Motorola Netopia Embedded Software Handbook

Embedded software version 8.7.4
Administrator's Handbook
Motorola Netopia® Embedded Software Version 8.7.4
Enterprise Series Routers


Summary of Contents for Motorola Netopia Embedded Software

  • Page 1 Administrator’s Handbook Motorola Netopia® Embedded Software Version 8.7.4 Enterprise Series Routers...
  • Page 2 (such as translation, transformation or adaptation) without written permission from Motorola, Inc. Motorola reserves the right to revise this publication and to make changes in content from time to time without obligation on the part of Motorola to provide notification of such revision or change. Motorola provides this guide without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
  • Page 3: Table Of Contents

    Contents Chapter 1 — Introduction............1-1 What’s New in 8.7.4 ............1-1 Telnet-based Management..........1-2 Motorola Netopia® Telnet Menus........1-2 Motorola Netopia® Models..........1-3 Screen differences ..........1-3 Connecting through a Telnet Session....... 1-4 Configuring Telnet software........1-4 Navigating through the Telnet Screens......1-5 Chapter 2 —...
  • Page 4 Administrator’s Handbook Ethernet Switching/Policy Setup ......3-12 Associating Inter-VLAN Routing Groups ....3-17 Adding a RADIUS Profile ........3-18 Adding Port interfaces ........3-20 Changing or Deleting a VLAN....... 3-23 Changing or Deleting an Authentication Server Configuration ............. 3-24 Configuring additional Authentication Servers..3-25 VLAN Example ...........
  • Page 5 Contents MultiNAT Configuration ........... 4-6 Easy Setup Profile configuration ......4-6 Server Lists and Dynamic NAT configuration... 4-7 System Configuration ........... 4-7 Modifying map lists ..........4-12 Adding Server Lists............4-15 Modifying server lists ......... 4-18 Deleting a server ..........4-20 Binding Map Lists and Server Lists .......
  • Page 6 Administrator’s Handbook Configuring a Dial-Up Networking profile ....5-21 Windows XP Client Configuration ......5-23 Connecting using Dial-Up Networking....5-23 Allowing VPNs through a Firewall ........5-23 PPTP example............ 5-24 ATMP example ........... 5-27 Windows Networking Broadcasts........5-30 Chapter 6 — Internet Key Exchange for VPNs ......6-1 Overview ...............
  • Page 7 Contents Connection Profiles ............7-30 Multicast Forwarding............ 7-32 Virtual Router Redundancy (VRRP) ...... 7-34 Additional LANs ..........7-38 Chapter 8 — Line Backup ............8-1 Configuring Backup ............8-1 Connection Profiles ............8-2 IP Setup .............. 8-6 WAN Configuration ............8-7 Backup Configuration screen ........
  • Page 8 viii Administrator’s Handbook Telnet Tiered Access – Two Password Levels ....10-1 UPnP Support............ 10-2 Superuser configuration ........10-3 Limited user configuration ........10-3 Advanced Security Options ........... 10-5 RADIUS server authentication ......10-6 TACACS+ server authentication......10-7 Warning alerts ........... 10-8 User access password ........
  • Page 9 Network problems..........A-2 How to Reset the Router to Factory Defaults....A-2 Power Outages .............. A-3 Technical Support ............A-3 Before contacting Motorola........A-3 Environment profile ..........A-3 How to reach us ..........A-4 Online product information ........A-4 Index...
  • Page 11: What's New In 8.7.4

    Quickstart Guide and the Getting Started Guide. You should read the Quickstart Guide and the Getting Started Guide before reading this Administrator’s Handbook. What’s New in 8.7.4 New in Motorola Netopia® Embedded Software Version 8.7.4 are the following features: • Specify Source Address of Outbound Router Traffic. See “Enhanced Dead Peer Detection”...
  • Page 12: Telnet-Based Management

    1-2 Administrator’s Handbook Telnet-based Management Telnet-based management is a fast menu-driven interface for the capabilities built into Motorola Netopia® Embedded Software Version 8.7.4. Telnet-based management provides access to a wide variety of features that the Router supports. You can customize these features for your individual setup. This chapter describes how to access the Telnet-based management screens.
  • Page 13: Motorola Netopia® Models

    “Quick View Status Overview” on page 9-1. Motorola Netopia® Models This Administrator’s Handbook covers all of the Motorola Netopia® ENT Enterprise-Series Router models. However, some information in this guide will only apply to a specific model. Screen differences Because different Motorola Netopia® ENT Enterprise-Series models offer many different features and interfaces, the options shown on some screens in this Administrator’s Handbook may not appear on your own...
  • Page 14: Connecting Through A Telnet Session

    1-4 Administrator’s Handbook Connecting through a Telnet Session Features of Motorola Netopia® Embedded Software Version 8.7.4 can be configured through the Telnet screens. Before you can access the console screens through Telnet, you must have: • A network connection locally to the Router or IP access to the Router.
  • Page 15: Navigating Through The Telnet Screens

    Introduction 1-5 Navigating through the Telnet Screens Use your keyboard to navigate the Motorola Netopia® Embedded Software Version 8.7.4’s configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the Telnet screens.
  • Page 17: Wan Configuration

    WAN Configuration 2-1 Chapter 2 WAN Configuration This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s connection profile configuration. This section covers the following topics: •...
  • Page 18 2-2 Administrator’s Handbook WAN Ethernet Configuration Address Translation Enabled: Obtain WAN address via DHCP: NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: Filter Set... Remove Filter Set WAN Ethernet Speed Setting... Auto-Negotiation Wan Ethernet MAC Address: 00:0f:cc:0b:9d:ce DHCP Client Mode: Standards-Based...
  • Page 19 • The Wan Ethernet MAC Address is the hardware address of the Motorola Netopia® device. Some service providers require a specific MAC address as part of their authentication process. In such a case, you can enter the MAC address that your service provider requires.
  • Page 20: Adsl Line Configuration Screen

    Receive RIP set to “v1,” the Motorola Netopia Router’s Ethernet port will accept routing information provided by RIP packets from other routers that use the same subnet mask. Set to “v2,” the Motorola Netopia® Embedded Software Version 8.7.4 will accept routing information provided by RIP packets from other routers that use different subnet masks.
  • Page 21 On ADSL WAN interfaces, the Asynchronous Transfer Mode (ATM) connection between the router and the central office equipment (DSLAM) is divided logically into one or more virtual circuits (VCs). A virtual circuit may be either a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). Motorola Netopia® Routers support PVCs.
  • Page 22 fields, respectively. • The Peak Cell Rate field is editable. Motorola Netopia® Embedded Software Version 8.7.4 supports three ATM classes of service for data connections: Unspecified Bit Rate (UBR), Constant Bit Rate (CBR), and Variable Bit Rate (VBR). You can configure these classes of service on a per VC basis. The...
  • Page 23 WAN Configuration 2-7 default ATM class of service is UBR. Quality of Service (QoS) settings Note: QoS settings are not available on Ethernet-to-Ethernet WAN models. • Select the QoS (Quality of Service) setting from the pop-up menu: UBR, CBR, or VBR. UBR: No configuration is needed for UBR VCs.
  • Page 24: Creating A New Connection Profile

    2-8 Administrator’s Handbook Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will automatically statically bind according to pre-defined dynamic binding rules when you add the second VC. It will revert back to dynamic binding if the number of VCs is reduced to one; for example, by deleting previously defined VCs.
  • Page 25 WAN Configuration 2-9 Main Add Connection Menu Profile Configuration The Add Connection Profile screen appears. Add Connection Profile Profile Name: Profile 1 Profile Enabled: Encapsulation Type... RFC1483 RFC1483 Mode... Bridged 1483 IP Profile Parameters... COMMIT CANCEL Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new Conn.
  • Page 26 2-10 Administrator’s Handbook • If you selected PPP or RFC1483, the screen offers different options: Add Connection Profile Add Connection Profile Profile Name: Profile 1 Profile Name: Profile 1 Profile Enabled: Profile Enabled: Encapsulation Type... +--------------+ Encapsulation Type... +--------------+ Underlying Encapsulation... None RFC1483 Mode...
  • Page 27 WAN Configuration 2-11 Datalink (PPP/MP) Options Datalink (PPP/MP) Options Data Compression... Standard LZS Data Compression... Standard LZS Send Authentication... Send Authentication... Send User Name: Send User Name: Send Password: Send Password: Receive User Name: Receive User Name: Receive Password: Receive Password: Dial on Demand: Idle Timeout (seconds): •...
  • Page 28 2-12 Administrator’s Handbook IP Profile Parameters Address Translation Enabled: IP Addressing... Numbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0 Filter Set... Remove Filter Set RIP Profile Options...
  • Page 29 Receive RIP set to “v1,” the Motorola Netopia Router’s Ethernet port will accept routing information provided by RIP packets from other routers that use the same subnet mask. Set to “v2,” the Motorola Netopia® Embedded Software Version 8.7.4 will accept routing information provided by RIP packets from other routers that use different subnet masks.
  • Page 30 If your ISP is using PPPoE, the connection will be made normally. If your ISP is using PPPoA, when the Motorola Netopia® Gateway detects this, it will automatically switch to PPPoA transparently. Return to the Add Connection Profile screen by pressing Escape.
  • Page 31: Advanced Connection Options

    Screens shown in this section may vary from what your particular model displays. Configuration Changes Reset WAN Connection The menu supports delaying some configuration changes until after the Motorola Netopia® Router is restarted. If your Motorola Netopia® Router is preconfigured by your service provider, or if you are not remotely configuring...
  • Page 32: Scheduled Connections

    2-16 Administrator’s Handbook Advanced Connection Options +----------------------------------------------------+ +----------------------------------------------------+ | The Router will now be restarted to allow this | feature to function properly. | Are you sure you want to do this? CANCEL CONTINUE +----------------------------------------------------+ Toggling from Yes to No makes the router ready to be configured. If you toggle from No to Yes after any configuration changes have been entered (and confirm the reboot), your changes are committed and the router comes up using the newly created configuration.
  • Page 33 WAN Configuration 2-17 Scheduled Connections Display/Change Scheduled Connection... Add Scheduled Connection... Delete Scheduled Connection... Navigate from here to add/modify/change/delete Scheduled Connections. Viewing scheduled connections To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table. Scheduled Connections +-Days----Begin At---HH:MM---When----Conn.
  • Page 34 2-18 Administrator’s Handbook • The time of day that the connection will Begin At • The duration of the connection (HH:MM) • Whether it’s a recurring Weekly connection or used Once Only • Which connection profile (Conn. Prof.) is used to connect •...
  • Page 35 WAN Configuration 2-19 • Demand-Allowed, meaning that this schedule will permit a demand call on the line. • Demand-Blocked, meaning that this schedule will prevent a demand call on the line. • Periodic, meaning that the connection is retried several times during the scheduled time. •...
  • Page 36 2-20 Administrator’s Handbook 1:3 (or 1:03) would be accepted as 3 minutes after one o’clock. The entry 7:0 (or 7:00) would be accepted as seven o’clock, exactly. The entries 44, :5, and 2: would be rejected. • Select AM or PM and choose AM or PM from the pop-up menu. •...
  • Page 37: Backup Configuration

    WAN Configuration 2-21 Note: You must enter the time in the format H:M, where H is a one- or two-digit number representing the hour and M is a one- or two-digit number representing the minutes. The colon is mandatory. For example, the entry 1:3 (or 1:03) would be accepted as 3 minutes after one o’clock.
  • Page 38: Diffserv Options

    2-22 Administrator’s Handbook Diffserv Options Motorola Netopia® Embedded Software Version 8.7.4 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Router to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network. For example, you may want streaming video conferencing to use high quality, but more restrictive, connections, or, you might want e-mail to use less restrictive, but less reliable, connections.
  • Page 39 Much of the benefit of DiffServ is a cumulative one observed as packets traverse the nodes on a network from endpoint to endpoint. A small improvement in the latency distribution for the flow through a single network node (such as a Motorola®...
  • Page 40 2-24 Administrator’s Handbook bandwidths from 20 kbps to 90 kbps, depending on the CODEC setting – compared to the total throughput bandwidth of the Gateway and the network. There will usually be fewer than two or three packets pending in the Gateway in any queue in the Gateway during the conversation.
  • Page 41: Priority Queuing (Tos Bit)

    Priority Queuing (TOS bit) Motorola Netopia® Embedded Software Version 8.7.4 offers the ability to prioritize delay-sensitive data over the WAN link on DSL connections. Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network.
  • Page 42: Vrrp Options (Wan Link Failure Detection)

    Beginning with Software Version 8.5.1, the software offers VRRP Options to detect Layer 3 link failures on the WAN. When you enable this feature, the Motorola Netopia® Router will continuously Ping one or two hosts that you specify to determine when a link fails, even if the physical connection remains established. If Layer 3 WAN...
  • Page 43 WAN Configuration 2-27 VRRP Options WAN Link Failure Detection: Ping Enable: Return/Enter accepts * Tab toggles * ESC cancels. Toggle Ping Enable to On and press Return. The Ping settings options appear. VRRP Options WAN Link Failure Detection: Ping Enable: Ping Host Name or IP Address #1: Ping Host Name or IP Address #2: Delay (s):...
  • Page 45: System Configuration Features

    The Motorola Netopia Router’s default settings may be all you need to configure. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, Motorola Netopia® Embedded Software Version 8.7.4 provides many advanced system configuration options.
  • Page 46: Ip Setup

    3-2 Administrator’s Handbook System Configuration IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)... Stateful Inspection... VLAN Configuration... Date and Time... Wireless Configuration... Console Configuration SNMP (Simple Network Management Protocol)... Security... Upgrade Feature Set... Router/Bridge Set... Router IGMP (Internet Group Management Protocol)... Logging...
  • Page 47: Stateful Inspection

    System Configuration 3-3 Stateful Inspection Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. Stateful inspection can be enabled on a Connection Profile whether NAT is enabled or not. You can configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface.
  • Page 48 3-4 Administrator’s Handbook Stateful Inspection UDP no-activity timeout (sec): TCP no-activity timeout (sec): 14400 Add Exposed Address List... Exposed Address Associations... Return/Enter goes to new screen. Return/Enter to configure Xposed IP addresses. The Add Exposed Address List screen appears. Add Exposed Address List Exposed Address List Name: xposed_list_1 Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  • Page 49 System Configuration 3-5 Add Exposed Address List Exposed Address List Name: xposed_list_1 Add Exposed Address Range... Return/Enter goes to new screen. Select Add Exposed Address Range and press Return. The Exposed Address Range screen appears. Add Exposed Address Range ("xposed_list_1") First Exposed Address: 0.0.0.0 Last Exposed Address:...
  • Page 50 3-6 Administrator’s Handbook Add Exposed Address Range ("xposed_list_1") First Exposed Address: 192.168.1.10 Last Exposed Address: +-------------+ +-------------+ Protocol... | TCP and UDP | | TCP | UDP | ANY +-------------+ ADD EXPOSED ADDRESS RANGE CANCEL Add Exposed Address Range ("xposed_list_1") First Exposed Address: 192.168.1.10 Last Exposed Address:...
  • Page 51: Exposed Address Associations

    System Configuration 3-7 You can edit or delete exposed address lists by selecting Show/Change Exposed Address List or Delete Exposed Address List. A list of previously configured exposed addresses appears. This allows you to select an exposed address list for editing or deletion. Add Exposed Address List +------Exposed Address Range---------Protocol-------------------+ +---------------------------------------------------------------+...
  • Page 52 3-8 Administrator’s Handbook IP Profile Parameters Address Translation Enabled: IP Addressing... Numbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0 Filter Set... Remove Filter Set RIP Profile Options...
  • Page 53 System Configuration 3-9 Stateful Inspection Parameters Max. TCP Sequence Number Difference: Enable default mapping to router: Deny Fragmented Packets: Exposed Address List... Enter max. allowed TCP sequence number difference (1 - 65535), 0 to disable. • Max. TCP Sequence Number Difference: Enter a value in this field. This value represents the maximum sequence number difference allowed between subsequent TCP packets.
  • Page 54 3-10 Administrator’s Handbook Stateful Inspection Parameters +Exposed Address List N+ +----------------------+ Max. TCP Sequ| xposed_list_1 | <<None>> Enable defaul| Deny Fragment| Exposed Addre| +----------------------+ Up/Down Arrows to select, then Return/Enter; ESC to cancel. Open ports in default Stateful Inspection installation Port Protocol Description...
  • Page 55: Vlan Configuration

    (QoS). In effect, a single Motorola gateway acts as separate virtual gateways for each distinct service being delivered.
  • Page 56: Ethernet Switching/Policy Setup

    3-12 Administrator’s Handbook Ethernet Switching/Policy Setup Before you configure any VLANs, an unconfigured Gateway is set up as a router composed of a LAN switch, a WAN switch, and a router in the middle, with LAN and WAN IP interfaces connected to their respective switches. These bindings between Ethernet switch ports, IP LAN interface, IP WAN interface and WAN physical ports are automatically created.
  • Page 57 System Configuration 3-13 An example of multiple VLANs, using a Netopia Router with VGx managed switch technology, is shown below: A VLAN Model Combining Bridging and Routing...
  • Page 58 3-14 Administrator’s Handbook To configure VLANs, select VLAN Configuration in the System Configuration screen and press Return. The VLAN Configuration screen appears. VLAN Configuration VLAN Enable: Set Up VLAN from this and the following Menus. Toggle VLAN Enable to On and press Return. The Add VLAN selection appears.
  • Page 59 System Configuration 3-15 The Add VLAN screen appears. Add VLAN... VLAN ID (1-4094): VLAN Type... port-based VLAN Name: VLAN Network: <None> Inter-VLAN-Routing... 802.1x: Once a VLAN has been successfully added, configure ports using the "Add Port Interface" option of the "Display/Change VLAN" menu. ADD VLAN CANCEL Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  • Page 60 802.1x – This option is only available for Router models with VGx technology. Otherwise, it does not appear. If you are configuring a VLAN for a Motorola Netopia® Router model with VGx technology (wired or wireless), you can specify a RADIUS server for user authentication by toggling 802.1x to Yes. See “Adding...
  • Page 61: Associating Inter-Vlan Routing Groups

    System Configuration 3-17 Associating Inter-VLAN Routing Groups Note: You must first ADD the VLAN before associating the Inter-VLAN-Routing Groups or the Port Interfaces. Once you have added the VLAN, you access the Inter-VLAN-Routing screen and the Add Port Interface screen by selecting Display/Change VLAN from the VLAN Configuration screen.
  • Page 62: Adding A Radius Profile

    3-18 Administrator’s Handbook Adding a RADIUS Profile • Authentication Profile – If you toggle 802.1x to Yes, this option displays. Select Authentication Profile and press Return. If you have RADIUS server profiles already defined, the pop-up menu allows you to select one for use with this VLAN.
  • Page 63 System Configuration 3-19 Add Server Profile Profile Name: Authentication Profile 1 Remote Server Addr/Name: Remote Server Secret: Alt Remote Server Addr/Name: Alt Remote Server Secret: RADIUS Identifier: RADIUS Server Authentication Port: 1812 ADD PROFILE CANCEL Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new RADIUS or TACACS profile.
  • Page 64: Adding Port Interfaces

    Once you have created a VLAN entry you must associate it with a port interface. This interface may be either a physical port, such as USB or Ethernet, or a Network ID (SSID) of a wireless LAN. If you have a Motorola ®...
  • Page 65 The Add Port Interface screen appears. The Add Port Interface screen varies depending on the types of ports available on your Motorola Netopia® Router. (The example below shows the four Ethernet ports, four wireless SSIDs, and the Easy Setup Connection Profile that was created in your initial configuration of a 4-port wireless VGx model.)
  • Page 66 3-22 Administrator’s Handbook • TOS-Priority – Use any 802.1p priority bits in the VLAN header to prioritize packets within the Gateway’s internal queues, according to DiffServ priority mapping rules. See “Diffserv Options” on page 2-22 for more information. • IPTOS-Promote – Write any 802.1p priority bits into the IP-TOS header bit field for received IP packets on this port destined for this VLAN.
  • Page 67: Changing Or Deleting A Vlan

    System Configuration 3-23 Changing or Deleting a VLAN You can change or delete a VLAN by returning to the VLAN Configuration screen and selecting Display/Change VLAN or Delete VLAN. In either case, select the VLAN that you want to change or delete from the pop-up menu, and press Return.
  • Page 68: Changing Or Deleting An Authentication Server Configuration

    3-24 Administrator’s Handbook Changing or Deleting an Authentication Server Configuration You can change or delete a RADIUS or TACACS server profile by returning to the VLAN Configuration screen and selecting Authentication Server Configuration, then Display/Change Server Profile or Delete Server Profile. In either case, select the Server Profile that you want to change or delete from the pop-up menu, and press Return.
  • Page 69: Configuring Additional Authentication Servers

    System Configuration 3-25 Configuring additional Authentication Servers You can configure additional (or your first) Authentication Server from the main VLAN Configuration screen. VLAN Configuration Display/Change VLAN... Add VLAN... Delete VLAN... Authentication Server Configuration... Set Up VLAN from this and the following Menus. Select Authentication Server Configuration and press Return.
  • Page 70 3-26 Administrator’s Handbook Add Server Profile Profile Name: Authentication Profile 2 Remote Server Addr/Name: Remote Server Secret: Alt Remote Server Addr/Name: Alt Remote Server Secret: RADIUS Identifier: RADIUS Server Authentication Port: 1812 ADD PROFILE CANCEL Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new RADIUS or TACACS profile.
  • Page 71: Vlan Example

    System Configuration 3-27 VLAN Example The following is a simple example of how you might configure some VLANs: You want to configure a 3347NWG-VGx Gateway with two SSIDs (see “Multiple SSIDs” on page 3-45 for more information) for two VLANs, allowing both access to the Internet, which will be via a third VLAN. •...
  • Page 72 3-28 Administrator’s Handbook Enter a VLAN ID (1 – 4094) and enter the VLAN Name you would like. Add VLAN... VLAN ID (1-4094): VLAN Type... port-based VLAN Name: Network A VLAN Network: <None> Inter-VLAN-Routing... 802.1x: Once a VLAN has been successfully added, configure ports using the "Add Port Interface"...
  • Page 73 System Configuration 3-29 Then select Inter-VLAN-Routing. The Inter-VLAN-Routing screen appears. Inter-VLAN-Routing VLAN Group-1 Enabled: VLAN Group-2 Enabled: VLAN Group-3 Enabled: VLAN Group-4 Enabled: VLAN Group-5 Enabled: VLAN Group-6 Enabled: VLAN Group-7 Enabled: VLAN Group-8 Enabled: Toggle VLAN Group-1 Enabled to On and press Return. Press Escape to return to the previous screen. Select Add Port Interface and press Return.
  • Page 74 3-30 Administrator’s Handbook Add Port Interface... +-NAME-----------------TYPE----+ +------------------------------+ Port Interface... | Eth 0/1 Port | Eth 0/2 Port TOS-Priority: | Eth 0/3 Port IPTOS-Promote: | Eth 0/4 Port | SSID 1 Port | SSID 2 Port | SSID 3 Port | SSID 4 Port | Easy Setup Profile...
  • Page 75 System Configuration 3-31 In the Add VLAN screen, create your second VLAN. Add VLAN... VLAN ID (1-4094): VLAN Type... port-based VLAN Name: Network B VLAN Network: Primary LAN Inter-VLAN-Routing... 802.1x: Once a VLAN has been successfully added, configure ports using the "Add Port Interface"...
  • Page 76 3-32 Administrator’s Handbook 11. Select Inter-VLAN-Routing and press Return. Toggle VLAN Group-2 Enabled to On and press Return. Since we do not want this VLAN to communicate with the other LAN ports, it must be made part of a different Inter-VLAN-Routing group, Group-2. Inter-VLAN-Routing VLAN Group-1 Enabled: VLAN Group-2 Enabled:...
  • Page 77 System Configuration 3-33 In the Add Port Interface screen, you add the Port Interfaces you want associated with this VLAN. Add Port Interface... +-NAME-----------------TYPE----+ +------------------------------+ Port Interface... | Eth 0/1 Port | Eth 0/2 Port TOS-Priority: | Eth 0/3 Port IPTOS-Promote: | Eth 0/4 Port...
  • Page 78 3-34 Administrator’s Handbook 14. Next, create a VLAN to provide the Inter-VLAN-Routing Groups access to the Internet (WAN). Add VLAN... VLAN ID (1-4094): VLAN Type... port-based VLAN Name: WAN VLAN VLAN Network: <None> Inter-VLAN-Routing... 802.1x: Once a VLAN has been successfully added, configure ports using the "Add Port Interface"...
  • Page 79 System Configuration 3-35 15. In the VLAN Configuration screen select Display/Change VLAN, and from the pop-up menu select WAN VLAN (which you have just created). For Inter-VLAN-Routing, toggle VLAN Group-1 Enabled and VLAN Group-2 Enabled to On and press Return. Inter-VLAN-Routing VLAN Group-1 Enabled: VLAN Group-2 Enabled:...
  • Page 80 Return/Enter to Add Port Interface to VLAN. Members of Groups 1 and 2 will now be able to communicate with the Internet (WAN), but not with each other. 17. Once you have finished with the VLAN configuration restart the Motorola Netopia® Router.
  • Page 81: Date And Time

    Toggle this field to Off to manually set the time and date; the options in this screen will change to allow you to manually enter the time and date parameters. Motorola Netopia® Embedded Software Version 8.7.4 updates timestamps reported in the system logs with new timestamps as these are updated via NTP.
  • Page 82: Wireless Configuration

    3-38 Administrator’s Handbook Select a System Date Format; the options are MM/DD/YY, DD/MM/YY, and YY/MM/DD, where M is month, D is day, and Y is year. Select a System Time Format, either AM/PM or 24hrs. Press Escape to return to the System Configuration menu. Note: NTP can be blocked by some firewall configurations.
  • Page 83 • Continuous performs the at-startup scan, and will continuously monitor the current channel for any other Access Point activity. If Access Point activity is detected on the same channel, the Motorola Netopia® Router will initiate a scan of the other channels, locate a less active one, and switch. Once it has switched, it will remain on this channel for at least 30 minutes before switching again if a new Access Point is detected.
  • Page 84: Wireless Multimedia (Wmm)

    In addition, if you have enabled WEP encryption on the Motorola Netopia® Gateway, your network clients must also have WEP encryption enabled, and must have the same WEP encryption key as the Motorola Netopia® Gateway. Once the Motorola Netopia® Gateway is located by a client computer, by setting the client to a matching SSID, the client can connect immediately if WEP is not enabled.
  • Page 85: Enable Privacy

    System Configuration 3-41 Wireless LAN Configuration Enable Wireless: SSID: 0271 1000 Block Wireless Bridging: Channel... AutoChannel... +------------+ Closed System... +------------+ Wireless Multimedia (WMM)... | Off Enable Privacy... | diffserv +------------+ Wireless Multiple SSID Setup... MAC Address Authentication... To enable the Wireless Multimedia custom settings, select diffserv from the pull-down menu. Enable Privacy By default, Enable Privacy is set to Off.
  • Page 86 3-42 Administrator’s Handbook Wireless LAN Configuration Enable Wireless: SSID: 0271 1000 Block Wireless Bridging: Channel... AutoChannel... Closed System... Open Enable Privacy... WPA - PSK (Pre-Shared Key) Pre Shared Key: Wireless Multiple SSID Setup... MAC Address Authentication... Select an 8 to 63 character passphrase. At least 20 is ideal for best security. •...
  • Page 87 System Configuration 3-43 • WPA Version 1, for backward compatibility, • WPA Version 2, for maximum security. All clients must support the version(s) selected in order to successfully connect. Wireless LAN Configuration Enable Wireless: SSID: 7101 3245 Block Wireless Bridging: Channel...
  • Page 88 3-44 Administrator’s Handbook You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same length, in the identical slot (1 – 4) as the Gateway, in order to successfully receive and decrypt the traffic.
  • Page 89: Multiple SSIDs

    256bit: 592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C Multiple SSIDs • Wireless Multiple SSID Setup: This feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network. To enable it, select Wireless Multiple SSID Setup and press Return. The Multiple SSID Configuration screen appears.
  • Page 90 You can then specify a Privacy mode for each one from the pop-up menu. Privacy modes available from the pull-down menu for the multiple SSIDs are: WPA-PSK, WPA-802.1x, or Off. Multiple SSID Configuration Enable Multiple SSIDs: Second SSID: GameRoom Enable Privacy...
  • Page 91: MAC Address Authentication

    MAC Address Authentication Enhanced in Software Version 8.5, MAC Address Authentication allows you to specify which client PCs are allowed to join the LAN by specific hardware address. Once it is enabled, only entered MAC addresses that have been set to Allow will be accepted onto the LAN.
  • Page 92 • Allow only specified addresses - limits access to only those addresses that you enter. • Deny only specified addresses - prevents access from only those addresses that you enter. If you want to apply MAC Authentication to addresses on the wired LAN as well as the wireless LAN, toggle Wireless Only to No.
  • Page 93: Console Configuration

    You can continue to Add, Change, or Delete addresses to the list by selecting the respective menu options. Console Configuration For those models with a console port, if you are communicating with the Motorola Netopia® Router via a terminal emulator application, you can change the default terminal communications parameters to suit your requirements.
  • Page 94: SNMP (Simple Network Management Protocol)

    Router by adding new feature sets through the Upgrade Feature Set utility. See the release notes that came with your Router or feature set upgrade, or visit the Motorola Web site at www.netopia.com for information on new feature sets, how to obtain them, and how to install them on your...
  • Page 95: Router/Bridge Set

    DSL Routers, this feature allows you to turn off the routing features and use your device as a bridge. It is not an option for Ethernet WAN models. Motorola Netopia® Embedded Software Version 8.7.4 further allows you to choose to have the Router both bridge and route IP traffic. If you select either option, the device will restart itself, and reset all the settings to factory defaults.
  • Page 96: IGMP (Internet Group Management Protocol)

    field or sending out company newsletters to a distribution list. Since a router should not be used as a passive forwarding device, Motorola Netopia® Routers use a protocol for forwarding multicasting: Internet Group Management Protocol (IGMP).
  • Page 97 You can set the following options: • IGMP Snooping – toggling this option to On enables the Motorola Netopia® Router to “listen in” to IGMP traffic. The Router discovers multicast group membership for the purpose of restricting multicast transmissions to only those ports which have requested them. This helps to reduce overall network traffic from streaming media and other bandwidth-intensive IP multicast applications.
  • Page 98 • Query Response Interval (deci-sec) – the maximum amount of time in tenths of a second that the IGMP router waits to receive a response to a General Query message. The default query response interval is 10 seconds and must be less than the query interval.
  • Page 99: Logging

    • Last Member Query Count – the number of Group-Specific Query messages sent before the router assumes that there are no members of the host group being queried on this interface. The default last member query count is 2. •...
  • Page 100: Log Event Dispositions

    • The following three fields allow you to log exceptions based on your filter policies: • Filter Violations, • Accepted Packets, and • Access Attempts. See “About Filters and Filter Sets” on page 10-20 for more information. You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in the Logging Configuration screen.
  • Page 101 Message format Protocol:<TCP/UDP> srcIP: <value> dstIP: <value> srcPort: <value> dstPort: <value> <reason-string> Protocol:<ICMP> srcIP: <value> dstIP: <value> type:<value> code:<value> <reason-string> Protocol:<value> srcIP: <value> dstIP: <value> <reason-string> The following syslog messages may be generated by the Router based on system-events: permitted attempt administrative access authenticated and allowed...
  • Page 102 The following syslog messages may be generated by the router if WAN Event Log Options are enabled: Device Restarted EN: IP up, WAN 1, gateway: <IP Address> local: <IP Address> Received NTP Date and Time [mon][dd][hh][mm][ss][year] NTP configuration has been changed System Date/Time configuration changed PPP: IPCP negotiated, session [sessionID], rem: [IP Address] local: [IP Address] RFC1483-[ID]: IP up, gateway: [IP Address] local: [IP Address]...
  • Page 103 33. PPPOE: PADS Received 34. PPPOE: PADT Received 35. PPPOE: PADT Sent 36. PPPOE: Discovery state started profile [Profile Name] 37. PPPOE: Session state started profile [Profile Name] 38. PPPoE: Auth. Failed with Server: [Server] 39. PPTP: IP up, rem: [IP Address], via: [IP Address] tunnel id: [ID] 40.
  • Page 104: Procedure for Default Installation for ICSA Firewall Certification of Small/Medium Business Category Module (ADSL Routers)

    66. IKE: phase 1 auth failure sg [IP Address] profile [Name], sg [IP Address] code [code] 67. IKE: phase 1 resend timeout sg [IP Address] profile [Name], sg [IP Address] 68. IKE: phase 1 complete sg [IP Address] profile [Name], sg [IP Address] 69.
  • Page 105 Choose None as the value for Underlying Encapsulation… Local WAN IP Address and Local WAN IP Mask can be left at 0.0.0.0 if WAN interface can receive IP Address from a DHCP server Select NEXT SCREEN Primary Domain Name Server and Secondary Domain Name Server can be left at 0.0.0.0, if dynamic address is used on WAN 10.
  • Page 106 g. Escape once back to the Add Connection Profile screen. h. Press Enter on COMMIT to save this profile 10. Select Display/Change Connection Profile... and press Enter on the VPN profile you have just created. 11. Set Profile Enabled: to Yes 12.
  • Page 107 a. Set Syslog Enabled to Yes b. Set Hostname or IP Address to the Syslog Server c. Facility… can be changed (default to Local 0) d. Set Log Filter Violations to Yes - this will log packets that are dropped by the Router due to violations e.
  • Page 109: Chapter 4 - Multi-NAT

    To help you understand some of the concepts discussed here, it may be helpful to introduce some NAT terminology. The term mapping refers to rules that associate one or more private addresses on the Motorola Netopia® Router’s LAN to one or more public addresses on the Motorola Netopia® Router’s WAN interface (typically the...
  • Page 110: Features

    IP address to which you would like to provide access. You may also define a specific public IP address to use for this service if you want to use an IP other than the WAN IP address of the Motorola Netopia® Router.
  • Page 111 If a host on the private network initiates a connection to the Internet, for example, the Motorola Netopia® Router automatically sets up a one-to-one mapping of that host’s private IP address to one of the public IP addresses allocated to be used for Dynamic NAT.
  • Page 112: WAN Network

    All NAT configurations are rule-based. This means that traffic passed through NAT from either the public or the private network is compared to the rules and mappings configured in the Motorola Netopia® Router in a particular order. The first rule that applies to the traffic being initiated is used.
  • Page 113: Supported Traffic

    Support for AOL Instant Messenger (AIM) File Transfer Motorola Netopia® Embedded Software Version 8.7.4 provides Application Level Gateway (ALG) support for AOL Instant Messenger (AIM) file transfer. This allows AIM users to exchange files, even when both users are behind NAT.
  • Page 114: MultiNAT Configuration

    Currently there is a restriction that the remote user must be routed to via the WAN interface, otherwise the connections will fail. There is no restriction as to the number of connections. There is no user configuration required for this feature. MultiNAT Configuration You configure the MultiNAT features through the Telnet menu: •...
  • Page 115: Server Lists and Dynamic NAT Configuration

    Server Lists and Dynamic NAT configuration You use the advanced NAT feature sets by first defining a series of mapping rules and then grouping them into a list. There are two kinds of lists -- map lists, made up of dynamic, PAT and static mapping rules, and server lists, a list of internal services to be presented to the external world.
  • Page 116 System Configuration IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)... Stateful Inspection... VLAN Configuration... Date and Time... Wireless Configuration... Console Configuration SNMP (Simple Network Management Protocol)... Security... Upgrade Feature Set... Router/Bridge Set... Router IGMP (Internet Group Management Protocol)... Logging...
  • Page 117 NAT rules The following rules apply to assigning NAT ranges and server lists: • Static public address ranges must not overlap other static, PAT, public addresses, or the public address assigned to the Router’s WAN interface. • A PAT public address must not overlap any static address ranges. It may be the same as another PAT address or server list address, but the port range must not overlap.
  • Page 118 • If you choose static as the range type, a new menu item, First Public Address, becomes visible. Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range. •...
  • Page 119 Add NAT Map ("my_map") First Private Address: 192.168.1.1 Last Private Address: 192.168.1.254 Use NAT Public Range... ADD NAT MAP CANCEL • Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
  • Page 120: Modifying Map Lists

    If none of your preconfigured ranges are suitable for this mapping, you can select <<NEW RANGE>> and create a new range. If you choose <<NEW RANGE>>, the Add NAT Public Range screen displays and you can create a new public range to be used by this map. See Add NAT Public Range on page 4-9.
  • Page 121 Network Address Translation +-NAT Map List Name--+ +--------------------+ Add Out| Easy-PAT List Show/Ch| my_map Delete | Add Map| Show/Ch| Delete | Add Ser| Show/Ch| Delete | NAT Ass| +--------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. The Show/Change NAT Map List screen appears.
  • Page 122 Show/Change NAT Map List +---Private Address Range---------Type----Public Address Range------------+ +-------------------------------------------------------------------------+ | 192.168.1.1 192.168.1.254 206.1.1.6 | 192.168.1.253 192.168.1.254 static 206.1.1.1 206.1.1.2 | 192.168.1.1 192.168.1.252 dynamic 206.1.1.3 206.1.1.5 +-------------------------------------------------------------------------+ Scroll to the map you want to modify using the arrow keys and press Return. The Change NAT Map screen appears.
  • Page 123: Adding Server Lists

    Adding Server Lists Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list.
  • Page 124 Add NAT Server ("my_servers") External Service... Server Private IP Address: 0.0.0.0 Public IP Address: 0.0.0.0 Protocol... TCP and UDP Internal Port Start: ADD NAT SERVER CANCEL Return/Enter to select <among/between> ... • Select External Service and press Return. A pop-up menu appears listing a selection of commonly exported services.
  • Page 125 Router. If you want to use static mappings to map internal servers to public addresses, your ISP or corporate site's Router must also be configured for static routes to these public addresses on the Motorola Netopia® Router. •...
  • Page 126: Modifying Server Lists

    Note: In order to use CUSeeMe through the Motorola Netopia® Router, you must export the ports 7648 and 7649. In MultiNAT, you may use a port range export. Without the export, CUSeeMe will fail to work. This is true unless a static mapping is in place for the host using CUSeeMe.
  • Page 127 Network Address Translation +-NAT Server List Name-+ +----------------------+ A| my_servers +----------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. The Show/Change NAT Server List screen appears. Show/Change NAT Server List Server List Name: my_servers Add Server... Show/Change Server...
  • Page 128: Deleting A Server

    Show/Change NAT Server List +Private Address--Public Address---Port------------Protocol------+ +----------------------------------------------------------------+ | 192.168.1.254 206.1.1.1 smtp TCP and UDP | 192.168.1.254 206.1.1.2 TCP and UDP | 192.168.1.254 206.1.1.4 tftp | 192.168.1.254 206.1.1.3 gopher TCP and UDP | 192.168.1.254 206.1.1.5 timbuktu TCP and UDP +----------------------------------------------------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
  • Page 129: Binding Map Lists and Server Lists

    Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Motorola Netopia® Router models you must bind them to a profile, either a Connection Profile or the Default Profile. You do this in one of the following screens: •...
  • Page 130: IP Profile Parameters

    IP Profile Parameters Address Translation Enabled: IP Addressing... Numbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0 Remote IP Address: 127.0.0.2 Remote IP Mask: 255.255.255.255 Filter Set...
  • Page 131: IP Parameters (WAN Default Profile)

    fields’ visibility is dependent only on the IP Addressing type. IP Parameters (WAN Default Profile) The Motorola Netopia® Embedded Software Version 8.7.4 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile.
  • Page 132 IP Parameters (Default Profile) Address Translation Enabled: NAT Map List... Easy-PAT List NAT Server List... Easy-Servers Filter Set (Firewall)... Remove Filter Set Rip Options... Return/Enter accepts * Tab toggles * ESC cancels. • Toggle Address Translation Enabled to Yes. •...
  • Page 133: NAT Associations

    IP Parameters (Default Profile) +-NAT Server List Name-+ +----------------------+ | Easy-Servers | my_servers Address Trans| <<None>> NAT Map List.| |_first_map NAT Server Li| Filter Set (F| Remove Filter| Rip Options: | +----------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. •...
  • Page 134 NAT Associations Profile/Interface Name-------------Nat?-Map List Name-----Server List Name Default Answer Profile my_first_map my_servers Easy Setup Profile Easy-PAT my_servers Profile 01 my_second_map my_servers Profile 02 my_first_map my_server_list Profile 03 <<None>> <<None>> • You can toggle NAT? On or Off for each Profile/Interface name. You do this by navigating to the NAT? field associated with each profile using the arrow keys.
  • Page 135: IP Passthrough

    IP Passthrough Motorola Netopia® Embedded Software Version 8.7.4 offers an IP passthrough feature. The IP passthrough feature allows for a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.
  • Page 136 IP Profile Parameters Address Translation Enabled: IP Addressing... Numbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: Local WAN IP Address: 0.0.0.0 Local WAN IP Mask: 0.0.0.0 Filter Set... Remove Filter Set RIP Profile Options...
  • Page 137 ('0' – 'FF'). First Come First Serve Mode Motorola Netopia® Embedded Software Version 8.7.4 IP Passthrough allows a first come first serve mode. NAT Options defaults to an all-zeroes MAC address. If you leave the default all-zeroes MAC address, the Router will select the next DHCP client that initiates a DHCP lease request or renewal to be the IP passthrough host.
  • Page 138: MultiNAT Configuration Example

    A restriction Since both the router and the passthrough host will use the same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host.
  • Page 139 Main Menu → Easy Setup → Connection Profile Enter your ISP-supplied values as shown below. Connection Profile 1: Easy Setup Profile Underlying Encapsulation... None RFC1483 Mode... Bridged 1483 Address Translation Enabled: IP Addressing... Numbered Local WAN IP Address: 206.1.1.6 Local WAN IP Mask: 255.255.255.248 PREVIOUS SCREEN NEXT SCREEN...
  • Page 140 Main Menu → System Configuration → Network Address Translation (NAT) Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT.
  • Page 141 Add NAT Public Range Range Name: Static Range Type... static First Public Address: 206.1.1.1 Last Public Address: 206.1.1.5 ADD NAT PUBLIC RANGE CANCEL Return/Enter to commit changes. Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen.
  • Page 142 You do this through either the NAT Associations screen or the profile’s configuration screens. The PAT part of this example setup will allow any user on the Motorola Netopia® Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the outside world (for example, the Internet).
  • Page 143: Chapter 5 - Virtual Private Networks (VPNs)

    Computers can do the same thing; it's called Virtual Private Networks (VPNs). Equipped with a Motorola Netopia® Router, a single computer or private network (LAN) can establish a private connection with another computer or private network over the public network (Internet).
  • Page 144 Motorola Netopia® Embedded Software Version 8.7.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the Routers are said to be tunnelling through the public network (Internet).
  • Page 145 IP. ATMP is more efficient than PPTP for network-to-network tunnels. When used to initiate the tunnelled connection, the Router is called a PPTP Access Concentrator (PAC, in PPTP language), or a foreign agent (in ATMP language). When used to answer the tunnelled connection, the Motorola ®...
  • Page 146: About PPTP Tunnels

    This feature provides individuals at home, on the road, or in branch offices with a cost-effective and secure way to access resources on remote LANs connected to the Internet with Motorola Netopia® Routers. About PPTP Tunnels To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information...
  • Page 147 When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears. PPTP Tunnel Options PPTP Partner IP Address: 173.167.8.134 Tunnel Via Gateway: 0.0.0.0...
  • Page 148 MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Motorola Netopia® Router will start negotiating MS-CHAP-V2. If the gateway you are connecting to does not support MS-CHAP-V2, it will fall back to MS-CHAP-V1, or, if the gateway you are connecting to does not support MPPE at all, the PPP session will be dropped.
  • Page 149: About IPsec Tunnels

    IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. Motorola ®...
  • Page 150: L2TP Configuration

    L2TP configuration To define an L2TP tunnel, navigate to the Add Connection Profile menu from the Main Menu. Main Add Connection Menu Profile Configuration Add Connection Profile Profile Name: Profile 1 Profile Enabled: +-------------+ +-------------+ Encapsulation Type... | PPP Encapsulation Options...
  • Page 151 L2TP Tunnel Options L2TP Partner IP Address: 0.0.0.0 L2TP Tunnel Authentication: PPP Authentication: Data Compression... Standard LZS Send Host Name: Send Password: Receive Host Name: Receive Password: Initiate Connections: On Demand: Idle Timeout (seconds): Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). •...
  • Page 152: About GRE Tunnels

    Return. The tunnel Connection Profile will be activated. About GRE Tunnels Generic Routing Encapsulation (GRE) protocol is another form of tunneling that Motorola Netopia® routers support. A GRE tunnel is brought up when a valid GRE profile is installed, and brought down when the profile is disabled, or deleted.
  • Page 153 Add Connection Profile Profile Name: Profile 2 Profile Enabled: +-------------+ +-------------+ Encapsulation Type... | PPP Underlying Encapsulation... | ATMP | PPTP Encapsulation Options... | IPsec | L2TP | GRE IP Profile Parameters... +-------------+ Interface Group... Primary COMMIT CANCEL...
  • Page 154: VPN Force-All

    • Sequence Datagrams can also be left at the default No, unless you are otherwise instructed. Datagram sequencing is mainly needed if compression is being used. • You can enter a 32-bit Key of up to 10 digits (numbers only). The receiver can use this key to identify the source of the packet.
  • Page 155 [Figure: GRE profile example showing the GRE Profile Encapsulation Menu, the GRE Profile IP Parameters Menu, the System Configuration Menu and the Easy Setup Menu, with their Remote Tunnel End Point (some_IP_address), Remote Member (127.0.0.2), IP, Default Gateway (peer_tunnel_IP_address) and Static Route settings]
  • Page 156: About ATMP Tunnels

    About ATMP Tunnels To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them.
  • Page 157 • You can specify a Network Name. When the tunnel partner is another Motorola Netopia® Router, this name may be used to match against a Connection Profile. When the partner is an Ascend gateway in Gateway mode, then Network Name is used by the Ascend gateway to match a gateway profile.
  • Page 158: Encryption Support

    PPTP tunnel. Microsoft Windows NT Server provides MPPE encryption capability only when Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is enabled. Motorola Netopia® complies with this feature to allow MPPE only when MS-CHAP is negotiated. MS-CHAP and MPPE are user-selectable options in the PPTP Tunnel Options screen.
  • Page 159: MS-CHAP V2 and 128-Bit Strong Encryption

    • Motorola Netopia® Embedded Software Version 8.7.4 supports 128-bit (“strong”) encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Motorola Netopia® Routers you can optionally set 56-bit DES encryption.
  • Page 160: Vpn Quickview

    ATMP/PPTP Default Profile Answer ATMP/PPTP Connections: PPTP Configuration Options Receive Authentication... Data Compression... None • Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections or No (the default) if you do not. •...
  • Page 161: Dial-Up Networking for VPN

    In such a case, the Dial-Up Networking software is not required, since the Motorola Netopia® Router initiates the tunnel. This section is provided for users who may require the VPN client software for Dial-Up Networking in order to connect to an ISP who provides a PPTP account.
  • Page 162: Installing Dial-Up Networking

    Motorola Netopia Router. Note: For the latest information and tech notes on Dial-Up Networking and VPNs be sure to visit the Motorola Netopia® website at http://www.netopia.com and, for the latest software and release notes, the Microsoft website at http://www.microsoft.com.
  • Page 163: Creating A New Dial-Up Networking Profile

    Creating a new Dial-Up Networking profile A Dial-Up Networking profile is like an address book entry that contains the information and parameters you need for a secure private connection. You can create this profile by using either the Internet Connection Wizard or the Make New Connection feature of Dial-Up Networking.
  • Page 164 Windows 98 users select PPP: Windows 98, Windows NT Server, Internet In the Allowed network protocols area check TCP/IP and uncheck all of the other checkboxes. Note: Motorola Netopia®’s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols.
  • Page 165: Windows XP Client Configuration

    Click the OK button in this window and the next two windows. Windows XP Client Configuration From your Windows XP desktop, click on Start ---> My Network Places and select View Network Connections from the Network Tasks area. Click Create a New Connection in the Network Tasks area to start the New Connection Wizard.
  • Page 166: PPTP Example

    For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 must be allowed. Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for port 5150 must be allowed. Source ports are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both require a firewall to allow GRE bi-directionally.
  • Page 167 Change Input Filter 1 Enabled: Forward: Call Placement/Idle Reset: No Change Force Routing: Source IP Address: 0.0.0.0 Source IP Address Mask: 0.0.0.0 Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0 TOS: TOS Mask: Protocol Type: Source Port Compare...
  • Page 168 In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 =1723 Yes Yes | 0.0.0.0 0.0.0.0 Yes Yes | +-------------------------------------------------------------------------+ Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below.
  • Page 169: ATMP Example

    Change Output Filter 2 Enabled: Forward: Call Placement/Idle Reset: No Change Force Routing: Source IP Address: 0.0.0.0 Source IP Address Mask: 0.0.0.0 Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0 TOS: TOS Mask: Protocol Type: Return/Enter accepts * Tab toggles * ESC cancels.
  • Page 170 Change Input Filter 1 Enabled: Forward: Call Placement/Idle Reset: No Change Force Routing: Source IP Address: 0.0.0.0 Source IP Address Mask: 0.0.0.0 Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0 TOS: TOS Mask: Protocol Type: Source Port Compare... No Compare Source Port ID: Dest.
  • Page 171 In the Display/Change IP Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 =1723 Yes Yes | 0.0.0.0 0.0.0.0 Yes Yes | +-------------------------------------------------------------------------+ Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below.
  • Page 172: Windows Networking Broadcasts

    Enter the packet specific information for this filter. Windows Networking Broadcasts Motorola Netopia® software provides the ability to forward Windows Networking NetBIOS broadcasts. This is useful, for example, for a Virtual Private Network in which you want to be able to browse the remote network to which you are tunnelling, as part of your Windows Network Neighborhood.
  • Page 173 Example: LAN IP 192.168.1.0/24 LAN IP 192.168.2.0/24 Tunnel PC # A --------- Router A Router B --------- PC # B .100 .100 When PC #A sends a Windows networking broadcast it sends it with a destination IP 192.168.1.255. When Router A receives this broadcast it translates the destination of this broadcast to match the remote IP of the NetBIOS Proxy-enabled VPN profiles and it forwards the broadcast through the VPN tunnel.
  • Page 174 When Router B receives this broadcast, it sends it on its LAN. Configuration for Router A IP Profile Parameters Remote Tunnel Endpoint: 192.168.2.1 Add Network... Display/Change Network... Delete Network... Address Translation Enabled: Stateful Inspection Enabled: Filter Set... <<None>>...
  • Page 175 Make sure the NetBIOS filter is not enabled in your Internet Connection Profile. Motorola includes the NetBIOS Proxy feature as an enhancement and convenience for our customers. It has been lab-tested and many customers use it successfully. However, Motorola cannot guarantee that this feature will automatically give you the networking functionality you expect.
  • Page 177: Chapter 6 - Internet Key Exchange for VPNs

    IPsec is deployed widely to implement Virtual Private Networks (VPNs). See “Virtual Private Networks (VPNs)” on page 5-1 for more information. The Motorola Netopia® Embedded Software Version 8.7.4 supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel. This chapter covers the following topics: •...
  • Page 178: Internet Key Exchange (Ike) Configuration

    6-2 Administrator’s Handbook The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has fleas”...
  • Page 179 Internet Key Exchange for VPNs 6-3
        Add Connection Profile
          Profile Name:                  Profile 1
          Profile Enabled:
          Encapsulation Type...          [ PPP | RFC1483 | ATMP | PPTP | IPsec | L2TP ]
          RFC1483 Mode...
          IP Profile Parameters...
          COMMIT    CANCEL
    • From the Encapsulation Type pop-up menu select IPsec.
  • Page 180: Adding An Ike Phase 1 Profile

    6-4 Administrator’s Handbook +-IKE Phase1 Profile--+ +---------------------+ | <<ADD PH1 PROFILE>> | | <<NONE>> Key Management... IKE Phase 1 Profile| Encapsulation... ESP Encryption Tran| ESP Authentication | |5-96 Compression Type...| Advanced IPsec Opti| COMMIT +---------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. •...
  • Page 181 Internet Key Exchange for VPNs 6-5 • The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 profiles are supported, since each of the potential sixteen Connection Profiles may be associated with a separate IKE Phase 1 profile.
  • Page 182 Extended Authentication (Xauth) is an extension to the IKE protocol for IPsec tunnelling. The Xauth extension provides dual authentication for a remote user’s Motorola Netopia® Gateway to establish a VPN, authorizing network access to the user’s central office.
  • Page 183 Internet Key Exchange for VPNs 6-7 • VPN concentrator – This configures Xauth to expect to receive authentication credentials, and possibly to serve VPN IP parameters. When Xauth is set to VPN concentrator, you can configure the IPsec profile to allow the Router to respond when the remote client requests an internal IP address: Remote Members: If the Remote Members is a single address within the Local Members range, then the Router will respond with that address to incoming address requests from Xauth clients.
  • Page 184 6-8 Administrator’s Handbook
        Advanced IKE Phase 1 Options
          Negotiation...                       Normal
          SA Use Policy...                     Newest SAs Immediately
          Allow Dangling Phase 2 SAs:
          Phase 1 SA Lifetime (seconds):       28800
          Phase 1 SA Lifetime (Kbytes):
          Send Initial Contact Message:
          Include Vendor ID Payload:
          Independent Phase 2 Re-keys:
          Strict Port Policy:
          Invalid SPI recovery:...
  • Page 185: Changing An Ike Phase 1 Profile

    Internet Key Exchange for VPNs 6-9 • Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE Phase 1 messages. • Independent Phase 2 Re-keys toggles whether or not a Phase 2 re-key requires a Phase 1 re-key. If this item is set to Yes (the default), Phase 2 re-keys are performed independently when necessary, without requiring a Phase 1 re-key.
  • Page 186 6-10 Administrator’s Handbook WAN Configuration WAN (Wide Area Network) Setup... Display/Change Connection Profile... Add Connection Profile... Delete Connection Profile... ATMP/PPTP Default Profile... IKE Phase 1 Configuration... Advanced Connection Options... Return/Enter to configure IPSec tunnel configuration options. From here you will configure yours and the remote sites' WAN information. Selecting Display/Change IKE Phase 1 Profile or Delete IKE Phase 1 Profile displays an IKE Phase 1 Profile pop-up menu listing the names of all currently defined IKE Phase 1 profiles: IPsec Configuration...
  • Page 187: Key Management

    Internet Key Exchange for VPNs 6-11 IPsec Configuration: selecting Delete IKE Phase 1 Profile and choosing a profile (for example “Netopia”) from the IKE Phase 1 Profile pop-up displays a confirmation:
        Are you sure you want to delete this IKE Phase 1 Profile?
        CANCEL    CONTINUE
    Key Management: You specify your IKE key management on a per-Connection Profile basis. You can do this in one of three ways: •...
  • Page 188 6-12 Administrator’s Handbook A Change Connection Profile screen is shown below. Example #1: Change Connection Profile menu, showing the Encapsulation Type pop-up:
        Change Connection Profile
          Profile Name:                  Easy Setup Profile
          Profile Enabled:
          Encapsulation Type...          [ PPP | ATMP | PPTP | IPsec ]
          Encapsulation Options...
          IP Profile Parameters...
  • Page 189 Internet Key Exchange for VPNs 6-13 From the Encapsulation Type pop-up menu, select IPsec. Then select Encapsulation Options and press Return. The IPsec Tunnel Options screen appears. IPsec Tunnel Options Key Management... IKE Phase 1 Profile... Encapsulation... ESP Encryption Transform... ESP Authentication Transform...
  • Page 190: Advanced Ipsec Options

    6-14 Administrator’s Handbook • The ESP Encryption Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP encryption: DES, 3DES, or NULL (no encryption). • The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1–96.
  • Page 191 Determination of a dead peer could take up to eight minutes. Motorola Netopia® Embedded Software Version 8.7.4 provides a new Dead Peer Detection mechanism. An IPsec IP net interface sends ICMP ping requests to a specific IP address on a Remote Member network.
  • Page 192 6-16 Administrator’s Handbook The defaults are 5 seconds and 90 seconds, respectively. You may adjust these to suit your network’s tolerances. Note: • ICMP Dead Peer Detection is not available when using manual re-keying. • ICMP Dead Peer Detection does not initiate a series of phase 2 exchanges upon detecting a dead peer; it instead initiates a new phase 1 negotiation, followed by a new phase 2 negotiation once contact with the peer has been re-established.
  • Page 193 Internet Key Exchange for VPNs 6-17 Multiple Network IPsec: Motorola Netopia® Embedded Software Version 8.7.4 offers an enhancement to IPsec VPN tunnels allowing multiple network support. This feature enhances your Motorola Netopia® Router’s Virtual Private Networking functionality. It allows you to define many local and remote network ranges for a given IPsec VPN profile. Each of these ranges has its own IPsec tunnel.
  • Page 194 6-18 Administrator’s Handbook
        Add Network Configuration
          Remote Member Format...        [ Subnet | Range | Host Address ]
          Remote Member Address:
          Remote Member Mask:
          Local Member Format...         [ Subnet | Range | Host Address ]
          Local Member Address:          0.0.0.0
          Local Member Mask:             0.0.0.0
          COMMIT    CANCEL
    • The Remote Member Format and Local Member Format pop-up menus allow you to choose a format for your network end points: Subnet, Range, or a single Host Address.
  • Page 195 Internet Key Exchange for VPNs 6-19 IP Profile Parameters Remote Tunnel Endpoint: 0.0.0.0 Add Network... Display/Change Network... Delete Network... Address Translation Enabled: Stateful Inspection Enabled: Filter Set... <<None>> Remove Filter Set NetBIOS Proxy Enabled Advanced IP Profile Options... COMMIT CANCEL Define new local/remote member(s) •...
  • Page 196 6-20 Administrator’s Handbook • If you select Delete Network in the IP Profile Parameters screen, the same scrolling list will display. When you select one of the networks and press Return, a warning screen will ask you to confirm your choice:
        Are you sure you want to delete this network configuration?
        CANCEL...
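    The Multiple Network IPsec feature (pages 193 to 196) gives each local/remote member pair its own tunnel, so the router has to decide which tunnel, if any, a packet belongs to. The following is an added Python example of that selector logic, not Netopia code, and the handbook does not describe how the router picks among overlapping pairs. Assumptions: the three member formats map to inclusive address ranges; when more than one pair matches, the most specific (smallest) pair wins; and decrypted traffic arriving from a tunnel is checked against that tunnel's own pair, which is the inbound policy check an IPsec implementation needs so that a peer cannot inject packets for networks it was not configured for. The network list is constructed sample data.

```python
import ipaddress


class Member:
    """One Local/Remote Member entry: Subnet (address + mask),
    Range (first + last address) or Host Address, as an inclusive range."""

    def __init__(self, fmt, address, mask_or_end=None):
        a = ipaddress.IPv4Address(address)
        if fmt == "Subnet":
            net = ipaddress.IPv4Network(f"{address}/{mask_or_end}", strict=False)
            self.lo, self.hi = net.network_address, net.broadcast_address
        elif fmt == "Range":
            self.lo, self.hi = a, ipaddress.IPv4Address(mask_or_end)
            if self.hi < self.lo:
                raise ValueError("range end precedes range start")
        elif fmt == "Host Address":
            self.lo = self.hi = a
        else:
            raise ValueError(f"unknown member format {fmt!r}")

    def __contains__(self, ip):
        return self.lo <= ipaddress.IPv4Address(ip) <= self.hi

    def size(self):
        return int(self.hi) - int(self.lo) + 1


def select_tunnel(src, dst, networks):
    """Outbound: index of the most specific (local, remote) pair covering
    src -> dst, or None when no tunnel applies (the packet is then not
    protected by this profile at all)."""
    best, best_size = None, None
    for i, (local, remote) in enumerate(networks):
        if src in local and dst in remote:
            size = local.size() + remote.size()
            if best is None or size < best_size:
                best, best_size = i, size
    return best


def inbound_allowed(src, dst, tunnel_index, networks):
    """Inbound: a packet decrypted from tunnel N must have its source in
    N's remote member and its destination in N's local member.  Anything
    else is a policy violation and should be dropped."""
    local, remote = networks[tunnel_index]
    return src in remote and dst in local


# Constructed sample data: a whole-LAN pair and a narrower host-to-range pair.
SAMPLE_NETWORKS = [
    (Member("Subnet", "192.168.1.0", "255.255.255.0"), Member("Subnet", "192.168.2.0", "255.255.255.0")),
    (Member("Host Address", "192.168.1.10"), Member("Range", "10.5.0.1", "10.5.0.50")),
]

if __name__ == "__main__":
    print(select_tunnel("192.168.1.10", "10.5.0.20", SAMPLE_NETWORKS))
```

    The `select_tunnel` result of `None` is the case to think about when writing a profile: traffic that matches no pair is not silently dropped by the selector, so the Filter Set on the profile (or the default route) decides whether it goes out in the clear.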
  • Page 197: Ipsec Wan Configuration Screens

    Internet Key Exchange for VPNs 6-21 • Maximum Packet Size permits you to modify the MTU setting for the tunnel. Some ISPs require a setting of e.g. 1492 (or other value). The default 1500 is the most common and you usually don’t need to change this unless otherwise instructed.
  • Page 198: Ipsec Manual Key Entry

    6-22 Administrator’s Handbook IKE Phase 1 Configuration Display/Change IKE Phase 1 Profile... Add IKE Phase 1 Profile... Delete IKE Phase 1 Profile... The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile. IPsec Manual Key Entry The Version 8.6 software has a redesigned layout and additional options for manual key entry.
  • Page 199: Vpn Quickview

    Internet Key Exchange for VPNs 6-23 Select IPsec Manual Keys and press Return. IPsec Manual Keys SHA1 ESP Auth. Key: SHA1 AH Auth. Key: Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields to enter authorization keys and encryption keys.
  • Page 200: Wan Event History Error Reporting

    6-24 Administrator’s Handbook VPN Quick View Profile Name----------Type--Rx Pckts--Tx Pckts--Discard--Remote Address-- HA <-> FA1 (Jony Fon ATMP 173.166.82.8 HA <-> FA3 (Sleve M. ATMP 63.193.117.91 My IPsec Tunnel IPsec 0.0.0.0 Bangalore PPTP 1.1.1.1 If the remote tunnel end point is a hostname (or “0.0.0.0”) 0.0.0.0 is displayed until a Security Association is established.
  • Page 201 Internet Key Exchange for VPNs 6-25
        Event message: IKE: no matching ph2 proposal
        Meaning: Either the local Router rejected the proposals of the remote or the remote rejected the local Router’s.
        Event message: IKE: ph2 resend timeout
        Meaning: The attempt to resend the phase 2 authentication timed out.
  • Page 203 Chapter 7 IP Setup Motorola Netopia® Embedded Software Version 8.7.4 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the gateway to route IP traffic. You also learn how to configure the gateway to serve IP addresses to hosts on your local network.
  • Page 204: Ip Setup

    “IP subnets” on page 7-3 for details. The Motorola Netopia® Embedded Software Version 8.7.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment.
  • Page 205: Ip Subnets

    The secondary DNS server is used by the Router when the primary DNS server is inaccessible. Entering a secondary DNS is useful but not necessary. • Select Domain Name and enter your network’s domain name (for example, motorola.com). Motorola strongly recommends that you enter a domain name. •...
  • Page 206 7-4 Administrator’s Handbook
        IP Subnets
          IP Address        Subnet Mask
          ----------------  ---------------
          192.128.117.162   255.255.255.0
          0.0.0.0           0.0.0.0
    Note: You need not use this screen if you have only a single Ethernet IP subnet. In that case, you can continue to enter or edit the IP address and subnet mask for the single subnet on the IP Setup screen. This screen displays up to eight rows of two editable columns, preceded by a row number between one and eight.
  • Page 207 IP Setup 7-5
        IP Subnets
          IP Address        Subnet Mask
          ----------------  ---------------
          192.128.117.162   255.255.255.0
          192.128.152.162   255.255.0.0
          0.0.0.0           0.0.0.0
    • To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows move up to fill the vacant fields.
  • Page 208: Static Routes

    7-6 Administrator’s Handbook The IP address and Subnet mask items are hidden, and the Define Additional Subnets... item becomes Subnet Configuration... If you select Subnet Configuration, you will return to the IP Subnets screen, which allows you to define IP addresses and masks for additional Ethernet IP subnets. Static routes: Static routes are IP routes that are maintained manually.
  • Page 209 IP Setup 7-7
        Dest. Network   Subnet Mask   Next Gateway   Priority   Enabled
        0.0.0.0         0.0.0.0       163.176.8.1
    Select a Static Route to modify. The table has the following columns: Dest. Network: The network IP address of the destination network. Subnet Mask: The subnet mask associated with the destination network. Next Gateway: The IP address of the gateway that will be used to reach the destination network.
  • Page 210 7-8 Administrator’s Handbook Add Static Route Static Route Enabled: Destination Network IP Address: 0.0.0.0 Destination Network Subnet Mask: 0.0.0.0 Next Gateway IP Address: 0.0.0.0 Route Priority... High Advertise Route Via RIP: ADD STATIC ROUTE NOW CANCEL Configure a new Static Route in this Screen. •...
  • Page 211: Rip Options

    Rules of static route installation The Motorola Netopia® Embedded Software Version 8.7.4 applies certain rules before installing enabled static routes in the IP routing table. An enabled static route will not be installed in the IP routing table if any of the following conditions are true: •...
  • Page 212: Authentication Configuration

    If any of the peers have not used the new key yet, the Motorola Netopia® router will send RIP updates twice, once with each key.
  • Page 213 IP Setup 7-11 • Select RIP Options. The Ethernet LAN RIP Options screen appears.
        Ethernet LAN RIP Options
          Receive RIP...     [ Off | v1 | v2 | Both v1 and v2 | v2 MD5 Authentication ]
          Transmit RIP...
    •...
  • Page 214 7-12 Administrator’s Handbook
        Ethernet LAN RIP Options
          Receive RIP...
          Transmit RIP...    [ Off | v1 | v2 (broadcast) | v2 (multicast) | v2 MD5 (broadcast) | v2 MD5 (multicast) ]
          RIP v2 Authentication Keys...
    • RIP v2 Authentication Keys is visible only if v2 MD5 Authentication is enabled for either Receive or Transmit RIP.
  • Page 215 IP Setup 7-13
        RIP v2 Authentication Keys
          Display/Change Key...
          Add Key...
          Delete Key...
    Adding a key: Select Add Key. The Add Key screen appears.
        Add Key
          Key ID:
          Authentication Key:
          Start Date (MM/DD/YY):    10/10/2002
          Start Time (hh:mm):       12:00
          AM or PM:
          End Time Mode:            Date
          End Date (MM/DD/YY):...
  • Page 216 7-14 Administrator’s Handbook • The Start Date and End Date formats are determined by the System Date Format, set on the Set Date and Time menu under the System Configuration menus. • The Start Time and End Time formats are determined by the System Time Format. The AM or PM pop-up menus do not appear if the time format is 24 hour time.
  • Page 217: Connection Profiles And Default Profile

    IP Setup 7-15
        Are you sure you want to delete this RIP MD5 Key?
        CANCEL    CONTINUE
    Connection Profiles and Default Profile: RIP-2 MD5 authentication may be configured in Connection Profiles as well. If you are not using NAT, your public Internet connection can benefit from sending authenticated RIP packets as well as receiving them.
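    The key rollover behaviour described on pages 212 to 215 (keys with start and end dates, updates sent twice while two keys are valid) as an added Python example. This is not Netopia code and the handbook does not give its packet layout: the digest construction follows RFC 2082 (MD5 over the packet with the 16-octet key appended, shorter keys zero-padded), but the header used here is a simplified stand-in, not the real RIP-2 authentication entry format. The receiver-side check also enforces the RFC 2082 non-decreasing sequence number, which is what stops a captured update from being replayed. Keys and routes are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class RipKey:
    key_id: int          # the Key ID field on the Add Key screen
    secret: bytes        # Authentication Key, at most 16 octets
    start: datetime      # Start Date/Time
    end: datetime        # End Date/Time (End Time Mode: Date)


def active_keys(keys, now):
    """Keys whose validity window contains `now`; during a rollover this is two."""
    return [k for k in keys if k.start <= now < k.end]


def _padded(secret):
    if len(secret) > 16:
        raise ValueError("RIP-2 MD5 keys are at most 16 octets")
    return secret.ljust(16, b"\0")   # RFC 2082 zero-pads shorter keys


def md5_digest(payload, key):
    """RFC 2082 style digest: MD5 over the packet with the key in place of the digest."""
    return hashlib.md5(payload + _padded(key.secret)).digest()


def build_update(routes, key, seq):
    """Simplified RIP-2 response (assumed layout, not the wire format):
    command=2, version=2, key id, pad, 32-bit sequence number, then
    12-byte route entries, then the 16-byte digest."""
    body = struct.pack("!BBBxI", 2, 2, key.key_id, seq)
    for net, mask, metric in routes:
        body += struct.pack("!4s4sI", ipaddress.IPv4Address(net).packed,
                            ipaddress.IPv4Address(mask).packed, metric)
    return body + md5_digest(body, key)


def updates_to_send(routes, keys, now, seq):
    """The handbook's behaviour: one copy of the update per currently valid key."""
    return [build_update(routes, k, seq) for k in active_keys(keys, now)]


def verify_update(pkt, keys, now, last_seq):
    """Receiver: key id must name a valid key, digest must match (constant-time
    compare), and the sequence number must not go backwards."""
    if len(pkt) < 8 + 16:
        return False
    _, version, key_id, seq = struct.unpack("!BBBxI", pkt[:8])
    if version != 2 or seq < last_seq:
        return False
    body, digest = pkt[:-16], pkt[-16:]
    for k in active_keys(keys, now):
        if k.key_id == key_id and hmac.compare_digest(digest, md5_digest(body, k)):
            return True
    return False


# Constructed sample data: old key overlaps the new one for one day.
SAMPLE_KEYS = [
    RipKey(1, b"oldkey", datetime(2002, 10, 10), datetime(2002, 10, 12)),
    RipKey(2, b"newkey", datetime(2002, 10, 11), datetime(2002, 12, 31)),
]
SAMPLE_ROUTES = [("10.0.0.0", "255.0.0.0", 1), ("172.16.0.0", "255.255.0.0", 3)]

if __name__ == "__main__":
    print(len(updates_to_send(SAMPLE_ROUTES, SAMPLE_KEYS, datetime(2002, 10, 11, 12), 5)))
```

    Because the keys are selected by wall-clock time, the year-1904 clock after a power cycle mentioned on page 218 matters: until NTP corrects the time, no key window matches and the router would neither send nor accept authenticated updates.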
  • Page 218 Connection Profile. Power interruptions: Motorola Netopia® 4000 Series routers use NTP updates to set the correct time. Consequently, the starting time after a power cycle, whether from power failure or deliberately switching power off and on, is in the year 1904.
  • Page 219: Ip Address Serving

    IP Setup 7-17 IP Address Serving (Main Menu > System Configuration > IP Address Serving): • Serve DHCP Clients • Serve BootP Clients • Serve Dynamic WAN Clients. In addition to being a gateway, the Router is also an IP address server. There are three protocols it can use to distribute IP addresses.
  • Page 220 7-18 Administrator’s Handbook
        IP Address Serving
          IP Address Serving Mode...           [ Disabled | DHCP Server | DHCP Relay Agent ]
          Number of Client IP Addresses:
          1st Client Address:
          Client Default Gateway...            192.168.1.1
          Serve DHCP Clients:
          DHCP Next-Server:                    0.0.0.0
          DHCP Lease Time (Hours):
          DHCP NetBIOS Options...
  • Page 221: Ip Address Pools

    IP Setup 7-19 • The default DHCP Lease time is one hour. This may be unnecessarily brief in your network environment. Consequently, the DHCP lease time is configurable. The DHCP Lease Time (Hours) setting allows you to modify the gateway’s default lease time of one hour. You can enter any number up to and including 168 hours (one week) for the DHCP lease.
  • Page 222 7-20 Administrator’s Handbook
        IP Address Pools
          Subnet (# host addrs)   1st Client Addr    Clients   Client Gateway
          ---------------------   ---------------    -------   --------------
          192.128.117.0 (253)     192.128.117.196              192.128.117.162
          192.129.117.0 (253)     192.129.117.110              192.129.117.4
    This screen consists of between two and eight rows of four columns each. There are exactly as many rows as there are Ethernet IP subnets configured on the IP Subnets screen.
  • Page 223: Dhcp Netbios Options

    • When requesting an address, a client may provide a client identifier, or, if it does not, the Motorola Netopia® Embedded Software Version 8.7.4 may construct a pseudo-client identifier for the client. When the client subsequently requests an address, the Router will attempt to serve the address previously associated with the pseudo-client identifier.
  • Page 224 7-22 Administrator’s Handbook DHCP NetBIOS Options Serve NetBIOS Type: NetBIOS Type... Type B Serve NetBIOS Scope: NetBIOS Scope: Serve NetBIOS Name Server: NetBIOS Name Server IP Addr: 0.0.0.0 Configure DHCP-served NetBIOS options here. • To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes.
  • Page 225: More Address Serving Options

    Select Release BootP Leases and press Return. • Back in IP Address Serving, the Serve Dynamic WAN Clients toggle More Address Serving Options The Motorola Netopia® Embedded Software Version 8.7.4 includes a number of enhancements in the built-in DHCP IP address server. These enhancements include:...
  • Page 226: Configuring The Ip Address Server Options

    The ability to serve as a DHCP Relay Agent. The Motorola Netopia® Embedded Software Version 8.7.4 supports reserving an IP address only for a type 1 client identifier (i.e., an Ethernet hardware address). It does not support reserving an IP address for an arbitrary client identifier.
  • Page 227 IP Setup 7-25 Note: The server does not query the client for its host name. Macintosh computers running versions of MacOS prior to MacOS version 8.5 (OT 2.0.1, TCP/IP 2.0.1) do not supply a host name option in their DHCP messages, so no host name will appear in the Served IP Addresses list.
  • Page 228 7-26 Administrator’s Handbook
        Served IP Addresses
          IP Address       Type    Expires   Host Name/Client Identifier
          ---------------------------------- SCROLL UP ----------------------------------
          192.168.1.100
          192.168.1.101
          192.168.1.108  ->  IP Address is 192.168.1.108
                             Host Name is Barr's XPi 120
                             Client ID is EN: 00-00-c5-45-89-ef
                             [ Reserve... ]
          192.168.1.111
          192.168.1.112
          192.168.1.113
          --------------------------------- SCROLL DOWN ---------------------------------
  • Page 229 IP Setup 7-27 An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an address if it determines that a leased address is already in use by another device.
  • Page 230: Dhcp Relay Agent

    Hit RETURN/ENTER for available operations. DHCP Relay Agent The Motorola Netopia® Embedded Software Version 8.7.4 offers DHCP Relay Agent functionality, as defined in RFC1542. A DHCP relay agent is a computer system or a gateway that is configured to forward DHCP requests from clients on the LAN to a remote DHCP server, and to pass the replies back to the requesting client systems.
  • Page 231 IP Setup 7-29 Main Menu > System Configuration > IP Address Serving. Select IP Address Serving and press Return. The IP Address Serving screen appears.
        IP Address Serving
          IP Address Serving Mode...           [ Disabled | DHCP Server | DHCP Relay Agent ]
          Number of Client IP Addresses:
          1st Client Address:
  • Page 232: Connection Profiles

    Router is relaying DHCP requests must be configured with one or more address pools that are within the Motorola Netopia® Router’s primary Ethernet LAN subnet. (There is no mechanism for DHCP clients to receive an address on a secondary subnet via a relayed DHCP request.)
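    Why a relayed request can only be served from the primary LAN subnet (pages 230 to 232), shown as an added Python example rather than anything from the handbook or the router's code. The relay follows RFC 1542: it writes its own LAN address into the request's giaddr field if no earlier relay did, increments the hop count, and discards requests that have already crossed 16 relays; the server then picks the pool that contains giaddr. Since giaddr is always the router's primary address, a pool on a secondary subnet is never selected. The relay, server and pools are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

MAX_HOPS = 16   # RFC 1542 section 4.1.1: relays discard requests with hops > 16


@dataclass
class DhcpRequest:
    chaddr: str                 # client hardware address
    hops: int = 0
    giaddr: str = "0.0.0.0"     # gateway (relay) address, zero from the client


class RelayAgent:
    def __init__(self, lan_ip, server_ip):
        self.lan_ip = lan_ip        # the router's primary Ethernet LAN address
        self.server_ip = server_ip  # the remote DHCP server to forward to

    def relay(self, req):
        """Return (server address, forwarded request) or None if discarded."""
        if req.hops >= MAX_HOPS:
            return None
        req.hops += 1
        if req.giaddr == "0.0.0.0":     # only the first relay fills in giaddr
            req.giaddr = self.lan_ip
        return self.server_ip, req


class DhcpServer:
    def __init__(self, pools):
        # pools: {IPv4Network: [free addresses]}
        self.pools = {ipaddress.IPv4Network(k): list(v) for k, v in pools.items()}

    def select_pool(self, giaddr):
        """The server chooses the pool whose subnet contains giaddr."""
        g = ipaddress.IPv4Address(giaddr)
        for subnet, free in self.pools.items():
            if g in subnet:
                return subnet
        return None

    def offer(self, req):
        subnet = self.select_pool(req.giaddr)
        if subnet is None or not self.pools[subnet]:
            return None          # no matching pool, or pool exhausted
        return self.pools[subnet].pop(0)


def relayed_offer(relay, server, req):
    """One DISCOVER/OFFER round trip through the relay; None means no lease."""
    hop = relay.relay(req)
    if hop is None:
        return None
    _, forwarded = hop
    return server.offer(forwarded)


# Constructed sample data: one address on the primary subnet, plenty on a secondary.
SAMPLE_RELAY = RelayAgent("192.168.1.1", "10.0.0.5")
SAMPLE_POOLS = {"192.168.1.0/24": ["192.168.1.100"],
                "192.168.5.0/24": ["192.168.5.10", "192.168.5.11"]}

if __name__ == "__main__":
    server = DhcpServer(SAMPLE_POOLS)
    print(relayed_offer(SAMPLE_RELAY, server, DhcpRequest("00-00-c5-45-89-ef")))
```

    The second lease request in the test fails even though the secondary pool has free addresses, which is exactly the limitation the handbook states.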
  • Page 233 IP Setup 7-31 The Add Connection Profile screen appears. Add Connection Profile Profile Name: Profile 1 Profile Enabled: Data Link Encapsulation... Data Link Options... IP Profile Parameters... COMMIT CANCEL Configure a new Conn. Profile. Finished? COMMIT or CANCEL to exit. On a Router you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time, unless you are using VPNs.
  • Page 234: Multicast Forwarding

    Multicasting is similar to radio or TV broadcasts in the sense that only those who have tuned in to a particular frequency receive the information. You see and hear the channel you are interested in, but not the others. Since a router should not be used as a passive forwarding device, Motorola Netopia® Routers use a protocol for...
  • Page 235 IP Setup 7-33 • Then you associate it with a Connection Profile in the IP Profile Parameters screen in the Add/Display/Change Connection Profile menus. Navigate to the IP Setup screen (Main Menu > System Configuration > IP Setup). By default, Multicast Forwarding is turned off (None). You enable the gateway to transmit multicast data by selecting Tx.
  • Page 236: Virtual Router Redundancy (Vrrp)

    Connection Profile to receive multicast data. You enable it by selecting Rx. from the pop-up menu. Virtual Router Redundancy (VRRP) Motorola Netopia® Embedded Software Version 8.7.4 offers Virtual Router Redundancy Protocol (VRRP). A Virtual Router is a software abstraction consisting of a group of two or more hardware routers protecting one or more IP addresses.
  • Page 237 IP Setup 7-35
        Ethernet LAN VRRP Options
          Display/Change Virtual Routers...
          Add Virtual Router...
          Delete Virtual Router...
          Monitor WAN:
          Serve/Relay DHCP only if Virtual Router in Master state:
          DHCP Gateway IP Address:       0.0.0.0
    Select Add Virtual Router and press Return. The Add Virtual Router screen appears.
        Add Virtual Router
          VRID:
          Virtual IP Address:...
  • Page 238 7-36 Administrator’s Handbook • must not match the IP address of any other VIP. If it matches the local IP address of that interface or its subnets, the Virtual Router will default to a priority of 255. See below. Note: A router currently in VRRP Master mode is the only device which will respond on the Virtual IP address.
  • Page 239 IP Setup 7-37 Ethernet LAN VRRP Options (Display/Change Virtual Routers..., Add Virtual Router..., Delete Virtual Router..., Monitor WAN, Serve/Relay DHCP only if Virtual Router in Master state, DHCP Gateway IP Address: 0.0.0.0) • Monitor WAN – Toggle this option to Yes (the default) to enable VRRP routers on the interface to relinquish Master status if the WAN connection is down.
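    The VRRP rules the handbook states on pages 236 to 239 (the address owner gets priority 255, only the Master answers on the VIP, Monitor WAN makes a router give up Master when its WAN is down, DHCP can be restricted to the Master) as an added Python election model. This is not Netopia code; the tie-break by higher interface address is the RFC 3768 rule and an assumption about this router, and a WAN-down router is modelled as priority 0 (the VRRP "release Master" value). The router list is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

OWNER_PRIORITY = 255   # RFC 3768: the router that owns the VIP always uses 255


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str      # the router's own Ethernet LAN address
    vrid: int
    virtual_ip: str
    priority: int = 100
    monitor_wan: bool = True   # the Monitor WAN toggle, default Yes
    wan_up: bool = True

    def effective_priority(self):
        if self.virtual_ip == self.interface_ip:
            return OWNER_PRIORITY            # the handbook: defaulted to 255
        if self.monitor_wan and not self.wan_up:
            return 0                         # assumption: relinquish Master as priority 0
        return self.priority


def validate_vips(routers):
    """The handbook's rule: a VIP must not match the VIP of another Virtual Router."""
    seen = {}
    for r in routers:
        other = seen.get(r.virtual_ip)
        if other is not None and other != r.vrid:
            raise ValueError(f"VIP {r.virtual_ip} used by VRID {other} and {r.vrid}")
        seen[r.virtual_ip] = r.vrid


def elect_master(routers):
    """Highest effective priority wins; equal priorities are broken by the
    higher interface address (RFC 3768 section 6.4.2).  Returns the name,
    or None when every candidate has priority 0."""
    candidates = [r for r in routers if r.effective_priority() > 0]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.effective_priority(),
                                          int(ipaddress.IPv4Address(r.interface_ip))))
    return best.name


def answers_on_vip(router, master_name):
    """Only the Master responds (for example to ARP) on the Virtual IP."""
    return router.name == master_name


def may_serve_dhcp(router, master_name, only_if_master):
    """Serve/Relay DHCP only if Virtual Router in Master state."""
    return (not only_if_master) or router.name == master_name


# Constructed sample data: two peers sharing VRID 1.
SAMPLE_ROUTERS = [
    VrrpRouter("A", "192.168.1.1", 1, "192.168.1.254", priority=100),
    VrrpRouter("B", "192.168.1.2", 1, "192.168.1.254", priority=100),
]

if __name__ == "__main__":
    print(elect_master(SAMPLE_ROUTERS))
```

    The DHCP gateway handed to clients should be the VIP (the DHCP Gateway IP Address field), not the serving router's own address, or clients keep pointing at a router that has just lost Master.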
  • Page 240: Additional Lans

    Virtual Router in Master state: DHCP Gateway IP Address: 0.0.0.0 Additional LANs Motorola Netopia® Embedded Software Version 8.7.4 includes support for creating additional logical local area networks. When used in combination with VLANs (see “VLAN Configuration” on page 3-11), you can maintain separate functional end-to-end networks to support such services as voice-over-IP, point-of-sale applications, or audio and video services.
  • Page 241 IP Setup 7-39 Additional LAN Configuration Add ALAN... Select Add ALAN and press Return. The Add Additional LAN screen appears. Add Additional LAN Name: Additional LAN 1 Enabled: MAC Address: 00:00:00:00:00:00 Ethernet IP Address: 0.0.0.0 Ethernet Subnet Mask: 0.0.0.0 Define Additional Subnets... IP Address Serving...
  • Page 242 7-40 Administrator’s Handbook • Ethernet IP Address – The IP address of the additional LAN. • Ethernet Subnet Mask – The IP subnet mask address of the additional LAN. • Define Additional Subnets – Additional subnets for multi-homing (same as the primary interface). See “IP Address Pools”...
  • Page 243 IP Setup 7-41
        Additional LAN Configuration
          Name                 IP Address
          Additional LAN 1     1.1.1.1
          Additional LAN 2     0.0.0.0
  • Page 245: Backup Configuration

    Line Backup 8-1 Chapter 8 Line Backup Motorola Netopia® Embedded Software Version 8.7.4 offers line backup functionality in the event of a line failure on the primary WAN link: • to an internal V.92 modem (supported models) or • to a backup default gateway.
  • Page 246: Connection Profiles

    8-2 Administrator’s Handbook Here you can select Backup is = Automatic, and Recovery is Automatic. See “Backup Configuration screen” on page 8-9. • the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu Here you enter a Backup Gateway IP address. See “IP Setup”...
  • Page 247 Line Backup 8-3 • Encapsulation Type: From the pop-up menu select the encapsulation type. Usually, for modem dial-up connections, this will be PPP, but you can also select ATMP, PPTP, or IPsec for VPN connections. These are the options needed for dial-up. Add Connection Profile Profile Name: Profile 1...
  • Page 248 8-4 Administrator’s Handbook
        Datalink (PPP/MP) Options
          Data Compression...            Standard LZS
          Send Authentication...         [ None | PAP | CHAP ]
          Send User Name:
          Send Password:
          Receive User Name:
          Receive Password:
          Dial on Demand:
    PAP – Password protection is used. Passwords are exchanged in clear text.
  • Page 249 Line Backup 8-5 IP Profile Parameters Address Translation Enabled: IP Addressing... Unnumbered NAT Map List... Easy-PAT List NAT Server List... Easy-Servers NAT Options... Stateful Inspection Enabled: Local WAN IP Address: 0.0.0.0 Remote IP Address: 0.0.0.0 Remote IP Mask: 0.0.0.0 Filter Set... Remove Filter Set RIP Profile Options...
  • Page 250: Ip Setup

    8-6 Administrator’s Handbook • From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default). • Dialing Prefix: If you are connected to a Centrex or PBX phone system that requires you to dial a prefix number (such as “9”...
  • Page 251: Wan Configuration

    Line Backup 8-7 IP Setup Ethernet IP Address: 192.168.1.1 Ethernet Subnet Mask: 255.255.255.0 Define Additional Subnets... Default IP Gateway: 0.0.0.0 Backup IP Gateway: 0.0.0.0 Primary Domain Name Server: 0.0.0.0 Secondary Domain Name Server: 0.0.0.0 Domain Name: RIP Options... Multicast Forwarding... None Static Routes...
  • Page 252: Wan Configuration

    8-8 Administrator’s Handbook WAN Configuration WAN (Wide Area Network) Setup... ATM Circuits Configuration... Display/Change Connection Profile... Add Connection Profile... Delete Connection Profile... WAN Default Profile... ATMP/PPTP Default Profile... IKE Phase 1 Configuration... Advanced Connection Options... Return/Enter to create a new Connection Profile. From here you will configure yours and the remote sites' WAN information.
  • Page 253: Backup Configuration Screen

    Line Backup 8-9 Internal Modem Setup Modem Dialing Prefix: ATDT PBX Dialing Prefix: Line Directory Number: Speaker On... Until Carrier Speaker Volume... 2-Medium Answer Incoming calls... Always Country... United States Enter the dialing prefix to be sent to all modems. •...
  • Page 254 8-10 Administrator’s Handbook This screen is used to configure the conditions under which backup will occur, if it will recover, and how the modem is configured. For the internal V.92 modem, the Backup Configuration screen appears as follows, when all options are enabled (default screen shows fewer menu items until some are enabled): Backup Configuration Backup Parameters...
  • Page 255 Line Backup 8-11 Note: For best results, enter an IP address and not a host name. If a host name is used it may not be resolvable, and may keep the interface down. Set the Ping Host Name or IP Address to the router's Default Gateway, or other reliable IP address elsewhere on the backbone –...
  • Page 256: Using Scheduled Connections With Backup

    8-12 Administrator’s Handbook When you are finished, press Escape. Using Scheduled Connections with Backup The backup link is a PPP dial-up connection and only connects to the Internet service provider when traffic is initiated from the LAN. If you want to use the backup link to provide redundancy for services, such as a Web service that you provide to the outside world, you must force the connection to stay up.
  • Page 257 Line Backup 8-13 Add Scheduled Connection Scheduled Connection Enable: How Often... Weekly Schedule Type... Forced Up Set Weekly Schedule... Use Connection Profile... ADD SCHEDULED CONNECTION CANCEL Return/Enter accepts * Tab toggles * ESC cancels. Scheduled Connections dial remote Networks on a Weekly or Once-Only basis. •...
  • Page 258: Backup Default Gateway

    Motorola Netopia® Embedded Software Version 8.7.4 offers backup functionality to an alternate gateway typically connected to a LAN port.
  • Page 259 Line Backup 8-15
        Backup Configuration
          Backup Parameters
          Backup is...                               [ Disabled | Manual | Automatic ]
          Requires Failure of (seconds):
          Ping Host Name or IP Address #1:
          Ping Host Name or IP Address #2:
          Recovery to ADSL...                        Automatic
          Requires Recovery of (seconds):
          Auto-Recovery on loss of Layer 2:...
  • Page 260: Ip Setup Screen

    8-16 Administrator’s Handbook the system to wait before attempting to switch back to the WAN connection. This allows you to be sure that the WAN connection is well re-established before the gateway switches back to it from the backup mode. •...
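    Both the ICMP Dead Peer Detection of pages 191 and 192 (a ping every 5 seconds, the peer declared dead after 90 seconds without a reply, then a fresh Phase 1 and Phase 2) and the Backup Configuration of pages 254 to 260 (backup after "Requires Failure of" seconds of failed pings, switch back after "Requires Recovery of" seconds of good ones) are the same ping-driven state machine with different thresholds. The following is an added Python model of it, not Netopia code; the handbook does not describe the router's internal timers, so the behaviour of probing on a fixed clock, counting time since the last reply, and requiring an unbroken run of replies before recovery is an assumption. The reply patterns are constructed input.

```python
class PingMonitor:
    """Probe every `interval` seconds.  Declare DOWN once `fail_after`
    seconds have passed without a reply; once down, declare UP again only
    after `recover_after` seconds of uninterrupted replies."""

    def __init__(self, interval, fail_after, recover_after=0):
        self.interval = interval
        self.fail_after = fail_after
        self.recover_after = recover_after
        self.state = "up"
        self.last_reply = 0.0      # assumption: the link is good at time 0
        self.first_good = None     # start of the current run of replies while down
        self.events = []           # (time, "fail" | "recover")

    def observe(self, now, replied):
        if replied:
            self.last_reply = now
            if self.state == "down":
                if self.first_good is None:
                    self.first_good = now
                if now - self.first_good >= self.recover_after:
                    self.state, self.first_good = "up", None
                    self.events.append((now, "recover"))
        else:
            self.first_good = None          # a miss breaks the recovery run
            if self.state == "up" and now - self.last_reply >= self.fail_after:
                self.state = "down"
                self.events.append((now, "fail"))
        return self.state


def run_monitor(reply_ok, horizon, interval, fail_after, recover_after=0):
    """Drive a monitor on a simulated clock.  reply_ok(t) says whether the
    probe sent at time t was answered (constructed input)."""
    m = PingMonitor(interval, fail_after, recover_after)
    t = 0
    while t <= horizon:
        m.observe(t, reply_ok(t))
        t += interval
    return m.events


def dpd_events(reply_ok, horizon):
    """ICMP Dead Peer Detection with the handbook defaults (5 s, 90 s).
    On a dead peer the router starts a new Phase 1, then Phase 2."""
    out = []
    for t, ev in run_monitor(reply_ok, horizon, interval=5, fail_after=90):
        if ev == "fail":
            out += [(t, "peer dead"), (t, "new phase 1"), (t, "new phase 2")]
    return out


def backup_events(reply_ok, horizon, fail_secs, recover_secs):
    """Line backup: 'Requires Failure of' / 'Requires Recovery of' seconds."""
    return [(t, "switch to backup" if ev == "fail" else "recover to primary")
            for t, ev in run_monitor(reply_ok, horizon, 5, fail_secs, recover_secs)]


if __name__ == "__main__":
    print(dpd_events(lambda t: t <= 100, 300))
    print(backup_events(lambda t: not 50 <= t <= 100, 300, 30, 60))
```

    The recovery hold-down is the part worth getting right: with `recover_after` of zero a flapping WAN link would bounce traffic between primary and backup on every probe, which is why the handbook lets you set "Requires Recovery of" separately.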
  • Page 261 Line Backup 8-17 To view Backup Management/Statistics, from the Main Menu select Statistics & Logs, then Backup Management/Statistics, and press Return (Main Menu > Statistics & Logs > Backup Management/Statistics). The Backup Management/Statistics screen appears.
        Backup Management/Statistics
          Current Gateway:                Primary
          Backup State:                   Primary Port Failure in Progress
          Reason:                         Loss of Layer 1...
  • Page 262: Quickview

    8-18 Administrator’s Handbook During recovery, the following reasons may appear:
        Recovery of Layer 1   Indicates sync restored on the Primary link
        Layer 2 Override      Indicates the backup occurred on layer 2, and ‘Auto-Recovery on loss of Layer 2’ was set to YES
        Layer 2 Recovery      Indicates that backup was on Layer 2 and the interface is fully restored (including Backup Ping)
  • Page 263: Quick View Status Overview

    “Simple Network Management Protocol (SNMP)” on page 9-8 Quick View Status Overview You can get a useful, overall status report from the Motorola Netopia® Embedded Software Version 8.7.4 in the Quick View screen. To go to the Quick View screen, select Quick View in the Main Menu.
  • Page 264: General Status

    9-2 Administrator’s Handbook General status Quick View 10/11/2006 07:31:26 AM Default IP Gateway: 0.0.0.0 Primary DNS Server: 0.0.0.0 Gateway installed -- Backup Secondary DNS Server: 0.0.0.0 Domain Name: netopia.com ----------------MAC Address--------IP Address-------Status-------------------- Ethernet LAN: 00-00-c5-ff-70-00 192.168.1.1 100Mbps Full Duplex ATM ADSL WAN: 00-00-c5-ff-70-02 0.0.0.0 USB LAN:...
  • Page 265: Status Lights

    When you are troubleshooting your Router, the Statistics & Logs screens provide insight into the recent event activities of the gateway. Motorola Netopia® Embedded Software Version 8.7.4 restamps the timestamps reported in the system logs once the clock is updated via NTP. The restamping is done in the background after the NTP time is received.
  • Page 266: Event Histories

    Menu • Device Event History Motorola Netopia® Embedded Software Version 8.7.4 records certain relevant occurrences in event histories. Event histories are useful for diagnosing problems because they list what happened before, during, and after a problem occurs. You can view two different event histories: one for the gateway’s system and one for the WAN.
  • Page 267 Monitoring Tools 9-5 The first event in each call sequence is marked with double arrows (>>). Failures are marked with an asterisk (*). If the event history exceeds the size of the screen, you can scroll through it by using the SCROLL UP and SCROLL DOWN items.
  • Page 268: Ip Routing Table

    9-6 Administrator’s Handbook IP Routing Table Main Statistics & Logs • IP Routing Table Menu The IP routing table displays all of the IP routes currently known to the Router. IP Routing Table Network Address-Subnet Mask-----via Gateway------Port------------------Type---- ----------------------------------SCROLL UP----------------------------------- 0.0.0.0 255.0.0.0 0.0.0.0 Other...
  • Page 269 Monitoring Tools 9-7 General Statistics Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err Ethernet Hub 1234567 123456 123456 123456 123456 12345 ATM ADSL 1 1234567 123456 123456 123456 123456 12345 Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err 1234567 123456 123456 123456 123456 12345...
  • Page 270: System Information

    The information display varies by model, software version, feature set, and so on. You can tell at a glance your particular system configuration. Simple Network Management Protocol (SNMP) Motorola Netopia® Embedded Software Version 8.7.4 includes a Simple Network Management Protocol (SNMP) agent, allowing monitoring and configuration by a standard SNMP manager. •...
  • Page 271: The Snmp Setup Screen

    Interface MIB (RFC 1229) • Ethernet MIB (RFC 1643) • Netopia® MIB • SNMP-v2 Traps: SNMP v2 MIB (RFC1907) v2 traps only; NPAV2TRAP.MIB (Motorola Netopia®-specific) • ATM: ATM TC (RFC2514); ATM MIB (RFC2515) • ADSL: ADSL MIB (RFC2662)...
  • Page 272 The Read-Only Community String and the Read/Write Community String are like passwords that must be used by an SNMP manager querying or configuring the Motorola Netopia® Embedded Software Version 8.7.4. An SNMP manager using the Read-Only Community String can examine statistics and configuration information from the gateway, but cannot modify the gateway’s configuration.
  • Page 273: Snmp Traps

    Motorola Netopia® Embedded Software Version 8.7.4 sends traps using UDP (for IP networks). You can specify which SNMP managers are sent the IP traps generated by the Motorola Netopia® Embedded Software Version 8.7.4. Up to eight receivers can be set. You can also review and remove IP traps.
  • Page 274 9-12 Administrator’s Handbook Add IP Trap Receiver Receiver IP Address or Domain Name: Community String: Send Heartbeat Trap: ADD TRAP RECEIVER NOW CANCEL Select Receiver IP Address or Domain Name. Enter the IP address or domain name of the SNMP manager you want to receive the trap.
  • Page 275: Suggested Security Measures

    Chapter 10 Security Motorola Netopia® Embedded Software Version 8.7.4 provides a number of security features to help protect its configuration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.
  • Page 276: Upnp Support

    Gateway. For Windows XP users, the automatic discovery feature places an icon representing the Motorola Netopia® Gateway automatically in the “My Network Places” folder. PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This...
  • Page 277: Superuser Configuration

    Security 10-3 Superuser configuration The access privileges of the Superuser account are not modifiable. It is possible, however, to control who can log in as Superuser. Select Superuser Configuration and press Return. The Superuser Configuration screen appears. Superuser Configuration Name (19 characters max): admin Password: Telnet Access Enabled:...
  • Page 278 10-4 Administrator’s Handbook Add Access Name/Password Name (19 characters max): user Password: ******************** Telnet Access Enabled: +-----------+ +-----------+ Access Privileges... | All | LAN | WAN | Custom... | +-----------+ ADD USER CANCEL • Assign a User Name and Password, and enable or disable Telnet and Web access as in the Superuser Configuration screen.
  • Page 279: Advanced Security Options

    Security 10-5 You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection. Exercise caution in assigning privileges other than these defaults to limited users. Access Privilege Default WAN Data Configuration...
  • Page 280: Radius Server Authentication

    10-6 Administrator’s Handbook • “TACACS+ server authentication” on page 10-7 RADIUS server authentication Advanced Security Options +---------------------------+ +---------------------------+ Remote Authentication... | Local only Security Databases... | Remote only Remote Server Addr/Name: | Remote then Local Remote Server Secret: | Remote then Lcl/Ser. Only | Alt Remote Server Addr/Name: | Local then Remote Alt Remote Server Secret:...
  • Page 281: Tacacs+ Server Authentication

    Motorola Netopia® Router is to control access to the Router’s management interface, and to audit commands submitted by a user. TACACS (Terminal Access Controller Access Control System) protocol provides access control for Motorola Netopia® Routers via a centralized server. TACACS+ provides separate authentication, authorization and accounting services.
  • Page 282: Warning Alerts

    Command Line Interface (CLI) mode (see the Command Line Interface Commands Reference) and cannot be switched to console mode. If TACACS+ Accounting is enabled on the Motorola Netopia® Router, each command is sent to the TACACS+ server in a TACACS+ Accounting transaction. The CLI command is then executed, regardless of the return code from the server.
  • Page 283 Security 10-9 Advanced Security Options +---------------------------------------------------------------+ +---------------------------------------------------------------+ | You have no local passwords defined. If you continue you will | | be unable to configure this device unless a Remote Server is | available to authenticate you. CONTINUE CANCEL +---------------------------------------------------------------+ Attempting to delete the last username/password pair from the local authentication database when the Security Databases pop-up menu is set to either Local then Remote or Remote then Local causes the router to present the following warning alert:...
  • Page 284 10-10 Administrator’s Handbook Advanced Security Options Remote Authentication... RADIUS Security Databases... Local only Remote Server Addr/Name: Remote Server Secret: Alt Remote Server Addr/Name: Alt Remote Server Secret: RADIUS Identifier: RADIUS Server Authentication Port+-----------+ +-----------+ Remote Access Privileges... | All | LAN Telnet Server Port: | WAN | Custom...
  • Page 285: User Access Password

    Security 10-11 User access password Users must be able to change their names and passwords, regardless of other security access restrictions. If a user does not have security access, then they will only be able to modify the password for their account. When a limited-access user logs into the gateway.
  • Page 286: User Menu Differences

    10-12 Administrator’s Handbook User menu differences Menus reflect the security access level of the user. Consequently, configuration menus will display differing options based upon the parameters a particular user is allowed to change. Some differences include: • Limited users (non-Superusers) do not have access to Easy Setup. •...
  • Page 287 Security 10-13 User Access Level Netopia Router Superuser Easy Setup... WAN, Conn. Profiles, PVC WAN Configuration... System Configuration... Global, Voice Utilities & Diagnostics... Statistics & Logs... Quick Menus... Quick View... WAN Configuration screens If a limited user is allowed WAN, Connection Profile, or PVC configuration access, the WAN Configuration option in the Main Menu is visible.
  • Page 288 10-14 Administrator’s Handbook User Access Level Advanced Connection Options Configuration Changes Reset WAN Connection: Connection Profiles Scheduled Connections... Connection Profiles Backup Configuration... Prioritize Delay-Sensitive Data: No Connection Profiles The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection Profile in the Add Connection Profile screen the Superuser can toggle the Superuser Accessible Only option to Yes or No.
  • Page 289 Security 10-15 System Configuration menu The System Configuration menu is always available to all users. Based on access level, the System Configuration menu displays its configuration options according to the following diagram: System Configuration User Access Level IP Setup... Filter Sets... IP Address Serving...
  • Page 290 Statistics & Logs menu The Statistics & Logs menu shown below is a composite of all the possible options on all Motorola Netopia® gateways supported by the software. Substantial differences exist among screens on a given gateway. Here, all selection options are shown.
  • Page 291 Security 10-17 User Access Level Statistics & Logs WAN Event History... Global Device Event History... Global IP Routing Table... Global Served IP Addresses... Global Served IP Addresses... Global Backup Management/Statistics... Global General Statistics... Global System Information... Global...
  • Page 292 10-18 Administrator’s Handbook Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user. Superuser Quick Menu Connection Profiles Line Configuration IP Setup Add Connection Profiles...
  • Page 293: Telnet Access

    PVC configuration access, they are permitted configuration access to all PVC parameters. Telnet Access Telnet is a TCP/IP service that allows remote terminals to access hosts on an IP network. Motorola Netopia® Embedded Software Version 8.7.4 supports Telnet access to its configuration screens. Caution! You should consider password-protecting or restricting Telnet access to the Router if you suspect there is a chance of tampering.
  • Page 294: About Filters And Filter Sets

    filters to control network communications can greatly improve your network’s security. The Motorola Netopia® Embedded Software Version 8.7.4’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the gateway’s filter sets for a variety of packet filtering applications.
  • Page 295: How Individual Filters Work

    Security 10-21 Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
  • Page 296 This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked. Here is what this rule looks like when implemented as a filter on the Motorola Netopia® Embedded Software Version 8.7.4: +-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+...
  • Page 297 Security 10-23 Internet service TCP port Internet service TCP port Telnet World Wide Web SMTP (mail) News Gopher rlogin Internet service UDP port Internet service UDP port Who Is TFTP World Wide Web SNMP Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison options are: No Compare: No comparison of the port number specified in the filter with the packet’s port number.
  • Page 298 10-24 Administrator’s Handbook +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +----------------------------------------------------------------------+ 192.211.211.17 0.0.0.0 Yes No 0.0.0.0 0.0.0.0 =6000 Yes No 0.0.0.0 0.0.0.0 ICMP Yes Yes | 0.0.0.0 0.0.0.0 >1023 Yes Yes | 0.0.0.0 0.0.0.0 >1023 Yes Yes | +----------------------------------------------------------------------+ The table’s columns correspond to each filter’s attributes: #: The filter’s priority in the set.
  • Page 299 Security 10-25 The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
  • Page 300: Design Guidelines

    10-26 Administrator’s Handbook In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.x will be matched correctly, no matter what the final address byte Note: The protocol attribute for this filter is 0 by default.
  • Page 301: Working With Ip Filters And Filter Sets

    Security 10-27 It is strongly recommended that you take the latter, and safer, approach to all of your filter set designs. Working with IP Filters and Filter Sets This section covers IP filters and filter sets. System Main Filter Menu Sets Configuration To work with filters and filter sets, begin by accessing the filter set screens.
  • Page 302 10-28 Administrator’s Handbook To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears. Add Filter Set... Filter Set Name: Filter Set 3 ADD FILTER SET CANCEL Naming a new filter set All new filter sets have a default name.
  • Page 303 The Motorola Netopia Router Packets in the Motorola Netopia® Embedded Software Version 8.7.4 pass through an input filter if they originate in the WAN and through an output filter if they’re being sent out to the WAN. The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination.
  • Page 304 10-30 Administrator’s Handbook Display/Change Filter Set... Filter Set Name: Filter Set Add Input Filter to Filter Set... Display/Change Input Filter... Delete Input Filter... Move Input Filter... Add Output Filter to Filter Set... Display/Change Output Filter... Delete Output Filter... Move Output Filter... Note: There are two groups of items in this screen, one for input filters and one for output filters.
  • Page 305 Security 10-31 If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded. Select Source IP Address and enter the source IP address this filter will match on.
  • Page 306: Deleting A Filter Set

    Select a filter set from the list and press Return. Select CONTINUE and press Return to delete it. A sample filter set This section contains the settings for a filter set called Basic Firewall, which is part of Motorola Netopia® Embedded Software Version 8.7.4’s factory configuration.
  • Page 307 Security 10-33 Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN.
  • Page 308 10-34 Administrator’s Handbook Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN.
  • Page 309: Policy-Based Routing Using Filtersets

    Policy-based Routing using Filtersets Previous software versions routed IP packets only by destination IP address. Motorola Netopia® Embedded Software Version 8.7.4 now offers the ability to route IP packets using criteria other than the destination IP address.
  • Page 310 10-36 Administrator’s Handbook In previous software versions, a filter would either pass or block the specified traffic. Motorola Netopia® Embedded Software Version 8.7.4 adds a third option, force routing. You specify a gateway IP address, and each packet matching the filter is routed according to that gateway address, rather than by means of the global routing table.
  • Page 311: Tos Field Matching

    Security 10-37 TOS field matching Motorola Netopia® Embedded Software Version 8.7.4 supports two additional parameters in an IP filter: TOS and TOS Mask. Both fields accept values in the range 0 – 255. Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network.
  • Page 312: Firewall Tutorial

    10-38 Administrator’s Handbook Firewall Tutorial General firewall terms Filter rule: A filter set is comprised of individual filter rules. Filter set: A grouping of individual filter rules. Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
  • Page 313: Firewall Design Rules

    Security 10-39 Example TCP/UDP Ports TCP Port Service UDP Port Service 20/21 SNMP Telnet TFTP SMTP AURP News Firewall design rules There are two basic rules to firewall design: • “What is not explicitly allowed is denied.” • “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design.
  • Page 314 10-40 Administrator’s Handbook and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule.
  • Page 315: Filter Basics

    A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). The Motorola Netopia® Embedded Software Version 8.7.4 has the ability to compare source and destination TCP or UDP ports. These options are as follows:...
  • Page 316: Example Filters

    10-42 Administrator’s Handbook Less Than or Equal: any port less than or equal to the port defined. Equal: matches only the port defined. Greater Than or Equal: matches the port or any port greater. Greater Than: matches anything greater than the port defined. Example network Input Packet Filter...
  • Page 317 Security 10-43 This incoming IP packet has a source IP address that matches the network address in the Source IP Address field (00000000) in the Motorola Netopia® Embedded Software Version 8.7.4. This will not forward this packet. Example 2 Filter Rule: 200.1.1.0...
  • Page 318 10-44 Administrator’s Handbook Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule does not match and this packet will be forwarded. Example 4 Filter Rule: 200.1.1.96 (Source IP Network Address) 255.255.255.240...
  • Page 319: Configuration Management

    AND is 01100000, this rule does match and this packet will not be forwarded. This rule masks off a single IP address. Configuration Management Motorola Netopia® Embedded Software Version 8.7.4 offers a Configuration Management feature. Configuration Management provides a way to store several gateway configurations in a single device for use at different times.
  • Page 320 10-46 Administrator’s Handbook Configuration Management Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Factory Default from Configuration: <none> Remove Factory Default Configuration Return/Enter to select Factory Default Configuration. Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears. Save Current Configuration Configuration Name: HappyInternet...
  • Page 321 Security 10-47 Configuration Management +-Configuration Name---Type---+ Save Current Configuration as... +-----------------------------+ Replace Existing Configuration... | HappyInternet Binary | Boot from a Configuration... | Config1 Binary | Delete a Configuration... | LesMizz Binary | +-----------------------------+ Factory Default from Configuration: <none> Remove Factory Default Configuration A warning screen will ask you to confirm your choice.
  • Page 322: Tftp

    10-48 Administrator’s Handbook Once you make the selection, if you factory Default the Router, it will reboot with the saved configuration you have selected. Configuration Management Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Factory Default from Configuration: HappyInternet Remove Factory Default Configuration...
  • Page 323: Chapter 11 — Utilities And Diagnostics

    Utilities and Diagnostics 11-1 Chapter 11 Utilities and Diagnostics A number of utilities and tests are available for system diagnostic and control purposes. This section covers the following topics: • “Ping” on page 11-2 • “Trace Route” on page 11-4 •...
  • Page 324: Ping

    11-2 Administrator’s Handbook Ping The Motorola Netopia® Embedded Software Version 8.7.4 includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender.
  • Page 325 Utilities and Diagnostics 11-3 Status: The current status of the Ping test. This item can display the status messages shown in the table below: Resolving host name: Finding the IP address for the domain name-style address. Can’t resolve host name: IP address can’t be found for the domain name-style address. Pinging: Ping test is in progress...
  • Page 326: Trace Route

    Select Host Name or IP Address and enter the name or address of the destination you want to trace. Select Maximum Hops to set the maximum number of gateways to count between the Motorola Netopia® Router and the destination gateway, up to the maximum of 64. The default is 30 hops.
  • Page 327: Telnet Client

    Utilities and Diagnostics 11-5 Select Use Reverse DNS to learn the names of the gateways between the Motorola Netopia® Router and the destination gateway. The default is Yes. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected.
  • Page 328: Factory Defaults

    To use the Router as a TFTP client, a TFTP server must be available. Motorola, Inc., has a public access TFTP server on the Internet where you can obtain the latest software versions.
  • Page 329: Updating Software

    Utilities and Diagnostics 11-7 Updating software Software updates may be available periodically from Motorola or from a site maintained by your organization’s network administrator. The software governs how the device communicates with your network and the WAN or remote site. Software updates are periodically posted on the Motorola Netopia® website.
  • Page 330: Uploading Configuration Files

    TFTP server. You may need to enter a file path along with the file name (for example, Mypc/Netopia/myfile). Select SEND CONFIG TO SERVER and press Return. Motorola will begin to transfer the file. The TFTP Transfer State item will change from Idle to Writing Config. The TFTP Current Transfer Bytes item will reflect the number of bytes transferred.
  • Page 331: Appendix A - Troubleshooting

    Troubleshooting This appendix is intended to help you troubleshoot problems you may encounter while setting up and using Motorola Netopia® Embedded Software Version 8.7.4. It also includes information on how to contact Motorola Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics &...
  • Page 332 Verify the accuracy of the default gateway’s IP address (entered in the IP Setup or Easy Setup screen). • Use the Motorola Netopia® Embedded Software Version 8.7.4’s Ping utility, in the Utilities & Diagnostics screen, and try to Ping local and remote hosts. See “Ping”...
  • Page 333: Before Contacting Motorola

    Environment profile • Locate the Router’s model number, product serial number, and firmware version. The serial number is on the bottom of the gateway, along with the model number. The firmware version appears in the Motorola Netopia® Router’s Main Menu screen.
  • Page 334: How To Reach Us

    We can help you with your problem more effectively if you have completed the environment profile in the previous section. If you contact us by telephone, please be ready to supply Motorola Technical Support with the information you used to configure the Router. Also, please be at the site of the problem and prepared to reproduce it and to try some troubleshooting steps.
  • Page 335: Index

    Index-1 Index configuring the console 3-49 Connection profiles console add static route configuring 3-49 Additional LANs 7-3, 7-38 console configuration 3-49 ADSL Line Configuration console-based management advanced configuration configuring with 1-2, 2-1, features Constant Bit Rate (CBR) ALANs 7-38 ATMP 5-17 D.
  • Page 336 Index-2 navigating firewall 10-32 encryption firmware files 5-2, 5-7, 5-16, event history updating with TFTP 11-7 device FTP sessions 10-35 Exposed Addresses general statistics Extended Authentication Generic Routing Encapsulation (GRE) factory default Factory Default from Configuration 10-47 how to reach us filter parts 10-22...
  • Page 337 Index-3 line backup security 10-1 backup IP gateway system utilities and diagnostics 8-16 11-1 connection profiles Network Address Translation management and statistics see NAT 8-16 scheduled connections network problems 8-12 WAN configuration network status overview 8-7, Logging 3-55 output filter 1 10-34 MAC Address Authentication 3-47...
  • Page 338 Index-4 routing tables technical syslog 7-6, 3-55 scheduled connections technical support 2-16 adding telnet 2-18 deleting access 2-21 10-19 modifying terminal emulation software 2-21 once-only configuring 2-20 viewing TFTP 2-17 weekly defined 2-19 11-6 security downloading configuration files 11-7 filters transferring files 10-20–10-35 11-6...
  • Page 339 Index-5 uploading configuration files 11-8 with TFTP 11-8 utilities and diagnostics 11-1 Variable Bit Rate (VBR) viewing scheduled connections 2-17 Virtual Private Networks (VPN) Virtual Redundant Routers Virtual Router Redundancy Protocol 7-34 allowing through a firewall 5-23 ATMP tunnel options 5-14 default answer profile 5-17...
  • Page 340 Index-6...
