Netopia 3341-ENT Firmware User Manual


Enterprise-Series Netopia Firmware Version 8.7

Netopia® Firmware User Guide
3300-ENT Enterprise-Series
Netopia Firmware Version 8.7


Summary of Contents for Netopia 3341-ENT

  • Page 1 Netopia® Firmware User Guide 3300-ENT Enterprise-Series Netopia Firmware Version 8.
  • Page 2 Copyright Copyright© 2006, Netopia, Inc. Netopia, the Netopia logo, Broadband Without Boundaries, and 3-D Reach are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. All other trademarks are the property of their respective owners. All rights reserved.
  • Page 3: Table Of Contents

    Contents Chapter 1 — Introduction...1-1 What’s New in 8.7 ... 1-1 Telnet-based Management... 1-2 Netopia Telnet Menus ... 1-2 Netopia Models ... 1-3 Screen differences ... 1-3 Connecting through a Telnet Session... 1-4 Configuring Telnet software...
  • Page 4 Console Configuration ... 3-35 SNMP (Simple Network Management Protocol)... 3-36 Security ... 3-36 Upgrade Feature Set ... 3-36 Router/Bridge Set... 3-37 IGMP (Internet Group Management Protocol) ... 3-39 Logging ... 3-42 Log event dispositions ... 3-43 Procedure for Default Installation for ICSA firewall certification of Small/Medium Business Category Module (ADSL Routers) ...
  • Page 5 Modifying map lists ... 4-12 Adding Server Lists... 4-15 Modifying server lists ... 4-18 Deleting a server ... 4-20 Binding Map Lists and Server Lists ... 4-22 IP profile parameters... 4-22 IP Parameters (WAN Default Profile) ... 4-24 NAT Associations ... 4-26 IP Passthrough ...
  • Page 6 IP Address Serving ... 7-17 IP Address Pools... 7-20 DHCP NetBIOS Options ... 7-21 More Address Serving Options... 7-23 Configuring the IP Address Server options ... 7-24 DHCP Relay Agent... 7-28 Connection Profiles ... 7-30 Multicast Forwarding... 7-33 Virtual Router Redundancy (VRRP) ... 7-34...
  • Page 7 Additional LANs ... 7-37 Chapter 8 — Line Backup ...8-1 Configuring Backup ... 8-1 Connection Profiles ... 8-2 IP Setup ... 8-7 WAN Configuration ... 8-8 Backup Configuration screen ... 8-9 Using Scheduled Connections with Backup ... 8-12 Backup Default Gateway... 8-14 Backup Configuration screen ...
  • Page 8 viii Firmware User Guide Limited user configuration ... 10-4 Advanced Security Options ... 10-6 RADIUS server authentication ... 10-7 TACACS+ server authentication... 10-8 Warning alerts ... 10-9 User access password ... 10-12 User menu differences... 10-13 Telnet Access ... 10-20 About Filters and Filter Sets...
  • Page 9 Restarting the System ... 11-8 Appendix A — Troubleshooting...A-1 Configuration Problems ... A-1 Network problems... A-2 How to Reset the Router to Factory Defaults... A-3 Power Outages ... A-3 Technical Support ... A-3 How to reach us ... A-4 Index...
  • Page 11: What's New In 8.7

    Chapter 1 Introduction This Firmware User Guide covers the advanced features of the Netopia ENT Enterprise-Series Router family. Your Netopia equipment offers advanced configuration features accessed through the Main Menu of the Telnet configuration screen. This Firmware User Guide documents the advanced features, including advanced testing, security, monitoring, and configuration.
  • Page 12: Telnet-Based Management

    Telnet-based Management Telnet-based management is a fast menu-driven interface for the capabilities built into the Netopia Firmware Version 8.7. Telnet-based management provides access to a wide variety of features that the Router supports. You can customize these features for your individual setup. This chapter describes how to access the Telnet-based management screens.
  • Page 13: Netopia Models

    The Quick View menu displays at a glance current real-time operating information about your Router. See “Quick View Status Overview” on page Netopia Models This Firmware User Guide covers all of the Netopia ENT Enterprise-Series Router models. However some information in this guide will only apply to a specific model. Screen differences Because different Netopia ENT Enterprise-Series models offer many different features and interfaces, the options shown on some screens in this Firmware User Guide may not appear on your own particular model’s...
  • Page 14: Connecting Through A Telnet Session

    • If you connect a Macintosh computer running Classic Mac OS, you can use the NCSA Telnet program supplied on the Netopia CD. You install NCSA Telnet by dragging the application from the CD to your hard disk. Mac OS X users can use the Terminal application that comes with Mac OS X in the Utilities folder.
  • Page 15: Navigating Through The Telnet Screens

    Navigating through the Telnet Screens Use your keyboard to navigate the Netopia Firmware Version 8.7’s configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the Telnet screens. Move through selectable items in a screen or pop-up menu...
  • Page 17: Wan Configuration

    This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s connection profiles configuration. This section covers the following topics: •...
  • Page 18: Wan Ethernet Configuration Screen

    Router will acquire its WAN IP address automatically. By default, the router acts as a DHCP client on the Ethernet WAN port and attempts to acquire an address from a DHCP server.
  • Page 19 • The Wan Ethernet MAC Address is the hardware address of the Netopia device. Some service providers require a specific MAC address as part of their authentication process. In such a case, you can enter the MAC address that your service provider requires.
  • Page 20: Adsl Line Configuration Screen

    For more information on v2 MD5 Authentication, see If you want the Netopia Router to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2 (broadcast), or v2 (multicast) from the popup menu. With Transmit RIP v1 selected, the Netopia Firmware Version 8.7 will generate RIP packets only to other RIP v1 routers.
  • Page 21 (DSLAM) is divided logically into one or more virtual circuits (VCs). A virtual circuit may be either a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). Netopia Routers support PVCs. VCs are identified by a Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI). A VPI is an 8-bit value between 0 and 255, inclusive, while a VCI is a 16-bit value between 0 and 65535, inclusive.
  • Page 22 fields, respectively. • The Peak Cell Rate field is editable. Netopia Firmware Version 8.7 supports three ATM classes of service for data connections: Unspecified Bit Rate (UBR), Constant Bit Rate (CBR), and Variable Bit Rate (VBR). You can configure these classes of service on a per VC basis. The default ATM class of service is UBR.
  • Page 23 Quality of Service (QoS) settings Note: QoS settings are not available on Ethernet-to-Ethernet WAN models. • Select the QoS (Quality of Service) setting from the pop-up menu: UBR, CBR, or VBR. UBR: No configuration is needed for UBR VCs. Leave the default value 0 (maximum line rate). CBR: One parameter is required for CBR VCs.
  • Page 24 VC. It will revert back to dynamic binding if the number of VCs is reduced to one; for example, by deleting previously defined VCs. When the link comes up the router binds the VC dynamically to the first suitable Connection Profile or to the Default Profile if there is no Connection Profile configured.
  • Page 25: Creating A New Connection Profile

    Connection profiles define the networking protocols necessary for the Router to make a remote connection. A connection profile is like an address book entry describing how the Router is to get to a remote site, or how to recognize and authenticate a connection. To create a new connection profile, you navigate to the WAN Configuration screen from the Main Menu, and select Add Connection Profile.
  • Page 26 2-10 Firmware User Guide Multiple Data Link Encapsulation Settings Select Encapsulation Options and press Return. • If you selected ATMP, PPTP, L2TP, or IPSec, see • If you selected PPP or RFC1483, the screen offers different options: Add Connection Profile Profile Name: Profile Enabled: Encapsulation Type...
  • Page 27 Datalink (PPP/MP) Options Data Compression... Send Authentication... Send User Name: Send Password: Receive User Name: Receive Password: • Data Compression defaults to Standard LZS. You can select Ascend LZS, if you are connecting to compatible equipment, or None from the pop-up menu.
  • Page 28 2-12 Firmware User Guide Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Local WAN IP Mask: Filter Set... Remove Filter Set RIP Profile Options... Return/Enter to select <among/between> ... Configure IP requirements for a remote network connection here.
  • Page 29 8.7 will accept information from either RIP v1 or v2 routers. Alternatively, select Receive RIP and select v1, v2, or v2 MD5 Authentication from the popup menu. With Receive RIP set to “v1,” the Netopia Router’s Ethernet port will accept routing information provided by RIP packets from other routers that use the same subnet mask.
  • Page 30 Select COMMIT and press Return. Your new Connection Profile will be added. If you want to view the Connection Profiles in your device, return to the WAN Configuration screen, and select Display/Change Connection Profile. The list of Connection Profiles is displayed in a scrolling pop-up screen.
  • Page 31: Advanced Connection Options

    Configuration Changes Reset WAN Connection The menu supports delaying some configuration changes until after the Netopia Router is restarted. If your Netopia Router is preconfigured by your service provider, or if you are not remotely configuring the router, you can leave this setting unchanged.
  • Page 32: Scheduled Connections

    | Are you sure you want to do this? +----------------------------------------------------+ Toggling from Yes to No makes the router ready to be configured. If you toggle from No to Yes after any configuration changes have been entered (and confirm the reboot), your changes are committed and the router comes up using the newly created configuration.
  • Page 33: Viewing Scheduled Connections

    Navigate from here to add/modify/change/delete Scheduled Connections. Viewing scheduled connections To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table. +-Days----Begin At---HH:MM---When----Conn. Prof. Name----Enabled-----+ +--------------------------------------------------------------------+ | mtWtfss 08:30PM +--------------------------------------------------------------------+ The first column in the table shows a one-letter representation of the Days of the week, from Monday (M or m)
  • Page 34: Adding A Scheduled Connection

    • Whether the scheduled connection is currently Enabled The Router checks the date and time set in scheduled connections against the system date and time. Adding a scheduled connection To add a new scheduled connection, select Add Scheduled Connection in the Scheduled Connections screen and press Return.
  • Page 35: Set Weekly Schedule

    • Demand-Blocked, meaning that this schedule will prevent a demand call on the line. • Periodic, meaning that the connection is retried several times during the scheduled time. • Random Retry, which operates as follows: First, it will wait 0 to 60 seconds before starting, then it will try three times to bring the connection up as quickly as possible;...
  • Page 36 • Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per call. • Retry interval (minutes) becomes visible if you have selected Random Retry. This option allows you to set the upper limit for the number of minutes to use for the retry time (the attempts after the first three attempts).
  • Page 37: Backup Configuration

    You are finished configuring the once-only options. Return to the Add Scheduled Connection screen to continue. • In the Add Scheduled Connection screen, select Use Connection Profile and choose from the list of connection profiles you have already created. A scheduled connection must be associated with a connection profile to be useful.
  • Page 38: Diffserv Options

    Netopia Firmware Version 8.7 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Router to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network. For example, you may want streaming video conferencing to use high quality, but more restrictive, connections, or, you might want e-mail to use less restrictive, but less reliable, connections.
  • Page 39 100(%). This would cause the Router to forward low priority data only after the high priority queue is completely empty. In practice, you should set it to something less than 100%, since the low priority traffic might have to wait too long to be passed, and consequently be subject to time-outs.
  • Page 40 2-24 Firmware User Guide The Diffserv Rule screen appears. Name: Protocol... Priority... Direction... Start Port: End Port: Inside Ip Address: Inside Ip Netmask: Outside Ip Address: Outside Ip Netmask: COMMIT Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. •...
  • Page 41: Priority Queuing (Tos Bit)

    Priority Queuing (TOS bit) Netopia Firmware Version 8.7 offers the ability to prioritize delay-sensitive data over the WAN link on DSL connections. Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network.
  • Page 42: Vrrp Options (Wan Link Failure Detection)

    Beginning with Firmware Version 8.5.1, the firmware offers VRRP Options to detect Layer 3 link failures on the WAN. When you enable this feature, the Netopia Router will continuously Ping one or two hosts that you specify to determine when a link fails, even if the physical connection remains established. If Layer 3 WAN Link Failure Detection is enabled, the Netopia Router will send continuous Pings, so the WAN link will stay up and idle timeout will not occur.
  • Page 43 IP address(es) in standard dotted-quad format of the hosts you want to Ping for connection validation. If no ICMP echo(es) are returned from these hosts, the connection is assumed to be lost, and the Virtual Router will relinquish Master status. •...
  • Page 45: System Configuration Features

    Router’s system configuration. System Configuration Features The Netopia Router’s default settings may be all you need to configure. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, Netopia Firmware Version 8.7 provides many advanced system configuration options.
  • Page 46: Chapter 3 - System Configuration

    IP Address Serving... Network Address Translation (NAT)... Stateful Inspection... VLAN Configuration... Date and Time... Wireless Configuration... Console Configuration SNMP (Simple Network Management Protocol)... Security... Upgrade Feature Set... Router/Bridge Set... IGMP (Internet Group Management Protocol)... Logging... 7-2. 10-1. 7-17. Router 4-1.
  • Page 47: Stateful Inspection

    Stateful Inspection Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. Stateful inspection can be enabled on a Connection Profile whether NAT is enabled or not. You can configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface.
  • Page 48: Add Exposed Address List

    Add Exposed Address List You can specify the IP addresses you want to expose by selecting Add Exposed Address List from the Stateful Inspection menu and pressing Return. UDP no-activity timeout (sec): TCP no-activity timeout (sec): Add Exposed Address List...
  • Page 49 Exposed Address List Name: Add Exposed Address Range... Return/Enter goes to new screen. Select Add Exposed Address Range and press Return. The Exposed Address Range screen appears. First Exposed Address: Last Exposed Address: Protocol... ADD EXPOSED ADDRESS RANGE Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Enter the First and Last Exposed Addresses in dotted-quad format for the range of IP addresses you want to expose, Add Exposed Address List...
  • Page 50 3-6 Firmware User Guide The pop-up Protocol menu offers the type of protocols to be assigned to this range. First Exposed Address: Last Exposed Address: Protocol... ADD EXPOSED ADDRESS RANGE First Exposed Address: Last Exposed Address: Protocol... Port Start: Port End: ADD EXPOSED ADDRESS RANGE Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  • Page 51 You can edit or delete exposed address lists by selecting Show/Change Exposed Address List or Delete Exposed Address List. A list of previously configured exposed addresses appears. This allows you to select an exposed address list for editing or deletion. +------Exposed Address Range---------Protocol-------------------+ +---------------------------------------------------------------+ | 192.168.1.10...
  • Page 52: Exposed Address Associations

    3-8 Firmware User Guide Exposed Address Associations Enable and configure stateful inspection on a WAN interface. Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Local WAN IP Mask: Filter Set...
  • Page 53 The acceptable range is 0 – 65535. A value of 0 (zero) disables this check. • Enable default mapping to router: This is disabled by default. Toggling this option to Yes will allow the router to respond to traffic received on this interface, for example, ICMP Echo requests.
  • Page 54: Open Ports In Default Stateful Inspection Installation

    Open ports in default Stateful Inspection installation Port Protocol 1701 1900 1723 Stateful Inspection Parameters +Exposed Address List N+ +----------------------+ | <<None>> +----------------------+ Description Private Interface telnet Bootps Bootpc HTTP Netbios-ns Netbios-dgm SNMP ISAKMP Router L2TP UPnP PPTP Public Interface...
  • Page 55: Vlan Configuration

    A Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. You set up VLANs by configuring the Router software rather than hardware. This makes VLANs very flexible. VLANs behave like separate and independent networks.
  • Page 56 Configure a new VLAN and its associated ports. You can create up to 8 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Router. • VLAN ID – This must be a unique identifying number between 0 (beginning with Firmware Version 8.7) and 4094.
  • Page 57: Adding A Radius Profile

    802.1x – This option is only available for Router models with VGx technology. Otherwise, it does not appear. If you are configuring a VLAN for a Netopia Router model with VGx technology (wired or wireless), you can specify a RADIUS server for user authentication by toggling 802.1x to Yes. The default is No.
  • Page 58 Caution! If you enable 802.1x for a VLAN that includes a wireless SSID, you must access the Wireless LAN Configuration menu and set Enable Privacy to WPA-802.1x as well. See • have the VLANs set to 802.1x disabled and Wireless Privacy set to some other privacy setting. In that case Wireless Privacy can be any setting.
  • Page 59 The Add Server Profile screen appears. Profile Name: Remote Server Addr/Name: Remote Server Secret: Alt Remote Server Addr/Name: Alt Remote Server Secret: RADIUS Identifier: RADIUS Server Authentication Port: 1812 ADD PROFILE Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new RADIUS or TACACS profile.
  • Page 60: Adding Port Interfaces

    Once you have created a VLAN entry you must associate it with a port interface. This interface may be either a physical port, such as USB or Ethernet, or a Network ID (SSID) of a wireless LAN. If you have a Netopia Router model that offers Netopia’s VGx technology, you can also associate a VLAN with each of the physical Ethernet...
  • Page 61 The Add Port Interface screen appears. (The Add Port Interface screen varies depending on the types of ports available on your Netopia Router; the example below shows the four Ethernet ports, the primary SSID, and the Ethernet WAN port of a 4-port wireless VGx model.) Port Interface...
  • Page 62: Changing Or Deleting A Vlan

    • TOS-Priority – Use any 802.1p priority bits in the VLAN header to prioritize packets within the Gateway’s internal queues, according to DiffServ priority mapping rules. See more information. • IPTOS-Promote – Write any 802.1p priority bits into the IP-TOS header bit field for received IP packets on this port destined for this VLAN.
  • Page 63 Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. If you are deleting a profile, you will be challenged to be sure that you want to delete the profile that you have selected. +--------------------------------------------------------+--------+ +--------------------------------------------------------+ | Are you sure you want to delete this server profile? CANCEL +--------------------------------------------------------+ If you select CONTINUE, the profile will be deleted.
  • Page 64: Configuring Additional Authentication Servers

    Configuring additional Authentication Servers You can configure additional (or your first) Authentication Server from the main VLAN Configuration screen. Set Up VLAN from this and the following Menus. Select Authentication Server Configuration and press Return. Return/Enter to modify an existing server profile. Set Up Authentication Server Profiles from this and the following Menus.
  • Page 65 The Add Server Profile screen appears. Profile Name: Remote Server Addr/Name: Remote Server Secret: Alt Remote Server Addr/Name: Alt Remote Server Secret: RADIUS Identifier: RADIUS Server Authentication Port: 1812 ADD PROFILE Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new RADIUS or TACACS profile.
  • Page 66: Date And Time

    Toggle this field to Off to manually set the time and date; the options in this screen will change to allow you to manually enter the time and date parameters. Netopia Firmware Version 8.7 updates timestamps reported in the system logs with new timestamps as these are updated via NTP. See “Statistics &...
  • Page 67: Wireless Configuration

    UDP port 123 to be open. Wireless configuration If your Router is a wireless model (such as a 3347NWG) you can enable or disable the wireless LAN by selecting Wireless Configuration. The Wireless LAN Configuration screen appears.
  • Page 68 Router to determine the best channel to broadcast automatically. Three settings are available from the pull-down menu: Off, At Startup, and Continuous. • Off is the default setting; the Netopia Router will use the configured default Channel selected from the previous menu. •...
  • Page 69: Wireless Multimedia (Wmm)

    WEP encryption enabled, and must have the same WEP encryption key as the Netopia Gateway. Once the Netopia Gateway is located by a client computer, by setting the client to a matching SSID, the client can connect immediately if WEP is not enabled. If WEP is enabled then the client must also have WEP enabled and a matching WEP key.
  • Page 70: Enable Privacy

    3-26 Firmware User Guide Enable Wireless: SSID: Block Wireless Bridging: Channel... AutoChannel... Closed System... Wireless Multimedia (WMM)... Enable Privacy... Wireless Multiple SSID Setup... MAC Address Authentication... To enable the Wireless Multimedia custom settings, select diffserv from the pull-down menu. Enable Privacy By default, Enable Privacy is set to Off.
  • Page 71 The Pre Shared Key field becomes visible to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters, but for best security it should be at least 20 characters. Clients wishing to connect must also be configured to use WPA with this same key.
  • Page 72 • WPA Version: If you select either WPA-802.1x or WPA-PSK as your privacy setting, the WPA Version pop-up menu allows you to select the WPA version(s) that will be required for client connections. Choices are: • All, for maximum interoperability, •...
  • Page 73 Enable Wireless: SSID: Block Wireless Bridging: Channel... AutoChannel... Closed System... Enable Privacy... Default Key... Passphrase: Key 1 (40b): 5ad06701b4 Key 2 (40b): 80a6ab7474 Key 3 (40b): 9ea5a25101 Key 4 (40b): 1d8979e024 Wireless Multiple SSID Setup... MAC Address Authentication... You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same length, in the identical slot (1 –...
  • Page 74: Multiple Ssids

    Key +--------+c8e5281016 (Setting one of the key sizes) Default Key (#1 – #4): Specifies which key the Router will use to encrypt transmitted traffic. The default is key #1. Key (#1 – #4): The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits;...
  • Page 75 Enable Multiple SSIDs: Second SSID: Enable Privacy... Third SSID: Enable Privacy... Fourth SSID: Enable Privacy... Configure additional wireless SSID's that clients can associate with. Toggle Enable Multiple SSIDs to Yes, and enter names or other identifiers for up to three additional SSIDs you want to create.
  • Page 76 3-32 Firmware User Guide Enable Multiple SSIDs: Second SSID: Enable Privacy... WPA Version... Key: Third SSID: Enable Privacy... Fourth SSID: Enable Privacy... You can also specify a WPA Version from the pop-up menu in the same way as the primary SSID. Enable Multiple SSIDs: Second SSID: Enable Privacy...
  • Page 77: Mac Address Authentication

    MAC Address Authentication Enhanced in Firmware Version 8.5, MAC Address Authentication allows you to specify which client PCs are allowed to join the LAN by specific hardware address. Once it is enabled, only entered MAC addresses that have been set to Allow will be accepted onto the LAN. Alternatively, you can prevent access by certain client PCs by specifying only those to be denied.
  • Page 78 • Allow only specified addresses - limits access to only those addresses that you enter. • Deny only specified addresses - prevents access from only those addresses that you enter. If you want to apply MAC Authentication to addresses on the wired LAN as well as the wireless LAN, toggle Wireless Only to No.
  • Page 79: Console Configuration

    You can continue to Add, Change, or Delete addresses to the list by selecting the respective menu options. Console Configuration For those models with a console port, if you are communicating with the Netopia Router via a terminal emulator application, you can change the default terminal communications parameters to suit your requirements.
  • Page 80: Snmp (Simple Network Management Protocol)

    You can upgrade your Netopia Router by adding new feature sets through the Upgrade Feature Set utility. See the release notes that came with your Router or feature set upgrade, or visit the Netopia Web site at www.netopia.com for information on new feature sets, how to obtain them, and how to install them on your Router.
  • Page 81: Router/Bridge Set

    Router/Bridge Set For Netopia DSL Routers, this feature allows you to turn off the routing features and use your device as a bridge. It is not an option for Ethernet WAN models. Netopia Firmware Version 8.7 further allows you to choose to have the Router both bridge and route IP traffic.
  • Page 82 Example of Bridge-only mode menus If you decide to return to the previous mode, you can repeat the process. Remember that you will have to reconfigure all your previous settings. Netopia Router WAN Configuration... System Configuration... Utilities & Diagnostics...
  • Page 83: Igmp (Internet Group Management Protocol)

    Other uses include: updating the address books of mobile computer users in the field or sending out company newsletters to a distribution list. Since a router should not be used as a passive forwarding device, Netopia Routers use a protocol for forwarding multicasting: Internet Group Management Protocol (IGMP).
  • Page 84 • IGMP Snooping – toggling this option to On enables the Netopia Router to “listen in” to IGMP traffic. The Router discovers multicast group membership for the purpose of restricting multicast transmissions to only those ports which have requested them. This helps to reduce overall network traffic from streaming media and other bandwidth-intensive IP multicast applications.
  • Page 85 You can configure the following parameters: • Last Member Query Interval (deci-sec) – the amount of time in tenths of a second that the IGMP router waits to receive a response to a Group-Specific Query message. The last member query interval is also the amount of time in seconds between successive Group-Specific Query messages.
  • Page 86: Logging

    Logging You can configure a UNIX-compatible (BSD syslog protocol - RFC 3164) syslog client to report a number of subsets of the events entered in the Router’s WAN Event History. See Select Logging from the System Configuration menu. The Logging Configuration screen appears.
  • Page 87: Log Event Dispositions

    Logging Configuration screen. The following screen shows a sample syslog dump of WAN events: 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534...
  • Page 88 3-44 Firmware User Guide attempt administrative access authenticated and allowed administrative access allowed dropped - violation of security policy dropped - invalid checksum dropped - invalid data length dropped - fragmented packet dropped - cannot fragment 10. dropped - no route found 11.
  • Page 89 The following syslog messages may be generated by the router if WAN Event Log Options are enabled: Device Restarted EN: IP up, WAN 1, gateway: <IP Address> local: <IP Address> Received NTP Date and Time [mon][dd][hh][mm][ss][year] NTP configuration has been changed System Date/Time configuration changed...
  • Page 90 33. PPPOE: PADS Received 34. PPPOE: PADT Received 35. PPPOE: PADT Sent 36. PPPOE: Discovery state started profile [Profile Name] 37. PPPOE: Session state started profile [Profile Name] 38. PPPoE: Auth. Failed with Server: [Server] 39. PPTP: IP up, rem: [IP Address], via: [IP Address] tunnel id: [ID] 40.
  • Page 91 66. IKE: phase 1 auth failure sg [IP Address] profile [Name], sg [IP Address] code [code] 67. IKE: phase 1 resend timeout sg [IP Address] profile [Name], sg [IP Address] 68. IKE: phase 1 complete sg [IP Address] profile [Name], sg [IP Address] 69.
  • Page 92: Procedure For Default Installation For ICSA Firewall Certification Of Small/Medium Business Category Module (ADSL Routers)

    Install via the Console menu Access the Router through the serial interface (if available) or telnet to the product from the private (LAN) side. DHCP server is enabled on LAN by default. See Set up a Connection Profile to configure WAN connectivity: (Follow the Easy Setup instructions in the Quickstart Guide, or create a new Connection Profile.
  • Page 93 If Stateful Inspection Enabled is set to Yes, make sure that Enable default mapping to router under Stateful Inspection Options... is enabled. c. Set Remote IP Address: to a static private IP address on this Router’s network that is available and not being served via DHCP d.
  • Page 94 Set Hostname or IP Address to the Syslog Server c. Facility… can be changed (default to Local 0) d. Set Log Filter Violations to Yes - this will log packets that are dropped by the Router due to violations e. Set Log Accepted Packets to Yes f.
  • Page 95 Select Stateful Inspection Options… a. Under Stateful Inspection Parameters, configure Max. TCP Sequence Number Difference, if desired. b. Set Enable default mapping to router to No c. Deny Fragmented Packets can be set to Yes Escape twice to Change Connection Profile menu, select COMMIT Escape to the Main Menu and go to Utilities and Diagnostics...
  • Page 97: Chapter 4 - Multiple Network Address Translation

    To help you understand some of the concepts discussed here, it may be helpful to introduce some NAT terminology. The term mapping refers to rules that associate one or more private addresses on the Netopia Router’s LAN to one or more public addresses on the Netopia Router’s WAN interface (typically the Internet).
  • Page 98: Features

    IP address to which you would like to provide access. You may also define a specific public IP address to use for this service if you want to use an IP other than the WAN IP address of the Netopia Router.
  • Page 99: Dynamic Mapping

    If a host on the private network initiates a connection to the Internet, for example, the Netopia Router automatically sets up a one-to-one mapping of that host’s private IP address to one of the public IP addresses allocated to be used for Dynamic NAT.
  • Page 100: WAN Network

    For example, if a connection is initiated from the public network and is destined for a public IP address configured on the Netopia Router, the following comparisons are made in this order. The Netopia Router first checks its internal NAT cache to see if the data is part of a previously initiated connection, if not…...
  • Page 101: Supported Traffic

    Support for AOL Instant Messenger (AIM) File Transfer Netopia Firmware Version 8.7 provides Application Level Gateway (ALG) support for AOL Instant Messenger (AIM) file transfer. This allows AIM users to exchange files, even when both users are behind NAT. Previously, the file transfer function would work only if one or neither of the two users were behind NAT.
  • Page 102: Support For Yahoo Messenger

    Configuration, described on • IP profile parameters, described on Easy Setup Profile configuration The screen below is an example. Depending on the type of Router you are using, fields displayed in this screen may vary. Underlying Encapsulation... PPP Mode... PPP Authentication...
  • Page 103: Server Lists And Dynamic NAT Configuration

    An example MultiNAT configuration at the end of this chapter describes some applications for these features. See the MultiNAT Configuration Example on page In order to configure the Router to make servers on your LAN visible to the Internet, you use advanced features in the System Configuration screens, described in System Configuration To access the Network Address translation (NAT) configuration screens, from the Main Menu navigate to...
  • Page 104 VLAN Configuration... Date and Time... Wireless Configuration... Console Configuration SNMP (Simple Network Management Protocol)... Security... Upgrade Feature Set... Router/Bridge Set... IGMP (Internet Group Management Protocol)... Logging... Network Address Translation Add Public Range... Show/Change Public Range... Delete Public Range... Add Map List...
  • Page 105: NAT Rules

    • Static public address ranges must not overlap other static, PAT, public addresses, or the public address assigned to the Router’s WAN interface. • A PAT public address must not overlap any static address ranges. It may be the same as another PAT address or server list address, but the port range must not overlap.
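    The two overlap rules above can be checked before the ranges are entered in the Add Public Range screen. The following Python is an added example, not Netopia code: it covers only static ranges and PAT addresses (server list entries are not modelled), it takes its addresses from the MultiNAT example later in this manual, and the range names, port numbers and the choice of 206.1.1.6 as the WAN interface address are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import combinations


@dataclass(frozen=True)
class PublicRange:
    name: str
    kind: str                 # "static" or "pat"
    first: IPv4Address
    last: IPv4Address
    ports: tuple = (0, 0)     # (first_port, last_port); used for PAT only


def static_range(name, first, last):
    """A static public range, inclusive at both ends."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    if lo > hi:
        raise ValueError(f"{name}: first address is above last address")
    return PublicRange(name, "static", lo, hi)


def pat_address(name, address, first_port, last_port):
    """A single PAT public address with the port range it translates onto."""
    if not 0 < first_port <= last_port <= 65535:
        raise ValueError(f"{name}: bad port range")
    addr = IPv4Address(address)
    return PublicRange(name, "pat", addr, addr, (first_port, last_port))


def _addresses_overlap(a, b):
    return a.first <= b.last and b.first <= a.last


def _ports_overlap(a, b):
    return a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]


def check_public_ranges(ranges, wan_address):
    """Return a list of (rule, name, other) tuples, one per violated rule."""
    wan = IPv4Address(wan_address)
    violations = []

    # Rule 1 (part): a static range must not contain the WAN interface address.
    for r in ranges:
        if r.kind == "static" and r.first <= wan <= r.last:
            violations.append(("static-covers-wan", r.name, str(wan)))

    for a, b in combinations(ranges, 2):
        if not _addresses_overlap(a, b):
            continue
        kinds = {a.kind, b.kind}
        if kinds == {"static"}:
            # Rule 1: static ranges must not overlap each other.
            violations.append(("static-overlaps-static", a.name, b.name))
        elif kinds == {"static", "pat"}:
            # Rules 1 and 2: static and PAT addresses must stay disjoint.
            violations.append(("static-overlaps-pat", a.name, b.name))
        elif _ports_overlap(a, b):
            # Rule 2: two PAT entries may share an address, not a port range.
            violations.append(("pat-port-overlap", a.name, b.name))
    return violations


# Constructed sample data. Addresses follow the manual's MultiNAT example;
# "servers", "second-pat" and all port numbers are hypothetical.
WAN_ADDRESS = "206.1.1.6"

MULTINAT_EXAMPLE = [
    static_range("servers", "206.1.1.1", "206.1.1.5"),
    pat_address("Easy-PAT", "206.1.1.6", 49152, 65535),
]

BROKEN_EXAMPLE = [
    static_range("servers", "206.1.1.1", "206.1.1.6"),   # swallows .6
    pat_address("Easy-PAT", "206.1.1.6", 49152, 65535),
    pat_address("second-pat", "206.1.1.6", 60000, 61000),
]

if __name__ == "__main__":
    for label, cfg in (("example", MULTINAT_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        print(label, check_public_ranges(cfg, WAN_ADDRESS) or "no violations")
```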
  • Page 106 Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range. • Select ADD NAT PUBLIC RANGE and press Return. The range will be added to your list and you will be returned to the Network Address Translation screen.
  • Page 107 First Private Address: Last Private Address: Use NAT Public Range... ADD NAT MAP • Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping. • Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have defined.
  • Page 108: Modifying Map Lists

    • The Add NAT Map screen now displays the range you have assigned. First Private Address: Last Private Address: Use NAT Public Range... Public Range Type is: Public Range Start Address is: ADD NAT MAP • Select ADD NAT MAP and press Return.
  • Page 109 The Show/Change NAT Map List screen appears. Map List Name: Add Map... Show/Change Maps... Delete Map... • Add Map allows you to add a new map to the map list. • Show/Change Maps allows you to modify the individual maps within the list. •...
  • Page 110 The Change NAT Map screen appears. First Private Address: Last Private Address: Use NAT Public Range... Public Range Type is: Public Range Start Address is: Public Range End Address is: CHANGE NAT MAP Make any modifications you need and then select CHANGE NAT MAP and press Return. Your changes will become effective and you will be returned to the Show/Change NAT Map List screen.
  • Page 111: Adding Server Lists

    Adding Server Lists Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list.
  • Page 112 External Service... Server Private IP Address: Public IP Address: Protocol... Internal Port Start: ADD NAT SERVER Return/Enter to select <among/between> ... • Select External Service and press Return. A pop-up menu appears listing a selection of commonly exported services.
  • Page 113 Router. If you want to use static mappings to map internal servers to public addresses, your ISP or corporate site's Router must also be configured for static routes to these public addresses on the Netopia Router. •...
  • Page 114: Modifying Server Lists

    Note: In order to use CUSeeMe through the Netopia Router, you must export the ports 7648 and 7649. In MultiNat, you may use a port range export. Without the export, CUSeeMe will fail to work. This is true unless a static mapping is in place for the host using CUSeeMe.
  • Page 115 Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. The Show/Change NAT Server List screen appears. Server List Name: Add Server... Show/Change Server... Delete Server... • Selecting Show/Change Server or Delete Server displays the same pop-up menu. Network Address Translation +-NAT Server List Name-+ +----------------------+ A| my_servers...
  • Page 116: Deleting A Server

    +Private Address--Public Address---Port------------Protocol------+ +----------------------------------------------------------------+ | 192.168.1.254 | 192.168.1.254 | 192.168.1.254 | 192.168.1.254 | 192.168.1.254 +----------------------------------------------------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Select any server from the list and press Return. The Change NAT Server screen appears. External Service...
  • Page 117 A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice. +Private Address--Public Address---Port------------Protocol------+ +----------------------------------------------------------------+ | 192.168.1.254 | 192.168.+----------------------------------------------+ UDP | 192.168.+----------------------------------------------+ | 192.168.| Are you sure you want to delete this Server? | UDP | 192.168.| +----------------------------------------------+ +----------------------------------------------------------------+...
  • Page 118: Binding Map Lists And Server Lists

    Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile. You do this in one of the following screens: •...
  • Page 119 Address Trans+----------------------+s IP Addressing| Easy-PAT List NAT Map List.| my_map NAT Server Li| <<None>> NAT Options..| Stateful Insp| Local WAN IP | Local WAN IP | Remote IP Add| Remote IP Mas| Filter Set...| Remove Filter| RIP Profile O+----------------------+ Up/Down Arrows to select, then Return/Enter; ESC to cancel. •...
  • Page 120: IP Parameters (WAN Default Profile)

    IP Parameters (WAN Default Profile) The Netopia Firmware Version 8.7 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile. The procedure is similar to the procedure to bind map lists and server lists to a Connection Profile.
  • Page 121 Address Trans| <<None>> NAT Map List.| NAT Server Li| Filter Set (F| Remove Filter| Rip Options: | Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. • Select the map list you want to bind to the default profile and press Return. The map list you selected will now be bound to the default profile.
  • Page 122: NAT Associations

    NAT Associations Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection because map and server lists must be linked to a profile that controls the WAN interface. This can be a Connection Profile, a WAN Ethernet interface, a default profile, or a default answer profile.
  • Page 123 Profile/Interface Name-------------Nat+------------------+Server List Name Easy Setup Profile Profile 01 Profile 02 Profile 03 Profile 04 Default Answer Profile Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. • Select the list name you want to assign and press Return again. Your selection will then be associated with the corresponding profile or interface.
  • Page 124: IP Passthrough

    IP Passthrough Netopia Firmware Version 8.7 offers an IP passthrough feature. The IP passthrough feature allows for a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.
  • Page 125 The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown. Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Local WAN IP Mask: Filter Set...
  • Page 126 If you specify a non-zeroes MAC address, the DHCP Client Identifier must be in the format specified above. Macintosh computers allow the DHCP Client Identifier to be entered as a name or text, however Netopia routers accept only strict (binary/hex) MAC address format. Macintosh computers display their strict MAC addresses in the TCP/IP Control Panel (Classic MacOS) or the Network Preference Pane of System Preferences (Mac OS X).
  • Page 127 For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer’s office. In this case, the first one to start the IPSec traffic will...
  • Page 128: MultiNAT Configuration Example

    Public IP addresses assigned by the ISP are 206.1.1.1 through 206.1.1.6 (255.255.255.248 subnet mask). Your internal devices have IP addresses of 192.168.1.1 through 192.168.1.254 (255.255.255.0 subnet mask). Netopia Router's address is: Web server's address is: Mail server's address is: FTP server's address is: In this example you will statically map the first five public IP addresses (206.1.1.1 - 206.1.1.5) to the first five...
  • Page 129 IP Address Serving: Number of Client IP Addresses: 1st Client Address: PREVIOUS SCREEN Set up the basic IP & IPX attributes of your Netopia in this screen. Then navigate to the Network Address Translation (NAT) screen. Main Menu Connection Profile 1: Easy Setup Profile...
  • Page 130 4-34 Firmware User Guide Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by using Easy Setup, you would have to define a public range and map list.
  • Page 131: Notes On The Example

    You do this through either the NAT Associations screen or the profile’s configuration screens. The PAT part of this example setup will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the outside world (for example, the Internet).
  • Page 132 IP address, 206.1.1.3. For the sake of this example, alias both services to 206.1.1.2. Now, as before, the PAT configuration will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the Internet.
  • Page 133: Chapter 5 - Virtual Private Networks (VPNs)

    Computers can do the same thing; it's called Virtual Private Networks (VPNs). Equipped with a Netopia Router, a single computer or private network (LAN) can establish a private connection with another computer or private network over the public network (Internet).
  • Page 134 Netopia’s PPTP implementation is compatible with Microsoft’s and can function as either the client (PAC) or the server (PNS). As a client, a Netopia Router can provide all users on a LAN with secure access over the Internet to the resources of another LAN by setting up a tunnel with a Windows NT server running Remote Access Services (RAS) or with another Netopia Router.
  • Page 135 When used to initiate the tunnelled connection, the Router is called a PPTP Access Concentrator (PAC, in PPTP language), or a foreign agent (in ATMP language). When used to answer the tunnelled connection, the Netopia Router is called a PPTP Network Server (PNS, in PPTP language) or a home agent (in ATMP language).
  • Page 136: About PPTP Tunnels

    PPTP server or to terminate a tunnel initiated by a remote PPTP client. PPTP configuration To set up the Router as a PPTP Network Server (PNS) capable of answering PPTP tunnel requests you must also configure the VPN Default Answer Profile. See PPTP is a Datalink Encapsulation option in Connection Profiles.
  • Page 137 Enter the PPTP Partner IP Address. This specifies the address of the other end of the tunnel. If you do not specify the PPTP Partner IP Address the Router cannot initiate tunnels, i.e., act as a PPTP Access Concentrator (PAC) for this profile. It can only accept tunnel requests as a PPTP Network Server (PNS).
  • Page 138 MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia Router will start negotiating MS-CHAP-V2. If the gateway you are connecting to does not support MS-CHAP-V2, it will fall back to MS-CHAP-V1, or, if the gateway you are connecting to does not support MPPE at all, the PPP session will be dropped.
  • Page 139: About IPsec Tunnels

    On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support the more secure Tunnel mode. Netopia Firmware Version 8.7 offers IPsec 3DES encryption over the VPN tunnel. DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key. Netopia Routers offer IPsec 3DES (triple DES) encryption as a standard option.
  • Page 140: About L2TP Tunnels

    About L2TP Tunnels L2TP stands for Layer 2 Tunnelling Protocol, an extension to the PPP protocol. L2TP combines features of two other tunneling protocols: PPTP and L2F. Like PPTP, L2TP is a Datalink Encapsulation option in Connection Profiles.
  • Page 141 Router partner is reached. If you do not specify the L2TP Partner IP Address, the Router will use the default gateway to reach the partner and the Tunnel Via Gateway field is hidden. If the partner should be reached via an alternate port (i.e.
  • Page 142 • You can specify that this Router will Initiate Connections (acting as a PAC) or only answer them (acting as a PNS). • Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established or may be scheduled using the scheduled connections feature.
  • Page 143: About GRE Tunnels

    About GRE Tunnels Generic Routing Encapsulation (GRE) protocol is another form of tunneling that Netopia routers support. A GRE tunnel is brought up when a valid GRE profile is installed, and brought down when the profile is disabled, or deleted.
  • Page 144 GRE Partner IP Address: Send Checksums: Sequence Datagrams: Key: Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). • Enter a GRE Partner IP Address in standard dotted-quad format to specify the address of the other end of the tunnel.
  • Page 145 The IP Profile Parameters screen appears. Address Translation Enabled: IP Addressing... Remote IP Address: Remote IP Mask: Filter Set... Remove Filter Set RIP Profile Options... Toggle to Yes if this is a single IP address ISP account. Configure IP requirements for a remote network connection here. •...
  • Page 146: VPN Force-All

    VPN force-all GRE tunnelling supports “VPN force-all,” which forces all traffic coming from the LAN onto the GRE tunnel. You accomplish this by setting the default route to go through the GRE tunnel. A secondary host route where all tunneled GRE packets route to the actual WAN interface can be configured as a static route when required.
  • Page 147: About ATMP Tunnels

    About ATMP Tunnels To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them. You use the same procedure to initiate or terminate an ATMP tunnel. Used in this way, the terms initiate and terminate mean the beginning and end of the tunnel;...
  • Page 148 • You can specify a Network Name. When the tunnel partner is another Netopia Router, this name may be used to match against a Connection Profile. When the partner is an Ascend gateway in Gateway mode, then Network Name is used by the Ascend gateway to match a gateway profile.
  • Page 149: Encryption Support

    Netopia’s ATMP implementation supports Data Encryption Standard (DES) data encryption for user data transfer over the ATMP tunnel between two Netopia Routers. The encryption option, none or DES, is a selectable option in the ATMP Tunnel Options screen.
  • Page 150: MS-CHAP V2 And 128-Bit Strong Encryption

    • Netopia Firmware Version 8.7 supports 128-bit (“strong”) encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia Routers you can optionally set 56-bit DES encryption. •...
  • Page 151 Receive Authentication... Data Compression... • Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections or No (the default) if you do not. • For PPTP tunnel connections only, you must define what type of authentication these connections will use.
  • Page 152: VPN QuickView

    VPN QuickView You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView. Main Menu The VPN QuickView screen appears. Profile Name----------Type----Rx Pckts---Tx Pckts--RxDiscard--Remote Address-- HA <->...
  • Page 153: Dial-Up Networking For VPN

    Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely.
  • Page 154: Creating A New Dial-Up Networking Profile

    The Communications window appears. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button. Respond to the prompts to install Dial-Up Networking from the system disks or CDROM. When prompted, reboot your PC.
  • Page 155: Configuring A Dial-Up Networking Profile

    Windows 98 users select PPP: Windows 98, Windows NT Server, Internet In the Allowed network protocols area check TCP/IP and uncheck all of the other checkboxes. Note: Netopia’s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols.
  • Page 156: Windows XP Client Configuration

    In the VPN Server Selection window's text box labeled Host Name or IP address, type the Local WAN IP address of the router to which you are connecting. In the Connection Availability window, you can select the Anyone's Use radio button if you want to make this connection accessible to other users of your workstation.
  • Page 157: Connecting Using Dial-Up Networking

    Connecting using Dial-Up Networking A Dial-Up Networking connection will be automatically launched whenever you run a TCP/IP application, such as a web browser or email client. When you first run the application a Connect To dialog box appears in which you enter your User name and Password.
  • Page 158 Main Menu Configuration Select Display/Change Input Filter. Display/Change Input Filter screen +--#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd--+ +---------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 +---------------------------------------------------------------------------+ Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below.
  • Page 159 Enabled: Forward: Call Placement/Idle Reset: Force Routing: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: Return/Enter accepts * Tab toggles * ESC cancels. Enter the packet specific information for this filter. In the Display/Change Filter Set screen select Display/Change Output Filter.
  • Page 160: ATMP Example

    Enabled: Forward: Call Placement/Idle Reset: Force Routing: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: Source Port Compare... Source Port ID: Dest. Port Compare... Dest. Port ID: Established TCP Conns.
  • Page 161 Main Menu Configuration Select Display/Change Input Filter. Display/Change Input Filter screen +--#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd--+ +---------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 +---------------------------------------------------------------------------+ Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below. Enabled: Forward: Call Placement/Idle Reset:...
  • Page 162 Enabled: Forward: Call Placement/Idle Reset: Force Routing: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: Return/Enter accepts * Tab toggles * ESC cancels. Enter the packet specific information for this filter. In the Display/Change IP Filter Set screen select Display/Change Output Filter.
  • Page 163 Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below. Enabled: Forward: Call Placement/Idle Reset: Force Routing: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest.
  • Page 164: Windows Networking Broadcasts

    Windows Networking Broadcasts Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcasts. This is useful, for example, in a Virtual Private Network in which you want to be able to browse the remote network to which you are tunnelling, as part of your Windows Network Neighborhood.
  • Page 165 Configuration for Router A Remote Tunnel Endpoint: Add Network... Display/Change Network... Delete Network... Address Translation Enabled: Stateful Inspection Enabled: Filter Set... Remove Filter Set NetBIOS Proxy Enabled Advanced IP Profile Options... COMMIT Configuration for Router B Remote Tunnel Endpoint: Add Network...
  • Page 166 Make sure the NetBIOS filter is not enabled in your Internet Connection Profile. Netopia includes the NetBIOS Proxy feature as an enhancement and convenience for our customers. It has been lab-tested and many customers use it successfully. However, Netopia cannot guarantee that this feature will automatically give you the networking functionality you expect.
  • Page 167: Chapter 6 - Internet Key Exchange (IKE) IPsec Key Management For VPNs

    IPsec is deployed widely to implement Virtual Private Networks (VPNs). See on page 5-1 for more information. The Netopia Firmware Version 8.7 supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel. This chapter covers the following topics: •...
  • Page 168: Internet Key Exchange (IKE) Configuration

    The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has fleas”...
  • Page 169 The Add Connection Profile screen appears. Profile Name: Profile Enabled: Encapsulation Type... RFC1483 Mode... IP Profile Parameters... COMMIT • From the Encapsulation Type pop-up menu select IPsec. • Then select Encapsulation Options. The IPsec Tunnel Options screen appears. Key Management... IKE Phase 1 Profile...
  • Page 170: Adding An IKE Phase 1 Profile

    Key Management... IKE Phase 1 Profile| Encapsulation... ESP Encryption Tran| ESP Authentication | Compression Type...| Advanced IPsec Opti| COMMIT Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. • A pop-up window displays a list of IKE Phase 1 Profiles that you have configured. If you have not previously configured an IKE Phase 1 Profile, the selection ADD PH1 PROFILE allows you to do that now.
  • Page 171 The Mode pop-up menu allows you to choose between Main Mode (the default) and Aggressive Mode. • In Main Mode the Router hides the Local and Remote Identity Type and Value fields, defaults to the host address, and always uses the IPV4 Address and the local and remote tunnel endpoint address.
  • Page 172 XAuth Local Password: Extended Authentication (Xauth) is an extension to the IKE protocol for IPSec tunnelling. The Xauth extension provides dual authentication for a remote user’s Netopia Gateway to establish a VPN, authorizing network access to the user’s central office.
  • Page 173 192.168.1.99, when an internal address is requested. Since the Local Range is not required to be of type “subnet,” and the Router might need to respond with an internal subnet mask, the subnet mask is set to an even multiple of 8 bits based on the number of addresses in the local range.
  • Page 174 • Invalid SPI recovery Toggling this option to Yes allows the Router to re-establish the tunnel if either the Netopia Router or the peer gateway is rebooted. If an IPSec packet that does not have a valid SPI is received from the peer address, a new Phase 1 negotiation is initiated to the peer in order to securely transmit an invalid-SPI message.
  • Page 175: Changing An IKE Phase 1 Profile

    • DPD Keepalive Idle Time (seconds) allows you to specify an interval, from 3 to 65535 seconds, during which IPSec traffic may be idle before the router sends a keepalive message to its peer. The default is 20 seconds. Changing an IKE Phase 1 Profile To make changes to an IKE Phase 1 Profile, select IKE Phase 1 Configuration from the WAN Configuration...
  • Page 176 | Are you sure you want to delete this IKE Phase 1 Profile? CANCEL +------------------------------------------------------------+ IPsec Configuration +--IKE Phase1 Profile--+ +----------------------+ D| IKE Profile 2 |1 Profile... A| Arthropods D| Anthropoids |e... | Anopheles | Albigensians +----------------------+ IPsec Configuration +--IKE Phase1 Profile--+ Display+----------------------+ Add IKE| Netopia +----------------------+ CONTINUE...
  • Page 177: Key Management

    Key Management You specify your IKE key management on a per-Connection Profile basis. You can do this in one of three ways: • You can create your IKE Phase 1 Profile first, and then associate it with an existing Connection Profile •...
  • Page 178 Note: The Change Connection Profile screen will offer different options, depending on the model of gateway you are using. You can associate an IPsec profile with the Primary, the Backup, or choose to apply it to Any Port of the WAN interface by choosing the interface from the Interface Group pop-up menu as shown below.
  • Page 179 The remainder of the screen allows you to configure the IKE Phase 2 parameters that control the contents of the single IKE Phase 2 proposal sent by the Router. These same items specify the values that must be offered by one of the remote peer’s proposals.
  • Page 180: Advanced Ipsec Options

    • The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1-96. Advanced IPsec Options If you select Advanced IPsec Options, the Advanced IPsec Options screen appears. SA Lifetime seconds: SA Lifetime Kbytes: Perfect Forward Secrecy:...
  • Page 181 Determination of a dead peer could take up to eight minutes. Netopia Firmware Version 8.7 provides a new Dead Peer Detection mechanism. An IPsec IP net interface sends ICMP ping requests to a specific IP address on a Remote Member network. The ping is periodic, and the reply is expected within a certain amount of time.
  • Page 182 When the Remote Tunnel Endpoint is a hostname, there is no check on the source address of the packet; hostnames are used/resolved only for initiating outgoing connections. Multiple Network IPsec Netopia Firmware Version 8.7 offers an enhancement to IPsec VPN tunnels allowing multiple network support. This feature enhances your Netopia Router’s Virtual Private Networking functionality. IP Profile Parameters 0.0.0.0...
  • Page 183 This feature allows you to define many local and remote network ranges for a given IPsec VPN profile. Each of these ranges has its own IPsec tunnel. However, each tunnel has a common tunneling endpoint and encryption policy. This is useful, for example, for branch office management of multiple IP subnets over an encrypted VPN tunnel.
  • Page 184 • If you choose Subnet, you must enter the Remote Member Address and the subnet mask that is the Remote Member Mask. Enter the Local Member Address and the Local Member Mask in their respective fields. •...
  • Page 185 --------------Local-Members-------------------------Remote-Members-------------- Net #---Type----Start-Address---Size----------Type----Start-Address---Size------ ----------------------------------SCROLL UP----------------------------------- SUBNET 192.168.2.1 SUBNET 10.0.1.1 HOST 163.176.91.101 RANGE 163.176.30.222 ---------------------------------SCROLL DOWN---------------------------------- • Scroll down and up with the arrow keys to select the one you want to change, and press Return. You will be returned to the Network Configuration screen where you can make any required changes. •...
  • Page 186 Next Hop Gateway option allows you to enter the address by which the Router partner is reached. If you do not specify the Remote Tunnel Endpoint Address, the Router will use the default gateway to reach the partner. If the partner should be reached via an alternate port (for example, the LAN instead of the WAN), the Next Hop Gateway field allows this path to be resolved.
  • Page 187: Ipsec Wan Configuration Screens

    IPsec WAN Configuration Screens You can also configure IKE Phase 1 Profiles in the WAN Configuration menus. Main Menu The WAN Configuration screen now includes IKE Phase 1 Configuration as shown: Return/Enter for WAN Line configuration. From here you will configure yours and the remote sites' WAN information. Select IKE Phase 1 Configuration and press Return.
  • Page 188: Ipsec Manual Key Entry

    The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile. IPsec Manual Key Entry The Version 8.6 firmware has a redesigned layout and additional options for manual key entry. If you selected Manual Key Management in the IPsec Tunnel Options screen, you will need to enter your encryption keys in the IPsec Manual Keys screen.
  • Page 189: Vpn Quickview

    Select IPsec Manual Keys and press Return. SHA1 ESP Auth. Key: SHA1 AH Auth. Key: Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields to enter authorization keys and encryption keys.
  • Page 190: Wan Event History Error Reporting

    The DNS lookup of the remote tunnel end point has failed. An IKE phase 1 request was received and did not match any of the profiles stored in the local Router. An IKE phase 1 request was received and the proposal did not match an allowed parameter, or else the remote rejected the local Router’s proposal.
  • Page 191 IKE: phase 2 complete Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-25 Meaning: Either the local Router rejected the proposals of the remote or the remote rejected the local Router’s. The attempt to resend the phase 2 authentication timed out.
  • Page 193: Chapter 7 — Ip Setup

    Chapter 7 IP Setup Netopia Firmware Version 8.7 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the gateway to route IP traffic. You also learn how to configure the gateway to serve IP addresses to hosts on your local network.
  • Page 194: Ip Setup

    Main Menu The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here controls how the gateway routes IP traffic. Consult your network administrator or ISP to obtain the IP setup information (such as the Ethernet IP address, Ethernet subnet mask, default IP gateway, and Primary Domain Name Server IP address) you will need before changing any of the settings in this screen.
  • Page 195 The Netopia Firmware Version 8.7 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment.
  • Page 196: Ip Subnets

    All eight row labels are always visible, regardless of the number of subnets configured. • To add an IP subnet, enter the Router’s IP address on the subnet in the IP Address field in a particular row and the subnet mask for the subnet in the Subnet Mask field in that row.
  • Page 197 For example: IP Address ---------------- 192.128.117.162 192.128.152.162 0.0.0.0 • To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
  • Page 198: Static Routes

    Static routes are IP routes that are maintained manually. Each static route acts as a pointer that tells the Router how to reach a particular network. However, static routes are used only if they appear in the IP routing table, which contains all of the routes used by the Router (see Static routes are helpful in situations where a route to a network must be used and other means of finding the...
  • Page 199 The Static Routes screen will appear. Configure/View/Delete Static Routes from this and the following Screens. Viewing static routes To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear. +-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+ +------------------------------------------------------------------+ | 0.0.0.0 +------------------------------------------------------------------+...
  • Page 200: Adding A Static Route

    Select Destination Network Subnet Mask and enter the subnet mask used by the destination network. • Select Next Gateway IP Address and enter the IP address for the gateway that the Router will use to reach the destination network. This gateway does not necessarily have to be part of the destination network, but it must at least know where to forward packets destined for that network.
  • Page 201: Deleting A Static Route

    Rules of static route installation The Netopia Firmware Version 8.7 applies certain rules before installing enabled static routes in the IP routing table. An enabled static route will not be installed in the IP routing table if any of the following conditions are true: •...
  • Page 202: Rip Options

    If any of the peers have not used the new key yet, the Netopia router will send RIP updates twice, once with each key.
  • Page 203 VRRP Options... Static Routes... Additional LANs... Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Set up the basic IP attributes of your Netopia in this screen. • Select RIP Options. The Ethernet LAN RIP Options screen appears. Receive RIP...
  • Page 204 Receive RIP... Transmit RIP... RIP v2 Authentication Keys... • You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pop-up menu. Receive RIP... Transmit RIP... RIP v2 Authentication Keys... •...
  • Page 205 Note: • All of the changes on this menu require a reboot. This is unique to the Ethernet LAN. RIP changes on all other interfaces are immediately effective. • If you set the RIP Receive option to Both v1 and v2, the interface will ignore authenticated RIP packets since authenticated v1 packets do not exist.
  • Page 206 Key ID: Authentication Key: Start Date (MM/DD/YY): Start Time (hh:mm): AM or PM: End Time Mode: End Date (MM/DD/YY): End Time (hh/mm): AM or PM: COMMIT • The key identifier Key ID can be any numeric value from 0 – 255, and must be unique per interface. You cannot have two keys with the same key ID on an interface.
  • Page 207 +-Key ID--Start Date--Start Time--End Date--End Time--Valid-+ +-----------------------------------------------------------+ | 255 +-----------------------------------------------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Note: The date and time formats are determined by the system date and time formats. If the current date and time fall within the range of dates and times, the Valid field indicates “yes”, otherwise it indicates “no”.
  • Page 208: Connection Profiles And Default Profile

    Connection Profiles and Default Profile RIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not using NAT, your public Internet connection can benefit from sending authenticated RIP packets as well as receiving them. To configure RIP-2 MD5 authentication for a Connection Profile, you can either change an existing Connection Profile, or create a new one.
  • Page 209: Ip Address Serving

    Connection Profile. Power interruptions Netopia 4000 Series routers use NTP updates to set the correct time. Consequently, the starting time after a power cycle, whether from power failure or deliberately switching power off and on, is in the year 1904. This could invalidate some keys that would otherwise be valid.
  • Page 210 • The IP Address Serving Mode pop-up menu allows you to choose the way in which the Router will serve IP addresses. The device can act as either a DHCP Server or a DHCP Relay Agent. (See on page 7-28 for more information.) In most cases, you will use the device to serve its own pool of IP...
  • Page 211 • The DHCP Next-Server field allows you to enter the IP address of the next server in the boot process, which is typically a Trivial File Transfer Protocol (TFTP) server. • The default DHCP Lease time is one hour. This may be unnecessarily brief in your network environment. Consequently, the DHCP lease time is configurable.
  • Page 212: Ip Address Pools

    The Client Gateway column allows you to specify the default gateway address that will be provided to clients served an address from the corresponding pool. The value defaults to the Router’s IP address on the corresponding subnet (or the Router’s default gateway, if that gateway is located on the subnet in question).
  • Page 213: Dhcp Netbios Options

    • When requesting an address, a client may provide a client identifier, or, if it does not, the Netopia Firmware Version 8.7 may construct a pseudo-client identifier for the client. When the client subsequently requests an address, the Router will attempt to serve the address previously associated with the pseudo-client identifier.
  • Page 214 Serve NetBIOS Type: NetBIOS Type... Serve NetBIOS Scope: NetBIOS Scope: Serve NetBIOS Name Server: NetBIOS Name Server IP Addr: Configure DHCP-served NetBIOS options here. • To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes.
  • Page 215: More Address Serving Options

    • Back in IP Address Serving, the Serve Dynamic WAN Clients toggle More Address Serving Options The Netopia Firmware Version 8.7 includes a number of enhancements in the built-in DHCP IP address server. These enhancements include: • The ability to exclude one or more IP addresses from the address serving pool so the addresses will not be served to clients.
  • Page 216: Configuring The Ip Address Server Options

    The ability to serve as a DHCP Relay Agent. The Netopia Firmware Version 8.7 supports reserving an IP address only for a type 1 client identifier (i.e., an Ethernet hardware address). It does not support reserving an IP address for an arbitrary client identifier. (For more information on client identifiers, see RFC 2131, section 9.14.)
  • Page 217 You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses. -IP Address------Type----Expires--Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101 192.168.1.102...
  • Page 218 Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased. -IP Address------Type----Expires--Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100...
  • Page 219 An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an address if it determines that a leased address is already in use by another device. Selecting Include restores the selected IP address to the address serving pool so that the IP address is once again eligible to be served to a client.
  • Page 220: Dhcp Relay Agent

    Netopia Router. If the Netopia Router is configured to act as a DHCP server, it will assign the client an address from an address pool configured locally in the Netopia Router and respond to the client's request...
  • Page 221 Main Menu Select IP Address Serving and press Return. The IP Address Serving screen appears. IP Address Serving Mode... Number of Client IP Addresses: 1st Client Address: Client Default Gateway... Serve DHCP Clients: DHCP NetBIOS Options... Serve BOOTP Clients: Select IP Address Serving Mode. The pop-up menu offers the choices of Disabled, DHCP Server (the default), and DHCP Relay Agent.
  • Page 222: Connection Profiles

    Netopia Router does not. The DHCP server(s) to which the Netopia Router is relaying DHCP requests must be configured with one or more address pools that are within the Netopia Router’s primary Ethernet LAN subnet. (There is no mechanism for DHCP clients to receive an address on a secondary subnet via a relayed DHCP request.)
  • Page 223 COMMIT Configure a new Conn. Profile. Finished? On a Router you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time, unless you are using VPNs. Select Profile Name and enter a name for this connection profile. It can be any name you wish. For example: the name of your ISP.
  • Page 224 Address Translation Enabled: NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Filter Set... Remove Filter Set RIP Profile Options... Toggle to Yes if this is a single IP address ISP account. Configure IP requirements for a remote network connection here.
  • Page 225: Multicast Forwarding

    You see and hear the channel you are interested in, but not the others. Since a router should not be used as a passive forwarding device, Netopia Routers use a protocol for forwarding multicasting. This protocol is Internet Group Management Protocol (IGMP). Netopia Routers can use IGMP Version 1, Version 2, or Version 3; however, Multicast Forwarding will only work if your service provider supports it.
  • Page 226: Virtual Router Redundancy (Vrrp)

    Connection Profile to receive multicast data. You enable it by selecting Rx. from the pop-up menu. Virtual Router Redundancy (VRRP) Netopia Firmware Version 8.7 offers Virtual Router Redundancy Protocol (VRRP). A Virtual Router is a software abstraction consisting of a group of two or more hardware routers protecting one or more IP addresses. One of the routers is designated as the Master, while the others are backups.
  • Page 227 • VRID – Enter a VRID value. Each logical IP interface can have a maximum of two Virtual Routers. A Virtual Router is identified by its Virtual Router Identifier (VRID). The VRID must be unique within the IP interface. •...
  • Page 228 • Priority – Assign a Priority in the range of 1 – 255 to the Virtual Router. The default is 100. The priority of a Virtual Router will default to 255 if the Virtual Router is the IP address owner. A priority of 255 indicates that the Virtual Router should operate in Master mode.
  • Page 229: Additional Lans

    +-------------------------------------------------------+ +-------------------------------------------------------+ Additional LANs Netopia Firmware Version 8.7 includes support for creating additional logical local area networks. When used in combination with VLANs (see “VLAN Configuration” on page end-to-end networks to support such services as voice-over-IP, point-of-sale applications, or audio and video services.
  • Page 230 Multiple logical IP LAN support allows you to create additional IP routed LAN interfaces (ALANs). You can add, edit, or delete Additional LANs similarly to Connection Profiles on the WAN connection. You then associate physical or logical Ethernet-encapsulated interfaces, such as wired Ethernet ports, wireless SSIDs, and ATM RFC 1483 bridged VCs, to these interfaces on platforms with more than one Ethernet-encapsulated interface.
  • Page 231 RIP Options – Same as the primary interface. See • VRRP Options – Same as the primary interface. Two Virtual routers can be added to each of the ALANs. “Virtual Router Redundancy (VRRP)” on page • Multicast Forwarding – Same as the primary interface. See •...
  • Page 232 Editing or Deleting ALANs You can manage or edit your ALANs at any time. To modify or delete a configured ALAN, return to the IP Setup screen and select Additional LANs. The Additional LAN Configuration screen appears. If you select either Show/Change ALAN or Delete ALAN, a pop-up window allows you to choose the ALAN you want to modify or delete.
  • Page 233: Configuring Backup

    Chapter 8 Line Backup Netopia Firmware Version 8.7 offers line backup functionality in the event of a line failure on the primary WAN link: • to an internal V.92 modem (supported models) or • to a backup default gateway. This chapter covers the following topics: •...
  • Page 234: Connection Profiles

    • the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu Here you enter a Backup Gateway IP address. See different backup gateway device; see Detailed descriptions follow. Connection Profiles The dial backup feature allows you to configure a complete Connection Profile for the modem backup, just as you do for your primary WAN connection.
  • Page 235 Profile Name: Profile Enabled: Encapsulation Type... Encapsulation Options... IP Profile Parameters... COMMIT Assuming you selected PPP, new fields appear. Profile Name: Profile Enabled: Encapsulation Type... Encapsulation Options... IP Profile Parameters... Interface Group... Telco Options... COMMIT Underlying Encapsulation and PPP Mode do not usually need to be changed for a PPP connection. •...
  • Page 236 The Datalink (PPP/MP) Options screen appears. Data Compression... Send Authentication... Send User Name: Send Password: Receive User Name: Receive Password: Dial on Demand: PAP-- Password protection is used. • Data Compression should remain set to Standard LZS. •...
  • Page 237 • Select IP Profile Parameters. The IP Profile Parameters screen appears. Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Remote IP Address: Remote IP Mask: Filter Set... Remove Filter Set RIP Profile Options...
  • Page 238 You can add the Number to Dial and an Alternate Site to Dial, if available. • You can toggle Dial on Demand to Yes or No. This allows the router to determine whether or not to dial the backup number when there is traffic that needs to be transmitted or received.
  • Page 239: Ip Setup

    RIP Options... Multicast Forwarding... Static Routes... Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Set up the basic IP attributes of your Netopia in this screen. • Set Backup IP Gateway to 127.0.0.2. • Set Secondary Domain Name Server to the IP Address DNS of your dial-up ISP.
  • Page 240: Wan Configuration

    WAN Configuration To configure the modem characteristics, from the Main Menu select WAN Configuration and then WAN Setup. Main Menu Return/Enter to create a new Connection Profile. From here you will configure yours and the remote sites' WAN information. The Choose Interface to Configure screen appears.
  • Page 241: Backup Configuration Screen

    Choose the interface to configure for backup, MODEM (Wan Module 2) Setup. The Internal Modem Setup screen appears. Modem Dialing Prefix: PBX Dialing Prefix: Line Directory Number: Speaker On... Speaker Volume... Answer Incoming calls... Country... Enter the dialing prefix to be sent to all modems. •...
  • Page 242 Select Ping Host Name or IP Address #1 and #2 and enter IP address(es) or resolvable DNS name(s) that the Router will ping. These are optional items that are particularly useful for testing if the remote end of a VPN connection has gone down.
  • Page 243 Note: If you want the router to initiate the backup connection on loss of Layer 1 or 2 only (Physical or Data link Layer), leave Ping Host Name or IP Address blank. Do not use 0.0.0.0 in this field. Hit the space bar or Delete key to CLEAR the field totally.
  • Page 244: Using Scheduled Connections With Backup

    • Data Link Encapsulation is Async PPP – if it appears (not on all models) this field is not editable. When you are finished, press Escape. Using Scheduled Connections with Backup The backup link is a PPP dial-up connection and only connects to the Internet service provider when traffic is initiated from the LAN.
  • Page 245 Scheduled Connection Enable: How Often... Schedule Type... Set Weekly Schedule... Use Connection Profile... ADD SCHEDULED CONNECTION Return/Enter accepts * Tab toggles * ESC cancels. Scheduled Connections dial remote Networks on a Weekly or Once-Only basis. • Toggle Scheduled Connection Enable to On. •...
  • Page 246: Backup Default Gateway

    Backup Default Gateway If your Netopia equipment does not have an internal modem, or if you do not want to use the internal modem for backup, the Netopia Firmware Version 8.7 offers backup functionality to an alternate gateway typically connected to a LAN port.
  • Page 247 Select Ping Host Name or IP Address #1 and #2 and enter IP address(es) or resolvable DNS name(s) that the Router will ping. These are optional items that are particularly useful for testing if the remote end of a VPN connection has gone down.
  • Page 248: Ip Setup Screen

    Static Routes... Network Address Translation (NAT)... Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Set up the basic IP attributes of your Netopia in this screen. For more information on IP Setup see the Note: Backup and Recovery have resolutions of five seconds. This is how often the gateway evaluates the state of the connections and makes decisions.
  • Page 249: Backup Management/Statistics

    Backup Management/Statistics If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return. Main Menu The Backup Management/Statistics screen appears. Current Gateway: Backup State: Reason:...
  • Page 250: Quickview

    During recovery, the following reasons may appear: Recovery of Layer 1 Layer 2 Override Layer 2 Recovery • Time Since Detection is a display-only field that is only visible if backup or recovery is in progress. It displays the elapsed time since detection of either WAN line failure or re-establishment of the connection.
  • Page 251: Quick View Status Overview

    “Simple Network Management Protocol (SNMP)” on page 9-9 Quick View Status Overview You can get a useful, overall status report from the Netopia Firmware Version 8.7 in the Quick View screen. To go to the Quick View screen, select Quick View in the Main Menu.
  • Page 252: General Status

    IP address as a secondary gateway, it is shown here. Domain Name: The domain name you have assigned, typically the name of your ISP. MAC Address: The Router’s hardware address, for those interfaces that support DHCP. IP Address: The Router’s IP address, entered in the IP Setup screen.
  • Page 253: Status Lights

    Netopia Firmware Version 8.7 updates timestamps reported in the system logs with new timestamps as these are updated via NTP. The restamp of the time is done in the background after NTP is received. It may take a few moments for the log to show up with the correct times added.
  • Page 254: Event Histories

    Main Menu Netopia Firmware Version 8.7 records certain relevant occurrences in event histories. Event histories are useful for diagnosing problems because they list what happened before, during, and after a problem occurs. You can view two different event histories: one for the gateway’s system and one for the WAN.
  • Page 255: Device Event History

    The first event in each call sequence is marked with double arrows (>>). Failures are marked with an asterisk (*). If the event history exceeds the size of the screen, you can scroll through it by using the SCROLL UP and SCROLL DOWN items.
  • Page 256: Ip Routing Table

    IP Routing Table Main Menu The IP routing table displays all of the IP routes currently known to the Router. Network Address-Subnet Mask-----via Gateway------Port------------------Type---- ----------------------------------SCROLL UP----------------------------------- 0.0.0.0 255.0.0.0 127.0.0.1 255.255.255.255 127.0.0.1 192.168.1.0 255.255.255.240 192.168.1.1 192.168.1.1 255.255.255.255 192.168.1.1 192.168.1.15...
  • Page 257: Physical Interface

    Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err Ethernet Hub ATM ADSL 1 Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err VC Traffic Statistics... Physical Interface The top left side of the screen lists total packets received and total packets transmitted for the following data ports: •...
  • Page 258: System Information

    System Information The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears. Serial Number Firmware Version...
  • Page 259: Simple Network Management Protocol (Snmp)

    SNMP manager. • Netopia Routers support SNMP-V1 and SNMP-V2c. • Beginning with Netopia Firmware Version 8.7, Netopia Routers implement the following in the Netopia enterprise-specific MIB: • Wireless privacy objects support wireless configuration and information about wireless clients associated with the router.
  • Page 260: Community Strings

    The Read-Only Community String and the Read/Write Community String are like passwords that must be used by an SNMP manager querying or configuring the Netopia Firmware Version 8.7. An SNMP manager using the Read-Only Community String can examine statistics and configuration information from the gateway, but cannot modify the gateway’s configuration.
  • Page 261: Snmp Traps

    Netopia Firmware Version 8.7 sends traps using UDP (for IP networks). You can specify which SNMP managers are sent the IP traps generated by the Netopia Firmware Version 8.7. Up to eight receivers can be set. You can also review and remove IP traps.
  • Page 262: Setting The Ip Trap Receivers

    Return/Enter to modify an existing Trap Receiver. Navigate from here to view, add, modify and delete IP Trap Receivers. Setting the IP trap receivers Select Add IP Trap Receiver. Receiver IP Address or Domain Name: Community String: Send Heartbeat Trap: ADD TRAP RECEIVER NOW Select Receiver IP Address or Domain Name.
  • Page 263 Toggle Send Heartbeat Trap on (Yes) or off (No). The heartbeat setting is used to broadcast contact and location information about your Router. Select ADD TRAP RECEIVER NOW and press Return. You can add up to seven more receivers. Viewing IP trap receivers To display a view-only table of IP trap receivers, select Display/Change IP Trap Receiver in the IP Trap Receivers screen.
  • Page 265: Suggested Security Measures

    Chapter 10 Security Netopia Firmware Version 8.7 provides a number of security features to help protect its configuration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them. This section covers the following topics: •...
  • Page 266: Telnet Tiered Access - Two Password Levels

    Telnet Tiered Access – Two Password Levels Netopia Firmware Version 8.7 offers tiered access control for greater security and protection against accidental or malicious misconfiguration. Service providers and network administrators can now limit the access of other users to the various configuration screens to prevent misconfigurations.
  • Page 267: Superuser Configuration

    PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT.
  • Page 268: Limited User Configuration

    Limited user configuration The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which configuration features a limited (non-Superuser) user can access. From the Security Options screen, select Add Access Name/Password. The Add Access Name/Password screen appears. Name (19 characters max): Password: Telnet Access Enabled:...
  • Page 269 WAN Data Configuration: Connection Profile Configuration: Circuit (PVC/DLCI) Configuration: LAN Data Configuration: LAN Subnet Configuration: NAT/Filters Configuration: Preferences (Global) Configuration:Yes You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection.
  • Page 270: Advanced Security Options

    Advanced Security Options The Advanced Security Options screen allows you to configure the global access privileges of users authenticated via a RADIUS server or a TACACS+ server. From the Security Options screen, select Advanced Security Options. The Advanced Security Options screen appears.
  • Page 271: Radius Server Authentication

    Choosing Remote Only causes the router to ignore the local database and to authenticate users using the configured RADIUS server. • Choosing Remote then Local causes the router to attempt to authenticate a user first using a RADIUS server and then, if that fails, using the local authentication database. •...
  • Page 272: Tacacs+ Server Authentication

    RADIUS authentication service. TACACS+ server authentication Netopia Firmware Version 8.7 supports TACACS+ server authentication. Its application to a Netopia Router is to control access to the Router’s management interface, and to audit commands submitted by a user.
  • Page 273: Warning Alerts

    Command Line Interface (CLI) mode (see the Command Line Interface Commands Reference) and cannot be switched to console mode. If TACACS+ Accounting is enabled on the Netopia Router, each command is sent to the TACACS+ server in a TACACS+ Accounting transaction. The CLI command is then executed, regardless of the return code from the server.
  • Page 274 +---------------------------------------------------------------+ Attempting to delete the last username/password pair from the local authentication database when the Security Databases pop-up menu is set to either Local then Remote or Remote then Local causes the router to present the following warning alert: +-------------------------------------------------------------+ +-------------------------------------------------------------+ | You are about to delete the only local password.
  • Page 275 Remote Authentication... Security Databases... Remote Server Addr/Name: Remote Server Secret: Alt Remote Server Addr/Name: Alt Remote Server Secret: RADIUS Identifier: RADIUS Server Authentication Port+-----------+ Remote Access Privileges... Telnet Server Port: MAC Address Authentication... LAN (Ethernet) IP Filter Set... Remove Filter Set •...
  • Page 276: User Access Password

    User access password Users must be able to change their names and passwords, regardless of other security access restrictions. If a user does not have security access, then they will only be able to modify the password for their account. When a limited-access user logs into the gateway.
  • Page 277: User Menu Differences

    The Quick Menus screen reflects the security access level of the user. Menus to which configuration access is forbidden are hidden. Main Menu The following is an example comparison of the Main Menu as seen by the Superuser and by a Limited user. Superuser Netopia Router Easy Setup... WAN Configuration... System Configuration... Utilities & Diagnostics...
  • Page 278 WAN (Wide Area Network) Setup... ATM Circuits Configuration... Display/Change Connection Profile... Add Connection Profile... Delete Connection Profile... WAN Default Profile... ATMP/PPTP Default Profile... IKE Phase 1 Configuration... Advanced Connection Options... Establish WAN Connection... Disconnect WAN Connection... Netopia Router WAN Configuration...
  • Page 279 User Access Level Connection Profiles Connection Profiles Connection Profiles The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection Profile in the Add Connection Profile screen the Superuser can toggle the Superuser Accessible Only option to Yes or No.
  • Page 280 System Configuration menu The System Configuration menu is always available to all users. Based on access level, the System Configuration menu displays its configuration options according to the following diagram: User Access Level Global Superuser Superuser, All Superuser Note: Network Address Translation (NAT) is displayed in this screen in order to make access control...
  • Page 281 Superuser Statistics & Logs menu The Statistics & Logs menu shown below is a composite of all the possible options on all Netopia gateways supported by the firmware. Substantial differences exist among screens on a given gateway. Here, all selection options are shown.
  • Page 282 User Access Level WAN Event History... Global Device Event History... Global IP Routing Table... Global Served IP Addresses... Global Served IP Addresses... Global Backup Management/Statistics... Global General Statistics... Global System Information... Global Statistics & Logs...
  • Page 283: Quick Menus

    Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user. Connection Profiles Add Connection Profiles Change Connection Profiles Delete Connection Profiles WAN Default Profile ATMP/PPTP Default Profile...
  • Page 284: Telnet Access

    PVC configuration access, they are permitted configuration access to all PVC parameters. Telnet Access Telnet is a TCP/IP service that allows remote terminals to access hosts on an IP network. Netopia Firmware Version 8.7 supports Telnet access to its configuration screens. Caution! You should consider password-protecting or restricting Telnet access to the Router if you suspect there is a chance of tampering.
  • Page 285: About Filters And Filter Sets

    filters to control network communications can greatly improve your network’s security. The Netopia Firmware Version 8.7’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the gateway’s filter sets for a variety of packet filtering applications.
  • Page 286: How Individual Filters Work

    Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
  • Page 287: Port Numbers

    This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked. Here is what this rule looks like when implemented as a filter on the Netopia Firmware Version 8.7: +-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +--------------------------------------------------------------------+ 199.211.211.17...
  • Page 288: Port Number Comparisons

    Internet service Telnet SMTP (mail) Gopher Internet service Who Is World Wide Web SNMP Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison options are: No Compare: No comparison of the port number specified in the filter with the packet’s port number.
  • Page 289: Putting The Parts Together

    Putting the parts together When you display a filter set, its filters are displayed as rows in a table: +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +----------------------------------------------------------------------+ 192.211.211.17 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 +----------------------------------------------------------------------+ The table’s columns correspond to each filter’s attributes: #: The filter’s priority in the set. Filter number 1, with the highest priority, is first in the table. Source IP Addr: The packet source IP address to match.
  • Page 290 Filtering example #1 Returning to our filtering rule example from above (see Start with the rule, then fill in the filter’s attributes: The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
  • Page 291: Design Guidelines

    This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it. In this case, the mask, which does not appear in the table, must be set to 255.255.255.0.
  • Page 292: Working With Ip Filters And Filter Sets

    • That which is not expressly prohibited is permitted. • That which is not expressly permitted is prohibited. It is strongly recommended that you take the latter, and safer, approach to all of your filter set designs. Working with IP Filters and Filter Sets This section covers IP filters and filter sets.
  • Page 293: Adding A Filter Set

    Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears.
  • Page 294 The Netopia Router Packets in the Netopia Firmware Version 8.7 pass through an input filter if they originate in the WAN and through an output filter if they’re being sent out to the WAN. The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination.
  • Page 295 Filter Set Name: Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind.
  • Page 296 If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded. Select Source IP Address and enter the source IP address this filter will match on.
  • Page 297: Deleting A Filter Set

    Select a filter set from the list and press Return. Select CONTINUE and press Return to delete it. A sample filter set This section contains the settings for a filter set called Basic Firewall, which is part of Netopia Firmware Version 8.7’s factory configuration.
  • Page 298 Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN.
  • Page 299 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN.
  • Page 300: Policy-Based Routing Using Filtersets

    filter. In previous firmware versions, a filter would either pass or block the specified traffic. Netopia Firmware Version 8.7 adds a third option, force routing. You specify a gateway IP address, and each packet matching the filter is...
  • Page 301: Tos Field Matching

    Destination Port ID(s) for the filter, if desired. TOS field matching Netopia Firmware Version 8.7 supports two additional parameters in an IP filter: TOS and TOS Mask. Both fields accept values in the range 0 – 255. Change Input Filter 1 No Change 163.176.8.134...
  • Page 302 If you expect to route significant amounts of such traffic you can configure your router to route this type of traffic to a gateway other than your normal gateway using this feature.
  • Page 303: Firewall Tutorial

    Firewall Tutorial General firewall terms Filter rule: A filter set is comprised of individual filter rules. Filter set: A grouping of individual filter rules. Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
  • Page 304: Firewall Design Rules

    Example TCP/UDP Ports TCP Port 20/21 Firewall design rules There are two basic rules to firewall design: • “What is not explicitly allowed is denied.” • “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else.
  • Page 305: Implied Rules

    and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule.
  • Page 306: Filter Basics

    A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). The Netopia Firmware Version 8.7 has the ability to compare source and destination TCP or UDP ports. These options are as follows:...
  • Page 307: Example Filters

    Less Than or Equal: Any port less than or equal to the port defined. Equal: Matches only the port defined. Greater Than or Equal: Matches the port or any port greater. Greater Than: Matches anything greater than the port defined. Example network Input Packet Example filters Example 1 Filter Rule: Incoming packet has the source address of 200.1.1.28 IP Address 200.1.1.28 255.255.255.128...
  • Page 308 This incoming IP packet (10000000) has a source IP address that does not match the network address in the Source IP Address field (00000000) in the Netopia Firmware Version 8.7. This rule will forward this packet because the packet does not match.
  • Page 309 255.255.255.240 Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule does not match and this packet will be forwarded. Example 4 Filter Rule: Incoming packet has the source address of 200.1.1.104.
  • Page 310: Configuration Management

    255.255.255.255 Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. This rule masks off a single IP address.
  • Page 311 Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Factory Default from Configuration: Remove Factory Default Configuration Return/Enter to select Factory Default Configuration. Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears. Configuration Name: SAVE Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  • Page 312 Factory Default to a saved configuration If you need to Factory Default the Router, it may be useful to be able to return to a previously saved configuration, rather than to completely reconfigure all your settings. To do this, you designate one of your saved configurations as the Factory Default configuration.
  • Page 313: Tftp

    Once you make the selection, if you Factory Default the Router, it will reboot with the saved configuration you have selected. Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Factory Default from Configuration: Remove Factory Default Configuration Return/Enter to select Factory Default Configuration.
  • Page 315: Chapter 11 — Utilities And Diagnostics

    Chapter 11 Utilities and Diagnostics A number of utilities and tests are available for system diagnostic and control purposes. This section covers the following topics: • “Ping” on page 11-2 • “Trace Route” on page 11-4 • “Telnet Client” on page 11-5 •...
  • Page 316: Ping

    Ping The Netopia Firmware Version 8.7 includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender.
  • Page 317 Packets In count. In the example that follows, a Router is sending Ping packets to another host, which responds with return Ping packets. Note that the second return Ping packet is considered to be late because it is not received by the Router before the third Ping packet is sent.
  • Page 318: Trace Route

    MIB-II ip group’s ipDefaultTTL object. Trace Route You can count the number of gateways between your Netopia Router and a given destination with the Trace Route utility. In the Statistics & Diagnostics screen, select Trace Route and press Return. The Trace Route screen appears.
  • Page 319: Telnet Client

    Select Timeout (seconds) to set when the trace will timeout for each hop, up to 10 seconds. The default is 3 seconds. Select Use Reverse DNS to learn the names of the gateways between the Netopia Router and the destination gateway. The default is Yes.
  • Page 320: Factory Defaults

    To use the Router as a TFTP client, a TFTP server must be available. Netopia, Inc., has a public access TFTP server on the Internet where you can obtain the latest firmware versions.
  • Page 321: Updating Firmware

    The sections below describe how to update the Router’s firmware and how to download and upload configuration files. Updating firmware Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s network administrator. The Router ships with an embedded operating system referred to as firmware. The firmware governs how the device communicates with your network and the WAN or remote site.
  • Page 322: Uploading Configuration Files

    Select GET CONFIG FROM SERVER and press Return. You will see the following dialog box: +----------------------------------------------------------------------+ +----------------------------------------------------------------------+ | Are you sure you want to send a saved configuration to your Netopia? | +----------------------------------------------------------------------+ • Select CANCEL to exit without downloading the file, or select CONTINUE to download the file. The system will reset at the end of the file transfer to put the new configuration into effect.
  • Page 323 You must restart the system whenever you reconfigure the Router and want the new parameter values to take effect. Under certain circumstances, restarting the system may also clear up system or network malfunctions. Some configuration processes automatically restart the system to apply the changes you have made.
  • Page 325: Appendix A - Troubleshooting

    This appendix is intended to help you troubleshoot problems you may encounter while setting up and using Netopia Firmware Version 8.7. It also includes information on how to contact Netopia Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics &...
  • Page 326: Network Problems

    Verify the accuracy of the default gateway’s IP address (entered in the IP Setup or Easy Setup screen). • Use the Netopia Firmware Version 8.7’s Ping utility, in the Utilities & Diagnostics screen, and try to Ping local and remote hosts. See successfully Ping hosts using their IP addresses but not their domain names (198.34.7.1 but not...
  • Page 327: How To Reset The Router To Factory Defaults

    How to Reset the Router to Factory Defaults Lose your password? This section shows how to reset the Netopia Router so that you can access the configuration screens once again. Note: Keep in mind that all of your settings may need to be reconfigured.
  • Page 328: How To Reach Us

    We can help you with your problem more effectively if you have completed the environment profile in the previous section. If you contact us by telephone, please be ready to supply Netopia Technical Support with the information you used to configure the Router. Also, please be at the site of the problem and prepared to reproduce it and to try some troubleshooting steps.

This manual is also suitable for:

3346n-ent, 3366-ent, 3386-ent, 3347nwg-ent, 3387wg-ent, 3300-ent
