Netopia Firmware User Guide
3300-ENT Enterprise-Series
Netopia Firmware Version 8.
Copyright © 2006, Netopia, Inc. Netopia, the Netopia logo, Broadband Without Boundaries, and 3-D Reach are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. All other trademarks are the property of their respective owners. All rights reserved.
Netopia, Inc.
6001 Shellmound Street
Emeryville, CA 94608
U.S.A.
Contents
Chapter 1 — Introduction 1-1
  What’s New in 8.7 1-1
  Telnet-based Management 1-2
  Netopia Telnet Menus 1-2
  Netopia Models 1-3
  Screen differences
  Adding Port interfaces 3-16
  Changing or Deleting a VLAN 3-18
  Changing or Deleting an Authentication Server Configuration 3-18
  Configuring additional Authentication Servers 3-20
  Date and time 3-22
  Wireless configuration
  Modifying map lists
  Adding Server Lists
  Modifying server lists
  Deleting a server
  Binding Map Lists and Server Lists
  IP profile parameters
  IP Parameters (WAN Default Profile)
  NAT Associations
  PPTP example 5-25
  ATMP example 5-28
  Windows Networking Broadcasts 5-32
Chapter 6 — Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-1
  Overview 6-1
  Internet Key Exchange (IKE) Configuration
  Additional LANs 7-37
Chapter 8 — Line Backup 8-1
  Configuring Backup 8-1
  Connection Profiles 8-2
  IP Setup 8-7
  WAN Configuration
  Limited user configuration 10-4
  Advanced Security Options 10-6
  RADIUS server authentication 10-7
  TACACS+ server authentication 10-8
  Warning alerts 10-9
  User access password 10-12
  User menu differences 10-13
  Telnet Access
  Factory Defaults 11-6
  Transferring Configuration and Firmware Files with TFTP 11-6
  Updating firmware 11-7
  Downloading configuration files 11-7
  Uploading configuration files 11-8
  Restarting the System 11-8
Appendix A — Troubleshooting
Introduction 1-1
Chapter 1 Introduction
This Firmware User Guide covers the advanced features of the Netopia ENT Enterprise-Series Router family. Your Netopia equipment offers advanced configuration features accessed through the Main Menu of the Telnet configuration screen. This Firmware User Guide documents the advanced features, including advanced testing, security, monitoring, and configuration.
1-2 Firmware User Guide
Telnet-based Management
Telnet-based management is a fast, menu-driven interface for the capabilities built into Netopia Firmware Version 8.7. Telnet-based management provides access to a wide variety of features that the Router supports. You can customize these features for your individual setup. This chapter describes how to access the Telnet-based management screens.
• The WAN Configuration menu displays and permits changing your connection profile(s), Virtual Private Networks (VPNs) and default profile, creating or deleting additional connection profiles, and configuring or reconfiguring the manner in which you may be using the Router to connect to more than one service provider or remote site. See “WAN Configuration,” beginning on page 2-1. See also Chapter 5, “Virtual Private Networks (VPNs).”
Connecting through a Telnet Session
Features of Netopia Firmware Version 8.7 can be configured through the Telnet screens. Before you can access the console screens through Telnet, you must have:
• A network connection locally to the Router or IP access to the Router.
Navigating through the Telnet Screens
Use your keyboard to navigate the Netopia Firmware Version 8.7 configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the Telnet screens.
To... Use These Keys...
Chapter 2 WAN Configuration
This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s connection profile configuration.
WAN Ethernet Configuration screen
The WAN Ethernet Configuration screen appears as follows:
    WAN Ethernet Configuration
      Address Translation Enabled: Yes
      Obtain WAN address via DHCP: On
      NAT Map List... Easy-PAT List
      NAT Server List... Easy-Servers
      NAT Options...
      Stateful Inspection Enabled: No
      Filter Set...
      Remove Filter Set
      WAN Ethernet Speed Setting... Auto-Negotiation
      WAN Ethernet MAC Address: 00:0f:cc:0b:9d:ce
      DHCP Client Mode: Standards-Based
      RIP Options...
• The WAN Ethernet Speed Setting is configurable via a pop-up menu. Options are:
  • Auto-Negotiation (the default)
  • 100 Mbps Full Duplex
  • 100 Mbps Half Duplex
  • 10 Mbps Full Duplex
  • 10 Mbps Half Duplex
  • 100 Mbps, Full Duplex, Fixed
  • 100 Mbps, Half Duplex, Fixed
  • 10 Mbps, Full Duplex, Fixed
  • 10 Mbps, Half Duplex, Fixed
  This may be useful in mixed networks, where multiple routers have different Ethernet speed capabilities.
The Transmit RIP pop-up menu is hidden if NAT is enabled. Routing Information Protocol (RIP) is needed if there are IP routers on other segments of your Ethernet network that the Netopia Router needs to recognize. Set to “Both” (the default), Netopia Firmware Version 8.7 accepts routing information from either RIP v1 or RIP v2 routers. Alternatively, select Receive RIP and choose v1, v2, or v2 MD5 Authentication from the pop-up menu.
Usually, the default AutoSense will detect the wiring type and adjust itself accordingly. If you want to set it yourself, and you know the type of wiring you have, choose either Tip/Ring (Inner Pair) or A/A1 (Outer Pair) from the pop-up menu.
6. Select Data Link Encapsulation and press Return. The pop-up menu offers the choice of PPP or RFC1483.
    ATM Circuits Configuration
      Show/Change Circuit...
      Add Circuit...
      Delete Circuit...
7. To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears.
    Add Circuit
      Circuit Name: Circuit 2
      Circuit Enabled: Yes
      Circuit VPI (0-255): 0
      Circuit VCI (32-65535):
      QoS...
      Peak Cell Rate (0 = line rate):
      Use Connection Profile...
Quality of Service (QoS) settings
Note: QoS settings are not available on Ethernet-to-Ethernet WAN models.
• Select the QoS (Quality of Service) setting from the pop-up menu: UBR, CBR, or VBR.
  UBR: No configuration is needed for UBR VCs. Leave the default value 0 (maximum line rate).
  CBR: One parameter is required for CBR VCs. Enter the Peak Cell Rate that applies to the VC. This value should be between 1 and the line rate.
Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC is automatically bound statically, according to the pre-defined dynamic binding rules, when you add the second VC. It reverts to dynamic binding if the number of VCs is reduced to one, for example by deleting previously defined VCs.
Creating a New Connection Profile
Connection profiles are useful for configuring the connection and authentication settings for negotiating a PPP connection. If you are using the PPP data link encapsulation method, you can store your authentication information in the connection profile so that your user name and password (or host name and secret) are transmitted when you attempt to connect.
Multiple Data Link Encapsulation Settings
4. Select Encapsulation Options and press Return.
• If you selected ATMP, PPTP, L2TP, or IPSec, see Chapter 5, “Virtual Private Networks (VPNs).”
• If you selected PPP or RFC1483, the screen offers different options:
    Add Connection Profile
      Profile Name:
      Profile Enabled:
      Encapsulation Type...
      RFC1483 Mode...
Datalink (PPP/MP) Options
    Datalink (PPP/MP) Options
      Data Compression... Standard LZS
      Send Authentication... PAP
      Send User Name:
      Send Password:
      Receive User Name:
      Receive Password:
• Data Compression defaults to Standard LZS. You can select Ascend LZS, if you are connecting to compatible equipment, or None from the pop-up menu.
• The Send Authentication pop-up menu lets you select PAP, CHAP, or None.
IP Profile Parameters
    IP Profile Parameters
      Address Translation Enabled: Yes
      IP Addressing... Numbered
      NAT Map List... Easy-PAT List
      NAT Server List... Easy-Servers
      NAT Options...
      Stateful Inspection Enabled: No
      Local WAN IP Address: 0.0.0.0
      Local WAN IP Mask: 0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...
    Return/Enter to select ...
    Configure IP requirements for a remote network connection here.
6. Toggle or enter your IP Parameters.
• The Receive RIP pop-up menu controls the reception and transmission of Routing Information Protocol (RIP) packets on the WAN port. The default is Both v1 and v2. The Transmit RIP pop-up menu is hidden if NAT is enabled. Routing Information Protocol (RIP) is needed if there are IP routers on other segments of your Ethernet network that the Netopia Router needs to recognize. Set to “Both” (the default) Netopia Firmware Version 8.
9. Select COMMIT and press Return. Your new Connection Profile will be added.
If you want to view the Connection Profiles in your device, return to the WAN Configuration screen and select Display/Change Connection Profile. The list of Connection Profiles is displayed in a scrolling pop-up screen.
    WAN Configuration
      +-Profile Name---------------------IP Address------+
      | Easy Setup Profile               255.225.255.255 |
      | Profile 1                        0.0.0.
Advanced Connection Options
Depending on your model, the Advanced Connection Options screen offers a variety of powerful options for advanced users. Screens shown in this section may vary from what your particular model displays.
Configuration Changes Reset WAN Connection
The menu supports delaying some configuration changes until after the Netopia Router is restarted.
When you toggle Configuration Changes Reset WAN Connection either to Yes or No using the Tab key and press Return, a pop-up window asks you to confirm your choice.
    Advanced Connection Options
      +----------------------------------------------------+
      | The Router will now be restarted to allow this     |
      | feature to function properly.
Scheduled Connections
    Scheduled Connections
      Display/Change Scheduled Connection...
      Add Scheduled Connection...
      Delete Scheduled Connection...
    Navigate from here to add/modify/change/delete Scheduled Connections.
Viewing scheduled connections
To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table.
    Scheduled Connections
      +-Days----Begin At---HH:MM---When----Conn. Prof.
• The time of day that the connection will Begin At
• The duration of the connection (HH:MM)
• Whether it’s a recurring Weekly connection or used Once Only
• Which connection profile (Conn. Prof.) is used to connect
• Whether the scheduled connection is currently Enabled
The Router checks the date and time set in scheduled connections against the system date and time.
• Demand-Blocked, meaning that this schedule will prevent a demand call on the line.
• Periodic, meaning that the connection is retried several times during the scheduled time.
• Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per call.
• Retry interval (minutes) becomes visible if you have selected Random Retry. This option sets the upper limit, in minutes, on the retry time used for the attempts after the first three. It accepts values of 1 – 255 minutes; the default setting is 5 minutes.
You are finished configuring the once-only options. Return to the Add Scheduled Connection screen to continue.
• In the Add Scheduled Connection screen, select Use Connection Profile and choose from the list of connection profiles you have already created. A scheduled connection must be associated with a connection profile to be useful. The connection profile becomes active during the times specified in the associated scheduled connection, if any exists.
Diffserv Options
Netopia Firmware Version 8.7 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Router to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network. For example, you may want streaming video conferencing to use high-quality but more restrictive connections, or you might want e-mail to use less restrictive but less reliable connections.
The Diffserv options are displayed.
    Diffserv Options
      Diffserv Enabled: Yes
      Lo/Hi Ratio: 0
      Show/Change Rules...
      Add Rules...
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
• Enter a value from 60 to 100 (percent) in the Lo/Hi Ratio field. Differentiated Services uses the low-to-high priority queue ratio to regulate traffic flow.
The Diffserv Rule screen appears.
    Diffserv Rule
      Name:
      Protocol... TCP
      Priority... off
      Direction... outbound
      Start Port: 0
      End Port: 0
      Inside Ip Address: 0.0.0.0
      Inside Ip Netmask: 0.0.0.0
      Outside Ip Address: 0.0.0.0
      Outside Ip Netmask: 0.0.0.0
      COMMIT   CANCEL
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
• Name – Enter a name in this field to label the rule.
• Inside IP Address/Netmask – For outbound flows, specify an IP address and subnet mask on your LAN. For inbound flows, this setting is ignored.
• Outside IP Address/Netmask – If you want traffic destined for and originating from a certain WAN IP address to be controlled, enter the IP address and subnet mask here. If you leave the default all-zeroes, the outside address check is ignored.
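The following Python is an added example written for this edition of the guide; it is not Netopia code and does not run on the Router. It models one row of the Diffserv Rule screen as a record and classifies a packet against a list of such rules using the checks described above: an all-zeroes netmask disables the address check, and the inside address is consulted only for outbound flows. The priority labels ("off", "low", "high"), first-match ordering, the reading of a 0-0 port range as "any port", the choice of the WAN-side port as the port compared, and the sample rules and packets are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DiffservRule:
    """One row of the Diffserv Rule screen. All-zeroes address/netmask means 'not checked'."""
    name: str
    protocol: str          # "TCP" or "UDP"
    priority: str          # queue the rule maps to; "off", "low", "high" are assumed labels
    direction: str         # "inbound" or "outbound"
    start_port: int = 0    # 0-0 is read as "any port" (assumption)
    end_port: int = 0
    inside_ip: str = "0.0.0.0"
    inside_mask: str = "0.0.0.0"
    outside_ip: str = "0.0.0.0"
    outside_mask: str = "0.0.0.0"


def in_subnet(addr: str, net_ip: str, net_mask: str) -> bool:
    """True when addr lies inside net_ip/net_mask; an all-zeroes mask disables the check."""
    if net_mask == "0.0.0.0":
        return True
    network = ipaddress.IPv4Network(f"{net_ip}/{net_mask}", strict=False)
    return ipaddress.IPv4Address(addr) in network


def port_in_range(port: int, start: int, end: int) -> bool:
    if start == 0 and end == 0:
        return True
    return start <= port <= end


def rule_matches(rule: DiffservRule, pkt: dict) -> bool:
    """pkt keys: direction, proto, lan_ip (inside host), wan_ip (outside host),
    port (the WAN-side port; which port the Router compares is an assumption)."""
    if pkt["direction"] != rule.direction or pkt["proto"] != rule.protocol:
        return False
    if not port_in_range(pkt["port"], rule.start_port, rule.end_port):
        return False
    # The guide states the inside address/netmask is only consulted for outbound flows.
    if rule.direction == "outbound" and not in_subnet(pkt["lan_ip"], rule.inside_ip, rule.inside_mask):
        return False
    # The outside check applies in both directions unless left at all-zeroes.
    return in_subnet(pkt["wan_ip"], rule.outside_ip, rule.outside_mask)


def classify(rules, pkt: dict) -> str:
    """Priority of the first matching rule, or 'off' when none matches (first-match is an assumption)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.priority
    return "off"


# Constructed sample rule set (not from the guide).
RULES = [
    DiffservRule("voip-out", "UDP", "high", "outbound", 5060, 5061,
                 inside_ip="192.168.1.0", inside_mask="255.255.255.0"),
    DiffservRule("conf-in", "UDP", "high", "inbound",
                 outside_ip="203.0.113.10", outside_mask="255.255.255.255"),
    DiffservRule("bulk-mail", "TCP", "low", "outbound", 25, 25),
]

if __name__ == "__main__":
    pkt = {"direction": "outbound", "proto": "UDP", "lan_ip": "192.168.1.20",
           "wan_ip": "198.51.100.7", "port": 5060}
    print(classify(RULES, pkt))
```

Rules are ordered, so a broad rule placed first shadows more specific ones after it; when reviewing a rule table, check the order as well as the individual masks.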
    Advanced Connection Options
      Configuration Changes Reset WAN Connection: Yes
      Scheduled Connections...
      Backup Configuration...
      Prioritize Delay-Sensitive Data: No
      Diffserv Options...
      VRRP Options...
    Return/Enter to configure SA Backup Parameters.
The Router recognizes a delay-sensitive packet as one having the low-latency bit set in the TOS field of the IP header.
VRRP Options
    WAN Link Failure Detection
      Ping Enable: Off
    Return/Enter accepts * Tab toggles * ESC cancels.
Toggle Ping Enable to On and press Return. The Ping settings options appear.
Chapter 3 System Configuration
This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s system configuration.
System Configuration Features
The Netopia Router’s default settings may be all you need to configure.
The System Configuration menu screen appears:
    System Configuration
      IP Setup...
      Filter Sets...
      IP Address Serving...
      Network Address Translation (NAT)...
      Stateful Inspection...
      VLAN Configuration...
      Date and Time...
      Wireless Configuration...
      Console Configuration
      SNMP (Simple Network Management Protocol)...
      Security...
      Upgrade Feature Set...
      Router/Bridge Set...
      Router IGMP (Internet Group Management Protocol)...
      Logging...
    Use this screen if you want options beyond Easy Setup.
Stateful Inspection
Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. Stateful inspection can be enabled on a Connection Profile whether NAT is enabled or not. You can configure UDP and TCP “no-activity” periods, which also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway.
Add Exposed Address List
You can specify the IP addresses you want to expose by selecting Add Exposed Address List from the Stateful Inspection menu and pressing Return.
    Stateful Inspection
      UDP no-activity timeout (sec): 180
      TCP no-activity timeout (sec): 14400
      Add Exposed Address List...
      Exposed Address Associations...
    Return/Enter goes to new screen.
    Return/Enter to configure Xposed IP addresses.
The Add Exposed Address List screen appears.
    Add Exposed Address List
      Exposed Address List Name: xposed_list_1
      Add Exposed Address Range...
    Return/Enter goes to new screen.
Select Add Exposed Address Range and press Return. The Exposed Address Range screen appears.
    Add Exposed Address Range ("xposed_list_1")
      First Exposed Address: 0.0.0.0
      Last Exposed Address: 0.0.0.0
      Protocol... ANY
      ADD EXPOSED ADDRESS RANGE   CANCEL
    Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
The pop-up Protocol menu offers the type of protocols to be assigned to this range.
    Add Exposed Address Range ("xposed_list_1")
      First Exposed Address: 192.168.1.10
      Last Exposed Address:
      Protocol...   +-------------+
                    | TCP and UDP |
                    | TCP         |
                    | UDP         |
                    | ANY         |
                    +-------------+
      ADD EXPOSED ADDRESS RANGE   CANCEL
    Add Exposed Address Range ("xposed_list_1")
      First Exposed Address: 192.168.1.10
      Last Exposed Address: 192.168.1.12
      Protocol...
You can edit or delete exposed address lists by selecting Show/Change Exposed Address List or Delete Exposed Address List. A list of previously configured exposed addresses appears. This allows you to select an exposed address list for editing or deletion.
    Add Exposed Address List
      +------Exposed Address Range---------Protocol-------------------+
      | 192.168.1.10 192.168.1.
Exposed Address Associations
Enable and configure stateful inspection on a WAN interface.
    IP Profile Parameters
      Address Translation Enabled: Yes
      IP Addressing... Numbered
      NAT Map List... Easy-PAT List
      NAT Server List... Easy-Servers
      NAT Options...
      Stateful Inspection Enabled: No
      Local WAN IP Address: 0.0.0.0
      Local WAN IP Mask: 0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...
    Return/Enter to select ...
Select Stateful Inspection Options and press Return. The Stateful Inspection Parameters screen appears.
    Stateful Inspection Parameters
      Max. TCP Sequence Number Difference: 0
      Enable default mapping to router: No
      Deny Fragmented Packets: No
      Exposed Address List...
    Enter max. allowed TCP sequence number difference (1 - 65535), 0 to disable.
• Max. TCP Sequence Number Difference: Enter a value in this field.
    Stateful Inspection Parameters
      Max. TCP Sequence Number Difference: 0
      Enable default mapping to router: No
      Deny Fragmented Packets: No
      Exposed Address List...   +Exposed Address List Name+
                                | xposed_list_1           |
                                +-------------------------+
    Up/Down Arrows to select, then Return/Enter; ESC to cancel.
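To show how the parameters on these screens interact, here is an added Python model of the inspection decision; it is an illustration written for this edition, not Netopia's implementation. Outbound LAN traffic opens a session entry, an inbound packet is admitted only if it matches a live session that has not exceeded the UDP (180 s) or TCP (14400 s) no-activity timeout or if its destination falls inside an exposed address range with a matching protocol, fragments are dropped when Deny Fragmented Packets is set, and the TCP sequence number difference is checked against the configured maximum. The exposed range is the guide's own 192.168.1.10 to 192.168.1.12 example; the sample packets, the verdict strings, and the reading of the sequence-number check as "the peer's sequence number may not jump more than the limit between consecutive packets" are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Defaults shown on the guide's Stateful Inspection screen.
UDP_NO_ACTIVITY_TIMEOUT = 180
TCP_NO_ACTIVITY_TIMEOUT = 14400


@dataclass(frozen=True)
class ExposedRange:
    """One Add Exposed Address Range entry: first/last address plus the Protocol pop-up choice."""
    first: str
    last: str
    protocol: str = "ANY"   # "ANY", "TCP", "UDP" or "TCP and UDP"

    def covers(self, addr: str, proto: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        lo, hi = int(ipaddress.IPv4Address(self.first)), int(ipaddress.IPv4Address(self.last))
        if not lo <= a <= hi:
            return False
        if self.protocol == "ANY":
            return True
        if self.protocol == "TCP and UDP":
            return proto in ("TCP", "UDP")
        return proto == self.protocol


@dataclass
class StatefulInspector:
    exposed: list = field(default_factory=list)
    deny_fragments: bool = False     # "Deny Fragmented Packets"
    max_seq_diff: int = 0            # "Max. TCP Sequence Number Difference"; 0 disables the check
    sessions: dict = field(default_factory=dict)   # (proto, lan_ip, lan_port, wan_ip, wan_port) -> state

    def outbound(self, proto, lan_ip, lan_port, wan_ip, wan_port, now):
        """A LAN-originated packet opens or refreshes a session; outbound traffic is not blocked here."""
        key = (proto, lan_ip, lan_port, wan_ip, wan_port)
        state = self.sessions.setdefault(key, {"last_seen": now, "peer_seq": None})
        state["last_seen"] = now
        return "ALLOW: outbound"

    def inbound(self, proto, wan_ip, wan_port, lan_ip, lan_port, now, seq=0, fragment=False):
        if fragment and self.deny_fragments:
            return "DROP: fragment"
        key = (proto, lan_ip, lan_port, wan_ip, wan_port)
        state = self.sessions.get(key)
        if state is not None:
            timeout = TCP_NO_ACTIVITY_TIMEOUT if proto == "TCP" else UDP_NO_ACTIVITY_TIMEOUT
            if now - state["last_seen"] > timeout:
                del self.sessions[key]          # idle too long: treated as unsolicited again
            else:
                # Simplified reading of the sequence-number check (assumption, see lead-in).
                if proto == "TCP" and self.max_seq_diff:
                    if state["peer_seq"] is not None and abs(seq - state["peer_seq"]) > self.max_seq_diff:
                        return "DROP: sequence"
                    state["peer_seq"] = seq
                state["last_seen"] = now
                return "ALLOW: session"
        if any(r.covers(lan_ip, proto) for r in self.exposed):
            return "ALLOW: exposed"
        return "DROP: unsolicited"


def run_demo():
    """Constructed traffic (not from the guide) exercising each decision path; returns the verdicts in order."""
    insp = StatefulInspector(exposed=[ExposedRange("192.168.1.10", "192.168.1.12", "ANY")],
                             deny_fragments=True, max_seq_diff=1000)
    verdicts = []
    insp.outbound("UDP", "192.168.1.50", 53000, "198.51.100.5", 53, now=1000)                      # DNS query out
    verdicts.append(insp.inbound("UDP", "198.51.100.5", 53, "192.168.1.50", 53000, now=1100))      # reply within 180 s
    verdicts.append(insp.inbound("UDP", "198.51.100.5", 53, "192.168.1.50", 53000, now=1300))      # 200 s idle: expired
    verdicts.append(insp.inbound("TCP", "203.0.113.9", 40000, "192.168.1.11", 80, now=1300))       # exposed host
    verdicts.append(insp.inbound("TCP", "203.0.113.9", 40000, "192.168.1.13", 80, now=1300))       # outside the range
    verdicts.append(insp.inbound("TCP", "203.0.113.9", 40000, "192.168.1.11", 80, now=1300, fragment=True))
    insp.outbound("TCP", "192.168.1.50", 50000, "203.0.113.9", 443, now=2000)
    verdicts.append(insp.inbound("TCP", "203.0.113.9", 443, "192.168.1.50", 50000, now=2001, seq=100000))
    verdicts.append(insp.inbound("TCP", "203.0.113.9", 443, "192.168.1.50", 50000, now=2002, seq=100500))
    verdicts.append(insp.inbound("TCP", "203.0.113.9", 443, "192.168.1.50", 50000, now=2003, seq=200000))
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

Note that an exposed range admits unsolicited traffic to every address it covers for the chosen protocol, so the range should be as narrow as the hosts that actually need it.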
VLAN Configuration
A Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. You set up VLANs by configuring the Router software rather than hardware, which makes VLANs very flexible. VLANs behave like separate and independent networks. Beginning with Firmware Version 8.6.
The Add VLAN selection appears.
    VLAN Configuration
      VLAN Enable: On
      Add VLAN...
      Authentication Server Configuration...
    Return/Enter to select ...
    Set Up VLAN from this and the following Menus.
Select Add VLAN and press Return. The Add VLAN screen appears.
    Add VLAN...
      VLAN ID (0-4094):
      VLAN Type...
      VLAN Name:
      VLAN Network:
      802.
• VLAN Type – Beginning with Firmware Version 8.6.1, LAN or WAN Port(s) can be enabled on the VLAN. See “Adding Port interfaces” on page 3-16 for more information. You can choose a type designation as follows:
  port-based: The ports set up on VLANs for this switch will insert a default VLAN identifier (VID) into any non-802.1q-tagged Ethernet packet received, and they will strip out any 802.1q header within a packet transmitted through the port with a VID matching the VLAN's VID.
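The port-based behaviour just described, insert a default VID into untagged frames on ingress and strip the 802.1q header on egress when its VID matches the port's VID, is shown below as an added Python example that operates on raw Ethernet frame bytes. It is written for this edition of the guide and is not Netopia firmware code; the sample frame, its locally administered MAC addresses and the VID values are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_tag(frame: bytes):
    """Return (pcp, vid) of a tagged frame, or None when the frame carries no 802.1Q header."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, tci & 0x0FFF   # 3 priority (802.1p) bits, 12 VID bits


def ingress(frame: bytes, default_vid: int, pcp: int = 0) -> bytes:
    """Port-based ingress: an untagged frame gets the port's default VID inserted; tagged frames pass unchanged."""
    if parse_tag(frame) is not None:
        return frame
    if not 1 <= default_vid <= 4094:          # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | (default_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def egress(frame: bytes, port_vid: int) -> bytes:
    """Port-based egress: strip the 802.1Q header when its VID matches the port's VID; otherwise leave it."""
    tag = parse_tag(frame)
    if tag is None or tag[1] != port_vid:
        return frame
    return frame[:12] + frame[16:]


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frame (not from the guide): locally administered MACs, truncated IPv4 header as payload.
SAMPLE_FRAME = build_untagged(bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b"),
                              ETHERTYPE_IPV4, bytes.fromhex("4500001400000000"))

if __name__ == "__main__":
    tagged = ingress(SAMPLE_FRAME, default_vid=10)
    print(parse_tag(tagged), egress(tagged, 10) == SAMPLE_FRAME)
```

The same parse_tag helper exposes the three 802.1p priority bits that the TOS-Priority and IPTOS-Promote port options later in this chapter act on.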
Caution! If you enable 802.1x for a VLAN that includes a wireless SSID, you must access the Wireless LAN Configuration menu and set Enable Privacy to WPA-802.1x as well. See “Enable Privacy” on page 3-26. If multiple SSIDs are split across several VLANs, the VLANs must either:
• all have 802.1x enabled with WPA-802.1x enabled in Wireless Privacy, or
• have the VLANs set to 802.1x disabled and Wireless Privacy set to some other privacy setting.
The Add Server Profile screen appears.
    Add Server Profile
      Profile Name: Authentication Profile 1
      Remote Server Addr/Name:
      Remote Server Secret:
      Alt Remote Server Addr/Name:
      Alt Remote Server Secret:
      RADIUS Identifier:
      RADIUS Server Authentication Port: 1812
      ADD PROFILE   CANCEL
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
    Configure a new RADIUS or TACACS profile.
Adding Port interfaces
Once you have created a VLAN entry, you must associate it with a port interface. This interface may be either a physical port, such as USB or Ethernet, or a Network ID (SSID) of a wireless LAN. If you have a Netopia Router model that offers Netopia’s VGx technology, you can also associate a VLAN with each of the physical Ethernet managed switch ports.
    Display/Change VLAN...
      VLAN ID (1-4094): 10
      VLAN Type... global
      VLAN Name: Network A
      VLAN Network: Primary LAN
      802.1x: No
      Add Port Interface...
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
Select Add Port Interface and press Return. The Add Port Interface screen appears.
• TOS-Priority – Use any 802.1p priority bits in the VLAN header to prioritize packets within the Gateway’s internal queues, according to DiffServ priority mapping rules. See “Diffserv Options” on page 2-22 for more information.
• IPTOS-Promote – Write any 802.1p priority bits into the IP-TOS header bit field for received IP packets on this port destined for this VLAN. Write any IP-TOS priority bits into the 802.
    Authentication Server Configuration
      Display/Change Server Profile...   +----------Profile Name-----------+
      Add Server Profile...              | ATE1 V1                         |
      Delete Server Profile...           +---------------------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
If you are deleting a profile, you will be asked to confirm that you want to delete the profile you have selected.
Configuring additional Authentication Servers
You can configure additional (or your first) Authentication Server from the main VLAN Configuration screen.
    VLAN Configuration
      Display/Change VLAN...
      Add VLAN...
      Delete VLAN...
      Authentication Server Configuration...
    Set Up VLAN from this and the following Menus.
Select Authentication Server Configuration and press Return.
    Authentication Server Configuration
      Display/Change Server Profile...
      Add Server Profile...
      Delete Server Profile.
The Add Server Profile screen appears.
    Add Server Profile
      Profile Name: Authentication Profile 2
      Remote Server Addr/Name:
      Remote Server Secret:
      Alt Remote Server Addr/Name:
      Alt Remote Server Secret:
      RADIUS Identifier:
      RADIUS Server Authentication Port: 1812
      ADD PROFILE   CANCEL
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
    Configure a new RADIUS or TACACS profile.
Date and time
You can set the system’s date and time parameters in the Set Date and Time screen. Date and Time parameters govern the reporting of system events. These events are recorded in the system logs. Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears. By default, Network Time Protocol (NTP) is enabled, allowing your Router to obtain Date and Time information periodically over the Internet.
5. Select a System Date Format; the options are MM/DD/YY, DD/MM/YY, and YY/MM/DD, where M is month, D is day, and Y is year.
6. Select a System Time Format, either AM/PM or 24hrs.
7. Press Escape to return to the System Configuration menu.
Note: NTP can be blocked by some firewall configurations. To ensure that this feature works, create a filter set rule that allows UDP port 123.
• Block Wireless Bridging: Toggle this setting to Yes to block wireless clients from communicating with other wireless clients on the LAN side of the Gateway.
• Channel: (1 through 11) on which the network will broadcast. This is a frequency range within the 2.4 GHz band. Channel selection depends on government-regulated radio frequencies that vary from region to region. The widest range available is from 1 to 14. However, in North America only 1 to 11 may be selected.
Note: Enabling Closed System Mode on your wireless Gateway provides another level of security, since your wireless LAN will no longer appear as an available access point to client PCs that are casually scanning for one. Your own wireless network clients, however, must log into the wireless LAN by using the exact SSID of the Netopia Gateway.
    Wireless LAN Configuration
      Enable Wireless: Yes
      SSID: 0271 1000
      Block Wireless Bridging: No
      Channel... 6
      AutoChannel...
      Closed System...
      Wireless Multimedia (WMM)...   +------------+
                                     | Off        |
                                     | diffserv   |
                                     +------------+
      Enable Privacy...
      Wireless Multiple SSID Setup...
      MAC Address Authentication...
To enable the Wireless Multimedia custom settings, select diffserv from the pull-down menu.
Enable Privacy
By default, Enable Privacy is set to Off.
The Pre Shared Key field becomes visible to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters, but for best security it should be at least 20 characters. Clients wishing to connect must also be configured to use WPA with this same key.
    Wireless LAN Configuration
      Enable Wireless:
      SSID:
      Block Wireless Bridging:
      Channel...
      AutoChannel...
      Closed System...
      Enable Privacy...
• WPA Version: If you select either WPA-802.1x or WPA-PSK as your privacy setting, the WPA Version pop-up menu allows you to select the WPA version(s) that will be required for client connections. Choices are:
  • All, for maximum interoperability,
  • WPA Version 1, for backward compatibility,
  • WPA Version 2, for maximum security.
  All clients must support the version(s) selected in order to successfully connect.
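The Pre Shared Key rules above (8 to 63 characters accepted, at least 20 recommended, and the client must hold the same key) are illustrated by the following added Python example; it is not Netopia code. It enforces the length rule and then derives the 256-bit pairwise master key the way WPA-PSK does in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations), which is background the guide itself does not describe. The "weak"/"ok"/"invalid" labels and the client_can_join helper are constructed for the example; the "password"/"IEEE" pair used in the test is a published 802.11i test vector.

```python
import hashlib
import hmac


def check_passphrase(passphrase: str) -> str:
    """Apply the guide's rule: 8 to 63 characters are accepted, at least 20 are recommended."""
    n = len(passphrase)
    if not 8 <= n <= 63:
        return "invalid"
    if n < 20:
        return "weak"
    return "ok"


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK mapping from IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    if check_passphrase(passphrase) == "invalid":
        raise ValueError("passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def client_can_join(ap_passphrase: str, ap_ssid: str, client_passphrase: str, client_ssid: str) -> bool:
    """Both sides must derive the identical PSK; the SSID is part of the derivation, so it must match too.
    hmac.compare_digest is used so the comparison does not leak timing information."""
    try:
        return hmac.compare_digest(derive_psk(ap_passphrase, ap_ssid),
                                   derive_psk(client_passphrase, client_ssid))
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_passphrase("password"), derive_psk("password", "IEEE").hex())
```

Because the SSID salts the derivation, renaming the network changes the PSK on the access point; clients with a cached key for the old SSID will stop matching even though the passphrase itself is unchanged.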
    Wireless LAN Configuration
      Enable Wireless: Yes
      SSID: 0271 1000
      Block Wireless Bridging: No
      Channel... 6
      AutoChannel... Off
      Closed System... Open
      Enable Privacy... WEP - Automatic
      Default Key... 1
      Passphrase: Well I stand up next to a mountain,
      Key 1 (40b): 5ad06701b4
      Key 2 (40b): 80a6ab7474
      Key 3 (40b): 9ea5a25101
      Key 4 (40b): 1d8979e024
      Wireless Multiple SSID Setup...
      MAC Address Authentication...
You select a single key for encryption of outbound traffic.
needs to be done once. Avoid the temptation to enter all the same characters.
    Wireless LAN Configuration
      Enable Wireless: Yes
      SSID: 4405 2605
      Channel... 6
      Closed System... Open
      Enable WEP... On - Manual
      Default Key...
      Key
      Key
      Key
      Key
    Multiple SSID Configuration
      Enable Multiple SSIDs: No
      Second SSID: 0000 0000
        Enable Privacy... Off
      Third SSID: 0000 0000
        Enable Privacy... Off
      Fourth SSID: 0000 0000
        Enable Privacy... Off
    Configure additional wireless SSIDs that clients can associate with.
Toggle Enable Multiple SSIDs to Yes, and enter names or other identifiers for up to three additional SSIDs you want to create.
    Multiple SSID Configuration
      Enable Multiple SSIDs:
      Second SSID:
        Enable Privacy...
    Multiple SSID Configuration
      Enable Multiple SSIDs: On
      Second SSID: GameRoom
        Enable Privacy...
        WPA Version...   +---------------------------+
                         | All                       |
                         | WPA Version 1             |
                         | WPA Version 2             |
                         +---------------------------+
        Key:
      Third SSID: 0000 0000
        Enable Privacy... Off
      Fourth SSID:
        Enable Privacy...
You can also specify a WPA Version from the pop-up menu in the same way as for the primary SSID.
MAC Address Authentication
Enhanced in Firmware Version 8.5, MAC Address Authentication allows you to specify which client PCs are allowed to join the LAN by their hardware address. Once it is enabled, only entered MAC addresses that have been set to Allow will be accepted onto the LAN. Alternatively, you can prevent access by certain client PCs by specifying only those to be denied. To enable MAC Address Authentication, select MAC Address Authentication and press Return.
• Allow only specified addresses - limits access to only those addresses that you enter.
• Deny only specified addresses - prevents access from only those addresses that you enter.
If you want to apply MAC Authentication to addresses on the wired LAN as well as the wireless LAN, toggle Wireless Only to No.
Note: The Wireless Only option appears only on models equipped with a wireless interface.
Select Add MAC Address and press Return. The Add MAC Address screen appears.
The list is displayed as shown below.

    +-MAC Address -------------------- Permission ---------------------+
    | 00-0a-27-ae-71-a4               Allowed                          |
    | 00-0b-28-af-72-b5               Allowed                          |
    | 00-0c-29-bd-69-b3               Blocked                          |
    +------------------------------------------------------------------+

Select an address to modify.
Follow these steps to change a parameter's value:

1. Select 57600, 38400, 19200, or 9600.

    Console Configuration
      Baud Rate...             +-------+
      Hardware Flow Control:   | 57600 |
                               | 38400 |
      SET CONFIG NOW           | 19200 |
      CANCEL                   |  9600 |
                               +-------+

2. Select SET CONFIG NOW to save the new parameter settings. Select CANCEL to leave the parameter unchanged and exit the Console Configuration screen.
Router/Bridge Set

For Netopia DSL Routers, this feature allows you to turn off the routing features and use your device as a bridge. It is not an option for Ethernet WAN models. Netopia Firmware Version 8.7 further allows you to have the Router both bridge and route IP traffic. If you select either option, the device restarts itself and resets all settings to factory defaults. Any configuration you have made will be erased. Use this feature with caution.
If you chose CONTINUE, the device reboots and restarts in the selected mode. Routing features are disabled or changed, and the corresponding Telnet menu configuration items, such as Easy Setup, are removed.

Example of Bridge-only mode menus:

    Netopia Router
      WAN Configuration...
      System Configuration...
      Utilities & Diagnostics...
      Statistics & Logs...
      Quick View...

If you decide to return to the previous mode, you can repeat the process.
IGMP (Internet Group Management Protocol)

Multicasting is a method for transmitting large amounts of information to many, but not all, computers over an IP network. One common use is to distribute real-time voice, video, and data services to the set of computers that have joined a distributed conference. Other uses include updating the address books of mobile computer users in the field or sending out company newsletters to a distribution list.
  • IGMP Snooping – toggling this option to On enables the Netopia Router to "listen in" to IGMP traffic. The Router discovers multicast group membership for the purpose of restricting multicast transmissions to only those ports which have requested them. This helps to reduce overall network traffic from streaming media and other bandwidth-intensive IP multicast applications.
  • Robustness – the IGMP robustness variable, which tunes the protocol for the expected packet loss on the network. A higher value tolerates more lost queries and reports before a membership is timed out, at the cost of slower detection when the last member leaves a group.
The IGMP V2/V3 Settings screen appears.

    IGMP V2/V3 Settings
      Last Member Query Interval(deci-sec):   10
      Last Member Query Count:                2
      Fast Leave:                             Off

    Amount of time in deci-seconds that the IGMP router waits to receive a response

You can configure the following parameters:

  • Last Member Query Interval (deci-sec) – the amount of time in tenths of a second that the IGMP router waits to receive a response to a Group-Specific Query message.
Logging

You can configure a UNIX-compatible (BSD syslog protocol, RFC 3164) syslog client to report a number of subsets of the events entered in the Router's WAN Event History. See "WAN Event History" on page 9-4.

Select Logging from the System Configuration menu. The Logging Configuration screen appears.
You will need to run a syslog daemon (the receiving server) on your PC and configure it to accept the WAN events you selected in the Logging Configuration screen. RFC 3164 syslog runs over UDP without authentication or encryption, so the collector should sit on a trusted network segment. The following screen shows a sample syslog dump of WAN events:

    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.
    2. attempt
    3. administrative access authenticated and allowed
    4. administrative access allowed
    5. dropped - violation of security policy
    6. dropped - invalid checksum
    7. dropped - invalid data length
    8. dropped - fragmented packet
    9. dropped - cannot fragment
    10. dropped - no route found
    11. dropped - possible land attack
    12. dropped - reassembly timeout
    13. dropped - illegal size
    14. dropped - invalid IP version
    15. TCP SYN flood detected
    16.
The following syslog messages may be generated by the router if WAN Event Log Options are enabled:

    1. Device Restarted
    2. EN: IP up, WAN 1, gateway: local:
    3. Received NTP Date and Time [mon][dd][hh][mm][ss][year]
    4. NTP configuration has been changed
    5. System Date/Time configuration changed
    6. PPP: IPCP negotiated, session [sessionID], rem: [IP Address] local: [IP Address]
    7. RFC1483-[ID]: IP up, gateway: [IP Address] local: [IP Address]
    8.
    33. PPPOE: PADS Received
    34. PPPOE: PADT Received
    35. PPPOE: PADT Sent
    36. PPPOE: Discovery state started profile [Profile Name]
    37. PPPOE: Session state started profile [Profile Name]
    38. PPPoE: Auth. Failed with Server: [Server]
    39. PPTP: IP up, rem: [IP Address], via: [IP Address] tunnel id: [ID]
    40. PPTP: IP down, rem: [IP Address] tunnel id: [ID]
    41. IPsec: VPN installed: profile: [Name], spi: [SPI], rem sg: [IP Address]
    42. IPsec: VPN fail: profile: [Name]
    43.
    66. IKE: phase 1 auth failure sg [IP Address] profile [Name], sg [IP Address] code [code]
    67. IKE: phase 1 resend timeout sg [IP Address] profile [Name], sg [IP Address]
    68. IKE: phase 1 complete sg [IP Address] profile [Name], sg [IP Address]
    69. IKE: phase 2 hash failure sg [IP Address] profile [Name] sg [IP Address]
    70. IKE: no matching ph2 proposal sg [IP Address] profile [Name] sg [IP Address]
    71. IKE: ph2 resend timeout sg [IP Address] profile [Name], sg [IP Address]
    72.
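The WAN event messages listed above are what a collector actually receives from the Router, so the useful next step is to triage them rather than read them by hand. The following Python script is an added example written for this guide's message texts; it is not Netopia code. It parses RFC 3164 lines, classifies each message into a few security-relevant buckets (attack signatures, policy drops, malformed packets, authentication failures, administrative access, VPN state changes) and flags any IKE security gateway that fails phase 1 authentication repeatedly. The sample lines are constructed; the wording after "sg" follows the placeholders in the list above and the exact layout of a real message is an assumption.

```python
"""Triage Netopia WAN-event syslog lines.

Added example; this is not code from the Netopia guide.  The message texts
matched below are taken from the event lists in this chapter.  The RFC 3164
line layout is standard, but the sample lines are constructed and the field
layout after "sg" in a real IKE message is an assumption.
"""
import re
from collections import Counter

_SYSLOG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                            # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"   # Mmm dd hh:mm:ss
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)

# (category, pattern) pairs; the first match wins.  Texts come from the guide's lists.
RULES = [
    ("attack",      re.compile(r"dropped - possible land attack|TCP SYN flood detected")),
    ("policy_drop", re.compile(r"dropped - violation of security policy")),
    ("malformed",   re.compile(r"dropped - (invalid|illegal|fragmented|cannot fragment|reassembly)")),
    ("auth_fail",   re.compile(r"IKE: phase 1 auth failure|IKE: phase 2 hash failure|PPPoE: Auth\. Failed")),
    ("admin",       re.compile(r"administrative access")),
    ("vpn_state",   re.compile(r"IPsec: VPN (installed|fail)|IKE: phase [12] complete|PPTP: IP (up|down)")),
]

_SG = re.compile(r"\bsg (\d{1,3}(?:\.\d{1,3}){3})")   # first "sg <ip>" in an IKE message (assumed layout)


def parse_line(line):
    """Return {'pri','ts','host','msg'} or None if the line is not RFC 3164 shaped."""
    m = _SYSLOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"]) if rec["pri"] is not None else None
    return rec


def classify(msg):
    """Map a message body to a category name, 'other' if no rule matches."""
    for category, pattern in RULES:
        if pattern.search(msg):
            return category
    return "other"


def summarize(lines):
    """Count messages per category; lines that do not parse are counted as 'unparsed'."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        counts[classify(rec["msg"]) if rec else "unparsed"] += 1
    return counts


def repeated_ike_auth_failures(lines, threshold=3):
    """Security gateways ('sg' address) with at least `threshold` phase 1 auth failures."""
    per_sg = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and "IKE: phase 1 auth failure" in rec["msg"]:
            m = _SG.search(rec["msg"])
            if m:
                per_sg[m.group(1)] += 1
    return {sg: n for sg, n in per_sg.items() if n >= threshold}


# Constructed sample input; the hostname is the one in the guide's sample dump.
SAMPLE = """\
<134>May  5 10:14:06 tsnext.netopia.com dropped - violation of security policy
<134>May  5 10:14:06 tsnext.netopia.com dropped - possible land attack
<134>May  5 10:14:07 tsnext.netopia.com TCP SYN flood detected
<134>May  5 10:14:09 tsnext.netopia.com IKE: phase 1 auth failure sg 203.0.113.7 profile HQ, sg 203.0.113.7 code 24
<134>May  5 10:14:12 tsnext.netopia.com IKE: phase 1 auth failure sg 203.0.113.7 profile HQ, sg 203.0.113.7 code 24
<134>May  5 10:14:15 tsnext.netopia.com IKE: phase 1 auth failure sg 203.0.113.7 profile HQ, sg 203.0.113.7 code 24
<134>May  5 10:14:20 tsnext.netopia.com IKE: phase 1 complete sg 198.51.100.9 profile Branch, sg 198.51.100.9
<134>May  5 10:14:21 tsnext.netopia.com administrative access authenticated and allowed
May  5 10:14:30 tsnext.netopia.com Device Restarted
this line is not syslog
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print(dict(summarize(lines)))
    print(repeated_ike_auth_failures(lines))
```

Run against the constructed sample, the summary shows two attack signatures, three authentication failures and one unparseable line, and the gateway 203.0.113.7 is reported for its three consecutive phase 1 failures. Feed the same functions a file tailed from the syslog daemon to use it on live events.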
Procedure for Default Installation for ICSA firewall certification of Small/Medium Business Category Module (ADSL Routers)

Note: The following installation procedure outlines the steps needed to enable the features required to comply with ICSA firewall certification. For more information, see the following URLs:

    http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/4.1/baseline.pdf
    http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/4.1/smb.
Setting up an encrypted communication channel (PPTP with MS-CHAP/MPPE)

(See "Virtual Private Networks (VPNs)" on page 5-1 for more information.)

1. From the Main Menu, go to Quick Menus...
2. Select ATMP/PPTP Default Profile
3. Set Answer ATMP/PPTP Connections: to Yes
4. Under PPTP Configuration Options set Receive Authentication... to MS-CHAP
5. Escape once back to Quick Menus
6. Scroll up to Add Connection Profiles and press Enter
7.
Set up NTP

(See "Date and time" on page 3-22 for more information.)

1. NTP is enabled by default.
2. To change NTP settings, go to System Configuration and select Date and Time...
3. Set Date and Time parameters, if desired:
   a. NTP Enabled can be set to On/Off
   b. Time Server 1 Host Name/IP Address and Time Server 2 Host Name/IP Address point to the primary and secondary time servers respectively.
   c. Time Zone... can be changed (defaults to Pacific Standard Time)
   d.
2. Go to WAN Configuration...
3. Select Display/Change Connection Profile...
4. Select Easy Setup Profile (if available) or the desired Connection Profile you have created.
5. Go to IP Profile Parameters
6. Under IP Profile Parameters, set Stateful Inspection Enabled to Yes
7. Select Stateful Inspection Options...
   a. Under Stateful Inspection Parameters, configure Max. TCP Sequence Number Difference, if desired.
   b. Set Enable default mapping to router to No
   c.
Chapter 4 Multiple Network Address Translation

Netopia Firmware Version 8.7 offers advanced Multiple Network Address Translation functionality. You should read this chapter completely before attempting to configure any of the advanced NAT features.
Features

MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on a per-Connection Profile basis. The following is a general description of these features:

Port Address Translation

The simplest form of classic Network Address Translation is PAT (Port Address Translation). PAT allows a group of computers on a LAN, such as might be found in a home or small office, to share a single Internet connection using one IP address.
Dynamic mapping

Dynamic mapping, often referred to as many-to-few, extends the advantages of static mapping. Instead of requiring a one-to-one association of public addresses and private addresses, as static mapping does, dynamic mapping draws on a pool of public IP addresses and allocates a mapping on demand to each private host that is communicating with the public network.
[Figure: dynamic NAT example. WAN network public addresses 172.16.1.25 through 172.16.1.29, labelled "Available for Dynamic NAT" and "Used for Normal NAT"; LAN network private addresses 192.168.1.3 through 192.168.1.16.]
Complex maps

Map lists and server lists are completely independent of each other. A Connection Profile can use one or the other or both. MultiNAT allows complex mapping and requires more complex configuration than in earlier firmware versions. Multiple mapped interior subnets are supported, and the rules for mapping each of the subnets may be different. The figure below illustrates a possible MultiNAT configuration.

[Figure: MultiNAT configuration example using public addresses 206.1.1.1 through 206.1.1.4 and further 206.1.1.x addresses mapped to interior subnets.]
Support for Yahoo Messenger

Netopia Firmware Version 8.7 provides Application Level Gateway (ALG) support for Yahoo Messenger. This allows Yahoo Messenger users to exchange files even when both users are behind NAT. Previously, the file transfer function worked only if at most one of the two users was behind NAT. Currently there is a restriction that the remote user must be reached via the WAN interface; otherwise the connections will fail.
The two map lists, Easy-PAT List and Easy-Servers, are created by default and the NAT configuration becomes effective. This maps all of your private addresses (0.0.0.0 through 255.255.255.255) to your public address. These map lists are bound to the Easy Setup Profile. See "Binding Map Lists and Server Lists" on page 4-22. This is all you need to do if you want to continue to use a single PAT, or 1-to-many, NAT configuration.
    System Configuration
      IP Setup...
      Filter Sets...
      IP Address Serving...
      Network Address Translation (NAT)...
      Stateful Inspection...
      VLAN Configuration...
      Date and Time...
      Wireless Configuration...
      Console Configuration
      SNMP (Simple Network Management Protocol)...
      Security...
      Upgrade Feature Set...
      Router/Bridge Set...                          Router
      IGMP (Internet Group Management Protocol)...
      Logging...

    Use this screen if you want options beyond Easy Setup.
NAT rules

The following rules apply to assigning NAT ranges and server lists:

  • Static public address ranges must not overlap other static or PAT public addresses, or the public address assigned to the Router's WAN interface.
  • A PAT public address must not overlap any static address range. It may be the same as another PAT address or a server list address, but in that case the port ranges must not overlap.
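These rules are easy to violate once several public ranges and server lists exist, because the overlap checks cross between static ranges, PAT addresses, server-list ports and the WAN address, and the menus accept each entry on its own. The Python below is an added example, not part of the Netopia firmware or of this guide, that applies the rules to a whole plan before it is typed into the menus. The plan format (dicts for public ranges and server-list entries, with an assumed port range on each PAT address) and the sample plan built around the guide's 206.1.1.x addresses are constructed for the example.

```python
"""Check a MultiNAT plan against the NAT rules stated in this chapter.

Added example; not Netopia code.  The plan format (dicts for public ranges
and server-list entries, with a port range on PAT ranges) is an assumption
made for the example, and the sample plan is constructed around the
206.1.1.x addresses used in the guide.
"""
from ipaddress import IPv4Address


def _ip(text):
    return int(IPv4Address(text))


def _spans_overlap(a_first, a_last, b_first, b_last):
    """True when two inclusive integer spans share at least one value."""
    return a_first <= b_last and b_first <= a_last


def _prepare(ranges):
    """Resolve dotted addresses to integers and fill defaults (single address, all ports)."""
    out = []
    for r in ranges:
        first = _ip(r["first"])
        last = _ip(r.get("last", r["first"]))
        out.append({"name": r["name"], "type": r["type"], "first": first,
                    "last": last, "ports": tuple(r.get("ports", (1, 65535)))})
    return out


def validate_nat_plan(wan_ip, ranges, servers):
    """Return a list of rule violations; an empty list means the plan is consistent.

    ranges : [{"name", "type": "static"|"pat", "first", "last"?, "ports"?}]
    servers: [{"name", "public", "ports": (first, last)}]
    """
    errors = []
    wan = _ip(wan_ip)
    rs = _prepare(ranges)
    for i, a in enumerate(rs):
        if a["first"] > a["last"]:
            errors.append(f"{a['name']}: first address is after last address")
            continue
        if a["type"] == "static":
            # Rule 1: static ranges may not overlap other static/PAT addresses or the WAN address.
            if a["first"] <= wan <= a["last"]:
                errors.append(f"{a['name']}: static range includes the WAN interface address {wan_ip}")
            for b in rs[i + 1:]:
                if _spans_overlap(a["first"], a["last"], b["first"], b["last"]):
                    errors.append(f"{a['name']}: static range overlaps {b['type']} range {b['name']}")
        else:
            for b in rs[i + 1:]:
                if not _spans_overlap(a["first"], a["last"], b["first"], b["last"]):
                    continue
                if b["type"] == "static":
                    # Rule 2: a PAT address may not fall inside a static range.
                    errors.append(f"{a['name']}: PAT address overlaps static range {b['name']}")
                elif _spans_overlap(*a["ports"], *b["ports"]):
                    # Rule 2: two PAT ranges may share an address only with disjoint ports.
                    errors.append(f"{a['name']}: PAT port range overlaps PAT range {b['name']}")
    # Rule 2: a server-list address may equal a PAT address only if the ports do not overlap.
    for s in servers:
        pub = _ip(s["public"])
        for r in rs:
            if (r["type"] == "pat" and r["first"] <= pub <= r["last"]
                    and _spans_overlap(*r["ports"], *s["ports"])):
                errors.append(f"{s['name']}: exported ports {s['ports']} overlap PAT range {r['name']}")
    return errors


# Constructed sample plan using the guide's example addresses.
WAN_IP = "206.1.1.6"
GOOD_RANGES = [
    {"name": "my_second_range", "type": "static", "first": "206.1.1.1", "last": "206.1.1.2"},
    {"name": "Easy-PAT Range", "type": "pat", "first": "206.1.1.6", "ports": (1024, 65535)},
]
GOOD_SERVERS = [
    {"name": "web", "public": "206.1.1.6", "ports": (80, 80)},
    {"name": "smtp", "public": "206.1.1.6", "ports": (25, 25)},
]
# A broken plan: a static range that swallows the other static range, the PAT address and the WAN IP,
# plus a server export whose ports collide with the PAT port range.
BAD_RANGES = GOOD_RANGES + [
    {"name": "broken_static", "type": "static", "first": "206.1.1.2", "last": "206.1.1.6"},
]
BAD_SERVERS = GOOD_SERVERS + [
    {"name": "game", "public": "206.1.1.6", "ports": (2000, 2010)},
]

if __name__ == "__main__":
    print("good plan:", validate_nat_plan(WAN_IP, GOOD_RANGES, GOOD_SERVERS))
    for err in validate_nat_plan(WAN_IP, BAD_RANGES, BAD_SERVERS):
        print("bad plan:", err)
```

The good plan mirrors the example later in this chapter (a static range for 206.1.1.1 and 206.1.1.2 plus PAT on the WAN address 206.1.1.6) and passes; the broken plan produces four violations, one for each rule crossed.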
Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter the IP address at the end of the range.

  • Select ADD NAT PUBLIC RANGE and press Return. The range is added to your list and you are returned to the Network Address Translation screen.

Once the public ranges have been assigned, the next step is to bind interior addresses to them.
    Add NAT Map ("my_map")
      First Private Address:   192.168.1.1
      Last Private Address:    192.168.1.254
      Use NAT Public Range...

      ADD NAT MAP              CANCEL

  • Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
  • Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have defined.
  • The Add NAT Map screen now displays the range you have assigned.

    Add NAT Map ("my_map")
      First Private Address:           192.168.1.1
      Last Private Address:            192.168.1.254
      Use NAT Public Range...          my_first_range
      Public Range Type is:            pat
      Public Range Start Address is:   206.1.1.6

      ADD NAT MAP                      CANCEL

  • Select ADD NAT MAP and press Return. Your mapping is added to your map list.

Modifying map lists

You can make changes to an existing map list after you have created it.
The Show/Change NAT Map List screen appears.

    Show/Change NAT Map List
      Map List Name:   my_map
      Add Map...
      Show/Change Maps...
      Delete Map...

  • Add Map allows you to add a new map to the map list.
  • Show/Change Maps allows you to modify the individual maps within the list.
  • Delete Map allows you to delete a map from the list.

Selecting Show/Change Maps or Delete Map displays the same pop-up menu.
The Change NAT Map screen appears.

    Change NAT Map ("my_map")
      First Private Address:           192.168.1.253
      Last Private Address:            192.168.1.254
      Use NAT Public Range...          my_second_range
      Public Range Type is:            static
      Public Range Start Address is:   206.1.1.1
      Public Range End Address is:     206.1.1.2

      CHANGE NAT MAP                   CANCEL

Make any modifications you need and then select CHANGE NAT MAP and press Return.
Adding Server Lists

Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server's port accessible (and it isn't accessible through other means, such as a static mapping), you must create a server list.

Select Add Server List from the Network Address Translation screen. The Add NAT Server List screen appears.

    Add NAT Server List
      Server List Name:   my_servers
      Add Server...
    Add NAT Server ("my_servers")
      External Service...
      Server Private IP Address:   0.0.0.0
      Public IP Address:           0.0.0.0
      Protocol...                  TCP and UDP
      Internal Port Start:         0

      ADD NAT SERVER               CANCEL

    Return/Enter to select ...

  • Select External Service and press Return. A pop-up menu appears listing a selection of commonly exported services.

    Add NAT Server ("my_servers")
      External Service...          +-Type------Port(s)-------+
                                   +-------------------------+
    Other Exported Port
      First Port Number (1..65535):   31337
      Last Port Number (1..65535):    31337

      OK                              CANCEL

  • Enter the First and Last Port Number, between 1 and 65535.
  • Select OK and press Return. You are returned to the Add NAT Server screen.
  • Enter the Server Private IP Address of the server whose service you are exporting.
  • Choose the protocol from the pop-up menu: TCP and UDP, TCP only, or UDP only.

    Add NAT Server ("my_servers")
      External Service...
      Server Private IP Address:   192.168.1.45
      Public IP Address:           +-------------+
      Protocol...                  | TCP and UDP |
      Internal Port Start:         | TCP         |
                                   | UDP         |
      ADD NAT SERVER               +-------------+   CANCEL

  • Enter the Internal Port Start, if it differs from the port preselected by the External Service type list.
    Network Address Translation
      +-NAT Server List Name-+
      | my_servers           |
      |                      |
      +----------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

The Show/Change NAT Server List screen appears.

    Show/Change NAT Server List
      Server List Name:   my_servers
      Add Server...
      Show/Change Server...
      Delete Server...
    Show/Change NAT Server List
    +Private Address--Public Address---Port------------Protocol------+
    | 192.168.1.254   206.1.1.1        smtp            TCP and UDP   |
    | 192.168.1.254   206.1.1.2        ftp             TCP and UDP   |
    | 192.168.1.254   206.1.1.4        tftp            TCP           |
    | 192.168.1.254   206.1.1.3        gopher          TCP and UDP   |
    | 192.168.1.254   206.1.1.
A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.

    Show/Change NAT Server List
    +Private Address--Public Address---Port------------Protocol------+
    | 192.168.1.254   206.1.1.1        smtp            TCP and UDP   |
    | 192.168.+----------------------------------------------+ UDP   |
    | 192.168.|          (confirmation dialog box)           |       |
Binding Map Lists and Server Lists

Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile.
    IP Profile Parameters
      Address Trans+--NAT Map List Name---+s
      IP Addressing| Easy-PAT List        |mbered
      NAT Map List.| my_map               |sy-PAT List
      NAT Server Li| <>                   |sy-Servers
      NAT Options..|                      |
      Stateful Insp|                      |
      Local WAN IP |                      |0.0.0
      Local WAN IP |                      |0.0.0
      Remote IP Add|                      |7.0.0.2
      Remote IP Mas|                      |5.255.255.255
      Filter Set...+----------------------+
IP Parameters (WAN Default Profile)

Netopia Firmware Version 8.7, when using RFC 1483, supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile. The procedure is similar to the procedure for binding map lists and server lists to a Connection Profile. From the Main Menu go to the WAN Configuration screen, then the Default Profile screen. Select IP Parameters and press Return.
    IP Parameters (Default Profile)
                   +--NAT Map List Name---+
                   | Easy-PAT List        |
                   | my_map               |
      Address Trans| <>                   |s
      NAT Map List.|                      |
      NAT Server Li|                      |
      Filter Set (F|                      |
      Remove Filter|                      |
      Rip Options: |                      |th
                   +----------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

  • Select the map list you want to bind to the default profile and press Return.
NAT Associations

Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection, because map and server lists must be linked to a profile that controls the WAN interface. This can be a Connection Profile, a WAN Ethernet interface, a default profile, or a default answer profile. Once you have configured your map and server lists, you may want to reassign them to different interface-controlling profiles, for example, Connection Profiles.
    NAT Associations
    Profile/Interface Name-------------Nat--NAT Map List Name---Server List Name
    Easy Setup Profile                 On   Easy-PAT List       my_servers
    Profile 01                         On   my_first_map        my_servers
    Profile 02                         On   my_second_map       my_server_list
    Profile 03                         On   my_map              <>
    Profile 04                         On   <>                  <>
    Default Answer Profile             On                       my_servers
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

(On the screen, the NAT Map List Name column is presented as a pop-up list over the table.)
IP Passthrough

Netopia Firmware Version 8.7 offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the router's public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Using IP passthrough:

  • The public WAN IP is used to provide IP address translation for private LAN computers.
  • The public WAN IP is assigned and reused on a LAN computer.

Unsolicited inbound traffic for the public address that does not belong to a router session is delivered to the passthrough host, so that host should be protected by its own host firewall.
The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown.

    IP Profile Parameters
      Address Translation Enabled:   Yes
      IP Addressing...               Numbered
      NAT Map List...                Easy-PAT List
      NAT Server List...             Easy-Servers
      NAT Options...
      Stateful Inspection Enabled:   No
      Local WAN IP Address:          0.0.0.0
      Local WAN IP Mask:             0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...
    NAT Options
      IP Passthrough Enabled:            Yes
      IP Passthrough DHCP Enabled:       Yes
      IP Passthrough DHCP MAC address:   00-00-00-00-00-00

    Enter MAC addr. of IP passthrough host, or zeroes for first come first serve.

Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. In this editable field you enter the MAC (hardware) address of the designated PC, to be used as the DHCP Client Identifier for dynamic address reservation. Leaving it at all zeroes gives the public address to whichever LAN host requests a DHCP lease first, so specify the address explicitly when you care which machine is exposed.
A restriction

Since both the router and the passthrough host use the same IP address, new sessions that conflict with existing sessions are rejected by the router. For example, suppose you are a teleworker using an IPsec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer's office.
MultiNAT Configuration Example

To help you understand a typical MultiNAT configuration, this section describes an example of the type of configuration you may want to implement on your site. The values shown are for example purposes only. Make your own appropriate substitutions.

A typical DSL service from an ISP might include five user addresses. Without PAT, you might be able to attach only five IP hosts.
Enter your ISP-supplied values as shown below.

    Connection Profile 1: Easy Setup Profile
      Underlying Encapsulation...    RFC1483
      RFC1483 Mode...                Bridged 1483
                                     None
      Address Translation Enabled:   Yes
      IP Addressing...               Numbered
      Local WAN IP Address:          206.1.1.6
      Local WAN IP Mask:             255.255.255.248

      PREVIOUS SCREEN                NEXT SCREEN

    Return/Enter takes you back to previous screen.
    Enter basic information about your WAN connection with this screen.

Select NEXT SCREEN and press Return.
Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by Easy Setup, you would have to define a public range and map list.
Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen.

Next, select Show/Change Map List and choose Easy-PAT List. Select Add Map. The Add NAT Map screen appears. (Now the name Easy-PAT List is a misnomer, since it has a static map included in its list.) Enter 192.168.1.1 for the First Private Address and 192.168.1.5 for the Last Private Address.

    Add NAT Map ("Easy-PAT List")
      First Private Address:   192.168.1.
  • First, navigate to the Show/Change Map List screen, select Easy-PAT List and then Show/Change Maps. Choose the Static Map you created and change the First Private Address from 192.168.1.1 to 192.168.1.4. Now the Router, Web, and Mail servers' IP addresses are no longer included in the range of static mappings and are therefore no longer reachable from the outside world. Users on the Internet will not be able to Telnet to them, browse them, query them by SNMP, or ping them.
Chapter 5 Virtual Private Networks (VPNs)

Netopia Firmware Version 8.7 offers IPsec, PPTP, and ATMP tunneling support for Virtual Private Networks (VPNs).
Netopia Firmware Version 8.7 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the Routers are said to be tunnelling through the public network (Internet). The advantages are that, like a long-distance phone call, you do not need a direct line between one computer or LAN and the other, but use the local connections, making it much cheaper; and, when the tunnel is encrypted, the information you exchange through it is protected from other users of the public network.
leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Firmware Version 8.7 supports the more secure Tunnel mode.

DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key. Netopia Firmware Version 8.7 offers IPsec DES encryption over the VPN tunnel. Note that a 56-bit key is no longer considered adequate against brute-force search, so treat DES as a compatibility option rather than a strong protection.
About PPTP Tunnels

To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner. You use the same procedure to initiate a PPTP tunnel that terminates at a remote PPTP server or to terminate a tunnel initiated by a remote PPTP client.

PPTP configuration

To set up the Router as a PPTP Network Server (PNS) capable of answering PPTP tunnel requests, you must also configure the VPN Default Answer Profile.
When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears.

    PPTP Tunnel Options
      PPTP Partner IP Address:   173.167.8.134
      Tunnel Via Gateway:        0.0.0.0
      Authentication...
      Data Compression...
Note: Netopia Firmware Version 8.7 supports 128-bit ("strong") encryption. Unlike MS-CHAP version 1, which supports only one-way authentication, MS-CHAP version 2 supports mutual authentication between connected gateways and is incompatible with MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia Router starts by negotiating MS-CHAP-V2. Bear in mind that the MPPE session key is derived from the user's password, so the tunnel is no stronger than that password, and that the MS-CHAP-V2 handshake is known to be breakable offline from a captured exchange; where confidentiality matters, prefer IPsec.
The IP Profile Parameters screen appears.

    IP Profile Parameters
      Address Translation Enabled:   Yes
      NAT Map List...                Easy-PAT
      NAT Server List...             Easy-Servers
      Local WAN IP Address:          0.0.0.0
      Remote IP Address:             173.167.8.10
      Remote IP Mask:                255.255.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...

  • Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
About L2TP Tunnels

L2TP stands for Layer 2 Tunnelling Protocol, an extension to the PPP protocol. L2TP combines features of two other tunneling protocols: PPTP and L2F. Like PPTP, L2TP is a Datalink Encapsulation option in Connection Profiles. It is not an option in device or link configuration screens, as L2TP is not a native encapsulation. Consequently, the Easy Setup Profile does not offer L2TP datalink encapsulation.
When you define a Connection Profile as using L2TP by selecting L2TP as the datalink encapsulation method, and then select Encapsulation Options, the L2TP Tunnel Options screen appears.

    L2TP Tunnel Options
      L2TP Partner IP Address:      0.0.0.0
      L2TP Tunnel Authentication:   No
      PPP Authentication:
      Data Compression...
  • You can specify that this Router will Initiate Connections (acting as a PAC, the access concentrator, called an LAC in L2TP terminology) or only answer them (acting as a PNS, the network server, called an LNS in L2TP terminology).
  • Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established or may be scheduled using the scheduled connections feature. See "Scheduled Connections" on page 2-16.
  • You can specify the Idle Timeout (in seconds), an inactivity timer whose expiration terminates the tunnel.
About GRE Tunnels

Generic Routing Encapsulation (GRE) is another form of tunneling that Netopia routers support. A GRE tunnel is brought up when a valid GRE profile is installed, and brought down when the profile is disabled or deleted. GRE tunnels are not connection-based, but rather are installed and simply wait for GRE packets. There is no special startup initiation as with PPPoE or PPTP.
    GRE Tunnel Options
      GRE Partner IP Address:   173.167.8.134
      Send Checksums:           No
      Sequence Datagrams:       No
      Key:                      0

    Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).

  • Enter a GRE Partner IP Address in standard dotted-quad format to specify the address of the other end of the tunnel.
  • You can optionally toggle Send Checksums to Yes to verify that no data corruption or loss is incurred in transmission.
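To see what the three options on this screen actually put on the wire, the following Python is an added example, not Netopia code, that builds and checks GRE headers carrying the Checksum (C), Key (K) and Sequence Number (S) fields of RFC 2784 and RFC 2890. Note what the Key is and is not: it is a 32-bit value sent in the clear that lets the receiver match a datagram to the right tunnel, not a secret, and GRE itself provides neither confidentiality nor authentication; if you need those, carry the GRE tunnel inside IPsec. The payload bytes are constructed, and the simple "drop anything not newer than the last sequence number" policy is a simplification chosen for the example.

```python
"""Build and check GRE headers with the options the GRE Tunnel Options screen exposes:
checksum (C), key (K) and sequence number (S), per RFC 2784 and RFC 2890.

Added example; not Netopia code.  The payload bytes are constructed, and the
out-of-order policy in GreSeqFilter is a simplification of RFC 2890 section 2.2
chosen for this example.
"""
import struct

GRE_C = 0x8000            # Checksum Present
GRE_K = 0x2000            # Key Present
GRE_S = 0x1000            # Sequence Number Present
GRE_VERSION_MASK = 0x0007 # version bits; must be 0 for RFC 2784 GRE
ETH_P_IP = 0x0800         # protocol type of the encapsulated payload


def _internet_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 over a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, checksum=False, key=None, seq=None, proto=ETH_P_IP):
    """Return a GRE datagram: 4-byte base header, optional fields in RFC order, then payload."""
    flags = 0
    optional = b""
    if checksum:
        flags |= GRE_C
        optional += struct.pack("!HH", 0, 0)    # checksum placeholder, Reserved1
    if key is not None:
        flags |= GRE_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        optional += struct.pack("!I", seq)
    pkt = struct.pack("!HH", flags, proto) + optional + payload
    if checksum:
        # The checksum covers the whole GRE header (field zeroed) plus the payload.
        pkt = pkt[:4] + struct.pack("!H", _internet_checksum(pkt)) + pkt[6:]
    return pkt


def parse_gre(pkt):
    """Decode a GRE datagram; checksum_ok is None when the sender set no checksum."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    info = {"proto": proto, "checksum_ok": None, "key": None, "seq": None}
    off = 4
    if flags & GRE_C:
        info["checksum_ok"] = _internet_checksum(pkt) == 0
        off += 4
    if flags & GRE_K:
        info["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        info["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    info["payload"] = pkt[off:]
    return info


def accept_gre(pkt, expected_key=None):
    """Receiver policy: reject a failed checksum or a key that differs from the configured one."""
    info = parse_gre(pkt)
    if info["checksum_ok"] is False:
        return False
    if expected_key is not None and info["key"] != expected_key:
        return False
    return True


class GreSeqFilter:
    """Drop replayed or out-of-order datagrams when the sender sets S (simplified policy)."""

    def __init__(self):
        self.last = None

    def accept(self, seq):
        if seq is None:              # peer does not sequence; nothing to enforce
            return True
        if self.last is None or seq > self.last:
            self.last = seq
            return True
        return False


if __name__ == "__main__":
    pkt = build_gre(b"\x45\x00 constructed inner IP bytes", checksum=True, key=0x2A, seq=1)
    print(pkt.hex())
    print(parse_gre(pkt))
```

With all three options on, the header grows from 4 to 16 bytes; a single flipped payload bit is caught by the checksum, a datagram carrying the wrong Key is refused, and a repeated or older sequence number is dropped. None of this stops an on-path attacker who can read the key off the wire and forge datagrams with valid checksums, which is the reason to pair GRE with IPsec.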
The IP Profile Parameters screen appears.

    IP Profile Parameters
      Address Translation Enabled:   No
      IP Addressing...               Unnumbered
      Remote IP Address:             173.167.8.134
      Remote IP Mask:                255.255.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...

    Toggle to Yes if this is a single IP address ISP account.
    Configure IP requirements for a remote network connection here.

  • Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
VPN force-all

GRE tunnelling supports "VPN force-all," which forces all traffic coming from the LAN onto the GRE tunnel. You accomplish this by setting the default route to go through the GRE tunnel. A secondary host route, where all tunneled GRE packets route to the actual WAN interface, can be configured as a static route when required.
About ATMP Tunnels

To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them. You use the same procedure to initiate or terminate an ATMP tunnel. Used in this way, the terms initiate and terminate mean the beginning and end of the tunnel; they do not mean activate and deactivate.
When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears.

    ATMP Tunnel Options
      ATMP Partner IP Address:   173.167.8.134
      Tunnel Via Gateway:        0.0.0.0
      Network Name:              sam.net
      Password:                  ****
      Data Encryption...
  • You can specify that this Router will Initiate Connections, acting as a foreign agent (Yes), or only answer them, acting as a home agent (No).
  • Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established through the call management screens.
  • You can specify the Idle Timeout, an inactivity timer whose expiration terminates the tunnel. A value of zero disables the timer.
MS-CHAP V2 and 128-bit strong encryption

Notes:

  • Netopia Firmware Version 8.7 supports 128-bit ("strong") encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia Routers you can optionally set 56-bit DES encryption.
  • When you choose MS-CHAP as the authentication method for a PPTP tunnel, the Netopia Router starts by negotiating MS-CHAPv2.
    ATMP/PPTP Default Profile
      Answer ATMP/PPTP Connections:   No

      PPTP Configuration Options
        Receive Authentication...     PAP
        Data Compression...           None

  • Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections, or No (the default) if you do not.
  • For PPTP tunnel connections only, you must define what type of authentication these connections will use. Select Receive Authentication and press Return. The default, PAP, transmits the password in the clear; choose MS-CHAP, as the ICSA procedure in Chapter 3 does, so that MPPE encryption can be negotiated.
5-20 Firmware User Guide VPN QuickView You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView. Main Menu QuickView VPN QuickView The VPN QuickView screen appears. VPN Quick View Profile Name----------Type----Rx Pckts---Tx Pckts--RxDiscard--Remote Address-HA <-> FA1 (Jony Fon ATMP 99 99 0 173.166.82.8 HA <-> FA3 (Sleve M. ATMP 13 14 0 173.166.117.
Virtual Private Networks (VPNs) 5-21 Dial-Up Networking for VPN Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely.
5-22 Firmware User Guide The Communications window appears. 5. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button. 6. Respond to the prompts to install Dial-Up Networking from the system disks or CDROM. 7. When prompted, reboot your PC.
Virtual Private Networks (VPNs) 5-23 Configuring a Dial-Up Networking profile Once you have created your Dial-Up Networking profile, you configure it for TCP/IP networking to allow you to connect to the Internet through your Internet connection device. Do the following: 1. Double-click the My Computer (or whatever you have named it) icon on your desktop. Open the Dial-Up Networking folder. You will see the icon for the profile you created in the previous section. 2.
5-24 Firmware User Guide 4. 5. Click the TCP/IP Settings button. • If your ISP assigns an IP address dynamically when you connect, select the Server assigned IP address radio button. • If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your assigned IP address in the fields provided. Also enter your ISP’s DNS server addresses in the Primary and Secondary DNS fields. Click the OK button in this window and the next two windows. Windows XP Client Configuration 1.
Virtual Private Networks (VPNs) 5-25 Connecting using Dial-Up Networking A Dial-Up Networking connection will be automatically launched whenever you run a TCP/IP application, such as a web browser or email client. When you first run the application a Connect To dialog box appears in which you enter your User name and Password. If you check the Save password checkbox, the system will remember your User name and Password, and you won’t be prompted for them again. Saving the password stores the VPN credential on the workstation, so anyone who can use that Windows account can bring up the tunnel; leave it unchecked on shared or unmanaged machines.
5-26 Firmware User Guide Main Menu System Configuration Filter Sets Display/Change Filter Set Basic Firewall Select Display/Change Input Filter. Display/Change Input Filter screen +--#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd--+ +---------------------------------------------------------------------------+ | 1 0.0.0.0 0.0.0.0 TCP NC =2000 Yes No | | 2 0.0.0.0 0.0.0.
Virtual Private Networks (VPNs) 5-27 Change Input Filter 2 Enabled: Yes Forward: Yes Call Placement/Idle Reset: No Change Force Routing: No Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 0 GRE Return/Enter accepts * Tab toggles * ESC cancels. Enter the packet specific information for this filter. In the Display/Change Filter Set screen select Display/Change Output Filter.
5-28 Firmware User Guide Change Output Filter 1 Enabled: Yes Forward: Yes Call Placement/Idle Reset: No Change Force Routing: No Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: Source Port Compare... Source Port ID: Dest. Port Compare... Dest. Port ID: Established TCP Conns. Only: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 0 TCP No Compare 0 Equal 1723 No Return/Enter accepts * Tab toggles * ESC cancels.
Virtual Private Networks (VPNs) 5-29 Main Menu System Configuration Filter Sets Display/Change Filter Set Basic Firewall Select Display/Change Input Filter. Display/Change Input Filter screen +--#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd--+ +---------------------------------------------------------------------------+ | 1 0.0.0.0 0.0.0.0 TCP NC =2000 Yes No | | 2 0.0.0.0 0.0.0.
5-30 Firmware User Guide Change Input Filter 2 Enabled: Yes Forward: Yes Call Placement/Idle Reset: No Change Force Routing: No Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 0 GRE Return/Enter accepts * Tab toggles * ESC cancels. Enter the packet specific information for this filter. In the Display/Change IP Filter Set screen select Display/Change Output Filter.
Virtual Private Networks (VPNs) 5-31 Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below. Change Output Filter 1 Enabled: Yes Forward: Yes Call Placement/Idle Reset: No Change Force Routing: No Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: Source Port Compare... Source Port ID: Dest. Port Compare... Dest. Port ID: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.
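The Basic Firewall filter screens above are easier to reason about as an executable model. The following is an added example written for this page, not Netopia firmware code: it models the filter fields shown in the Change Input/Output Filter screens (address/mask pairs, protocol, port compare, Established TCP Conns. Only, Forward) and evaluates a packet against a filter set. It reproduces only the PPTP filters visible on the page (input filter 2 forwards GRE, output filter 1 forwards TCP to destination port 1723, and the input filter 1 that discards TCP to port 2000); the ATMP filter set on the following pages is built the same way with its own protocol and port values. The semantics that the first matching filter decides and that a packet matching no filter is discarded are assumptions made for the example.

```python
"""Added example (not Netopia firmware code): evaluating packets against a
Netopia-style IP filter set such as the Basic Firewall shown on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47   # IANA protocol numbers


@dataclass
class Filter:
    enabled: bool
    forward: bool                       # Forward: Yes = pass, No = discard
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"           # mask 0.0.0.0 = match any address
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: Optional[int] = None         # None = any protocol
    src_cmp: str = "No Compare"         # No Compare / Equal / Not Equal / Less / Greater
    src_port: int = 0
    dst_cmp: str = "No Compare"
    dst_port: int = 0
    established_only: bool = False      # "Established TCP Conns. Only"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    tcp_ack: bool = False               # ACK set: belongs to an established connection


def _addr_match(addr: str, rule_addr: str, mask: str) -> bool:
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)


def _port_match(cmp: str, actual: int, wanted: int) -> bool:
    return {"No Compare": True, "Equal": actual == wanted, "Not Equal": actual != wanted,
            "Less": actual < wanted, "Greater": actual > wanted}[cmp]


def matches(f: Filter, p: Packet) -> bool:
    if not f.enabled:
        return False
    if not _addr_match(p.src, f.src, f.src_mask) or not _addr_match(p.dst, f.dst, f.dst_mask):
        return False
    if f.proto is not None and f.proto != p.proto:
        return False
    if p.proto in (PROTO_TCP, PROTO_UDP):      # ports exist only for TCP/UDP
        if not _port_match(f.src_cmp, p.sport, f.src_port):
            return False
        if not _port_match(f.dst_cmp, p.dport, f.dst_port):
            return False
    if f.established_only and not (p.proto == PROTO_TCP and p.tcp_ack):
        return False
    return True


def evaluate(filter_set: List[Filter], p: Packet) -> bool:
    """True if the packet is forwarded. Assumed semantics: the first matching
    filter decides, and a packet that matches no filter is discarded."""
    for f in filter_set:
        if matches(f, p):
            return f.forward
    return False


# Only the filters visible on the page are reproduced; the real Basic Firewall
# set contains more entries than the screen excerpts show.
BASIC_FIREWALL_INPUT = [
    Filter(enabled=True, forward=False, proto=PROTO_TCP, dst_cmp="Equal", dst_port=2000),
    Filter(enabled=True, forward=True, proto=PROTO_GRE),              # input filter 2: GRE
]
BASIC_FIREWALL_OUTPUT = [
    Filter(enabled=True, forward=True, proto=PROTO_TCP, dst_cmp="Equal", dst_port=1723),
]

# Constructed sample traffic (addresses are documentation ranges, not real hosts).
PPTP_SERVER, PPTP_CLIENT = "198.51.100.1", "203.0.113.5"
SAMPLES = {
    "gre_in": Packet(PPTP_CLIENT, PPTP_SERVER, PROTO_GRE),
    "tcp2000_in": Packet(PPTP_CLIENT, PPTP_SERVER, PROTO_TCP, 40000, 2000),
    "tcp1723_in": Packet(PPTP_CLIENT, PPTP_SERVER, PROTO_TCP, 40000, 1723),
    "tcp1723_out": Packet(PPTP_SERVER, PPTP_CLIENT, PROTO_TCP, 40000, 1723),
    "udp500_out": Packet(PPTP_SERVER, PPTP_CLIENT, PROTO_UDP, 500, 500),
}


def decisions() -> dict:
    """Forwarding decision for each sample packet in its direction."""
    return {
        "gre_in": evaluate(BASIC_FIREWALL_INPUT, SAMPLES["gre_in"]),
        "tcp2000_in": evaluate(BASIC_FIREWALL_INPUT, SAMPLES["tcp2000_in"]),
        "tcp1723_in": evaluate(BASIC_FIREWALL_INPUT, SAMPLES["tcp1723_in"]),
        "tcp1723_out": evaluate(BASIC_FIREWALL_OUTPUT, SAMPLES["tcp1723_out"]),
        "udp500_out": evaluate(BASIC_FIREWALL_OUTPUT, SAMPLES["udp500_out"]),
    }


if __name__ == "__main__":
    for name, fwd in decisions().items():
        print(f"{name:12s} -> {'forward' if fwd else 'discard'}")
```

The useful point the model makes explicit: with only the filters shown, inbound TCP to port 1723 is discarded because nothing matches it, so a PPTP server behind this Router needs an input filter that forwards TCP/1723 as well as the GRE filter; the screens on the page show the GRE side and the outbound control-channel side.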
5-32 Firmware User Guide Windows Networking Broadcasts Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcasts. This is useful, for example, for a Virtual Private Network in which you want to browse the remote network to which you are tunnelling as part of your Windows Network Neighborhood. Routed connections, such as VPNs, cannot use NetBEUI to carry the Network Neighborhood information, because NetBEUI is not routable; they must carry NetBIOS over TCP/IP instead. Enable this proxy only on tunnels to networks you trust: it relays name registration, name queries and browser announcements from the remote LAN into your own.
Virtual Private Networks (VPNs) 5-33 Configuration for Router A IP Profile Parameters Remote Tunnel Endpoint: Add Network... Display/Change Network... Delete Network... 192.168.2.1 Address Translation Enabled: No Stateful Inspection Enabled: No Filter Set... Remove Filter Set NetBIOS Proxy Enabled Advanced IP Profile Options... <> COMMIT Yes CANCEL Configuration for Router B IP Profile Parameters Remote Tunnel Endpoint: Add Network... Display/Change Network... Delete Network... 192.168.1.
5-34 Firmware User Guide Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Shared volumes on the remote network are accessible with or without a WINS server. Local LAN shared volumes that have Port Address Translation (PAT) applied to them are not available to hosts on the remote LAN. For tunnelled traffic, NAT on the WAN has no effect on the Microsoft Networking traffic.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-1 Chapter 6 Internet Key Exchange (IKE) IPsec Key Management for VPNs IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). See “Virtual Private Networks (VPNs)” on page 5-1 for more information. The Netopia Firmware Version 8.7 supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel.
6-2 Firmware User Guide The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has fleas”, on each end once. This pass phrase is used to authenticate each end to the other. Because the pass phrase is the only secret that authenticates the tunnel, choose a long random one rather than a dictionary sentence; a phrase like the example above is exactly what an offline guessing attack tries first.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-3 The Add Connection Profile screen appears. Add Connection Profile Profile Name: Profile Enabled: Encapsulation Type... RFC1483 Mode... IP Profile Parameters... COMMIT Profile 1 +-------------+ +-------------+ | PPP | | RFC1483 | | ATMP | | PPTP | | IPsec | | L2TP | +-------------+ CANCEL • From the Encapsulation Type pop-up menu select IPsec. • Then select Encapsulation Options. The IPsec Tunnel Options screen appears.
6-4 Firmware User Guide IPsec Tunnel Options, with the IKE Phase 1 Profile pop-up open:
IPsec Tunnel Options
    Key Management...                  +-IKE Phase1 Profile--+
    IKE Phase 1 Profile...             | <>                  |
    Encapsulation...                   | <>                  |
    ESP Encryption Transform...        +---------------------+
    ESP Authentication Transform...    ...5-96
    Compression Type...
    Advanced IPsec Options...
    COMMIT
Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
• A pop-up window displays a list of IKE Phase 1 Profiles that you have configured.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-5 • The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 profiles are supported, since each of the potential sixteen Connection Profiles may be associated with a separate IKE Phase 1 profile. • The Mode pop-up menu allows you to choose between Main Mode (the default) and Aggressive Mode. Keep Main Mode unless the peer requires Aggressive Mode (typically a peer with a dynamic address that must be identified by name): Aggressive Mode sends the identities unencrypted and, with pre-shared keys, exposes a hash derived from the pre-shared key to an offline dictionary attack by anyone who can observe or solicit the exchange.
6-6 Firmware User Guide • If you select Xauth Options the Xauth Options screen appears.
Xauth Options
    XAuth mode of operation:        VPN concentrator
    Xauth Recipient Auth Check:     Local
    XAuth Local Username:           John Doe
    XAuth Local Password:           ********************
Extended Authentication (Xauth) is an extension to the IKE protocol for IPsec tunnelling. It adds a second authentication step on top of the IKE Phase 1 exchange: a remote user’s Netopia Gateway must present user credentials before it is authorized for network access to the user’s central office.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-7 • VPN concentrator – This configures Xauth to expect to receive authentication credentials, and to possibly serve VPN IP parameters.
6-8 Firmware User Guide Normally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen. Most of these settings exist for ensuring compatibility with remote IKE implementations that may have certain limitations. • The Negotiation pop-up menu allows you to specify the way the device will respond to a connection attempt. Normal (the default) is a two-way mode; Initiate Only or Respond Only permit limiting the connection to one-way only.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-9 • Traffic based Dead Peer Detection The default is No. Toggling this option to Yes allows IKE to negotiate RFC3706-based IKE “keepalives” with a remote security gateway (IKE peer) that supports them.
6-10 Firmware User Guide Selecting Display/Change IKE Phase 1 Profile or Delete IKE Phase 1 Profile displays an IKE Phase 1 Profile pop-up menu listing the names of all currently defined IKE Phase 1 profiles:
IPsec Configuration
    +--IKE Phase1 Profile--+
    | IKE Profile 2        |
    | Arthropods           |
    | Anthropoids          |
    +----------------------+
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-11 Key Management You specify your IKE key management on a per-Connection Profile basis.
6-12 Firmware User Guide Note: The Change Connection Profile screen will offer different options, depending on the model of gateway you are using. You can associate an IPsec profile with the Primary, the Backup, or choose to apply it to Any Port of the WAN interface by choosing the interface from the Interface Group pop-up menu as shown below. Example #2: Add Connection Profile menu, showing Interface Group pop-up: Add Connection Profile Profile Name: Profile Enabled: Profile 1 Yes Encapsulation Type...
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-13 IPsec Tunnel Options Key Management... IKE Phase 1 Profile... IKE Encapsulation... ESP ESP Encryption Transform... ESP Authentication Transform... DES HMAC-MD5-96 Advanced IPsec Options... COMMIT CANCEL The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows you to choose between IKE key management (the default for a new IPsec profile) and Manual key management.
6-14 Firmware User Guide • The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1-96. Do not choose None for a tunnel that carries real traffic: ESP without an authentication transform provides no integrity protection, and encryption-only ESP is known to be attackable. Prefer HMAC-SHA1-96 over HMAC-MD5-96 whenever the remote peer supports it. Advanced IPsec Options If you select Advanced IPsec Options, the Advanced IPsec Options screen appears.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-15 • Dead Peer Detection toggles whether or not the Router will detect a remote peer being offline. Enhanced Dead Peer Detection Netopia Firmware Version 8.7 adds a new Dead Peer Detection mechanism. In previous firmware versions, when Dead Peer Detection was enabled, a counter would begin in the router when any traffic was sent through the tunnel. Determination of a dead peer could take up to eight minutes. Netopia Firmware Version 8.
6-16 Firmware User Guide Note: • ICMP Dead Peer Detection is not available when using manual re-keying. • ICMP Dead Peer Detection does not initiate a series of phase 2 exchanges upon detecting a dead peer; it instead initiates a new phase 1 negotiation, followed by a new phase 2 negotiation once contact with the peer has been re-established.
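The traffic-based Dead Peer Detection option above negotiates RFC 3706 keepalives, and the note explains that a detected dead peer leads to a fresh phase 1 negotiation. The following is an added example written for this page, not Netopia firmware code: a small model of the RFC 3706 logic as a peer would run it. A peer that has outbound traffic but has seen no inbound traffic from the remote for an idle period sends an R-U-THERE notify carrying an increasing sequence number, retries a bounded number of times, and declares the peer dead when no R-U-THERE-ACK with the matching sequence number arrives. The timer values, the retry limit and the "restart at phase 1" action are assumptions chosen for the example; the page does not state the Router's own values.

```python
"""Added example (not Netopia firmware code): RFC 3706 traffic-based Dead Peer
Detection as one peer would run it."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdPeer:
    idle_secs: float = 30.0        # assumed: probe after this long without inbound traffic
    retry_secs: float = 5.0        # assumed: wait this long for an ACK before resending
    max_retries: int = 3           # assumed retry limit
    last_inbound: float = 0.0
    # RFC 3706 requires the sequence number to increase monotonically; the
    # starting value here is arbitrary.
    seq: int = field(default_factory=lambda: secrets.randbelow(2 ** 31))
    outstanding: Optional[int] = None   # sequence number of the probe awaiting an ACK
    probe_sent_at: float = 0.0
    retries: int = 0
    dead: bool = False
    events: List[str] = field(default_factory=list)

    def inbound_traffic(self, now: float) -> None:
        """Any authenticated inbound IPsec or IKE traffic proves the peer is alive,
        so pending probes are cancelled."""
        self.last_inbound = now
        self.outstanding = None
        self.retries = 0

    def receive_ack(self, now: float, ack_seq: int) -> bool:
        """R-U-THERE-ACK: only an ACK for the outstanding probe counts; a stale
        or forged sequence number is ignored."""
        if self.outstanding is not None and ack_seq == self.outstanding:
            self.inbound_traffic(now)
            return True
        return False

    def outbound_traffic(self, now: float) -> Optional[int]:
        """Called whenever the local side wants to send through the tunnel.
        Returns the sequence number of an R-U-THERE to send, or None."""
        if self.dead:
            return None
        if self.outstanding is not None:
            if now - self.probe_sent_at < self.retry_secs:
                return None                       # still waiting for the ACK
            if self.retries >= self.max_retries:
                self.dead = True
                self.events.append("peer dead: tear down SAs, restart at phase 1")
                return None
            self.retries += 1
        elif now - self.last_inbound < self.idle_secs:
            return None                           # peer proved alive recently
        self.seq += 1
        self.outstanding = self.seq
        self.probe_sent_at = now
        self.events.append(f"R-U-THERE seq={self.seq} retry={self.retries}")
        return self.seq


def worst_case_detect_secs(p: DpdPeer) -> float:
    """Upper bound from the last inbound packet to declaring the peer dead:
    the idle period, the first probe, and every retry interval."""
    return p.idle_secs + p.retry_secs * (p.max_retries + 1)


if __name__ == "__main__":
    peer = DpdPeer()
    peer.inbound_traffic(0.0)
    t = 30.0
    while not peer.dead:                      # the remote never answers
        peer.outbound_traffic(t)
        t += 5.0
    print("\n".join(peer.events), "\ndetected after", t - 5.0, "s")
```

Two details matter operationally: the probe is only sent when there is outbound traffic, so an idle tunnel is never torn down by DPD alone, and the detection bound is idle_secs + retry_secs * (max_retries + 1), which is what the "up to eight minutes" remark for earlier firmware is describing.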
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-17 This feature allows you to define many local and remote network ranges for a given IPsec VPN profile. Each of these ranges has its own IPsec tunnel. However, each tunnel has a common tunneling endpoint and encryption policy. This is useful, for example, for branch office management of multiple IP subnets over an encrypted VPN tunnel.
6-18 Firmware User Guide • • If you choose Subnet, you must enter the Remote Member Address and the subnet mask that is the Remote Member Mask. Enter the Local Member Address and the Local Member Mask in their respective fields. • If you choose Range, the next two fields become Remote Member 1st Address and Remote Member Last Address. You supply these values. Complete the Local Member 1st Address and Local Member Last Address fields.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-19
Display/Change Network Configuration
            -------------Local Members-------------   ------------Remote Members------------
    Net #   Type     Start Address     Size          Type     Start Address     Size
    ----------------------------------SCROLL UP----------------------------------
    1       SUBNET   192.168.2.1       /24           SUBNET   192.168.1.0       /24
    2       SUBNET   10.0.1.1          /8            SUBNET   10.0.0.1          /8
    3       HOST     163.176.91.101                  HOST     163.176.91.100
    4       RANGE    163.176.30.222    21            RANGE    163.176.91.
6-20 Firmware User Guide • Specifying IKE key management alters the Advanced IP Profile Options screen as follows: Advanced IP Profile Options Local Tunnel Endpoint Address: Next Hop Gateway: 0.0.0.0 0.0.0.0 Idle Timeout (seconds): 300 Maximum Packet Size: 1500 Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). • You can specify a Local Tunnel Endpoint Address. If not 0.0.0.0, this value must be one of the assigned interface addresses, either WAN or LAN.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-21 IPsec WAN Configuration Screens You can also configure IKE Phase 1 Profiles in the WAN Configuration menus. Main Menu WAN Configuration IKE Phase 1 Configuration The WAN Configuration screen now includes IKE Phase 1 Configuration as shown: WAN Configuration WAN (Wide Area Network) Setup... ATM Circuits Configuration... Display/Change Connection Profile... Add Connection Profile... Delete Connection Profile... WAN Default Profile...
6-22 Firmware User Guide IKE Phase 1 Configuration Display/Change IKE Phase 1 Profile... Add IKE Phase 1 Profile... Delete IKE Phase 1 Profile... The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile. IPsec Manual Key Entry The Version 8.6 firmware has a redesigned layout and additional options for manual key entry.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-23 Select IPsec Manual Keys and press Return. IPsec Manual Keys SHA1 ESP Auth. Key: SHA1 AH Auth. Key: Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields to enter authorization keys and encryption keys.
6-24 Firmware User Guide
VPN Quick View
    Profile Name              Type    Rx Pckts   Tx Pckts   Discard   Remote Address
    HA <-> FA1 (Jony Fon      ATMP    99         99                   173.166.82.8
    HA <-> FA3 (Sleve M.      ATMP    13         14                   63.193.117.91
    My IPsec Tunnel           IPsec   23         12                   0.0.0.0
    Bangalore                 PPTP    45         35                   1.1.1.1
If the remote tunnel end point is a hostname (or “0.0.0.0”), 0.0.0.0 is displayed until a Security Association is established. Previously the remote members network was displayed.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-25
    Event message                    Meaning
    IKE: no matching ph2 proposal    Either the local Router rejected the proposals of the remote or the remote rejected the local Router’s.
    IKE: ph2 resend timeout          The attempt to resend the phase 2 authentication timed out.
    IKE: phase 2 complete            The phase 2 negotiation completed successfully.
IP Setup 7-1 Chapter 7 IP Setup Netopia Firmware Version 8.7 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the gateway to route IP traffic. You also learn how to configure the gateway to serve IP addresses to hosts on your local network. Netopia’s IP routing features Network Address Translation and IP address serving.
7-2 Firmware User Guide IP Setup Main Menu System Configuration IP Setup The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here controls how the gateway routes IP traffic. Consult your network administrator or ISP to obtain the IP setup information (such as the Ethernet IP address, Ethernet subnet mask, default IP gateway, and Primary Domain Name Server IP address) you will need before changing any of the settings in this screen.
IP Setup 7-3 The Netopia Firmware Version 8.7 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment.
7-4 Firmware User Guide • If you select IP Address Serving you will be taken to the IP Address Serving screen (see “IP Address Serving” on page 7-17). Since no two hosts can use the same IP address at the same time, make sure that the addresses distributed by the Router and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from.
IP Setup 7-5 For example:
IP Subnets
          IP Address          Subnet Mask
    #1:   192.128.117.162     255.255.255.0
    #2:   192.128.152.162     255.255.0.0
    #3:   0.0.0.0             0.0.0.0
    #4:
    #5:
    #6:
    #7:
    #8:
• To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
7-6 Firmware User Guide If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly: IP Setup Subnet Configuration... Default IP Gateway: Backup IP Gateway: Primary Domain Name Server: Secondary Domain Name Server: Domain Name: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Rip Options... Proxy Arp Enabled: Multicast Forwarding... No None VRRP Options... Static Routes... Additional LANs... IP Address Serving... Return/Select to view/configure IP Subnets.
IP Setup 7-7 The Static Routes screen will appear. Static Routes Display/Change Static Route... Add Static Route... Delete Static Route... Configure/View/Delete Static Routes from this and the following Screens. Viewing static routes To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear. +-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+ +------------------------------------------------------------------+ | 0.0.0.0 0.0.0.
7-8 Firmware User Guide Subnet Mask: The subnet mask associated with the destination network. Next Gateway: The IP address of the gateway that will be used to reach the destination network. Priority: An indication of whether the Router will use the static route when it conflicts with information received from RIP packets. Enabled: An indication of whether the static route should be installed in the IP routing table. To return to the Static Routes screen, press Escape.
IP Setup 7-9 • To make sure that the static route is known only to the Router, select Advertise Route Via RIP and toggle it to No. To allow other RIP-capable gateways to know about the static route, select Advertise Route Via RIP and toggle it to Yes. When Advertise Route Via RIP is toggled to Yes, a new item called RIP Metric appears below Advertise Route Via RIP. With RIP Metric you set the number of gateways, from 1 to 15, between the sending gateway and the destination gateway.
7-10 Firmware User Guide RIP Options Netopia Firmware Version 8.7 supports RIP-2 MD5 Authentication (RFC 2082, RIP-2 MD5 Authentication; RIP is the Routing Information Protocol). MD5 authentication appends a keyed message digest to each RIP-2 packet, so that a receiver can check that the packet was generated by a router holding the shared key and was not altered in transit. In other words, it guards against a malicious host on your network injecting or modifying routes while posing as one of your routers. It does not hide the routing information, and its strength depends entirely on keeping the shared key secret.
IP Setup 7-11 IP Setup Ethernet IP Address: Ethernet Subnet Mask: Define Additional Subnets... 192.168.1.1 255.255.255.0 Default IP Gateway: Backup IP Gateway: Primary Domain Name Server: Secondary Domain Name Server: Domain Name: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Rip Options... Proxy Arp Enabled: Multicast Forwarding... No None VRRP Options... Static Routes... Additional LANs... IP Address Serving... Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
7-12 Firmware User Guide
Ethernet LAN RIP Options
    Receive RIP...                   v2 MD5 Authentication
    Transmit RIP...                  Off
    RIP v2 Authentication Keys...
• You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pop-up menu.
IP Setup 7-13 Note: • All of the changes on this menu require a reboot. This is unique to the Ethernet LAN. RIP changes on all other interfaces are immediately effective. • If you set the RIP Receive option to Both v1 and v2, the interface will ignore authenticated RIP packets since authenticated v1 packets do not exist. Only v2 packets can be authenticated. • Select RIP v2 Authentication Keys. The RIP v2 Authentication Keys screen appears. RIP v2 Authentication Keys Display/Change Key... Add Key...
7-14 Firmware User Guide
Add Key
    Key ID:                     0
    Authentication Key:
    Start Date (MM/DD/YY):      10/10/2002
    Start Time (hh:mm):         12:00
    AM or PM:                   AM
    End Time Mode:              Date
    End Date (MM/DD/YY):        10/10/2002
    End Time (hh:mm):           12:00
    AM or PM:                   AM
    COMMIT                      CANCEL
• The key identifier Key ID can be any numeric value from 0 – 255, and must be unique per interface. You cannot have two keys with the same key ID on an interface. • The Authentication Key may consist of from 1 – 16 ASCII characters. Use the full 16 characters and avoid dictionary words: the key is the only secret protecting the digest, and a short or guessable key can be recovered offline from captured RIP packets.
IP Setup 7-15 RIP v2 Authentication Keys +-Key ID--Start Date--Start Time--End Date--End Time--Valid-+ +-----------------------------------------------------------+ | 1 10/10/2002 12:00 AM Infinite yes | | 255 3/11/2000 3:17 PM 8/6/2002 1:24 AM no | | | +-----------------------------------------------------------+ Delete Key... Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Note: The date and time formats are determined by the system date and time formats.
7-16 Firmware User Guide Connection Profiles and Default Profile RIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not using NAT, your public Internet connection can benefit from sending authenticated RIP packets as well as receiving them. To configure RIP-2 MD5 authentication for a Connection Profile, you can either change an existing Connection Profile, or create a new one.
IP Setup 7-17 • If either Receive RIP or Transmit RIP is set to v2 MD5 Authentication, RIP v2 Authentication Keys is visible. Selecting RIP v2 Authentication Keys takes you to the RIP v2 Authentication Keys screen, where you can configure your keys in the same manner as in “Adding a key,” on page 7-13. After configuring your key, press COMMIT in the Add or Change Key screen, then press Escape three times to return to the Add or Change Connection Profile screen.
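The RIP-2 MD5 procedure above (RIP Options, the Add Key screen with Key ID, a 1–16 character key and a validity window) maps directly onto the packet format of RFC 2082. The following is an added example written for this page, not Netopia firmware code: it builds a RIP-2 Response carrying the RFC 2082 authentication header and keyed-MD5 trailer, and verifies a received packet against a key table indexed by Key ID with start/end validity times. The route entries, key and timestamps are constructed for the example; the replay rule (accept only a non-decreasing sequence number, with 0 allowed for a restarted neighbour) is a simplification of RFC 2082 section 3.2.3 and is marked as such.

```python
"""Added example (not Netopia firmware code): RIP-2 keyed-MD5 authentication
per RFC 2082, with key selection by Key ID and validity window."""
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime
from typing import Dict, List, Optional, Tuple

RIP_RESPONSE, RIP_VERSION = 2, 2
AFI_AUTH = 0xFFFF
AUTH_TYPE_MD5 = 3          # RFC 2082: Keyed Message Digest
AUTH_TYPE_TRAILER = 1      # RFC 2082: the trailer that carries the digest
DIGEST_LEN = 16
HEADER_LEN, ENTRY_LEN = 4, 20

KeyTable = Dict[int, Tuple[str, datetime, Optional[datetime]]]   # id -> (key, start, end or None)


def _pad_key(key: str) -> bytes:
    raw = key.encode("ascii")
    if not 1 <= len(raw) <= DIGEST_LEN:
        raise ValueError("key must be 1-16 ASCII characters")
    return raw.ljust(DIGEST_LEN, b"\x00")    # RFC 2082: pad with trailing zeros


def route_entry(prefix: str, nexthop: str, metric: int, tag: int = 0) -> bytes:
    """One 20-byte RIP-2 route entry (AFI 2 = IP)."""
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.IPv4Address(nexthop).packed, metric)


def build_rip2_md5(entries: List[bytes], key_id: int, key: str, seq: int) -> bytes:
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    body = b"".join(entries)
    pkt_len = HEADER_LEN + ENTRY_LEN + len(body)      # length before the trailer
    # Auth header entry: AFI 0xFFFF, type 3, packet length, key id, auth data
    # length (16), sequence number, 8 reserved zero bytes.
    auth_hdr = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_TYPE_MD5, pkt_len,
                           key_id, DIGEST_LEN, seq)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER)
    unsigned = header + auth_hdr + body + trailer
    # The digest is MD5 over the packet with the padded key in place of the digest.
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify_rip2_md5(packet: bytes, keys: KeyTable, now: datetime, last_seq: int):
    """Returns (ok, seq, entries, reason) for a received RIP-2 packet."""
    if len(packet) < HEADER_LEN + ENTRY_LEN + 4 + DIGEST_LEN:
        return False, 0, [], "too short"
    afi, atype, pkt_len, key_id, alen, seq = struct.unpack(
        "!HHHBBI8x", packet[HEADER_LEN:HEADER_LEN + ENTRY_LEN])
    if (afi, atype, alen) != (AFI_AUTH, AUTH_TYPE_MD5, DIGEST_LEN):
        return False, seq, [], "no MD5 auth header"
    if pkt_len + 4 + DIGEST_LEN != len(packet) or (pkt_len - HEADER_LEN) % ENTRY_LEN:
        return False, seq, [], "bad length"
    if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TYPE_TRAILER):
        return False, seq, [], "bad trailer"
    entry = keys.get(key_id)
    if entry is None:
        return False, seq, [], "unknown key id"
    key, start, end = entry
    if now < start or (end is not None and now > end):     # End Time Mode: Date / Infinite
        return False, seq, [], "key not valid at this time"
    expected = hashlib.md5(packet[:pkt_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False, seq, [], "digest mismatch"
    # Simplified RFC 2082 replay rule: sequence must not go backwards; 0 means
    # the neighbour restarted and is accepted.
    if seq != 0 and seq < last_seq:
        return False, seq, [], "replayed or stale sequence number"
    entries = [packet[i:i + ENTRY_LEN] for i in range(HEADER_LEN + ENTRY_LEN, pkt_len, ENTRY_LEN)]
    return True, seq, entries, "ok"


# Constructed sample: two routes, key id 1, a 16-character key valid from the
# date on the Add Key screen with no end date (Infinite).
SAMPLE_KEY = "Netopia-Demo-K3y"
SAMPLE_KEYS: KeyTable = {1: (SAMPLE_KEY, datetime(2002, 10, 10), None)}
SAMPLE_ENTRIES = [route_entry("10.1.0.0/16", "0.0.0.0", 1),
                  route_entry("192.168.5.0/24", "0.0.0.0", 3)]

if __name__ == "__main__":
    pkt = build_rip2_md5(SAMPLE_ENTRIES, 1, SAMPLE_KEY, 7)
    print(len(pkt), "bytes:", pkt.hex())
    print(verify_rip2_md5(pkt, SAMPLE_KEYS, datetime(2010, 1, 1), 6)[::3])
```

Note that the digest is a keyed MD5 as RFC 2082 defines it, not an HMAC, and that the comparison uses hmac.compare_digest so that a forger cannot time the check; the key is never sent, so a capture only yields material for an offline guess against short keys.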
7-18 Firmware User Guide Go to the System Configuration screen. Select IP Address Serving and press Return. The IP Address Serving screen will appear.
IP Address Serving
    IP Address Serving Mode...          +------------------+
    Number of Client IP Addresses:      | Disabled         |
    1st Client Address:                 | DHCP Server      |
    Client Default Gateway...           | DHCP Relay Agent |
                                        +------------------+
    Serve DHCP Clients:                 192.168.1.1
    DHCP Next-Server:
    DHCP Lease Time (Hours):
    DHCP NetBIOS Options...
IP Setup 7-19 • The DHCP Next-Server field allows you to enter the IP address of the next server in the boot process, which is typically a Trivial File Transfer Protocol (TFTP) server. • The default DHCP Lease time is one hour. This may be unnecessarily brief in your network environment. Consequently, the DHCP lease time is configurable. The DHCP Lease Time (Hours) setting allows you to modify the gateway’s default lease time of one hour.
7-20 Firmware User Guide IP Address Pools The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight configured Ethernet IP subnets:
IP Address Pools
    Subnet (# host addrs)    1st Client Addr     Clients    Client Gateway
    192.128.117.0 (253)      192.128.117.196     16         192.128.117.162
    192.129.117.0 (253)      192.129.117.110     8          192.129.117.4
This screen consists of between two and eight rows of four columns each.
IP Setup 7-21 Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular client in all circumstances. However, when the address server has been configured, and the clients involved have no prior address serving interactions, the Router will generally serve the first unused address from the first address pool with an available address.
7-22 Firmware User Guide
DHCP NetBIOS Options
    Serve NetBIOS Type:              Yes
    NetBIOS Type...                  Type B
    Serve NetBIOS Scope:             No
    NetBIOS Scope:
    Serve NetBIOS Name Server:       No
    NetBIOS Name Server IP Addr:     0.0.0.0
Configure DHCP-served NetBIOS options here.
• To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes. • From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network.
IP Setup 7-23 Select NetBIOS Name Server IP Addr and enter the IP address for the NetBIOS name server. You are now finished setting up DHCP NetBIOS Options. To return to the IP Address Serving screen, press Escape. • To enable BootP’s address serving capability, select Serve BOOTP Clients and toggle to Yes. Note: Addresses assigned through BootP are permanently allocated from the IP Address Serving pool until you release them.
7-24 Firmware User Guide • The ability to view the host name associated with a client to which the gateway has leased an IP address. • The ability for the gateway’s Ethernet IP address(es) to overlap the DHCP address serving pool(s). • The ability to serve as a DHCP Relay Agent. The Netopia Firmware Version 8.7 supports reserving an IP address only for a type 1 client identifier (i.e., an Ethernet hardware address). It does not support reserving an IP address for an arbitrary client identifier.
IP Setup 7-25 You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses. Served IP Addresses -IP Address------Type----Expires—-Host Name/Client Identifier--------------------------------------------------SCROLL UP----------------------------------192.168.1.100 192.168.1.101 192.168.1.102 192.168.1.103 192.168.1.104 192.168.1.105 192.168.1.106 +------------+ 192.168.1.107 +------------+ 192.168.
7-26 Firmware User Guide Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased. Served IP Addresses -IP Address------Type----Expires—-Host Name/Client Identifier--------------------------------------------------SCROLL UP----------------------------------192.168.1.100 192.168.1.
IP Setup 7-27 An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an address if it determines that a leased address is already in use by another device. Selecting Include restores the selected IP address to the address serving pool so that the IP address is once again eligible to be served to a client. • Release is displayed if the entry is currently offered, leased, or reserved.
7-28 Firmware User Guide Served IP Addresses -IP Address------Type----Expires--Host Name/Client Identifier--------------------------------------------------SCROLL UP----------------------------------192.168.1.1 Excluded for the gateway's IP address 192.168.1.2 Excluded 192.168.1.3 DHCP 00:24 Barr's XPi 120 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.8 192.168.1.9 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.
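The address-serving rules spread over the preceding pages (a pool per subnet, the gateway's own address excluded from an overlapping pool, reservations only for a type 1 client identifier, "first unused address from the first pool with an available address", BOOTP allocations held until released, and the Declined, Release and Include states of the Served IP Addresses screen) are brought together in the following added example. It is written for this page and is not Netopia firmware code; the two-step offer/commit flow, the hour-granularity lease clock and the choice to return a released reservation to the Reserved state are assumptions made for the example, and the client identifiers and pools are constructed.

```python
"""Added example (not Netopia firmware code): a DHCP/BOOTP address pool with
the states shown on the Served IP Addresses screen."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Pool:
    first: str          # 1st Client Addr
    count: int          # Clients
    gateway: str        # Client Gateway

    def addresses(self) -> List[str]:
        start = ipaddress.IPv4Address(self.first)
        return [str(start + i) for i in range(self.count)]


@dataclass
class AddressServer:
    pools: List[Pool]
    own_addresses: Tuple[str, ...]      # the gateway's own Ethernet IP address(es)
    lease_hours: int = 1                # DHCP Lease Time (Hours); default one hour
    state: Dict[str, str] = field(default_factory=dict)     # addr -> Excluded/Reserved/Offered/DHCP/BOOTP/Declined
    owner: Dict[str, bytes] = field(default_factory=dict)   # addr -> client identifier
    expires: Dict[str, Optional[int]] = field(default_factory=dict)  # addr -> hour lease ends; None = permanent
    reservations: Dict[bytes, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for a in self.own_addresses:    # a pool may overlap the gateway address; it is excluded
            self.state[a] = "Excluded"

    def reserve(self, client_id: bytes, addr: str) -> None:
        """Only a type 1 client identifier (0x01 + 6-byte Ethernet MAC) can be reserved."""
        if len(client_id) != 7 or client_id[0] != 1:
            raise ValueError("reservation needs a type 1 (Ethernet MAC) client identifier")
        self.reservations[client_id] = addr
        self.state[addr] = "Reserved"
        self.owner[addr] = client_id

    def _assign(self, addr: str, client_id: bytes, now_hour: int, bootp: bool) -> str:
        self.state[addr] = "Offered"
        self.owner[addr] = client_id
        self.expires[addr] = None if bootp else now_hour + self.lease_hours
        return addr

    def offer(self, client_id: bytes, now_hour: int, bootp: bool = False) -> Optional[str]:
        """DISCOVER/BOOTREQUEST: reuse the client's reservation or current binding,
        otherwise the first unused address in the first pool that has one."""
        for addr, cid in list(self.owner.items()):
            if cid == client_id and self.state.get(addr) in ("Reserved", "Offered", "DHCP", "BOOTP"):
                return self._assign(addr, client_id, now_hour, bootp)
        self.expire(now_hour)
        for pool in self.pools:
            for addr in pool.addresses():
                if addr not in self.state:        # unused: not excluded, leased, reserved or declined
                    return self._assign(addr, client_id, now_hour, bootp)
        return None                               # every pool exhausted

    def commit(self, addr: str, client_id: bytes, now_hour: int, bootp: bool = False) -> bool:
        """REQUEST accepted: DHCP leases expire; BOOTP allocations are permanent."""
        if self.owner.get(addr) != client_id or self.state.get(addr) != "Offered":
            return False
        self.state[addr] = "BOOTP" if bootp else "DHCP"
        self.expires[addr] = None if bootp else now_hour + self.lease_hours
        return True

    def decline(self, addr: str) -> None:
        """DHCPDECLINE: the client found the address in use, so stop serving it."""
        self.state[addr] = "Declined"
        self.owner.pop(addr, None)
        self.expires.pop(addr, None)

    def include(self, addr: str) -> None:
        """Operator's Include: a declined address becomes eligible again."""
        if self.state.get(addr) == "Declined":
            del self.state[addr]

    def release(self, addr: str) -> None:
        """Release an offered, leased or reserved address; a reservation stays bound to its MAC."""
        cid = self.owner.pop(addr, None)
        self.expires.pop(addr, None)
        if cid is not None and self.reservations.get(cid) == addr:
            self.state[addr] = "Reserved"
            self.owner[addr] = cid
        else:
            self.state.pop(addr, None)

    def expire(self, now_hour: int) -> None:
        for addr, exp in list(self.expires.items()):
            if exp is not None and exp <= now_hour and self.state.get(addr) in ("Offered", "DHCP"):
                self.release(addr)


def mac_client_id(mac_hex: str) -> bytes:
    """Type 1 client identifier for an Ethernet MAC given as 12 hex digits (constructed)."""
    return b"\x01" + bytes.fromhex(mac_hex)
```

The check that matters for abuse is in reserve(): an arbitrary client identifier is rejected, which matches the page's statement that only a hardware-address identifier can be reserved. A declined address is deliberately not reused until an operator includes it, since the client has just reported that something else on the wire answers for it.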
IP Setup 7-29 Main Menu System Configuration IP Address Serving Select IP Address Serving and press Return. The IP Address Serving screen appears. IP Address Serving +------------------+ +------------------+ IP Address Serving Mode... | Disabled | | DHCP Server | Number of Client IP Addresses: | DHCP Relay Agent | 1st Client Address: +------------------+ Client Default Gateway... 192.168.1.1 Serve DHCP Clients: DHCP NetBIOS Options... Yes Serve BOOTP Clients: Yes Select IP Address Serving Mode.
7-30 Firmware User Guide
IP Address Serving
    IP Address Serving Mode...     DHCP Relay Agent
    Relay Server #1:               10.1.1.1
    Relay Server #2:               20.1.1.1
    Relay Server #3:               30.1.1.1
    Relay Server #4:               40.1.1.1
Configure Address Serving (DHCP, BOOTP, etc.) here.
Now you can enter the IP address(es) of your remote DHCP server(s), such as might be located in your company’s corporate headquarters. Each time you enter an IP address and press Return, an additional field appears.
IP Setup 7-31 Main Menu WAN Configuration Add Connection Profile The Add Connection Profile screen appears. Add Connection Profile Profile Name: Profile Enabled: Profile 1 Yes Data Link Encapsulation... Data Link Options... PPP IP Profile Parameters... COMMIT Configure a new Conn. Profile. Finished? CANCEL COMMIT or CANCEL to exit. On a Router you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time, unless you are using VPNs. 1.
7-32 Firmware User Guide
IP Profile Parameters
    Address Translation Enabled:     Yes
    NAT Map List...                  Easy-PAT List
    NAT Server List...               Easy-Servers
    NAT Options...
    Local WAN IP Address:            0.0.0.0
    Stateful Inspection Enabled:     No
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
Toggle to Yes if this is a single IP address ISP account. Configure IP requirements for a remote network connection here. 4.
IP Setup 7-33 Multicast Forwarding Multicasting is a method for transmitting large amounts of information to many, but not all, computers across an internetwork. One common use is to distribute real time audio and video to the set of computers which have joined a distributed conference. Multicasting is similar to radio or TV broadcasts in the sense that only those who have tuned in to a particular frequency receive the information. You see and hear the channel you are interested in, but not the others.
7-34 Firmware User Guide
Navigate to the IP Profile Parameters screen.
Main Menu > WAN Configuration > Add/Display/Change Connection Profile > IP Profile Parameters

    IP Profile Parameters
        Address Translation Enabled:        Yes
        IP Addressing...                    Numbered
        NAT Map List...                     Easy-PAT List
        NAT Server List...                  Easy-Servers
        Local WAN IP Address:               0.0.0.0
        Local WAN IP Mask:                  0.0.0.0
        Remote IP Address:                  0.0.0.0
        Remote IP Mask:                     0.0.0.0
        Filter Set...
        Remove Filter Set

    (Multicast Forwarding pop-up: None / Rx.
IP Setup 7-35
    Ethernet LAN VRRP Options
        Display/Change Virtual Routers...
        Add Virtual Router...
        Delete Virtual Router...
        Monitor WAN:                                               Yes
        Serve/Relay DHCP only if Virtual Router in Master state:   No
        DHCP Gateway IP Address:                                   0.0.0.0

Select Add Virtual Router and press Return. The Add Virtual Router screen appears.

    Add Virtual Router
        VRID:                               0
        Virtual IP Address:                 0.0.0.0
        Priority:                           100
        Preempt Mode:                       Yes
        Advertisement-Interval:             1
        Enable:                             No
        ADD VIRTUAL ROUTER NOW              CANCEL

    Enter a value between 1 and 255.
7-36 Firmware User Guide
If it matches the local IP address of that interface (or of one of its additional subnets), the router owns the address and the Virtual Router defaults to a priority of 255, the highest possible. See below.
Note: A router currently in VRRP Master mode is the only device that responds on the Virtual IP address. Consequently, a router that uses the Virtual IP address as its own Ethernet address is unreachable at that address whenever it is not the VRRP Master. If you need to manage a router while it is in Backup state, give it an Ethernet address of its own rather than the Virtual IP address.
IP Setup 7-37 • Monitor WAN – Toggle this option to Yes (the default) to enable VRRP routers on the interface to relinquish Master status if the WAN connection is down. If you do not want the VRRP routers to relinquish Master status, toggle this option to No. Also see “VRRP Options (WAN Link Failure Detection)” on page 2-26 for more information.
7-38 Firmware User Guide Multiple logical IP LAN support allows you to create additional IP routed LAN interfaces (ALANs). You can add, edit, or delete Additional LANs similarly to Connection Profiles on the WAN connection. You then associate physical or logical Ethernet-encapsulated interfaces, such as wired Ethernet ports, wireless SSIDs, and ATM RFC 1483 bridged VCs, to these interfaces on platforms with more than one Ethernet-encapsulated interface.
IP Setup 7-39
The Add Additional LAN screen appears.

    Add Additional LAN
        Name:                               Additional LAN 1
        Enabled:                            Yes
        MAC Address:                        00:00:00:00:00:00
        Ethernet IP Address:                0.0.0.0
        Ethernet Subnet Mask:               0.0.0.0
        Define Additional Subnets...
        IP Address Serving...
        Rip Options...
        Proxy Arp Enabled:                  No
        Multicast Forwarding...             None
        VRRP Options...
        Filter Set...
        Remove Filter Set
        COMMIT                              CANCEL

    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
7-40 Firmware User Guide Editing or Deleting ALANs You can manage or edit your ALANs at any time. To modify or delete a configured ALAN, return to the IP Setup screen and select Additional LANs. The Additional LAN Configuration screen appears. Additional LAN Configuration Show/Change ALAN... Add ALAN... Delete ALAN... If you select either Show/Change ALAN or Delete ALAN, a pop-up window allows you to choose the ALAN you want to modify or delete.
Line Backup 8-1 Chapter 8 Line Backup Netopia Firmware Version 8.7 offers line backup functionality in the event of a line failure on the primary WAN link: • to an internal V.92 modem (supported models) or • to a backup default gateway.
8-2 Firmware User Guide • the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu Here you enter a Backup Gateway IP address. See “IP Setup” on page 8-7. Alternatively, you can choose a different backup gateway device; see “Backup Default Gateway” on page 8-14. Detailed descriptions follow. Connection Profiles The dial backup feature allows you to configure a complete Connection Profile for the modem backup, just as you do for your primary WAN connection.
Line Backup 8-3
    Add Connection Profile
        Profile Name:                       Profile 1
        Profile Enabled:
        Encapsulation Type...               (pop-up: PPP / RFC1483 / ATMP / PPTP / IPsec / L2TP)
        Encapsulation Options...
        IP Profile Parameters...
        COMMIT                              CANCEL

Assuming you selected PPP, new fields appear.

    Add Connection Profile
        Profile Name:                       Modem Backup
        Profile Enabled:                    Yes
        Encapsulation Type...               PPP
        Encapsulation Options...
        IP Profile Parameters...
        Interface Group...
        Telco Options...
8-4 Firmware User Guide
The Datalink (PPP/MP) Options screen appears.

    Datalink (PPP/MP) Options
        Data Compression...                 Standard LZS
        Send Authentication...              PAP   (pop-up: None / PAP / CHAP)
        Send User Name:
        Send Password:
        Receive User Name:
        Receive Password:
        Dial on Demand:                     Yes

    Password protection is used. Passwords are exchanged in clear text.

• Data Compression should remain set to Standard LZS.
• Because PAP sends the password in clear text over the dial-up link, choose CHAP whenever the remote side supports it; CHAP proves possession of the password without transmitting it.
Line Backup 8-5
• Select IP Profile Parameters. The IP Profile Parameters screen appears.

    IP Profile Parameters
        Address Translation Enabled:        Yes
        IP Addressing...                    Unnumbered
        NAT Map List...                     Easy-PAT List
        NAT Server List...                  Easy-Servers
        NAT Options...
        Stateful Inspection Enabled:        No
        Local WAN IP Address:               0.0.0.0
        Remote IP Address:                  0.0.0.0
        Remote IP Mask:                     0.0.0.0
        Filter Set...
        Remove Filter Set
        RIP Profile Options...

    Toggle to Yes if this is a single IP address ISP account.
8-6 Firmware User Guide
    Telco Options
        Dial...                             Dial In/Out
        Dialing Prefix:
        Number to Dial:
        Alternate Site to Dial:
        Dial on Demand:                     Yes
        Idle Timeout (seconds):             300
        Callback:                           No
        CompuServe Login Enabled:           No

• From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default). If the backup line is only ever used for dialing out, choose Dial Out Only so that the modem never accepts an incoming call.
• Dialing Prefix: If you are connected to a Centrex or PBX phone system that requires you to dial a prefix number (such as “9” for an outside line), enter it here.
Line Backup 8-7
IP Setup
Here, you set the IP address of the alternate gateway. Navigate to the IP Setup screen under the System Configuration menu.
Main Menu > System Configuration > IP Setup

    IP Setup
        Ethernet IP Address:                192.168.1.1
        Ethernet Subnet Mask:               255.255.255.0
        Define Additional Subnets...
        Default IP Gateway:                 0.0.0.0
        Backup IP Gateway:                  0.0.0.0
        Primary Domain Name Server:         0.0.0.0
        Secondary Domain Name Server:       0.0.0.0
        Domain Name:
        RIP Options...
        Multicast Forwarding...
        Static Routes...
8-8 Firmware User Guide
WAN Configuration
To configure the modem characteristics, from the Main Menu select WAN Configuration and then WAN Setup.
Main Menu > WAN Configuration > WAN Setup

    WAN Configuration
        WAN (Wide Area Network) Setup...
        ATM Circuits Configuration...
        Display/Change Connection Profile...
        Add Connection Profile...
        Delete Connection Profile...
        WAN Default Profile...
        ATMP/PPTP Default Profile...
        IKE Phase 1 Configuration...
        Advanced Connection Options...
Line Backup 8-9
Choose the interface to configure for backup, MODEM (Wan Module 2) Setup. The Internal Modem Setup screen appears.

    Internal Modem Setup
        Modem Dialing Prefix:               ATDT
        PBX Dialing Prefix:
        Line Directory Number:
        Speaker On...                       Until Carrier
        Speaker Volume...                   2-Medium
        Answer Incoming calls...            Always
        Country...                          United States

    Enter the dialing prefix to be sent to all modems.

• Modem Dialing Prefix: ATDT is the standard Hayes-compatible dial command (AT = attention, D = dial, T = tone dialing) sent to the modem itself.
8-10 Firmware User Guide Main Menu WAN Configuration Advanced Connection Options Backup Configuration This screen is used to configure the conditions under which backup will occur, if it will recover, and how the modem is configured. For the internal V.92 modem, the Backup Configuration screen appears as follows, when all options are enabled (default screen shows fewer menu items until some are enabled): Backup Configuration Backup Parameters Backup is...
Line Backup 8-11
Should this address become unreachable, the router treats it as a loss of connectivity and starts the backup timer. This counts as a Layer 2 loss (the physical link may still have sync).
Note: For best results, enter an IP address and not a host name. A host name may not be resolvable once the primary link is degraded, which can keep the interface down. Set the Ping Host Name or IP Address to the router's Default Gateway, or to another reliable IP address elsewhere on the backbone, for example a DNS server. Choose a host that answers ICMP echo requests consistently; a host that filters or rate-limits ping will cause false failovers.
8-12 Firmware User Guide • Data Link Encapsulation is Async PPP – if it appears (not on all models) this field is not editable. When you are finished, press Escape. Using Scheduled Connections with Backup The backup link is a PPP dial-up connection and only connects to the Internet service provider when traffic is initiated from the LAN.
Line Backup 8-13
    Add Scheduled Connection
        Scheduled Connection Enable:        On
        How Often...                        Weekly
        Schedule Type...                    Forced Up
        Set Weekly Schedule...
        Use Connection Profile...
        ADD SCHEDULED CONNECTION            CANCEL

    Return/Enter accepts * Tab toggles * ESC cancels.
    Scheduled Connections dial remote Networks on a Weekly or Once-Only basis.

• Toggle Scheduled Connection Enable to On.
• From the How Often pop-up menu, select Weekly and press Return.
8-14 Firmware User Guide • Select Use Connection Profile, and press Return. A screen displays all of your Connection Profiles. Select the one you want to apply this scheduled connection to and press Return. Your selection becomes effective. Now, if your primary WAN link fails, the backup link will become active and remain active until the primary link recovers.
Line Backup 8-15
The Backup Configuration screen appears.

    Backup Configuration
      Backup Parameters
        Backup is...                        (pop-up: Disabled / Manual / Automatic)
        Requires Failure of (minutes):
        Ping Host Name or IP Address #1:
        Ping Host Name or IP Address #2:
        Recovery to ADSL...                 Automatic
        Requires Recovery of (minutes):     1
        Auto-Recovery on loss of Layer 2:   No

    Automatically switches to Backup Port on loss of Layer 1 or 2.
8-16 Firmware User Guide
• If you chose Automatic Recovery, select Requires Recovery of. Enter the number of minutes you want the system to wait before attempting to switch back to the WAN connection. This allows you to be sure that the WAN connection is well re-established before the gateway switches back to it from the backup mode.
• Press Escape twice to return to the Main Menu.
IP Setup screen
To configure the backup gateway, from the Main Menu select System Configuration then IP Setup.
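The following Python is an added example, not firmware code from this guide, that models the two Backup Configuration timers just described: a failover that needs the primary link to be bad for Requires Failure of consecutive minutes, and an automatic switch-back that needs it to be good for Requires Recovery of consecutive minutes. Each sample is one minute of monitoring; loss of sync is treated as a Layer 1 loss and a failed ping of the monitored host as a Layer 2 loss. That the timers count consecutive minutes, that any bad minute restarts the recovery timer, and that Manual mode is omitted are this example's simplifications; the class and function names are its own.

```python
"""Failover/recovery hysteresis for the Backup Configuration timers.
Added example, not firmware code; it models the timers as consecutive-minute
counters, which is this example's simplification."""
from dataclasses import dataclass, field
from typing import List, Tuple

PRIMARY, BACKUP = "primary", "backup"


@dataclass
class BackupMonitor:
    failure_minutes: int = 1      # "Requires Failure of (minutes)"
    recovery_minutes: int = 1     # "Requires Recovery of (minutes)"
    auto_recovery: bool = True    # "Recovery to ADSL... Automatic"
    state: str = PRIMARY
    bad_run: int = 0
    good_run: int = 0
    minute: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, layer1_up: bool, ping_ok: bool) -> str:
        """Feed one minute of monitoring and return the link in use."""
        self.minute += 1
        primary_ok = layer1_up and ping_ok
        if self.state == PRIMARY:
            if primary_ok:
                self.bad_run = 0          # a single bad minute is forgiven
            else:
                self.bad_run += 1
                if self.bad_run >= self.failure_minutes:
                    reason = "loss of Layer 1" if not layer1_up else "loss of Layer 2"
                    self.events.append((self.minute, f"backup: {reason}"))
                    self.state, self.bad_run = BACKUP, 0
        else:
            if primary_ok and self.auto_recovery:
                self.good_run += 1
                if self.good_run >= self.recovery_minutes:
                    self.events.append((self.minute, "recovery of primary link"))
                    self.state, self.good_run = PRIMARY, 0
            else:
                self.good_run = 0         # recovery timer restarts on any bad minute
        return self.state


def run(samples, **settings) -> List[str]:
    """Replay (layer1_up, ping_ok) samples and return the link used each minute."""
    monitor = BackupMonitor(**settings)
    return [monitor.sample(l1, ping) for l1, ping in samples]


# Constructed trace: a one-minute ping blip, then a two-minute outage, then an
# unstable recovery that only settles after three clean minutes in a row.
TRACE = [(True, True), (True, False), (True, True), (True, False), (True, False),
         (True, True), (True, True), (True, False), (True, True), (True, True),
         (True, True)]

if __name__ == "__main__":
    print(run(TRACE, failure_minutes=2, recovery_minutes=3))
    print(run(TRACE, failure_minutes=1, recovery_minutes=1))   # flaps on every blip
```

Replaying the same trace with both timers set to 1 minute shows why the guide's advice to wait for the WAN to be "well re-established" matters: the link flaps on every single bad or good minute, while 2 and 3 minute timers ride out the blip and switch back only once.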
Line Backup 8-17
Backup Management/Statistics
If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return.
Main Menu > Statistics & Logs > Backup Management/Statistics
The Backup Management/Statistics screen appears.
8-18 Firmware User Guide
During recovery, the following reasons may appear:
    Recovery of Layer 1     Indicates sync restored on the Primary link
    Layer 2 Override        Indicates the backup occurred on layer 2, and ‘Auto-Recovery on loss of Layer 2’ was set to YES
    Layer 2 Recovery        Indicates that backup was on Layer 2 and the interface is fully restored (including Backup Ping)
• Time Since Detection is a display-only field that is only visible if backup or recovery is in progress.
Monitoring Tools 9-1 Chapter 9 Monitoring Tools This chapter discusses the Router’s device and network monitoring tools. These tools can provide statistical information, report on current network status, record events, and help in diagnosing and locating problems.
9-2 Firmware User Guide
General status

    Quick View                                          10/11/2005 07:31:26 AM
    Default IP Gateway:     0.0.0.0                     Gateway installed -- Backup
    Primary DNS Server:     0.0.0.0
    Secondary DNS Server:   0.0.0.0
    Domain Name:            netopia.com
    ----------------MAC Address--------IP Address-------Status-------------------
    Ethernet LAN:           00-00-c5-ff-70-00  192.168.1.1    100Mbps Full Duplex
    ATM ADSL WAN:           00-00-c5-ff-70-02  0.0.0.0
    USB LAN:                00-00-c5-9a-09-a9  192.168.1.
Monitoring Tools 9-3 Rate: Shows the line rate for this connection. %Use: Indicates the average percent utilization of the maximum capacity of the channels in use for the connection. Remote Address: Shows the IP address of the connected remote gateway. Est: Indicates whether the connection was locally (“Lcl”) or remotely (“Rmt”) established. More Info: Indicates the NAT address in use for this connection. Status lights This section shows the current real-time status of the Router’s status lights (LEDs).
9-4 Firmware User Guide
Event Histories
Main Menu > Statistics & Logs > WAN Event History / Device Event History
Netopia Firmware Version 8.7 records certain relevant occurrences in event histories. Event histories are useful for diagnosing problems because they list what happened before, during, and after a problem occurs. You can view two different event histories: one for the gateway’s system and one for the WAN.
Monitoring Tools 9-5 The first event in each call sequence is marked with double arrows (>>). Failures are marked with an asterisk (*). If the event history exceeds the size of the screen, you can scroll through it by using the SCROLL UP and SCROLL DOWN items. To scroll up, select SCROLL UP at the top of the list and press Return. To scroll down, select SCROLL DOWN at the bottom of the list and press Return.
9-6 Firmware User Guide
IP Routing Table
Main Menu > Statistics & Logs > IP Routing Table
The IP routing table displays all of the IP routes currently known to the Router.

    IP Routing Table
    Network Address   Subnet Mask        via Gateway    Port       Type
    -------------------------------------SCROLL UP-------------------------------
    0.0.0.0           255.0.0.0          0.0.0.0        -          Other
    127.0.0.1         255.255.255.255    127.0.0.1      Loopback   Local
    192.168.1.0       255.255.255.240    192.168.1.1    Ethernet   Local
    192.168.1.1       255.255.255.
Monitoring Tools 9-7
    General Statistics
    Physical I/F     Rx Bytes   Tx Bytes   Rx Pkts   Tx Pkts   Rx Err   Tx Err
    Ethernet Hub     1234567    123456     123456    123456    123456   12345
    ATM ADSL 1       1234567    123456     123456    123456    123456   12345

    Network          Rx Bytes   Tx Bytes   Rx Pkts   Tx Pkts   Rx Err   Tx Err
    IP               1234567    123456     123456    123456    123456   12345

    VC Traffic Statistics...
9-8 Firmware User Guide
System Information
The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears.

    System Information
        Serial Number                       00-aa-77-94 (11171732)
        Firmware Version                    8.
        ModelNumber
        Processor Speed (Mhz)
        Flash Rom Capacity (MBytes)
        DRAM Capacity (MBytes)
Monitoring Tools 9-9 Simple Network Management Protocol (SNMP) Netopia Firmware Version 8.7 includes a Simple Network Management Protocol (SNMP) agent, allowing monitoring and configuration by a standard SNMP manager. • Netopia Routers support SNMP-V1 and SNMP-V2c. • Beginning with Netopia Firmware Version 8.
9-10 Firmware User Guide
    SNMP Setup
        System Name:
        System Location:
        System Contact:
        Read-Only Community String:         public
        Read/Write Community String:
        Notification Type:                  (pop-up: v1 Trap / v2 Trap / Inform)
        Authentication Traps Enable:
        IP Trap Receivers...

Follow these steps to configure the first three items in the screen:
1. Select System Name and enter a descriptive name for the Router’s SNMP agent.
2.
Monitoring Tools 9-11
Setting both the Read-Only and Read/Write community strings to the empty string blocks all SNMP requests to the gateway. (The gateway may still send SNMP traps if those are properly enabled.) In earlier firmware an empty configured community string was itself treated as a valid community: if either string was empty, SNMP requests carrying an empty community string were accepted and processed. Because SNMPv1 and SNMPv2c carry the community string in clear text and the Read-Only string defaults to public, treat both strings as passwords and replace the default before enabling the agent.
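The following Python is an added example, not code from the Netopia firmware or this guide, that models the community-string check just described: the earlier behaviour, in which an empty configured string matched a request carrying an empty community, beside a corrected check that never matches an empty string and compares in constant time. The assumption that the Read/Write string also grants read access follows the usual agent convention; the function names, the length threshold in is_weak and the request samples are this example's own.

```python
"""Community-string handling for an SNMPv1/v2c agent: the pre-8.7 behaviour
the guide describes beside a corrected check. Added example, not firmware code."""
import hmac

READ, WRITE = "read", "write"
# Vendor defaults that appear at the top of every SNMP scanner's wordlist.
DEFAULT_COMMUNITIES = {"public", "private"}


def legacy_accepts(ro: str, rw: str, community: str, access: str) -> bool:
    """Model of the earlier firmware behaviour: a plain string compare, so an
    empty configured string matches a request that carries an empty community
    and, if the read/write string is blank, grants write access."""
    if access == WRITE:
        return community == rw
    return community == ro or community == rw


def accepts(ro: str, rw: str, community: str, access: str) -> bool:
    """Corrected check. An empty configured string never matches, so blanking
    both strings disables all SNMP requests while traps can still be sent.
    The read/write string is assumed to also grant read access (the usual
    agent convention). compare_digest keeps the comparison constant-time so
    the string cannot be guessed byte by byte from response timing."""
    def match(configured: str) -> bool:
        return bool(configured) and hmac.compare_digest(
            configured.encode(), community.encode())

    if access == WRITE:
        return match(rw)
    return match(ro) or match(rw)


def is_weak(community: str, min_len: int = 12) -> bool:
    """Flag strings an attacker tries first: empty, vendor defaults, or short.
    The length threshold is this example's own choice."""
    return (community == "" or community.lower() in DEFAULT_COMMUNITIES
            or len(community) < min_len)


def audit(ro: str, rw: str, requests):
    """Run constructed (community, access) request pairs through both checks and
    return [(community, access, legacy_decision, fixed_decision), ...]."""
    return [(c, a, legacy_accepts(ro, rw, c, a), accepts(ro, rw, c, a))
            for c, a in requests]


if __name__ == "__main__":
    # Constructed sample: read-only string left at the default, read/write blank.
    for row in audit("public", "", [("", READ), ("", WRITE), ("public", READ)]):
        print(row)
    print("weak read-only string:", is_weak("public"))
```

The second audit row is the case that matters: with the Read/Write string left blank, the legacy compare grants write access to a request that sends no community at all, while the corrected check refuses it.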
9-12 Firmware User Guide
    IP Trap Receivers
        Display/Change IP Trap Receiver...
        Add IP Trap Receiver...
        Delete IP Trap Receiver...

    Return/Enter to modify an existing Trap Receiver.
    Navigate from here to view, add, modify and delete IP Trap Receivers.

Setting the IP trap receivers
1. Select Add IP Trap Receiver.

    Add IP Trap Receiver
        Receiver IP Address or Domain Name:
        Community String:
        Send Heartbeat Trap:                Yes
        ADD TRAP RECEIVER NOW               CANCEL

2. Select Receiver IP Address or Domain Name.
Monitoring Tools 9-13 4. Toggle Send Heartbeat Trap on (Yes) or off (No). The heartbeat setting is used to broadcast contact and location information about your Router. 5. Select ADD TRAP RECEIVER NOW and press Return. You can add up to seven more receivers. Viewing IP trap receivers To display a view-only table of IP trap receivers, select Display/Change IP Trap Receiver in the IP Trap Receivers screen. Modifying IP trap receivers 1.
Security 10-1 Chapter 10 Security Netopia Firmware Version 8.7 provides a number of security features to help protect its configuration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.
10-2 Firmware User Guide Telnet Tiered Access – Two Password Levels Netopia Firmware Version 8.7 offers tiered access control for greater security and protection against accidental or malicious misconfiguration. Service providers and network administrators can now limit the access of other users to the various configuration screens to prevent misconfigurations. The access privileges of various users that may be assigned are governed by a Superuser administrative account.
Security 10-3
PCs using UPnP can retrieve the Gateway’s WAN IP address and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. Because any host on the LAN can open such port maps without authenticating to the Gateway, disable UPnP unless you are actually using UPnP devices or applications. You must reboot the Netopia device for this setting to take effect.
10-4 Firmware User Guide
Limited user configuration
The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which configuration features a limited (non-Superuser) user can access. From the Security Options screen, select Add Access Name/Password. The Add Access Name/Password screen appears.

    Add Access Name/Password
        Name (19 characters max):
        Password:
        Telnet Access Enabled:
        Access Privileges...
Security 10-5
    Access Privileges (Custom)
        WAN Data Configuration:             No
        Connection Profile Configuration:   No
        Circuit (PVC/DLCI) Configuration:   No
        LAN Data Configuration:             Yes
        LAN Subnet Configuration:           Yes
        NAT/Filters Configuration:          Yes
        Preferences (Global) Configuration: Yes
        OK                                  CANCEL

You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection. Note that NAT/Filters Configuration defaults to Yes: a limited user with this privilege can edit filter sets and NAT mappings, and so weaken the firewall. Set it to No for users who do not need it.
10-6 Firmware User Guide
Advanced Security Options
The Advanced Security Options screen allows you to configure the global access privileges of users authenticated via a RADIUS server or a TACACS+ server. From the Security Options screen, select Advanced Security Options. The Advanced Security Options screen appears.

    Advanced Security Options
        Remote Authentication...            RADIUS
        Security Databases...
Security 10-7
RADIUS server authentication

    Advanced Security Options
        Remote Authentication...
        Security Databases...               (pop-up: Local only / Remote only / Remote then Local / Remote then Lcl/Ser. Only / Local then Remote)
        Remote Server Addr/Name:
        Remote Server Secret:
        Alt Remote Server Addr/Name:
        Alt Remote Server Secret:
        RADIUS Identifier:
        RADIUS Server Authentication Port:  1812
        Remote Access Privileges...
10-8 Firmware User Guide
Note: In the two modes that consult both RADIUS and the local database (Remote then Local and Local then Remote), if the local database contains no username/password pairs, authentication succeeds only if the RADIUS server authenticates the user. This differs from Local Only mode, in which no authentication is performed at all when the local database is empty. If the primary RADIUS server responds with an Access-Reject or an Access-Challenge, the alternate RADIUS server is not contacted; the alternate is consulted only when the primary fails to respond.
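The following Python is an added example, not firmware code from this guide, that models the login decision for four of the Security Databases modes (Local only, Remote only, Remote then Local, Local then Remote; the Remote then Lcl/Ser. Only variant is not modeled). It implements what the note states: an empty local database in Local only mode means no authentication, the alternate server is asked only when the primary does not answer, and with an empty local database the combined modes grant access only on a RADIUS accept. Two points the guide does not state are this example's assumptions and are marked in the code: a Reject or Challenge from the remote server is final rather than falling back to the local database, and a local answer (right or wrong password) is final in Local then Remote. The stand-in servers, names and sample users are constructed.

```python
"""Login decision for the Security Databases modes on the Advanced Security
Options screen. Added example, not firmware code; see the lead-in."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Reply kinds from a RADIUS server: Access-Accept, Access-Reject,
# Access-Challenge, or no reply before the timeout.
ACCEPT, REJECT, CHALLENGE, TIMEOUT = "accept", "reject", "challenge", "timeout"
GRANTED, DENIED, UNAUTHENTICATED = "granted", "denied", "granted-unauthenticated"

Server = Callable[[str, str], str]          # (user, password) -> reply kind


def fixed_reply(reply: str) -> Server:
    """Stand-in RADIUS server that always answers the same way (constructed)."""
    return lambda user, password: reply


@dataclass
class CountingServer:
    """Stand-in server that records how often it was asked (constructed)."""
    reply: str
    calls: int = 0

    def __call__(self, user: str, password: str) -> str:
        self.calls += 1
        return self.reply


@dataclass
class Gateway:
    mode: str                                # a Security Databases mode name
    local_db: Dict[str, str] = field(default_factory=dict)   # user -> password
    primary: Optional[Server] = None
    alternate: Optional[Server] = None

    def remote(self, user: str, password: str) -> str:
        """Ask the primary server. Per the guide a Reject or Challenge from the
        primary is final; the alternate is asked only when the primary gives
        no answer at all."""
        reply = self.primary(user, password) if self.primary else TIMEOUT
        if reply == TIMEOUT and self.alternate is not None:
            reply = self.alternate(user, password)
        return reply

    def local(self, user: str, password: str) -> Optional[bool]:
        """None = no decision (empty database or unknown user)."""
        if not self.local_db or user not in self.local_db:
            return None
        return hmac.compare_digest(self.local_db[user].encode(), password.encode())

    def login(self, user: str, password: str) -> str:
        if self.mode == "Local only":
            if not self.local_db:
                # The guide: no authentication is performed when the local
                # database is empty, so whoever reaches the console gets in.
                return UNAUTHENTICATED
            return GRANTED if self.local(user, password) else DENIED
        if self.mode == "Remote only":
            return GRANTED if self.remote(user, password) == ACCEPT else DENIED
        if self.mode == "Remote then Local":
            reply = self.remote(user, password)
            if reply == ACCEPT:
                return GRANTED
            if reply in (REJECT, CHALLENGE):
                return DENIED          # assumption: a server verdict is final
            # No server answered: consult the local database. With an empty
            # database this denies, matching the guide's note.
            return GRANTED if self.local(user, password) else DENIED
        if self.mode == "Local then Remote":
            verdict = self.local(user, password)
            if verdict is not None:
                return GRANTED if verdict else DENIED   # assumption: local answer is final
            return GRANTED if self.remote(user, password) == ACCEPT else DENIED
        raise ValueError(f"unsupported mode: {self.mode}")


if __name__ == "__main__":
    print(Gateway("Local only").login("anyone", "anything"))        # granted-unauthenticated
    alt = CountingServer(ACCEPT)
    g = Gateway("Remote then Local", {}, fixed_reply(REJECT), alt)
    print(g.login("admin", "pw"), "alternate asked:", alt.calls)     # denied, 0
```

The first printed line is the dangerous configuration the warning box on the next screen is about: Local only with no passwords defined means the console is open to anyone who can reach it.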
Security 10-9
    Advanced Security Options
        Remote Authentication...            TACACS+
        Security Databases...               Local only
        Remote Server Addr/Name:
        Remote Server Secret:
        Alt Remote Server Addr/Name:
        Alt Remote Server Secret:
        TACACS+ Accounting:                 No
        Remote Access Privileges...         Custom
        Telnet Server Port:                 23
        MAC Address Authentication...
        LAN (Ethernet) IP Filter Set...
        Remove Filter Set

Configuration is similar to RADIUS server configuration.
10-10 Firmware User Guide
The Advanced Security Options screen displays the following warning:

    You have no local passwords defined. If you continue you will
    be unable to configure this device unless a Remote Server is
    available to authenticate you.
Security 10-11
    Advanced Security Options
        Remote Authentication...            RADIUS
        Security Databases...               Local only
        Remote Server Addr/Name:
        Remote Server Secret:
        Alt Remote Server Addr/Name:
        Alt Remote Server Secret:
        RADIUS Identifier:
        RADIUS Server Authentication Port:
        Remote Access Privileges...         (pop-up: All / LAN / WAN / Custom...)
        Telnet Server Port:
        MAC Address Authentication...
        LAN (Ethernet) IP Filter Set...
10-12 Firmware User Guide
User access password
Users must be able to change their own names and passwords, regardless of other security access restrictions. A user without security access can modify only the password for their own account. When a limited-access user logs into the gateway and opens the System Configuration menu, the only Security option displayed is Change Access Password.

    System Configuration
        IP Setup...
        Filter Sets...
        IP Address Serving...
Security 10-13 User menu differences Menus reflect the security access level of the user. Consequently, configuration menus will display differing options based upon the parameters a particular user is allowed to change. Some differences include: • Limited users (non-Superusers) do not have access to Easy Setup. • All users have access to System Configuration, Quick Menus, and Quick View, but limited users have only limited access to configuration elements in their descendant menus.
10-14 Firmware User Guide
Based on access level, the Main Menu displays its configuration options according to the following diagram:

    Netopia Router                          User Access Level
        Easy Setup...                       Superuser
        WAN Configuration...                WAN, Conn. Profiles, PVC
        System Configuration...             All
        Utilities & Diagnostics...          All
        Statistics & Logs...                Global, Voice
        Quick Menus...                      All
        Quick View...                       All

    Return/Enter goes to Easy Setup -- minimal configuration.
    You always start from this main screen.
Security 10-15
    Advanced Connection Options                     User Access Level
        Reset WAN Connection:               No      WAN
        Scheduled Connections...                    Connection Profiles
        Backup Configuration...                     WAN
        Prioritize Delay-Sensitive Data:    No      Connection Profiles

Connection Profiles
The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection Profile in the Add Connection Profile screen the Superuser can toggle the Superuser Accessible Only option to Yes or No.
10-16 Firmware User Guide
System Configuration menu
The System Configuration menu is always available to all users. Based on access level, the System Configuration menu displays its configuration options according to the following diagram:

    System Configuration                    User Access Level
        IP Setup...                         LAN
        Filter Sets...                      NAT
        IP Address Serving...               LAN
        Network Address Translation (NAT)... NAT
        Date and Time...                    Global
        Console Configuration...            All
        (remaining items, cut off)          Superuser; Superuser, All; All; Superuser; All
Security 10-17
    IP Setup
        LAN IP Subnet is...                 192.168.1.1/24
        . . .

Utilities & Diagnostics menu
Based on access level, the Utilities & Diagnostics menu displays its configuration options according to the following diagram:

    Utilities & Diagnostics                 User Access Level
        Ping...                             Global
        Trace Route...                      Global
        Telnet...                           Global
        Log off Serial Console Session...   All
        Trivial File Transfer Protocol (TFTP)... Global
        Restart System...                   All
        Revert to Factory Defaults...
10-18 Firmware User Guide
    Statistics & Logs                       User Access Level
        WAN Event History...                Global
        Device Event History...             Global
        IP Routing Table...                 Global
        Served IP Addresses...              Global
        Backup Management/Statistics...     Global
        General Statistics...               Global
        System Information...               Global
Security 10-19 Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user.
10-20 Firmware User Guide
The ATM Circuits Configuration menu screen appears as follows:

    ATM Circuits Configuration
        Display/Change WAN 1 Circuit...
        Add WAN 1 Circuit...
        Delete WAN 1 Circuit...
        Display/Change WAN 2 Circuit...
        Add WAN 2 Circuit...
        Delete WAN 2 Circuit...

Note: Multiple ATM circuit configuration is supported on multiple ATM-capable gateways.
Security 10-21 About Filters and Filter Sets Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can greatly improve your network’s security. The Netopia Firmware Version 8.7’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the gateway’s filter sets for a variety of packet filtering applications.
10-22 Firmware User Guide Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
Security 10-23 • Blocks (discards) the packet • Ignores the packet A filter forwards or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the filter ignores the packet. A filtering rule The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certain actions based on certain conditions. For example, the following rule qualifies as a filter: Block all Telnet attempts that originate from the remote host 199.211.211.
10-24 Firmware User Guide
    Internet service        TCP port        Internet service        UDP port
    Telnet                  23              TFTP                    69
    SMTP (mail)             25              SNMP                    161
    Who Is                  43              who                     513
    Gopher                  70
    World Wide Web          80
    News (NNTP)             119
    rlogin                  513

(The table as printed lists News as port 144 and places Who Is and World Wide Web under UDP. NNTP uses TCP port 119, whois uses TCP port 43 and HTTP runs over TCP, so a filter built from the printed values would not match that traffic; the corrected values are shown here.)

Port number comparisons
A filter can also use a comparison option to evaluate a packet’s source or destination port number.
Security 10-25
Putting the parts together
When you display a filter set, its filters are displayed as rows in a table:

    +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
    +----------------------------------------------------------------------+
    | 1   199.211.211.17   0.0.0.0          TCP   0        23      Yes No  |
    | 2   0.0.0.0          0.0.0.0          TCP   NC       =6000   Yes No  |
    | 3   0.0.0.0          0.0.0.0          ICMP  --       --      Yes Yes |
    | 4   0.0.0.0          0.0.0.0          TCP   NC       >1023   Yes Yes |
    | 5   0.0.0.0          0.0.0.
10-26 Firmware User Guide
Filtering example #1
Returning to our filtering rule example from above (see page 10-23), look at how a rule is translated into a filter. Start with the rule, then fill in the filter’s attributes:
1. The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17.
2. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
Security 10-27 This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it. In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.
10-28 Firmware User Guide • That which is not expressly prohibited is permitted. • That which is not expressly permitted is prohibited. It is strongly recommended that you take the latter, and safer, approach to all of your filter set designs. Working with IP Filters and Filter Sets This section covers IP filters and filter sets. System Configuration Main Menu Filter Sets To work with filters and filter sets, begin by accessing the filter set screens.
Security 10-29 Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears. Add Filter Set... Filter Set Name: Filter Set 3 ADD FILTER SET CANCEL Naming a new filter set All new filter sets have a default name.
10-30 Firmware User Guide
Adding filters to a filter set
There are two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Internet, destined for your network. Output filters check packets transmitted from your network to the Internet.

    [Figure: a packet arriving from the WAN passes through the input filter before reaching the LAN; a packet leaving the LAN passes through the output filter of the Netopia Router before reaching the WAN.]

Packets in the Netopia Firmware Version 8.
Security 10-31 Display/Change Filter Set... Filter Set Name: Filter Set 3 Add Input Filter to Filter Set... Display/Change Input Filter... Delete Input Filter... Move Input Filter... Add Output Filter to Filter Set... Display/Change Output Filter... Delete Output Filter... Move Output Filter... Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set.
10-32 Firmware User Guide 3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded. 4. Select Source IP Address and enter the source IP address this filter will match on. You can enter a subnet or a host address. 5. Select Source IP Address Mask and enter a mask for the source IP address.
Security 10-33
    Change Filter
        Enabled:                            No
        Forward:                            No
        Source IP Address:                  0.0.0.0
        Source IP Address Mask:             0.0.0.0
        Dest. IP Address:                   0.0.0.0
        Dest. IP Address Mask:              0.0.0.0
        Protocol Type:                      0
        Source Port Compare...              No Compare
        Source Port ID:                     0
        Dest. Port Compare...               No Compare
        Dest. Port ID:                      0

    Enter the IP specific information for this filter.

Deleting filters
To delete a filter, select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to display a table of filters.
10-34 Firmware User Guide Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN. The five input filters and one output filter that make up Basic Firewall are shown in the table below.
Security 10-35 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN. Basic Firewall’s general strategy is to explicitly forward WAN-originated TCP and UDP traffic to ports greater than 1023.
10-36 Firmware User Guide FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input filter ahead of the current input filter 1: • Enabled: Yes • Forward: Yes • Source IP Address: 0.0.0.0 • Source IP Address Mask: 0.0.0.0 • Dest. IP Address: a.b.c.d • Dest. IP Address Mask: 255.255.255.
In addition, the TOS field has been added to the classifier list in a filter. This allows you to filter on TOS field settings in the IP packet, if you desire. The new filter set screen appears as follows:

Change Input Filter 1

  Enabled:                      Yes
  Forward:                      Yes
  Call Placement/Idle Reset:    No Change
  Force Routing:                Yes
  Gateway IP Address:           163.176.8.134
  Source IP Address:
  Source IP Address Mask:
  Dest. IP Address:
  Dest. IP Address Mask:
  TOS:
  TOS Mask:
  Protocol Type:
  Source Port Compare...
Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network. A delay-sensitive packet is one that has the low-latency bit set in the TOS field of the IP header. This means that if such packets are not received rapidly, the quality of service degrades.
Firewall Tutorial

General firewall terms

Filter rule: One of the individual rules that make up a filter set.
Filter set: A grouping of individual filter rules.
Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
Host: A workstation on the network.
Packet: Unit of communication on the Internet.
Example TCP/UDP Ports

  TCP Port   Service     UDP Port   Service
  20/21      FTP         161        SNMP
  23         Telnet      69         TFTP
  25         SMTP        387        AURP
  80         WWW
  144        News

Firewall design rules

There are two basic rules to firewall design:

• "What is not explicitly allowed is denied." and
• "What is not explicitly denied is allowed."

The first rule is far more secure, and is the best approach to firewall design.
and a packet goes through these rules destined for FTP, the packet would pass the first filter rule (WWW) without matching, match the second rule (FTP), and be allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet never reaches that rule.

Binary representation

It is easiest when doing filtering to convert the IP address and mask in question to binary.
Established connections

The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TCP, not UDP. The ACK bit is part of the TCP mechanism that guarantees the delivery of data. The ACK bit is set whenever one side of a connection has received data from the other side. Only the first TCP packet will not have the ACK bit set; once the TCP connection is in place, the remainder of the TCP packets will have the ACK bit set. Because the Router evaluates each packet on its own and does not track connections, a filter that forwards packets with the ACK bit set will also forward any WAN-originated packet whose sender sets the ACK bit deliberately, so combine such a filter with address and port criteria rather than relying on it alone.
  Less Than or Equal       Any port less than or equal to the port defined
  Equal                    Matches only the port defined
  Greater Than or Equal    Matches the port or any port greater
  Greater Than             Matches anything greater than the port defined

Example network

[Figure: an input packet filter on the Router between the Internet and the LAN; incoming packets carry the source IP 200.1.1.?? and data.]

Example filters

Example 1

Filter Rule:
  200.1.1.0 (Source IP Network Address)
  255.255.255.128 (Source IP Mask)
  Forward = No (What happens on match)

Incoming packet has the source address of 200.
  00000000 (Logical AND result)

This incoming IP packet has a source IP address that, after the logical AND, matches the network address in the Source IP Address field (00000000), so Netopia Firmware Version 8.7 will not forward this packet.

Example 2

Filter Rule:
  200.1.1.0 (Source IP Network Address)
  255.255.255.128 (Source IP Mask)
  Forward = No (What happens on match)

Incoming packet has the source address of 200.1.1.184.

  IP Address 200.1.1.
  255.255.255.240  11110000 (Perform the logical AND)
                   10110000 (Logical AND result)

Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 10110000, this rule does not match and this packet will be forwarded.

Example 4

Filter Rule:
  200.1.1.96 (Source IP Network Address)
  255.255.255.240 (Source IP Mask)
  Forward = No (What happens on match)

Incoming packet has the source address of 200.1.1.104.

  IP Address 200.1.1.
  255.255.255.255  11111111 (Perform the logical AND)
                   01100000 (Logical AND result)

Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. This rule masks off a single IP address.

Configuration Management

Netopia Firmware Version 8.7 offers a Configuration Management feature.
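The filter logic the tutorial walks through above (the mask AND on source and destination addresses, the Port Compare modes, first-match ordering as in the WWW/FTP example, and the ACK-bit test for established connections) is collected here as an added Python example. It is not code from the Netopia guide or firmware. The filter set, the FTP server address 10.0.0.25 (standing in for the guide's a.b.c.d), the WAN and LAN addresses, and the `established` flag on a filter are constructed for illustration; the guide's own five Basic Firewall input filters are not reproduced.

```python
# Added example (not from the Netopia guide): a model of its IP filter evaluation.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

TCP, UDP = 6, 17              # Protocol Type values; 0 in a filter means "any"

def masked(addr: str, mask: str) -> int:
    # Logical AND of an address with a mask, as the tutorial does in binary.
    return int(IPv4Address(addr)) & int(IPv4Address(mask))

def addr_matches(pkt_addr: str, rule_addr: str, mask: str) -> bool:
    # A mask of 0.0.0.0 clears every bit, so any address matches such a rule.
    return masked(pkt_addr, mask) == masked(rule_addr, mask)

def port_matches(compare: str, rule_port: int, pkt_port: int) -> bool:
    """The Port Compare modes offered on the Change Filter screen."""
    return {
        "No Compare": True,
        "Less Than": pkt_port < rule_port,
        "Less Than or Equal": pkt_port <= rule_port,
        "Equal": pkt_port == rule_port,
        "Greater Than or Equal": pkt_port >= rule_port,
        "Greater Than": pkt_port > rule_port,
    }[compare]

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ack: bool = False         # TCP ACK bit; clear only on a connection's first segment

@dataclass
class Filter:
    forward: bool
    enabled: bool = True
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: int = 0
    src_cmp: str = "No Compare"
    sport: int = 0
    dst_cmp: str = "No Compare"
    dport: int = 0
    established: bool = False  # assumption: match only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        if not self.enabled or (self.proto and p.proto != self.proto):
            return False
        if self.established and not (p.proto == TCP and p.ack):
            return False
        return (addr_matches(p.src, self.src, self.src_mask)
                and addr_matches(p.dst, self.dst, self.dst_mask)
                and port_matches(self.src_cmp, self.sport, p.sport)
                and port_matches(self.dst_cmp, self.dport, p.dport))

def evaluate(filters: List[Filter], p: Packet) -> Tuple[str, Optional[int]]:
    """First enabled match decides; a packet that matches nothing is discarded."""
    for idx, f in enumerate(filters, start=1):
        if f.matches(p):
            return ("forward" if f.forward else "discard"), idx
    return "discard", None

FTP_SERVER = "10.0.0.25"      # constructed; stands in for the guide's a.b.c.d
# Constructed input filters in the spirit of Basic Firewall: the FTP-server filter
# inserted ahead, then established TCP, then TCP and UDP to ports above 1023.
INPUT_FILTERS = [
    Filter(forward=True, dst=FTP_SERVER, dst_mask="255.255.255.255",
           proto=TCP, dst_cmp="Equal", dport=21),
    Filter(forward=True, proto=TCP, established=True),
    Filter(forward=True, proto=TCP, dst_cmp="Greater Than", dport=1023),
    Filter(forward=True, proto=UDP, dst_cmp="Greater Than", dport=1023),
]
# The tutorial's ordering example: the deny-FTP rule is never reached.
ORDER_DEMO = [
    Filter(forward=True, proto=TCP, dst_cmp="Equal", dport=80),    # WWW
    Filter(forward=True, proto=TCP, dst_cmp="Equal", dport=21),    # FTP
    Filter(forward=False, proto=TCP, dst_cmp="Equal", dport=21),   # deny FTP
]

def demo() -> dict:
    wan, lan = "198.51.100.7", "10.0.0.30"   # constructed addresses
    return {
        "ftp_syn": evaluate(INPUT_FILTERS, Packet(wan, FTP_SERVER, TCP, 40000, 21)),
        "telnet_syn": evaluate(INPUT_FILTERS, Packet(wan, lan, TCP, 40001, 23)),
        "reply": evaluate(INPUT_FILTERS, Packet(wan, lan, TCP, 80, 50000, ack=True)),
        "high_udp": evaluate(INPUT_FILTERS, Packet(wan, lan, UDP, 53, 33000)),
        "ack_scan": evaluate(INPUT_FILTERS, Packet(wan, lan, TCP, 40002, 23, ack=True)),
        "order": evaluate(ORDER_DEMO, Packet(wan, lan, TCP, 40003, 21)),
        "ex2_bits": format(masked("200.1.1.184", "255.255.255.128") & 0xFF, "08b"),
        "ex2_match": addr_matches("200.1.1.184", "200.1.1.0", "255.255.255.128"),
        "ex4_bits": format(masked("200.1.1.104", "255.255.255.240") & 0xFF, "08b"),
        "ex4_match": addr_matches("200.1.1.104", "200.1.1.96", "255.255.255.240"),
    }
```

Calling demo() forwards the FTP SYN by filter 1, the reply by filter 2 and the high-port UDP packet by filter 4, discards the Telnet SYN because nothing matches it, and forwards the FTP packet in ORDER_DEMO at rule 2 without ever consulting the deny rule. The ex2 and ex4 entries carry tutorial examples 2 and 4 through the mask AND (10000000 against 00000000, no match; 01100000 against 01100000, match). The ack_scan result is the established-connections caveat in working form: the Router has no connection table, so a WAN host that sets the ACK bit on a segment to port 23 passes the established filter.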
Configuration Management

  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...

  Factory Default from Configuration:    Remove Factory Default Configuration

Return/Enter to select Factory Default Configuration.

Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears.
Configuration Management

  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...

  +-Configuration Name---Type---+
  +-----------------------------+
  | HappyInternet        Binary |
  | Config1              Binary |
  | LesMizz              Binary |
  +-----------------------------+

  Factory Default from Configuration:    Remove Factory Default Configuration

A warning screen will ask you to confirm your choice.
Once you have made the selection, resetting the Router to factory defaults reboots it with the saved configuration you selected.

Configuration Management

  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...

  Factory Default from Configuration:    Remove Factory Default Configuration
                                         HappyInternet

Return/Enter to select Factory Default Configuration.
Chapter 11 Utilities and Diagnostics

A number of utilities and tests are available for system diagnostic and control purposes.
Ping

The Netopia Firmware Version 8.7 includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender. Ping allows you to see whether a particular IP destination is reachable from the Router. You can also ascertain the quality and reliability of the connection to the desired destination by studying the Ping test's statistics.
Status: The current status of the Ping test. This item can display the status messages shown in the table below:

  Message                              Description
  Resolving host name                  Finding the IP address for the domain name-style address
  Can't resolve host name              IP address can't be found for the domain name-style address
  Pinging                              Ping test is in progress
  Complete                             Ping test was completed
  Cancelled by user                    Ping test was cancelled manually
  Destination unreachable from w.x.y.
Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statistic may be updated during the Ping test, and may not be accurate until after the test is over. However, if an escalating one-to-one correspondence is seen between Packets Out and Packets Lost, and Packets In is noticeably lagging behind Packets Out, the destination is probably unreachable. In this case, use STOP PING.
3. Select Timeout (seconds) to set when the trace will time out for each hop, up to 10 seconds. The default is 3 seconds.
4. Select Use Reverse DNS to learn the names of the gateways between the Netopia Router and the destination gateway. The default is Yes.
5. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected.
6. Cancel the trace by pressing Escape.
• To end a suspended session, select Terminate Suspended Session. Select a session from the pop-up menu and press Return.

Factory Defaults

You can reset the Router to its factory default settings. In the Utilities & Diagnostics screen, select Revert to Factory Defaults and press Return. Select CONTINUE in the dialog box and press Return. The Router will reboot and its settings will return to the factory defaults, deleting your configurations.
The sections below describe how to update the Router's firmware and how to download and upload configuration files.

Updating firmware

Firmware updates may be available periodically from Netopia or from a site maintained by your organization's network administrator. The Router ships with an embedded operating system referred to as firmware. The firmware governs how the device communicates with your network and the WAN or remote site.
• Select TFTP Server Name and enter the server name or IP address of the TFTP server you will use. The server name or IP address is available from the site where the server is located.
• Select Config File Name and enter the name of the file you will download. The name of the file is available from the site where the server is located. You may need to enter a file path along with the file name (for example, bigroot/config/myfile).

TFTP provides neither authentication nor encryption, so transfer configuration files, which contain the Router's settings and credentials, only over a trusted network segment.
You must restart the system whenever you reconfigure the Router and want the new parameter values to take effect. Under certain circumstances, restarting the system may also clear up system or network malfunctions. Some configuration processes automatically restart the system to apply the changes you have made.
Appendix A Troubleshooting

This appendix is intended to help you troubleshoot problems you may encounter while setting up and using Netopia Firmware Version 8.7. It also includes information on how to contact Netopia Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics & Logs screen.
Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will need to clear the IP address or reset your Router to the factory default before reinitiating the configuration process. For further information on resetting your Router to factory default, see "How to Reset the Router to Factory Defaults" on page A-3.
How to Reset the Router to Factory Defaults

Lost your password? This section shows how to reset the Netopia Router so that you can access the configuration screens once again.

Note: Keep in mind that all of your settings may need to be reconfigured.

If you don't have a password, the only way to access the Netopia Router is the following:

1. Referring to the diagram below, find the round Reset Switch opening.
Before contacting Netopia

Look in this guide for a solution to your problem. You may find a solution in this troubleshooting appendix or in other sections. Check the index for a reference to the topic of concern. If you cannot find a solution, complete the environment profile below before contacting Netopia Technical Support.

Environment profile

• Locate the Router's model number, product serial number, and firmware version.
Index

A
add static route 7-8
Additional LANs 7-4, 7-38
ADSL Line Configuration 2-4
advanced configuration features 3-1
ALANs 7-38
ATMP 5-17
  tunnel options 5-15
AutoChannel Wireless 3-24

B
backup default gateway 8-14
backup, line 8-1
basic firewall 10-34
BootP 7-17
  clients 7-23

C
change static route 7-9
community strings 9-10
configuration
  troubleshooting PC A-1
configuration files
  downloading with TFTP 11-7
  uploading with TFTP 11-8
Configuration Management 10-46
configuring with console-based manag
  navigating 1-5
encryption 5-2, 5-7, 5-17, 6-1
event history
  device 9-5
  WAN 9-4
Exposed Addresses 3-4
Extended Authentication 6-6

F
factory default A-3
Factory Default from Configuration 10-48
filter
  parts 10-23
  parts of 10-23
filter priority 10-22
filter sets
  adding 10-29
  defined 10-21
  deleting 10-33
  disadvantages 10-27
  display 10-25
  sample (Basic Firewall) 10-33
  using 10-28
filtering
  example #1 10-26
filters
  actions a filter can take 10-22
  adding to a filter set 10-30
  defined 10-21
  deleting 10-33
line backup 8-1
  backup IP gateway 8-16
  connection profiles 8-2
  management and statistics 8-17
  scheduled connections 8-12
  WAN configuration 8-8
Logging 3-42

M
MAC Address Authentication 3-33
MIBs supported 9-9
Mixed-bridging-routing 3-37
model numbers 1-3
MPPE 5-17
MS-CHAPv2 5-18
Multicast Forwarding 7-33
Multiple SSIDs 3-30
multiple subnets 7-4

N
NAT
  adding server lists 4-15
  defined 7-1
  Easy Setup Profile 4-6
  IP profile parameters 4-22
  map lists 4-8
  modifying map lists 4-12
  outside ranges 4-8
  serve
router to serve IP addresses to hosts 71
routing tables
  IP 7-6, 9-6

S
scheduled connections 2-16
  adding 2-18
  deleting 2-21
  modifying 2-21
  once-only 2-20
  viewing 2-17
  weekly 2-19
security
  filters 10-21–10-36
  measures to increase 10-1
  telnet 10-20
Security Policy Database (SPD) 6-2
Simple Network Management Protocol, see SNMP
SNMP
  community strings 9-10
  MIBs supported 9-9
  setup screen 9-9
  traps 9-11
SNMP-V2c 9-9
src.
updating Netopia's firmware 11-7
upgrade 1-3
uploading configuration files 11-8
  with TFTP 11-8
utilities and diagnostics 11-1

V
Variable Bit Rate (VBR) 2-6
viewing scheduled connections 2-17
Virtual Local Area Network 3-11
Virtual Private Networks (VPN) 5-1
Virtual Redundant Routers 7-3
Virtual Router Redundancy Protocol 7-34
VLAN 3-11
VPN 5-1
  allowing through a firewall 5-25
  ATMP tunnel options 5-15
  default answer profile 5-18
  encryption support 5-17
  PPTP tunnel options 5-4
VRID 7-35
VRRP 7-34
VRR