Netopia 4553 User Reference Manual

Shdsl router

Netopia
4553
G.SHDSL Router
User's Reference Guide


Summary of Contents for Netopia 4553

  • Page 1 Netopia 4553 G.SHDSL Router User’s Reference Guide...
  • Page 2 This manual and any associated artwork, software, and product designs are copyrighted with all rights reserved. Under the copyright laws such materials may not be copied, in whole or part, without the prior written consent of Netopia, Inc. Under the law, copying includes translation to another language or format.
  • Page 3: Table Of Contents

    Find a location... 2-11 What you need ... 2-11 Identify the connectors and attach the cables ... 2-12 Netopia Router status lights ... 2-13 Chapter 3 — Sharing the Connections ...3-15 Configuring TCP/IP on Windows-based Computers... 3-15 Dynamic configuration (recommended)... 3-16 Static configuration (optional)...
  • Page 4 Easy Setup Security Configuration ... 6-35 Chapter 7 — WAN and System Configuration ...7-37 WAN configuration... 7-37 Creating a new Connection Profile ... 7-40 The default profile... 7-43 IP parameters (default profile) screen ... 7-45 Scheduled Connections ... 7-45 Frame Relay configuration ...
  • Page 5 Connection Profiles ... 8-87 Chapter 9 — Multiple Network Address Translation ...9-91 Overview ... 9-91 Features... 9-91 Supported Traffic ... 9-95 MultiNAT Configuration ... 9-95 Easy Setup Profile configuration ... 9-96 Server Lists and Dynamic NAT configuration ... 9-96 IP setup... 9-97 Modifying map lists ...
  • Page 6 VPN QuickView ... 10-137 Dial-Up Networking for VPN ... 10-138 Installing Dial-Up Networking ... 10-138 Creating a new Dial-Up Networking profile ... 10-139 Configuring a Dial-Up Networking profile ... 10-140 Installing the VPN Client ... 10-141 Windows 95 VPN installation... 10-141 Windows 98 VPN installation...
  • Page 7 Chapter 12 — Monitoring Tools ...12-179 Quick View status overview ... 12-179 General status ... 12-180 Current status ... 12-181 Status lights ... 12-181 Statistics & Logs ... 12-182 Event histories ... 12-182 IP Routing Table... 12-185 General Statistics ... 12-185 System Information...
  • Page 8 How to reset the router to factory defaults ... A-207 Power outages... A-207 Technical support ... A-208 How to reach us... A-208 Appendix B — Technical Specifications and Safety Information ...B-211 Warranty...
  • Page 9: Chapter 1 - Introduction

    Overview The Netopia 4553 G.shdsl Router is a full-featured, stand-alone DSL router for connecting diverse local area networks (LANs) to the Internet and other remote networks. It supports the newly ratified ITU G.991.2 standard for symmetric DSL series. The Netopia 4553 G.shdsl Router uses a high performance telecommunications line to provide your whole network with a high-speed connection to the outside world.
  • Page 10: How To Use This Guide

    In addition to the simple documentation contained in the accompanying Getting Started Guide, this guide is designed to be your single source for information about your Netopia 4553 G.shdsl Router. It is intended to be viewed on-line, using the powerful features of the Adobe Acrobat Reader. The information display has been deliberately designed to present the maximum information in the minimum space on your screen.
  • Page 11: Chapter 2 - Making The Physical Connections

    Ease of access to the back of the unit for checking and changing cables Cable length and network size limitations when expanding networks For small networks, install the Netopia near one of the LANs. For large networks, you can install the Netopia in a wiring closet or a central network administration site.
  • Page 12: Identify The Connectors And Attach The Cables

    You will need: A Windows 95 or 98–based PC or a Macintosh computer with Ethernet connectivity for configuring the Netopia. This may be built-in Ethernet or an add-on card, with TCP/IP installed and configured. See “Sharing the Connection” on page A G.shdsl wall outlet wired for a connection to a Local Exchange Carrier (LEC) who supports Symmetric...
  • Page 13: Netopia Router Status Lights

    DSL cable connected between the router and the DSL wall outlet. Netopia 4553 Router status lights The figure below represents the Netopia status light (LED) panel. Netopia LED front panel The following table summarizes the meaning of the various LED states and colors: When this happens...
  • Page 15: Configuring TCP/IP On Windows-Based Computers

    Once you have set up your physical local area network, you will need to configure the TCP/IP stack on each client workstation connected to your Netopia 4553. This chapter describes how to configure TCP/IP for both Windows-based and Macintosh computers.
  • Page 16: Dynamic Configuration (Recommended)

    DNS will be assigned by the router with DHCP. Click OK in this window and the next window. When prompted, reboot the computer. Note: You can also use these instructions to configure other computers on your network to accept IP addresses served by the Netopia 4553.
  • Page 17: Static Configuration (Optional)

    Static configuration (optional) If you are manually configuring for a fixed or static IP address, perform the following: Go to Start Menu/Settings/Control Panels and double click the Network icon. From the Network components list, select the Configuration tab. Select TCP/IP-->Your Network Card. Then select Properties. In the TCP/IP Properties screen, select the IP Address tab.
  • Page 18 Under “New gateway,” enter 192.168.1.1. Click Add. This is the Netopia 4553’s pre-assigned IP address. Click OK in this window and the next window. When prompted, reboot the computer. Note: You can also use these instructions to configure other computers on your network with manual or static IP addresses.
  • Page 19: Configuring TCP/IP On Macintosh Computers

    4553 to assign IP addresses to your Macintoshes, you must be running Open Transport, standard in MacOS 8 and optional in earlier system versions. You can have your Netopia 4553 dynamically assign IP addresses using MacTCP; however, to do so requires that the optional AppleTalk kit be installed which can only be done after the router is configured.
  • Page 20: Static Configuration (Optional)

    If you are using MacTCP, you must restart the computer. If you are using Open Transport, you do not need to restart. Note: You can also use these instructions to configure other computers on your network to accept IP addresses served by the Netopia 4553. Select/Type: Ethernet Manually 192.168.1.2...
  • Page 21 IP addresses. Be sure each computer on your network has its own IP address. More information about configuring your Macintosh computer for TCP/IP connectivity through a Netopia 4553 can be found in Technote NIR_026, “Open Transport and Netopia Routers,” located on the Netopia Web site.
  • Page 23: Chapter 4 - Connecting To Your Local Area Network

    This chapter describes how to physically connect the Netopia 4553 to your local area network (LAN). Before you proceed, make sure the Netopia 4553 is properly configured. You can customize the router’s configuration for your particular LAN requirements using console-based management (see page 5-25).
  • Page 24: Connecting To An Ethernet Network

    Once the Netopia 4553 is properly configured and connected to your LAN, PC and Macintosh computers that have their required components in place will be able to connect to the Internet or other remote IP networks.
  • Page 25: Chapter 5 - Console-Based Management

    Console-based management is a menu-driven interface for the capabilities built into the Netopia 4553. Console-based management provides access to a wide variety of features that the router supports. You can customize these features for your individual setup. This chapter describes how to access the console-based management screens.
  • Page 26: Connecting Through A Telnet Session

