Draytek Vigor2900 Series Security Router User Manual

Vigor2900 Series
Security Router
User's Guide
Version: 2.0
Date: 2006/1/16
Copyright 2005 All rights reserved.
This publication contains information that is protected by copyright. No part may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright
holders. The scope of delivery and other details are subject to change without prior notice.
Microsoft is a registered trademark of Microsoft Corp.
Windows, Windows 95, 98, Me, NT, 2000, XP and Explorer are trademarks of Microsoft Corp.
Apple and Mac OS are registered trademarks of Apple Computer Inc.
Other products may be trademarks or registered trademarks of their respective manufacturers.

Summary of Contents for Draytek Vigor2900 Series Security Router

  • Page 3: Table Of Contents

    Preface (p. 1); 1.1 LED Indicators and Connectors (p. 1); 1.1.1 Front and Rear View for Vigor2900 (p. 2); 1.1.2 Front and Rear View for Vigor2900G (p. 3); 1.1.3 Front and Rear View for Vigor2900Gi (p. 4); 1.1.4 Front and Rear View for Vigor2900i (p. 5); 1.1.5 Front and Rear View for Vigor2900V ...
  • Page 4 3.1 Dynamic DNS Setup (p. 53); 3.2 Call Control and PPP/MP Setup (p. 55); 3.3 Call Schedule Setup (p. 56); 3.4 NAT Setup (p. 58); 3.4.1 Configure Port Redirection Table (p. 59); 3.4.2 DMZ Host Setup (p. 61); 3.4.3 Open Ports Setup (p. 62); 3.4.4 View Well-Known Ports List ...
  • Page 5 4.7.2 Triggered Dial-out Packet Header (p. 132); 4.7.3 Viewing Routing Table (p. 132); 4.7.4 View ARP Cache Table (p. 133); 4.7.5 Viewing DHCP Assigned IP Addresses (p. 134); 4.7.6 View NAT Port Redirection Running Table (p. 134); 4.7.7 View NAT Active Sessions Table (p. 134); 4.8 Reboot System ...
  • Page 7: Preface

    Targeting the requirements of residential, SOHO (Small Office and Home Office) and business users, the Vigor2900 series provides exceptional bandwidth for Internet access. To secure your network, the Vigor2900 series provides an advanced firewall with features such as NAT with multi-VPN pass-through, Stateful Packet Inspection (SPI) to offer network reliability by detecting and blocking malicious penetrating packets, and user-configurable web filtering for parental control against network abuse.
  • Page 8: Front And Rear View For Vigor2900

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. DMZ Host is specified in a certain site. QoS - The QoS function is active. Attack - DoS Defense function is active; Blinking: an attack is detected. VPN - The VPN tunnel is launched.
  • Page 9: Front And Rear View For Vigor2900G

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. QoS - The QoS function is active. WLAN - The wireless LAN function is enabled; Blinking: Ethernet packets are transmitting over the wireless LAN. Attack - DoS Defense function is active.
  • Page 10: Front And Rear View For Vigor2900Gi

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. ISDN - The ISDN network is correctly set up; Blinking: a successful remote connection on the ISDN BRI B1/B2 channel. WLAN - The wireless LAN function is enabled; Blinking: Ethernet packets are transmitting over the wireless LAN.
  • Page 11: Front And Rear View For Vigor2900I

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. ISDN - The ISDN network is correctly set up; Blinking: a successful remote connection on the ISDN BRI B1/B2 channel. QoS - The QoS function is active. Attack - DoS Defense function is active.
  • Page 12: Front And Rear View For Vigor2900V

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. QoS - The QoS function is active. Phone (FXS1, FXS2) - The phone is off hook (the handset of the phone is hanging); Blinking: a phone call is incoming. VPN - The VPN tunnel is launched. Printer - The USB interface printer is ready.
  • Page 13: Front And Rear View For Vigor2900Vg

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. QoS - The QoS function is active. Phone (FXS1, FXS2) - The phone is off hook (the handset of the phone is hanging); Blinking: a phone call is incoming. WLAN - The wireless LAN function is enabled; Blinking: Ethernet packets are transmitting over the wireless LAN.
  • Page 14: Front And Rear View For Vigor2900Vgi

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. ISDN - The ISDN network is correctly set up; Blinking: a successful remote connection on the ISDN BRI B1/B2 channel. Phone - The phone is off hook (the handset of the phone is hanging).
  • Page 15: Front And Rear View For Vigor2900Vi

    LED status explanations: ACT (Activity) - Blinking: the router is powered on and running properly. ISDN - The ISDN network is correctly set up; Blinking: a successful remote connection on the ISDN BRI B1/B2 channel. Phone - The phone is off hook (the handset of the phone is hanging).
  • Page 16: Hardware Installation

    Before starting to configure the router, you have to connect your devices correctly. Connect this device to a router with an Ethernet cable. Connect one port of the 4-port switch to your computer with an RJ-45 cable; this device allows you to connect 4 PCs directly. Connect one end of the power cord to the power port of this device.
  • Page 17: Configuring Basic Settings

    To use the router properly, you need to change the password of the web configuration for security and adjust the primary basic settings. This chapter explains how to set up a password for the administrator and how to adjust the basic settings for accessing the Internet successfully.
  • Page 18 Notice: Some of the settings might not appear as above, because the home page will change slightly according to the features that your router has. Click Administrator Password Setup from the Basic Setup group. Enter the login password (the default is blank) in the Old Password field. Type a new one in the New Password field and retype it in the Retype New Password field.
  • Page 19: Quick Start Wizard

    If your router can be deployed in an environment with high-speed NAT, the configuration provided here can help you deploy and use the router quickly. The first screen of the Quick Start Wizard asks for the login password. After typing the password, please click Next. The following screen will appear.
  • Page 20: Selecting Protocol

    Please select the appropriate time zone for the router. Then, click Next. In the Quick Start Wizard, you can configure the router to access the Internet with different protocol/modes such as PPPoE, PPTP, L2TP, Static IP or DHCP. The router supports the DSL WAN interface for Internet access.
  • Page 21 PPPoE is used by most DSL modem users. All local users can share one PPPoE connection for accessing the Internet. Your service provider will give you the user name, password, and authentication mode. If your ISP provides you with a PPPoE connection, please select PPPoE for this router. The following page will be shown: User Name - Assign a specific valid user name provided by the ISP.
  • Page 22: Pptp

    For PPTP connection, please click PPTP as the protocol. Click Next to see the following page. User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP. Retype Password Retype the password. Obtain an IP address Click this selection to get the IP address from the router automatically...
  • Page 23 PPTP Server IP - Specify the IP address of the PPTP Server. After finishing the settings on this page, click Next to see the following page. Click Finish to save the current settings and restart the router.
  • Page 24: L2Tp

    Note: This setting is available only for Vigor 2900, Vigor 2900G, Vigor 2900Gi and Vigor 2900i. Click L2TP as the protocol. Click Next to see the following page. User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP.
  • Page 25: Static Ip

    Subnet Mask - Type the subnet mask. PPTP Server IP - Specify the IP address of the PPTP Server. After finishing the settings on this page, click Next to see the following page. Click Finish to save the current settings and restart the router. Click Static IP as the protocol.
  • Page 26 Click Next to see the following page. WAN IP - Type the WAN IP address obtained from your ISP. Subnet Mask - Type the subnet mask obtained from your ISP. Gateway - Type the gateway address obtained from your ISP. Primary DNS - Type the IP address of the primary DNS obtained from your ISP. Second DNS - Type the IP address of the secondary DNS.
  • Page 27: Dhcp

    Click DHCP as the protocol. Click Next to see the following page. Host Name Specify the host name for the router. This is an optional setting. The router will detect the MAC address automatically. If not, click Clone MAC Address to obtain it.
  • Page 28: Lan Tcp/Ip And Dhcp Server

    Click Finish to save the current settings and restart the router. The most generic function of the Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router talks to other public hosts on the Internet using its public IP address and to local hosts using its private IP address.
  • Page 29 will serve for IP routing to help hosts in the public subnet communicate with other public hosts or servers outside. Therefore, the router should be set as the gateway for public hosts. The Vigor router will exchange routing information with neighboring routers using RIP to accomplish IP routing.
  • Page 30 You can group local hosts by physical ports and create up to 4 virtual LANs. To manage the communication between different groups, please set up rules in Virtual LAN (VLAN) function and the rate of each. This page provides you the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup.
  • Page 31 DHCP Server You can configure the router to serve as a DHCP server for the 2nd subnet. Start IP Address: Enter a value of the IP address pool for the DHCP server to start with when issuing IP addresses. If the 2nd IP address of your router is 220.135.240.1, the starting IP address must be 220.135.240.2 or greater, but smaller than 220.135.240.254.
  • Page 32 DHCP server for your network. If you want to use another DHCP server in the network other than the Vigor Router’s, you can let Relay Agent help you to redirect the DHCP request to the specified location. Enable Server - Let the router assign IP address to every host in the LAN.
  • Page 33: Isdn Setup

    MSN number. For example, DrayTek provides the Remote Activation (refer to section 3.2) feature for the teleworkers who wish to dial in the head office over the ISDN. With this feature, teleworkers can make a phone call to the router at the head office and ask the router to dial up the ISP. As...
  • Page 34: Wireless Lan Setup

    CAPI software you installed. To employ the VTA feature, please download the VTA drivers (available only to Windows 98SE/2000/XP) from http://www.draytek.com/english/support/download.php. Note: The following is available for G models only. Over recent years, the market for wireless communications has enjoyed tremendous growth.
  • Page 35 Real-time Hardware Encryption: Vigor Router is equipped with a hardware AES encryption engine so it can apply the highest protection to your data without influencing user experience. Complete Security Standard Selection: To ensure the security and privacy of your wireless communication, we provide several prevailing standards on market.
  • Page 36 Example 3: Separate the Wireless and the Wired LAN - WLAN Isolation enables you to isolate your wireless LAN from the wired LAN, either for quarantine or to limit access. To isolate means that neither of the parties can access the other. As an example for business use, you may set up a wireless LAN for visitors only, so they can connect to the Internet without the hassle of confidential information leakage.
  • Page 37: General Settings

    By clicking the General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information. Enable Wireless LAN Check the box to enable wireless function. Mode Select an appropriate wireless mode.
  • Page 38 LAN. The SSID can be any text, numbers or special characters. Channel - The frequency channel of the wireless LAN. The default channel is 6. You may switch channel if the selected channel suffers serious interference. Hide SSID - Check it to prevent wireless sniffing and make it harder for unauthorized clients or STAs to join your wireless LAN.
  • Page 39: Security

    By clicking the Security Settings, a new web page will appear so that you could configure the settings of WEP and WPA. Mode There are several modes provided for you to choose. Disable - Turn off the encryption mechanism. WEP Only - Accepts only WEP clients and the encryption key should be entered in WEP Key.
  • Page 40 applicable if you select WPA/PSK. WEP/802.1x or WPA/802.1x - Accept WEP or WPA clients with 802.1x authentication. Only Mixed (WPA+WPA2) is applicable if you select WPA/PSK. Since the key will be auto-negotiated during authentication, the key setting field below will not be available for input. WPA/PSK Only - Accepts WPA clients and the encryption key should be entered in PSK.
  • Page 41: Access Control

    All wireless devices must support the same WEP encryption bit size and have the same key. Four keys can be entered here, but only one key can be selected at a time. The keys can be entered in ASCII or Hexadecimal. Check the key you wish to use.
  • Page 42: Station List

    Client’s MAC Address Manually enter the MAC address of wireless client. Attribute v - select to apply VPN to the connection of the wireless client of the MAC address. s - select to isolate the wireless connection of the wireless client of the MAC address from LAN.
  • Page 43: Internet Access Setup

    The Quick Start Wizard offers users an easy method to quickly set up the connection mode for the router. Moreover, if you want to adjust more settings for different WAN modes, please go to the Quick Setup group and click the Internet Access Setup link. This section will introduce some basic concepts of the Internet and explain the connection modes in detail.
  • Page 44: Pppoe

    If your router supports the ISDN function, you will get the following page with ISDN dial-up Internet Access. The following sections will introduce the Internet Access Modes. As a CPE device, the Vigor router encapsulates the PPP session for transport across the ADSL loop and your ISP's Digital Subscriber Line Access Multiplexer (DSLAM).
  • Page 45 PPPoE Link Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid. ISP Name Type in the ISP Name provided by ISP in this field. Username Type in the username provided by ISP in this field.
  • Page 46 By checking the checkbox Join NAT IP Pool, data from NAT hosts will be round-robin forwarded on a session basis. If you do not check Join NAT IP Pool, you can still use these public
  • Page 47: Static Or Dynamic Ip

    IP addresses for other purposes, such as DMZ host or Open Ports. WAN physical type - Check and choose a proper duplex type between this device and the other router that you want to communicate with. Both sides should use the same physical type; otherwise, the connection might fail due to an inconsistent type.
  • Page 48 Access Control - Click Enable to activate this function. If you click Disable, this function will be closed and all the settings that you adjusted on this page will be invalid. ISDN Dial Backup Setup - This setting is available only for the routers supporting the ISDN function.
  • Page 49 PING Interval - Enter the interval for the system to execute the PING operation. WAN physical type - Check and choose a proper duplex type between this device and the other router that you want to communicate with. Both sides should use the same physical type;...
  • Page 50: Pptp

    Specify an IP address – Click this radio button to specify some data if you want to use Static IP mode. IP Address – Type the IP address. Subnet Mask – Type the subnet mask. Gateway IP Address – Type the gateway IP address. DNS Server IP Address – Type in the primary IP address for the router if you want to use...
  • Page 51 PPTP Setup PPTP Link - Click Enable to enable a PPTP client to establish a tunnel to a DSL modem on the WAN interface. PPTP Server - Specify the IP address of the PPTP server. ISP Access Setup ISP Name - Type in the ISP Name provided by ISP in this field. Username -Type in the username provided by ISP in this field.
  • Page 52: L2Tp

    Idle Timeout - Set the time after which the Internet connection is dropped when there has been no activity. IP Address Assignment Method (IPCP) - Fixed IP: Usually the ISP dynamically assigns an IP address to you each time you connect to it and make a request. In some cases, your ISP provides a service that always assigns you the same IP address whenever you request one.
  • Page 53 L2TP Setup L2TP Link - Click Enable to enable a L2TP client to establish a tunnel to a DSL modem on the WAN interface. L2TP Server - Specify the IP address of the L2TP server. ISP Access Setup ISP Name - Type in the ISP Name provided by ISP in this field. Username -Type in the username provided by ISP in this field.
  • Page 54: Dialing To A Single Isp

    use the same physical type; otherwise, the connection might fail due to an inconsistent type. It is recommended that you set Auto negotiation as the physical type. If you access the Internet via a single ISP, press this link. ISP Name - Enter your ISP name.
  • Page 55: Dialing To A Dual Isps

    Idle Timeout - Idle timeout means the router will disconnect after being idle for a preset amount of time. The default is 180 seconds. If you set the time to 0, the ISDN connection to the ISP will always remain on. Fixed IP - In most environments, you should not change these settings, as most ISPs provide a dynamic IP address for the router when it connects to...
  • Page 56 The Virtual TA client only supports the CAPI 2.0 protocol and has no built-in FAX engine. One ISDN BRI interface has two B channels. The maximum number of active clients is also two. Before you configure the Virtual TA, you must set the correct country code. As depicted in the above application scenario, the Virtual TA client can make an outgoing call or accept an incoming call to/from a peer FAX machine or ISDN TA, etc.
  • Page 57 Virtual TA Server Enable: Select it to activate the server. Disable: Select it to deactivate the server. All Virtual TA applications will be terminated. Username Enter the username of a specific client. Password Enter the password of a specific client. MSN1/ MSN2/MSN3 MSN stands for Multiple Subscriber Number.
  • Page 58 On the client - Right-click the mouse on the VT icon. The following pop-up menu will be shown. Click the Virtual TA Login tab to launch the login box. Enter the Username/Password and then click OK. After a short time, the VT icon text will turn green.
  • Page 59: Dynamic Dns Setup

    After finishing the basic configuration of the router, you can access the Internet with ease. For people who want to adjust more settings to suit their needs, please refer to this chapter for detailed information about the advanced configuration of this router. For other application examples, please refer to chapter 4.
  • Page 60 Active - Displays whether this account is active or inactive. View Log - Opens another dialog and shows the log of DDNS information. Force Update - Click this button to get the newest DDNS information. Select Index number 1 to add an account for the router. Check Enable Dynamic DNS Account, choose the correct Service Provider: dyndns.org, and type the registered hostname: hostname and domain name suffix: dyndns.org in the Domain Name block.
  • Page 61: Call Control And Ppp/Mp Setup

    Some applications require that the router (only for the i models) be remotely activated, or be able to dial up to the ISP via the ISDN interface. Vigor routers provide this feature which allows you to make a phone call to the router and then ask it to dial up to the ISP. Accordingly, you can access your remote network to retrieve resources.
  • Page 62: Call Schedule Setup

    Note: If you are not sure whether your ISP can support BOD and/or ML-PPP’s features, please seek assistance from your ISP, local dealers or our website: support@draytek.com. The Vigor router has a built-in real time clock which can update itself manually or automatically by means of Network Time Protocols (NTP).
  • Page 63 Index Click the number below Index to access into the setting page of schedule. Status Display if this schedule setting is active or inactive. You can set up to 15 schedules. Then you can apply them to your Internet Access or VPN and Remote Access >>...
  • Page 64: Nat Setup

    Disable Dial-On-Demand - Specify the connection to be up when there is traffic on the line. Once there is no traffic for the idle timeout, the connection will go down and will not come up again during the schedule. Idle Timeout - Specify the duration (or period) for the schedule. How often - Specify how often the schedule will be applied.
  • Page 65: Configure Port Redirection Table

    On NAT page, you will see the private IP address defined in RFC-1918. Usually we use the 192.168.1.0/24 subnet for the router. As stated before, the NAT facility can map one or more IP addresses and/or service ports into different specified services. In other words, the NAT function can be achieved by using port mapping methods.
  • Page 66 Service Name Enter the description of the specific network service. Protocol Select the transport layer protocol (TCP or UDP). Public Port Specify which port can be redirected to the specified Private IP and Port of the internal host. Private IP Specify the private IP address of the internal host providing the service.
  • Page 67: Dmz Host Setup

    As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN.
  • Page 68: Open Ports Setup

    Enable Check to enable the DMZ Host function. Private IP Enter the private IP address of the DMZ host, or click Choose PC to select one. Choose PC Click this button and then a window will automatically pop up, as depicted below.
  • Page 69 Index - Indicates the relative number of the particular entry for which you want to offer a service on a local host. You should click the appropriate index number to edit or clear the corresponding entry. Comment - Specify the name for the defined network service. Aux.
  • Page 70 However, if you previously have set up WAN Alias in Internet Access>>PPPoE, you will find that WAN IP appeared for your selection. Enable Open Ports Check to enable this entry. Comment Make a name for the defined network application/service. Local Computer Enter the private IP address of the local host or click Choose PC to select one.
  • Page 71: View Well-Known Ports List

    There is a list providing some well-known port numbers of certain services/applications for your reference. If you have a group of static public IP addresses obtained from your ISP, you can use the Multi-NAT feature to set up multiple DMZ hosts or multiple hosts with open ports on your Vigor router.
  • Page 72 When you press the WAN IP Alias button, a window will show up for you to input other public IP addresses. The Join NAT IP Pool check box indicates that the local users can use this IP to connect to the Internet. If you do not check this check box, this IP address will not be available to the local users.
  • Page 73: Radius Setup

    Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users. The built-in RADIUS client feature enables the router to assist the remote dial-in user or a wireless station and the RADIUS server in performing mutual authentication.
  • Page 74: Static Route Setup

    Shared Secret The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. Re-type Shared Secret Re-type the Shared Secret for confirmation. Choose Static Route Setup on the Advanced Setup group.
  • Page 75 is that those hosts on the internal private subnets (ex. 192.168.10.0/24) can access the Internet via the router, and continuously exchange IP routing information with different subnets. Click Index Number 1 from the Static Route Configuration page. Please add a static route as shown below, which specifies that all packets destined to 192.168.10.0 will be forwarded to 192.168.1.2.
  • Page 76 Click the Index Number that you want to delete from the Static Route Configuration page. Select Empty/Clear from the drop-down menu, and then click the OK button to delete the route.
  • Page 77 Click the Index Number that you want to disable from the Static Route Configuration page. Select Inactive/Disable from the drop-down menu, and then click the OK button to disable the route.
  • Page 78: Ip Filter/Firewall Setup

    While broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has always been the biggest concern. The firewall of the Vigor router helps to protect your local network against attacks from unauthorized outsiders. It can also restrict users in the local network from accessing the Internet.
  • Page 79 Data Filter - When there is an existing Internet connection, Data Filter is applied to incoming and outgoing traffic. It will check packets according to the filter rules. If legal, the packet will pass the router. The following illustrations are flow charts explaining how router will treat incoming traffic and outgoing traffic respectively.
  • Page 80 The DoS Defense functionality helps you to detect and mitigate DoS attacks. The attacks are usually categorized into two types, flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to exhaust all your system's resources, while vulnerability attacks try to paralyze the system by exploiting vulnerabilities of the protocol or operating system.
  • Page 81 We all know that content on the Internet, just like other types of media, may sometimes be inappropriate. As a responsible parent or employer, you should protect those in your trust against the hazards. With the Web filtering service of the Vigor router, you can protect your business from common primary threats, such as productivity loss, legal liability, and network and security threats.
  • Page 82 Filter Rule Click a button numbered (1 ~ 7) to edit the filter rule. Click the button will open Edit Filter Rule web page. For the detailed information, refer to the following page. Active Enable or disable the filter rule. Comment Enter filter set comments/description.
  • Page 83 Pass or Block Specifies the action to be taken when packets match the rule. Block Immediately - Packets matching the rule will be dropped immediately. Pass Immediately - Packets matching the rule will be passed immediately. Block If No Further Match - A packet matching the rule, and that does not match further rules, will be dropped.
  • Page 84 Don’t care -No action will be taken towards fragmented packets. Unfragmented -Apply the rule to unfragmented packets. Fragmented - Apply the rule to fragmented packets. Too Short - Apply the rule only to packets that are too short to contain a complete header. IP Address Specify a source and destination IP address for this filter rule to apply to.
  • Page 85: General Setup

    To set a simple example to restrict someone from accessing WWW services, we assume the IP address of the access-restricted user is 192.168.1.10. The filter rule is created in the Data Filter set and is shown as below. General Setup allows you to adjust settings of IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter.
  • Page 86: Mac Address Control

    Call Filter Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter. Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Log Flag For troubleshooting needs you can specify the filter log here.
  • Page 87: Dos Defense

    Active - Check this box to invoke this setting. MAC Address - Type in the MAC Address of the device that the router connects to. Pass Scheduler (1..15) - Allow the device with the specific MAC address to pass only within a certain time interval. You may choose up to 4 schedules out of the 15 schedules pre-defined in Call Schedule Setup in the Advanced Setup group.
  • Page 88 Enable DoS Defense - Check the box to activate the DoS Defense functionality. Enable SYN flood - Check the box to activate the SYN flood defense function. Once the rate of TCP SYN packets exceeds the value defined in Threshold, the Vigor router will start to discard the subsequent TCP SYN packets for the period defined in Timeout.
  • Page 89 header. The reason for the limitation is that the IP option appears to be a security vulnerability for the LAN, because it can carry significant information, such as security and TCC (closed user group) parameters, a series of Internet addresses, routing messages, etc. An eavesdropper outside might learn the details of your private networks.
  • Page 90: Url Content Filter

    the protocol types greater than 100 are reserved and undefined at this time. Therefore, the router should have ability to detect and reject this kind of packets. Warning Messages We provide Syslog function for user to retrieve message from Vigor router.
  • Page 91 Enable URL Access Control - Check the box to activate URL Access Control. Block websites with matching keywords - Click this button to restrict access to the corresponding webpages with the keywords listed in the box below. Allow websites with matching keywords - Click this button to allow access to the corresponding webpages with the keywords listed in the box below.
  • Page 92 Prevent web access from IP address - Check the box to deny any web surfing activity that uses an IP address, such as http://202.6.3.2. The reason for this is to prevent someone from dodging the URL Access Control. You must clear your browser cache first so that the URL content filtering facility operates properly on a web page that you visited before.
  • Page 93: Web Content Filter (For V Models Only)

    Choose IP Filter/Firewall Setup in the Advanced Setup group and click the Web Content Filter link. For this section, please refer to the Web Content Filter user's guide.
  • Page 94: IM Blocking

    IM Blocking means instant messenger blocking. You will see a list of common IM applications (such as MSN, Yahoo, ICQ/AOL). Check Enable IM Blocking and select the one(s) that you want to block. To block the selected IM applications during specific periods only, enter the number of the schedule predefined in Call Schedule Setup.
  • Page 95 Action: Specify the action for each protocol. Allow – allow the client to access the application through the specified protocol. Disallow – forbid the client from accessing the application through the specified protocol. Disallow upload – forbid the client from uploading to the application through the specified protocol.
  • Page 96: VPN and Remote Access Setup

    A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, with VPN technology you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link.
  • Page 97 Dial-In PPP Authentication: PAP Only - Select this option to force the router to authenticate dial-in users with the PAP protocol. PAP or CHAP - Select this option to have the router attempt to authenticate dial-in users with the CHAP protocol first.
  • Page 98: VPN IKE/IPSec General Setup

    In IPSec General Setup there are two major parts of the configuration, corresponding to the two phases of IPSec. Phase 1: negotiation of the IKE parameters, including encryption, hash, Diffie-Hellman parameter values, and lifetime, to protect the following IKE exchange, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509). The peer that starts the negotiation proposes all its policies to the remote peer, and the remote peer then tries to find the highest-priority match among its own policies.
  • Page 99: Remote User Profile Setup (Teleworker)

    (data) will be encrypted and authenticated. You may select the encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. You can manage remote access by maintaining a table of remote user profiles, so that users can be authenticated to dial in or build the VPN connection. You may set parameters including the specified connection peer ID, the connection type (VPN including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and the corresponding security methods, etc.
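The proposal matching described in the IKE/IPSec General Setup passage above (Phase 1 parameters, and the Phase 2 choice among DES, 3DES and AES), as an added Python example that is not the router's own code: the responder keeps its policies in priority order, the initiator offers all of its proposals at once, and the responder takes the first policy of its own list that the initiator also offered. The policy values, the `Proposal` type and the rule that the shorter lifetime wins are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    """One IKE (phase 1) or IPSec (phase 2) policy; lifetime is in seconds.

    For phase 2 the Diffie-Hellman group and the authentication method do
    not apply, so they are given as 0 and "" respectively.
    """
    encryption: str   # "DES", "3DES" or "AES" (the choices the page lists)
    hash: str         # e.g. "MD5" or "SHA1"
    dh_group: int     # Diffie-Hellman group number, 0 when not applicable
    auth: str         # "PSK" (pre-shared key) or "RSA-SIG" (X.509 signature)
    lifetime: int

    def key(self):
        # Lifetime is deliberately not part of the match; it is reconciled below.
        return (self.encryption, self.hash, self.dh_group, self.auth)


def negotiate(responder_policies: Sequence[Proposal],
              initiator_proposals: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the highest-priority responder policy that the initiator also
    offered, or None when nothing matches.

    ``responder_policies`` is ordered from highest to lowest priority; the
    initiator sends all its proposals at once, so the responder walks its own
    list and takes the first hit.  Assumption: when both sides agree on the
    algorithms but differ on lifetime, the shorter lifetime is used.
    """
    offered = {p.key(): p for p in initiator_proposals}
    for policy in responder_policies:
        match = offered.get(policy.key())
        if match is not None:
            return Proposal(*policy.key(),
                            lifetime=min(policy.lifetime, match.lifetime))
    return None


# Constructed sample policies (not taken from any real router configuration).
PHASE1_RESPONDER = [
    Proposal("AES",  "SHA1", 2, "PSK", 28800),   # preferred
    Proposal("3DES", "SHA1", 2, "PSK", 28800),
    Proposal("DES",  "MD5",  1, "PSK", 28800),   # weakest, last resort
]
PHASE1_INITIATOR = [
    Proposal("DES",  "MD5",  1, "PSK", 3600),    # initiator lists DES first...
    Proposal("3DES", "SHA1", 2, "PSK", 3600),    # ...but responder priority wins
]
PHASE2_RESPONDER = [Proposal("AES", "SHA1", 0, "", 3600),
                    Proposal("3DES", "MD5", 0, "", 3600)]
PHASE2_INITIATOR = [Proposal("3DES", "MD5", 0, "", 3600)]


def phase1_example() -> Optional[Proposal]:
    return negotiate(PHASE1_RESPONDER, PHASE1_INITIATOR)


def phase2_example() -> Optional[Proposal]:
    return negotiate(PHASE2_RESPONDER, PHASE2_INITIATOR)


def mismatch_example() -> Optional[Proposal]:
    # Initiator insists on signatures while the responder only has PSK policies.
    return negotiate(PHASE1_RESPONDER,
                     [Proposal("AES", "SHA1", 2, "RSA-SIG", 3600)])


if __name__ == "__main__":
    print("phase 1:", phase1_example())
    print("phase 2:", phase2_example())
    print("mismatch:", mismatch_example())
```

Note that the initiator's own ordering does not decide the outcome: the responder selects 3DES/SHA1 because that is the highest entry of its own list that was offered, which is why the page advises choosing a proposal combination that covers the most schemes.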
  • Page 100 Enable this account: Check the box to enable this account. Idle Timeout: If the dial-in user is idle for longer than the timer limit, the router will drop the connection. By default, the Idle Timeout is set to 300 seconds. ISDN: Allow the remote ISDN dial-in connection.
  • Page 101: LAN to LAN Profile Setup

    IKE Pre-Shared Key: Check the Pre-Shared Key box to invoke this function and type in the required characters (1-63) as the pre-shared key. IPSec Security Method: This group of fields is required for IPSec Tunnels and for L2TP with IPSec Policy when you specify the remote node.
  • Page 102 Click to clear all indexes. Name: Indicates the name of the LAN-to-LAN profile. The symbol ??? indicates that the profile is empty. Status: Indicates the status of the individual profile. The symbols V and X represent an active and an inactive profile, respectively. Click an index to edit that profile and you will get the following page.
  • Page 103 Profile Name: Specify a name for the profile of the LAN-to-LAN connection. Enable this profile: Check here to activate this profile. Call Direction: Specify the allowed call direction of this LAN-to-LAN profile. Both - initiator/responder; Dial-Out - initiator only; Dial-In - responder only. Always On or Idle Timeout: Always On - check to have the router keep the VPN connection up permanently.
  • Page 104 User Name, Password, PPP Authentication: These fields are applicable when you select PPTP or L2TP, with or without IPSec policy, above.
  • Page 105 Main mode. IKE phase 1 proposal - Propose the locally available authentication schemes and encryption algorithms to the VPN peer, and use its feedback to find a match. Two combinations are available for Aggressive mode and nine for Main mode. We suggest you select the combination that covers the most schemes.
  • Page 106 Allowed Dial-In Type: Determine which types of dial-in connection are allowed. ISDN: Allow the remote ISDN dial-in connection. You can further set up the Callback function below. You should set the User Name and Password of the remote dial-in user below. This feature is available on the i model only.
  • Page 107 methods on the right side. If you uncheck the checkbox, the connection type you selected above will use the authentication methods and security methods from the general settings. User Name: This field is applicable when you select PPTP or L2TP, with or without IPSec policy, above.
  • Page 108: UPnP Service Setup

    phase. If the PPP IP address is fixed by the remote side, specify the fixed IP address here. Remote Network IP / Remote Network Mask: Add a static route to direct all traffic destined for this Remote Network IP Address / Remote Network Mask through the VPN connection.
  • Page 109 your applications to operate. Otherwise you have to set up port mappings manually or use other similar methods. The screenshots below show examples of this facility. The UPnP facility on the router enables UPnP-aware applications such as MSN Messenger to discover what is behind a NAT router.
  • Page 110: VoIP Setup

    UPnP weaknesses have been found in some Microsoft operating systems, so you need to ensure that you have applied the latest service packs and patches. Non-privileged users can control some router functions, including removing and adding port mappings. The UPnP function dynamically adds port mappings on behalf of some UPnP-aware applications.
  • Page 111 The major benefit of this mode is that you don't have to memorize your friend's IP address, which might change very frequently if it is dynamic. Instead, you only have to use the dial plan or dial your friend's account name directly if you are on the same SIP Registrar.
  • Page 112: DialPlan Setup

    In this section, you can set your VoIP contacts in the "phonebook" that we call DialPlan, which helps you make calls quickly and easily by using a "speed-dial" Phone Number. There are 60 index entries in total in the DialPlan for you to store all your friends' and family members' SIP addresses.
  • Page 113: SIP Related Functions Setup

    In this section, you set up your own SIP settings. When you apply for an account, your SIP service provider will give you an Account Name or user name, SIP Registrar, Proxy, and Domain name (the last three might be the same in some cases). Then you can tell your folks your SIP Address in the form Account Name@Domain name. When the Vigor VoIP Router is turned on, it will first register with the Registrar using accountname@Domain/Realm.
  • Page 114 choose None and check the box to achieve the goal. Some SIP servers allow users to use the VoIP function without registering. For such a server, please check the box make call without register. Choosing Auto is recommended; the system will then select a proper way for your VoIP call.
  • Page 115: Codec/RTP/DTMF Setup

    The codec used for each call can be negotiated with the peer party before each session. Mic/Speaker Gain: Adjust the volume of the microphone and speaker by entering a number from 1 to 10. The larger the number, the louder the volume. Default Codec: There are five different CODECs you can choose from as the preferred CODEC that you wish to use.
  • Page 116 will contain 20 ms of voice information. The more data a single packet contains, the less overhead it creates, but may increase. Voice Active Detector: Choose On to enable this function, which detects whether the user is talking. If it is silent, the Vigor router will take action to save bandwidth.
  • Page 117: Tone Settings

    Dial Tone Power Level: This setting adjusts the loudness of the dial tone. The smaller the number, the louder the dial tone. It is recommended that you use the default setting. Ring Frequency: This setting sets the frequency of the ring tone. It is recommended that you use the default setting.
  • Page 118: Voice Call Status

    supports, please use the default setting. On VoIP call status, you can find the codec, connection and other important call status for both the VoIP 1 and VoIP 2 ports. Refresh Seconds: Specify the refresh interval for obtaining the latest VoIP call information.
  • Page 119: VLAN/Rate Control

    Rx Pkts: Total number of voice packets received during this connection session. Rx Losts: Total number of packets lost during this connection session. Rx Jitter: The jitter of received voice packets. In Calls: The accumulated in-call time. Out Calls: The accumulated out-call time. Volume Gain: The volume of the present call.
  • Page 120 Enable: Check this box to enable this function (for VLAN Configuration). P1 – P4: Check the box to group the computer connected to that port into the specified VLAN. Be aware that a port can be grouped into different VLANs at the same time only if you check the corresponding boxes.
  • Page 121: QoS Control Setup

    To remove a VLAN, uncheck the corresponding box and click OK to save the result. Deploying QoS (Quality of Service) management to guarantee that all applications receive the required service levels and sufficient bandwidth to meet performance expectations is indeed one important aspect of the modern enterprise network. One reason for QoS is that numerous TCP-based applications tend to continually increase their transmission rate and consume all available bandwidth, which is called TCP slow start.
  • Page 122 Vigor routers, as edge routers of a DS domain, shall check the DSCP value marked in the IP header of passing traffic, and thus allocate a certain amount of resources and execute appropriate policing, classification or scheduling. The core routers in the backbone will do the same checking before applying treatments, in order to ensure service-level consistency throughout the whole QoS-enabled network.
  • Page 123 Reserved Bandwidth Ratio: Reserved for the group index, expressed as the ratio of reserved bandwidth to upstream speed and the ratio of reserved bandwidth to downstream speed. Setup: There are two levels of settings: Basic - set up the Reserved Bandwidth Ratio according to the traffic service type.
  • Page 124 level type by the system. Please assign one of the levels to the data for processing with QoS control. Service Type – Determines the service type of the data for processing with QoS control. It can also be edited. Simply click the Add/Edit/Delete button to access the following page.
  • Page 125 Please type in the service name and select the Service type (TCP, UDP or both). Next choose one of the port configuration types (Single or Range) and type in the port number or port range. Enable UDP Bandwidth Control: Check this and set the limited bandwidth ratio in the field on the right.
  • Page 127: System Management

    The Online Status page shows the basic network settings of the Vigor router, including LAN and WAN interface information. You can also get the current running firmware version and related firmware information from this page. Primary DNS: Displays the assigned IP address of the primary DNS server. Secondary DNS: Displays the assigned IP address of the secondary DNS server.
  • Page 128: Configuration Backup/Restoration

    Displays the VPN connection name. Type: Displays the VPN connection type. Remote IP: Displays the remote IP of the VPN connection. Virtual Network: Displays the IP address and subnet mask of the virtual network. Tx Pkts: Displays the total transmitted packets. Tx Rate: Displays the speed of transmitted packets.
  • Page 129 Click the Backup button to open the following dialog. Click the Save button to open another dialog for saving the configuration as a file. In the Save As dialog, the default filename is config.cfg; you may give it another name.
  • Page 130 After you click the Save button, the configuration will be downloaded automatically to your computer as a file named config.cfg. The above example uses the Windows platform for demonstration. On Mac or Linux the windows will look different, but the backup function is still available.
  • Page 131 Click Configuration Backup/Restoration in the System Management group. The following window will pop up. Click the Browse button to choose the correct configuration file for uploading to the router. Click the Restore button and wait a few seconds; the following picture will tell you that the restoration procedure was successful.
  • Page 132: Syslog/Mail Alert Setup

    SysLog is a popular utility in the Unix world. To monitor router activity, you can run a SysLog daemon to capture all activities from the router. This daemon program can run on a local PC or on a remote one elsewhere on the Internet. In addition, Vigor routers provide the Mail Alert facility so that SysLog messages can be packed into an e-mail for someone who wants to receive them.
  • Page 133 From the Syslog screen, select the router you want to monitor. Be reminded that in Network Information you must select the network adapter used to connect to the router; otherwise you won't succeed in retrieving information from the router.
  • Page 134 The Vigor router sends many types of SysLog messages. Some examples of SysLog messages with their individual formats are shown below: an example of a User Access log message; an example of a WAN log message to record the status of the VPN/IPSec tunnel; and an example of a VPN (IPSec) log message to record the status of the VPN/IPSec tunnel.
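The SysLog daemon side of the setup described above, as an added Python example that is not DrayTek's software: it parses BSD-style syslog lines (the `<PRI>` header, timestamp, host and message), sorts them into the User Access, WAN and VPN families the page names, and picks out sources with repeated failed logins, which is the kind of condition you would want forwarded through the Mail Alert facility. The sample lines, the message wording and the `WAN:`/`VPN:`/`Login` prefixes are constructed for this example; the manual shows the real message formats only as screenshots.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# BSD syslog line: <PRI>TIMESTAMP HOST MESSAGE (RFC 3164 layout).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def classify(message: str) -> str:
    """Map a message to the three families the page mentions, or 'Other'.

    The keyword prefixes are an assumption for this example.
    """
    if message.startswith("WAN:"):
        return "WAN"
    if message.startswith("VPN:"):
        return "VPN"
    if message.startswith("Login "):
        return "User Access"
    return "Other"


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into PRI-derived facility/severity and fields.

    Returns None for lines without a valid PRI header, so a collector can
    count and skip malformed input instead of crashing on it.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # 8 * 23 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
        "category": classify(m["msg"]),
    }


def failed_logins_by_source(records, limit: int) -> Dict[str, int]:
    """Sources with at least ``limit`` failed logins in the batch."""
    counts = Counter()
    for rec in records:
        m = re.search(r"Login failed from (\S+)", rec["message"])
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= limit}


def analyze(lines: List[str], limit: int = 3) -> Dict[str, object]:
    """Parse a batch of lines and summarise what a daemon would report."""
    records = [r for r in map(parse_syslog, lines) if r is not None]
    return {
        "parsed": len(records),
        "malformed": len(lines) - len(records),
        "by_category": dict(Counter(r["category"] for r in records)),
        "suspicious_sources": failed_logins_by_source(records, limit),
    }


# Constructed sample lines in the layout above; the addresses are from the
# documentation ranges and the wording is invented for the example.
SAMPLE_LINES = [
    "<134>Jan 16 10:00:01 Vigor2900 WAN: PPPoE connected, IP=203.0.113.5",
    "<133>Jan 16 10:00:05 Vigor2900 VPN: IPSec tunnel to 198.51.100.7 established",
    "<132>Jan 16 10:01:10 Vigor2900 Login failed from 192.0.2.44 (admin)",
    "<132>Jan 16 10:01:12 Vigor2900 Login failed from 192.0.2.44 (admin)",
    "<132>Jan 16 10:01:15 Vigor2900 Login failed from 192.0.2.44 (admin)",
    "<134>Jan 16 10:02:00 Vigor2900 Login succeeded from 192.168.1.10 (admin)",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

A PRI of 134 decodes to facility 16 (local0) with severity info; the three repeated failures from one address cross the default limit of three and are reported as a suspicious source, while the malformed line is counted rather than silently dropped.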
  • Page 135: Time Setup

    This page allows you to specify where the router should obtain its time from. Current System Time: Click Inquire Time to get the current time. Use Browser Time: Select this option to use the browser time of the remote administrator's PC as the router's system time.
  • Page 136: Management Setup

    The port number used to send/receive SIP messages for building a session. The default value is 5060, and it must match the peer Registrar when making VoIP calls. Enable remote firmware upgrade: Check the checkbox to allow remote firmware upgrades through FTP (File Transfer Protocol).
  • Page 137: Diagnostic Tools

    Trap Community: Set the trap community by typing a proper name. The default setting is public. Notification Host IP: Set the IP address of the host that will receive the traps. Trap Timeout: The default setting is 10 seconds. Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. The menu items for Diagnostics are shown below.
  • Page 138: Triggered Dial-Out Packet Header

    Dial ISDN: Clicking here causes the router to dial the preset ISP. Click Internet Access Setup > Dial to a Single ISP to configure the dial-up settings. Activity: Displays the connection name for each B channel. If the B channel is idle, it shows Idle. Drop B1: Click it to disconnect the B1 channel.
  • Page 139: View ARP Cache Table

    Click it to reload the page. To the left of each routing rule you will see a key. These keys are defined as follows: C --- directly connected; S --- static route; R --- RIP; * --- default route; ~ --- routes for the private routing domain. To the right of each routing rule you will see an interface identifier, which is defined as follows.
  • Page 140: Viewing DHCP Assigned IP Addresses

    Click it to clear the whole table. This facility provides information on IP address assignments, which is helpful in diagnosing network problems such as IP address conflicts. Click Diagnostics and then DHCP Table to open the web page. Click it to reload the page.
  • Page 141: Reboot System

    Click it to reload the page. Each line across the screen indicates an active session. The following information is displayed: Private IP:Port - the internal user's (PC's) IP address and port number. #Pseudo Port - the public port number. Peer IP:Port - the peer user's (PC's) IP address and port number. Ifno - stands for interface number.
  • Page 142: Firmware Upgrade (TFTP Server)

    Note that this example runs on the Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.draytek.com (or your local DrayTek web site) and the FTP site is ftp.draytek.com.
  • Page 143: Application and Examples

    The most common case is that you want to connect two networks securely, such as a remote branch office and the headquarters. According to the network structure shown in the illustration below, you may follow these steps to create a LAN-to-LAN profile. The two networks (LANs) must NOT have the same network address.
  • Page 144 To use PPP-based services such as PPTP and L2TP, you have to configure the general settings in PPP General Setup. To use IPSec-based services such as IPSec or L2TP with IPSec Policy, you have to configure the general settings in IPSec General Setup, such as the pre-shared key that both parties know.
  • Page 145 Set Common Settings as shown below. You should enable this profile. Set Dial-Out Settings as shown below to dial to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection.
  • Page 146 Set Dial-In settings as shown below to allow Router B to dial in and build the VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
  • Page 147 Settings for Router B in the remote office: Choose VPN and Remote Access Setup in the Advanced Setup group. Select Remote Access Control Setup; the following page will appear. Enable the necessary VPN service and click OK. Then return to the VPN and Remote Access Setup page and choose PPP General Setup. To use PPP-based services such as PPTP and L2TP, you have to configure the general settings in PPP General Setup.
  • Page 148 Return to the VPN and Remote Access Setup page and choose LAN-to-LAN Profile Setup. Click an index number to edit a profile. Set Common Settings as shown below. You should enable both VPN connections, because either party may start the VPN connection. Set Dial-Out Settings as shown below to dial to Router B aggressively with the selected Dial-Out method.
  • Page 149 If a PPP-based service is selected, you should further specify the remote peer IP address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. Set Dial-In settings as shown below to allow Router A to dial in and build the VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
  • Page 150 If a PPP-based service is selected, you should further specify the remote peer IP address, Username, Password, and VJ Compression for this Dial-In connection. Finally, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined for the remote network to Router A via the VPN connection.
  • Page 151: Create A Remote Dial-In User Connection Between The Teleworker And Headquarter

    The other common case is that you, as a teleworker, want to connect to the enterprise network securely. According to the network structure shown in the illustration below, you may follow these steps to create a Remote User Profile and install the Smart VPN Client on the remote host.
  • Page 152 To use IPSec-based services such as IPSec or L2TP with IPSec Policy, you have to configure the general settings in IKE/IPSec General Setup, such as the pre-shared key that both parties know. Return to the VPN and Remote Access Setup page and choose Remote User Profile Setup (Teleworker).
  • Page 153 For Windows 2000/XP, please use "Network and Dial-up Connections" or the complimentary "Smart VPN Client" software to help you create PPTP, L2TP, and L2TP over IPSec tunnels. You can find it on the CD-ROM in the package or at the www.draytek.com download center. Install as instructed.
  • Page 154 In Step 2, Connect to VPN Server, click the Insert button to add a new entry. If an IPSec-based service is selected, as shown below, you may further specify the method you use to get an IP address, the security method, and the authentication method. If Pre-Shared Key is selected, it must be consistent with the one set in the VPN router.
  • Page 155 If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method. The User Name and Password must be consistent with those set up in the VPN router. Using the default gateway on the remote network means that all packets from the remote host will be directed to the VPN server and then forwarded to the Internet.
  • Page 156: Qos Setting Example

    Assume a teleworker sometimes works at home and takes care of children. During working hours, he uses the Vigor router at home to connect to the server in the headquarters office downtown via either HTTPS or VPN to check email and access the internal database. Meanwhile, the children may chat on VoIP or Skype in the restroom.
  • Page 157: LAN - Created by Using NAT

    If the worker has connected to the headquarters using a host-to-host VPN tunnel (please refer to Chapter 3 VPN for detailed instructions), he may set up an index for it. Enter the Class Name of Index 3. In this index, he will reserve bandwidth for 1 VPN tunnel. Then click the Advanced button on the right.
  • Page 158 You can just set the settings wrapped inside the red rectangles to fit the requirements of NAT usage. To use another DHCP server in the network rather than the built-in one of the Vigor router, you have to change the settings as shown below.
  • Page 159 You can just set the settings wrapped inside the red rectangles to fit the requirements of NAT usage.
  • Page 160: Calling Scenario for VoIP Function

    Example 1: Both John and David have SIP addresses from different service providers. John's SIP URL: 1234@draytel.org; David's SIP URL: 4321@iptel.org. Settings for John, DialPlan index 1 --- Phone Number: 1111; Display Name: David; SIP URL: 4321@iptel.org. SIP Accounts Settings --- Profile Name: draytel1; Register via: Auto; SIP Port: 5060 (default)
  • Page 161 Example 2: Both John and David have SIP addresses from the same service provider. John's SIP URL: 1234@draytel.org; David's SIP URL: 4321@draytel.org. Settings for John, DialPlan index 1 --- Phone Number: 1111; Display Name: David; SIP URL: 4321@draytel.org. SIP Accounts Settings --- Profile Name: draytel 1; Register via: Auto; SIP Port: 5060 (default)
  • Page 162: Peer-To-Peer Calling

    Example 3: Arnor and Paulin each have a Vigor router, so they can call each other without a SIP Registrar. First they must have each other's IP address and assign an Account Name for the port used for calling. Arnor's SIP URL: 1234@214.61.172.53; Paulin's SIP URL: 4321@203.69.175.24. Settings for Arnor, DialPlan index 1...
  • Page 163: Upgrade Firmware For Your Router

    4. You will be asked to copy the file RTSxxx.exe onto your computer. Remember where you store the executable file. 5. Go to www.draytek.com to find the newly updated firmware for your router. 6. Go to Support Center >> Downloads. Find the model name of the router and click the firmware link.
  • Page 164 9. Double-click the router tool icon. The setup wizard will appear. 10. Follow the on-screen instructions to install the tool. Finally, click Finish to end the installation. 11. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility.
  • Page 165 14. Click Send. 15. The firmware update is now finished.
  • Page 167: Troubleshooting

    This section guides you through solving abnormal situations if you cannot access the Internet after installing the router and finishing the web configuration. Please follow the sections below to check your basic installation status stage by stage: checking whether the hardware status is OK; checking whether the network connection settings on your computer are OK.
  • Page 168 The example is based on Windows XP. For other operating systems, please refer to the similar steps or find support notes at www.draytek.com. Go to Control Panel and then double-click Network Connections. Right-click Local Area Connection and click Properties.
  • Page 169 Select Obtain an IP address automatically and Obtain DNS server address automatically. Double-click the currently used Mac OS on the desktop. Open the Application folder and go into Network. On the Network screen, select Using DHCP from the Configure IPv4 drop-down list.
  • Page 170: Pinging The Router From Your Computer

    The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use the "ping" command to check the link status of the router. The most important thing is that the computer receives a reply from 192.168.1.1. If not, please check the IP address of your computer.
  • Page 172: Backing to Factory Default Setting if Necessary

    Click the Internet Access group and then check whether the ISP settings are set correctly. Here we take PPPoE as an example. Check whether the Enable option is selected. Check whether the Username and Password are entered with the correct values that you got from your ISP.
  • Page 173: Contacting Your Dealer

    After restoring the factory default settings, you can configure the router again to fit your personal requirements. If the router still cannot work correctly after many attempts, please contact your dealer for further help right away. For any questions, please feel free to send e-mail to support@draytek.com.
