Broadband VPN Router VRT-311 / VRT-311S User’s Manual
Copyright
Copyright (C) 2004 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted.
Table of Contents
CHAPTER 1 INTRODUCTION
    VRT-311 / VRT-311S Features
    Package Contents
    Physical Details
CHAPTER 2 INSTALLATION
    Services
CHAPTER 8 VPN (IPSEC)
    Overview
    Common VPN Situations
    VPN Configuration
Chapter 1 Introduction
This Chapter provides an overview of VRT-311 / VRT-311S's features and capabilities.
Congratulations on the purchase of your new VRT-311 / VRT-311S. VRT-311 / VRT-311S is a multi-function device providing the following services:
• Shared Broadband Internet Access for all LAN users.
• VPN Gateway for IPSec VPN connections to remote PCs or sites.
• 3-Port Switching Hub for 10BaseT or 100BaseT connections.
VRT-311 User Guide
• Fixed or Dynamic IP Address. On the Internet (WAN port) connection, VRT-311 / VRT-311S supports both Dynamic IP Address (IP Address is allocated on connection) and Fixed IP Address.
Advanced Internet Functions
• Communication Applications. Support for Internet communication applications, such as interactive Games, Telephony, and Conferencing applications, which are often difficult to use when behind a Firewall, is included.
• Special Internet Applications.
Security Features
• Password-protected Configuration. Optional password protection is provided to prevent unauthorized users from modifying the configuration data and settings.
• NAT Protection. An intrinsic side effect of NAT (Network Address Translation) technology is that by allowing all LAN users to share a single IP address, the location and even the existence of each PC is hidden. From the external viewpoint, there is no network, only a single device - VRT-311 / VRT-311S.
Physical Details
Front-mounted LEDs
Figure 2: VRT-311’s Front Panel
Figure 3: VRT-311S’s Front Panel
Power
On - Power on.
Off - No power.
Status (Red)
On - Error condition.
Off - Normal operation.
Blinking - This LED blinks during start up.
LAN
Each port has 2 LEDs
LNK/ACT
• On - Corresponding LAN (hub) port is active.
• Off - No active connection on the corresponding LAN (hub) port.
DMZ
WAN
Off - No connection to a modem on the WAN (Internet) port.
Flashing - Data is being transmitted or received via the WAN port.
PPPoE (For VRT-311 only)
On - PPPoE connection established.
Off - No PPPoE connection.
Rear Panel
Figure 4: VRT-311 Rear Panel
Figure 5: VRT-311S Rear Panel
Reset Button
This button has two (2) functions:
• Reboot. When pressed and released, VRT-311 / VRT-311S will reboot (restart).
• Clear All Data. This button can also be used to clear ALL data and restore ALL settings to the factory default values.
To Clear All Data and restore the factory default values:
1. Power Off.
2. Hold the Reset Button down while you Power On.
3.
Using the DMZ Port
The DMZ port is intended for connection of a server you wish to make available to the public. To use multiple servers, use a standard LAN cable to connect the DMZ port to a normal port on another hub, and connect your servers to the hub.
Please note the following points regarding the DMZ port.
• Although physically attached to the hub ports, the DMZ port is not part of the built-in hub. It is a separate single port which is isolated from the hub.
Chapter 2 Installation
This Chapter covers the physical installation of VRT-311 / VRT-311S.
Requirements
• Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors.
• TCP/IP protocol must be installed on all PCs.
• For Internet Access, an Internet Access account with an ISP, and a Broadband modem (usually, DSL or Cable modem).
Procedure
Figure 6: Installation Diagram
1. Choose an Installation Site
Select a suitable place on the network to install VRT-311 / VRT-311S.
• If desired, connect a PC (server) to the DMZ port. To use multiple servers, use a standard LAN cable to connect the DMZ port to a normal port on another hub, and connect your servers to the hub. PCs connected to the DMZ port are isolated from your LAN.
3. Connect WAN Cable
Connect the Broadband modem to the WAN port on VRT-311 / VRT-311S. Use the cable supplied with your Broadband modem. If no cable was supplied, use a standard LAN cable.
4. Power Up
• Power on the Broadband modem.
Chapter 3 Setup
This Chapter provides Setup details of VRT-311 / VRT-311S.
Overview
This chapter describes the setup procedure for:
• Internet Access
• LAN configuration
PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration.
Other configuration may also be required, depending on which features and functions of VRT-311 / VRT-311S you wish to use. Use the table below to locate detailed instructions for the required functions.
Use the Microsoft VPN feature:
• PPTP Server in VRT-311 / VRT-311S.
• User and Client setup.
• Checking VPN connection Status.
Configure or use any of the following:
• Configuration File backup and restore.
• Double-click the icon for VRT-311 / VRT-311S (either on the Desktop, or in My Network Places) to start the configuration. Refer to the following section Setup Wizard for details of the initial configuration process.
Using your Web Browser
To establish a connection from your PC to VRT-311 / VRT-311S:
1. After installing VRT-311 / VRT-311S in your LAN, start your PC. If your PC is already running, restart it.
2. Start your Web browser.
3.
• These are the default values. Both the name and password can (and should) be changed, using the Admin Login screen. Once you have changed either the name or the password, you must use the current values.
Setup Wizard
The first time you connect to VRT-311 / VRT-311S, the Setup Wizard will run automatically. (The Setup Wizard will also run if VRT-311 / VRT-311S's default settings are restored.)
1. Step through the Wizard until finished.
• You need to know the type of Internet connection service used by your ISP. Check the data supplied by your ISP.
• The common connection types are explained in the tables below.
PPTP
Details: Mainly used in Europe. You connect to the ISP only when required. The IP address is usually allocated automatically, but may be Static (Fixed).
ISP Data required:
• PPTP Server IP Address.
• User name and password.
• IP Address allocated to you, if Static (Fixed).
Other Modems (e.g. Broadband Wireless)
Type: Dynamic IP Address
Details: Your IP Address is allocated automatically, when you connect to your ISP.
ISP Data required: Usually, none.
Home Screen
After finishing or exiting the Setup Wizard, you will see the Home screen. When you connect in future, you will see this screen. An example screen is shown below.
Figure 8: Home Screen
Navigation & Data Input
• Use the menu bar on the top of the screen, and the "Back" button on your Browser, for navigation.
• Changing to another screen without clicking "Save" does NOT save any changes you may have made.
LAN Screen
Use the LAN link on the main menu to reach the LAN screen. An example screen is shown below.
Figure 9: LAN Screen
Data - LAN Screen
TCP/IP
IP Address
IP address for VRT-311 / VRT-311S, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
Subnet Mask
The default value 255.255.255.
DHCP
What DHCP Does
A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP Client (PC or device) upon request.
• The client request is made when the client device starts up (boots).
• The DHCP Server provides the Gateway and DNS addresses to the client, as well as allocating an IP Address.
• VRT-311 / VRT-311S can act as a DHCP server.
• Windows 95/98/ME and other non-Server versions of Windows will act as a DHCP client.
Chapter 4 PC Configuration
This Chapter details the PC Configuration required on the local ("Internal") LAN.
Overview
For each PC, the following may need to be configured:
• TCP/IP network settings
• Internet Access configuration
Windows Clients
This section describes how to configure Windows clients for Internet access via VRT-311 / VRT-311S. The first step is to check the PC's TCP/IP settings.
Broadband VPN Router User’s Manual
Checking TCP/IP Settings - Windows 9x/ME:
1. Select Control Panel - Network. You should see a screen like the following:
Figure 10: Network Configuration
2. Select the TCP/IP protocol for your network card.
3. Click on the Properties button. You should then see a screen like the following.
Figure 11: IP Address (Win 95)
Ensure your TCP/IP settings are correct, as follows:
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically.
• On the Gateway tab, enter VRT-311 / VRT-311S's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to VRT-311 / VRT-311S.
Figure 32: Gateway Tab (Win 95/98)
• On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add.
Checking TCP/IP Settings - Windows NT4.0
1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below.
Figure 14: Windows NT4.0 - TCP/IP
2. Click the Properties button to see a screen like the one below.
Figure 15: Windows NT4.0 - IP Address
3. Select the network card for your LAN.
4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below.
Obtain an IP address from a DHCP Server
This is the default Windows setting. Using this is recommended. By default, VRT-311 / VRT-311S will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from VRT-311 / VRT-311S.
Figure 17: Windows NT4.
Checking TCP/IP Settings - Windows 2000:
1. Select Control Panel - Network and Dial-up Connection.
2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following:
Figure 18: Network Configuration (Win 2000)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
5. Ensure your TCP/IP settings are correct, as described below.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, VRT-311 / VRT-311S will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from VRT-311 / VRT-311S.
Checking TCP/IP Settings - Windows XP
1. Select Control Panel - Network Connection.
2. Right-click the Local Area Connection and choose Properties. You should see a screen like the following:
Figure 20: Network Configuration (Windows XP)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
Figure 21: TCP/IP Properties (Windows XP)
5. Ensure your TCP/IP settings are correct.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, VRT-311 / VRT-311S will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from VRT-311 / VRT-311S.
Internet Access
To configure your PCs to use VRT-311 / VRT-311S for Internet access:
• Ensure that the DSL modem, Cable modem, or other permanent connection is functional.
• Use the following procedure to configure your Browser to access the Internet via the LAN, rather than by a Dial-up connection.
For Windows 9x/ME/2000
1. Select Start Menu - Settings - Control Panel - Internet Options.
2. Select the Connection tab, and click the Setup button.
Macintosh Clients
From your Macintosh, you can access the Internet via VRT-311 / VRT-311S. The procedure is as follows.
1. Open the TCP/IP Control Panel.
2. Select Ethernet from the Connect via pop-up menu.
3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank.
4. Close the TCP/IP panel, saving your settings.
Chapter 5 Operation and Status
This Chapter details the operation of VRT-311 / VRT-311S and the status screens.
Operation
Once both VRT-311 / VRT-311S and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required:
• If using Internet-based Communication Applications, it may be necessary to specify which PC receives an incoming connection. Refer to Chapter 6 - Internet Features for further details.
Data - Status Screen
Internet
Connection Method
This indicates the current connection method, as set in the Setup Wizard.
Broadband Modem
This shows the connection status of the modem.
Internet Connection
Current connection status:
• Active
• Idle
• Unknown
• Failed
If there is an error, you can click the "Connection Details" button to find out more information.
Internet IP Address
This IP Address is allocated by the ISP (Internet Service Provider).
Connection Status - PPPoE
If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 23: PPPoE Status Screen
Data - PPPoE Screen
Connection
Physical Address
The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.)
IP Address
The IP Address of this device, as seen by Internet users.
fresh button will update the messages shown on screen.
Buttons
Connect
If not connected, establish a connection to your ISP.
Disconnect
If connected to your ISP, hang up the connection.
Clear Log
Delete all data currently in the Log. This will make it easier to read new messages.
Refresh
Update the data on screen.
Connection Status - PPTP
If using PPTP (Point-to-Point Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 24: PPTP Status Screen
Data - PPTP Screen
Connection
Physical Address
The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.)
IP Address
The IP Address of this device, as seen by Internet users.
Disconnect
If connected to your ISP, hang up the connection.
Clear Log
Delete all data currently in the Log. This will make it easier to read new messages.
Refresh
Update the data on screen.
Connection Status - Telstra Big Pond
An example screen is shown below.
Figure 25: Telstra Big Pond Status Screen
Data - Telstra Big Pond Screen
Connection
Physical Address
The hardware address of this device, as seen by remote devices.
is disabled.
Connection Log
• The Connection Log shows status messages relating to the existing connection.
• The Clear Log button will restart the Log, while the Refresh button will update the messages shown on screen.
Buttons
Connect
If not connected, establish a connection to Telstra Big Pond.
Disconnect
If connected to Telstra Big Pond, terminate the connection.
Clear Log
Delete all data currently in the Log. This will make it easier to read new messages.
IP Address
The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider).
Network Mask
The Network Mask associated with the IP Address above.
Default Gateway
The IP Address of the remote Gateway or Router associated with the IP Address above.
DNS IP Address
The IP Address of the Domain Name Server which is currently used.
Connection Details - Fixed/Dynamic IP Address
If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 27: Connection Details - Fixed/Dynamic IP Address
Data - Fixed/Dynamic IP address Screen
Internet
Physical Address
The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.
VRT-311 / VRT-311S, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server.
• If an IP Address has been allocated to VRT-311 / VRT-311S (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address.
Refresh
Update the data shown on screen.
Chapter 6 Internet Features
This Chapter explains when and how to use VRT-311 / VRT-311S's "Internet" Features.
Overview
The following advanced features are provided.
WAN Port Configuration
The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Internet menu. An example screen is shown below.
Figure 28: WAN Port Configuration Screen
Data - WAN Port Configuration Screen
Identification
Hostname
Normally, there is no need to change the default name, but if your ISP requests that you use a particular "Hostname", enter it here.
IP Address
IP Address is assigned automatically
Also called Dynamic IP Address. This is the default, and the most common. Leave this selected if your ISP allocates an IP Address to VRT-311 / VRT-311S upon connection.
Specified IP Address
Also called Static IP Address. Select this if your ISP has allocated you a fixed IP Address. If this option is selected, the following data must be entered.
• IP Address. The IP Address allocated by the ISP.
Login
Login Method
If your ISP does not use a login method (username, password) for Internet access, leave this at the default value "None (Direct connection)". Otherwise, check the documentation from your ISP, select the login method used, and enter the required data.
• PPPoE - this is the most common login method, widely used with DSL modems. Normally, your ISP will have provided some software to connect and login.
Advanced Internet
Figure 29: Internet Screen
This screen allows configuration of all advanced features relating to Internet access.
• Communication Applications
• Special Applications
• Multi-DMZ
• URL filter
Communication Applications
Most applications are supported transparently by VRT-311 / VRT-311S. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the Communication Applications listed on this screen.
Send incoming calls to
This lists the PCs on your LAN.
• If necessary, you can add PCs manually, using the PC Database option on the Other menu.
• For each application listed above, you can choose a destination PC.
• There is no need to "Save" after each change; you can set the destination PC for each application, then click "Save".
Incoming Ports
• Type - Select the protocol (TCP or UDP) used when you receive data from the special application or service. (Note: Some applications use different protocols for outgoing and incoming data).
• Start - Enter the beginning of the range of port numbers used by the application server, for data you receive. If the application uses a single port number, enter it in both the "Start" and "Finish" fields.
Outgoing Ports
URL Filter
The URL Filter allows you to block access to undesirable Web sites.
• To use this feature, you must define "filter strings". If the "filter string" appears in a requested URL, the request is blocked.
• Enabling the URL Filter also affects the Internet Access Log. If Enabled, the "Destination" field in the log will display the URL. Otherwise, it will display the IP Address.
• The URL Filter can be Enabled or Disabled on the Advanced Internet screen.
Dynamic DNS (Domain Name Server)
This free service is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address.
This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect, which makes it difficult to connect to you.
The Service works as follows:
1.
NOT need to use the "Client" program provided by some DDNS Service providers.)
• From the Internet, users will now be able to connect to your Virtual Servers (or DMZ PC) using your Domain name.
DDNS Data
DDNS Service
Select the desired DDNS Service provider.
User Name
Enter your Username for the DDNS Service.
Password/Key
Enter your current password for the DDNS Service.
Domain Name
Enter the domain name allocated to you by the DDNS Service.
Virtual Servers
This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because:
• Your Server does not have a valid external IP Address.
• Attempts to connect to devices on your LAN are blocked by the firewall in this device.
The "Virtual Server" feature solves these problems and allows Internet users to connect to your servers, as illustrated below.
• For each enabled Virtual Server, a firewall rule to allow incoming traffic from the Internet (WAN) to the DMZ is automatically created. If the Server is connected to the LAN (hub) ports, you must add the firewall rule manually.
Note that the DMZ port is a normal port, not an "uplink" port. If connecting to a hub, connect to the standard port on the hub.
Virtual Servers Screen
The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu.
Connecting to the Virtual Servers
Once configured, anyone on the Internet can connect to your Virtual Servers. They must use the Internet IP Address (the IP Address allocated to you by your ISP), e.g.
http://203.70.212.52
ftp://203.70.212.52
It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic.
Chapter 7 Security Configuration
This Chapter explains the settings available via the security configuration section of the "Security" menu.
Overview
The following advanced configurations are provided.
• Admin Login
• Access Control
• Firewall Rules
• Logs
• E-mail
• Security Options
• Scheduling
• Services
Admin Login
The Admin Login screen allows you to assign a user name and password to VRT-311 / VRT-311S.
Figure 36: Admin Login Screen
1. The default login name is "admin".
Figure 37: Password Dialog
Enter the "User Name" and "Password" you set on the Admin Login screen above.
Access Control
This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet Access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access.
To use this feature:
1. Set the desired restrictions on the "Default" group. All PCs are in the "Default" group unless explicitly moved to another group.
Data - Access Control Screen
Group
Group
Select the desired Group. The screen will update to display the settings for the selected Group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be renamed.
"Members" Button
Click this button to add or remove members from the current Group.
• If the current group is "Default", then members cannot be added or deleted. This group contains PCs not allocated to any other group.
Clear Log
Click this to clear and restart the "Access Control" log, making new entries easier to read.
Group Members Screen
This screen is displayed when the Members button on the Access Control screen is clicked.
Figure 39: Group Members
Use this screen to add or remove members (PCs) from the current group.
• The "Del >>" button will remove the selected PC (in the Members list) from the current group.
• The "<< Add" button will add the selected PC (in the Other PCs list) to the current group.
PCs not assigned to any group will be in the "Default" group.
Firewall Rules
For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it - the service is unavailable.
You can also use this screen to create Firewall rules to block or allow specific traffic. But incorrect configuration may cause serious problems.
Data
For each rule, the following data is shown:
• Name - The name you assigned to the rule.
• Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ... this indicates there is a range of IP addresses, rather than a single address.
• Destination - The traffic covered by this rule, defined by destination IP address. If the IP address is followed by ...
Define Firewall Rule
Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.
Figure 41: Define Firewall Rule
Data - Define Firewall Rule Screen
Name
Enter a suitable name for this rule.
Type
This determines the source and destination ports for traffic covered by this rule. Select the desired option.
Source IP
These settings determine which traffic, based on their source IP address, is covered by this rule.
Dest IP
These settings determine which traffic, based on their destination IP address, is covered by this rule. Select the desired option:
• Any - All traffic from the source port is covered by this rule.
• Single address - Enter the required IP address in the "Start IP address" field. You can ignore the "Subnet Mask" field.
• Range address - If this option is selected, you must complete both the "Start IP address" and "Finish IP address" fields.
Logs
The Logs record various types of activity on VRT-311 / VRT-311S. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance.
Since only a limited amount of log data can be stored in VRT-311 / VRT-311S, log data can also be E-mailed to your PC or sent to a Syslog Server.
Data - Logs Screen
Enable Logs
Incoming Traffic
Select the desired option:
• All IP traffic - this will log all incoming TCP/IP connections, of any type. This will generate the largest logs, and fill the internal log buffer more quickly.
• All TCP/UDP/ICMP traffic - These 3 protocols are used by most internet traffic. TCP is used by HTTP, FTP, Telnet, E-mail and other common Internet protocols and applications.
Outgoing Traffic
System Log
Clear Log Button
Use this to restart the required log. This makes it easier to read the latest entries.
Timezone
Timezone
Select the correct Timezone for your location. This is required for the date/time shown on the logs to be correct.
Syslog Server
Enable Syslog
If enabled, log data will be sent to your Syslog Server.
Syslog Server
Enter the IP address of your Syslog Server.
Include
Select the logs you wish to be included in the data sent to the Syslog Server.
E-mail
Figure 43: E-Mail Screen
Data - E-Mail Screen
E-Mail Alerts
Send E-Mail alert
If enabled, an E-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided.
E-Mail Logs
Send Logs by E-Mail
If enabled, logs will be sent to the specified E-mail address. You need to select the Logs to be E-mailed, and complete the E-mail address settings on this screen.
E-mail address
Enter the E-mail address the Log is to be sent to. The E-mail will also show this address as the Sender's address.
Subject
Enter the text string to be shown in the "Subject" field for the E-mail.
SMTP Server
Enter the address or IP address of the SMTP (Simple Mail Transfer Protocol) Server you use for outgoing E-mail.
Port No.
Enter the port number used to connect to the SMTP Server. The default value is 25.
Security Options
This screen allows you to set Firewall and other security-related options.
Figure 44: Security Options Screen
Data - Security Options Screen
Firewall
Enable DoS Firewall
If enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting be left enabled.
Options
Respond to ICMP (ping)
The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs.
• If checked, VRT-311 / VRT-311S will respond to ICMP packets received from the Internet.
• If not checked, ICMP packets from the Internet will be ignored. Disabling this option provides a slight increase in security.
Allow VPN passthrough
Drop fragmented IP packets
Scheduling
• This schedule can be (optionally) applied to any Access Control Group.
• Blocking will be performed during the scheduled time (between the "Start" and "Finish" times).
• Two (2) separate sessions or periods can be defined.
• Times must be entered using a 24 hr clock.
• If the time for a particular day is blank, no action will be performed.
Define Schedule Screen
This screen is accessed by the Scheduling link on the Security menu.
Services
Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required.
To view the Services screen, select the Services link on the Security menu.
Figure 46: Services Screen
Data - Services Screen
Available Services
Available Services
This lists all defined Services.
Chapter 8 VPN (IPSec)
This Chapter describes the VPN capabilities and configuration required for common situations.
Overview
This section describes the VPN (Virtual Private Network) support provided by your VRT-311 / VRT-311S. A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet. This secure connection is called a VPN Tunnel. There are many standards and protocols for VPNs.
• Phase I is the negotiation and establishment of the IKE connection.
• Phase II is the negotiation and establishment of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (security associations).
Policies
VPN configuration settings are stored in Policies. Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPSec Policy", and "IPSec Proposal" have the same meaning.
Common VPN Situations
VPN Pass-through
Figure 47: VPN Pass-through
Here, a PC on the LAN behind the VRT-311 / VRT-311S is using VPN software, but the VRT-311 / VRT-311S is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
• The PC software can use any VPN protocol supported by the remote VPN.
• The remote VPN Server must support client PCs which are behind a NAT router, and so have an IP address which is not valid on the Internet.
Connecting 2 LANs via VPN
Figure 49: Connecting 2 VPN Gateways
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.
• The 2 LANs MUST use different IP address ranges.
• The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can be accessed once the VPN connection is established.
• It is possible to have simultaneous VPN connections to many remote sites.
VPN Configuration
This section covers the configuration required on VRT-311 / VRT-311S when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section.
VPN Policies Screen
To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty.
Move
The order in which policies are listed is only important if you have multiple policies for the same remote site. In that case, the first matching policy is used. There are 2 ways to change the order of policies:
• Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
• Otherwise, click Next to continue. You will see a screen like the following.
Figure 52: VPN Wizard – General Screen
General Settings
Policy Name: Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.
Enable Policy: Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
Allow NetBIOS traffic: Enable this if you require NetBIOS traffic to be transferred through the VPN tunnel.
Figure 53: VPN Wizard - Traffic Selector Screen
• For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel.
• For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
• The 2 VPN endpoints MUST use different address ranges.
Remote IP addresses
Type
• Single address - enter an IP address in the "Start IP address" field.
• Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
• Subnet address - enter the desired IP address in the "Start IP address" field, and the network mask in the "Subnet Mask" field.
The remote VPN should have these IP addresses entered as its "Local" addresses.
3. Click Next to continue.
SPI
• Each SPI (Security Parameter Index) must be unique.
• The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
• Each SPI should be at least 3 characters.
ESP Encryption
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication.
IKE Phase 1
If you selected IKE, the following screen is displayed after the Traffic Selector screen. This screen sets the parameters for the IKE SA.
Figure 55: VPN Wizard - IKE Phase 1 Screen
IKE Phase 1 (IKE SA): Local Identity, Remote Identity
Local Identity: This setting must match the "Remote Identity" on the remote VPN. Select the desired option, and enter the required data in the "Local Identity Data" field.
• WAN IP Address - This is the most common method. If selected, no input is required.
Authentication
• RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority).
• For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.
IKE Phase 2 Screen
This screen sets the parameters for the IPSec SA. When using IKE, there are separate connections (SAs) for IKE and IPSec.
Figure 56: VPN Wizard - IKE Phase 2 Screen
IKE Phase 2 (IPsec SA)
IPsec SA Life Time: This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
For IKE, configuration is now complete. Click "Next" to view the final screen.
Figure 57: VPN Wizard - Final Screen
On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
VPN Examples
This section describes some examples of using VRT-311 / VRT-311S in common VPN situations.
Example 1: Connecting 2 VRT-311 / VRT-311Ss
In this example, 2 LANs are connected via VPN.
Figure 58: Connecting 2 VRT-311 / VRT-311Ss
Note
• The LANs MUST use different IP address ranges.
• Both endpoints have fixed WAN (Internet) IP addresses.
Configuration Settings
Setting | LAN A Gateway | LAN B Gateway | Notes
Name | Policy 1 | Policy 1 | Name does not affect operation.
method used.
Pre-shared Key | Xxxxxxxxxx | Xxxxxxxxxx | Must match
IKE Authentication algorithm | MD5 | MD5 | Must match
IKE Encryption | DES | DES | Must match
IKE Exchange mode | Main Mode | Main Mode | Must match
DH Group | Group 1 (768 bit) | Group 1 (768 bit) | Must match
IKE SA Life time | 28800 | 28800 | Does not have to match. Shorter period will be used.
IKE PFS | Disable | Disable | Must match
IPSec SA Parameters
IPSec SA Life time | 28800 | 28800 | Does not have to match.
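The "Must match" notes in the Example 1 table, together with the address-range, traffic-selector and pre-shared key rules stated earlier in this chapter, can be checked before the two policies are entered on the gateways. The following Python check is an added example, not part of the manual or of the router's software; the IkePolicy class, its field names, the LAN ranges and the key are constructed for illustration, and the LEGACY list is an editorial note rather than a statement from the manual.

```python
import ipaddress
from dataclasses import dataclass

# Rows the Example 1 table marks "Must match" on both gateways.
MUST_MATCH = ("pre_shared_key", "ike_auth", "ike_encryption",
              "exchange_mode", "dh_group", "ike_pfs")

# Editorial note, not from the manual: these values from the example table
# are obsolete by current standards; prefer the strongest options that
# both endpoints offer.
LEGACY = {"ike_auth": {"MD5"}, "ike_encryption": {"DES"},
          "dh_group": {"Group 1 (768 bit)"}}


@dataclass(frozen=True)
class IkePolicy:
    """One gateway's IKE policy; class and field names are hypothetical."""
    gateway: str
    local_lan: str          # local traffic selector, CIDR notation
    remote_lan: str         # remote traffic selector, CIDR notation
    pre_shared_key: str
    ike_auth: str
    ike_encryption: str
    exchange_mode: str
    dh_group: str
    ike_pfs: str
    ike_sa_lifetime: int    # seconds
    ipsec_sa_lifetime: int  # seconds


def check_pair(a, b):
    """Return a list of configuration errors for two peer policies."""
    errors = []
    for field in MUST_MATCH:
        # Report the field name only, so a key never ends up in a log.
        if getattr(a, field) != getattr(b, field):
            errors.append(f"{field}: must match on both endpoints")
    for p in (a, b):
        if not 8 <= len(p.pre_shared_key) <= 128:
            errors.append(f"{p.gateway}: pre-shared key must be 8-128 characters")
    if ipaddress.ip_network(a.local_lan).overlaps(ipaddress.ip_network(b.local_lan)):
        errors.append("the 2 LANs must use different IP address ranges")
    for here, there in ((a, b), (b, a)):
        # Each side's "Remote" addresses are the peer's "Local" addresses.
        if ipaddress.ip_network(here.remote_lan) != ipaddress.ip_network(there.local_lan):
            errors.append(f"{here.gateway}: remote addresses are not the peer's local addresses")
    return errors


def effective_lifetimes(a, b):
    """Lifetimes need not match; the shorter period is the one used."""
    return {"ike_sa": min(a.ike_sa_lifetime, b.ike_sa_lifetime),
            "ipsec_sa": min(a.ipsec_sa_lifetime, b.ipsec_sa_lifetime)}


def legacy_settings(policy):
    """Names of the fields set to a value listed in LEGACY."""
    return sorted(f for f, weak in LEGACY.items() if getattr(policy, f) in weak)


# Constructed sample data: the LAN ranges and the key are placeholders.
COMMON = dict(pre_shared_key="example-psk-0001", ike_auth="MD5",
              ike_encryption="DES", exchange_mode="Main Mode",
              dh_group="Group 1 (768 bit)", ike_pfs="Disable",
              ike_sa_lifetime=28800, ipsec_sa_lifetime=28800)
LAN_A = IkePolicy("LAN A", "192.168.0.0/24", "192.168.1.0/24", **COMMON)
LAN_B = IkePolicy("LAN B", "192.168.1.0/24", "192.168.0.0/24", **COMMON)

if __name__ == "__main__":
    for problem in check_pair(LAN_A, LAN_B) or ["no mismatches found"]:
        print(problem)
    print("effective lifetimes:", effective_lifetimes(LAN_A, LAN_B))
    print("legacy settings on LAN A:", legacy_settings(LAN_A))
```
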
Example 2: Windows 2000/XP Client to LAN
In this example, a Windows 2000/XP client connects to VRT-311 / VRT-311S and gains access to the local LAN.
Figure 59: Windows 2000/XP Client to VRT-311 / VRT-311S
To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed.
VRT-311 / VRT-311S Configuration
Setting | Value | Notes
Name | Win Client | Name does not affect operation. Select a meaningful name.
Remote Endpoint | 172.16.9.10 | Other endpoint's WAN (Internet) IP address.
DH Group | Group 1 (768 bit) | Must match client PC
IKE SA Life time | 28800 | Does not have to match client PC. Shorter period will be used.
IKE PFS | Disable | Must match client PC
IPSec SA Parameters
IPSec SA Life time | 28800 | Do not have to match. Shorter period will be used.
Figure 61: Windows 2000/XP - Policy Properties
6.
• Note that no rules are in use. Two (2) rules are required - incoming and outgoing.
• The outgoing rule will be added first.
Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.
Figure 62: IP Filter List
7. Type "To DUT" for the name, then click "Add" to see a screen like the following.
Figure 63: Filter Properties: Addressing
8. Enter the Source IP address and the Destination IP address.
• Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN.
• Ensure the Mirrored option is checked.
9. Click "OK" to save your settings and close this dialog.
Figure 64: New Rule Properties: IP Filter List
10.
Figure 65: New Rule Properties: Filter Action
11. Select Require Security, then click the "Edit" button, to view the Require Security Properties screen.
Figure 66: Require Security Properties
12. Select Negotiate security (this selects IKE), then click "Add".
Figure 67: Modify Security Method
13. On the resulting screen (above), select High [ESP] then click "OK" to save your changes and return to the Require Security Properties screen.
Figure 68: Require Security Properties
14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of VRT-311 / VRT-311S, as shown below.
Figure 69: Tunnel Setting
16. Click the Authentication Methods tab, then click the "Edit" button to see a screen like the example below.
Figure 70: Authentication Method
17. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
18.
Figure 71: Windows 2000/XP Client to VRT-311 / VRT-311S
20. To add the second (incoming) rule, click "Add". For the name, enter "To Win2K", then click "Add".
Figure 72: Windows 2000/XP Client to VRT-311 / VRT-311S
21. Enter the Source IP address and the Destination IP address as shown below.
• Since this is the incoming filter, the Source IP address is the address range used on the remote LAN and the Destination IP address is "My IP address".
Figure 73: Filter Properties: Addressing
22. Click "OK" to save your changes, then "Close".
Figure 74: Filter List
23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
Figure 75: Filter Action
24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security.
Figure 76: Security Methods
25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].
Figure 77: Modify Security Method
26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen.
27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example).
Figure 78: Tunnel Setting
28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below.
Figure 79: Authentication Method
29. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen. There should now be 2 IP Filters listed, as shown below.
Figure 80: DUT to Win2K Properties
31. Select the General tab.
Figure 81: Properties - General Tab
32. Click the "Advanced" button to see the screen below.
Figure 82: Key Exchange Settings
33. Click the "Methods" button to see the screen below.
Figure 83: Key Exchange Security Methods
34. Select the first entry, and click the "Edit" button to see the following screen.
Figure 84: IKE Security Algorithms
35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group.
36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen.
37. Right click the DUT to Win2K Policy and select "Assign" to make your policy active.
Example 3: Windows 2000 Server to VPN Gateway
In this example, a Windows 2000 Server connects to VRT-311 / VRT-311S. Users on each LAN can then gain access to the remote LAN.
Figure 86: VRT-311 / VRT-311S to Windows 2000 Server
VRT-311 / VRT-311S Configuration
This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
Setting | Single Client | Server/Gateway
Remote IP addresses | 172.16.9.10 | Subnet address: 11.5.0.0 255.255.0.
Windows 2000 Server Configuration
Configuration is the same as for Example 2: Windows 2000/XP Client to LAN, except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties - Addressing should be completed as follows.
Certificates
Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates". Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates.
Figure 89: Add Trusted Certificate
3. Click the "Browse" button, and locate the certificate file on your PC.
4. Select the file. The name will appear in the "Certificate File" field.
5. Click "Upload" to upload the certificate file to VRT-311 / VRT-311S.
6. Click "Back" to return to the Trusted Certificate list. The new Certificate will appear in the list.
Delete button: Use this button to delete a Self Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button.
Self Certificate Requests
Request List: Any current requests are listed. These requests are generated by using the New Request button described below.
• After you have received the Certificate file for a request, you must select the request in the list, and upload the certificate file.
3.
Subject Name: This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
Hash Algorithm: Select the desired option.
Signature Algorithm: Select the desired option. RSA is recommended.
Signature Key Length: Select the desired option. Normally, 1024 bits provides adequate security.
8. After obtaining a new Certificate, as described above, you need to upload it to VRT-311 / VRT-311S.
• Return to the Self Certificates screen.
• In the Self Certificate Requests list, select the request matching this certificate.
• Click the Upload Certificate button. You will see a screen like the one below.
Figure 93: Upload Self Certificate
9. Upload the Certificate:
• Click the Browse button, and locate the certificate file on your PC.
• Select the file.
Figure 95: Upload CRL
4. Upload the CRL file:
• Click the "Browse" button, and locate the CRL file on your PC.
• Select the file. The name will appear in the "File to Upload" field.
• Click "Upload" to upload the CRL file to VRT-311 / VRT-311S.
• Click "Back" to return to the CRL list. The new CRL will appear in the list.
5. Use the "Delete" button to delete the previous (now outdated) CRL.
Data Rx: Measures the quantity of data which has been received via this SA.
Buttons
Refresh: Update the data shown on screen.
View Log: Open a new window and view the contents of the VPN log.
Chapter 9 Microsoft VPN
This Chapter explains the screens and settings available for the Microsoft VPN function.
Overview
Microsoft VPN uses the Microsoft VPN Adapter which is provided in recent versions of Windows. This feature can be used to provide remote access to your LAN by individual PCs. This method provides an alternative to using IPSec VPN, which is described in the previous chapter. Using Microsoft VPN provides easier setup than using IPSec VPN.
Data – Microsoft VPN Screen
PPTP Server
Enable: Use this checkbox to enable or disable this feature as required. To allow connection by remote Windows clients, you must enable this feature, and enter the client details (on the Clients screen) to allow them to login to this Server.
Authentication Methods: Enable the desired authentication methods. The methods are listed with the most secure first, least secure last. If multiple methods are checked, the most secure will be tried first.
Data - Microsoft VPN Client Database Screen
Existing Users
User List: All existing users are listed. If you have not added any users, this list will be empty. When a user is selected, their details are displayed in the Properties panel. You can then edit the user's information as required; click Update Selected User to save your changes. (If you select another user before saving your changes, your changes are lost.
Status Screen
The Status screen is accessed by selecting the Status option on the Microsoft VPN menu.
Figure 99: Microsoft VPN Status Screen
Data - Microsoft VPN Status Screen
Server Status
Status: This indicates whether or not the PPTP (VPN) Server is enabled.
Current Connections: This indicates the number of remote clients currently logged into the PPTP (VPN) Server.
Server Log
Server Log: This displays details of each connection or connection attempt.
Windows Client Setup
To connect to the PPTP (VPN) Server in the VPN Broadband Gateway:
• The Microsoft VPN feature in the VPN Broadband Gateway must be enabled and configured, as described in the previous section.
• Each user must have a login (username and password) on the VPN client database on the VPN Broadband Gateway.
• The remote client PC must be configured as described in the following sections.
5. Click "Finish" to exit the Wizard. The new entry will now be listed in "Dial-up Networking".
If necessary, you can change the settings for this connection by right-clicking on it, and selecting Properties. To force all outgoing traffic to be sent via VPN, enable the setting This is the default Internet connection on the Dialing tab. (Do NOT enable this setting if using Dial-up or PPPoE client software.)
Figure 102: Windows ME VPN Dialing Properties
To establish a connection: 1. 2. 3. 4.
Windows 2000
Ensure you have logged on with Administrator rights before attempting this procedure.
1. Open "Network Connections", and start the "New Connection" Wizard.
Figure 103: Windows 2000 Network Connection
2. Select the VPN option ("Connect to a private network through the Internet"), as shown above, and click Next.
Figure 104: Windows 2000 Public Network
3. On the screen above:
• Select "Do not dial the initial connection" if Internet access is via the LAN.
Figure 105: Windows 2000 VPN Host
4. On the screen above, enter the Domain Name or Internet IP address of the VRT-311 / VRT-311S you wish to connect to. Click Next to continue.
Figure 106: Windows 2000 Connection Availability
5. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue.
Figure 107: Windows 2000 Finish Wizard
6. Enter a suitable name, and click "Finish" to save and exit. Setup is now complete.
To establish a connection:
1. Right-click the connection in "Network Connections", and select "Connect".
2. You will then be prompted for the username and password.
3. Enter the username and password assigned to you, as recorded in the VPN client database on VRT-311 / VRT-311S.
Windows XP
Ensure you have logged on with Administrator rights before attempting this procedure.
1. Open Network Connections (Start-Settings-Network Connections), and start the New Connection Wizard.
Figure 108: Windows XP Network Connection Type
2. Select the option "Connect to the network at my workplace", as shown above, and click Next.
Figure 109: Windows XP Network Connection
3. On the next screen, shown above, select the "Virtual Private Network connection" option.
Figure 110: Windows XP Connection Name
4. Enter a suitable name for this connection. Click Next to continue.
Figure 111: Windows XP Public Network
5. On the screen above, select "Do not dial the initial connection". Click Next to continue.
6. On the screen above, enter the Domain Name or Internet IP address of the VRT-311 / VRT-311S you wish to connect to. Click Next to continue.
Figure 113: Windows XP Connection Availability
7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue.
8. On the final screen, click Finish to save and exit. Setup is now complete.
To establish a connection:
1. Right-click the connection in "Network Connections", and select "Connect".
Chapter 10 Other Features & Settings
This Chapter explains the screens and settings available via the "Other" menu.
Overview
Normally, it is not necessary to use these screens, or change any settings. These screens and settings are provided to deal with non-standard situations, or to provide additional options for advanced users. The screens available are:
Config File: Backup or restore the configuration file for VRT-311 / VRT-311S. This file contains all the configuration data.
Config File
This feature allows you to backup (download) the current settings from VRT-311 / VRT-311S, and save them to a file on your PC. You can restore a previously-downloaded configuration file to VRT-311 / VRT-311S, by uploading it to VRT-311 / VRT-311S. This screen also allows you to set VRT-311 / VRT-311S back to its factory default configuration. Any existing settings will be deleted. An example Config File screen is shown below.
Network Diagnostics
This screen allows you to perform a "Ping" or a "DNS lookup". These activities can be useful in solving network problems. An example Network Diagnostics screen is shown below.
Figure 115: Network Diagnostics Screen
Data - Network Diagnostics Screen
Ping
IP Address: Enter the IP address you wish to ping. The IP address can be on your LAN, or on the Internet.
PC Database
The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN.
PC Database Screen
An example PC Database screen is shown below.
Figure 116: PC Database
• PCs which are "DHCP Clients" are automatically added to the database, and updated as required.
Data - PC Database Screen
Known PCs: This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN.
Name: If adding a new PC to the list, enter its name here. It is best if this matches the PC's "hostname".
IP Address: Enter the IP Address of the PC. The PC will be sent a "ping" to determine its hardware address.
PC Database (Admin)
This screen is displayed if the "Advanced Administration" button on the PC Database is clicked. It provides more control than the standard PC Database screen.
Figure 117: PC Database (Admin)
Data - PC Database (Admin) Screen
Known PCs: This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN.
PC Properties
Name: If adding a new PC to the list, enter its name here.
MAC Address: Select the appropriate option.
• Automatic discovery - Select this to have VRT-311 / VRT-311S contact the PC and find its MAC address. This is only possible if the PC is connected to the LAN and powered On.
• MAC is - Enter the MAC address on the PC. The MAC address is also called the "Hardware Address", "Physical Address", or "Network Adapter Address". VRT-311 / VRT-311S uses this to provide a unique identifier for each PC.
Remote Administration
Remote Administration allows you to connect to this interface via the Internet, using your Web browser.
Figure 118: Remote Administration Screen
Data - Remote Administration Screen
Information
Information: To establish a connection from the Internet:
1. Enable Remote Administration and configure this screen.
2. From a remote location, start your Browser.
3.
connected to the Internet. But if using a Dynamic IP Address, this value can change each time you connect to your ISP. There are 2 solutions to this problem:
• Have your ISP allocate you a Fixed IP address.
• Use the DDNS feature (Internet menu) so you can connect using a Domain Name, rather than an IP address.
Port Number: Enter a port number between 1024 and 65535. The default for HTTP connections is port 80, and for HTTPS port 443.
Routing
Overview
• If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely.
• If VRT-311 / VRT-311S is only acting as a Gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other Routers.
• If you have a standard Router (e.g. Cisco) on your LAN, and VRT-311 / VRT-311S is to act as a Gateway for all LAN segments, enable RIP (Routing Information Protocol) and ignore the Static Routing table.
Figure 119: Routing Screen
Data - Routing Screen
RIP
Enable RIP: Check this to enable the RIP (Routing Information Protocol) feature of VRT-311 / VRT-311S. VRT-311 / VRT-311S supports RIP 1 only.
Static Routing
Static Routing Table Entries: This list shows all entries in the Routing Table.
• The "Properties" area shows details of the selected item in the list.
Properties
• Destination Network - The network address of the remote LAN segment. For standard class "C" LANs, the network address is the first 3 fields of the Destination IP Address. The 4th (last) field can be left at 0.
• Network Mask - The Network Mask for the remote LAN segment. For class "C" networks, the default mask is 255.255.255.
Other Routers on the Local LAN
Other routers on the local LAN must use VRT-311 / VRT-311S's Local Router as the Default Route. The entries will be the same as VRT-311 / VRT-311S's local router, with the exception of the Gateway IP Address.
• For a router with a direct connection to VRT-311 / VRT-311S's local Router, the Gateway IP Address is the address of VRT-311 / VRT-311S's local router.
Metric: 3
For Router A's Default Route
Destination IP Address: 0.0.0.0
Network Mask: 0.0.0.0
Gateway IP Address: 192.168.0.1 (VRT-311 / VRT-311S's IP Address)
Interface: LAN
For Router B's Default Route
Destination IP Address: 0.0.0.0
Network Mask: 0.0.0.0
Gateway IP Address: 192.168.1.
Upgrade Firmware
Use this screen to upgrade your VRT-311 / VRT-311S's firmware.
• You must download the required firmware file, and store it on your PC.
• During the upgrade process, all existing Internet connections will be terminated.
• The upgrade process must NOT be interrupted!
Figure 121: Upgrade Firmware Screen
Data – Upgrade Firmware Screen
Upgrade Firmware
VRT-311 / VRT-311S Password: Enter the current password assigned to VRT-311 / VRT-311S.
UPnP
An example UPnP screen is shown below.
Figure 122: UPnP Screen
Data - UPnP Screen
UPnP: Enable UPnP Services, Allow Configuration..., Allow Internet access to be disabled
Enable UPnP Services:
• UPnP (Universal Plug and Play) allows automatic discovery and configuration of equipment attached to your LAN. UPnP is supported by Windows ME, XP, or later.
• If Enabled, this device will be visible via UPnP.
• If Disabled, this device will not be visible via UPnP.
Appendix A Troubleshooting
This Appendix covers the most likely problems and their solutions.
Overview
This chapter covers some common problems that may be encountered while using VRT-311 / VRT-311S and some possible solutions to them. If you follow the suggested steps and VRT-311 / VRT-311S still does not function properly, contact your dealer for further advice.
General Problems
Problem 1: Can't connect to VRT-311 / VRT-311S to configure it.
Solution 2: VRT-311 / VRT-311S processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem you can use the DMZ function. This should work with almost every application, but:
• It is a security risk, since the firewall is disabled.
• Only one (1) PC can use this feature.
Appendix B Specifications
VRT-311 / VRT-311S
Model: VRT-311 / VRT-311S
Dimensions: VRT-311: 170mm(W) * 147mm(D) * 27mm(H); VRT-311S: 148mm(W) * 120mm(D) * 30mm(H)
Operating Temperature: 0° C to 40° C
Storage Temperature: -10° C to 70° C
Network Protocol: TCP/IP
Network Interface: 5 Ethernet: 3 * 10/100BaseT (RJ45) LAN connection, 1 * 10/100BaseT (RJ45) DMZ connection, 1 * 10/100BaseT (RJ45) for WAN
LEDs: 12
Power Adapter: 12 V DC External
FCC Statement
This equipment has been tested and found
FCC Radiation Exposure Statement
This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This device complies with Part 15 of the FCC Rules.