    “Quick View status overview” on page 12-179 Connecting through a Telnet session Features of the Netopia 4553 can be configured through the console screens. Before you can access the console screens through Telnet, you must have: A network connection locally to the router or IP access to the router.
  • Page 27: Configuring Telnet Software

    NT on the PC, or ZTerm, included on the Netopia CD, for Macintosh computers. The Netopia 4553 back panel has a connector labeled “Console” for attaching the Router to either a PC or Macintosh computer via the serial port on the computer. (On a Macintosh computer, the serial port is called the Modem port or Printer port.) This connection lets you use the computer to configure and monitor the Netopia...
  • Page 28: Navigating Through The Console Screens

    Navigating through the console screens Use your keyboard to navigate the Netopia 4553’s configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the console screens.
  • Page 29: Chapter 6 - Easy Setup

    This chapter describes how to use the Easy Setup console screens on your Netopia 4553. After completing the Easy Setup console screens, your router will be ready to connect to the Internet or another remote site. Easy Setup console screens Using four Easy Setup console screens, you can: Modify a connection profile for your router for the connection to your ISP or remote location...
  • Page 30: Quick Easy Setup Connection Path

    You always start from this main screen. If you do not see the Main Menu, verify that: If you are using a serial connection, that your serial port speed is the same as the Netopia 4553’s default 9600 baud, for first use.
  • Page 31: DSL Line Configuration

    From the Regional Setting pop-up menu, select Annex A for routers in North America, Annex B for routers in Europe, or Annex C for routers in Japan. Note: Some options may not be visible. Netopia Router Easy Setup... WAN Configuration...
  • Page 32: Easy Setup Profile

    ISP or a corporate site. On a Netopia 4553 you can add up to 15 more connection profiles, for a total of 16, although you can only use one at a time, unless you are using Virtual Private Networks (VPNs).
  • Page 33: IP Easy Setup

    Press the Down arrow key until you reach NEXT SCREEN. Press Return to bring up the next screen. IP Easy Setup The IP Easy Setup screen is where you enter information about your Netopia Router’s: Ethernet IP address Ethernet Subnet mask...
  • Page 34 Do not confuse the remote IP address and the Default IP Gateway’s address with the block of local IP addresses you receive from your ISP. You use the local IP addresses for the Netopia 4553’s Ethernet port and for IP clients on your local network. The remote IP address and the default gateway’s IP address should point to your ISP’s router.
  • Page 35: Easy Setup Security Configuration

    PREVIOUS SCREEN Configure a Configuration Access Name and Password here. The final step in configuring the Easy Setup console screens is to restart the Netopia 4553, so that the configuration settings take effect. Select RESTART DEVICE. A prompt asks you to confirm your choice.
  • Page 36 The Router will restart and your configuration settings will be activated. You can then Exit or Quit your Telnet application. Easy Setup is now complete.
  • Page 37: WAN Configuration

    This chapter describes how to use the console-based management screens to access and configure advanced features of your Netopia 4553 Router. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their router’s connection profiles and system configuration.
  • Page 38 WAN DSL Mode... Regional Setting... Clock Source... Cell Format... Unused Cell Format... Data Link Encapsulation... RFC1483 Mode... PPP over Ethernet (PPPoE): Display/Change Circuit... Add Circuit... Delete Circuit... Select WAN DSL Mode and from the pop-up menu choose the type of DSLAM to which you will be connecting, either ATM or HDLC.
  • Page 39 Circuit Name: Circuit Enabled: Circuit VPI (0-255): Circuit VCI (0-65535): Use Connection Profile... Use Default Profile for Circuit ADD Circuit NOW Enter a name for the circuit in the Circuit Name field. Toggle Circuit Enabled to Yes. Enter the Virtual Path Identifier and the Virtual Channel Identifier in the Circuit VPI and Circuit VCI fields, respectively.
  • Page 40: Creating A New Connection Profile

    COMMIT Configure a new Conn. Profile. Finished? On a Netopia 4553 you can add up to 15 more connection profiles, for a total of 16, but you can only use one at a time, unless you are using VPNs. Select Profile Name and enter a name for this connection profile. It can be any name you wish. For example: the name of your ISP.
  • Page 41 Select Data Link Encapsulation and press Return. The pop-up menu offers the possible data link encapsulation methods for connection profiles used for a variety of purposes: PPP, Frame Relay, RFC1483, ATMP, PPTP, or IPsec. If you select any data link encapsulation method other than RFC1483, a Data Link Options menu item is displayed;...
  • Page 42 Auto-Detect DLCIs: Multicast DLCI Number: Toggle Auto-Detect DLCIs to Yes (the default) or No. Select the Multicast DLCI Number field and enter a value. You can edit the Maximum Packet Size field, if you want packets limited to a lower value than 1500. Return to the Add Connection Profile screen by pressing Escape.
  • Page 43: The Default Profile

    +-Profile Name---------------------IP Address------+ +--------------------------------------------------+ | Easy Setup Profile | Profile 1 +--------------------------------------------------+ The default profile If you are using RFC1483 datalink encapsulation, the Default Profile screen controls whether or not the G.shdsl link will come up without an explicitly configured connection profile. (PPP datalink encapsulation does not support a default profile, and the corresponding menu item is unavailable.) See page 8-87 for more information.
  • Page 44 Main Menu The Default Profile screen appears. Must Match a Defined Profile: IP Parameters... You can set Must Match a Defined Profile item to Yes or No (the default). This item controls whether or not the G.shdsl link will come up without an explicitly configured connection profile. If your ISP is serving you a dynamic IP Address, you need not explicitly configure a connection profile, and the default behavior of the router will be to connect automatically once it is powered on.
  • Page 45: IP Parameters (Default Profile) Screen

    IP parameters (default profile) screen If you are using RFC1483 datalink encapsulation, the IP Parameters (Default Profile) screen allows you to configure various IP parameters for G.shdsl connections established without an explicitly configured connection profile: Address Translation Enabled: Filter Set (Firewall)... Remove Filter Set Receive RIP: Transmit RIP:...
  • Page 46: Viewing Scheduled Connections

    Navigate from here to add/modify/change/delete Scheduled Connections. Viewing scheduled connections To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table. +-Days----Begin At---HH:MM---When----Conn. Prof. Name----Enabled-----+ +--------------------------------------------------------------------+ | mtWtfss 08:30PM +--------------------------------------------------------------------+...
  • Page 47: Adding A Scheduled Connection

    The other columns show: The time of day that the connection will Begin At The duration of the connection (HH:MM) Whether it’s a recurring Weekly connection or used Once Only Which connection profile (Conn. Prof.) is used to connect Whether the scheduled connection is currently Enabled The router checks the date and time set in scheduled connections against the system date and time.
  • Page 48: Set Weekly Schedule

    demand call on the line. Demand-Allowed, meaning that this schedule will permit a demand call on the line. Demand-Blocked, meaning that this schedule will prevent a demand call on the line. Periodic, meaning that the connection is retried several times during the scheduled time. If How Often is set to Weekly, the item directly below How Often reads Set Weekly Schedule.
  • Page 49 Set Once-Only Schedule If you set How Often to Once Only, select Set Once-Only Schedule and go to the Set Once-Only Schedule screen. Place Call on (MM/DD/YY): Scheduled Window Start Time: AM or PM: Scheduled Window Duration: Select Place Call On (Date) and enter a date in the format MM/DD/YY or MM/DD/YYYY (month, day, year).
  • Page 50: Frame Relay Configuration

