LevelOne GBR-4001 User Manual

GBR-4001
4-WAN Gigabit Broadband VPN Router

User Manual

V1.0
Digital Data Communications Asia Co., Ltd.
http://www.level1.com


Summary of Contents for LevelOne GBR-4001

  • Page 1: User Manual

    GBR-4001 4-WAN Gigabit Broadband VPN Router User Manual V1.0 Digital Data Communications Asia Co., Ltd. http://www.level1.com...
  • Page 2: Table Of Contents

    Table of Contents (p. II); Introduction (p. 1); Factory settings (p. 1); Contact Us (p. 1); Chapter 1. Product Overview (p. 2); Key characteristics (p. 2); Specifications (p. 3); Chapter 2. Hardware Installation (p. 4); Panel description (p. 4); Precaution for installation ...
  • Page 3
    6.4.3 DHCP auto binding (p. 35); 6.4.4 DHCP client list (p. 35); 6.4.5 Case of DHCP configuration (p. 36); DDNS Settings (p. 38); 6.5.1 DDNS authentication (p. 39); UPnP (p. 40); Chapter 7. Advanced Configuration (p. 41); NAT and DMZ configuration (p. 41); Description of NAT functions ...
  • Page 4
    Application Control (p. 83); 9.2.1 Application Management List (p. 84); Internet Application Management Settings (p. 84); 9.2.2 Internet Application Management (p. 86); 9.2.3 QQ white list (p. 88); TM Whitelist (p. 90); Notification (p. 91); 9.5.1 Daily Routine Notification (p. 92); Account expiration notification ...
  • Page 5
    13.2 Language (p. 155); 13.3 Time (p. 155); 13.4 Configuration (p. 157); 13.5 Firmware Upgrade (p. 158); 13.6 Remote Management (p. 159); 13.7 Scheduled task (p. 160); Chapter 14. System (p. 162); 14.1 Interface Status (p. 162); 14.2 System information (p. 162); System log ...
  • Page 6: Introduction

    The factory user name of the system administrator is admin, and the factory password is admin (case-sensitive). Contact Us: If you have any questions during installation or use, please contact us in one of the following ways. Customer service: 0800-011-110; LEVELONE discussions: http://www.level1.com; E-mail support: support@level1.com ...
  • Page 7: Chapter 1. Product Overview

    Chapter 1. Product Overview. Key characteristics: supports DSL, FTTX+LAN, Cable Modem and other access modes; supports the configuration of dynamic WAN ports; supports traffic load balancing and line backup; supports policy routing; supports the intelligent bandwidth management function ...
  • Page 8: Specifications

    Supports UPnP; supports dynamic domain names (3322.org, iplink.com.cn); supports HTTP remote management; supports the WEB upgrading mode; supports backup and import of WEB configuration files; supports filtering of MAC addresses. Specifications ...
  • Page 9: Chapter 2. Hardware Installation

    Chapter 2. Hardware Installation. Panel description: Figure 2_1 Front Panel - GBR-4001; Figure 2_2 Rear Panel - GBR-4001. LED description: Power indicator: constantly on when the power supply is working properly.
  • Page 10: Precaution For Installation

    Chapter 2 Hardware Installation. The number of WAN interfaces depends upon the product model. Console port: an asynchronous serial communication port that meets the RS232 standard; some products support the Console port. Table 2_2 Description of interfaces. Reset button: The Reset button can be used to recover the device's factory settings when you forget the administrator password.
  • Page 11: Hardware Installation

    Chapter 2 Hardware Installation The PC with Ethernet card and Internet Protocol (TCP/IP) installed. Power socket. Preparation of tools and cables: Phillips screwdriver, network cable. Hardware Installation Before installing the device, make sure the broadband service is normal. If you cannot access, please contact operators (ISP) to resolve the problem.
  • Page 12: Hardware Connection

    Chapter 2 Hardware Installation. Figure 2_4 Product rack installation drawing II. Hardware connection: 1. Establish a LAN connection: connect the LAN port of the router to a PC, a hub or a switch in the LAN with a network cable. 2.
  • Page 13: Chapter 3. Login To The Device

    Login to the device This chapter describes how to configure the correct network settings for the network computers, how to log on to the appliances and how to use shortcut icons to quickly link to the GBR-4001 website for product information and services.
  • Page 14: Login To The Device

    Chapter 3 Logging Device
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
    If the screen is shown as follows, it indicates that the connection between the computer and the...
  • Page 15 Chapter 3 Logging Device Figure 3-1. On first use, you should log in as the system administrator, that is, enter the administrator user name and password (the factory values of user name and password are Admin, case sensitive) on the login interface, and then click <OK>. Figure 3_1 WEB login interface. If the user name and password are correct, the browser displays the home page of the WEB management interface, as shown in Figure 3-2.
  • Page 16 The top-right corner of the page displays device model, software version, hardware version and three fast link icons. These 3 shortcut icons have the following functions: Product Discussion– Link to the discussion forums of LEVELONE’s official website to participate in discussions about the product.
  • Page 17: Chapter 4. Configuration Wizard

    Chapter 4. Configuration Wizard. By reading this chapter, you can understand the basic network parameters the device needs to access the Internet, and how these parameters are configured to connect the device to the Internet. Before configuring "Internet Line"...
  • Page 18: Wan1 Port Configuration - Static Ip Access

    Chapter 4 Configuration Wizard Figure 4_2 Configuration Wizard - Dynamic IP access WAN1 port configuration - Static IP access If your Internet access mode is fixed IP access, please select " Static IP access" in the drop-down list box of Figure 4-3. The following describes the meaning of the parameters for configuration of fixed IP access.
  • Page 19 Chapter 4 Configuration Wizard box of Figure 4_4. The following describes the meaning of the parameters for PPPoE access. Figure 4_4 Configuration wizard - PPPoE access User name: Type in the user name the ISP provides you. If you have any questions, please ask your ISP.
  • Page 20: Chapter 5. Start Menu

    Chapter 5. Start menu. The Start menu is located at the top of the Level 1 menu bar of the WEB interface and provides the entry to 4 common pages: configuration wizard, running status, Interface Traffic, and device reboot.
  • Page 21: Interface Traffic

    Chapter 5 Start Menu. Interface Traffic: This section describes the Start-> Interface Traffic page, as shown in Figure 5_2. You can view the average, maximum, sum and current real-time rate at which the relevant ports receive and send data, in either of two units (kbit/s and KB/s). Tip: If this page fails to display properly, please click the hyperlink "if it does not display properly, please install svgviewer"...
  • Page 22: Restart Device

    Chapter 5 Start Menu black etc. Flip: Click the Flip button to swap the colors used for received and sent data. Restart Device: If you need to restart the device, enter the Start-> Restart device page and click <Restart>. Figure 5_3 Restart device. Tip: Upon restarting, all users will be disconnected from the device.
  • Page 23: Chapter 6. Network Parameters

    Chapter 6 Network parameters Chapter 6. Network parameters In the network parameter menu, you can configure the basic network parameters for the device, including WAN/LAN configuration, DHCP server, DDNS configuration, UPnP and WAN port number configuration. Configuration of WAN port This section focuses on the configuration interface and methods of Network parameters —>...
  • Page 24 Chapter 6 Network parameters Figure 6_1 Configuration of WAN port Dynamic IP access As shown in Figure 6_1, the following describes the meaning of the parameters for dynamic IP access. Interface: Selects the appropriate interface for the device. Access mode: Selects "Dynamic IP access" here. Operator policy: Selects the operator of the interface, with the options as follows: Operator policy, Telecom, China Unicom and China Mobile respectively.
  • Page 25 Chapter 6 Network parameters modification. Interface mode: Sets the duplex mode and rate for interfaces. Options are: Auto (adaptive), 10M-FD (10M full duplex), 10M-HD (10M half duplex), 100M-FD (100M full duplex), 100M-HD (100M half duplex), 1000M-FD (1000M full duplex, supported by Gigabit devices).
  • Page 26 Chapter 6 Network parameters Primary DNS server, secondary DNS server: The DNS server address the operator provides to you. For the working mode in the advanced options, MAC address, interface mode, please refer to the configuration of dynamic access. PPPoE access Figure 6_3 PPPoE access The interface as shown in Figure 6_3 is the configuration interface for PPPoE access.
  • Page 27: Internet Connection List

    Chapter 6 Network parameters previous dial-up disconnection occurs. Manual dial-up: Users may click the related buttons below the "Line connection information list" of Network parameters —> WAN configuration to manually connect and hang up. On-demand dialing: The device connects automatically when there is Internet traffic from the Intranet.
  • Page 28 Chapter 6 Network parameters Figure 6_5 Internet Connection List information (Continued Figure 6_4) Interface: This column displays the WAN port of the device. Connection type: The connection type of the current Internet access lines, including fixed access, dynamic access, PPPoE access. Connection status: The current connection status of the lines.
  • Page 29: Line Combination

    Chapter 6 Network parameters Figure 6_6 Internet Connection List - PPPoE access. Update and release of dynamic IP access lines: If a line is a dynamic IP access line, then when you click on the interface, the "Update" and "Release" buttons are displayed below the "Line connection information list", as shown in Figure 6_7. Figure 6_7 Internet Connection List - Dynamic IP access. Update: The system automatically completes the process of releasing the IP address and then obtaining an IP address again.
  • Page 30: Description Of Line Combination Function

    Chapter 6 Network parameters 6.2.1 Description of line combination function. Line detection mechanism: Regardless of the line combination mode, the network must not be interrupted when a line fails, which requires that the device be able to monitor line status in real time. To this end, we designed a flexible automatic detection mechanism and provide a variety of line detection methods for users to choose from, to meet practical application needs.
  • Page 31: Global Settings

    Chapter 6 Network parameters "backup line" group are collectively known as backup line. All lines are main lines by default. Users can divide some lines into the "Backup line" group as needed. The device provides two line combination modes, "All line load balancing" and "Partial line load balancing while the other backed up".
  • Page 32 Chapter 6 Network parameters Figure 6_8 Full Load Balancing Line load balancing mode: " Full Load Balancing " is selected here. Save: The line combination configuration parameters take effect. Refill: Restores to the configuration parameters before modification. Tip: Line combination mode is " Full Load Balancing " by default. Partial Load Balancing Figure 6_9 Partial Load Balancing Line combination mode: "...
  • Page 33: Load Balancing List

    Chapter 6 Network parameters Save: The line combination configuration parameters take effect. Refill: Restores to the configuration parameters before modification. 6.2.3 Load Balancing List In the Network parameter -> Load Balancing -> Load Balancing List page, you can view the information of configuration line.
  • Page 34: Identity Binding

    Chapter 6 Network parameters Figure 6_11 Detection and Bandwidth. Detection interval: The time interval for sending inspection packets, in seconds. When line detection is enabled, the value range is 1-60 (a value of 0 means line detection is not enabled).
  • Page 35: Configuration Of Lan Port

    Chapter 6 Network parameters connection line, all the online banking sessions of this user will go out from the WAN2 port until the user logs out. Figure 6_12 Enabling identity binding. Enable identity binding: Enables/disables the identity binding function. If multiple lines are configured, please enable the device's identity binding function so that apps such as QQ and online banking work normally.
  • Page 36: Dhcp Server

    Chapter 6 Network parameters IP address: Sets the LAN IP addresses, and the first IP address is 192.168.1.1 by default, while the other three IP addresses are 0.0.0.0 by default. Subnet mask: Sets the subnet mask of the corresponding IP address, which is 255.255.255.0 by default.
  • Page 37 Chapter 6 Network parameters Figure 6_14 Configuration of DHCP service Enable DHCP server: Used to disable or enable the device's DHCP server function. Selecting it means allow. Start and end IP address: The IP address fields the DHCP server assigns to the network computer automatically (which should be on the same network segment as the IP address of the device LAN port).
  • Page 38: Static Dhcp

    Chapter 6 Network parameters a client as primary, secondary DNS servers. Operator DNS servers 1, 2: The IP address of operator DNS server. Tip: If the device's DHCP server function is to be used, network computer's TCP/IP protocol can be set to "obtain an IP address automatically". If what's originally used by the user is a proxy server software (such as Wingate), and the PC's DNS server is set as the IP address of the proxy server, then the LAN IP address of the device only needs to be set to the same IP address, so that the user can switch to using the...
  • Page 39 Chapter 6 Network parameters Figure 6_15 Static DHCP list Static DHCP configuration Click <Add new entry> in the page as shown in Figure 6_15, to enter into the Static DHCP configuration page as shown in the figure below. Below is a description of the meaning of the parameters for configuring static DHCP.
  • Page 40: Dhcp Auto Binding

    Chapter 6 Network parameters Tip: After the setting is successful, the device will assign the preset IP address for the specified computer in a fixed way. The assigned IP addresses must be within the range provided by the DHCP server. 6.4.3 DHCP auto binding Below is the description of DHCP automatic binding function.
  • Page 41: Case Of Dhcp Configuration

    Chapter 6 Network parameters Figure 6_18 DHCP client list 6.4.5 Case of DHCP configuration. Application requirements: In this example, the device must have the DHCP function enabled, with a starting address of 192.168.1.10 and a total of 100 allocable addresses. The host with the MAC address 00:21:85:9B:45:46 is assigned the fixed IP address 192.168.1.15, while the host with the MAC address 00:1F:3C:0f:07:F4 is assigned the fixed IP address 192.168.1.10.
  • Page 42 Chapter 6 Network parameters Figure 6_19 DHCP service settings - Instance The third step is to enter the Network parameters -> DHCP server-> Static DHCP page, and click <Add new entry>, to configure the two static DHCP instances in the request (such as Figure 6_20, Figure 6_21).
  • Page 43: Ddns Settings

    Chapter 6 Network parameters Figure 6_21 Static DHCP configuration - Instance B At this point, the configuration is complete, and you can view the information about 2 static DHCP entries in the "Static DHCP information list", as shown in Figure 6_22. If configuration errors are found, you can click the corresponding item's icon directly and enter into the Static DHCP configuration page for modification and saving.
  • Page 44: Ddns Authentication

    DDNS service provider may charge some fee for using DDNS services in providing network services. In this case, LEVELONE will give a notice as soon as possible. If you refuse to pay such expenses, you cannot use the related services. At the free stage, LEVELONE does not guarantee the DDNS service must be able to meet the requirements, nor guarantee the service will not be uninterrupted, nor guarantee the timeliness, safety, and accuracy of network services.
  • Page 45: Upnp

    Chapter 6 Network parameters UPnP: Universal Plug and Play (UPnP) is an architecture for common peer network connections used by PCs and intelligent devices (or instruments). Using UPnP means simpler, more choices and more innovative experiences. Network products supporting Universal Plug and Play need only be physically connected to the network to begin working.
  • Page 46: Chapter 7. Advanced Configuration

    Internet, it is reflected as a limited range of public network IP addresses. Since the internal network can be effectively isolated from the outside world, NAT can also provide some assurance for network security. LEVELONE routing products provide a flexible NAT function. The following details its characteristics. NAT address space...
  • Page 47: Port Forwarding

    Chapter 7 Advanced Configuration (DMZ host) needs to be set up on the device in order to achieve this objective. With the static NAT mapping function, a one-to-one mapping relationship can be established between <External IP address + External port> and <Internal IP address + Internal port>, so that all service requests for a specified port of the device are forwarded to the matching intranet server, and computers in the external network can access the services provided by this server.
  • Page 48 Chapter 7 Advanced Configuration Port Forwarding list Figure 7_1 Port Forwarding list Tip: After enabling certain functions of the system, the list displays some NAT static mapping entries (A static mapping entry named as "admin" is added in the list after remote management is enabled in Systems management ->...
  • Page 49 Chapter 7 Advanced Configuration Figure 7_2 Port Forwarding Settings Static mapping name: The name of static NAT mapping, which is custom and cannot be repeated. Enable this configuration: Selecting it indicates that the static NAT mapping takes effect, and not selecting it means that the static NAT mapping does not take effect, but retains its configuration.
  • Page 50: Nat Rules

    Chapter 7 Advanced Configuration 7.1.3 NAT rules The NAT rules features of the device are described below, including: NAT rule info lists, meaning of Easy IP NAT rules configuration parameters, meaning of One2One NAT rules configuration parameters. List of NAT rules information In NAT rules information list, you can see the configured NAT rules.
  • Page 51 Chapter 7 Advanced Configuration Figure 7_4 Easy IP. Rule name: Customizes the name of the NAT rule. NAT type: Selects EasyIP here, which means the internal IP addresses are mapped to the same external IP address. External IP address: In the NAT rule, the external IP address mapped to the internal IP addresses.
  • Page 52: Dmz

    Chapter 7 Advanced Configuration subject to one-to-one mapping. External starting IP address: In the NAT rule, the external starting IP address mapped to the internal starting IP address. Tip: Each One2One rule can only bind 20 external addresses at maximum. "External starting IP address"...
  • Page 53: Nat And Dmz Configuration Instances

    Chapter 7 Advanced Configuration 7.1.5 NAT and DMZ configuration instances. This section describes specific instances of NAT and DMZ configuration, including: static NAT mapping instances, and instances with the NAT rule type EasyIP or One2One. Instance of static NAT mapping configuration: Intranet computer 192.168.1.99 runs a service on TCP port 80, and this service is to be reached through port 80 of the WAN1 port.
  • Page 54 Chapter 7 Advanced Configuration "Rule name". The third step is to select "NAT type" as "EasyIP". The fourth step is to fill in 218.1.21.3 in the "External IP address". Fill in 192.168.1.10 and 192.168.1.100 in "Internal starting IP address" and "Internal ending IP address" respectively. The fifth step is to select the rule-bound interface as WAN1 port.
  • Page 55: Static Route Settings

    Chapter 7 Advanced Configuration the fixed IP access to the default Internet line in the Network parameters —> WAN port configuration page, or directly enter the Start--> Configuration wizard > Network parameters page to configure the line. After the default Internet access line is configured correctly, the system-reserved NAT rules corresponding to the default line are generated automatically, and the NAT function is enabled automatically.
  • Page 56 Chapter 7 Advanced Configuration Static route is manually configured by a network administrator, making the transmission of packets to the specified destination network be realized according to the predetermined path. Static routing does not change with changes in the structure of the network, therefore, when network structure changes or there is a network failure, you need to manually modify the static routing information in the routing table.
  • Page 57: Policy Routing

    Chapter 7 Advanced Configuration Routing name: The name of static routes (custom, no repetition). Enable this configuration: Enables this static route. Selecting it means enabled, while deselecting it means the route is disabled. Destination network: The destination network number for this static route. Subnet mask: The mask of the destination network for this static route.
  • Page 58: Enable Policy Routing

    Chapter 7 Advanced Configuration 7.3.1 Enable policy routing. Figure 7_12 Policy routing list. Enable policy routing: This is the global switch of policy routing. Only after it is enabled can the configured policy routes take effect. Move to: Users can sort the policies as needed using this button. 7.3.2 Policy routing configuration: Click <Add new entry>...
  • Page 59 Chapter 7 Advanced Configuration Figure 7_13 Policy routing configuration Interface: Sets the physical interface bound by the policy routing, and the packets that meet the conditions of policy routing will be forwarded from the bound interface. Policy route name: Customizes the name of the policy. Source address: The source IP address of the packets following this policy route, which can be configured in two ways.
  • Page 60: Anti-Netsniper

    Chapter 7 Advanced Configuration protocol is ICMP, the port range need not be configured. Effective time setting: Selects the time period during which the policy route takes effect; the default date is "Every day" and the default time is "All day". You can go to the Advanced settings —> Configure policy route page to edit the time during which the policy route takes effect.
  • Page 61: Port Vlan

    Chapter 7 Advanced Configuration configuration interface is shown in the figure below. Figure 7_15 Port mirroring. Enable mirroring: Check it to enable this feature. When the HiPER 840G device supports two or more LAN ports, the port mirroring function can work.
  • Page 62 Chapter 7 Advanced Configuration Figure 7_16 Port VLAN list VLAN group number: Displays the VLAN group number of the VLAN. VLAN group name: Displays the VLAN group name of the VLAN. VLAN members: Displays the members to the VLAN. Port VLAN Figure 7_17 Port VLAN settings VLAN group number: Sets the VLAN group number.
  • Page 63: Syslog Configuration

    Chapter 7 Advanced Configuration A VLAN can contain more than one port, and one port can belong to more than one VLAN. Instances of Port VLAN Requirements: The host under the LAN1 port can communicate with the hosts under the LAN2, LAN3 ports, but those under the LAN2 and LAN3 ports cannot access to each other.
  • Page 64: Chapter 8. User Management

    Chapter 8 User Management Chapter 8. User management This chapter describes the secondary menu under the primary menu of user management, including: User state, IP/MAC binding, PPPoE server, WEB authentication, user group configuration. User status This section describes the User management-> User status page. Administrators can understand all intranet users' net behaviors, the traffic occupied by the net behaviors and the status of each user, and so on by viewing, analyzing the pie charts and lists in this page.
  • Page 65 Chapter 8 User Management disabled. The following describes the list of user status information, through checking of which, administrators can learn about each online user's online time, real-time upload/download rate, total uplink/downlink traffic, net behaviors, etc. Figure 8_2 User status information list The first column of user status information displays if each user's net behaviors are affecting work, whose status includes: Severe (red), minor (yellow), normal (green).
  • Page 66: Ip/Mac Binding

    Chapter 8 User Management Total uplink, downlink traffic: Displays the total uplink and downlink traffic of Intranet users. Online time: Displays the user's online time. Group: Displays the group to which the user belongs. Net behavior: Displays the user's net behaviors. Settings: Click the icon.
  • Page 67: Ip/Mac Binding List

    Chapter 8 User Management 8.2.1 IP/MAC binding list Figure 8_3 IP/MAC binding global configuration Allow non-IP/MAC bound user to connect to the device: Allows or disallows the non-IP/MAC bound users to connect to the device, and access to other networks through the device.
  • Page 68: Ip/Mac Binding Configuration

    Chapter 8 User Management Tip: Before deciding to cancel the "Allow non-IP/MAC bound user to connect to the device" function, you must make sure that the management computer has been added to the "IP/MAC binding information list", otherwise it will cause the management computer to be unable to connect to the device.
  • Page 69: Ip/Mac Binding Instances

    Chapter 8 User Management Binding: Binds all the IP/MAC entries in the text box. Tip: In the above input format, there may be one or more spaces between the IP and MAC, and between the MAC and user name. Invalid entries are skipped by the system when binding. 8.2.3 IP/MAC binding instances: By flexibly using the IP/MAC binding feature, you can configure a "white list"...
  • Page 70 Chapter 8 User Management Figure 8_6 IP/MAC binding information list – Instance I Configure "Black list" of Internet access for intranet users, following these steps: First, specify the illegal user by configuring the IP/MAC binding entries, and there are two methods: Use the IP address of the host that is prohibited from Internet access and the MAC address of any of the non-intranet adapter as the IP/MAC address binding pair, and add it into the...
  • Page 71 Chapter 8 User Management Figure 8_7 IP/MAC binding information list – Instance II For example, if you want to prohibit a host with the IP address of 192.168.1.30 and the MAC address of 0021859b2564 from connecting and passing the device, you can add an IP/MAC address binding pair, enter the host's IP address and MAC address, and deselect "Allow"...
  • Page 72: Pppoe Server

    Chapter 8 User Management PPPoE Server: This section describes the device's PPPoE function, including: PPPoE introduction, PPPoE global configuration of the device, configuration of PPPoE accounts and viewing of PPPoE connection status. 8.3.1 PPPoE introduction: PPPoE (Point-to-Point Protocol over Ethernet) allows a host on the Ethernet to connect to the Internet through a simple access device.
  • Page 73: Pppoe Global Settings

    Chapter 8 User Management same as that in the PADI packet. If the PPPoE server cannot provide services to the PADI, it is not allowed to respond with a PADO packet. PADR: Since the PADI is sent as a broadcast, the PPPoE client may receive more than one PADO packet; it reviews all the PADO packets received, chooses a PPPoE server based on the server name or the services offered in them, and then sends a PADR (PPPoE Active Discovery Request) packet to the selected server.
  • Page 74 Chapter 8 User Management Figure 8_10 PPPoE Global Settings Enable PPPoE server: Enables/disables the PPPoE server function of the device. Select it to enable. Forcing PPPoE authentication: Enabling it means to only allow the users who pass the intranet PPPoE authentication to access the Internet. Exception address group: After the device enables the forcing PPPoE authentication, the users of the address group can communicate with external network without dial-up authentication, and the address group needs to be configured in the User management ->...
  • Page 75: Pppoe Account Configuration

    Chapter 8 User Management system to be established. Tip: Steps for PPPoE users to change the dial-up password: 1) Users open the dial-up client and dial up using the user name and password. 2) After a successful dial-up, log into the self-service page, whose address is http://192.168.1.1/poeUsers.asp (the address is the LAN IP address of the device).
  • Page 76 Chapter 8 User Management User name: The user name of PPPoE dial-up users. Enable: If the user is allowed to access the Internet. Checking it means allow. Fixed IP address: Displays the IP address bound to that user name. Charging mode: When the charging feature is enabled, the "by date" will be displayed (which currently supports charged by date).
  • Page 77: Pppoe User Status

    Chapter 8 User Management User name: The account (custom, not repeatable) used by users in initiating PPPoE connections for the PPPoE server to authenticate, the value range is: 1-31 characters. Password: The password used by users in initiating PPPoE connections for the PPPoE server to authenticate.
  • Page 78: Export Pppoe Accounts

    Chapter 8 User Management you can view the account information in use; if users connect to the PPPoE server with a configured user name, the list shows the IP address the PPPoE server assigned to the user, the user's MAC address, the online time of the PPPoE connection, upload/download rates, etc.
  • Page 79: Import Pppoe Accounts

    Chapter 8 User Management Figure 8_14 Export PPPoE Accounts. Export account: Click this button to export all PPPoE accounts in the list, including the user name and password of each account, in .txt format. 8.3.6 Import PPPoE Accounts. Figure 8_15 Import PPPoE Accounts. Tip: When configuring PPPoE accounts to be imported and bound in batch, the input format is "Account + password", for example, test 123456; each row can have only one configuration...
  • Page 80: Instance Of Pppoe Server Configuration

    Chapter 8 User Management 8.3.7 Instance of PPPoE server configuration Demand: Only the users authenticated by the Intranet can access the Internet. Now, 3 accounts are configured for intranet users, and their user names are test1, test2, and test3 respectively. Initial passwords are: password1, password2, password3, in which test1, test2 are separately bound with 10.0.0.1, 10.0.0.2 and the charging feature is enabled (the using period of the account is from October 1, 2012 to December 31, 2013) and a notification is issued 15 days prior to account expiration;...
  • Page 81 Chapter 8 User Management Figure 8_17 PPPoE account Settings Repeat Step 2, and configure the account with the PPPoE user name as test2. Bind it with 10.0.0.2. Configure the account of test3, and set the maximum number of sessions for its account to 5.
  • Page 82: Web Authentication

    Chapter 8 User Management WEB authentication 8.4.1 WebAuth Global Settings Enter the User management->WEB certification page to configure the WEB authentication feature of the device. WEB authentication is used to verify that Intranet users have permission to access the Internet: after this feature is enabled, Intranet users cannot access the Internet unless they pass WEB authentication.
  • Page 83: Web Authentication Account List

    Chapter 8 User Management Window title: The title of the custom WEB authentication pop-up window. Window tip text: Tip text for the custom WEB authentication pop-up window. Network image link: Enter the network link (URL) of an image to use as the background of the WEB authentication pop-up window.
  • Page 84 Chapter 8 User Management User name: Displays/configures the user name of the WEB authentication user. Concurrent number: Displays the number of users using the same WEB authentication. User status: Displays the connection status of the WEB authentication users, including: not used, in use.
  • Page 85: Web Authentication Client Status

    Chapter 8 User Management 2. How WEB authenticated users go offline safely 1) Users open the browser and authenticate with their user name and password. 2) After successful authentication, in the dialog box that reports success, click Go off line safely. 3) Click OK in the web page message dialog box that opens.
  • Page 86: User Group Settings

    Chapter 8 User Management User Group Settings In the User management -> User Group Settings page, click <Add new entry> in the "User group configuration list" to enter the page shown in Figure 8_24. Figure 8_23 User group list Figure 8_24 User group Settings Group name: Customizes the group name of the user group.
  • Page 87: Chapter 9. App Control

    Chapter 9 App Control Chapter 9. App Control The features described in this chapter include time period, net behavior management, QQ white list, MSN white list and electronic notifications. Schedule Settings Enter the App Control -> Schedule Settings page, and click "Add new entry" to enter the configuration page shown in Figure 9_2.
  • Page 88: Application Control

    Chapter 9 App Control Figure 9_2 Schedule Settings Application Control This section describes the net behavior management list and net behavior management configuration in the App Control -> Application Control page. http://www.level1.com Page 83...
  • Page 89: Application Management List

    Chapter 9 App Control 9.2.1 Application Management List Enter the Behavior management-> Net behavior management page, to enable the net behavior management feature in this page, and view the net behavior management information configured in the list of net behavior management information. Figure 9_3 Application Management List Enable net behavior management: Checking it means to enable the net behavior management feature.
  • Page 90 Chapter 9 App Control messages, forums, etc. Effective time setting: Sets the time when the net behavior management instance takes effect. Tip: When a net behavior management feature does not take effect, make sure that the policy library is up-to-date.
  • Page 91: Internet Application Management

    Chapter 9 App Control Figure 9_4 Internet Application Management Settings 9.2.3 Internet Application Management Demands In order to control its employees' net behavior, a company prescribes, according to its actual needs, that the use of QQ, MSN and other chat software, stock and game software, the checking of stock and game site information, and access to shopping websites are prohibited during working time.
  • Page 92 Chapter 9 App Control The R & D Department (address: 192.168.1.100-192.168.1.129) prohibits the use of chat software. The company's working hours are: Monday-Friday, 9 o'clock -18 o'clock. Analysis From above, 2 net behavior management policies are configured based on the requirements of the company's net behavior management.
  • Page 93: Qq White List

    Chapter 9 App Control Figure 9_5 Internet Application Management Figure 9_6 Internet Application Management (Continued Figure 9_5) QQ white list QQ white list refers to the QQ users who are defined to be allowed to log on after QQ is...
  • Page 94 Chapter 9 App Control prohibited in the Net behavior management page. Enter the App Control-> QQ white list page, after the QQ white list feature is enabled, click "Add new entry" to add QQ white list users in the QQ white list configuration page. Figure 9_7 QQ white list Allow 400/800 Business QQ: Checks to allow 400/800 Business QQ.
  • Page 95: Tm Whitelist

    Chapter 9 App Control Figure 9_8 Import QQ Accounts Tip: The maximum number of QQ numbers supported by this version is 4294967295. TM Whitelist Aliwangwang White List refers to the Aliwangwang users allowed to log in after Aliwangwang is prohibited in the Net behavior management page. Enter the App Control ->...
  • Page 96: Notification

    Chapter 9 App Control Figure 9_9 Trademanager Whitelist Enable Aliwangwang white list: Check to enable the Aliwangwang white list feature. Notification Enter the App Control -> Notification page to configure routine business notification and account expiration notification. A notification is a notice that the device sends to Intranet users, in the form of a web page, when they access a website.
  • Page 97: Daily Routine Notification

    Chapter 9 App Control 9.5.1 Daily Routine Notification Figure 9_10 Daily Routine Notification Enable: Checks to enable the Routine business notification feature. Notification network segment: Sets the address range of routine business notification, which can only contain 65535 addresses at maximum. Notification title, content: Sets the title and content of the routine business notification.
  • Page 98: Account Expiration Notification

    Chapter 9 App Control Effective frequency: Sets the frequency of the routine business notification. Preview page: Click this button to preview the configured notification contents. Save: After you click <Save>, the specified Intranet users will receive the routine business notification sent by the device the first time they access a web page within the effective time period.
  • Page 99: Application Audit

    Enable web logs: Enables the web log to view the records of Intranet users' access to webpages in the Behavior audit page. Such as “2012-12-03 15:07:47 srcip=10.0.0.10; url=www.Levelone.com.cn”, which means that the users whose Intranet IP address is 10.0.0.10 at 15:07 on December 3, 2012 visited www.Levelone.com.cn.
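    The web log format quoted above ("<date time> srcip=<IP>; url=<host>") is simple enough to post-process outside the device, which is useful once the device's own buffer of recent records has rolled over. The following is an added example, not code from the manual or from the GBR-4001 firmware: a small parser for that line format plus two defender-side queries (requests per Intranet host, and which hosts visited a given domain). The record layout is taken from the manual's example line; the sample log below is constructed for this example, and the extra malformed lines show that the parser skips rather than trusts anything that does not match the format.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# One record per line: "<YYYY-MM-DD HH:MM:SS> srcip=<IPv4>; url=<host[/path]>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"srcip=(?P<src>[^;\s]+); url=(?P<url>\S+)$"
)

# Constructed sample log. The first line is the one quoted in the manual;
# the rest are made up, including two malformed lines a parser must tolerate.
SAMPLE_WEB_LOG = """\
2012-12-03 15:07:47 srcip=10.0.0.10; url=www.Levelone.com.cn
2012-12-03 15:08:02 srcip=10.0.0.11; url=www.Levelone.com.cn/bbs/
2012-12-03 15:09:15 srcip=10.0.0.10; url=www.example.com/index.html
2012-12-03 15:10:00 srcip=not-an-ip; url=www.example.com
this line is not a web log record
"""


def parse_web_log_line(line):
    """Return a dict for one record, or None if the line is malformed."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # reject records whose source is not a valid IP address
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "srcip": str(src),
        "url": m.group("url"),
        # host part only, lower-cased, so "www.X.com/bbs/" and "WWW.X.COM" compare equal
        "host": m.group("url").split("/", 1)[0].lower(),
    }


def parse_web_log(text):
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_web_log_line(line)
        if rec is not None:
            records.append(rec)
    return records


def requests_per_host(records):
    """Count records per Intranet source IP."""
    return Counter(rec["srcip"] for rec in records)


def sources_that_visited(records, domain):
    """Intranet IPs that visited `domain` or any of its subdomains, in address order."""
    domain = domain.lower()
    hits = {
        rec["srcip"]
        for rec in records
        if rec["host"] == domain or rec["host"].endswith("." + domain)
    }
    return sorted(hits, key=lambda ip: int(ipaddress.ip_address(ip)))


if __name__ == "__main__":
    recs = parse_web_log(SAMPLE_WEB_LOG)
    print(len(recs), "records parsed")
    print(requests_per_host(recs).most_common())
    print(sources_that_visited(recs, "levelone.com.cn"))
```

    Feeding exported logs through this kind of parser is also the place to add the check the device cannot do for you: a source IP that appears in web logs but not in the PPPoE or WEB authentication client lists is worth a look.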
  • Page 100: Policy Database

    Chapter 9 App Control Enable behavior-blocking log: Enable the behavior-blocking log to view the user records filtered by the behavior management PDB. Figure 9_13 Internet Audit Note: Net behavior audit can record the latest 400 log information. Policy Database This section describes the App Control - Policy Database page and operating procedures. The system provides 11 different types of policies at present, including: emails, IM, P2P, STOCK, online video, online games, shopping websites, social networking sites, web games, forums, etc.
  • Page 101 Chapter 9 App Control Figure 9_14 Policy Database list The following describes the meaning of the parameters in the policy library info list. Name: The name of a policy. Type: The type of a policy, for example, QQ is of the IM type as shown in the above figure. Notes: A detailed description of a policy.
  • Page 102: Chapter 10. Qos

    Chapter 10 QoS Chapter 10. QoS This chapter describes the fine rate limit, flexible bandwidth and connection limit features. 10.1 Fixed Rate Limiting This section describes the QoS -> Fixed Rate Limiting page and the meaning of its configuration parameters. Users can limit the upload and download rates of the Intranet users in an address segment through the fine rate limit feature, in order to achieve a rational distribution and utilization of bandwidth.
  • Page 103: Flexible Bandwidth

    Chapter 10 QoS Fixed Rate Limiting Rule Settings Click <Add new entry> in the above figure to enter the Fixed Rate Limiting Rule Settings page. The following describes the meaning of the parameters for configuring fine rate limit. Figure 10_2 Fixed Rate Limiting Rule Settings Group name: Customizes the group name of the instance of the fine rate limit, which cannot be the same as another instance name.
  • Page 104 Chapter 10 QoS Tip: It is not recommended to enable the flexible bandwidth feature and the fine rate limit feature at the same time. Figure 10_3 Flexible Bandwidth Enable flexible bandwidth: Check to enable the flexible bandwidth feature. Uplink and downlink bandwidth of WAN1: Sets the uplink and downlink bandwidth of WAN1 as subscribed from the ISP; on Gigabit devices the custom maximum value can be set to 1000M.
  • Page 105: Session Limiting

    Chapter 10 QoS 10.3 Session Limiting This section describes the QoS-> Session Limiting page. By setting the numbers of connections, you can define the maximum total number of connections, and the maximum numbers of TCP, UDP and ICMP connections, that the device allows each host in the Intranet to establish.
  • Page 106 Chapter 10 QoS Under normal circumstances, the maximum number of sessions should not be set too low, so it is recommended that "the number of TCP connections" is not less than 100, "the number of UDP connections" is not less than 50, and "the number of ICMP connections" is not less than 10. If the values are too small, LAN users will be unable to access the Internet, or unable to access it normally.
  • Page 107: Chapter 11. Firewall

    Chapter 11 Firewall Chapter 11. Firewall This chapter describes how to configure the device's firewall feature, including security configuration, access control policy, and domain name filtering. 11.1 Attack Prevention This section describes the Firewall -> Attack Prevention interface and its configuration. Internal Attack Prevention Figure 11_1 Attack Prevention - Internal Attack Prevention Enable DDoS attack defense: When enabled, the device will effectively defend against the...
  • Page 108: Access Control

    Chapter 11 Firewall Enable SYN FLOOD defense: When enabled, the device can effectively defend against Intranet SYN FLOOD attacks. Enable ARP spoofing defense: When enabled, the device's LAN port can send ARP broadcast packets at a certain time interval (the default is 100 milliseconds), which can effectively defend against ARP spoofing.
  • Page 109: Access Control Rule

    Chapter 11 Firewall 11.2.1 Access Control Rule Configuring access control policies on the device lets it check each packet flowing through it. By default, the device has no access control policies configured, and it forwards all legitimate packets it receives. If access control policies are configured, then when the device receives a packet it extracts the source MAC address, source address, destination address, upper-layer protocol, port number or packet content for analysis, compares them against the policy table in order from top to bottom, finds the first matching policy, and implements the...
  • Page 110: Access Control List

    Chapter 11 Firewall domain name. When the filter type is DNS filtering, the filtering conditions available for setting include: source address, filtering content (refers to the domain names to be filtered), action, effective time period. Tip: DNS filtering is implemented through Port 53, while URL filtering is implemented through Port 80.
  • Page 111: Access Control Settings

    Chapter 11 Firewall Move to: This button allows you to sort the instances accordingly. Tip: The user-defined access control policies are matched from top to bottom according to the order in the list. 11.2.3 Access Control Settings An access control policy controls the packets flowing through the device. Click <Add new entry>...
  • Page 112 Chapter 11 Firewall Figure 11_4 Access Control Settings - IP address filtering Policy name: The name of the custom access control policy. Enable this configuration: Enables this access control policy. Selecting it means to enable this policy, while deselecting it means to disable it. Source address: The Intranet users controlled by the access control policy.
  • Page 113 Chapter 11 Firewall all protocols. Appendix C provides a table of commonly used protocol numbers and protocol names. Common services: Provides the common service ports using UDP or TCP. Among them, the option "All" means all ports: Ports 1-65535. After a port number (service) is selected, the system will automatically fill the port number in "Destination starting port"...
  • Page 114 Instance 2: If you enter www.Levelone.com.cn/bbs/, then all web pages beginning with www.Levelone.com.cn/bbs/ will match that policy, thus controlling the LEVELONE's access to BBS page in this site.
  • Page 115 URL filtering cannot control users in using a Web browser to access other services. For example, the URL filtering cannot control the access to ftp://ftp.Levelone.com.cn. In this case, you need to disallow or allow FTP connections by configuring the access control policy of IP filter type.
  • Page 116 Chapter 11 Firewall For the access control policy with the filter type of "Keyword", "Action" has only the option "Disallow". The filtered content should exclude: < > , % ‘ \ “ & ; and the characters except spaces. Access Control Settings -- DNS filtering Figure 11_7 Access Control Settings - DNS filtering "Policy name", "Source address", "Action"...
  • Page 117: Access Control Settings Instance

    Chapter 11 Firewall 11.2.4 Access Control Settings instance This section describes two instances of access control. Instance I Requirements: An enterprise Intranet requires allowing only the users with the IP addresses of 192.168.1.10 - 192.168.1.20 to use WEB services during working hours (Monday to Friday, 9:00-18:00).
  • Page 118 Chapter 11 Firewall Figure 11_9 Access Control Settings - Instance I (Continued Figure 11_8) Instance II Requirements: An enterprise network wants to prohibit the users in 192.168.1.80-192.168.1.100 from visiting the website http://www.bbc.com (IP address is 212.58.246.93) and the website http://www.cnn.com (IP address is 157.166.255.18), but allow all other online services of the group.
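    The matching rule described in 11.2.1 (first match from the top of the list wins, and a packet that matches nothing is forwarded) is worth checking against a concrete rule set before committing it to a production device, because rule order alone decides whether "allow only these hosts" actually denies everyone else. The block below is an added example, not code from the manual or the GBR-4001 firmware: a small evaluator with the page's own rule fields (source/destination address range, protocol, destination port range, effective weekdays and hours) and the two instances above written as rule lists. The field names, the `Policy` class, and the reading of Instance I as "one allow row for the staff range followed by a deny row for TCP 80 from everyone" are this example's own choices; 203.0.113.5 is a documentation address used as a placeholder web server.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


def _ip_in_range(ip, start, end):
    """True when `ip` lies inside the inclusive IPv4 range start..end."""
    n = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(start)) <= n <= int(ipaddress.ip_address(end))


@dataclass(frozen=True)
class Policy:
    """One row of the access control list (field names are this example's own)."""
    name: str
    action: str                       # "allow" or "deny"
    src_start: str
    src_end: str
    dst_start: str = "0.0.0.0"
    dst_end: str = "255.255.255.255"
    protocol: str = "all"             # "tcp", "udp", "icmp" or "all"
    dport_start: int = 1
    dport_end: int = 65535
    weekdays: frozenset = frozenset(range(7))   # 0 = Monday ... 6 = Sunday
    hour_start: int = 0               # effective hours are [hour_start, hour_end)
    hour_end: int = 24
    enabled: bool = True

    def matches(self, pkt, when):
        if not self.enabled:
            return False
        if not _ip_in_range(pkt["src"], self.src_start, self.src_end):
            return False
        if not _ip_in_range(pkt["dst"], self.dst_start, self.dst_end):
            return False
        if self.protocol != "all" and pkt["proto"] != self.protocol:
            return False
        if self.protocol in ("tcp", "udp") and not (
            self.dport_start <= pkt.get("dport", 0) <= self.dport_end
        ):
            return False
        if when.weekday() not in self.weekdays:
            return False
        return self.hour_start <= when.hour < self.hour_end


def evaluate(policies, pkt, when):
    """First matching policy, top to bottom, decides; no match means forwarded."""
    for pol in policies:
        if pol.matches(pkt, when):
            return pol.action, pol.name
    return "allow", None


WORKING_HOURS = dict(weekdays=frozenset(range(5)), hour_start=9, hour_end=18)

# Instance I: only 192.168.1.10-20 may use WEB (TCP 80) during working hours.
# The second row is this example's way of denying everyone else; without it
# the default "forward everything" would let all other hosts through.
INSTANCE_I = [
    Policy("web-allow-staff", "allow", "192.168.1.10", "192.168.1.20",
           protocol="tcp", dport_start=80, dport_end=80, **WORKING_HOURS),
    Policy("web-deny-others", "deny", "0.0.0.0", "255.255.255.255",
           protocol="tcp", dport_start=80, dport_end=80),
]

# Instance II: 192.168.1.80-100 may not reach the two listed web server addresses.
INSTANCE_II = [
    Policy("deny-bbc", "deny", "192.168.1.80", "192.168.1.100",
           dst_start="212.58.246.93", dst_end="212.58.246.93"),
    Policy("deny-cnn", "deny", "192.168.1.80", "192.168.1.100",
           dst_start="157.166.255.18", dst_end="157.166.255.18"),
]

# Constructed test instants: 2012-12-03 is a Monday, 2012-12-02 a Sunday.
MONDAY_10 = datetime(2012, 12, 3, 10, 0)
MONDAY_20 = datetime(2012, 12, 3, 20, 0)
SUNDAY_10 = datetime(2012, 12, 2, 10, 0)


def web_packet(src, dst="203.0.113.5", dport=80):
    """Constructed TCP packet summary (203.0.113.5 is a documentation address)."""
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport}


if __name__ == "__main__":
    for src in ("192.168.1.15", "192.168.1.50"):
        print(src, evaluate(INSTANCE_I, web_packet(src), MONDAY_10))
    print(evaluate(INSTANCE_II, web_packet("192.168.1.90", dst="212.58.246.93"), MONDAY_10))
```

    Swapping the two rows of INSTANCE_I is the classic mistake: the deny row then matches the staff range first and nobody can use WEB, which the "Move to" button in 11.2.2 exists to correct.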
  • Page 119 Chapter 11 Firewall Figure 11_10 Access Control Settings –Instance II Figure 11_11 Access Control Settings – Instance I (Continued Figure 11_10)...
  • Page 120: Domain Filtering

    Chapter 11 Firewall 11.3 Domain filtering This section describes the domain name filtering feature of the Firewall -> Domain filtering page, including the steps for configuring domain name filtering and the points to note during configuration. 11.3.1 Domain filtering Settings Figure 11_12 Domain filtering page Steps of configuring domain name filtering: Check "Enable domain name filtering".
  • Page 121: Domain Block Notification

    Chapter 11 Firewall Select the time period for the domain name filtering to take effect. In the text box corresponding to "Domain name", enter the appropriate domain name, and click the < Add new entry > button. The corresponding domain name will appear in the "Domain name list".
  • Page 122 Chapter 11 Firewall Figure 11_13 Domain Block Notification page Enable domain name filtering notification feature: Checking it means to enable this feature. After this feature is enabled, the device will send a notice to the user when Intranet users access a prohibited domain name, and after the set time it will redirect the user to a specified web site.
  • Page 123: Mac Address Filtering

    Chapter 11 Firewall Figure 11_14 Domain Block Notification page 11.4 MAC Address Filtering This section describes the MAC address filtering function of the Firewall -> MAC address filtering page, including: The steps of MAC address filtering and the points for attention to the process of MAC address filter configuration.
  • Page 124: Mac Address Filtering

    Chapter 11 Firewall 11.4.1 MAC Address Filtering Figure 11_15 MAC Address Filtering List Enable MAC address filtering: Checks to enable the MAC address filtering function. Filtering rules: Users can choose "Allow only the MAC addresses in the list to access the network"...
  • Page 125: Mac Address Filtering Settings

    Chapter 11 Firewall 11.4.2 MAC Address Filtering Settings Enter the MAC address filtering information list, click "Add new entry", to enter the MAC address filtering configuration page, as shown in the figure below. Figure 11_16 MAC Address Filtering Settings User name: Displays the user name of the configured MAC address filtering. MAC address: Configures the MAC address to be filtered.
  • Page 126 Chapter 11 Firewall Text box: Sets the corresponding MAC address information in the text box. The input format is "MAC + user name". MAC address: The user's MAC address (which can be obtained using the ipconfig /all command in the command prompt (DOS window) on Windows platforms). ...
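    Both batch-import formats on this page and in 8.3.6 ("MAC + user name" for MAC address filtering, "Account + password" for PPPoE accounts) are one whitespace-separated row per entry, and a typo in a MAC address or a duplicated PPPoE user name (the manual says user names must not repeat) is easy to miss in a file of hundreds of rows. The following is an added example, not code from the manual or the GBR-4001 firmware: a validator that parses both formats, normalises MAC addresses to one spelling, and reports every bad row instead of silently dropping it. The 31-character limit is the manual's PPPoE user name range; the sample files are constructed, apart from the manual's own "test 123456" row; the function names are this example's own.

```python
import re

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff (the form ipconfig /all prints).
_MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                     r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)

MAX_NAME_LEN = 31   # user name length limit the manual gives for PPPoE accounts


def normalize_mac(text):
    """Return the MAC as lower-case colon-separated hex, or None if invalid."""
    m = _MAC_RE.match(text.strip())
    return None if m is None else ":".join(g.lower() for g in m.groups())


def _rows(text):
    """Yield (line number, whitespace-separated fields) for non-empty lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split()


def parse_pppoe_import(text):
    """'Account + password' rows -> ([(account, password)], [error messages])."""
    accounts, errors, seen = [], [], set()
    for lineno, fields in _rows(text):
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected 'account password', got {len(fields)} fields")
            continue
        account, password = fields
        if len(account) > MAX_NAME_LEN:
            errors.append(f"line {lineno}: account longer than {MAX_NAME_LEN} characters")
            continue
        if account in seen:
            errors.append(f"line {lineno}: duplicate account {account!r}")
            continue
        seen.add(account)
        accounts.append((account, password))
    return accounts, errors


def parse_mac_import(text):
    """'MAC + user name' rows -> ([(mac, user name)], [error messages])."""
    entries, errors, seen = [], [], set()
    for lineno, fields in _rows(text):
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected 'MAC username', got {len(fields)} fields")
            continue
        mac = normalize_mac(fields[0])
        if mac is None:
            errors.append(f"line {lineno}: {fields[0]!r} is not a valid MAC address")
            continue
        if mac in seen:   # same hardware address spelled two ways is still a duplicate
            errors.append(f"line {lineno}: duplicate MAC address {mac}")
            continue
        seen.add(mac)
        entries.append((mac, fields[1]))
    return entries, errors


# Constructed sample imports; "test 123456" is the manual's own example row.
PPPOE_SAMPLE = """\
test 123456
test1 password1
test1 another-password
onlyonefield
"""

MAC_SAMPLE = """\
00-11-22-33-44-55 alice
00:11:22:33:44:66 bob
zz:11:22:33:44:77 carol
00:11:22:33:44:55 dave
"""

if __name__ == "__main__":
    print(parse_pppoe_import(PPPOE_SAMPLE))
    print(parse_mac_import(MAC_SAMPLE))
```

    Running the file through this before uploading means the device receives only rows that will bind as intended; a rejected row is reported with its line number so it can be fixed in the source file rather than in the device list afterwards.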
  • Page 127: Chapter 12. Vpn

    Chapter 12 VPN Chapter 12. VPN (Virtual Private Network): VPN refers to the technology for establishing a dedicated data communication network in the public network (such as Internet) based on ISP (Internet Service Provider) and NSP (Network Service Provider). 12.1 PPTP 12.1.1 PPTP overview PPTP (Point-to-Point Tunneling Protocol): PPTP is a virtual private networking protocol,...
  • Page 128: Pptp List

    Chapter 12 VPN Figure 12_1 PPTP typical application (PPTP tunnel between the PPTP server and a mobile user) 12.1.2 PPTP list Enter the VPN ->PPTP page to view the information related to the PPTP tunnel, such as user name, business type, remote Intranet IP address, session state, time of connection established. Figure 12_2 PPTP list Tip: The operation of the "Establish"...
  • Page 129: Pptp Server Configuration

    Chapter 12 VPN NAT, and after the PPTP configuration is complete, the system will automatically generate a static NAT mapping to TCP 1723 port (which can be viewed in the "Static mapping information list" of Advanced Configuration->NAT static mapping and DMZ, named as "PPTP").
  • Page 130: Account Settings

    Chapter 12 VPN Number of address pool addresses: Sets the total number of the addresses in the address pool. Server IP address: The virtual interface IP address of the tunnel server. This address is not included in the address pool. Please confirm that the address and the address pool that is configured are located on the same network segment.
  • Page 131: Pptp Client Settings

    Chapter 12 VPN single PC, to implement the communications between the PPTP tunnel remote PC and the local LAN. User name: The user name used when the custom client is dialing. Password: The password used when the custom client is dialing. Fixed IP address: Sets up the IP address assigned by the PPTP server to the client, and the address must be in the PPTP server address pool.
  • Page 132 Chapter 12 VPN Enable the configuration: Check it to enable this configuration. Enable NAT: After NAT is enabled, the PPTP client performs NAT on the PPTP tunnel, that is, it translates LAN IP addresses to the IP address assigned by the peer PPTP server, so that LAN users connect to the LAN at the opposite end of the tunnel using the IP address assigned by the PPTP server, and the device at the opposite end of the tunnel need not set a local route.
  • Page 133: Pptp Configuration Instance

    Chapter 12 VPN 12.1.5 PPTP configuration instance Figure 12_6 PPTP instance topology In this scenario, a company is based in Shanghai. It has a branch office in Beijing, and wants the LANs in the two places to be able to access each other's internal resources. The company also has mobile users who travel on business and work remotely, and who need remote access to the company's internal LAN resources.
  • Page 134 Chapter 12 VPN Configure Shanghai VPN gateway Figure 12_7 PPTP server Settings Create an account for the Beijing Branch, user type: LAN to LAN. User name: Test2. Password: 123456. Password authentication mode: MS-CHAPV2. Remote Intranet network addresses: 192.168.16.1. Remote Intranet subnet mask: 255.255.255.0. Figure 12_8 PPTP server Settings - LAN to LAN Create an account for mobile users, user types: Mobile users.
  • Page 135 Chapter 12 VPN Figure 12_9 PPTP server Settings - Mobile users Configure Beijing PPTP Client Figure 12_10 PPTP client Settings PPTP clients are configured as shown in the above figure, user name: test1. Password: 123456. Password authentication mode: MS-CHAPV2. Remote Intranet network addresses: 192.168.1.1. Remote subnet mask: 255.255.255.0, tunnel server address: 200.200.202.126.
  • Page 136 Chapter 12 VPN The first step is to create a PPTP dial-up connection: Enter the Windows XP ->"Start"-> "Settings" -> "Control Panel", and select "Switch to category view". Select "Network and Internet connections". Select "Set up a network connection to your work location". Select "Virtual private network connection (V)", and click "Next".
  • Page 137 Chapter 12 VPN Enter the corresponding pages respectively, to view the PPTP instance connection information. As shown in the figure below, you can view the user name, service type, session status, using time, remote Intranet IP address/mask and other information of the PPTP instances. Figure 12_11 PPTP List 1 Figure 12_12 PPTP List 2...
  • Page 138: Ipsec

    Chapter 12 VPN Figure 12_13 PPTP Client Info List 1 Figure 12_14 PPTP Client Info List 2 12.2 IPSec 12.2.1 IPSec Overview With the development of security standards and network protocols, various VPN technologies...
  • Page 139: Abbreviations And Terminology

    Chapter 12 VPN emerge, but IPSec VPN is currently one of the most widely used VPN security technologies. IPSec is a set of open standards and protocols for creating and maintaining secure communication over IP networks; it provides two security mechanisms: encryption and authentication. The encryption mechanism ensures the confidentiality of data, while the authentication mechanism ensures that data comes from the original sender and has not been destroyed or tampered with during transmission.
  • Page 140 Chapter 12 VPN generated hash (as the input fingerprint) is used to validate the authenticity and integrity of the contents and sources. SHA-1 (Secure Hash Algorithm 1): The algorithm for generating a 160-bit hash from information of any length and the 20-byte key. It is generally considered more secure than MD5 because it generates a larger hash.
  • Page 141 Chapter 12 VPN communication, namely establish a security association SA. SA consists of a pair of specified security parameter indexes (SPI), the destination IP address and the used security protocol. Through SA, the IPSec tunnel provides the following security features: Confidentiality (through encryption) ...
  • Page 142 Chapter 12 VPN The first exchange (Messages 1 and 2): Proposes and accepts encryption and authentication algorithms. The second exchange (Messages 3 and 4): Performs the Diffie-Hellman exchange; both the initiator and the responder provide a nonce (a randomly generated number). The third exchange (Messages 5 and 6): Sends and verifies their identities.
  • Page 143 Chapter 12 VPN When both communicating parties have established an authenticated secure channel, the second phase proceeds; in this phase, the IPSec SA is negotiated to protect the user data transmitted through the IPSec tunnel. As in the first phase, both parties exchange proposals to determine the security parameters used in the SA.
  • Page 144 Chapter 12 VPN In the WEB UI mode, you can enable the DPD function by selecting the "DPD" option, and determine the test cycle by configuring "heartbeat" in the "Advanced options" of VPN configuration->IPSec. 12.2.1.3 IPSec NAT traversal Due to historical reasons, one of the problems in deploying an IPSec VPN network in the NAT mode lies in the impossibility to locate the IPSec peers after network address translation (NAT).
  • Page 145: Ipsec List

    Chapter 12 VPN 12.2.2 IPSec list Enter the VPN configuration->IPSec page to view the information about associated IPSec tunnels, such as SA status, remote gateway address, remote Intranet address, locally bound interfaces, etc. Figure 12_15 IPSec list Tip: If the IPSec connection mode is "The other party dynamically connects to the local", the "Establish"...
  • Page 146: Gateway To Gateway

    Chapter 12 VPN 12.2.3.1 Gateway to gateway Figure 12_16 Gateway to gateway Connection mode: Here, gateway to gateway is selected. Remote end Gateway address (domain name): The address (or domain name) of the remote gateway of the IPSec tunnel. When a domain name is set, a DNS server needs to be configured on the device, and the device will then periodically resolve the domain name.
  • Page 147 Chapter 12 VPN Intranet mask: Subnet mask of locally protected Intranet. Security options: Pre-shared key: Pre-shared key used by negotiation, with the maximum of 128 characters. Encryption and authentication algorithm 1: The preferred encryption and authentication algorithm that can be used for negotiation in the second phase. Figure 12_17 IPSec Advanced options -- Main mode First phase Negotiation mode: Sets the negotiation mode in the first phase, with the options: main mode...
  • Page 148 Chapter 12 VPN Encryption and authentication algorithm (1-4): Sets the encryption and authentication algorithms used for negotiation in the first phase. You can select four groups, each of which is a combination of an encryption algorithm, an authentication algorithm and a DH group.
  • Page 149 Chapter 12 VPN 12.2.3.2 Dynamic connection to the gateway Figure 12_18 Dynamic connection to the gateway The parameters already described for "gateway to gateway" connections are not described again one by one. Connection mode: Here, dynamic connection to the gateway is selected. In this case, this device can only act as the initiator when establishing an IPSec tunnel, and both ends of the IPSec tunnel must select aggressive mode for the IKE negotiation in the first phase.
  • Page 150 Chapter 12 VPN "Domain name" and "IP address". 12.2.3.3 Other party dynamically connects to local machine Figure 12_19 Other party dynamically connects to local machine The parameters for the other party dynamically connecting to the local machine have been described in the previous two sections, so they are not repeated here.
  • Page 151: Ipsec Configuration Instance

    Chapter 12 VPN 12.2.4 IPSec configuration instance 12.2.4.1 Gateway to gateway Figure 12_20 Gateway to gateway topology (Shanghai gateway: LAN 192.168.1.1/24, WAN 200.200.202.126/24; Beijing gateway: LAN 192.168.16.1/24, WAN 200.200.202.127/24; IPSec tunnel across the Internet between the two UTT VPN gateways) Requirements: In this scenario, a company is based in Shanghai. It has a branch office in Beijing, and hopes to achieve mutual access to the internal resources of the LANs in the two places.
  • Page 152 Chapter 12 VPN Figure 12_21 Gateway to gateway configuration 1 Remote gateway address is set as the WAN IP address of Beijing gateway, 200.200.202.127, and remote Intranet address is the LAN IP address of Beijing gateway, 192.168.1.1, which is locally bound at WAN1 port.
  • Page 153 Chapter 12 VPN Figure 12_22 Gateway to gateway configuration 2 Remote gateway address is set as the WAN IP address of Shanghai gateway, 200.200.202.126, and remote Intranet address is the LAN IP address of Shanghai gateway, 192.168.1.1, which is locally bound at WAN1 port.
  • Page 154 Chapter 12 VPN Figure 12_23 IPSec connection status - Shanghai gateway Figure 12_24 IPSec connection status - Beijing gateway...
  • Page 155 Chapter 12 VPN 12.2.4.2 Dynamic on one party Figure 12_25 "Dynamic on one party" topology (Shanghai gateway: LAN 192.168.1.1/24, WAN 200.200.202.126/24; Beijing gateway: LAN 192.168.16.1/24, WAN address dynamically obtained; IPSec tunnel across the Internet between the two UTT VPN gateways) Requirements: In this scenario, a company is based in Shanghai. It has a branch office in Beijing, and hopes to achieve mutual access to the internal resources of the LANs in the two places.
  • Page 156 Chapter 12 VPN Figure 12_26 Dynamic on one party - The other party dynamically connects to local machine Set the connection mode to the other party dynamically connecting to the local machine, and Beijing gateway dynamically connecting to Shanghai gateway. Meanwhile, set the Beijing gateway information, such as Intranet addresses, identity ID.
  • Page 157 Chapter 12 VPN Figure 12_27 Dynamic on one party - Dynamically connects to the gateway Sets the connection mode of Beijing gateway to a dynamic connection to the gateway. Meanwhile, sets up Shanghai gateway - related information, such as gateway address, Intranet address, identity ID.
  • Page 158 Chapter 12 VPN Figure 12_28 IPSec connection status -- Other party connects to local host dynamically Figure 12_29 IPSec connection status -- Connect to local host dynamically...
  • Page 159: Chapter 13. System

    Chapter 13 System Chapter 13. System In the System Management main menu, you can enter the Administrator configuration, Language selection, clock management, configuration management, software upgrade, remote management and scheduled task pages. This chapter mainly describes how to change the administrator user name and password, how to set the device clock, and how to back up and import configuration files.
  • Page 160: Language

    Chapter 13 System User name: Customizes the user name of the administrator who logs in to the WEB interface. Password, confirm password: Customizes the password of the administrator who logs in to the WEB interface. Modifying the administrator's factory user name and password For security reasons, we strongly recommend changing the initial administrator user name and password, and keeping them with care.
  • Page 161 Chapter 13 System Figure 13-4 Time Current system time: Displays the current date and time information of the device (unit: Y-M-D, H:M:S). Time zone selection: Selects the international time zone in which the device resides. Only choosing a correct time zone can the network time synchronization function work properly. Manual time setting: Manually enters the current date and time (unit: Y-M-D, H:M:S).
  • Page 162: Configuration

    Chapter 13 System 13.4 Configuration This section describes the configuration methods of System -> Configuration. In this page, you can back up the current configuration files to a local PC, import the new configuration file to the device and restore the factory settings of the device. Figure 13-5 Configuration management Back up configuration files Click the <Save>...
  • Page 163: Firmware Upgrade

    Upgrading steps: Step 1: Download the latest version of software Click on the hyperlink "Download the latest version" and go to the official site of LEVELONE to download the latest version of the software to your local PC. Tip: Please select the most appropriate type of the latest software.
  • Page 164: Remote Management

    Chapter 13 System or select the new software on the local PC by clicking < Browse ... >. Step 3: Update device software After selecting the software, click on the <Upgrade> button to update the device software. Tip: It is strongly recommended to upgrade when the device load is low (fewer users). Upgrading the device software on a regular basis enables the device to gain more functions or to perform better.
  • Page 165: Scheduled Task

    If "WAN1" uses PPPoE dial-up, its IP address is dynamic, and you can configure the DDNS function under Network parameters -> DDNS configuration. For security reasons, do not enable the remote management function unless absolutely necessary. Enable it when a LEVELONE customer service engineer needs it for support, and disable it again once the support session is over. 13.7 Scheduled task This section describes the System management->...
  • Page 166 Figure 13-9 Scheduled task list 2 Description of scheduled task parameters Figure 13-10 Scheduled Task Settings Task name: Name of the custom task. Startup type: The repeat cycle of the task; the options are per week, per day, per hour, per minute.
  • Page 167: Chapter 14. System

    Chapter 14. System In System status, you can view the running state of the device, its system information and its log history. 14.1 Interface Status The running status page described in this section is the same as 5.2 Interface status, so it is not detailed again here.
  • Page 168: System Log

    System uptime: Displays the time elapsed since the device was last started. CPU utilization: Shows the current CPU utilization as a percentage. Memory usage: Shows the current memory usage as a percentage. Serial number: Shows the internal serial number of the product (which may differ from the serial number printed on the case).
  • Page 169 Figure 14-2 System information The common log messages displayed by the device are as follows (columns: Log content, Details, Meaning): DHCP:IP arp:[IP address] | Meaning: DHCP address conflict. When the DHCP server is about to assign this IP address to a user, it discovers that the address is already in use on the intranet; the system then assigns the user a different IP address.
  • Page 170: Log Management Settings

    notice Give notice to user: [IP address] | Meaning: pushes a notification message to that IP address. Figure 14-1 Log information 14.3.2 Log Management Settings Figure 14-3 Log Management Settings Enable DHCP logging: Check to enable DHCP logging, which records DHCP server address conflicts, address assignments and other DHCP messages.
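    As an added example (not part of the manual or of the device firmware), the following Python script parses the two log message types described above and flags addresses that produce repeated DHCP conflicts. Only the message bodies "DHCP:IP arp:[IP address]" and "Give notice to user: [IP address]" come from the manual; the leading timestamp layout and the sample log lines are constructed here and should be adjusted to match a real log export.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The message bodies "DHCP:IP arp:[IP address]" and "Give notice to user: [IP address]"
# are the two log types the manual describes. The leading timestamp and the
# exact spacing are ASSUMED here; adjust the prefix to match real exports.
_TIMESTAMP = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
_IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"

DHCP_CONFLICT_RE = re.compile(rf"^{_TIMESTAMP}\s+DHCP:IP arp:\s*{_IPV4}\s*$")
NOTICE_RE = re.compile(rf"^{_TIMESTAMP}\s+notice\s+Give notice to user:\s*{_IPV4}\s*$")


@dataclass
class LogEvent:
    timestamp: str           # empty for lines that could not be classified
    kind: str                # "dhcp_conflict", "notice" or "unknown"
    ip: Optional[str]        # address named in the message, if any
    raw: str                 # the original line, kept for triage


def parse_line(line: str) -> LogEvent:
    """Classify one log line into one of the two known message types."""
    line = line.rstrip("\r\n")
    m = DHCP_CONFLICT_RE.match(line)
    if m:
        return LogEvent(m["ts"], "dhcp_conflict", m["ip"], line)
    m = NOTICE_RE.match(line)
    if m:
        return LogEvent(m["ts"], "notice", m["ip"], line)
    # Unknown formats are kept rather than dropped so nothing is silently lost.
    return LogEvent("", "unknown", None, line)


def parse_log(lines: Iterable[str]) -> List[LogEvent]:
    """Parse every non-empty line; blank lines are skipped."""
    return [parse_line(line) for line in lines if line.strip()]


def conflict_report(events: Iterable[LogEvent], threshold: int = 2) -> Dict[str, int]:
    """Return {ip: conflict_count} for addresses with at least `threshold` conflicts.

    A single conflict can be a stale lease. The same address conflicting
    repeatedly means some host holds it statically inside the DHCP pool, or a
    device is answering ARP for addresses it was never assigned. Either way
    the address should be located on the LAN (for example via the DHCP client
    list) and either excluded from the pool or bound to the legitimate host.
    """
    counts = Counter(e.ip for e in events if e.kind == "dhcp_conflict" and e.ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log for demonstration, not a capture from a real device.
SAMPLE_LOG = """\
2024-03-01 08:00:01 DHCP:IP arp:192.168.1.50
2024-03-01 08:00:05 notice Give notice to user: 192.168.1.20
2024-03-01 08:02:11 DHCP:IP arp:192.168.1.50
2024-03-01 08:03:40 DHCP:IP arp:192.168.1.77
2024-03-01 08:04:00 some other message type not modelled here
"""

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG.splitlines())
    for e in evts:
        print(f"{e.kind:14s} {e.ip or '-':16s} {e.raw}")
    print("repeated DHCP conflicts:", conflict_report(evts))
```

    Running the script against the constructed sample reports 192.168.1.50 as a repeated conflict while the single conflict on 192.168.1.77 stays below the default threshold; unknown message types are kept as "unknown" events rather than discarded, so a new firmware log format shows up as a gap in classification instead of vanishing.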
  • Page 171: Chapter 15. Customer Service

    On the Customer service page, you can link directly to LEVELONECare, Product discussion, Knowledge base, Appointment service and other sections of the LEVELONE official website, so that you can learn about the LEVELONE service system quickly and make use of its support services.
  • Page 172: Appendix A Configuration Of Lan Computers

    Appendix A Configuration of LAN computers This appendix describes how to configure the TCP/IP properties of a computer running Windows XP. Step I Check network IP status Click "Start" > "Control Panel". Double-click the "Network Connections" icon, right-click "Local Area Connection" and select "Properties".
  • Page 173 in the "Local Area Connection Properties" dialog and click the "Install..." button to install TCP/IP. After adding TCP/IP, you need to restart the computer for the new network settings to take effect. Step II Configure TCP/IP properties The following describes how to configure TCP/IP properties in two cases: setting the IP address manually, and obtaining it from a DHCP server.
  • Page 174 Figure A-2 TCP/IP properties IP address configuration window Method II Obtaining an IP address from the DHCP server Before using this method, make sure the DHCP Server function is enabled under Network parameters -> DHCP server on the device. Click "Start"...
  • Page 175: Appendix B FAQ

    Appendix B FAQ B-1. How do ADSL users go online? First, set the ADSL modem to bridge mode (RFC 1483 bridge mode). Confirm that the PPPoE line is a standard dial-up type (you can test it with the PPPoE dial-up software that comes with the computer's operating system). Connect the ADSL modem to the WAN port of the device with a network cable, and connect the telephone cord to the Line port of the ADSL modem.
  • Page 176: B-2. How Do Fixed-IP Users Go Online

    Figure B-2 PPPoE dial-up configuration Configure the LAN computer as described in Appendix A of this manual. B-2. How do fixed-IP users go online? Confirm that the line is working (this can be tested with a PC). Connect the WAN port of the device to the ISP's network device with a network cable.
  • Page 177: B-4. How To Restore The Device To Its Factory Settings

    Connect the WAN port of the device to the ISP's network device with a network cable. On the Network parameters -> WAN configuration page, configure the parameters of the dynamic IP access line. Tip: Some dynamic IP services (for example, cable modem lines) bind the line to the MAC address of the network device originally connected to it (such as a PC's network adapter). The router then cannot obtain an IP address. In this case, set the WAN port MAC address of the device to the same value as the MAC address of the original network device.
  • Page 178 management page, then click the "Restore" button in the "Restore factory settings" column; the device restarts and returns to its factory settings. Case II: Forgotten administrator password If you forget the administrator password, you cannot log in to the WEB interface; the only option is to use the Reset button to restore the device's factory settings.
  • Page 179: Appendix B Figure Index

    Appendix B Figure Index Figure 2_1 Front Panel - GBR-4001 ..................4 Figure 2_2 Rear Panel - GBR-4001 ..................4 Figure 2_3 Product rack installation drawing I ..............6 Figure 2_4 Product rack installation drawing II ..............7 Figure 2_5 Establish a connection to LAN and WAN ............7 Figure 3_1 WEB login interface ..................
  • Page 180 Figure 7_3 List of NAT rules information................45 Figure 7_4 Easy IP ......................46 Figure 7_5 One2One ......................46 Figure 7_6 DMZ configuration ................... 47 Figure 7_7 Port Forwarding Settings ................. 48 Figure 7_8 NAT rules Settings——EasyIP ................ 49 Figure 7_9 NAT rule Settings —One2One ................ 50 Figure 7_10 Static Route List.....................
  • Page 181 Figure 9_5 Internet Application Management ..............88 Figure 9_6 Internet Application Management (Continued Figure 9_5) ......88 Figure 9_7 QQ white list ....................89 Figure 9_8 Import QQ Accounts ..................90 Figure 9_10 Trademanager Whitelist ................91 Figure 9_11 Daily Routine Notification ................92 Figure 9_12 Account expiration notification ...............
  • Page 182 Figure 12_15 IPSec list ....................140 Figure 12_16 Gateway to gateway ................141 Figure 12_17 IPSec Advanced options -- Main mode ............. 142 Figure 12_18 Dynamic connection to the gateway ............144 Figure 12_19 Other party dynamically connects to local machine ........145 Figure 12_20 Gateway to gateway topology ..............
  • Page 183: Appendix Clicense Statement / Gpl Code Statement

    Appendix C LICENSE STATEMENT / GPL CODE STATEMENT This product, and the software offered for download here (http://global.level1.com/downloads.php?action=init), include software code developed by third parties, including software code subject to the GNU General Public License Version 2 ("GPLv2") and the GNU Lesser General Public License 2.1 ("LGPLv2.1"). WRITTEN OFFER FOR GPL/LGPL SOURCE CODE We will provide everyone upon request the applicable GPLv2 and LGPLv2.1 source code files via CDROM or similar storage medium for a nominal cost to cover...
  • Page 184: Gnu General Public License

    BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  • Page 185 licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. TERMS CONDITIONS COPYING,...
  • Page 186 users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole.
  • Page 187 components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
  • Page 188 she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries...
  • Page 189: How To Apply These Terms To Your New Programs

    (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  • Page 190 You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.
  • Page 191 http://www.level1.com