User and maintenance manual for the 3300-ENT product from the manufacturer Netopia
Netopia® Firmware User Guide
Copyright © 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc.
Contents
Chapter 1 — Introduction ... 1-1
What’s New in 8.4 ... 1-1
Telnet-based Management ...
Logging ... 2-38
Chapter 3 — Multiple Network Address Translation ... 3-1
Overview ...
ATMP configuration ... 4-15
Encryption Support ... 4-17
MS-CHAP V2 and 128-bit strong encryption ... 4-18
ATMP/PPTP Default Profile ...
Authentication configuration ... 6-10
Connection Profiles and Default Profile ... 6-15
IP Address Serving ... 6-17
IP Address Pools ...
Simple Network Management Protocol (SNMP) ... 8-10
The SNMP Setup screen ... 8-11
SNMP traps ... 8-12
Chapter 9 — Security ...
TFTP ... 9-44
Chapter 10 — Utilities and Diagnostics ... 10-1
Ping ...
Broadcasts ... B-14
Packet header types ... B-14
Appendix C — Binary Conversion Table ... C-1
Appendix D — Technical Specifications and Safety Information ...
Chapter 1 Introduction
This Firmware User Guide covers the advanced features of the Netopia 3300-Series Router family.
Telnet-based Management
Telnet-based management is a fast menu-driven interface for the capabilities built into the Netopia Firmware Version 8.4. Telnet-based management provides access to a wide variety of features that the Router supports.
provider or remote site. See “WAN Configuration,” beginning on page 2-1. See also Chapter 4, “Virtual Private Networks (VPNs).”
• The System Configuration menus display and permit changing: and more. See “System Configuration Screens,” beginning on page 2-22.
Configuring Telnet software
If you are configuring your device using a Telnet session, your computer must be running a Telnet software program.
• If you connect a PC with Microsoft Windows, you can use a Windows Telnet application or run Telnet from the Start menu.
To help you find your way to particular screens, some sections in this guide begin with a graphical path guide similar to the following example: This particular path guide shows how to get to the Network Protocols Setup screens. The path guide represents these steps: 1.
Chapter 2 WAN and System Configuration
WAN Ethernet Configuration screen
The WAN Ethernet Configuration screen appears as follows:
• Address Translation Enabled allows you to specify whether or not the router performs Network Address Translation (NAT) on the Ethernet WAN port.
• The WAN Ethernet Speed Setting is now configurable via a pop-up menu. Options are: Auto-Negotiation (the default), 100 Mbps Full Duplex, 100 Mbps Half Duplex, 10 Mbps Full Duplex, and 10 Mbps Half Duplex.
If you want the Netopia Router to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2 (broadcast), or v2 (multicast) from the popup menu. With Transmit RIP v1 selected, the Netopia Firmware Version 8.
VCs are identified by a Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI). A VPI is an 8-bit value between 0 and 255, inclusive, while a VCI is a 16-bit value between 0 and 65535, inclusive.
• Circuits support attributes in addition to their VPI and VCI values.
• Enter a name for the circuit in the Circuit Name field.
• Toggle Circuit Enabled to Yes.
• Enter the Virtual Path Identifier and the Virtual Channel Identifier in the Circuit VPI and Circuit VCI fields, respectively.
VBR: This class is characterized by:
• a Peak Cell Rate (PCR), which is a temporary burst, not a sustained rate, and
• a Sustained Cell Rate (SCR),
• a Burst Tolerance (BT), specified in terms of Maximum Burst Size (MBS).
Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will automatically statically bind according to pre-defined dynamic binding rules when you add the second VC.
Creating a New Connection Profile
Connection profiles are useful for configuring the connection and authentication settings for negotiating a PPP connection.
Multiple Data Link Encapsulation Settings
4. Select Encapsulation Options and press Return.
• If you selected ATMP, PPTP, L2TP, or IPSec, see Chapter 4, “Virtual Private Networks (VPNs).”
Return to the Add Connection Profile screen by pressing Escape.
5. Select IP Profile Parameters and press Return. The IP Profile Parameters screen appears.
Datalink (PPP/MP) Options   Data Compression... Standard LZS   Send Authentication.
6. Toggle or enter your IP Parameters. For more information, see:
• “IP Setup” on page 6-2
• “Network Address Translation (NAT)” on page 2-23
• “Stateful I.
• The Receive RIP pop-up menu controls the reception and transmission of Routing Information Protocol (RIP) packets on the WAN port. The default is Both v1 and v2. A Transmit RIP pop-up menu is hidden if NAT is enabled.
Advanced Connection Options
Configuration Changes Reset WAN Connection
The menu supports delaying some configuration changes until after the Netopia Router is restarted.
When you toggle Configuration Changes Reset WAN Connection either to Yes or No using the Tab key and press Return, a pop-up window asks you to confirm your choice. Toggling from Yes to No makes the router ready to be configured.
Viewing scheduled connections
To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen.
• The time of day that the connection will Begin At
• The duration of the connection (HH:MM)
• Whether it’s a recurring Weekly connection or used Once Only
• Which connection profile (Conn.
• Demand-Blocked, meaning that this schedule will prevent a demand call on the line.
• Periodic, meaning that the connection is retried several times during the scheduled time.
• Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per call.
You are finished configuring the once-only options. Return to the Add Scheduled Connection screen to continue.
• In the Add Scheduled Connection screen, select Use Connection Profile and choose from the list of connection profiles you have already created.
The Router will recognize a delay-sensitive packet as having the low-latency bit set in the TOS field of the IP header. If you toggle Prioritize Delay-Sensitive Data to Yes the router will place these packets at the front of the transmission queue to the WAN link, overtaking non-delay-sensitive traffic.
System Configuration Screens
System configuration features
The Netopia Router’s default settings may be all you need to configure. Some users, however, require advanced settings or prefer manual control over the default selections.
IP Setup
These screens allow you to configure your network’s use of the IP networking protocol.
• Details are given in “IP Setup” on page 6-2.
Filter Sets
These screens allow you to configure security on your network by means of filter sets and a basic firewall.
• UDP no-activity time-out: The time in seconds after which a UDP session will be terminated, if there is no traffic on the session.
• TCP no-activity time-out: The time in seconds after which a TCP session will be terminated, if there is no traffic on the session.
Select Stateful Inspection Options and press Return. The Stateful Inspection Parameters screen appears.
• Max. TCP Sequence Number Difference: Enter a value in this field. This value represents the maximum sequence number difference allowed between subsequent TCP packets.
Note: If Stateful Inspection is enabled on a base connection profile (for example, for PPP, RFC1483 bridged/routed, or PPPoE), Enable default mapping to router must be Yes to allow inbound VPN terminations.
Exposed Addresses
You can specify the IP addresses you want to expose by selecting Add Exposed Address List and pressing Return. The Add Exposed Address List screen appears. The Add, Edit, or Delete exposed addresses options are active only if NAT is disabled on a WAN interface.
• Protocol: Select the Protocol of the traffic to be allowed to the host range from the pull-down menu. Options are Any, TCP, UDP, or TCP/UDP.
• Start Port: Start port of the range to be allowed to the host range.
Date and time
You can set the system’s date and time parameters in the Set Date and Time screen. Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears. Follow these steps to set the system’s date and time: 1.
Wireless configuration
If your Router is a wireless model (such as a 3347W) you can enable or disable the wireless LAN by selecting Wireless Configuration. The Wireless Configuration screen appears. Enable Wireless is set to Yes by default.
region. The widest range available is from 1 to 14. However, in North America only 1 to 11 may be selected. Europe, France, Spain and Japan will differ. Channel selection can have a significant impact on performance, depending on other wireless activity close to this Gateway.
The Pre Shared Key field becomes visible to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters, but for best security it should be at least 20 characters. Clients wishing to connect must also be configured to use WPA with this same key.
You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same length, in the identical slot (1 – 4) as the Gateway, in order to successfully receive and decrypt the traffic.
needs to be done once. Avoid the temptation to enter all the same characters.
Default Key (#1 – #4): Specifies which key the Router will use to encrypt transmitted traffic. The default is key #1.
Key (#1 – #4): The encryption keys.
The Wireless MAC Authorization screen appears. To enable Wireless MAC Authorization, toggle Enable MAC Authentication to Yes. You can toggle it to No to disable it at any time. Select Add MAC Address and press Return.
Your entry will be added to a list of up to 32 authorized addresses. To display the list of authorized MAC addresses, select Display/Change MAC Addresses from the Authorized Wireless MAC Addresses menu. The list is displayed as shown below.
Change Device to a Bridge
For Netopia DSL Routers, this feature allows you to turn off the routing features and use your device as a bridge. It is not an option for Ethernet WAN models. If you select this option, the device will restart itself, and reset all the settings to factory defaults.
You can reinstate Router mode by returning to the System Configuration menu. Select Change Device to a Router. Press Return, confirm your choice, and the device will restart in router mode.
The Logging Configuration screen appears. By default, all events are logged in the event history.
• By toggling each event descriptor to either Yes or No, you can determine which ones are logged and which are ignored.
You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in the Logging Configuration screen. The following screen shows a sample syslog dump of WAN events: May 5 10:14:06 tsnext.
Chapter 3 Multiple Network Address Translation
Features
MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on a per-Connection Profile basis.
Dynamic mapping
Dynamic mapping, often referred to as many-to-few, offers an extension to the advantages provided by static mapping.
Exterior addresses are allocated to internal hosts on a demand, or as-needed, basis and then made available when traffic from that host ceases. Once an internal host has been allocated an address, it will use that address for all traffic.
Complex maps
Map lists and server lists are completely independent of each other. A Connection Profile can use one or the other or both. MultiNAT allows complex mapping and requires more complex configuration than in earlier firmware versions.
Support for Yahoo Messenger
Netopia Firmware Version 8.4 provides Application Level Gateway (ALG) support for Yahoo Messenger.
The two map lists, Easy-PAT List and Easy-Servers, are created by default and NAT configuration becomes effective. This will map all your private addresses (0.0.0.0 through 255.255.255.255) to your public address.
Select Network Address Translation (NAT) and press Return. The Network Address Translation screen appears. Public Range defines an external address range and indicates what type of mapping to apply when using this range. The types of mapping available are dynamic, static and pat.
NAT rules
The following rules apply to assigning NAT ranges and server lists:
• Static public address ranges must not overlap other static, PAT, public addresses, or the public address assigned to the Router’s WAN interface.
Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range.
• Select ADD NAT PUBLIC RANGE and press Return.
• Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
• Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have defined.
• The Add NAT Map screen now displays the range you have assigned.
• Select ADD NAT MAP and press Return. Your mapping is added to your map list.
Modifying map lists
You can make changes to an existing map list after you have created it.
The Show/Change NAT Map List screen appears.
• Add Map allows you to add a new map to the map list.
• Show/Change Maps allows you to modify the individual maps within the list.
• Delete Map allows you to delete a map from the list.
The Change NAT Map screen appears. Make any modifications you need and then select CHANGE NAT MAP and press Return. Your changes will become effective and you will be returned to the Show/Change NAT Map List screen.
Change NAT Map ("my_map")   First Private Address: 192.
Adding Server Lists
Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list.
• Select Service and press Return. A pop-up menu appears listing a selection of commonly exported services.
• Choose the service you want to export and press Return. You can choose a preconfigured service from the list, or define your own by selecting Other.
• Enter the First and Last Port Number between ports 1 and 65535. Select OK and press Return. You will be returned to the Add NAT Server screen.
• Enter the Server Private IP Address of the server whose service you are exporting.
• Select the Server List Name you want to modify from the pop-up menu and press Return. The Show/Change NAT Server List screen appears.
• Selecting Show/Change Server or Delete Server displays the same pop-up menu.
Network Address Translation   +-NAT Server List Name-+   +----------------------+   A| my_servers |   S| |.
Select any server from the list and press Return. The Change NAT Server screen appears. You can make changes to the server’s service and port or internal or external address. Select CHANGE NAT SERVER and press Return.
A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.
Binding Map Lists and Server Lists
Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile.
• Select the map list you want to bind to this Connection Profile and press Return. The map list you selected will now be bound to this Connection Profile.
• Select NAT Server List and press Return. A pop-up menu displays a list of your defined server lists.
IP Parameters (WAN Default Profile)
The Netopia Firmware Version 8.4 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile.
• Select the map list you want to bind to the default profile and press Return. The map list you selected will now be bound to the default profile.
• Select NAT Server List and press Return. A pop-up menu displays a list of your defined server lists.
NAT Associations
Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection because map and server lists must be linked to a profile that controls the WAN interface.
• Select the list name you want to assign and press Return again. Your selection will then be associated with the corresponding profile or interface.
IP Passthrough
Netopia Firmware Version 8.4 offers an IP passthrough feature. The IP passthrough feature allows for a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.
The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown. If you select NAT Options, in either case, the NAT Options screen appears. If you toggle IP Passthrough Enabled to Yes, additional field(s) appear.
Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. This is an editable field in which you can enter the MAC (hardware) address of the designated PC, to be used as the DHCP Client Identifier for dynamic address reservation.
A restriction
Since both the router and the passthrough host will use the same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host.
MultiNAT Configuration Example
To help you understand a typical MultiNAT configuration, this section describes an example of the type of configuration you may want to implement on your site. The values shown are for example purposes only.
Enter your ISP-supplied values as shown below. Select NEXT SCREEN and press Return. Your IP values are shown here. Then navigate to the Network Address Translation (NAT) screen.
Connection Profile 1: Easy Setup Profile   Connection Profile Name: Easy Setup Profile   Address Translation Enabled: Yes   IP Addressing.
Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT.
Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen. Next, select Show/Change Map List and choose Easy-PAT List. Select Add Map. The Add NAT Map screen appears. (Now the name Easy-PAT List is a misnomer since it has a static map included in its list.
• First, navigate to the Show/Change Map List screen, select Easy-PAT List and then Show/Change Maps. Choose the Static Map you created and change the First Private Address from 192.168.1.1 to 192.168.1.
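As an added illustration of the map list built in this example (not code from the guide or from Netopia), the Python model below walks a static map placed ahead of the catch-all pat map and enforces the NAT rule that a static public range must not overlap another public range or the WAN address. The public PAT address 206.1.1.6 and the private host 192.168.1.1 are the guide's example values; the static public address 206.1.1.7, the per-flow PAT port allocation starting at 1024, and all class and function names are assumptions made for this demo.

```python
"""Model of a MultiNAT map list: a static (one-to-one) map beside a PAT map.

Added illustration, not Netopia's NAT code. It follows the rules the guide
states: maps are consulted in list order, a static map translates each private
address to the public address at the same offset, a pat map translates every
remaining private host to one public address and rewrites the source port, and
a static public range must not overlap another map's public range or the
router's own WAN address. 206.1.1.6 and 192.168.1.1 come from the guide's
example; the static public address 206.1.1.7 is constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass(frozen=True)
class NatMap:
    kind: str            # "static" or "pat"
    first_private: str
    last_private: str
    first_public: str
    last_public: str

    @property
    def private_range(self) -> Tuple[int, int]:
        return _ip(self.first_private), _ip(self.last_private)

    @property
    def public_range(self) -> Tuple[int, int]:
        return _ip(self.first_public), _ip(self.last_public)

    def covers(self, private_ip: str) -> bool:
        lo, hi = self.private_range
        return lo <= _ip(private_ip) <= hi


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


class NatMapList:
    """Ordered map list bound to one WAN interface."""

    PAT_FIRST_PORT = 1024   # constructed starting port for PAT flows

    def __init__(self, name: str, maps, wan_address: str):
        self.name = name
        self.maps = list(maps)
        self.sessions = {}    # (private ip, port) -> (public ip, port)
        self.next_port = {}   # public ip -> next unused PAT port
        self._check_rules(_ip(wan_address))

    def _check_rules(self, wan: int) -> None:
        """Reject static maps that break the guide's overlap rule."""
        for i, m in enumerate(self.maps):
            if m.kind != "static":
                continue
            lo, hi = m.public_range
            plo, phi = m.private_range
            if hi - lo != phi - plo:
                raise ValueError(f"static map {m.first_private}: ranges differ in size")
            if lo <= wan <= hi:
                raise ValueError(f"static map {m.first_private} overlaps the WAN address")
            for j, other in enumerate(self.maps):
                if i != j and ranges_overlap(m.public_range, other.public_range):
                    raise ValueError(f"static map {m.first_private} overlaps {other.kind} map")

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Outbound translation: (public ip, public port), or None if unmapped."""
        for m in self.maps:
            if not m.covers(src_ip):
                continue
            if m.kind == "static":
                offset = _ip(src_ip) - m.private_range[0]
                return str(IPv4Address(m.public_range[0] + offset)), src_port
            key = (src_ip, src_port)
            if key not in self.sessions:        # allocate one public port per flow
                pub = m.first_public
                port = self.next_port.get(pub, self.PAT_FIRST_PORT)
                self.next_port[pub] = port + 1
                self.sessions[key] = (pub, port)
            return self.sessions[key]
        return None


def example_map_list() -> NatMapList:
    """The guide's Easy-PAT List after a static map is added ahead of the
    catch-all pat map (0.0.0.0 through 255.255.255.255 -> 206.1.1.6)."""
    static = NatMap("static", "192.168.1.1", "192.168.1.1", "206.1.1.7", "206.1.1.7")
    pat = NatMap("pat", "0.0.0.0", "255.255.255.255", "206.1.1.6", "206.1.1.6")
    return NatMapList("Easy-PAT List", [static, pat], wan_address="206.1.1.6")


def static_on_pat_address_rejected() -> bool:
    """True if a static map reusing the PAT/WAN address 206.1.1.6 is refused."""
    bad = NatMap("static", "192.168.1.1", "192.168.1.1", "206.1.1.6", "206.1.1.6")
    pat = NatMap("pat", "0.0.0.0", "255.255.255.255", "206.1.1.6", "206.1.1.6")
    try:
        NatMapList("bad", [bad, pat], wan_address="206.1.1.6")
    except ValueError:
        return True
    return False
```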
Chapter 4 Virtual Private Networks (VPNs)
Netopia Firmware Version 8.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the Routers are said to be tunnelling through the public network (Internet).
leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. The Netopia Firmware Version 8.4 supports the more secure Tunnel mode.
About PPTP Tunnels
To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner. You use the same procedure to initiate a PPTP tunnel that terminates at a remote PPTP server or to terminate a tunnel initiated by a remote PPTP client.
When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears.
• Enter the PPTP Partner IP Address.
Note: Netopia Firmware Version 8.4 supports 128-bit (“strong”) encryption. Unlike MS-CHAP version 1, which supports one-way authentication, MS-CHAP version 2 supports mutual authentication between connected gateways and is incompatible with MS-CHAP version 1 (MS-CHAP-V1).
The IP Profile Parameters screen appears.
• Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
About IPsec Tunnels
IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer.
About L2TP Tunnels
L2TP stands for Layer 2 Tunnelling Protocol, an extension to the PPP protocol. L2TP combines features of two other tunneling protocols: PPTP and L2F. Like PPTP, L2TP is a Datalink Encapsulation option in Connection Profiles.
When you define a Connection Profile as using L2TP by selecting L2TP as the datalink encapsulation method, and then select Encapsulation Options, the L2TP Tunnel Options screen appears.
• Enter the L2TP Partner IP Address.
• You can specify that this Router will Initiate Connections (acting as a PAC) or only answer them (acting as a PNS).
• Tunnels are normally initiated On Demand; however, you can disable this feature.
About GRE Tunnels
Generic Routing Encapsulation (GRE) protocol is another form of tunneling that Netopia routers support. A GRE tunnel is brought up when a valid GRE profile is installed, and brought down when the profile is disabled or deleted.
• Enter a GRE Partner IP Address in standard dotted-quad format to specify the address of the other end of the tunnel.
• You can optionally toggle Send Checksums to Yes to verify that no data corruption or loss is incurred in transmission.
The IP Profile Parameters screen appears.
• Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
• Press Escape to return to the Add Connection Profile screen, select COMMIT and press Return.
VPN force-all
GRE tunnelling supports “VPN force-all,” which forces all traffic coming from the LAN onto the GRE tunnel.
About ATMP Tunnels
To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them.
When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears.
Note: An ATMP tunnel cannot be assigned a dynamic IP address by the remote server, as in a PPP connection.
• You can specify that this Router will Initiate Connections, acting as a foreign agent (Yes), or only answer them, acting as a home agent (No).
• Tunnels are normally initiated On Demand; however, you can disable this feature.
MS-CHAP V2 and 128-bit strong encryption
Notes:
• Netopia Firmware Version 8.4 supports 128-bit (“strong”) encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia Routers you can optionally set 56-bit DES encryption.
• Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections or No (the default) if you do not.
• For PPTP tunnel connections only, you must define what type of authentication these connections will use.
VPN QuickView
You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView. The VPN QuickView screen appears.
Profile Name: Lists the name of the Connection Profile being used, if any.
Dial-Up Networking for VPN
Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site.
The Communications window appears.
5. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button.
6. Respond to the prompts to install Dial-Up Networking from the system disks or CD-ROM.
Configuring a Dial-Up Networking profile
Once you have created your Dial-Up Networking profile, you configure it for TCP/IP networking to allow you to connect to the Internet through your Internet connection device.
4. Click the TCP/IP Settings button.
• If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address radio button.
• If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your assigned IP address in the fields provided.
For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 must be allowed. Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for port 5150 must be allowed.
PPTP example
To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723. The source port may be dynamic, so often it is not useful to apply a compare function upon this portion of the control/negotiation packets.
In the Display/Change Filter Set screen select Display/Change Output Filter.
Display/Change Output Filter screen
Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below.
Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown below.
ATMP example
To enable a firewall to allow ATMP traffic, you must provision the firewall to allow inbound and outbound UDP packets specifically destined for port 5150.
Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below. Select Input Filter 2 and press Return. In the Change Input Filter 2 screen, set the Protocol Type to allow GRE as shown below.
In the Display/Change Filter Set screen select Display/Change Output Filter.
Display/Change Output Filter screen
Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below.
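To show what the PPTP and ATMP filter sets above actually let through, here is an added Python model of the two filter lists (it is not the router's filter engine and not code from the guide). Filter 1 is the negotiation port (TCP 1723 for PPTP, UDP 5150 for ATMP), filter 2 allows GRE, the same pair is installed in the input and output lists, and the source port is not compared, as the guide advises; the IP protocol numbers 6, 17 and 47, the class names and the sample packets are assumptions made for the demo.

```python
"""Packet-filter check for the PPTP and ATMP filter sets described above.

Added illustration, not Netopia's filter engine. A filter set holds input and
output filters; a filter names an IP protocol and, for TCP/UDP, a destination
port. As the guide notes, the source port is dynamic and is not compared.
PPTP needs TCP to port 1723 plus GRE; ATMP needs UDP to port 5150 plus GRE.
Anything no filter permits is denied. Protocol numbers 6/17/47 are the IANA
values; the sample packets at the bottom are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723
ATMP_PORT = 5150


@dataclass(frozen=True)
class Filter:
    protocol: int
    dst_port: Optional[int] = None  # None: no port compare (GRE has no ports)

    def matches(self, protocol: int, dst_port: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (from the WAN) or "out" (to the WAN)
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


class FilterSet:
    """Two ordered filter lists; first match permits, no match denies."""

    def __init__(self, name, input_filters, output_filters):
        self.name = name
        self.input_filters = list(input_filters)
        self.output_filters = list(output_filters)

    def permits(self, pkt: Packet) -> bool:
        filters = self.input_filters if pkt.direction == "in" else self.output_filters
        return any(f.matches(pkt.protocol, pkt.dst_port) for f in filters)


def vpn_filter_set(kind: str) -> FilterSet:
    """Builds the filter set for 'pptp' or 'atmp' as the guide lays it out:
    filter 1 is the control/negotiation port, filter 2 allows GRE, and the
    same two filters are installed in both the input and output lists."""
    if kind == "pptp":
        rules = [Filter(PROTO_TCP, PPTP_CONTROL_PORT), Filter(PROTO_GRE)]
    elif kind == "atmp":
        rules = [Filter(PROTO_UDP, ATMP_PORT), Filter(PROTO_GRE)]
    else:
        raise ValueError(f"unknown VPN type {kind!r}")
    return FilterSet(kind, rules, rules)


def audit(fs: FilterSet, packets):
    """Returns (permitted, denied) lists so a change to the set can be reviewed."""
    permitted = [p for p in packets if fs.permits(p)]
    denied = [p for p in packets if not fs.permits(p)]
    return permitted, denied


# Constructed sample traffic: a PPTP control setup in each direction, its GRE
# data, an ATMP negotiation packet and a stray inbound Telnet attempt (TCP 23).
SAMPLE = [
    Packet("in", PROTO_TCP, src_port=49152, dst_port=PPTP_CONTROL_PORT),
    Packet("out", PROTO_TCP, src_port=49153, dst_port=PPTP_CONTROL_PORT),
    Packet("in", PROTO_GRE),
    Packet("in", PROTO_UDP, src_port=5150, dst_port=ATMP_PORT),
    Packet("in", PROTO_TCP, src_port=40000, dst_port=23),
]

if __name__ == "__main__":
    for kind in ("pptp", "atmp"):
        ok, bad = audit(vpn_filter_set(kind), SAMPLE)
        print(f"{kind}: permitted {len(ok)}, denied {len(bad)}")
```

The Telnet packet is denied by both sets, which is the point of a default-deny filter set: only the negotiation port and GRE are opened.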
Virtual Private Networks (VPNs) 4-31 Windows Netw orking Broadcasts Netopia fir mware provides the ability to for war d Windows Networking NetBIOS broadcasts.
4-32 Firmware User Guide Configuration for Router A Configuration for Router B IP Profile Parameters Address Translation Enabled: No Remote IP Address: 192.168.2.1 Remote IP Mask: 255.255.255.0 Filter Set... Remove Filter Set NetBIOS Proxy Enabled Yes RIP Profile Options.
Virtual Private Networks (VPNs) 4-33 Note: Microsoft Network br owsing is available with or without a Windows Internet Name Ser vice (WINS) ser ver . Shar ed volumes on the remote network are accessible with or without a WINS ser ver .
Chapter 5 Internet Key Exchange (IKE) IPsec Key Management for VPNs

The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection.

The Add Connection Profile screen appears.
• From the Encapsulation Type pop-up menu, select IPsec.
• Then select Encapsulation Options. The IPsec Tunnel Options screen appears. For Key Management you can use either IKE or Manual.
• A pop-up window displays a list of IKE Phase 1 Profiles that you have configured. If you have not previously configured an IKE Phase 1 Profile, the selection ADD PH1 PROFILE allows you to do that now.
• The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 profiles are supported, since each of the potential sixteen Connection Profiles may be associated with a separate IKE Phase 1 profile.

Normally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen. Most of these settings exist to ensure compatibility with remote IKE implementations that may have certain limitations.
• Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE Phase 1 messages.
• Independent Phase 2 Re-keys toggles whether or not a Phase 2 re-key requires a Phase 1 re-key.

Selecting Delete IKE Phase 1 Profile and choosing an IKE Phase 1 profile name from the pop-up list displays a confirmation alert asking you to confirm that you really want to delete the specified IKE Phase 1 profile.

Key Management

You specify your IKE key management on a per-Connection Profile basis. A Change Connection Profile screen is shown below.

Note: The Change Connection Profile screen will offer different options, depending on the model of gateway you are using.

The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows you to choose between IKE key management (the default for a new IPsec profile) and Manual key management.
• The ESP Authentication Transform pop-up menu (visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1-96. With None, the ESP payload carries no integrity check, so a packet altered in transit is not detected; choose one of the HMAC transforms unless AH is providing the authentication.
• Maximum Packet Size permits you to modify the MTU setting for the tunnel. Some ISPs require a setting of, for example, 1492 (or another value). The default of 1500 is the most common, and you usually do not need to change it unless otherwise instructed.

The defaults are 5 seconds and 90 seconds, respectively. You may adjust these to suit your network's tolerances.

Note:
• ICMP Dead Peer Detection is not available when using manual re-keying.
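The ESP Authentication Transform setting above decides whether a tunnel packet can be altered in transit without detection. The following added example, which is not Netopia firmware code, builds and verifies the ESP integrity check value (ICV) for HMAC-MD5-96 and HMAC-SHA1-96 and shows what selecting None gives up. It assumes the ESP packet layout of RFC 2406 (SPI, sequence number, encrypted payload, ICV over everything before it); the cipher itself is left out, so the ciphertext and the key are constructed stand-ins.

```python
"""ESP integrity check value (ICV) for the HMAC-MD5-96 and HMAC-SHA1-96
transforms offered on the IPsec Tunnel Options screen.

Added example, not Netopia firmware code. It assumes the ESP layout of
RFC 2406: SPI (4 bytes) || sequence number (4) || encrypted payload || ICV,
with the ICV computed over everything before it and truncated to 96 bits.
The cipher is out of scope, so the "ciphertext" is an opaque constructed
byte string, and the key below is constructed too.
"""
import hashlib
import hmac
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, sequence number
ICV_LEN = 12                        # the "-96" in the transform name: 96 bits

TRANSFORMS = {
    "None": None,                   # no authentication at all
    "HMAC-MD5-96": hashlib.md5,
    "HMAC-SHA1-96": hashlib.sha1,
}


def icv_len(transform: str) -> int:
    return 0 if TRANSFORMS[transform] is None else ICV_LEN


def esp_icv(transform: str, auth_key: bytes, authenticated: bytes) -> bytes:
    """Full-length HMAC over header plus payload, keeping the first 96 bits."""
    digestmod = TRANSFORMS[transform]
    if digestmod is None:
        return b""
    return hmac.new(auth_key, authenticated, digestmod).digest()[:ICV_LEN]


def build_esp(transform: str, auth_key: bytes, spi: int, seq: int,
              ciphertext: bytes) -> bytes:
    """Sender side: header, payload, then the ICV over both."""
    body = ESP_HEADER.pack(spi, seq) + ciphertext
    return body + esp_icv(transform, auth_key, body)


def verify_esp(transform: str, auth_key: bytes, packet: bytes):
    """Receiver side: returns (spi, seq, ciphertext), or None when the ICV
    does not match. The ICV check happens before anything is decrypted."""
    n = icv_len(transform)
    if len(packet) < ESP_HEADER.size + n:
        return None
    body, icv = packet[:len(packet) - n], packet[len(packet) - n:]
    # compare_digest does not leak, through timing, which byte mismatched
    if not hmac.compare_digest(icv, esp_icv(transform, auth_key, body)):
        return None
    spi, seq = ESP_HEADER.unpack_from(body)
    return spi, seq, body[ESP_HEADER.size:]


def tamper_detected(transform: str, auth_key: bytes, packet: bytes,
                    byte_index: int) -> bool:
    """Flip one bit of the packet; True if verification then rejects it."""
    flipped = bytearray(packet)
    flipped[byte_index] ^= 0x01
    return verify_esp(transform, auth_key, bytes(flipped)) is None


if __name__ == "__main__":
    key = b"constructed-esp-auth-key"        # not a real key
    ct = b"opaque ciphertext bytes"          # stands in for the encrypted payload
    for name in TRANSFORMS:
        pkt = build_esp(name, key, 0x1001, 1, ct)
        print(f"{name:13s} ICV bytes={icv_len(name):2d} "
              f"tamper detected={tamper_detected(name, key, pkt, 12)}")
```

The 96 in the transform name is the truncation: only the first 12 bytes of the 16-byte MD5 or 20-byte SHA-1 HMAC go on the wire, which is why both transforms add the same 12 bytes to every packet. The receiver checks the ICV before decrypting, using a constant-time comparison, so a forged or modified packet is dropped without revealing which byte of the ICV was wrong; with None there is nothing to check and the same modification passes.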
Advantages of Multiple Network IPsec are:
• scalability
• flexibility, by adding any combination of remote/local network ranges
• support for sub-netting, host and ne.

Last Address. You supply these values. Complete the Local Member 1st Address and Local Member Last Address fields.
• If you choose Host Address, you need only supply the Remote Member Address and the Local Member Address; the other fields are hidden.
• Scroll down and up with the arrow keys to select the one you want to change, and press Return. You will be returned to the Network Configuration screen, where you can make any required changes.
• If you select Delete Network in the IP Profile Parameters screen, the same scrolling list is displayed.
• Specifying IKE key management alters the Advanced IP Profile Options screen as follows:
• You can specify a Local Tunnel Endpoint Address. If not 0.0.0.0, this value must be one of the assigned interface addresses, either WAN or LAN.

IPsec WAN Configuration Screens

You can also configure IKE Phase 1 Profiles in the WAN Configuration menus. The WAN Configuration screen now includes IKE Phase 1 Configuration as shown. Select IKE Phase 1 Configuration and press Return.

The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile.

Select IPsec Manual Keys and press Return. Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen displays different entry fields for the authentication keys and encryption keys.

If the remote tunnel end point is a hostname (or “0.0.0.0”), 0.0.0.0 is displayed until a Security Association is established.

IKE: no matching ph2 proposal
  Either the local Router rejected the proposals of the remote, or the remote rejected the local Router's.
IKE: ph2 resend timeout
  The attempt to resend the phase 2 authentication timed out.
IKE: phase 2 complete
  The phase 2 negotiation completed successfully.
Chapter 6 IP Setup

The Netopia Firmware Version 8.4 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the gateway to route IP traffic.

IP Setup

The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here controls how the gateway routes IP traffic.

The Netopia Firmware Version 8.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP.

that the addresses distributed by the Router and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from.

For example:
• To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows move up to fill the vacant fields.

If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly: the IP address and Subnet mask items are hidden, and the Define Additional Subnets.

The Static Routes screen will appear.

Viewing static routes

To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear. The table has the following columns:
Dest. Network: The network IP address of the destination network.
Subnet Mask: The subnet mask associated with the destination network.
Next Gateway: The IP address of the gateway that will be used to reach the destination network.
Priority: An indication of whether the Router will use the static route when it conflicts with information received from RIP packets.

• To make sure that the static route is known only to the Router, select Advertise Route Via RIP and toggle it to No. To allow other RIP-capable gateways to know about the static route, select Advertise Route Via RIP and toggle it to Yes.

RIP-2 MD5 Authentication

Firmware version 5.3.7 supports RIP-2 MD5 Authentication (RFC 2082, RIP-2 MD5 Authentication, for Routing Information Protocol version 2). The purpose of MD5 authentication is to provide an additional level of confidence that a RIP packet received was generated by a reliable source. Without it, any host that can reach the interface can inject or alter routes simply by sending RIP packets.

• Select RIP Options. The Ethernet LAN RIP Options screen appears.
• Select Receive RIP, and from the pull-down menu choose v2 MD5 Authentication.

IP Setup
  Ethernet IP Address: 192.168.1.1
  Ethernet Subnet Mask: 255.255.255.0
  Define Additional Subnets...

• You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pull-down menu.
• RIP v2 Authentication Keys is visible only if v2 MD5 Authentication is enabled for either Receive or Transmit RIP.
• Select RIP v2 Authentication Keys. The RIP v2 Authentication Keys screen appears.

Adding a key

Select Add Key. The Add Key screen appears.
• The key identifier Key ID can be any numeric value from 0 to 255, and must be unique per interface.
• The Start Date and End Date formats are determined by the System Date Format, set on the Set Date and Time menu under the System Configuration menus.
• The Start Time and End Time formats are determined by the System Time Format.

Connection Profiles and Default Profile

RIP-2 MD5 authentication may be configured in Connection Profiles as well. If you are not using NAT, your public Internet connection can benefit from sending authenticated RIP packets as well as receiving them.
• Receive RIP is always visible. Here you select Off, v1, v2, Both v1 and v2, or v2 MD5 Authentication from the pull-down menu. For MD5 authentication, you must select v2 MD5 Authentication.
• If NAT is disabled, Transmit RIP is visible.
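The key entry above (Key ID, secret, Start/End date and time) maps directly onto the RFC 2082 message format that the router and its RIP neighbours exchange. The following added example, which is not Netopia firmware code, signs a RIP-2 response and verifies one, so that the effect of each field can be seen: an unknown or expired Key ID, a lower sequence number, or a modified route entry all cause the update to be dropped. The message layout follows RFC 2082; the secrets, validity windows and routes are constructed for the example.

```python
"""RIP-2 MD5 authentication (RFC 2082) as set up on the RIP v2 Authentication
Keys screen: a Key ID in 0..255, a secret, and a Start/End validity window.

Added example, not Netopia firmware code. Layout follows RFC 2082: a 4-byte
RIP header, a 20-byte authentication entry (0xFFFF, type 3, packet length,
Key ID, auth length 16, sequence number, 8 reserved bytes), the route
entries, and a 20-byte trailer (0xFFFF, 0x0001, 16-byte digest). The digest
is MD5 over everything up to and including the trailer's 4-byte head with
the zero-padded 16-byte key appended. Secrets, dates and routes below are
constructed for the example; times are ISO strings like the screen fields.
"""
import hashlib
import hmac
import struct
from datetime import datetime
from ipaddress import IPv4Address

AUTH_FAMILY = 0xFFFF
AUTH_TYPE_MD5 = 3
AUTH_TRAILER = 1
KEY_LEN = 16
HEADER = struct.Struct("!BBH")            # command, version, routing domain
AUTH_ENTRY = struct.Struct("!HHHBBI8x")   # 20 bytes
ROUTE = struct.Struct("!HH4s4s4sI")       # AFI, tag, prefix, mask, next hop, metric
TRAILER_HEAD = struct.Struct("!HH")


class Key:
    """One row of the RIP v2 Authentication Keys screen."""
    def __init__(self, key_id, secret, start, end):
        if not 0 <= key_id <= 255:
            raise ValueError("Key ID must be 0-255")
        self.key_id = key_id
        self.secret = secret[:KEY_LEN].ljust(KEY_LEN, b"\x00")  # RFC 2082 zero padding
        self.start = datetime.fromisoformat(start)
        self.end = datetime.fromisoformat(end)

    def valid_at(self, when: str) -> bool:
        return self.start <= datetime.fromisoformat(when) <= self.end


def route_entry(prefix, mask, next_hop, metric, tag=0) -> bytes:
    pack = lambda a: IPv4Address(a).packed
    return ROUTE.pack(2, tag, pack(prefix), pack(mask), pack(next_hop), metric)


def _digest(signed_part: bytes, key: Key) -> bytes:
    return hashlib.md5(signed_part + key.secret).digest()


def sign_rip2(routes, key: Key, seq: int) -> bytes:
    """Build an authenticated RIP-2 response carrying the given 20-byte routes."""
    packet_len = HEADER.size + AUTH_ENTRY.size + ROUTE.size * len(routes)
    body = (HEADER.pack(2, 2, 0)
            + AUTH_ENTRY.pack(AUTH_FAMILY, AUTH_TYPE_MD5, packet_len,
                              key.key_id, KEY_LEN, seq)
            + b"".join(routes)
            + TRAILER_HEAD.pack(AUTH_FAMILY, AUTH_TRAILER))
    return body + _digest(body, key)


def verify_rip2(datagram: bytes, keys: dict, now: str, last_seq=None):
    """Return the route entries if the datagram is authentic, else None.
    keys: dict Key ID -> Key. last_seq: last accepted sequence number from
    this neighbour; a lower one is treated as a replay."""
    if len(datagram) < HEADER.size + AUTH_ENTRY.size + TRAILER_HEAD.size + KEY_LEN:
        return None
    family, atype, packet_len, key_id, auth_len, seq = AUTH_ENTRY.unpack_from(
        datagram, HEADER.size)
    if (family, atype, auth_len) != (AUTH_FAMILY, AUTH_TYPE_MD5, KEY_LEN):
        return None
    if packet_len + TRAILER_HEAD.size + KEY_LEN != len(datagram):
        return None
    key = keys.get(key_id)
    if key is None or not key.valid_at(now):
        return None                     # unknown key, or outside Start/End window
    if last_seq is not None and seq < last_seq:
        return None                     # replayed or reordered update
    if TRAILER_HEAD.unpack_from(datagram, packet_len) != (AUTH_FAMILY, AUTH_TRAILER):
        return None
    signed_part = datagram[:packet_len + TRAILER_HEAD.size]
    if not hmac.compare_digest(datagram[packet_len + TRAILER_HEAD.size:],
                               _digest(signed_part, key)):
        return None
    return [datagram[i:i + ROUTE.size]
            for i in range(HEADER.size + AUTH_ENTRY.size, packet_len, ROUTE.size)]
```

Because the Key ID travels in the clear, the receiver can select the right secret without trying them all, which is what makes overlapping validity windows workable for key rollover: keep the old key's End Date past the new key's Start Date, and updates signed with either are accepted during the overlap. The sequence number check is what stops a captured, correctly signed update from being replayed later.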
IP Address Serving

In addition to being a gateway, the Router is also an IP address server. There are three protocols it can use to distribute IP addresses.

Follow these steps to configure IP Address Serving:
• If you enabled IP Address Serving, then DHCP, BootP clients and Dynamic WAN clients are automatically enabled.
• The IP Address Serving Mode pop-up menu allows you to choose the way in which the Router will serve IP addresses.

If you have configured multiple Ethernet IP subnets, the appearance of the IP Address Serving screen is altered slightly: three menu items are hidden, and Configure Address Pools... appears instead. If you select Configure Address Pools.

IP Address Pools

The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight configured Ethernet IP subnets. This screen consists of between two and eight rows of four columns each.

Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular client in all circumstances.

• To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes.
• From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network.
• To serve DHCP clients with the NetBIOS scope, select Serve NetBIOS Scope and toggle it to Yes.

Select NetBIOS Name Server IP Addr and enter the IP address for the NetBIOS name server. You are now finished setting up DHCP NetBIOS Options. To return to the IP Address Serving screen, press Escape.
• To enable BootP's address serving capability, select Serve BOOTP Clients and toggle to Yes.

• The ability to view the host name associated with a client to which the gateway has leased an IP address.
• The ability for the gateway's Ethernet IP address(es) to overlap the DHCP address serving pool(s).
• The ability to serve as a DHCP Relay Agent.

You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses. Once you select an entry, pressing Return displays an action pop-up menu that lists operations that can be performed on that entry.

Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased.

An IP address is marked declined when a client to whom the DHCP server offers the address declines it. A client declines an address if it determines that the leased address is already in use by another device.

DHCP Relay Agent

The Netopia Firmware Version 8.4 offers DHCP Relay Agent functionality, as defined in RFC 1542. A DHCP relay agent is a computer system or a gateway tha.

Select IP Address Serving and press Return. The IP Address Serving screen appears. Select IP Address Serving Mode. The pop-up menu offers the choices of Disabled, DHCP Server (the default), and DHCP Relay Agent. If you select DHCP Relay Agent and press Return, the screen changes as shown below.

Now you can enter the IP address(es) of your remote DHCP server(s), such as might be located in your company's corporate headquarters. Each time you enter an IP address and press Return, an additional field appears. You can enter up to four DHCP server addresses.
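What the relay agent actually does with a client's broadcast once those server addresses are entered is defined in RFC 1542 section 4. The following added example, which is not the Netopia implementation, models that behaviour: a request from the LAN gets its hops count incremented and the relay's own LAN address written into giaddr (unless an earlier relay already did so), is dropped if it has looped too many times, and is copied to each configured server; a reply is accepted only if its giaddr names this relay, and is then delivered to the client by unicast or broadcast depending on ciaddr and the broadcast flag. The BOOTP header layout is from RFC 951/2131; the hop threshold, addresses, MAC and packets are constructed for the example.

```python
"""DHCP relay agent behaviour (RFC 1542 section 4) behind the DHCP Relay Agent
serving mode: client requests from the LAN are forwarded to up to four remote
DHCP servers, and server replies are delivered back to the client.

Added example, not the Netopia implementation. It models the fixed BOOTP
header (RFC 951/2131) and only the fields a relay touches: op, hops, flags,
ciaddr, yiaddr, giaddr. The hop threshold, addresses, MAC and packets are
constructed for the example.
"""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
SERVER_PORT, CLIENT_PORT = 67, 68
MAX_SERVERS = 4                 # the IP Address Serving screen accepts up to four
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ANY = b"\x00\x00\x00\x00"
BROADCAST = b"\xff\xff\xff\xff"

HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed header
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")


def ip(addr: str) -> bytes:
    return IPv4Address(addr).packed


class Bootp:
    def __init__(self, raw: bytes):
        for name, value in zip(FIELDS, HEADER.unpack_from(raw)):
            setattr(self, name, value)
        self.options = raw[HEADER.size:]

    def pack(self) -> bytes:
        return HEADER.pack(*(getattr(self, f) for f in FIELDS)) + self.options


def build_bootp(op, xid, mac, flags=0, hops=0, ciaddr="0.0.0.0",
                yiaddr="0.0.0.0", giaddr="0.0.0.0") -> bytes:
    """Constructed test message: Ethernet client, minimal option field."""
    return HEADER.pack(op, 1, 6, hops, xid, 0, flags, ip(ciaddr), ip(yiaddr),
                       ANY, ip(giaddr), mac.ljust(16, b"\x00"),
                       b"\x00" * 64, b"\x00" * 128) + MAGIC_COOKIE + b"\xff"


class RelayAgent:
    def __init__(self, lan_address: str, servers, hop_threshold: int = 4):
        if not 1 <= len(servers) <= MAX_SERVERS:
            raise ValueError("configure one to four DHCP servers")
        self.lan_address = ip(lan_address)
        self.servers = list(servers)
        self.hop_threshold = hop_threshold   # RFC 1542 default 4, never above 16

    def relay_request(self, raw: bytes):
        """Client -> servers. Returns [(server, port, datagram)], or [] if dropped."""
        msg = Bootp(raw)
        if msg.op != BOOTREQUEST or msg.hops >= self.hop_threshold:
            return []                        # wrong direction, or looping
        msg.hops += 1
        if msg.giaddr == ANY:
            msg.giaddr = self.lan_address    # first relay records the client's subnet
        out = msg.pack()                     # a later relay leaves giaddr untouched
        return [(server, SERVER_PORT, out) for server in self.servers]

    def relay_reply(self, raw: bytes):
        """Server -> client. Returns (destination, port, datagram) or None."""
        msg = Bootp(raw)
        if msg.op != BOOTREPLY or msg.giaddr != self.lan_address:
            return None                      # reply is meant for some other relay
        if msg.ciaddr != ANY:
            dest = msg.ciaddr                # client already has an address
        elif msg.flags & BROADCAST_FLAG:
            dest = BROADCAST                 # client cannot receive unicast yet
        else:
            dest = msg.yiaddr                # unicast to the offered address via chaddr
        return str(IPv4Address(dest)), CLIENT_PORT, raw
```

The giaddr rule is the security-relevant one: the server chooses the client's subnet from giaddr, so a relay that overwrote a non-zero giaddr would hand out addresses from the wrong pool, and a reply whose giaddr does not match the relay is discarded rather than delivered to the LAN.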
The Add Connection Profile screen appears. On a Router you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time unless you are using VPNs.
1. Select Profile Name and enter a name for this connection profile.

4. Toggle or enter any IP parameters you require and return to the Add Connection Profile screen by pressing Escape. For more information on NAT, see “Multiple Network Address Translation,” beginning on page 3-1. The Local WAN IP Address is displayed for numbered or NAT profiles.

Multicast Forwarding

Multicast is a method for transmitting large amounts of information to many, but not all, hosts over an internet. One common use is to distribute real-time audio and video to the set of hosts that have joined a distributed conference.

Typically, you will have a Connection Profile that you created in Easy Setup. You may have more. Select the Connection Profile that you want to use from the Display/Change Connection Profile menu, and then select IP Profile Parameters.
Chapter 7 Line Backup

Netopia Firmware Version 8.4 offers line backup functionality in the event of a line failure on the primary WAN link:
• to an internal V.

• the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu. Here you enter a Backup Gateway IP address. See “IP Setup” on page 7-7. Alternatively, you can choose a different backup gateway device; see “Backup Default Gateway” on page 7-14.

Assuming you selected PPP, new fields appear. Underlying Encapsulation and PPP Mode do not usually need to be changed for a PPP connection.
• From the Interface Group pull-down menu, select Backup.
• Select Encapsulation Options. The Datalink (PPP/MP) Options screen appears.
• Data Compression should remain set to Standard LZS.
• Usually you use PAP Authentication with a dial-up connection, but you can also use CHAP or None. PAP sends the password across the link unencrypted, so prefer CHAP when your ISP supports it.
• Select IP Profile Parameters. The IP Profile Parameters screen appears.
• Unless otherwise instructed, accept the defaults, except the following:
• Set Remote IP Address to 127.0.0.2.
• Set Remote IP Mask to 255.255.255.
• From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default).
• Dialing Prefix: If you are connected to a Centrex or PBX phone system that requires you to dial a prefix number (such as “9” for an outside line), enter it here.

IP Setup

Here, you set the IP address of the alternate gateway. Navigate to the IP Setup screen under the System Configuration menu.
• Set Backup IP Gateway to 127.0.0.2.
• Set Secondary Domain Name Server to the IP address of your dial-up ISP's DNS server.

WAN Configuration

To configure the modem characteristics, from the Main Menu select WAN Configuration and then WAN Setup. The Choose Interface to Configure screen appears. These settings govern the general modem behavior.

Choose the interface to configure for backup, MODEM (Wan Module 2) Setup. The Internal Modem Setup screen appears.
• Modem Dialing Prefix: ATDT is the standard Hayes-compatible command for getting the modem's attention and dialing with tones.

Backup Configuration screen

Navigate to the Backup Configuration screen. This screen is used to configure the conditions under which backup will occur, whether it will recover, and how the modem is configured. For the internal V.

has gone down. Should this address become unreachable, the router treats this as a loss of connectivity and starts the backup timer. This loss is a Layer 2 loss. Note: For best results, enter an IP address and not a host name. If a host name is used it may not be resolvable, and may keep the interface down.

Using Scheduled Connections with Backup

The backup link is a PPP dial-up connection and only connects to the Internet service provider when traffic is initiated from the LAN.
• Toggle Scheduled Connection Enable to On.
• From the How Often pop-up menu, select Weekly and press Return.
• From the Schedule Type pop-up menu, accept the default Forced Up and press Return.
• Select Set Weekly Schedule, and press Return.
• Select Use Connection Profile, and press Return. A screen displays all of your Connection Profiles. Select the one you want to apply this scheduled connection to and press Return.

The Backup Configuration screen appears. This screen is used to configure the conditions under which backup will occur, whether it will recover, and how the alternate gateway is configured.
• Select Backup is and press Return. A pop-up menu allows you to select Disabled, Manual, or Automatic.

IP Setup screen

To configure the backup gateway, from the Main Menu select System Configuration then IP Setup. The IP Setup screen appears.

Backup Management/Statistics

If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return.

During recovery, the following reasons may appear:
• Time Since Detection is a display-only field that is only visible if backup or recovery is in progress. It displays the elapsed time since detection of either WAN line failure or re-establishment of the connection.
Chapter 8 Monitoring Tools

This chapter discusses the Router's device and network monitoring tools.

General status

Current Date: The current date; this can be set with the Date and Time utility (see “Date and time” on page 2-29).
Default IP Gateway: The gateway's default gateway, which may be either manually configured or learned via DHCP.

Current status

The current status section is a table showing the current status of the DSL connection. For example:
Profile Name: Lists the name of the connection profile being used, if any.
Rate: Shows the line rate for this connection.

Statistics & Logs

When you are troubleshooting your Router, the Statistics & Logs screens provide insight into the recent event activities of the gateway. From the Main Menu go to Statistics & Logs and select one of the options described in the sections below.

WAN Event History

The WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top. Each entry in the list contains the following information:
Date: Date of the event.
Time: Time of the event.

In the Statistics & Logs screen, select Device Event History. The Device Event History screen appears. If the event history exceeds the size of the screen, you can scroll through it by using SCROLL UP and SCROLL DOWN. To scroll up, select SCROLL UP at the top of the list and press Return.

IP Routing Table

The IP routing table displays all of the IP routes currently known to the Router. The routing table screen represents a snapshot of the routing table information at the time the screen is first invoked. To take a new snapshot, select Update at the bottom of the screen and press Return.

Physical Interface

The top left side of the screen lists total packets received and total packets transmitted for the following data ports:
• Ethernet
• DSL Network Inter.

System Information

The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears. The information displayed varies by model, firmware version, feature set, and so on.

Simple Network Management Protocol (SNMP)

The Netopia Firmware Version 8.4 includes a Simple Network Management Protocol (SNMP) agent, allowing monitoring and configuration by a standard SNMP manager. Netopia Routers now support SNMP-V1 and SNMP-V2c.

The SNMP Setup screen

From the Main Menu, select SNMP in the System Configuration screen and press Return. The SNMP Setup screen appears. Follow these steps to configure the first three items in the screen:
1. Select System Name and enter a descriptive name for the Router's SNMP agent.

Community strings

The Read-Only Community String and the Read/Write Community String are like passwords that must be used by an SNMP manager querying or configuring the Netopia Firmware Version 8. Because SNMPv1 and SNMPv2c send community strings in cleartext, choose values that are not the well-known defaults and guard the Read/Write string as carefully as the Superuser password: anyone who learns it can reconfigure the Router.

To go to the IP Trap Receivers screen, select IP Trap Receivers. The IP Trap Receivers screen appears.

Setting the IP trap receivers
1. Select Add IP Trap Receiver.
2. Select Receiver IP Address or Domain Name. Enter the IP address or domain name of the SNMP manager you want to receive the trap.
Security 9-1 C C C C h h h h a a a a p p p p t t t t e e e e r r r r 9 9 9 9 S S S S e e e e c c c c u u u u r r r r ii i i t t t t y y y y The Netopia Fir mware V ersion 8.4 provides a number of security featur es to help protect its configuration screens and your local network fr om unauthorized access.
9-2 Firmware User Guide T elnet Tiered Access – T w o P assw or d Levels Netopia Fir mware V ersion 8.4 of fers tiered access control for gr eater security and protection against accidental or malicious misconfiguration.
Security 9-3 PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NA T por t maps. This means that applications that suppor t UPnP , and ar e used with a UPnP-enabled Netopia Gateway , will not need application layer gateway suppor t on the Netopia Gateway to work through NA T .
9-4 Firmware User Guide Limited user configuration The Add Access Name/Password and Show/Change Access Name/Passwor ds screens allow you to select which configuration features a limited (non-Super user) user can access. From the Security Options scr een, select Add Access Name/Password .
Security 9-5 Y ou can toggle the default user privileges for each user . The defaults ar e set to minimize the possibility of an individual user inadver tently damaging the W AN connection. Exercise caution in assigning privileges other than these defaults to limited users.
9-6 Firmware User Guide Advanced Security Options The Advanced Security Options screen allows you to configur e the global access privileges of users authenticated via a RADIUS ser ver or a T ACACS+ ser ver . From the Security Options scr een, select Advanced Security Options .
Security 9-7 Since authentication via RADIUS ser ver is, by definition, authentication of remote users, the WAN-related defaults are pr eset to Y es. T oggle any that should be changed.
9-8 Firmware User Guide T ACACS+ server authentication Netopia Fir mware V ersion 8.4 suppor ts T ACACS+ ser ver authentication. Its application to a Netopia Router is to control access to the Router’s management inter face, and to audit commands submitted by a user .
Security 9-9 Selecting this option displays the Change Access Password scr een. When changing a password, you will be challenged to enter it again to be sur e you have entered it cor rectly . User menu differences Menus reflect the security access level of the user .
9-10 Firmware User Guide • All users have access to System Configuration, Quick Menus, and Quick View , but limited users have only limited access to configuration elements in their descendant menus. • Configuration screen elements to which configuration access is forbidden ar e usually hidden.
Security 9-11 W AN Configuration screens If a limited user is allowed W AN, Connection Pr ofile, or PVC configuration access, the W AN Configuration option in the Main Menu is visible.
9-12 Firmware User Guide Connection Profiles The Super user can disallow limited user access to a par ticular Connection Profile. When adding a Connection Profile in the Add Connection Pr ofile screen the Super user can toggle the Superuser Accessible Only option to Ye s or No .
Security 9-13 Note: Network Address Translation (NA T) is displayed in this screen in order to make access control simpler . Security becomes Change Access Passwor d for non-Super users, and provides access to the associated menu described previously .
9-14 Firmware User Guide Utilities & Diagnostics menu Based on access level, the Utilities & Diagnostics menu displays its configuration options according to the following diagram: Statistics.
Security 9-15 Quick Menus Quick Menus var y considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Super user and by a Limited user . Note: Console Configuration is always visible.
9-16 Firmware User Guide The A TM Cir cuits Configuration menu screen appears as follows: Note: Multiple A TM cir cuit configuration is suppor ted on multiple A TM-capable gateways.
Security 9-17 About Filters and Filter Sets Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can gr eatly improve your network’s security . The Netopia Fir mware V ersion 8.
9-18 Firmware User Guide Filter priority Continuing the customs inspectors analogy , imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s par ticular orders.
Security 9-19 • Blocks (discards) the packet • Ignores the packet A filter for wards or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the filter ignores the packet. A filtering rule The criteria are based on infor mation contained in the packets.
9-20 Firmware User Guide Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination por t number . The comparison options are: No Compare: No comparison of the por t number specified in the filter with the packet’s por t number .
Security 9-21 Putting the parts together When you display a filter set, its filters are displayed as r ows in a table: The table’s columns cor respond to each filter’s attributes: #: The filter’s priority in the set. Filter number 1, with the highest priority , is first in the table.
9-22 Firmware User Guide Filtering example #1 Returning to our filtering r ule example fr om above (see page 9-19 ), look at how a rule is translated into a filter.
Security 9-23 This filter blocks any packets coming from a r emote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP addr ess 200.
9-24 Firmware User Guide • That which is not expressly per mitted is prohibited. It is strongly r ecommended that you take the latter , and safer , approach to all of your filter set designs. W orking with IP Filters and Filter Sets This section covers IP filters and filter sets.
Security 9-25 Adding a filter set Y ou can cr eate up to eight dif fer ent custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. T o add a new filter set, select Add Filter Set in the Filter Sets screen and press Retur n.
9-26 Firmware User Guide Adding filters to a filter set There ar e two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Inter net, destined for your network. Output filters check packets transmitted from your network to the Internet.
Security 9-27 Note: There ar e two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way , providing you keep the dif ferent sour ce and destination perspectives in mind.
9-28 Firmware User Guide 3. If you want the filter to for ward packets that match its criteria to the destination IP addr ess, select For ward and toggle it to Ye s . If For war d is toggled to No , packets matching the filter’s criteria will be discarded.
Security 9-29 Deleting filters T o delete a filter , select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to display a table of filters. Select the filter from the table and pr ess Return to delete it. Press Escape to exit the table without deleting the filter .
Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN.
Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked.
Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN.
FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input filter ahead of the current input filter 1:
• Enabled: Yes
• Forward: Yes
• Source IP Address: 0.
The new filter set screen appears as follows:
To use the policy-based routing feature, you create a filter that forwards the traffic.
• Toggle Forward to Yes. This will display the Force Routing options.
• Toggle Force Routing to Yes.
Note: Default Forwarding Filter
If you create one or more filters that have a matching action of forward, then the action on a packet matching none of the filters is to block it. In other words, as soon as a filter set contains any forward filter, it ends with an implicit deny-all, and every kind of traffic you want to pass must be forwarded by an explicit filter.
Firewall Tutorial
General firewall terms
Filter rule: A filter set is comprised of individual filter rules.
Filter set: A grouping of individual filter rules.
Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
Example TCP/UDP Ports (table not reproduced)
Firewall design rules
There are two basic rules to firewall design:
• "What is not explicitly allowed is denied." and
• "What is not explicitly denied is allowed."
The first rule is far more secure, and is the best approach to firewall design.
and a packet goes through these rules destined for FTP, the packet would pass through the first filter rule (WWW) without matching, match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule, because the first matching rule decides and later rules are not consulted.
Established connections
The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TCP, not UDP. The ACK bit is part of the TCP mechanism that guarantees the delivery of data. The ACK bit is set whenever one side of a connection has received data from the other side. It is clear only on the first segment (the SYN) that opens a connection, so an input filter that forwards TCP packets only when the ACK bit is set lets replies to LAN-initiated connections through while blocking connection attempts from the WAN. Because the Router does not track connection state, any packet with the ACK bit set passes that test, whether or not a connection actually exists.
Example network
Example filters
Example 1: Incoming packet has the source address of 200.1.1.28.
Port comparison operators:
Less Than or Equal: Any port less than or equal to the port defined.
Equal: Matches only.
This incoming IP packet has a source IP address that matches the network address in the filter's Source IP Address field (00000000), so the filter applies, and the Router will not forward this packet.
Example 2: Incoming packet has the source address of 200.
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule does not match and this packet will be forwarded.
Example 4: Incoming packet has the source address of 200.
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. This rule masks off a single IP address.
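The matching and ordering rules from the filter examples above (the logical-AND network test, first-match ordering, the ACK-bit test for established connections and the Default Forwarding Filter behaviour), put together as a small Python model. This is an added example, not code from the Netopia firmware. The full host addresses in the worked packets (200.1.1.96, 200.1.1.176, 198.51.100.9, 10.0.0.5) and the Basic-Firewall-style input set are assumptions, with a.b.c.d taken as the text's own 163.176.8.243, and the rule that a deny-only set forwards unmatched packets is assumed as the other half of the Default Forwarding Filter note.

```python
"""Stateless packet-filter model of the rules in the tutorial above.

Added example, not Netopia firmware code. Host addresses and the input set
below are assumptions; a.b.c.d is taken to be 163.176.8.243.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

TCP, UDP, ANY = 6, 17, 0          # IP protocol numbers; ANY = no protocol test


@dataclass
class Packet:
    src: str
    dst: str
    proto: int = TCP
    sport: int = 0
    dport: int = 0
    ack: bool = True              # TCP ACK bit (ignored for UDP)


@dataclass
class Filter:
    forward: bool                 # Forward: Yes (True) or No (False)
    src_net: str = "0.0.0.0"      # Source IP Address
    src_mask: str = "0.0.0.0"     # Source IP Mask; 0.0.0.0 matches any host
    dst_net: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: int = ANY
    dport: Optional[int] = None   # destination port test; None = any port
    dport_op: str = "eq"          # eq, ne, le, ge (the port comparison)
    established: bool = False     # forward only TCP packets with ACK set
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        # Address test: (packet address AND mask) == (filter network AND mask)
        if not _net_match(pkt.src, self.src_net, self.src_mask):
            return False
        if not _net_match(pkt.dst, self.dst_net, self.dst_mask):
            return False
        if self.proto != ANY and pkt.proto != self.proto:
            return False
        if self.dport is not None and not _port_match(pkt.dport, self.dport, self.dport_op):
            return False
        # ACK is clear only on the SYN that opens a connection, so this lets
        # replies in but not new inbound connections. It is stateless: any
        # packet with ACK set passes, whether or not a connection exists.
        if self.established and not (pkt.proto == TCP and pkt.ack):
            return False
        return True


def _net_match(addr: str, net: str, mask: str) -> bool:
    m = int(IPv4Address(mask))
    return int(IPv4Address(addr)) & m == int(IPv4Address(net)) & m


def _port_match(port: int, ref: int, op: str) -> bool:
    return {"eq": port == ref, "ne": port != ref,
            "le": port <= ref, "ge": port >= ref}[op]


def evaluate(filters: List[Filter], pkt: Packet) -> bool:
    """True if the packet is forwarded. Filters are tried in order and the
    first match decides, so a later deny for the same traffic is never reached.
    No match: blocked if any enabled filter forwards (Default Forwarding
    Filter note); forwarded for a deny-only set (assumed)."""
    for f in filters:
        if f.matches(pkt):
            return f.forward
    return not any(f.enabled and f.forward for f in filters)


# Deny-only set: block the class C network 200.233.14.0, forward everything else.
BLOCK_REMOTE_NET = [Filter(False, src_net="200.233.14.0", src_mask="255.255.255.0")]

# Single-host filter (mask 255.255.255.255) as in Examples 3 and 4: the last
# octet of the filter network is 01100000 (96); 10110000 (176) does not match.
BLOCK_ONE_HOST = [Filter(False, src_net="200.1.1.96", src_mask="255.255.255.255")]

# Rule ordering from the tutorial: forward WWW, forward FTP, then deny FTP.
ORDERING = [Filter(True, proto=TCP, dport=80),
            Filter(True, proto=TCP, dport=21),
            Filter(False, proto=TCP, dport=21)]

# Basic-Firewall-style input set with the FTP exception inserted ahead of the
# established-connections filter. Forward filters exist, so everything
# unmatched (including all UDP, e.g. DNS replies) is blocked.
FTP_SERVER = "163.176.8.243"
INPUT_SET = [Filter(True, dst_net=FTP_SERVER, dst_mask="255.255.255.255",
                    proto=TCP, dport=21),
             Filter(True, proto=TCP, established=True)]

if __name__ == "__main__":
    syn = Packet("198.51.100.9", "10.0.0.5", TCP, 40000, 22, ack=False)
    print("new inbound SSH forwarded:", evaluate(INPUT_SET, syn))   # False
```

Two things the model makes visible that the prose does not: the established-connections filter is a flag test, not connection tracking, so a packet with ACK set from any source passes it (this is why a stateless ACK filter still needs tight per-host deny rules), and an input set built only from TCP forward filters silently blocks every UDP reply, which breaks DNS for LAN clients unless a UDP filter is added.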
Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears. Enter a descriptive name for your current configuration, select SAVE, and press Return. Your configuration will be saved to the flash memory, and you will be returned to the Configuration Management screen.
A warning screen will ask you to confirm your choice.
TFTP
You can also send or receive your stored configuration files via TFTP. You select the stored configuration files from pull-down menus in the TFTP File Transfer screen in the Utilities & Diagnostics menu, as shown. Note that TFTP provides neither authentication nor encryption, and a saved configuration can contain passwords and connection-profile secrets, so perform these transfers only on a trusted network segment and remove the files from the TFTP server when you are done.
Chapter 10 Utilities and Diagnostics
Ping
The Netopia Firmware Version 8.4 includes a standard Ping test utility. A Ping test generates IP packets (ICMP Echo Requests) destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet (an ICMP Echo Reply) to the original sender.
Status: The current status of the Ping test. This item can display the status messages shown in the table below.
Packets Out: The number of packets sent by the Ping test.
Packets In: The number of return packets received from the target host.
Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statistic may be updated during the Ping test, and may not be accurate until after the test is over.
4. Select Use Reverse DNS to learn the names of the gateways between the Netopia Router and the destination gateway. The default is Yes.
5. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected.
Factory Defaults
You can reset the Router to its factory default settings. In the Utilities & Diagnostics screen, select Revert to Factory Defaults and press Return. Select CONTINUE in the dialog box and press Return.
Updating firmware
Firmware updates may be available periodically from Netopia or from a site maintained by your organization's network administrator. The Router ships with an embedded operating system referred to as firmware.
• Select Config File Name and enter the name of the file you will download. The name of the file is available from the site where the server is located. You may need to enter a file path along with the file name (for example, bigroot/config/myfile).
Appendix A Troubleshooting
This appendix is intended to help you troubleshoot problems you may encounter while setting up and using Netopia Firmware Version 8.
Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will need to clear the IP address or reset your Router to the factory default before reinitiating the configuration process.
How to Reset the Router to Factory Defaults
Lose your password? This section shows how to reset the Netopia Router so that you can access the configuration screens once again.
Note: Keep in mind that all of your settings will need to be reconfigured. Because this reset bypasses the password, anyone with physical access to the Router can use it to take control of the device, so keep the unit physically secured.
Environment profile
• Locate the Router's model number, product serial number, and firmware version. The serial number is on the bottom of the gateway, along with the model number. The firmware version appears in the Netopia Router's Main Menu screen.
Appendix B Understanding IP Addressing
IP addresses are maintained and assigned by the InterNIC, a quasi-governmental organization now increasingly under the auspices of private industry.
Note: It's very common for an organization to obtain an IP address from a third party, usually an Internet service provider (ISP).
Subnet masks
To create subnets, the network manager must define a subnet mask, a 32-bit number that indicates which bits in an IP address are used for network and subnetwork addresses and which are used for host addresses.
Network configuration
Below is a diagram of a simple network configuration. The ISP is providing a Class C address to the customer site, and both networks A and B want to gain Internet access through this address. Router B connects to Router A and is provided Internet access through Routers A and B.
Background
The IP addresses and routing configurations for the devices shown in the diagram are outlined below. In addition, each individual field and its meaning are described.
These two methods are not mutually exclusive; you can manually issue some of the addresses while the rest are distributed by the Router.
Configuration
This section describes the specific IP address lease, renew, and release mechanisms for both the Mac and PC, with either DHCP or MacIP address serving.
DHCP address serving
Windows 95 workstation:
• The Win95 workstation requests and renews its lease every half hour.
• For a dynamic address, the Router releases the address back to the address pool after it has lost contact with the Mac workstation for over 2 minutes.
• For a static address, the Router releases the address back to the address pool after it has lost contact with the Mac workstation for over 20 minutes.
• define the address that you want to serve in the Connection Profile's IP Setup screen. This method requires a static value to be used. Thus any user dialing in can obtain the same IP address for every connection to the profile.
The figure above shows an example of a block of IP addresses being distributed correctly. The example follows these rules:
• An IP address must not be used as a static address if it is also in a range of addresses being distributed by DHCP or MacIP.
Nested IP Subnets
Under certain circumstances, you may want to create remote subnets from the limited number of IP addresses issued by your ISP or other authority. You can do this using connection profiles. These subnets can be nested within the range of IP addresses available to your network.
Routers B and C (which could also be Routers) serve the two remote networks that are subnets of a.b.c.0. The subnetting is accomplished by configuring the Router with connection profiles for Routers B and C (see the following table).
Let's see how a packet from the Internet gets routed to the host with IP address a.b.c.249, which is served by Router C. The packet first arrives at Router A, which delivers it to its local network (a.b.c.0). The packet is then received by the Router, which examines its destination IP address.
The following diagram illustrates the IP address space taken up by the two remote IP subnets. You can see from the diagram why the term nested is appropriate for describing these subnets.
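The subnet-mask material earlier in this appendix and the nested-subnet walk-through above, as one added Python example (not Netopia's code): it converts masks to binary the way the conversion table in Appendix C does per octet, rejects masks whose 1 bits are not contiguous, checks that nested subnets sit inside the parent block without overlapping, and routes a packet for a.b.c.249 to Router C by longest-prefix match. 192.0.2.0/24 stands in for a.b.c.0, and the nested ranges for Routers B and C are assumptions, since the connection-profile table is not reproduced here.

```python
"""Subnet masks and nested subnets (added example, not Netopia's code).

The text's a.b.c.0 is taken to be 192.0.2.0/24; the nested subnets for
Routers B and C and the host addresses are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


def to_binary(dotted: str) -> str:
    """Dotted decimal to dotted binary, one octet at a time (what the
    conversion table in Appendix C gives per octet)."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))


def is_valid_mask(mask: str) -> bool:
    """A subnet mask must be contiguous 1 bits followed by 0 bits;
    255.255.0.255 is not a mask even though each octet looks plausible."""
    inv = ~int(IPv4Address(mask)) & 0xFFFFFFFF    # host bits become 1s
    return inv & (inv + 1) == 0                   # 0..01..1 + 1 clears them all


def usable_hosts(mask: str) -> int:
    """Host addresses left after removing the network and broadcast
    addresses (255.255.255.224 leaves 30)."""
    host_bits = 32 - IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return max(2 ** host_bits - 2, 0)


# Routing table for the Router in the nested-subnet diagram: Routers B and C
# serve subnets carved out of the class C; the rest is the directly attached LAN.
Route = Tuple[str, str]
ROUTES: List[Route] = [
    ("192.0.2.0/24", "local LAN"),      # a.b.c.0, directly attached
    ("192.0.2.192/27", "Router B"),     # assumed: .192 to .223
    ("192.0.2.224/27", "Router C"),     # assumed: .224 to .255, which holds .249
]
PARENT = IPv4Network("192.0.2.0/24")


def next_hop(dst: str, routes: List[Route] = ROUTES) -> str:
    """Longest-prefix match: the most specific route wins, which is why a
    packet for a.b.c.249 goes to Router C although the whole class C is also
    the local network."""
    addr = IPv4Address(dst)
    best = None
    for net, hop in routes:
        n = IPv4Network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else "default gateway"   # anything else: Router A


def nested_layout_ok(routes: List[Route] = ROUTES,
                     parent: IPv4Network = PARENT) -> bool:
    """Checks worth running before saving the profiles: every nested subnet
    lies inside the parent block, and no two nested subnets overlap."""
    nested = [IPv4Network(net) for net, _ in routes if IPv4Network(net) != parent]
    inside = all(n.subnet_of(parent) for n in nested)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(nested) for b in nested[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    print(to_binary("255.255.255.224"), usable_hosts("255.255.255.224"))
    print("a.b.c.249 ->", next_hop("192.0.2.249"))
```

The overlap check matters for the same reason as the static-versus-DHCP rule given earlier in this appendix: two profiles claiming the same addresses produce routing that depends on profile order rather than on the address, which is hard to spot from the configuration screens alone.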
Appendix C Binary Conversion Table
Decimal  Binary     Decimal  Binary     Decimal  Binary     Decimal  Binary
30       11110      62       111110     94       1011110    126      1111110
31       11111      63       111111     95       1011111    127      1111111

Decimal  Binary     Decimal  Binary     Decimal  Binary     Decimal  Binary
128      10000000   160      10100000   192
159      10011111   191      10111111   223      11011111   255      11111111
Appendix D Technical Specifications and Safety Information
Agency approvals
North America Safety Approvals:
• United States – UL 60950 Third Edition
• Canada – CSA: CAN/CSA-C22.
Manufacturer's Declaration of Conformance
Note: Warnings: This is a Class B product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection.
• USB-powered models: For Use with Listed I.T.E. Only.
Telecommunication installation cautions
• Never install telephone wiring during a lightning storm.
• Never install telephone jacks in wet locations unless the jack is specifically designed for wet locations.
b) List all applicable certification jack Universal Service Order Codes ("USOC") for the equipment: RJ11.
c) A plug and jack used to connect this equipment to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by the ACTA.
Electrical Safety Advisory
Telephone companies report that electrical surges, typically lightning transients, are very destructive to customer terminal equipment connected to AC power sources.