    Modifying a scheduled connection To modify a scheduled connection, select Display/Change Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections. Select a scheduled connection from the table and press Return. The Change Scheduled Connection screen appears.
  • Page 51 N393 sliding window. If an N392 threshold is exceeded, the switch declares the Netopia Router inactive. The default setting is 3. The N393 option allows the user to specify the width of the sliding N392 monitored event window. The default setting is 4.
  • Page 52: Frame Relay DLCI Configuration

    Frame Relay DLCI configuration If you selected None as your LMI Type then you will need to manually configure your DLCIs. A Frame Relay DLCI is a set of parameters that tells the Netopia Router how to initially connect to a remote destination.
  • Page 53 To go to the Frame Relay DLCI configuration screen, select Frame Relay DLCI Configuration in the WAN Configuration screen. Add, delete, and modify DLCIs from here. Displaying a Frame Relay DLCI configuration table To display a view-only table of the Frame Relay DLCIs, select Display/Change DLCIs in the Frame Relay DLCI Configuration screen, and press Return.
  • Page 54 Changing a Frame Relay DLCI configuration To modify a Frame Relay DLCI configuration, select Display/Change DLCIs in the Frame Relay DLCI Configuration screen. Select a DLCI Name from the table and press Return to go to the Change DLCI screen. The parameters in this screen are the same as the parameters in the Add DLCI screen.
  • Page 55 This is accomplished by giving a DLCI Name to a DLCI Number. Select DLCI Enabled and toggle it to Yes to activate the profile. If you disable this profile, the Netopia Router will automatically disable and block access to a specific remote DLCI.
  • Page 56 Identifier). The setting defaults to 64000, but you may modify the committed burst size by toggling the selection in the Use Default field to No. You can then enter a different committed burst size in the Value field.
  • Page 57: System Configuration Screens

    Through the console port, using a local terminal (see page 5-27) You can also retrieve the Netopia 4553’s configuration information and remotely set its parameters using the Simple Network Management Protocol (see Open a Telnet connection to the router’s IP address; for example, “192.168.1.1.”...
  • Page 58: System Configuration Features

    To go back in this sequence of screens, use the Escape key. System configuration features The Netopia 4553 Router’s default settings may be all you need to configure your Netopia 4553. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, the Netopia 4553 provides system configuration options.
  • Page 59: IP Setup

    IP setup These screens allow you to configure your network’s use of the IP networking protocol. Details are given in “IP Setup” on page Filter sets (firewalls) These screens allow you to configure security on your network by means of filter sets and a basic firewall. Details are given in “Security”...
  • Page 60: Console Configuration

    Select the Router’s time zone from the Time Zone pop-up menu and press Return. In the NTP Update Interval field, enter how often to synchronize with the time server, using the format HHHH:MM where H is hours and M is minutes. Select a System Date Format;...
  • Page 61: Security

    You can upgrade your Netopia 4553 by adding new feature sets through the Upgrade Feature Set utility. See the release notes that came with your router or feature set upgrade, or visit the Netopia Web site at www.netopia.com for information on new feature sets, how to obtain them, and how to install them on your Netopia 4553.
  • Page 62: Installing The Syslog Client

    Erase the log by selecting DUMP WAN LOG Installing the Syslog client The Goodies folder on the Netopia CD contains a Syslog client daemon program that can be configured to report the WAN events you specified in the Logging Configuration screen.
  • Page 63 The Netopia 4553 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the router to route IP traffic. You also learn how to configure the router to serve IP addresses to hosts on your local network.
  • Page 64: Chapter 8 - IP Setup

    Main Menu The IP Setup options screen is where you configure the Ethernet side of the Netopia 4553. The information you enter here controls how the router routes IP traffic. Consult your network administrator or ISP to obtain the IP setup information (such as the Ethernet IP address, Ethernet subnet mask, default IP gateway, and Primary Domain Name Server IP address) you will need before changing any of the settings in this screen.
  • Page 65: IP Setup

    Set to Both, the Netopia 4553 will accept information from either RIP v1 or v2 routers. If you want the Netopia 4553 to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2 (broadcast), or v2 (multicast) from the pop-up menu. With Transmit RIP v1 selected, the Netopia 4553 will generate RIP packets only to other RIP v1 routers.
  • Page 66: IP Subnets

    All eight row labels are always visible, regardless of the number of subnets configured. To add an IP subnet, enter the Netopia 4553’s IP address on the subnet in the IP Address field in a particular row and the subnet mask for the subnet in the Subnet Mask field in that row.
  • Page 67 For example: IP Address ---------------- 192.128.117.162 192.128.152.162 0.0.0.0 To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
  • Page 68: Static Routes

    Static routes are IP routes that are maintained manually. Each static route acts as a pointer that tells the Netopia 4553 how to reach a particular network. However, static routes are used only if they appear in the IP routing table, which contains all of the routes used by the Netopia 4553 (see page 12-185).
  • Page 69 The Static Routes screen will appear. Configure/View/Delete Static Routes from this and the following Screens. Viewing static routes To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear. +-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+ +------------------------------------------------------------------+ | 0.0.0.0 +------------------------------------------------------------------+...
  • Page 70 Select Destination Network Subnet Mask and enter the subnet mask used by the destination network. Select Next Gateway IP Address and enter the IP address for the router that the Netopia 4553 will use to reach the destination network. This router does not necessarily have to be part of the destination network, but it must at least know where to forward packets destined for that network.
  • Page 71 If the static route conflicts with a connection profile, the connection profile will always take precedence. To make sure that the static route is known only to the Netopia 4553, select Advertise Route Via RIP and toggle it to No. To allow other RIP-capable routers to know about the static route, select Advertise Route Via RIP and toggle it to Yes.
  • Page 72: IP Address Serving

    Menu Configuration In addition to being a router, the Netopia 4553 is also an IP address server. There are three protocols it can use to distribute IP addresses. The first, called Dynamic Host Configuration Protocol (DHCP), is widely supported on PC networks, as well as Apple Macintosh computers using Open Transport and computers using the UNIX operating system.
  • Page 73 If you enabled IP Address Serving, then DHCP, BootP clients and Dynamic WAN clients are automatically enabled. The IP Address Serving Mode pop-up menu allows you to choose the way in which the Netopia 4553 will serve IP addresses. The device can act as either a DHCP Server or a DHCP Relay Agent. (See Agent”...
  • Page 74 If you have configured multiple Ethernet IP subnets, the appearance of the IP Address Serving screen is altered slightly: IP Address Serving Mode... Configure Address Pools... Serve DHCP Clients: DHCP NetBios Options... Serve BOOTP Clients: Serve Dynamic WAN Clients: The first three menu items are hidden, and Configure Address Pools...
  • Page 75: IP Address Pools

