. Its application to a Netopia Router is to control access to the Router's management interface, and to audit commands submitted by a user. The TACACS (Terminal Access Controller Access Control System) protocol provides access control for Netopia Routers via a centralized server. TACACS+ provides separate authentication, authorization and accounting services.
System Configuration
    IP Setup...
    Filter Sets...
    IP Address Serving...
    Network Address Translation (NAT)...
    Date and Time...
    Console Configuration...
    Change Access Password...
    Upgrade Feature Set...
    Logging...
Use this screen if you want options beyond Easy Setup.

Selecting this option displays the Change Access Password screen.

Change Access Password
    New Password:
    CHANGE PASSWORD NOW             CANCEL
Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
• All users have access to System Configuration, Quick Menus, and Quick View, but limited users have only limited access to configuration elements in their descendant menus.
• Configuration screen elements to which configuration access is forbidden are usually hidden.
• The Quick Menus screen reflects the security access level of the user. Menus to which configuration access is forbidden are hidden.
Security 9-11 WAN Configuration screens If a limited user is allowed WAN, Connection Profile, or PVC configuration access, the WAN Configuration option in the Main Menu is visible.
9-12 Firmware User Guide
Connection Profiles
The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection Profile in the Add Connection Profile screen the Superuser can toggle the Superuser Accessible Only option to Yes or No.
Add Connection Profile
  Profile Name:               Profile 1
  Profile Enabled:            Yes
  Encapsulation Type...       PPP
  Encapsulation Options...
  IP Profile Parameters...
  Superuser Accessible Only:  No
  COMMIT   CANCEL
Return/Enter to accept the profile.
Security 9-13 System Configuration User Access Level IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)... LAN NAT LAN NAT Global Date and Time... All Superuser Console Configuration... SNMP (Simple Network Management Protocol)... Security... Superuser, All Upgrade Feature Set... All Superuser Change Device to a Bridge... All Logging... Use this screen if you want options beyond Easy Setup.
9-14 Firmware User Guide
Utilities & Diagnostics menu
Based on access level, the Utilities & Diagnostics menu displays its configuration options according to the following diagram:
Utilities & Diagnostics                       User Access Level
  Ping...                                     Global
  Trace Route...                              Global
  Telnet...                                   Global
  Log off Serial Console Session...           All
  Trivial File Transfer Protocol (TFTP)...    Global
  Restart System...                           All
  Revert to Factory Defaults...               Superuser
Send ICMP Echo Requests to a network host.
Security 9-15 Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user.
9-16 Firmware User Guide The ATM Circuits Configuration menu screen appears as follows: ATM Circuits Configuration Display/Change WAN 1 Circuit... Add WAN 1 Circuit... Delete WAN 1 Circuit... Display/Change WAN 2 Circuit... Add WAN 2 Circuit... Delete WAN 2 Circuit... Note: Multiple ATM circuit configuration is supported on multiple ATM-capable gateways.
Security 9-17 About Filters and Filter Sets Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can greatly improve your network’s security. The Netopia Firmware Version 8.4’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the gateway’s filter sets for a variety of packet filtering applications.
9-18 Firmware User Guide Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
Security 9-19
• Blocks (discards) the packet
• Ignores the packet
A filter forwards or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the filter ignores the packet.
A filtering rule
The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certain actions based on certain conditions. For example, the following rule qualifies as a filter:
Block all Telnet attempts that originate from the remote host 199.211.211.
9-20 Firmware User Guide Internet service TCP port Internet service TCP port SMTP (mail) 25 News 144 Gopher 70 rlogin 513 Internet service UDP port Internet service UDP port Who Is 43 AppleTalk Routing Maintenance (at-rtmp) 202 World Wide Web 80 AppleTalk Name Binding (at-nbp) 202 SNMP 161 AURP (AppleTalk) 387 TFTP 69 who 513 Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number.
Security 9-21
Putting the parts together
When you display a filter set, its filters are displayed as rows in a table:
+-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
+----------------------------------------------------------------------+
| 1   192.211.211.17   0.0.0.0          TCP   0        23     Yes  No  |
| 2   0.0.0.0          0.0.0.0          TCP   NC       =6000  Yes  No  |
| 3   0.0.0.0          0.0.0.0          ICMP  --       --     Yes  Yes |
| 4   0.0.0.0          0.0.0.0          TCP   NC       >1023  Yes  Yes |
| 5   0.0.0.0          0.0.0.
9-22 Firmware User Guide Filtering example #1 Returning to our filtering rule example from above (see page 9-19), look at how a rule is translated into a filter. Start with the rule, then fill in the filter’s attributes: 1. The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17. 2. 3. 4. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
Security 9-23 This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it. In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.
9-24 Firmware User Guide • That which is not expressly permitted is prohibited. It is strongly recommended that you take the latter, and safer, approach to all of your filter set designs. Working with IP Filters and Filter Sets This section covers IP filters and filter sets. System Configuration Main Menu Filter Sets To work with filters and filter sets, begin by accessing the filter set screens. Note: Make sure you understand how filters work before attempting to use them.
Security 9-25 Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears. Add Filter Set... Filter Set Name: Filter Set 3 ADD FILTER SET CANCEL Naming a new filter set All new filter sets have a default name.
9-26 Firmware User Guide Adding filters to a filter set There are two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Internet, destined for your network. Output filters check packets transmitted from your network to the Internet. packet WAN input filter LAN packet output filter The Netopia Router Packets in the Netopia Firmware Version 8.
Security 9-27 Display/Change Filter Set... Filter Set Name: Filter Set 3 Add Input Filter to Filter Set... Display/Change Input Filter... Delete Input Filter... Move Input Filter... Add Output Filter to Filter Set... Display/Change Output Filter... Delete Output Filter... Move Output Filter... Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set.
9-28 Firmware User Guide 3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded. 4. Select Source IP Address and enter the source IP address this filter will match on. You can enter a subnet or a host address. 5. Select Source IP Address Mask and enter a mask for the source IP address.
Security 9-29
Change Filter
  Enabled:                 No
  Forward:                 No
  Source IP Address:       0.0.0.0
  Source IP Address Mask:  0.0.0.0
  Dest. IP Address:        0.0.0.0
  Dest. IP Address Mask:   0.0.0.0
  Protocol Type:           0
  Source Port Compare...   No Compare
  Source Port ID:          0
  Dest. Port Compare...    No Compare
  Dest. Port ID:           0
Enter the IP specific information for this filter.
Deleting filters
To delete a filter, select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to display a table of filters.
9-30 Firmware User Guide Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN. The five input filters and one output filter that make up Basic Firewall are shown in the table below.
Security 9-31 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN. Basic Firewall’s general strategy is to explicitly forward WAN-originated TCP and UDP traffic to ports greater than 1023.
9-32 Firmware User Guide
FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input filter ahead of the current input filter 1:
• Enabled: Yes
• Forward: Yes
• Source IP Address: 0.0.0.0
• Source IP Address Mask: 0.0.0.0
• Dest. IP Address: a.b.c.d
• Dest. IP Address Mask: 255.255.255.
Security 9-33
The new filterset screen appears as follows:
Change Input Filter 1
  Enabled:                    Yes
  Forward:                    Yes
  Call Placement/Idle Reset:  No Change
  Force Routing:              Yes
  Gateway IP Address:         163.176.8.134
  Source IP Address:          0.0.0.0
  Source IP Address Mask:     0.0.0.0
  Dest. IP Address:           0.0.0.0
  Dest. IP Address Mask:      0.0.0.
  TOS:
  TOS Mask:
  Protocol Type:
  Source Port Compare...
  Source Port ID:
  Dest. Port Compare...
  Dest. Port ID:
9-34 Firmware User Guide
Add Input Filter
  Enabled:                    Yes
  Forward:                    Yes
  Call Placement/Idle Reset:  No Change
  Force Routing:              Yes
  Gateway IP Address:         127.0.0.3
  Source IP Address:          0.0.0.0
  Source IP Address Mask:     0.0.0.0
  Dest. IP Address:           0.0.0.0
  Dest. IP Address Mask:      0.0.0.0
  TOS:                        16
  TOS Mask:                   16
  Protocol Type:              ANY
  ADD THIS FILTER NOW   CANCEL
Return/Enter to add this Filter to the Filter Set. Enter the packet specific information for this filter.
Security 9-35 Firewall Tutorial General firewall terms Filter rule: A filter set is comprised of individual filter rules. Filter set: A grouping of individual filter rules. Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks. Host: A workstation on the network. Packet: Unit of communication on the Internet.
9-36 Firmware User Guide
Example TCP/UDP Ports
TCP Port   Service      UDP Port   Service
20/21      FTP          161        SNMP
23         Telnet       69         TFTP
25         SMTP         387        AURP
80         WWW
144        News
Firewall design rules
There are two basic rules to firewall design:
• “What is not explicitly allowed is denied.” and
• “What is not explicitly denied is allowed.”
The first rule is far more secure, and is the best approach to firewall design.
Security 9-37 and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule. Binary representation It is easiest when doing filtering to convert the IP address and mask in question to binary. This will allow you to perform the logical AND to determine whether a packet matches a filter rule.
9-38 Firmware User Guide Established connections The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TCP, not UDP. The ACK bit is part of the TCP mechanism that guarantees the delivery of data. The ACK bit is set whenever one side of a connection has received data from the other side. Only the first TCP packet will not have the ACK bit set; once the TCP connection is in place, the remainder of the TCP packets will have the ACK bit set.
Security 9-39
  Less Than or Equal       Any port less than or equal to the port defined
  Equal                    Matches only the port defined
  Greater Than or Equal    Matches the port or any port greater
  Greater Than             Matches anything greater than the port defined
Example network
[Figure: an input packet filter placed between the Internet and the network; an example incoming packet with IP address 200.1.1.?? and data]
Example filters
Example 1
Filter Rule: 200.1.1.0 (Source IP Network Address)
             255.255.255.128 (Source IP Mask)
             Forward = No (What happens on match)
Incoming packet has the source address of 200.
9-40 Firmware User Guide
00000000 (Logical AND result)
This incoming IP packet has a source IP address that, after the logical AND, matches the network address in the Source IP Address field (00000000) configured in the Netopia Firmware Version 8.4, so the Router will not forward this packet.
Example 2
Filter Rule: 200.1.1.0 (Source IP Network Address)
             255.255.255.128 (Source IP Mask)
             Forward = No (What happens on match)
Incoming packet has the source address of 200.1.1.184.
IP Address 200.1.1.
Security 9-41
10110000 (Logical AND result)
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 10110000, this rule does not match and this packet will be forwarded.
Example 4
Filter Rule: 200.1.1.96 (Source IP Network Address)
             255.255.255.240 (Source IP Mask)
             Forward = No (What happens on match)
Incoming packet has the source address of 200.1.1.104.
IP Address 200.1.1.
9-42 Firmware User Guide
01100000 (Logical AND result)
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. This rule masks off a single IP address.
Configuration Management
Netopia Firmware Version 8.4 offers a Configuration Management feature. Configuration Management provides a way to store several gateway configurations in a single device for use at different times.
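The filter-matching rules of the preceding pages (first matching filter decides, logical AND of address and mask, the port comparison options, and the binary Examples 1 through 4) worked through in code, as an added example that is not Netopia's own code. The filter set is the four rows shown on page 9-21; because that table omits masks, a host mask for filter 1 and a default of discarding unmatched packets are assumptions.

```python
"""Added illustration, not Netopia code: models how the guide says a filter
set is evaluated (first matching filter decides, logical AND of address and
mask, port comparison options) so a filter set can be checked offline."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_binary(addr: str) -> str:
    """Dotted binary form, the notation the guide uses to work through masks."""
    return ".".join(format(int(o), "08b") for o in addr.split("."))

def address_matches(packet_ip: str, network: str, mask: str) -> bool:
    """Logical AND of the packet address with the mask, compared with the
    network address (masked too, so a host address in that field still works)."""
    m = ip_to_int(mask)
    return (ip_to_int(packet_ip) & m) == (ip_to_int(network) & m)

def port_matches(compare: str, port_id: int, packet_port: Optional[int]) -> bool:
    """Port comparison options of the Change Filter screen. 'NC' is No Compare,
    which matches any port, including none (ICMP carries no ports)."""
    if compare == "NC":
        return True
    if packet_port is None:
        return False
    return {"<": packet_port < port_id, "<=": packet_port <= port_id,
            "=": packet_port == port_id, ">=": packet_port >= port_id,
            ">": packet_port > port_id}[compare]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Filter:
    """One row of a filter set, with the fields the guide's table shows."""
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    proto: str                  # "TCP", "UDP", "ICMP" or "ANY"
    src_cmp: str = "NC"         # NC, <, <=, =, >=, >
    src_port: int = 0
    dst_cmp: str = "NC"
    dst_port: int = 0
    enabled: bool = True
    forward: bool = False

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or (self.proto != "ANY" and self.proto != pkt.proto):
            return False
        return (address_matches(pkt.src, self.src_ip, self.src_mask)
                and address_matches(pkt.dst, self.dst_ip, self.dst_mask)
                and port_matches(self.src_cmp, self.src_port, pkt.sport)
                and port_matches(self.dst_cmp, self.dst_port, pkt.dport))

def evaluate(filters: List[Filter], pkt: Packet,
             default_forward: bool = False) -> Tuple[bool, Optional[int]]:
    """Filter priority: walk the set in order and let the first match decide.
    Returns (forwarded, 1-based number of the deciding filter, or None when no
    filter matched). An unmatched packet follows default_forward; False is the
    "not expressly permitted is prohibited" behaviour Basic Firewall describes."""
    for number, flt in enumerate(filters, start=1):
        if flt.matches(pkt):
            return flt.forward, number
    return default_forward, None

# Constructed input filter set: the first four rows of the guide's example
# table. The table omits masks; a host mask for row 1 is an assumption, and
# row 1's ports are read as no-compare on source, equal to 23 on destination.
EXAMPLE_SET = [
    Filter("192.211.211.17", "255.255.255.255", "0.0.0.0", "0.0.0.0", "TCP",
           "NC", 0, "=", 23, forward=False),      # block Telnet from one host
    Filter("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "TCP",
           "NC", 0, "=", 6000, forward=False),    # block TCP to port 6000
    Filter("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "ICMP",
           forward=True),                          # pass ICMP
    Filter("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "TCP",
           "NC", 0, ">", 1023, forward=True),     # pass TCP to ports above 1023
]
```

Run evaluate(EXAMPLE_SET, Packet("192.211.211.17", "10.0.0.2", "TCP", 40000, 23)) to see filter 1 block the Telnet attempt, and address_matches("200.1.1.104", "200.1.1.96", "255.255.255.240") to reproduce Example 4.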
Security 9-43 Configuration Management Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears. Save Current Configuration Configuration Name: HappyInternet SAVE CANCEL Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Enter a descriptive name for your current configuration, select SAVE, and press Return.
9-44 Firmware User Guide
Configuration Management
  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...
+-Configuration Name---Type---+
+-----------------------------+
| Backup Config        Binary |
| HappyInternet        Binary |
|                             |
+-----------------------------+
A warning screen will ask you to confirm your choice.
TFTP
You can also send or receive your stored configuration files via TFTP.
Utilities and Diagnostics 10-1 Chapter 10 Utilities and Diagnostics A number of utilities and tests are available for system diagnostic and control purposes.
10-2 Firmware User Guide Ping The Netopia Firmware Version 8.4 includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender. Ping allows you to see whether a particular IP destination is reachable from the Router. You can also ascertain the quality and reliability of the connection to the desired destination by studying the Ping test’s statistics.
Utilities and Diagnostics 10-3
Status: The current status of the Ping test. This item can display the status messages shown in the table below:
Message                    Description
Resolving host name        Finding the IP address for the domain name-style address
Can’t resolve host name    IP address can’t be found for the domain name-style address
Pinging                    Ping test is in progress
Complete                   Ping test was completed
Cancelled by user          Ping test was cancelled manually
Destination unreachable from w.x.y.
10-4 Firmware User Guide Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statistic may be updated during the Ping test, and may not be accurate until after the test is over. However, if an escalating one-to-one correspondence is seen between Packets Out and Packets Lost, and Packets In is noticeably lagging behind Packets Out, the destination is probably unreachable. In this case, use STOP PING.
Utilities and Diagnostics 10-5 4. Select Use Reverse DNS to learn the names of the gateways between the Netopia Router and the destination gateway. The default is Yes. 5. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected. 6. Cancel the trace by pressing Escape. Return to the Trace Route screen by pressing Escape twice.
10-6 Firmware User Guide Factory Defaults You can reset the Router to its factory default settings. In the Utilities & Diagnostics screen, select Revert to Factory Defaults and press Return. Select CONTINUE in the dialog box and press Return. The Router will reboot and its settings will return to the factory defaults, deleting your configurations. In an emergency, you can also use the Reset switch to return the gateway to its factory default settings.
Utilities and Diagnostics 10-7 Updating firmware Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s network administrator. The Router ships with an embedded operating system referred to as firmware. The firmware governs how the device communicates with your network and the WAN or remote site. Firmware updates are periodically posted on the Netopia website.
10-8 Firmware User Guide • Select Config File Name and enter the name of the file you will download. The name of the file is available from the site where the server is located. You may need to enter a file path along with the file name (for example, bigroot/config/myfile). • Select GET CONFIG FROM SERVER and press Return.
Troubleshooting A-1 Appendix A Troubleshooting This appendix is intended to help you troubleshoot problems you may encounter while setting up and using Netopia Firmware Version 8.4. It also includes information on how to contact Netopia Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics & Logs screen.
A-2 Firmware User Guide Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will need to clear the IP address or reset your Router to the factory default before reinitiating the configuration process. For further information on resetting your Router to factory default, see “How to Reset the Router to Factory Defaults” on page A-3.
Troubleshooting A-3 How to Reset the Router to Factory Defaults Lose your password? This section shows how to reset the Netopia Router so that you can access the configuration screens once again. Note: Keep in mind that all of your settings will need to be reconfigured. If you don't have a password, the only way to access the Netopia Router is the following: 1. Referring to the diagram below, find the round Reset Switch opening.
A-4 Firmware User Guide Environment profile • Locate the Router’s model number, product serial number, and firmware version. The serial number is on the bottom of the gateway, along with the model number. The firmware version appears in the Netopia Router’s Main Menu screen.
Understanding IP Addressing B-1 Appendix B Understanding IP Addressing This appendix is a brief general introduction to IP addressing. A basic understanding of IP will help you in configuring the Netopia Firmware Version 8.4 and using some of its powerful features, such as static routes and packet filtering.
B-2 Firmware User Guide IP addresses are maintained and assigned by the InterNIC, a quasi-governmental organization now increasingly under the auspices of private industry. Note: It’s very common for an organization to obtain an IP address from a third party, usually an Internet service provider (ISP). ISPs usually issue an IP address when they are contracted to provide Internet access services. The InterNIC (the NIC stands for Network Information Center) divides IP addresses into several classes.
Understanding IP Addressing B-3 Subnet masks To create subnets, the network manager must define a subnet mask, a 32-bit number that indicates which bits in an IP address are used for network and subnetwork addresses and which are used for host addresses. One subnet mask should apply to all IP networks that are physically connected together and share a single assigned network number. Subnet masks are often written in decimal notation like IP addresses, but they are most easily understood in binary notation.
B-4 Firmware User Guide
Network configuration
Below is a diagram of a simple network configuration. The ISP is providing a Class C address to the customer site, and both networks A and B want to gain Internet access through this address. Router B connects to Router A and is provided Internet access through Routers A and B.
[Diagram: Customer Site A and the ISP Network, with the following labels]
  PC 1: IP Address: 192.168.1.3, Subnet Mask: 255.255.255.128, Gateway: 192.168.1.1
  Router B:
  Router A: IP Address: 10.0.0.1, Subnet Mask: 255.255.255.
Understanding IP Addressing B-5 Background The IP addresses and routing configurations for the devices shown in the diagram are outlined below. In addition, each individual field and its meaning are described. The IP Address and Subnet Mask fields define the IP address and subnet mask of the device's Ethernet connection to the network while the Remote IP and Remote Sub fields describe the IP address and subnet mask of the remote gateway. This information is entered in the connection profile of the Router.
B-6 Firmware User Guide These two methods are not mutually exclusive; you can manually issue some of the addresses while the rest are distributed by the Router. Using the gateway in this way allows it to function as an address server. One reason to use the Router as an address server is that it takes less time than manually distributing the addresses. This is particularly true if you have many addresses to distribute.
Understanding IP Addressing B-7 Configuration This section describes the specific IP address lease, renew, and release mechanisms for both the Mac and PC, with either DHCP or MacIP address serving. DHCP address serving Windows 95 workstation: • The Win95 workstation requests and renews its lease every half hour. • The Win95 workstation does NOT relinquish its DHCP address lease when the machine is shut down.
B-8 Firmware User Guide • For a dynamic address, the Router releases the address back to the address pool after it has lost contact with the Mac workstation for over 2 minutes. • For a static address, the Router releases the address back to the address pool after it has lost contact with the Mac workstation for over 20 minutes. Netopia Firmware Version 8.4 MacIP server characteristics The Mac workstation uses ATP to both request and receive an address from the Router's MacIP server.
Understanding IP Addressing B-9 • define the address that you want to serve in the Connection Profile's IP Setup screen. This method requires a static value to be used. Thus any user dialing in can obtain the same IP address for every connection to the profile. If you want to serve addresses statically, define the address in the Connection Profile. Notes: • The addresses that are to be served cannot be used elsewhere.
B-10 Firmware User Guide
[Figure: a block of IP host addresses numbered 1 through 16, derived from the network IP address + mask issued by the ISP. Address 1 is distributed to the Router (Ethernet IP address); the remaining addresses 2 through 16 are divided between addresses distributed manually (static) and the pool of addresses distributed by MacIP and DHCP.]
The figure above shows an example of a block of IP addresses being distributed correctly.
Understanding IP Addressing B-11 Nested IP Subnets Under certain circumstances, you may want to create remote subnets from the limited number of IP addresses issued by your ISP or other authority. You can do this using connection profiles. These subnets can be nested within the range of IP addresses available to your network. For example, suppose that you obtain the Class C network address a.b.c.0 to be distributed among three networks.
B-12 Firmware User Guide
[Diagram: the Internet; Router A on network a.b.c.0, with the addresses a.b.c.1, a.b.c.2 and a.b.c.16 shown; Router B with subnet a.b.c.128 and address a.b.c.129; Router C with subnet a.b.c.248 and address a.b.c.249.]
Routers B and C (which could also be Routers) serve the two remote networks that are subnets of a.b.c.0. The subnetting is accomplished by configuring the Router with connection profiles for Routers B and C (see the following table).
Connection profile   Remote IP address   Remote IP mask   Bits available for host address
For Router B         a.b.c.128           255.255.255.
Understanding IP Addressing B-13
IP Routing Table
Network Address  Subnet Mask      via Gateway  Port      Type
----------------------------------------------------------------SCROLL UP----
0.0.0.0          0.0.0.0          a.b.c.1      -         Other
127.0.0.1        255.255.255.255  127.0.0.1    Loopback  Local
a.b.c.128        255.255.255.192  a.b.c.128    WAN       Local
a.b.c.248        255.255.255.248  a.b.c.
B-14 Firmware User Guide
The following diagram illustrates the IP address space taken up by the two remote IP subnets. You can see from the diagram why the term nested is appropriate for describing these subnets.
[Diagram: the address range 1 through 254 available to a.b.c.0, less the two nested subnets: valid addresses 129 through 190 are used by a.b.c.128, and valid addresses 249 through 254 are used by a.b.c.248.]
Broadcasts
As mentioned earlier, binary IP host or subnet addresses composed entirely of ones or zeros are reserved for broadcasting.
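The nested subnets above worked through in code, as an added example that is not Netopia's own code, using Python's ipaddress module; 192.0.2.0/24 is assumed in place of the guide's placeholder a.b.c.0, and the masks 255.255.255.192 and 255.255.255.248 are the ones the routing table on page B-13 shows. It reports each subnet's host range and reserved all-zeros/all-ones addresses, checks that the subnets lie inside the block without overlapping, and lists what remains for the local network.

```python
"""Added illustration, not Netopia code: the nested IP subnets of the example
above, carved out of one Class C block with Python's ipaddress module."""
import ipaddress
from typing import Dict, List, Tuple

# The guide writes the block as a.b.c.0; 192.0.2.0/24 stands in for it here.
PARENT = ipaddress.ip_network("192.0.2.0/24")
# Remote IP address and Remote IP mask of the two connection profiles, with
# the masks the guide's routing table shows for a.b.c.128 and a.b.c.248.
NESTED = {
    "Router B": ("192.0.2.128", "255.255.255.192"),
    "Router C": ("192.0.2.248", "255.255.255.248"),
}


def subnet_summary(addr: str, mask: str) -> Dict[str, object]:
    """Host range and reserved addresses of one nested subnet. strict=True
    rejects a remote address whose host bits are not all zero."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),      # all-zeros host part, reserved
        "broadcast": str(net.broadcast_address),  # all-ones host part, reserved
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_bits": 32 - net.prefixlen,          # "bits available for host address"
        "usable": len(hosts),
    }


def remaining_hosts(parent, nested_nets) -> List[Tuple[str, str]]:
    """Contiguous ranges of parent host addresses not taken up by any nested
    subnet; these are what the local LAN and its address pools may use."""
    ranges, start, prev = [], None, None
    for host in parent.hosts():
        if any(host in net for net in nested_nets):
            continue
        if prev is not None and int(host) == int(prev) + 1:
            prev = host
            continue
        if start is not None:
            ranges.append((str(start), str(prev)))
        start = prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


def plan_nested(parent, nested) -> Dict[str, object]:
    """Validate the plan (every subnet inside the parent, no two overlapping)
    and report each subnet plus the addresses left for the local network."""
    nets = {}
    for name, (addr, mask) in nested.items():
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        if not net.subnet_of(parent):
            raise ValueError(f"{name}: {net} is not inside {parent}")
        for other_name, other in nets.items():
            if net.overlaps(other):
                raise ValueError(f"{name}: {net} overlaps {other_name} {other}")
        nets[name] = net
    remaining = remaining_hosts(parent, list(nets.values()))
    return {
        "subnets": {name: subnet_summary(a, m) for name, (a, m) in nested.items()},
        "remaining": remaining,
        "remaining_count": sum(int(ipaddress.ip_address(b)) - int(ipaddress.ip_address(a)) + 1
                               for a, b in remaining),
    }
```

plan_nested(PARENT, NESTED) reproduces the diagram's 129 through 190 and 249 through 254 host ranges and leaves 1 through 127 and 192 through 247 for the a.b.c.0 network itself.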
Binary Conversion Table C-1 Appendix C Binary Conversion Table This table is provided to help you choose subnet numbers and host numbers for IP and MacIP networks that use subnetting for IP addresses.
C-2 Firmware User Guide
Decimal  Binary     Decimal  Binary     Decimal  Binary     Decimal  Binary
30       11110      62       111110     94       1011110    126      1111110
31       11111      63       111111     95       1011111    127      1111111

Decimal  Binary     Decimal  Binary     Decimal  Binary     Decimal  Binary
128      10000000   160      10100000   192      11000000   224      11100000
129      10000001   161      10100001   193      11000001   225      11100001
130      10000010   162      10100010   194      11000010   226      11100010
131      10000011   163      10100011   195      11000011   227      11100011
132      1000010
Binary Conversion Table C-3
159      10011111   191      10111111   223      11011111   255      11111111
Technical Specifications and Safety Information D-1 Appendix D Technical Specifications and Safety Information Description Dimensions: 13.5 cm (w) x 13.5 cm (d) x 3.5 cm (h); 5.25” (w) x 5.25” (d) x 1.5” (h) Communications interfaces: The Netopia 3300 Series Routers have an RJ-11 jack for DSL line connections or an RJ-45 jack for Ethernet WAN line connections and 1 or 4–port 10/100Base-T Ethernet switch for your LAN connections.
D-2 Firmware User Guide Agency approvals North America Safety Approvals: • United States – UL 60950 Third Edition • Canada – CSA: CAN/CSA-C22.2 No. 60950-00 EMC: • United States – FCC Part 15 Class B • Canada – ICES-003 Telecom: • United States – FCC Part 68 • Canada – CS-03 International Safety Approvals: • Low Voltage (European directive) 73/23 • EN60950 (Europe) EMI Compatibility: • 89/336/EEC (European directive) • EN55022:1994 • EN300 386 V1.2.
Technical Specifications and Safety Information D-3 Manufacturer’s Declaration of Conformance Note: Warnings: This is a Class B product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. Adequate measures include increasing the physical distance between this product and other electrical devices.
D-4 Firmware User Guide Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. In some cases, the company’s inside wiring associated with a single line individual service may be extended by means of a certified connector assembly (telephone extension cord).
Technical Specifications and Safety Information D-5 • USB-powered models: For Use with Listed I.T.E. Only. Telecommunication installation cautions • Never install telephone wiring during a lightning storm. • Never install telephone jacks in wet locations unless the jack is specifically designed for wet locations. • Never touch uninsulated telephone wires or terminals unless the telephone line has been disconnected at the network interface. • Use caution when installing or modifying telephone lines.
D-6 Firmware User Guide b) List all applicable certification jack Universal Service Order Codes (“USOC”) for the equipment: RJ11. c) A plug and jack used to connect this equipment to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by the ACTA. A compliant telephone cord and modular plug is provided with this product. It is designed to be connected to a compatible modular jack that is also compliant.
Technical Specifications and Safety Information D-7 Electrical Safety Advisory Telephone companies report that electrical surges, typically lightning transients, are very destructive to customer terminal equipment connected to AC power sources. This has been identified as a major nationwide problem. Therefore it is advised that this equipment be connected to AC power through the use of a surge arrestor or similar protection device.