    The value defaults to the Netopia 4553’s IP address on the corresponding subnet (or the Netopia 4553’s default gateway, if that gateway is located on the subnet in question). You can override the value by entering any address that is part of the subnet.
  • Page 76 When requesting an address, a client may provide a client identifier, or, if it does not, the Netopia 4553 may construct a pseudo-client identifier for the client. When the client subsequently requests an address, the Netopia 4553 will attempt to serve the address previously associated with the pseudo-client identifier.
  • Page 77: DHCP NetBIOS Options

    DHCP NetBIOS Options If your network uses NetBIOS, you can enable the Netopia 4553 to use DHCP to distribute NetBIOS information. NetBIOS stands for Network Basic Input/Output System. It is a layer of software originally developed by IBM and Sytek to link a network operating system with specific hardware. NetBIOS has been adopted as an industry standard.
  • Page 78 From the NetBios Type pop-up menu, select the type of NetBIOS used on your network. Serve NetBios Type: NetBios Type... Serve NetBios Scope: NetBios Scope: Serve NetBios Name Server: NetBios Name Server IP Addr: To serve DHCP clients with the NetBIOS scope, select Serve NetBios Scope and toggle it to Yes. Select NetBios Scope and enter the scope.
  • Page 79: More Address Serving Options

    The ability to serve as a DHCP Relay Agent. The Netopia 4553 supports reserving an IP address only for a type 1 client identifier (i.e., an Ethernet hardware address). It does not support reserving an IP address for an arbitrary client identifier. (For more information on client identifiers, see RFC 2131, section 9.14.)
  • Page 80: Configuring The IP Address Server Options

    Configuring the IP Address Server options To access the enhanced DHCP server functions, from the Main Menu navigate to Statistics & Logs and then Served IP Addresses. Main Menu The following example shows the Served IP Addresses screen after three clients have leased IP addresses. The first client did not provide a Host Name in its DHCP messages;...
  • Page 81 You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses. -IP Address------Type----Expires—-Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101 192.168.1.102...
  • Page 82 Details… is displayed if the entry is associated with both a host name and a client identifier. Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased.
  • Page 83 -IP Address------Type----Expires—-Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101 192.1+-------------------------------------------------------------+ 192.1+-------------------------------------------------------------+ 192.1| 192.1| You are about to make changes that will affect an address 192.1| that is currently in use. Are you sure you want to do this? | 192.1| 192.1| 192.1| 192.1+-------------------------------------------------------------+ 192.168.1.111...
  • Page 84 8-84 User’s Reference Guide -IP Address------Type----Expires—-Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101 192.168.1.102 +--------------------------------------+ 192.168.1.103 +--------------------------------------+ 192.168.1.104 192.168.1.105 | IP Address is 192.168.1.108 192.168.1.106 | MAC Address: 192.168.1.107 192.168.1.108 192.168.1.109 192.168.1.110 192.168.1.111 +--------------------------------------+ 192.168.1.112 192.168.1.113 ---------------------------------SCROLL DOWN---------------------------------- Lease Management... The router’s Ethernet IP address(es) will be automatically excluded from the address serving pool(s) on startup. Entries in the served IP address list corresponding to the router’s Ethernet IP address(es) that have been automatically excluded on startup are not selectable.
  • Page 85 Netopia Router. If the Netopia Router is configured to act as a DHCP server, it will assign the client an address from an address pool configured locally in the Netopia Router and respond to the client's request...
  • Page 86: DHCP Relay Agent

    Select IP Address Serving and press Return. The IP Address Serving screen appears. IP Address Serving Mode... Number of Client IP Addresses: 1st Client Address: Client Default Gateway... Serve DHCP Clients: DHCP NetBIOS Options... Serve BOOTP Clients: Select IP Address Serving Mode.
  • Page 87: Connection Profiles

    COMMIT Configure a new Conn. Profile. Finished? On a Netopia 4553 you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time, unless you are using VPNs. Select Profile Name and enter a name for this connection profile. It can be any name you wish. For example: the name of your ISP.
  • Page 88 Toggle the Profile Enabled value to Yes or No. The default is Yes. Select IP Profile Parameters and press Return. The IP Profile Parameters screen appears. Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... Local WAN IP Address: Local WAN IP Mask: Remote IP Address:...
  • Page 89 Select ADD PROFILE NOW and press Return. Your new connection profile will be added. If you want to view the connection profiles in your router, return to the WAN Configuration screen, and select Display/Change Connection Profile. The list of connection profiles is displayed in a scrolling pop-up screen.
  • Page 91: Overview

    To help you understand some of the concepts discussed here, it may be helpful to introduce some NAT terminology. The term mapping refers to rules that associate one or more private addresses on the Netopia Router’s LAN to one or more public addresses on the Netopia Router’s WAN interface (typically the Internet).
  • Page 92 IP address to which you would like to provide access. You may also define a specific public IP address to use for this service if you want to use an IP other than the WAN IP address of the Netopia Router.
  • Page 93: Wan Network

    NAT. Dynamic NAT is intended to provide functionality beyond many-to-one and one-to-one translation. Netopia’s NAT implementation makes it possible to have a static mapping of one public address to one private address, thus allowing applications such as NetMeeting to work by assuring that any traffic sent back to the source IP address is forwarded through to the internal machine.
  • Page 94 For example, if a connection is initiated from the public network and is destined for a public IP address configured on the Netopia Router, the following comparisons are made in this order. The Netopia Router first checks its internal NAT cache to see if the data is part of a previously initiated connection, if not…...
  • Page 95: Supported Traffic

    In order to support this type of mapping, you define two address ranges. First, you define a public range which contains the first and last public address to be used and the way in which these addresses should be used (PAT, static, or dynamic).
  • Page 96: Easy Setup Profile Configuration

    Easy Setup Profile configuration The screen below is an example. Depending on the type of router you are using, fields displayed in this screen may vary. Connection Profile Name: Address Translation Enabled: IP Addressing... Local WAN IP Address: Local WAN IP Mask: Remote IP Address: Remote IP Mask:...
  • Page 97 Domain Name: Receive RIP... Transmit RIP... Static Routes... Network Address Translation (NAT)... Set up the basic IP attributes of your Netopia in this screen. Select Network Address Translation (NAT) and press Return. Multiple Network Address Translation 9-97 9-116. setup. System...
  • Page 98 The Network Address Translation screen appears. Return/Enter to configure IP Address redirection. Public Range defines an external address range and indicates what type of mapping to apply when using this range. The types of mapping available are dynamic, static and pat. Map Lists define collections of mapping rules.
  • Page 99 The Add NAT Public Range screen appears. Range Name: Type... Public Address: First Public Port: Last Public Port: ADD NAT PUBLIC RANGE Select Range Name and give a descriptive name to this range. Select Type and from the pop-up menu, assign its type. Options are static, dynamic, or pat (the default). If you choose pat as the range type, select Public Address and enter the exterior IP address in the range you want to assign.
  • Page 100 Map List Name: Add Map... Select Map List Name and enter a descriptive name for this map list. A new menu item, Add Map, appears. Select Add Map and press Return. The Add NAT Map screen appears. First Private Address: Last Private Address: Use NAT Public Range...
  • Page 101 +-Public Address Range------------Type----Name-------------+ +----------------------------------------------------------+ | 0.0.0.0 | 206.1.1.6 | 206.1.1.1 | <<NEW RANGE...>> +----------------------------------------------------------+ Up/Down Arrow Keys to select, ESC to cancel, Return/Enter to Delete. From the list of public ranges you defined, select the one that you want to map to the interior range for this mapping and press Return.
  • Page 102: Modifying Map Lists

    Modifying map lists You can make changes to an existing map list after you have created it. Since there may be more than one map list you must select which one you are modifying. From the Network Address Translation screen select Show/Change Map List and press Return. Select the map list you want to modify from the pop-up menu.
  • Page 103 Add Map allows you to add a new map to the map list. Show/Change Maps allows you to modify the individual maps within the list. Delete Map allows you to delete a map from the list. Selecting Show/Change Maps or Delete Map displays the same pop-up menu. +---Private Address Range---------Type----Public Address Range------------+ +-------------------------------------------------------------------------+ | 192.168.1.1...
  • Page 104: Adding Server Lists

    Adding Server Lists Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list.
  • Page 105 Select Add Server and press Return. The Add NAT Server screen appears. Service... Server Private IP Address: Public IP Address: ADD NAT SERVER Select Service and press Return. A pop-up menu appears listing a selection of commonly exported services. Service... Server Private IP Address: Public IP Address: ADD NAT SERVER...
  • Page 106 Note: CUSeeMe (or other services that listen on specific ports) through MultiNat works as it did for non-MultiNat releases prior to version 4.4. In order to use CUSeeMe through the Netopia Router, you must export the ports 7648 and 7649. In MultiNat, you may use a port range export. Without the export, CUSeeMe will fail to work.
  • Page 107: Modifying Server Lists

    Modifying server lists Once a server list exists, you can select it for modification or deletion. Select Show/Change Server List from the Network Address Translation screen. Select the Server List Name you want to modify from the pop-up menu and press Return. Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
  • Page 108 9-108 User’s Reference Guide Selecting Show/Change Server or Delete Server displays the same pop-up menu. +-Private Address--Public Address----Port------------+ +----------------------------------------------------+ Se| 192.168.1.254 | 192.168.1.254 | 192.168.1.254 Ad| 192.168.1.254 | 192.168.1.254 +----------------------------------------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Select any server from the list and press Return.
  • Page 109: Deleting A Server

    Deleting a server To delete a server from the list, select Delete Server from the Show/Change NAT Server List menu and press Return. A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.
  • Page 110: Binding Map Lists And Server Lists

    Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile. You do this in one of the following screens: IP profile parameters...
  • Page 111 Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists. Address Trans| Easy-PAT IP Addressing| my_map NAT Map List.| NAT Server Li| Local WAN IP | Remote IP Add| Remote IP Mas| Filter Set...| Remove Filter| Receive RIP: |...
  • Page 112: Ip Parameters (Wan Default Profile)

    IP Parameters (WAN Default Profile) The Netopia 4553 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile. The procedure is similar to the procedure to bind map lists and server lists to a Connection Profile.
  • Page 113 Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists. Address Trans| <<None>> NAT Map List.| NAT Server Li| Filter Set (F| Remove Filter| Receive RIP: | Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Select the map list you want to bind to the default profile and press Return.
  • Page 114: Nat Associations

    NAT Associations Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection because map and server lists must be linked to a profile that controls the WAN interface. This can be a Connection Profile, a WAN Ethernet interface, a default profile, or a default answer profile.
  • Page 115 keys. Select the item by pressing Return to display a pop-up menu of all of your configured lists. Profile/Interface Name-------------Nat+------------------+Server List Name Easy Setup Profile Profile 01 Profile 02 Profile 03 Profile 04 Default Answer Profile Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Select the list name you want to assign and press Return again.
  • Page 116: Multinat Configuration Example

    Public IP addresses assigned by the ISP are 206.1.1.1 through 206.1.1.6 (255.255.255.248 subnet mask). Your internal devices have IP addresses of 192.168.1.1 through 192.168.1.254 (255.255.255.0 subnet mask). Netopia Router's address is: Web server's address is: Mail server's address is: FTP server's address is: In this example you will statically map the first five public IP addresses (206.1.1.1 - 206.1.1.5) to the first five...
  • Page 117 Default IP Gateway: IP Address Serving: Number of Client IP Addresses: 1st Client Address: PREVIOUS SCREEN Set up the basic IP & IPX attributes of your Netopia in this screen. Then navigate to the Network Address Translation (NAT) screen. Main Menu Configuration...
  • Page 118 Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by using Easy Setup, you would have to define a public range and map list.
  • Page 119 You do this through either the NAT Associations screen or the profile’s configuration screens. The PAT part of this example setup will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the outside world (for example, the Internet).
  • Page 120 IP address, 206.1.1.3. For the sake of this example, alias both services to 206.1.1.2. Now, as before, the PAT configuration will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the Internet.
  • Page 121: Chapter 10 - Virtual Private Networks

    (Internet). The Netopia 4553 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the routers are said to be tunnelling through the public network (Internet). The advantages are that, like your long distance phone call, you don't need a direct line between one computer or LAN and the other, but use the local connections, making it much cheaper;...
  • Page 122 Netopia’s PPTP implementation is compatible with Microsoft’s and can function as either the client (PAC) or the server (PNS). As a client, a Netopia R-series router can provide all users on a LAN with secure access over the Internet to the resources of another LAN by setting up a tunnel with a Windows NT server running Remote Access Services (RAS) or with another Netopia Router.
  • Page 123: About Pptp Tunnels

    The Netopia 4553 offers IPsec DES encryption over the VPN tunnel. When used to initiate the tunnelled connection, the Netopia 4553 is called a PPTP Access Concentrator (PAC, in PPTP language), or a foreign agent (in ATMP language). When used to answer the tunnelled connection, the Netopia Router is called a PPTP Network Server (PNS, in PPTP language) or a home agent (in ATMP language).
  • Page 124: Pptp Configuration

    PPTP configuration To set up the router as a PPTP Network Server (PNS) capable of answering PPTP tunnel requests you must also configure the VPN Default Answer Profile. See information. PPTP is a Datalink Encapsulation option in Connection Profiles. It is not an option in device or link configuration screens, as PPTP is not a native encapsulation.
  • Page 125 When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears. PPTP Partner IP Address: Tunnel Via Gateway: Authentication... Data Compression... Send Host name: Send Password: Receive Host name: Receive Password:...
  • Page 126 MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia router will start negotiating MS-CHAP-V2. If the router you are connecting to does not support MS-CHAP-V2, it will fall back to MS-CHAP-V1, or, if the router you are connecting to does not support MPPE at all, the PPP session will be dropped.
  • Page 127: About Ipsec Tunnels

    IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support the more secure Tunnel mode.
  • Page 128 The Add Connection Profile screen appears. Profile Name: Profile Enabled: Data Link Encapsulation... Data Link Options... IP Profile Parameters... COMMIT From the Data Link Encapsulation pop-up menu select IPsec. Then select Data Link Options. The IPsec Encryption & Authentication Options screen appears. Encryption Transform...
  • Page 129 Encryption Transform... Encryption Key: Authentication Type... Authentication Transform... Authentication Key: COMMIT Enter a key of 16 Hex digits, e.g. '1234567890ABCDEF' You must enter an Encryption Key if the Encryption Transform is DES. The key for DES must be a hexadecimal string of 16 characters, using Hex characters only: '0'-'9', 'A'-'F' and 'a' - 'f'. No key entry appears if the encryption transform is NULL.
  • Page 130: Ip Profile Parameters

    IP Profile Parameters The following IP Profile Options screen is displayed for an IPsec Connection Profile. SPI (Security Parameters Index): Remote Tunnel Endpoint Address: Idle Timeout (seconds): Remote Members Network: Remote Members Mask: Address Translation Enabled: NAT Map List...
  • Page 131: Advanced Ip Profile Options

    Map Lists, Server Lists, and PAT addresses are described in detail in Translation.” You can specify a Filter Set. See You can remove a Filter Set. You can choose to configure Advanced IP Profile Options (see following section). Note: The SPI title field above changes to SPI (Security Parameters Index) -- Use Advanced IP Profile Options if any of the SPI values differ from each other.
  • Page 132: Interoperation With Other Features

    If you do not specify the Remote Tunnel Endpoint Address, the router will use the default gateway to reach the partner. If the partner should be reached via an alternate port (for example, the LAN instead of the WAN), the Next Hop Gateway field allows this path to be resolved.
  • Page 133 Profile Name: Profile Enabled: Data Link Encapsulation... Data Link Options... IP Profile Parameters... COMMIT When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears. ATMP Partner IP Address: Tunnel Via Gateway: Network Name:...
  • Page 134 You can specify a Network Name. When the tunnel partner is another Netopia router, this name may be used to match against a Connection Profile. When the partner is an Ascend router in Gateway mode, then Network Name is used by the Ascend router to match a gateway profile.
  • Page 135: Encryption Support

    Notes: The Netopia 4553 supports 128-bit (“strong”) encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia routers you can optionally set 56-bit DES encryption. When you choose MS-CHAP as the authentication method for a PPTP tunnel, the Netopia router will start negotiating MS-CHAPv2.
  • Page 136: Atmp/Pptp Default Profile

    and transparently. ATMP/PPTP Default Profile The WAN Configuration menu offers an ATMP/PPTP Default Profile option. Use this selection when your router is acting as the server for VPN connections, that is, when you are on the answering end of the tunnel establishment.
  • Page 137: Vpn Quickview

    If you chose MS-CHAP authentication, the Data Compression option is not required, and this menu item becomes hidden. VPN QuickView You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView. Main Menu The VPN QuickView screen appears.
  • Page 138: Dial-Up Networking For Vpn

    Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely.
  • Page 139: Creating A New Dial-Up Networking Profile

    The Communications window appears. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button. Respond to the prompts to install Dial-Up Networking from the system disks or CDROM. When prompted, reboot your PC.
  • Page 140: Configuring A Dial-Up Networking Profile

    Windows 98 users select PPP: Windows 98, Windows NT Server, Internet In the Allowed network protocols area check TCP/IP and uncheck all of the other checkboxes. Note: Netopia’s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols.
  • Page 141: Installing The Vpn Client

    Click the TCP/IP Settings button. If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address radio button. If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your assigned IP address in the fields provided. Also enter the IP address in the Primary and Secondary DNS fields.
  • Page 142: Windows 98 Vpn Installation

    This displays a list of possible selections for the communications option. Active components will have a check in the checkboxes to their left. Check Dial Up Networking at the top of the list and Virtual Private Networking at the bottom of the list. Click OK at the bottom right on each screen until you return to the Control Panel.
  • Page 143: Connecting Using Dial-Up Networking

    Connecting using Dial-Up Networking A Dial-Up Networking connection will be automatically launched whenever you run a TCP/IP application, such as a web browser or email client. When you first run the application a Connect To dialog box appears in which you enter your User name and Password.
  • Page 144: Pptp Example

    PPTP example To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723. The source port may be dynamic, so often it is not useful to apply a compare function upon this portion of the control/negotiation packets.
  • Page 145 Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: Protocol Type: In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 +-------------------------------------------------------------------------+ Select Output Filter 1 and press Return.
  • Page 146: Atmp Example

    Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown below. Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest.
  • Page 147 Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below. Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: Protocol Type: Source Port Compare...
  • Page 148 10-148 User’s Reference Guide In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 +-------------------------------------------------------------------------+ Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below.
  • Page 149 Change Output Filter 2 Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: Protocol Type: Virtual Private Networks (VPNs) 10-149 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 151: Suggested Security Measures

    User accounts When you first set up and configure the Netopia 4553, no passwords are required to access the configuration screens. Anyone could tamper with the router’s configuration by simply connecting it to a console. However, by adding user accounts, you can protect the most sensitive screens from unauthorized access. User accounts are composed of name/password combinations that can be given to authorized users.
  • Page 152 Once user accounts are created, users who attempt to access protected screens will be challenged. Users who enter an incorrect name or password are returned to a screen requesting a name/password combination to access the Main Menu. To set up user accounts, in the System Configuration screen select Security and press Return.
  • Page 153: Telnet Access

    Return to delete it. To exit the list without deleting the selected account, press Escape. Telnet access Telnet is a TCP/IP service that allows remote terminals to access hosts on an IP network. The Netopia 4553 supports Telnet access to its configuration screens.
  • Page 154: About Filters And Filter Sets

    filters to control network communications can greatly improve your network’s security. The Netopia 4553’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the router’s filter sets for a variety of packet filtering applications.
  • Page 155 Each inspector has a specific task. One inspector’s task may be to examine the destination address of all outgoing packages. That inspector looks for a certain destination—which could be as specific as a street address or as broad as an entire country—and checks each package’s destination address to see if it matches that destination.
  • Page 156: How Individual Filters Work

    This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked. Here is what this rule looks like when implemented as a filter on the Netopia 4553: +-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +--------------------------------------------------------------------+ 199.211.211.17...
  • Page 157 Parts of a filter A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes: The source IP address (where the packet was sent from) The destination IP address (where the packet is going) The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP Port numbers A filter can also match a packet’s port number attributes, but only if the filter’s protocol type is set to TCP or...
  • Page 158 Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison options are: No Compare: No comparison of the port number specified in the filter with the packet’s port number. Not Equal To: For the filter to match, the packet’s port number cannot equal the port number specified in the filter.
  • Page 159 Putting the parts together When you display a filter set, its filters are displayed as rows in a table: +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +----------------------------------------------------------------------+ 192.211.211.17 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 +----------------------------------------------------------------------+ The table’s columns correspond to each filter’s attributes: #: The filter’s priority in the set. Filter number 1, with the highest priority, is first in the table. Source IP Addr: The packet source IP address to match.
  • Page 160 Filtering example #1 Returning to our filtering rule example from above (see filter. Start with the rule, then fill in the filter’s attributes: The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
  • Page 161: Design Guidelines

    This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it. In this case, the mask, which does not appear in the table, must be set to 255.255.255.0.
  • Page 162: Working With Ip Filters And Filter Sets

    An approach to using filters The ultimate goal of network security is to prevent unauthorized access to the network without compromising authorized access. Using filter sets is part of reaching that goal. Each filter set you design will be based on one of the following approaches: That which is not expressly prohibited is permitted.
  • Page 163 To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears. Filter Set Name: ADD FILTER SET Naming a new filter set All new filter sets have a default name. The first filter set you add will be called Filter Set 1, the next filter will be Filter Set 2, and so on.
  • Page 164 The Netopia Router Packets in the Netopia 4553 pass through an input filter if they originate in the WAN and through an output filter if they’re being sent out to the WAN. The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination.
  • Page 165 Filter Set Name: Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind.
  • Page 166 Select Source IP Address Mask and enter a mask for the source IP address. This allows you to further modify the way the filter will match on the source address. Enter 0.0.0.0 to force the filter to match on all source IP addresses, or enter 255.255.255.255 to match the source IP address exclusively.
  • Page 167: Deleting A Filter Set

    Select a filter set from the list and press Return. Select CONTINUE and press Return to delete it. A sample filter set This section contains the settings for a filter set called Basic Firewall, which is part of the Netopia 4553’s factory configuration.
  • Page 168 Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN.
  • Page 169 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN.
  • Page 170: Firewall Tutorial

    FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input filter ahead of the current input filter 1: Enabled: Yes Forward: Yes Source IP Address: 0.0.0.0...
  • Page 171: Basic Ip Packet Components

    Basic IP packet components All IP packets contain the same basic header information, as follows: This header information is what the packet filter uses to make filtering decisions. It is important to note that a packet filter does not look into the IP data stream (the User Data from above) to make filtering decisions. Basic protocol types TCP: Transmission Control Protocol.
  • Page 172: Firewall Design Rules

    Firewall design rules There are two basic rules to firewall design: “What is not explicitly allowed is denied.” “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else.
  • Page 173 Logical AND function When a packet is compared (in most cases) a logical AND function is performed. First the IP addresses and subnet masks are converted to binary and then combined with AND. The rules for the logical use of AND are as follows: 0 AND 0 = 0 0 AND 1 = 0...
  • Page 174: Filter Basics

    In the source or destination IP address fields, the IP address that is entered must be the network address of the subnet. A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). The Netopia 4553 has the ability to compare source and destination TCP or UDP ports. These options are as follows:...
  • Page 175: Example Filters

    IP Address 200.1.1.28 255.255.255.128 This incoming IP packet has a source IP address that matches the network address in the Source IP Address field (00000000) in the Netopia 4553. The router will not forward this packet. Incoming Packet Filter Netopia 200.1.1.0 (Source IP Network Address) 255.255.255.128...
  • Page 176 IP Address 200.1.1.184 255.255.255.240 Since the Source IP Network Address in the Netopia 4553 is 01100000, and the source IP address after the logical AND is 10110000, this rule does not match and this packet will be forwarded. 200.1.1.0 (Source IP Network Address) 255.255.255.128...
  • Page 177 IP Address 200.1.1.104 255.255.255.240 Since the Source IP Network Address in the Netopia 4553 is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. Example 5 Filter Rule: Incoming packet has the source address of 200.1.1.96.
  • Page 179: Quick View Status Overview

    “SNMP” on page 12-188 Quick View status overview You can get a useful, overall status report from the Netopia 4553 in the Quick View screen. To go to the Quick View screen, select Quick View in the Main Menu. The Quick View screen has three status sections:...
  • Page 180: General Status

    Domain Name: The domain name you have assigned, typically the name of your ISP. MAC Address: The Netopia 4553’s hardware address, for those interfaces that support DHCP. IP Address: The Netopia 4553’s IP address, entered in the IP Setup screen.
  • Page 181: Current Status

    More Info: Indicates the NAT address in use for this connection. Status lights This section shows the current real-time status of the Netopia 4553’s status lights (LEDs). It is useful for remotely monitoring the router’s status. The Quick View screen’s arrangement of LEDs corresponds to the physical arrangement of LEDs on the router.
  • Page 182: Statistics & Logs

    You can view two different event histories: one for the router’s system and one for the WAN. The Netopia 4553’s built-in battery backup prevents loss of event history from a shutdown or reset.
  • Page 183 WAN Event History The WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top.
      -Date-----Time-----Event------------------------------------------------------
      ----------------------------------SCROLL UP-----------------------------------
      07/03/98 13:59:06
      07/03/98 13:59:05
      07/03/98 13:59:05 >>WAN: data link activated at 1040 Kbps
      07/03/98 13:58:32 --Device restarted-----------------------------------------
      07/03/98 12:46:39 --Device restarted-----------------------------------------
      07/03/98 11:45:57 --Device restarted-----------------------------------------...
  • Page 184 In the Statistics & Logs screen, select Device Event History. The Device Event History screen appears.
      -Date-----Time-----Event------------------------------------------------------
      ----------------------------------SCROLL UP-----------------------------------
      01/22/96 02:03:11
      01/22/96 02:03:11 --BOOT: Warm start v4.3
      01/22/96 02:02:32
      01/22/96 02:02:32 --BOOT: Warm start v4.3
      01/22/96 01:59:50 * IP: Route 0.0.0.0/0.0.0.0 not installed
      01/22/96 01:59:50
      01/22/96 01:59:50 --BOOT: Cold start v4.3
      01/22/96 01:55:07 * IP: Route 0.0.0.0/0.0.0.0 not installed...
  • Page 185: Ip Routing Table

    IP Routing Table Main Menu The IP routing table displays all of the IP routes currently known to the Netopia 4553. Network Address-Subnet Mask-----via Router------Port------------------Type---- ----------------------------------SCROLL UP----------------------------------- 0.0.0.0 255.0.0.0 127.0.0.1 255.255.255.255 127.0.0.1 192.168.1.0 255.255.255.240 192.168.1.1 192.168.1.1 255.255.255.255 192.168.1.1 192.168.1.15 255.255.255.255 192.168.1.15 224.0.0.0...
  • Page 186 12-186 User’s Reference Guide Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err Ethernet Hub ATM SDSL 1 Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err VC Traffic Statistics... Physical Interface The top left side of the screen lists total packets received and total packets transmitted for the following data ports: Ethernet Network Interface...
  • Page 187: System Information

    Bytes Tx : The number of bytes transmitted System Information The System Information screen gives a summary view of the general system level values in the Netopia 4553. From the Statistics & Logs menu select System Information. The System Information screen appears.
  • Page 188: Snmp

    Ethernet MIB (RFC 1643) Netopia MIB These MIBs are on the Netopia CustomerCare CD included with the Netopia 4553. Load these MIBs into your SNMP management software in the order they are listed here. Follow the instructions included with your SNMP manager on how to load MIBs.
  • Page 189: Snmp Traps

    SNMP traps An SNMP trap is an informational message sent from an SNMP agent (in this case, the Netopia 4553) to a manager. When a manager receives a trap, it may log the trap as well as generate an alert message of its own.
  • Page 190 The Netopia 4553 sends traps using UDP (for IP networks). You can specify which SNMP managers are sent the IP traps generated by the Netopia 4553. Up to eight receivers can be set. You can also review and remove IP traps.
  • Page 191 Select an IP trap receiver from the table and press Return. In the Change IP Trap Receiver screen, edit the information as needed and press Return. Deleting IP trap receivers To delete an IP trap receiver, select Delete IP Trap Receiver in the IP Trap Receivers screen. Select an IP trap receiver from the table and press Return.
  • Page 193: Chapter 13 — Utilities And Diagnostics

    A number of utilities and tests are available for system diagnostic and control purposes. This section covers the following topics: “Ping” on page 13-194 “Trace Route” on page 13-196 “Telnet client” on page 13-197 “Factory defaults” on page 13-198 “Transferring configuration and firmware files with TFTP” on page 13-198 “Transferring configuration and firmware files with XMODEM”...
  • Page 194: Ping

    Ping. The Netopia 4553 Router includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender.
  • Page 195 Ping packets. Note that the second return Ping packet is considered to be late because it is not received by the Netopia 4553 before the third Ping packet is sent. The first and third return Ping packets are on time.
  • Page 196: Trace Route

    The time-to-live (TTL) value for each Ping packet sent by the Netopia 4553 is 255, the maximum allowed. The TTL value defines the number of IP routers that the packet can traverse. Ping packets that reach their TTL value are dropped, and a “destination unreachable”...
  • Page 197: Telnet Client

    Select Use Reverse DNS to learn the names of the routers between the Netopia Router and the destination router. The default is Yes. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected.
  • Page 198: Factory Defaults

    Trivial File Transfer Protocol (TFTP) is a method of transferring data over an IP network. TFTP is a client-server application, with the router as the client. To use the Netopia 4553 as a TFTP client, a TFTP server must be available.
  • Page 199: Updating Firmware

    Some models do not support all firmware versions. Loading an incorrect firmware version can permanently damage the unit. Do not manually power down or reset the Netopia 4553 while it is automatically resetting or it could be damaged. If you choose to download the firmware, the TFTP Transfer State item will change from Idle to Reading Firmware.
  • Page 200: Uploading Configuration Files

    Using TFTP, you can send a file containing a snapshot of the router’s current configuration to a TFTP server. The file can then be downloaded by a different Netopia 4553 unit to configure its parameters (see configuration files” on page 13-199).
  • Page 201: Updating Firmware

    Send Config to Netopia... Receive Config from Netopia... Updating firmware Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s network administration. Follow these steps to update the Netopia 4553’s firmware: Make sure you have the firmware file on disk and know the path to its location.
  • Page 202: Downloading Configuration Files

    The system will reset at the end of a successful file transfer to put the new firmware into effect. While the system resets, the LEDs will blink on and off. Caution! Do not manually power down or reset the Netopia 4553 while it is automatically resetting or it could be damaged. Downloading configuration files The Netopia 4553 can be configured by downloading a configuration file.
  • Page 203: Restarting The System

    You can restart the system by selecting the Restart System item in the Utilities & Diagnostics screen. You must restart the system whenever you reconfigure the Netopia 4553 and want the new parameter values to take effect. Under certain circumstances, restarting the system may also clear up system or network malfunctions.
  • Page 205: Configuration Problems

    Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will need to clear the IP address or reset your Netopia 4553 to the factory default before reinitiating the configuration process. For further information on resetting your Netopia 4553 to factory default, see “How to reset the router to factory defaults”...
  • Page 206: Console Connection Problems

    Problems communicating with remote IP hosts Verify the accuracy of the default gateway’s IP address (entered in the IP Setup or Easy Setup screen). Use the Netopia 4553’s Ping utility, in the Utilities & Diagnostics screen, and try to Ping local and remote hosts. See “Ping”...
  • Page 207: How To Reset The Router To Factory Defaults

    Power outages If you suspect that power was restored after a power outage and the Netopia 4553 is connected to a remote site, you may need to switch the Netopia 4553 off and then back on again. After temporary power outages, a connection that still seems to be up may actually be disconnected.
  • Page 208: Technical Support

    If you contact us by telephone, please be ready to supply Netopia Technical Support with the information you used to configure the Netopia 4553. Also, please be at the site of the problem and prepared to reproduce it and to try some troubleshooting steps.
  • Page 209 Online product information Product information can be found in the following: Netopia World Wide Web server via http://www.netopia.com Internet via anonymous FTP to ftp.netopia.com/pub FAX-Back This service provides technical notes that answer the most commonly asked questions and offers solutions for many common problems encountered with Netopia products.
  • Page 211: Appendix B - Technical Specifications And Safety Information

    Dimensions: 124.0 cm (w) x 20.0 cm (d) x 5.3 cm (h) 9.4” (w) x 7.9” (d) x 2.1” (h) Communications interfaces: The Netopia 4553 G.shdsl Router has an RJ-48 jack for DSL connections; an RJ-45 10Base-T Ethernet port for your LAN connection; and a DB-9 Console port.
  • Page 212: Regulatory Notices

    B-212 User’s Reference Guide December 1, 2000 Canada – CSA: CAN/CSA-C22.2 No. 950-95 EMI: FCC Part 15 Class B International Safety Approvals: Low Voltage (European directive) 73/23/EEC EN60950 1992 (Europe) AS/NRZ 3260 (Australia) TS001(Australia) EMI Compatibility: European Directive 89/336/EEC EN 300 368.2-1997 Telco: European Directive 1999/5/EC Regulatory notices...
  • Page 213 It is the responsibility of users requiring service to report the need for service to our Company or to one of our authorized agents. Service can be obtained at Netopia, Inc., 2470 Mariner Square Loop, Alameda, California, 94501. Important This product was tested for FCC compliance under conditions that included the use of shielded cables and connectors between system components.
  • Page 214: Important Safety Instructions

    Do not use the telephone to report a gas leak in the vicinity of the leak. Never install telephone wiring during a lightning storm. Battery The Netopia 4553’s lithium battery is designed to last for the life of the product. The battery is not user-serviceable. Caution!
  • Page 215 Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.
  • Page 217 Netopia warrants to you, the end user, that the Netopia 4553™ G.shdsl Router (the “Product”) will be free from defects in materials and workmanship under normal use for a period of one (1) year from date of purchase. Netopia’s entire liability and your sole remedy under this warranty during the warranty period is that Netopia shall, at its sole option, either repair or replace the Product.