Netopia Firmware 4000-Series Software Manual

Firmware version 5.4

Netopia® Firmware User Guide
Netopia® 4000-Series Equipment
Netopia Firmware Version 5.4


Summary of Contents for Netopia Firmware 4000-Series

  • Page 1 Netopia® Firmware User Guide ®...
  • Page 2 Copyright© 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc. All other trademarks are the property of their respective owners. All rights reserved.
  • Page 3: Table Of Contents

    Contents Chapter 1 — Introduction...1-1 What’s New in Netopia Firmware Version 5.4 ... 1-1 Console-based Management... 1-2 Netopia Console Menus ...
  • Page 4 Firmware User Guide Modifying a scheduled connection... 2-34 Deleting a scheduled connection... 2-34 System Configuration Screens ... 2-35 System configuration features... 2-35 IP Setup ... 2-36 Filter Sets ... 2-36 IP Address Serving... 2-36 Network Address Translation (NAT) ... 2-36 Stateful Inspection firewall ...
  • Page 5 IP profile parameters... 3-21 IP Parameters (WAN Default Profile) ... 3-23 NAT Associations ... 3-25 IP Passthrough ... 3-27 MultiNAT Configuration Example ... 3-31 Chapter 4 — Virtual Private Networks (VPNs)...4-1 Overview ... 4-1 About PPTP Tunnels ... 4-4 PPTP configuration ... 4-4 About IPsec Tunnels...
  • Page 6 Adding an IKE Phase 1 Profile ... 5-4 Changing an IKE Phase 1 Profile ... 5-8 Key Management... 5-9 IPsec WAN Configuration Screens ... 5-18 IPsec Manual Key Entry... 5-19 VPN Quickview ... 5-20 WAN Event History Error Reporting ... 5-21 Chapter 6 —...
  • Page 7 Event Logs ... 7-12 SNMP Support ... 7-13 Backup Default Gateway... 7-13 Backup Configuration screen ... 7-13 IP Setup screen ... 7-15 Backup Management/Statistics ... 7-16 QuickView ... 7-17 Chapter 8 — Voice Configuration...8-1 Introduction... 8-1 Explanation of terms ... 8-1 Configuring the Voice Features ...
  • Page 8 Advanced Security Options ... 10-5 User access password ... 10-7 User menu differences... 10-8 User Accounts ... 10-15 Telnet Access ... 10-17 About Filters and Filter Sets... 10-18 What’s a filter and what’s a filter set? ... 10-18 How filter sets work ...
  • Page 9 Updating firmware... 11-7 Downloading configuration files ... 11-8 Uploading configuration files ... 11-9 Transferring Configuration and Firmware Files with XMODEM... 11-9 Updating firmware... 11-10 Downloading configuration files ... 11-11 Uploading configuration files ... 11-11 Restarting the System ... 11-12 T1 Line Statistics and Diagnostics ... 11-12 Appendix A —...
  • Page 10 Packet header types ... B-14 Appendix C — Binary Conversion Table...C-1 Index...
  • Page 11: What's New In Netopia Firmware Version 5.4

    Introduction This Firmware User Guide covers the advanced features of the Netopia 4000-Series Router and IAD families.
  • Page 12: Console-Based Management

    Console-based Management Console-based management is a fast menu-driven interface for the capabilities built into the Netopia Firmware Version 5.4. Console-based management provides access to a wide variety of features that the router supports. You can customize these features for your individual setup. This chapter describes how to access the console-based management screens.
  • Page 13: Netopia Models

    ■ “Quick View Status Overview” on page Netopia Models This Firmware User Guide covers all of the Netopia 4000-Series Router and IAD models. However, some information in this guide will apply only to a specific model. Screen differences Because different Netopia 4000-Series models offer many different features and interfaces, the options shown on some screens in this Firmware User Guide may not appear on your own particular model’s console screen.
  • Page 14: Connecting Through A Telnet Session

    ■ from the Start menu. If you connect a Macintosh computer, you can use the NCSA Telnet program supplied on the Netopia CD. ■ You install NCSA Telnet by simply dragging the application from the CD to your hard disk. Mac OS X users can run Telnet in the Terminal application, found in the Mac OS X Utilities folder.
  • Page 15: Connecting A Console Cable To Your Equipment

    NT on the PC, or ZTerm, included on the Netopia CD, for Macintosh computers. You attach the Netopia device to either a PC or Macintosh computer via the serial port on the computer. (On a Macintosh computer, the serial port is called the Modem port or Printer port. Since Macintosh computers have different serial bus connectors, you may need a USB-to-DB-9 or USB-to-serial adapter.
  • Page 16 Launch your terminal emulation software and configure the communications software for the values shown in the table below. These are the default communication parameters that the Netopia Firmware Version 5.4 uses. Parameter Terminal type Data bits...
  • Page 17: Navigating Through The Console Screens

    Navigating through the Console Screens Use your keyboard to navigate the Netopia Firmware Version 5.4’s configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the console screens. Move through selectable items in a screen or pop-up menu...
  • Page 19: Wan Configuration

    Chapter 2 WAN and System Configuration This chapter describes how to use the console-based management screens to access and configure advanced features of your equipment.
  • Page 20: Adsl Line Configuration Screen

    ADSL Line Configuration screen The ADSL Line Configuration screen is shown below: Circuit Type... Trellis Coding Enabled: Signaling Mode... Fast Retrain Enabled: Data Link Encapsulation... Select Circuit Type and from the pop-up menu choose the type of circuit to which you will be connecting: Multimode, T1.413, G.dmt/G.lite, or ADI.
  • Page 21: Sdsl/Idsl Configuration Screen

    SDSL/IDSL Configuration screen The SDSL/IDSL Line Configuration screen is shown below: Line Type... Operation Mode... Data Rate Mode... Data Rate... Data Link Encapsulation... PPP Mode... Return/Enter to select <among/between> ... Enter Information supplied to you by your telephone company. Select a Line Type from the pull-down menu. You can choose SDSL-ATM, SDSL-HDLC, IDSL, or IDSL-CM. ■...
  • Page 22 Line Type... Operation Mode... Data Rate Mode... Data Rate... Data Link Encapsulation... RFC1483 Mode... Some of these selections will reset the defaults for the remaining options in this screen. You will be challenged to confirm your choice. The SDSL-HDLC and IDSL Line Types do not offer these choices. ■...
  • Page 23 IDSL Line Configuration screen The IDSL Line Configuration screen is shown below: Line Type... Data Rate (kbps)... Data Link Encapsulation... Return/Enter to select <among/between> ... Enter information supplied to you by your ISDN phone company. ■ For IDSL lines, the Data Rate (kbps) pull-down menu offers 64 (B1), 64 (B2), 128 (B1+B2), or 144 (2B+D).
  • Page 24: G.shdsl Line Configuration Screen

    G.SHDSL Line Configuration screen The G.SHDSL Line Configuration screen is shown below: Regional Setting... Cell Format... Unused Cell Format... Data Link Encapsulation... RFC1483 Mode... PPP over Ethernet (PPPoE): Each access concentrator (DSLAM) has a different set of defaults and other parameters. Your service provider should supply you with the appropriate information about the type and capabilities of the access concentrator equipment they use.
  • Page 25: T1 Line Configuration Screen

    D4 framing mode, this option is not available. ■ Select AutoDetect DS0 Channels. Netopia routers whose model number ends in “-T” may be able to use the auto detection feature. Toggle this item to Yes if your service provider uses equipment that supports DS0 channel auto detection.
  • Page 26: Frame Relay Options

    default setting is 1 (one). Press Return. Note: You can change the First DS0 Channel number, which has a valid range from one to the maximum number minus the number of active channels. If the number of active DS0 channels is 24 (maximum), First DS0 Channel is hidden.
  • Page 27: Frame Relay Configuration

    Note: If you used Easy Setup to configure your router, you have already created a connection profile called Easy Setup Profile. If you return to the Easy Setup menus and change the Data Link Encapsulation method you set up in this step, the Easy Setup Data Link Encapsulation method will override this one and change the default data link encapsulation method in use.
  • Page 28 The N392 option specifies the maximum number of (link reliability, protocol, and sequence number) error events that can occur within the N393 sliding window. If an N392 threshold is exceeded, the switch declares the Netopia Router inactive. The default setting is 3. ■...
  • Page 29: Frame Relay Dlci Configuration

    Frame Relay DLCI configuration If you selected None as your LMI Type then you will need to manually configure your DLCIs. A Frame Relay DLCI is a set of parameters that tells the Netopia Router how to initially connect to a remote destination.
  • Page 30 To go to the Frame Relay DLCI configuration screen, select Frame Relay DLCI Configuration in the WAN Configuration screen. Add, delete, and modify DLCIs from here. Displaying a Frame Relay DLCI configuration table To display a view-only table of the Frame Relay DLCIs, select Display/Change DLCIs in the Frame Relay DLCI Configuration screen, and press Return.
  • Page 31 Changing a Frame Relay DLCI configuration To modify a Frame Relay DLCI configuration, select Display/Change DLCIs in the Frame Relay DLCI Configuration screen. Select a DLCI Name from the table and press Return to go to the Change DLCI screen. The parameters in this screen are the same as the parameters in the Add DLCI screen.
  • Page 32 This is accomplished by giving a DLCI Name to a DLCI Number. Select DLCI Enabled and toggle it to Yes to activate the profile. If you disable this profile, the Netopia Router will automatically disable and block access to a specific remote DLCI.
  • Page 33 provider agrees to transfer from a given PVC (Permanent Virtual Circuit) or DLCI (Data Link Connection Identifier). The setting defaults to 64000, but you may modify the committed burst size by toggling the selection in the Use Default field to No. You can then enter a different committed burst size in the Value field.
  • Page 34: Multiple Atm Permanent Virtual Circuits

    Connection Profile. Multiple ATM PVC configuration ATM VPI/VCI Autodetection. You can bind multiple circuits to the same Connection Profile. Netopia Firmware Version 5.4 allows you to have a standard configuration that uses, for example, four VCs (0/35, 0/38, 8/35, 8/38) pointing to the same profile.
  • Page 35 Show/Change Circuit... Delete Circuit... To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears. Circuit Name: Circuit Enabled: Circuit VPI (0-255): Circuit VCI (32-65535): QoS... Peak Cell Rate (0 = line rate): Use Connection Profile... Use Default Profile for Circuit ADD Circuit NOW Enter a name for the circuit in the Circuit Name field.
  • Page 36 Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. ■ The Peak Cell Rate field is editable. Netopia Firmware Version 5.4 supports two ATM classes of service for data connections: Unspecified Bit Rate (UBR) and Constant Bit Rate (CBR). You can configure these classes of service on a per VC basis.
  • Page 37 Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will automatically statically bind according to pre-defined dynamic binding rules when you add the second VC. It will revert back to dynamic binding if the number of VCs is reduced to one; for example, by deleting previously defined VCs.
  • Page 38: Editing Circuits

    Editing circuits You configure Virtual Circuits in the ATM Circuits Configuration screen. From the Main Menu, navigate to the ATM Circuits Configuration screen. Main Menu Show/Change Circuit... Delete Circuit... Select Show/Change Circuit and press Return. Configuration ATM Circuits Configuration Circuit...
  • Page 39: Changing A Circuit

    Choosing Show/Change Circuit (or Delete Circuit) displays a pop-up menu that allows you to select the circuit to be modified or deleted. Show/Change Circuit... Delete Circuit... Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Changing a circuit If you want to make any changes to the circuit you select, you make them in the Change Circuit screen.
  • Page 40: Monitoring Multiple Virtual Circuits

    Circuit Enabled allows you to enable or disable the circuit, using the Tab key. The default is enabled. ■ Traffic Type allows you to select which type of traffic will be routed on this circuit, Voice or Data. If you ■...
  • Page 41 Select VC Traffic Statistics. The ATM VC Statistics screen appears. VPI/VCI------Local IP Addr---------Frames Rx--Frames Tx---Bytes Rx---Bytes Tx ----------------------------------SCROLL UP----------------------------------- 0/39 111.222.333.4 8/36 ---------------------------------SCROLL DOWN---------------------------------- ■ To display more information about each circuit associated with the selected WAN module, use the up or down arrow key to highlight the circuit you want to view.
  • Page 42: Creating A New Connection Profile

    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Configure a new Conn. Profile. Finished? On a Netopia Router you can add up to 15 more connection profiles, for a total of 16, but you can only use one at a time, unless you are using VPNs.
  • Page 43 Multiple Data Link Encapsulation Settings Select Encapsulation Options and press Return. ❥ If you selected ATMP, PPTP, L2TP, or IPSec, see If you selected PPP or RFC1483, the screen offers different options: ❥ Add Connection Profile Profile Name: Profile Enabled: Encapsulation Type...
  • Page 44 Datalink (PPP/MP) Options Data Compression... Send Authentication... Send User Name: Send Password: Receive User Name: Receive Password: ❥ Data Compression defaults to Standard LZS. You can select Ascend LZS, if you are connecting to compatible equipment, or None from the pull-down menu.
  • Page 45 Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... Local WAN IP Address: Local WAN IP Mask: Filter Set... Remove Filter Set RIP Profile Options... Toggle or enter any IP Parameters you require and return to the Add Connection Profile screen by pressing Escape.
  • Page 46: The Default Profile

    The Default Profile If you are using RFC1483 data link encapsulation, the Default Profile screen controls whether or not the DSL link will come up without an explicitly configured connection profile. (PPP datalink encapsulation does not support a default profile, and the corresponding menu item is unavailable.) See page 6-32 for more information.
  • Page 47: Ip Parameters (Default Profile) Screen

    IP parameters (default profile) screen If you are using RFC1483 datalink encapsulation, the IP Parameters (Default Profile) screen allows you to configure various IP parameters for DSL connections established without an explicitly configured connection profile: Address Translation Enabled: Filter Set (Firewall)... Remove Filter Set Receive RIP: Transmit RIP:...
  • Page 48: Viewing Scheduled Connections

    Navigate from here to add/modify/change/delete Scheduled Connections. Viewing scheduled connections To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table. +-Days----Begin At---HH:MM---When----Conn. Prof. Name----Enabled-----+ +--------------------------------------------------------------------+ | mtWtfss 08:30PM +--------------------------------------------------------------------+...
  • Page 49: Adding A Scheduled Connection

    The other columns show: The time of day that the connection will Begin At ■ ■ The duration of the connection (HH:MM) ■ Whether it’s a recurring Weekly connection or used Once Only ■ Which connection profile (Conn. Prof.) is used to connect ■...
  • Page 50: Set Weekly Schedule

    demand call on the line. Demand-Allowed, meaning that this schedule will permit a demand call on the line. ■ Demand-Blocked, meaning that this schedule will prevent a demand call on the line. ■ Periodic, meaning that the connection is retried several times during the scheduled time. ■...
  • Page 51: Set Once-Only Schedule

    Set Once-Only Schedule If you set How Often to Once Only, select Set Once-Only Schedule and go to the Set Once-Only Schedule screen. Place Call on (MM/DD/YY): Scheduled Window Start Time: AM or PM: Scheduled Window Duration: ■ Select Place Call On (Date) and enter a date in the format MM/DD/YY or MM/DD/YYYY (month, day, year).
  • Page 52: Modifying A Scheduled Connection

    Modifying a scheduled connection To modify a scheduled connection, select Display/Change Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections. Select a scheduled connection from the table and press Return. The Change Scheduled Connection screen appears.
  • Page 53: System Configuration Screens

    System Configuration Screens System configuration features The Netopia Firmware Version 5.4 default settings may be all you need to configure your Router. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, Netopia Firmware Version 5.4 provides system configuration options.
  • Page 54: Ip Setup

    The System Configuration menu screen appears: Use this screen if you want options beyond Easy Setup. IP Setup These screens allow you to configure your network’s use of the IP networking protocol. ■ Details are given in “IP Setup”...
  • Page 55: Stateful Inspection Firewall

    Stateful Inspection firewall Stateful inspection firewall is a security feature that prevents unsolicited inbound access when NAT is disabled. You can configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway.
  • Page 56: Stateful Inspection Options

    Stateful Inspection Options Enable and configure stateful inspection on a WAN interface. Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Local WAN IP Mask: Filter Set...
  • Page 57 Max. TCP Sequence Number Difference: Enable default mapping to router: Deny Fragmented Packets: Exposed Address List... Enter max. allowed TCP sequence number difference (1 - 65535), 0 to disable. Max. TCP Sequence Number Difference: Enter a value in this field. This value represents the maximum ■...
  • Page 58: Exposed Addresses

    Max. TCP Sequ| my_xposed_list Enable defaul| Deny Fragment| Exposed Addre| Up/Down Arrows to select, then Return/Enter; ESC to cancel. Exposed Addresses You can specify the IP addresses you want to expose by selecting Add Exposed Address List and pressing Return.
  • Page 59 First Exposed Address: Last Exposed Address: Protocol... Port Start: Port End: CHANGE EXPOSED ADDRESS RANGE ■ Start Address: Start IP Address of the exposed host range. ■ End Address: End IP Address of the exposed host range Protocol: Select the Protocol of the traffic to be allowed to the host range from the pull-down menu. ■...
  • Page 60: Date And Time

    Date and time You can set the system’s date and time parameters in the Set Date and Time screen. Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears.
  • Page 61: Console Configuration

    You can upgrade your Router by adding new feature sets through the Upgrade Feature Set utility. See the release notes that came with your router or feature set upgrade, or visit the Netopia Web site at www.netopia.com for information on new feature sets, how to obtain them, and how to install them on your Router.
  • Page 62: Rfc-1483 Transparent Bridging

    RFC-1483 Transparent Bridging This feature allows you to turn off the routing features and use your device as a bridge. If you select this option, the device will restart itself, and reset all the settings to factory defaults. Any configurations you have made will be erased.
  • Page 63 Bridged Frame Relay (RFC 2427) is an extension of the existing onboard Frame Relay capability. Frame Relay-capable Netopia routers (ex: T-1, IDSL) may be run in bridged mode, with the WAN handling Frame Relay packets that are bridged to the Ethernet interface. For these models, LMI, multiple DLCIs, etc. can be configured.
  • Page 64: Logging

    Logging You can configure a UNIX-compatible syslog client to report a number of subsets of the events entered in the router’s WAN Event History. See Select Logging from the System Configuration menu. The Logging Configuration screen appears. WAN Event Log Options Log Boot and Errors: Log Line Specific:...
  • Page 65 Logging Configuration screen. The following screen shows a sample syslog dump of WAN events: 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com 5 10:14:06 tsnext.netopia.com >>Issued Speech Setup Request from our DN: 5108645534...
  • Page 67: Chapter 3 - Multiple Network Address Translation

    To help you understand some of the concepts discussed here, it may be helpful to introduce some NAT terminology. The term mapping refers to rules that associate one or more private addresses on the Netopia Router’s LAN to one or more public addresses on the Netopia Router’s WAN interface (typically the Internet).
  • Page 68: Features

    IP address to which you would like to provide access. You may also define a specific public IP address to use for this service if you want to use an IP other than the WAN IP address of the Netopia Router.
  • Page 69: Dynamic Mapping

    If a host on the private network initiates a connection to the Internet, for example, the Netopia Router automatically sets up a one-to-one mapping of that host’s private IP address to one of the public IP addresses allocated to be used for Dynamic NAT.
  • Page 70: Wan Network

    For example, if a connection is initiated from the public network and is destined for a public IP address configured on the Netopia Router, the following comparisons are made in this order. The Netopia Router first checks its internal NAT cache to see if the data is part of a previously initiated connection, if not…...
  • Page 71: Supported Traffic

    Support for AOL Instant Messenger (AIM) File Transfer Netopia Firmware Version 5.4 provides Application Level Gateway (ALG) support for AOL Instant Messenger (AIM) file transfer. This allows AIM users to exchange files, even when both users are behind NAT. Previously, the file transfer function would work only if one or neither of the two users were behind NAT.
  • Page 72: Multinat Configuration

    Currently there is a restriction that the remote user must be routed to via the WAN interface, otherwise the connections will fail. There is no restriction as to the number of connections. There is no user configuration required for this feature. MultiNAT Configuration You configure the MultiNAT features through the console menu: ■...
  • Page 73: Server Lists And Dynamic Nat Configuration

    Server Lists and Dynamic NAT configuration You use the advanced NAT feature sets by first defining a series of mapping rules and then grouping them into a list. There are two kinds of lists -- map lists, made up of dynamic, PAT and static mapping rules, and server lists, a list of internal services to be presented to the external world.
  • Page 74 Transmit RIP... Static Routes... Network Address Translation (NAT)... Set up the basic IP attributes of your Netopia in this screen. Select Network Address Translation (NAT) and press Return. The Network Address Translation screen appears. Return/Enter to configure IP Address redirection.
  • Page 75: Nat Rules

    NAT rules The following rules apply to assigning NAT ranges and server lists: ■ Static public address ranges must not overlap other static, PAT, public addresses, or the public address assigned to the router’s WAN interface. ■ A PAT public address must not overlap any static address ranges. It may be the same as another PAT address or server list address, but the port range must not overlap.
  • Page 76 Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range. Select ADD NAT PUBLIC RANGE and press Return. The range will be added to your list and you will be ■...
  • Page 77 ■ Select Add Map and press Return. The Add NAT Map screen appears. First Private Address: Last Private Address: Use NAT Public Range... ADD NAT MAP ■ Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
  • Page 78 mapping and press Return. If none of your preconfigured ranges are suitable for this mapping, you can select <<NEW RANGE>> and create a new range. If you choose <<NEW RANGE>>, the Add NAT Public Range screen displays and you can create a new public range to be used by this map.
  • Page 79: Modifying Map Lists

    Modifying map lists You can make changes to an existing map list after you have created it. Since there may be more than one map list you must select which one you are modifying. From the Network Address Translation screen select Show/Change Map List and press Return. ■...
  • Page 80 ■ Add Map allows you to add a new map to the map list. ■ Show/Change Maps allows you to modify the individual maps within the list. ■ Delete Map allows you to delete a map from the list. Selecting Show/Change Maps or Delete Map displays the same pop-up menu.
  • Page 81: Adding Server Lists

    Adding Server Lists Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list.
  • Page 82 ■ Select Add Server and press Return. The Add NAT Server screen appears. Service... Server Private IP Address: Public IP Address: ADD NAT SERVER ■ Select Service and press Return. A pop-up menu appears listing a selection of commonly exported services.
  • Page 83 Note: In order to use CUSeeMe through the Netopia Router, you must export the ports 7648 and 7649. In MultiNat, you may use a port range export. Without the export, CUSeeMe will fail to work. This is true unless a static mapping is in place for the host using CUSeeMe.
  • Page 84: Modifying Server Lists

    Modifying server lists Once a server list exists, you can select it for modification or deletion. ■ Select Show/Change Server List from the Network Address Translation screen. ■ Select the Server List Name you want to modify from the pop-up menu and press Return. Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
  • Page 85 ■ Selecting Show/Change Server or Delete Server displays the same pop-up menu. +-Private Address--Public Address----Port------------+ +----------------------------------------------------+ Se| 192.168.1.254 | 192.168.1.254 | 192.168.1.254 Ad| 192.168.1.254 | 192.168.1.254 +----------------------------------------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Select any server from the list and press Return. The Change NAT Server screen appears. Service...
  • Page 86: Deleting A Server

    Deleting a server To delete a server from the list, select Delete Server from the Show/Change NAT Server List menu and press Return. A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.
  • Page 87: Binding Map Lists And Server Lists

    Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile. You do this in one of the following screens: ■...
  • Page 88 ■ Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists. Address Trans| Easy-PAT IP Addressing| my_map NAT Map List.| NAT Server Li| Local WAN IP | Remote IP Add| Remote IP Mas| Filter Set...| Remove Filter|...
  • Page 89: Ip Parameters (Wan Default Profile)

    IP Parameters (WAN Default Profile) The Netopia Firmware Version 5.4 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile. The procedure is similar to the procedure to bind map lists and server lists to a Connection Profile.
  • Page 90 ■ Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists. Address Trans| <<None>> NAT Map List.| NAT Server Li| Filter Set (F| Remove Filter| Receive RIP: | Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
  • Page 91: Nat Associations

    NAT Associations Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection because map and server lists must be linked to a profile that controls the WAN interface. This can be a Connection Profile, a WAN Ethernet interface, a default profile, or a default answer profile.
  • Page 92 keys. Select the item by pressing Return to display a pop-up menu of all of your configured lists. Profile/Interface Name-------------Nat+------------------+Server List Name Easy Setup Profile Profile 01 Profile 02 Profile 03 Profile 04 Default Answer Profile Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
  • Page 93: IP Passthrough

    IP Passthrough Netopia Firmware Version 5.4 offers an IP passthrough feature. The IP passthrough feature allows for a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.
  • Page 94 The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown. Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... NAT Options... Stateful Inspection Enabled: Local WAN IP Address: Local WAN IP Mask: Filter Set...
  • Page 95 If you specify a non-zeroes MAC address, the DHCP Client Identifier must be in the format specified above. Macintosh computers allow the DHCP Client Identifier to be entered as a name or text, however Netopia routers accept only strict (binary/hex) MAC address format. Macintosh computers display their strict MAC addresses in the TCP/IP Control Panel (Classic MacOS) or the Network Preference Pane of System Preferences (Mac OS X).
  • Page 96 A restriction Since both the router and the passthrough host will use the same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host.
  • Page 97: MultiNAT Configuration Example

    Public IP addresses assigned by the ISP are 206.1.1.1 through 206.1.1.6 (255.255.255.248 subnet mask). Your internal devices have IP addresses of 192.168.1.1 through 192.168.1.254 (255.255.255.0 subnet mask). Netopia Router's address is: Web server's address is: Mail server's address is: FTP server's address is: In this example you will statically map the first five public IP addresses (206.1.1.1 - 206.1.1.5) to the first five...
  • Page 98 Default IP Gateway: IP Address Serving: Number of Client IP Addresses: 1st Client Address: PREVIOUS SCREEN Set up the basic IP attributes of your Netopia in this screen. Then navigate to the Network Address Translation (NAT) screen. Main Menu Configuration...
  • Page 99 Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by using Easy Setup, you would have to define a public range and map list.
  • Page 100: Notes On The Example

    You do this through either the NAT Associations screen or the profile’s configuration screens. The PAT part of this example setup will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the outside world (for example, the Internet).
  • Page 101 IP address, 206.1.1.3. For the sake of this example, alias both services to 206.1.1.2. Now, as before, the PAT configuration will allow any user on the Netopia Router's LAN with an IP address in the range of 192.168.1.6 through 192.168.1.254 to initiate traffic flow to the Internet.
  • Page 103: Chapter 4 - Virtual Private Networks (VPNs)

    Virtual Private Networks (VPNs) The Netopia Firmware Version 5.4 offers IPsec, PPTP, and ATMP tunneling support for Virtual Private Networks (VPN).
  • Page 104 Netopia’s PPTP implementation is compatible with Microsoft’s and can function as either the client (PAC) or the server (PNS). As a client, a Netopia R-series router can provide all users on a LAN with secure access over the Internet to the resources of another LAN by setting up a tunnel with a Windows NT server running Remote Access Services (RAS) or with another Netopia Router.
  • Page 105 When used to initiate the tunnelled connection, the Router is called a PPTP Access Concentrator (PAC, in PPTP language), or a foreign agent (in ATMP language). When used to answer the tunnelled connection, the Netopia Router is called a PPTP Network Server (PNS, in PPTP language) or a home agent (in ATMP language).
  • Page 106: About PPTP Tunnels

    About PPTP Tunnels To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner. You use the same procedure to initiate a PPTP tunnel that terminates at a remote PPTP server or to terminate a tunnel initiated by a remote PPTP client.
  • Page 107 When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears. PPTP Partner IP Address: Tunnel Via Gateway: Authentication... Data Compression... Send Host name: Send Password: Receive Host name: Receive Password:...
  • Page 108 MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia router will start negotiating MS-CHAP-V2. If the router you are connecting to does not support MS-CHAP-V2, it will fall back to MS-CHAP-V1, or, if the router you are connecting to does not support MPPE at all, the PPP session will be dropped.
  • Page 109: About IPsec Tunnels

    On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support the more secure Tunnel mode. Netopia Firmware Version 5.4 offers IPsec 3DES encryption over the VPN tunnel. DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key. Netopia Routers offer IPsec 3DES (triple DES) encryption as a standard option.
  • Page 110: About ATMP Tunnels

    About ATMP Tunnels To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them.
  • Page 111 ■ You can specify a Network Name. When the tunnel partner is another Netopia router, this name may be used to match against a Connection Profile. When the partner is an Ascend router in Gateway mode, then Network Name is used by the Ascend router to match a gateway profile.
  • Page 112: Encryption Support

    Netopia’s ATMP implementation supports Data Encryption Standard (DES) data encryption for user data transfer over the ATMP tunnel between two Netopia routers. The encryption option, none or DES, is a selectable option in the ATMP Tunnel Options screen.
  • Page 113: MS-CHAP V2 And 128-Bit Strong Encryption

    ■ The Netopia Firmware Version 5.4 supports 128-bit (“strong”) encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia routers you can optionally set 56-bit DES encryption.
  • Page 114 Answer ATMP/PPTP Connections: PPTP Configuration Options Receive Authentication... Data Compression... ■ Toggle Answer ATMP/PPTP Connections to Yes if you want the router to accept VPN connections or No (the default) if you do not. ■ For PPTP tunnel connections only, you must define what type of authentication these connections will use. ...
  • Page 115: VPN QuickView

    VPN QuickView You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView. Main Menu The VPN QuickView screen appears. Profile Name----------Type----Rx Pckts---Tx Pckts--RxDiscard--Remote Address-- HA <-> FA1 (Jony Fon HA <->...
  • Page 116: Dial-Up Networking For Vpn

    Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely.
  • Page 117: Creating A New Dial-Up Networking Profile

    The Communications window appears. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button. Respond to the prompts to install Dial-Up Networking from the system disks or CDROM. When prompted, reboot your PC.
  • Page 118: Configuring A Dial-Up Networking Profile

    Windows 98 users select PPP: Windows 98, Windows NT Server, Internet ■ In the Allowed network protocols area check TCP/IP and uncheck all of the other checkboxes. Note: Netopia’s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols.
  • Page 119: Installing The VPN Client

    Click the TCP/IP Settings button. ■ If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address radio button. ■ If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your...
  • Page 120: Windows 98 VPN Installation

    This displays a list of possible selections for the communications option. Active components will have a check in the checkboxes to their left. Check Dial Up Networking at the top of the list and Virtual Private Networking at the bottom of the list. Click OK at the bottom right on each screen until you return to the Control Panel.
  • Page 121: Connecting Using Dial-Up Networking

    Connecting using Dial-Up Networking A Dial-Up Networking connection will be automatically launched whenever you run a TCP/IP application, such as a web browser or email client. When you first run the application a Connect To dialog box appears in which you enter your User name and Password.
  • Page 122: PPTP Example

    PPTP example To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723. The source port may be dynamic, so often it is not useful to apply a compare function upon this portion of the control/negotiation packets.
  • Page 123 Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: Protocol Type: In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 +-------------------------------------------------------------------------+ Select Output Filter 1 and press Return.
  • Page 124: ATMP Example

    Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown below. Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest.
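The two requirements of the PPTP filter example (TCP control packets to destination port 1723 with no source-port compare, plus GRE for the tunnelled data), modelled in Python as an added example that is not part of the Netopia manual. The `Filter` and `Packet` classes, the first-match evaluation with an assumed default of dropping unmatched packets, and the sample addresses are assumptions of this example, not the router's own interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

IPPROTO_TCP = 6          # IANA-assigned IP protocol numbers
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # GRE carries no port numbers
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One row of a filter set; field names are this example's own."""
    proto: int
    forward: bool = True
    enabled: bool = True
    src_net: str = "0.0.0.0/0"    # address 0.0.0.0 with mask 0.0.0.0 = any
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None = no destination-port compare
    # There is deliberately no source-port field: the PPTP client's source
    # port is dynamic, so the rule does not compare it.

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        return self.dport is None or pkt.dport == self.dport


def forwards(filters: List[Filter], pkt: Packet) -> bool:
    """First matching filter decides; unmatched packets drop (assumed default)."""
    for f in filters:
        if f.matches(pkt):
            return f.forward
    return False


def pptp_gaps(filters: List[Filter]) -> List[str]:
    """Name each PPTP requirement that a filter set fails to admit."""
    # Constructed probe packets using documentation address ranges.
    probes = {
        "TCP control channel to port 1723": Packet(
            "198.51.100.7", "203.0.113.10", IPPROTO_TCP, 49152, PPTP_CONTROL_PORT),
        "GRE tunnel data (IP protocol 47)": Packet(
            "198.51.100.7", "203.0.113.10", IPPROTO_GRE),
    }
    return [name for name, pkt in probes.items() if not forwards(filters, pkt)]


# Constructed filter sets, one direction each (input and output look the same).
PPTP_FILTERS = [
    Filter(proto=IPPROTO_TCP, dport=PPTP_CONTROL_PORT),   # filter 1
    Filter(proto=IPPROTO_GRE),                            # filter 2
]
CONTROL_ONLY = PPTP_FILTERS[:1]   # GRE filter left out

if __name__ == "__main__":
    for label, fs in (("complete set", PPTP_FILTERS), ("control only", CONTROL_ONLY)):
        missing = pptp_gaps(fs)
        print(f"{label}: {'admits PPTP' if not missing else 'missing ' + ', '.join(missing)}")
```

A set that passes only the port 1723 rule lets the control connection come up while the tunnel carries no data, which is what `pptp_gaps(CONTROL_ONLY)` reports.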
  • Page 125 Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below. Enabled: Forward: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: Protocol Type: Source Port Compare...
  • Page 126 In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ 0.0.0.0 0.0.0.0 +-------------------------------------------------------------------------+ Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destination Port information as shown below.
  • Page 127: Windows Networking Broadcasts

    Windows Networking Broadcasts Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcasts. This is useful, for example, in a Virtual Private Network in which you want to browse the remote network to which you are tunnelling as part of your Windows Network Neighborhood.
  • Page 128 Configuration for Router A Address Translation Enabled: Remote IP Address: Remote IP Mask: Filter Set... Remove Filter Set NetBIOS Proxy Enabled RIP Profile Options... Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Configure IP requirements for a remote network connection here. Configuration for Router B Address Translation Enabled: Remote IP Address:...
  • Page 129 Make sure the NetBIOS filter is not enabled in your Internet Connection Profile. Netopia includes the NetBIOS Proxy feature as an enhancement and convenience for our customers. It has been lab-tested and many customers use it successfully. However, Netopia cannot guarantee that this feature will automatically give you the networking functionality you expect.
  • Page 131: Chapter 5 - Internet Key Exchange (IKE) IPsec Key Management For VPNs

    IPsec supports two encapsulation modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support Tunnel mode.
  • Page 132: Internet Key Exchange (IKE) Configuration

    the two devices on the Internet to communicate securely. Phase 2 establishes the tunnel and provides for secure transport of data. ■ IPsec can be configured without IKE, but IKE offers additional features, flexibility, and ease of configuration. Key exchange between your local router and a remote point can be configured either manually or by using the key exchange protocol.
  • Page 133 Main Menu The Add Connection Profile screen appears. Profile Name: Profile Enabled: Encapsulation Type... Encapsulation Options... IP Profile Parameters... Interface Group... COMMIT ■ From the Encapsulation Type pop-up menu select IPsec. ■ Then select Encapsulation Options. The IPsec Tunnel Options screen appears. Key Management...
  • Page 134: Adding An IKE Phase 1 Profile

    For Key Management you can use either IKE or Manual. If you choose Manual, skip to “IPsec Manual Key Entry” on page 5-19. If you choose IKE (the default) continue below. ■ Select IKE Phase 1 Profile and press Return. Key Management...
  • Page 135 Profile Name: Mode... Local Identity Type... Local Identity Value: Remote Identity Type... Remote Identity Value: Authentication Method... Shared Secret: Encryption Algorithm... Hash Algorithm... Diffie-Hellman Group... Advanced IKE Phase 1 Options... ADD IKE PHASE 1 PROFILE ■ The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 profiles are supported, since each of the potential sixteen Connection Profiles may be associated with a separate IKE Phase 1 profile.
  • Page 136 that will be used to generate key material for IKE Phase 1. ■ The Encryption Algorithm pop-up menu specifies the IKE Phase 1 encryption algorithm, and may be either DES (the default) or 3DES. ■ The Hash Algorithm pop-up menu specifies the IKE Phase 1 hash algorithm, and may be either SHA1 (the...
  • Page 137 the Phase 1 SAs under which they were created. Phase 2 SAs “dangle” when the Phase 1 SA under which they were created expires before they do. There is no requirement that the Phase 1 SA exist for the duration of the Phase 2 SA’s lifetime, but it is convenient because a Delete message may be sent. ■...
  • Page 138: Changing An IKE Phase 1 Profile

    | Are you sure you want to delete this IKE Phase 1 Profile? CANCEL +------------------------------------------------------------+ IPsec Configuration +--IKE Phase1 Profile--+ +----------------------+ D| IKE Profile 2 |1 Profile... A| Arthropods D| Anthropoids |e... | Anopheles | Albigensians +----------------------+ IPsec Configuration +--IKE Phase1 Profile--+ Display+----------------------+ Add IKE| Netopia +----------------------+ CONTINUE...
  • Page 139: Key Management

    Key Management You specify your IKE key management on a per-Connection Profile basis. You can do this in one of three ways: ■ You can create your IKE Phase 1 Profile first, and then associate it with an existing Connection Profile...
  • Page 140 Note: The Change Connection Profile screen will offer different options, depending on the model of router you are using. For a router with the Dial Backup feature, you can associate an IPsec profile with the Primary, the Backup, or choose to apply it to Any Port of the WAN interface by choosing the interface from the Interface Group pop-up menu as shown below.
  • Page 141 The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows you to choose between IKE key management (the default for a new IPsec profile) and Manual key management. If you select Manual, the IKE Phase 1 Profile option does not display, and you must enter your IPsec Manual Keys under the IPsec Manual Keys screen.
  • Page 142 Dead Peer Detection toggles whether or not the router will detect a remote peer being offline. Enhanced Dead Peer Detection Netopia Firmware Version 5.4 adds a new Dead Peer Detection mechanism. In previous firmware versions, when Dead Peer Detection was enabled, a counter would begin in the router when any traffic was sent through the tunnel.
  • Page 143 Netopia Firmware Version 5.4 provides a new Dead Peer Detection mechanism. An IPsec IP net interface sends ICMP ping requests to a specific IP address on a Remote Member network. The ping is periodic, and the reply is expected within a certain amount of time. If the ICMP reply does not arrive within that time, the peer is considered dead, the current phase 2 SAs are torn down, and the IKE SA starts a new phase 1 negotiation, followed by the normal phase 2 negotiation, thereafter.
  • Page 144 Domain Name System (DNS). Multiple Network IPsec Netopia Firmware Version 5.4 offers an enhancement to IPsec VPN tunnels allowing multiple network support. This feature enhances your Netopia Router’s Virtual Private Networking functionality.
  • Page 145 ■ support for sub-netting, host and network range addressing modes ■ works with manual keying and Internet Key Exchange (IKE) ■ each IPsec network works under the same local/remote tunnel endpoints Select Add Network and press Return. The Add Network Configuration screen appears. ■...
  • Page 146 If you return to the IP Profile Parameters screen, two new fields are displayed: Remote Tunnel Endpoint: Add Network... Display/Change Network... Delete Network... Address Translation Enabled: Filter Set... Remove Filter Set Advanced IP Profile Options... COMMIT Enter the IP Address or hostname of the remote tunnel endpoint.
  • Page 147 +--------------------------------------------------------------+24 | Are you sure you want to delete this network configuration? +--------------------------------------------------------------+ Specifying IKE key management alters the Advanced IP Profile Options screen as follows: ■ Local Tunnel Endpoint Address: Next Hop Gateway: Idle Timeout (seconds): ■ You can specify a Local Tunnel Endpoint Address. If not 0.0.0.0, this value must be one of the assigned interface addresses, either WAN or LAN.
  • Page 148: IPsec WAN Configuration Screens

    IPsec WAN Configuration Screens You can also configure IKE Phase 1 Profiles in the WAN Configuration menus. Main Menu The WAN Configuration screen now includes IKE Phase 1 Configuration as shown: From here you will configure yours and the remote sites' WAN information. Select IKE Phase 1 Configuration and press Return.
  • Page 149: IPsec Manual Key Entry

    The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile. IPsec Manual Key Entry The Version 5.3 firmware has a redesigned layout and additional options for manual key entry. If you selected Manual Key Management in the IPsec Tunnel Options screen, you will need to enter your encryption keys in the IPsec Manual Keys screen.
  • Page 150: VPN QuickView

    Select IPsec Manual Keys and press Return. SHA1 ESP Auth. Key: SHA1 AH Auth. Key: Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields to enter authorization keys and encryption keys.
  • Page 151: WAN Event History Error Reporting

    Profile Name----------Type--Rx Pckts--Tx Pckts--Discard--Remote Address-- HA <-> FA1 (Jony Fon HA <-> FA3 (Sleve M. My IPsec Tunnel Bangalore If the remote tunnel end point is a hostname (or “0.0.0.0”) 0.0.0.0 is displayed until a Security Association is established. Previously the remote members network was displayed. WAN Event History Error Reporting The following events are logged and displayed in the WAN Event History screen: Event message:...
  • Page 152 Event message: IKE: no matching ph2 proposal IKE: ph2 resend timeout IKE: phase 2 complete Meaning: Either the local router rejected the proposals of the remote or the remote rejected the local router’s. The attempt to resend the phase 2 authentication timed out.
  • Page 153 IP Setup The Netopia Firmware Version 5.4 uses Internet Protocol (IP) to communicate both locally and with remote networks.
  • Page 154: Chapter 6 - IP Setup

    Changes to these settings that you make in this screen will take effect only after the Netopia device is reset. To go to the IP Setup options screen, from the Main Menu, select System Configuration, then IP Setup.
  • Page 155: IP Setup

    The Netopia Firmware Version 5.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment.
  • Page 156: IP Subnets

    that the addresses distributed by the Router and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from. IP subnets The IP Subnets screen allows you to configure up to eight Ethernet IP subnets on unlimited-user models, one “primary”...
  • Page 157 For example: IP Address ---------------- 192.128.117.162 192.128.152.162 0.0.0.0 ■ To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
  • Page 158: Static Routes

    Static Routes... Network Address Translation (NAT)... Set up the basic IP attributes of your Netopia in this screen. The IP address and Subnet mask items are hidden, and the Define Additional Subnets... item becomes Subnet Configuration... If you select Subnet Configuration, you will return to the IP Subnets screen that allows you to define IP addresses and masks for additional Ethernet IP subnets.
  • Page 159 The Static Routes screen will appear. Configure/View/Delete Static Routes from this and the following Screens. Viewing static routes To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear. +-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+ +------------------------------------------------------------------+ | 0.0.0.0 +------------------------------------------------------------------+...
  • Page 160: Adding A Static Route

    Subnet Mask: The subnet mask associated with the destination network. Next Gateway: The IP address of the router that will be used to reach the destination network. Priority: An indication of whether the Router will use the static route when it conflicts with information received from RIP packets.
  • Page 161: Deleting A Static Route

    Rules of static route installation The Netopia Firmware Version 5.4 applies certain rules before installing enabled static routes in the IP routing table. An enabled static route will not be installed in the IP routing table if any of the following conditions are true: The static route’s Next Gateway IP Address matches an IP address in the range of IP addresses being...
  • Page 162: RIP-2 MD5 Authentication

    If any of the peers have not used the new key yet, the Netopia router will send RIP updates twice, once with each key.
  • Page 163 The IP Setup screen appears. Ethernet IP Address: Ethernet Subnet Mask: Define Additional Subnets... Default IP Gateway: Backup IP Gateway: Primary Domain Name Server: Secondary Domain Name Server: Domain Name: RIP Options... Multicast Forwarding... Static Routes... Select RIP Options. The Ethernet LAN RIP Options screen appears. ■...
  • Page 164 ■ Select Receive RIP, and from the pull-down menu choose v2 MD5 Authentication. Receive RIP... Transmit RIP... RIP v2 Authentication Keys... ■ You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the...
  • Page 165 Transmit RIP. Note: • All of the changes on this menu require a reboot. This is unique to the Ethernet LAN. RIP changes on all other interfaces are immediately effective. • If you set the RIP Receive option to Both v1 and v2, the interface will ignore authenticated RIP packets since authenticated v1 packets do not exist.
  • Page 166 Adding a key Select Add Key. The Add Key Screen appears. Key ID: Authentication Key: Start Date (MM/DD/YY): Start Time (hh:mm): AM or PM: End Time Mode: End Date (MM/DD/YY): End Time (hh/mm): AM or PM: COMMIT ■...
  • Page 167 Changing or deleting a key You change or delete a key by selecting it from a pop-up menu. In the RIP v2 Authentication Keys menu, select Display/Change Key. +-Key ID--Start Date--Start Time--End Date--End Time--Valid-+ +-----------------------------------------------------------+ | 255 +-----------------------------------------------------------+ Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit. Note: The date and time formats are determined by the system date and time formats.
  • Page 168: Connection Profiles And Default Profile

    Connection Profiles and Default Profile RIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not using NAT, your public Internet connection can benefit from sending authenticated RIP packets as well as receiving them. To configure RIP-2 MD5 authentication for a Connection Profile, you can either change an existing Connection Profile, or create a new one.
  • Page 169: IP Address Serving

    Connection Profile. Power interruptions Netopia 4000 Series routers use NTP updates to set the correct time. Consequently, the starting time after a power cycle, whether from power failure or deliberately switching power off and on, is in the year 1904. This could invalidate some keys that would otherwise be valid.
  • Page 170 Go to the System Configuration screen. Select IP Address Serving and press Return. The IP Address Serving screen will appear. IP Address Serving Mode... Number of Client IP Addresses: 1st Client Address: Client Default Gateway... Serve DHCP Clients: DHCP Lease Time (Hours): DHCP NetBIOS Options...
  • Page 171 Consequently, the DHCP lease time is configurable. The DHCP Lease Time (Hours) setting allows you to modify the router’s default lease time of one hour. You can enter any number up to and including 168 hours (one week) for the DHCP lease. Note: About DHCP Auto-configuration: Beginning with Firmware Version 5.3.4, routers whose model number ends in “-T”...
  • Page 172: IP Address Pools

    IP Address Pools The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight configured Ethernet IP subnets: Subnet (# host addrs) --------------------- 192.128.117.0 192.129.117.0 This screen consists of between two and eight rows of four columns each. There are exactly as many rows as there are Ethernet IP subnets configured on the IP Subnets screen.
  • Page 173 ■ When requesting an address, a client may provide a client identifier, or, if it does not, the Netopia Firmware Version 5.4 may construct a pseudo-client identifier for the client. When the client subsequently requests an address, the Router will attempt to serve the address previously associated with the pseudo-client identifier.
  • Page 174: DHCP NetBIOS Options

    DHCP NetBIOS Options If your network uses NetBIOS, you can enable the Router to use DHCP to distribute NetBIOS information. NetBIOS stands for Network Basic Input/Output System. It is a layer of software originally developed by IBM and Sytek to link a network operating system with specific hardware.
  • Page 175 ■ From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network. Serve NetBIOS Type: NetBIOS Type... Serve NetBIOS Scope: NetBIOS Scope: Serve NetBIOS Name Server: NetBIOS Name Server IP Addr: Local network Broadcast nodes ■ To serve DHCP clients with the NetBIOS scope, select Serve NetBIOS Scope and toggle it to Yes. ...
  • Page 176: More Address Serving Options

    The ability to serve as a DHCP Relay Agent. The Netopia Firmware Version 5.4 supports reserving an IP address only for a type 1 client identifier (i.e., an Ethernet hardware address). It does not support reserving an IP address for an arbitrary client identifier. (For more information on client identifiers, see RFC 2131, section 9.14.)
  • Page 177: Configuring The IP Address Server Options

    Configuring the IP Address Server options To access the enhanced DHCP server functions, from the Main Menu navigate to Statistics & Logs and then Served IP Addresses. Main Menu The following example shows the Served IP Addresses screen after three clients have leased IP addresses. The first client did not provide a Host Name in its DHCP messages;...
  • Page 178 You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses. -IP Address------Type----Expires—-Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101...
  • Page 179 ■ Details… is displayed if the entry is associated with both a host name and a client identifier. Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased.
  • Page 180 6-28 Firmware User Guide -IP Address------Type----Expires—-Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101 192.1+-------------------------------------------------------------+ 192.1+-------------------------------------------------------------+ 192.1| 192.1| You are about to make changes that will affect an address 192.1| that is currently in use. Are you sure you want to do this? | 192.1| 192.1| 192.1|...
  • Page 181 -IP Address------Type----Expires—-Host Name/Client Identifier----------------- ----------------------------------SCROLL UP----------------------------------- 192.168.1.100 192.168.1.101 192.168.1.102 +--------------------------------------+ 192.168.1.103 +--------------------------------------+ 192.168.1.104 192.168.1.105 | IP Address is 192.168.1.108 192.168.1.106 | MAC Address: 192.168.1.107 192.168.1.108 192.168.1.109 192.168.1.110 192.168.1.111 +--------------------------------------+ 192.168.1.112 192.168.1.113 ---------------------------------SCROLL DOWN---------------------------------- Lease Management... The router’s Ethernet IP address(es) will be automatically excluded from the address serving pool(s) on startup. Entries in the served IP address list corresponding to the router’s Ethernet IP address(es) that have been automatically excluded on startup are not selectable.
  • Page 182: Dhcp Relay Agent

    Netopia Router. If the Netopia Router is configured to act as a DHCP server, it will assign the client an address from an address pool configured locally in the Netopia Router and respond to the client's request...
  • Page 183 Select IP Address Serving and press Return. The IP Address Serving screen appears. IP Address Serving Mode... Number of Client IP Addresses: 1st Client Address: Client Default Gateway... Serve DHCP Clients: DHCP NetBIOS Options... Serve BOOTP Clients: Select IP Address Serving Mode. The pop-up menu offers the choices of Disabled, DHCP Server (the default), and DHCP Relay Agent.
  • Page 184: Connection Profiles

    Netopia Router does not. The DHCP server(s) to which the Netopia Router is relaying DHCP requests must be configured with one or more address pools that are within the Netopia Router’s primary Ethernet LAN subnet. (There is no mechanism for DHCP clients to receive an address on a secondary subnet via a relayed DHCP request.)
  • Page 185 Select Profile Name and enter a name for this connection profile. It can be any name you wish. For example: the name of your ISP. Toggle the Profile Enabled value to Yes or No. The default is Yes. Select IP Profile Parameters and press Return. The IP Profile Parameters screen appears. Address Translation Enabled: IP Addressing...
  • Page 186: Multicast Forwarding

    You see and hear the channel you are interested in, but not the others. Since a router should not be used as a passive forwarding device, Netopia routers use a protocol for forwarding multicasting. This protocol is Internet Group Management Protocol (IGMP). Two versions of IGMP are available, V1 and V2.
  • Page 187 Main Menu By default, Multicast Forwarding is turned off (None). You enable the router to transmit multicast data by selecting Tx. from the pull-down menu. Ethernet IP Address: Ethernet Subnet Mask: Define Additional Subnets... Default IP Gateway: Backup IP Gateway: Primary Domain Name Server: Secondary Domain Name Server: Domain Name:...
  • Page 188 Address Translation Enabled: IP Addressing... NAT Map List... NAT Server List... Local WAN IP Address: Local WAN IP Mask: Remote IP Address: Remote IP Mask: Filter Set... Remove Filter Set Multicast Forwarding... RIP Profile Options... Typically, you will have a Connection Profile that you created in Easy Setup. You may have more. Select the Connection Profile that you want to use from the Display/Change Connection Profile menu, and then select IP Profile Parameters.
  • Page 189 Chapter 7 Line Backup The firmware offers line backup functionality in the event of a line failure on a DSL, Ethernet, or leased-line primary WAN link.
  • Page 190: External Dial Backup Support

    External Dial Backup Support Netopia equipment that supports the external dial backup feature automatically displays the serial port configuration menus described in the following sections. Models that do not support external dial backup do not display external dial backup-related menus, but offer menus for backup to a default gateway.
  • Page 191 Main Menu Return/Enter to create a new Connection Profile. From here you will configure yours and the remote sites' WAN information. The Choose Interface to Configure screen appears. Choose the interface to configure for backup, Serial Port Setup. The Serial Port Configuration screen appears. WAN Configuration WAN Configuration WAN (Wide Area Network) Setup...
  • Page 192 Serial Port Mode... ■ The default mode is Console Only. This is the normal state for using a terminal emulation application to manage the router. See “Connecting a Console Cable to your Equipment” on page If you select Modem/Auto from the pull-down menu, the router becomes capable of auto detecting the presence of a modem or a console connection attached to the serial console port.
  • Page 193: Backup Configuration Screen

    Note: • The modem cable should have a standard DB-9 female connector to connect to the console port. This is the standard type of modem cable connector. • Macintosh users who use a USB-to-serial adapter to connect to the console serial port can use a modem in Modem/Auto mode.
  • Page 194 backup mode and connect via your modem. Note: Backup and Recovery have resolutions of five seconds. This is how often the router evaluates the state of the connections and makes decisions. ■ Select Ping Host Name or IP Address and enter an IP address or resolvable DNS name that the router will ping.
  • Page 195: Connection Profiles

    Connection Profiles The line backup feature allows you to configure a complete Connection Profile for the backup port, just as you do for your primary WAN connection. In this way profiles are associated with a particular interface. The profile should reflect the port it is associated with. It should have switched characteristics for the backup port. Profile Name: Profile Enabled: Data Link Encapsulation...
  • Page 196: Using Scheduled Connections With Backup

    Dial... Number to Dial: Alternate Site to Dial: Dial on Demand: Idle Timeout (seconds): Callback: ■ From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default). ■...
  • Page 197 The Scheduled Connections screen appears. Return/Enter to add a Scheduled Connection. Navigate from here to add/modify/change/delete Scheduled Connections. ■ Select Add Scheduled Connection and press Return. The Add Scheduled Connection screen appears. Scheduled Connection Enable: How Often... Schedule Type... Set Weekly Schedule... Use Connection Profile...
  • Page 198: Management/Statistics

    Monday: Tuesday: Wednesday: Thursday: Friday: Saturday: Sunday: Scheduled Window Start Time: AM or PM: Scheduled Window Duration Per Day: 24:00 Return/Enter accepts * Tab toggles * ESC cancels. ■ Toggle all the days of the week to Yes, and set the Scheduled Window Duration Per Day to 24:00. This guarantees a 24X7 connection.
  • Page 199 Select Backup Management/Statistics and press Return. Note: This option is only visible if backup is not Disabled. The Backup Management/Statistics screen appears. Current Port: Backup State: Reason: Time Since Detection: Switchover Time: ■ Current Port is a display-only field that shows which port is currently in operation. ■...
  • Page 200: Quickview

    connection. ■ Switchover Time is a display-only field that is only visible if backup or recovery is in progress. It displays the time until either automatic Backup or Recovery. ■ The FORCE BACKUP/FORCE RECOVERY option is a selectable option that, depending on the current state...
  • Page 201: Snmp Support

    SNMP Support The router supports objects for determining the state of backup, as well as providing traps for the backup and recovery events. No objects support configuration of backup or recovery. Backup Default Gateway Introduced in version 5.1.2, the firmware offers backup functionality to an alternate gateway typically connected to a LAN port.
  • Page 202 The Backup Configuration screen appears. Backup Parameters Backup is... Requires Failure of (minutes): Ping Host Name or IP Address: Recovery to ADSL... Requires Recovery of (minutes): Auto-Recovery on loss of Layer 2: Automatically switches to Backup Port on loss of Layer 1 or 2. This screen is used to configure the conditions under which backup will occur, if it will recover, and how the alternate gateway is configured.
  • Page 203: Ip Setup Screen

    Static Routes... Network Address Translation (NAT)... Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx). Set up the basic IP attributes of your Netopia in this screen. For more information on IP Setup see the Note: Backup and Recovery have resolutions of five seconds. This is how often the router evaluates the state of the connections and makes decisions.
  • Page 204: Backup Management/Statistics

    Backup Management/Statistics If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return. Main Menu The Backup Management/Statistics screen appears.
  • Page 205: Quickview

    either one and pressing Return will force the link to switch to the other mode. QuickView The QuickView screen now has an information element to indicate which gateway is in use. Default IP Gateway: Primary DNS Server: Secondary DNS Server: 0.0.0.0 Quick View 0.0.0.0 CPU Load: 5%...
  • Page 207: Explanation Of Terms

    Toll Restriction Operation - Centrex Mode: When you pick up the phone, you receive a dial tone from the central office. When 9 is pressed, the Netopia IAD detects 9 and returns a busy tone served by the Centrex system accessible via the IAD. Incoming calls are allowed. This allows local extension calling through the...
  • Page 208: Configuring The Voice Features

    This is independent of the previous mode. Configuring the Voice Features This section describes how to configure the voice telephone features in Netopia Firmware Version 5.4. From the Main Menu select Voice Configuration. Return/Enter goes to Easy Setup -- minimal configuration.
  • Page 209 Voice Gateway... Ring Cadence... Port Configuration... Voice Coding... LES Profile Number... ■ Select Voice Gateway and from the pop-up menu, choose the type of voice gateway device to which you will be connected. The choices are: CopperCom, JetStream, TollBridge, TDSoft, Zhone, or Alcatel. Select Ring Cadence and press Return.
  • Page 210 From the pop-up menu choose either Profile 9 or Profile 10. The Netopia Firmware Version 5.4 supports LES profile 9 and LES profile 10. LES profile 9 includes only PCM calls. LES profile 10 includes PCM and ADPCM capabilities.
  • Page 211: Quick View Status Overview

    Quick View Status Overview You can get a useful, overall status report from the Netopia Firmware Version 5.4 in the Quick View screen. To go to the Quick View screen, select Quick View in the Main Menu. The Quick View screen has three status sections: ■ General status...
  • Page 212: General Status

    MAC Address: The Router’s hardware address, for those interfaces that support DHCP. IP Address: The Router’s IP address, entered in the IP Setup screen. Quick View 0.0.0.0 CPU Load: 4% 0.0.0.0 Domain Name: Netopia.com 192.168.1.1 0.0.0.0 Current DSL Status 1536 IP 92.163.4.1...
  • Page 213: Current Status

    –: The LED is off. R: The LED is red. G: The LED is green. Y: The LED is yellow. The section “Netopia Router status lights” in the Getting Started Guide describes the meanings of the colors for each LED. Current DSL Status 1536 IP 92.163.4.1...
  • Page 214: Statistics & Logs

    You can view two different event histories: one for the router’s system and one for the WAN. Some Netopia Routers have a built-in battery backup which prevents loss of event history from a shutdown or reset.
  • Page 215: Wan Event History

    WAN Event History The WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top. -Date-----Time-----Event------------------------------------------------------ ----------------------------------SCROLL UP----------------------------------- 07/03/98 13:59:06 07/03/98 13:59:05 07/03/98 13:59:05 >>WAN: data link activated at 1040 Kbps 07/03/98 13:58:32 --Device restarted----------------------------------------- 07/03/98 12:46:39 --Device restarted----------------------------------------- 07/03/98 11:45:57 --Device restarted-----------------------------------------...
  • Page 216 In the Statistics & Logs screen, select Device Event History. The Device Event History screen appears. -Date-----Time-----Event------------------------------------------------------ ----------------------------------SCROLL UP----------------------------------- 01/22/02 02:03:11 01/22/02 02:03:11 --BOOT: Warm start v5.3 01/22/02 02:02:32 01/22/02 02:02:32 --BOOT: Warm start v5.3 01/22/02 01:59:50 * IP: Route 0.0.0.0/0.0.0.0 not installed 01/22/02 01:59:50 01/22/02 01:59:50 --BOOT: Cold start v5.3 01/22/02 01:55:07 * IP: Route 0.0.0.0/0.0.0.0 not installed...
  • Page 217: Ip Routing Table

    IP Routing Table Main Menu The IP routing table displays all of the IP routes currently known to the Router. Network Address-Subnet Mask-----via Router------Port------------------Type---- ----------------------------------SCROLL UP----------------------------------- 0.0.0.0 255.0.0.0 127.0.0.1 255.255.255.255 127.0.0.1 192.168.1.0 255.255.255.240 192.168.1.1 192.168.1.1 255.255.255.255 192.168.1.1 192.168.1.15 255.255.255.255 192.168.1.15 224.0.0.0 224.0.0.0 255.255.255.255 255.255.255.255 255.255.255.255 --...
  • Page 218: Physical Interface

    Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err Ethernet Hub ATM ADSL 1 Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err VC Traffic Statistics... Physical Interface The top left side of the screen lists total packets received and total packets transmitted for the following data ports: Ethernet ■...
  • Page 219: System Information

    System Information The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears. Serial Number Firmware Version ModelNumber Processor Speed (Mhz) Flash Rom Capacity (MBytes) DRAM Capacity (MBytes) Hardware Acceleration...
  • Page 220: Simple Network Management Protocol (Snmp) - V2C

    ADSL: ADSL MIB (RFC2662) These MIBs are on the Netopia CD included with the Router. Load these MIBs into your SNMP management software in the order they are listed here. Follow the instructions included with your SNMP manager on how to load MIBs.
  • Page 221: The Snmp Setup Screen

    The SNMP Setup screen From the Main Menu, select SNMP in the System Configuration screen and press Return. The SNMP Setup screen appears. Main Menu System Name: System Location: System Contact: System Trap Version: Read-Only Community String: Read/Write Community String: Authentication Traps Enable: IP Trap Receivers...
  • Page 222: Snmp Traps

    The Netopia Firmware Version 5.4 sends traps using UDP (for IP networks). You can specify which SNMP managers are sent the IP traps generated by the Netopia Firmware Version 5.4. Up to eight receivers can be set. You can also review and remove IP traps.
  • Page 223: Setting The Ip Trap Receivers

    To go to the IP Trap Receivers screen, select IP Trap Receivers. The IP Trap Receivers screen appears. Return/Enter to modify an existing Trap Receiver. Navigate from here to view, add, modify and delete IP Trap Receivers. Setting the IP trap receivers Select Add IP Trap Receiver.
  • Page 225: Suggested Security Measures

    ■ Set the answer profile so it must match incoming calls to a connection profile. ■ Leave the Enable Dial-in Console Access option set to No. ■ Configure the Netopia Firmware Version 5.4 through the serial console port, if available, to ensure that your communications cannot be intercepted...
  • Page 226: Console Tiered Access - Two Password Levels

    Console Tiered Access – Two Password Levels Netopia Firmware Version 5.4 offers tiered access control for greater security and protection against accidental or malicious misconfiguration. Service providers and network administrators can now limit the access of other users to the various configuration screens to prevent misconfigurations.
  • Page 227: Superuser Configuration

    PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT.
  • Page 228: Limited User Configuration

    Limited user configuration The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which configuration features a limited (non-Superuser) user can access. From the Security Options screen, select Add Access Name/Password. The Add Access Name/Password screen appears. Name (19 characters max): Password: Telnet Access Enabled:...
  • Page 229: Advanced Security Options

    WAN Data Configuration: Connection Profile Configuration: Circuit (PVC/DLCI) Configuration: LAN Data Configuration: LAN Subnet Configuration: NAT/Filters Configuration: Preferences (Global) Configuration:Yes Voice Configuration: You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection.
  • Page 230 Security Databases... RADIUS Server Addr/Name: RADIUS Server Secret: Alt RADIUS Server Addr/Name: Alt RADIUS Server Secret: RADIUS Identifer: RADIUS Server Authentication Port+-----------+ RADIUS Access Privileges... Telnet Server Port: LAN (Ethernet) IP Filter Set... Remove Filter Set ■...
  • Page 231: User Access Password

    User access password Users must be able to change their names and passwords, regardless of other security access restrictions. If a user does not have security access, then they will only be able to modify the password for their account. When a limited-access user logs into the router.
  • Page 232: User Menu Differences

    ■ access is forbidden are hidden. Main Menu The following is an example comparison of the Main Menu as seen by the Superuser and by a Limited user. Superuser Netopia Router Easy Setup... WAN Configuration... System Configuration... Utilities & Diagnostics...
  • Page 233 ATM Circuits Configuration... Display/Change Connection Profile... Add Connection Profile... Delete Connection Profile... WAN Default Profile... ATMP/PPTP Default Profile... Advanced Connection Options... Frame Relay Configuration... Frame Relay DLCI Configuration... Establish WAN Connection... Disconnect WAN Connection... Netopia Router WAN Configuration
  • Page 234 User Access Level Connection Profiles The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection Profile in the Add Connection Profile screen the Superuser can toggle the Superuser Accessible Only option to Yes or No.
  • Page 235 System Configuration menu The System Configuration menu is always available to all users. Based on access level, the System Configuration menu displays its configuration options according to the following diagram: User Access Level Global Superuser Superuser, All Superuser Note: Network Address Translation (NAT) is displayed in this screen in order to make access control simpler.
  • Page 236 Statistics & Logs menu The Statistics & Logs menu shown below is a composite of all the possible options on all Netopia routers and IADs supported by the firmware. Substantial differences exist among screens on a given router or IAD. Here, all selection options are shown.
  • Page 237 Based on access level, the Statistics & Logs menu displays its options according to the following diagram: User Access Level WAN Event History... Global Device Event History... Global Voice Log... Voice Voice Accounting Log... Voice Voice Error Log... Voice IP Routing Table... Global Served IP Addresses...
  • Page 238: Quick Menus

    Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user. Connection Profiles Add Connection Profiles Change Connection Profiles Delete Connection Profiles WAN Default Profile...
  • Page 239: User Accounts

    User Accounts When you first set up and configure the Netopia Firmware Version 5.4, no passwords are required to access the configuration screens. Anyone could tamper with the router’s configuration by simply connecting it to a console. However, by adding user accounts, you can protect the most sensitive screens from unauthorized access. User accounts are composed of name/password combinations that can be given to authorized users.
  • Page 240 Enable Telnet Console Access: Enable Telnet Access to SNMP Screens: Console Access timeout (seconds): Show Users... Add User... Delete User... Advanced Security Options... Password for This Screen (11 chars max): Return/Enter accepts * Tab toggles * ESC cancels. Set up configuration access options here.
  • Page 241: Telnet Access

    Return to delete it. To exit the list without deleting the selected account, press Escape. Telnet Access Telnet is a TCP/IP service that allows remote terminals to access hosts on an IP network. The Netopia Firmware Version 5.4 supports Telnet access to its configuration screens.
  • Page 242: About Filters And Filter Sets

    filters to control network communications can greatly improve your network’s security. The Netopia Firmware Version 5.4’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the router’s filter sets for a variety of packet filtering applications.
  • Page 243: Filter Priority

    Each inspector has a specific task. One inspector’s task may be to examine the destination address of all outgoing packages. That inspector looks for a certain destination—which could be as specific as a street address or as broad as an entire country—and checks each package’s destination address to see if it matches that destination.
  • Page 244: How Individual Filters Work

    This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked. Here is what this rule looks like when implemented as a filter on the Netopia Firmware Version 5.4: +-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +--------------------------------------------------------------------+ 199.211.211.17...
  • Page 245: Port Numbers

    Parts of a filter A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes: ■ The source IP address (where the packet was sent from) ■ The destination IP address (where the packet is going) ■...
  • Page 246: Port Number Comparisons

    Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison options are: No Compare: No comparison of the port number specified in the filter with the packet’s port number. Not Equal To: For the filter to match, the packet’s port number cannot equal the port number specified in the filter.
  • Page 247: Putting The Parts Together

    Putting the parts together When you display a filter set, its filters are displayed as rows in a table: +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+ +----------------------------------------------------------------------+ 192.211.211.17 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 +----------------------------------------------------------------------+ The table’s columns correspond to each filter’s attributes: #: The filter’s priority in the set. Filter number 1, with the highest priority, is first in the table. Source IP Addr: The packet source IP address to match.
  • Page 248 Filtering example #1 Returning to our filtering rule example from above (see Start with the rule, then fill in the filter’s attributes: The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
  • Page 249: Design Guidelines

    This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it. In this case, the mask, which does not appear in the table, must be set to 255.255.255.0.
  • Page 250: Working With Ip Filters And Filter Sets

    An approach to using filters The ultimate goal of network security is to prevent unauthorized access to the network without compromising authorized access. Using filter sets is part of reaching that goal. Each filter set you design will be based on one of the following approaches: ■...
  • Page 251: Adding A Filter Set

    View, change, or delete individual filters and filter sets. The sections below explain how to execute these steps. Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters.
  • Page 252 The Netopia Router Packets in the Netopia Firmware Version 5.4 pass through an input filter if they originate in the WAN and through an output filter if they’re being sent out to the WAN. The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination.
  • Page 253 Filter Set Name: Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind.
  • Page 254 If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded. Select Source IP Address and enter the source IP address this filter will match on.
  • Page 255: Deleting A Filter Set

    Select a filter set from the list and press Return. Select CONTINUE and press Return to delete it. A sample filter set This section contains the settings for a filter set called Basic Firewall, which is part of the Netopia Firmware Version 5.4’s factory configuration.
  • Page 256 Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN.
  • Page 257 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN.
  • Page 258: Policy-Based Routing Using Filtersets

    filter. In previous firmware versions, a filter would either pass or block the specified traffic. Netopia Firmware Version 5.4 adds a third option, force routing. You specify a gateway IP address, and each packet matching the filter is routed according to that gateway address, rather than by means of the global routing table.
  • Page 259: Tos Field Matching

    Destination Port ID(s) for the filter, if desired. TOS field matching Netopia Firmware Version 5.4 adds two additional new parameters to an IP filter: TOS and TOS Mask. Both fields accept values in the range 0 – 255. Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network.
  • Page 260 Enabled: Forward: Call Placement/Idle Reset: Force Routing: Gateway IP Address: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: ADD THIS FILTER NOW Return/Enter to add this Filter to the Filter Set. Enter the packet specific information for this filter.
  • Page 261: Firewall Tutorial

    Firewall Tutorial General firewall terms Filter rule: A filter set is composed of individual filter rules. Filter set: A grouping of individual filter rules. Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
  • Page 262: Firewall Design Rules

    Example TCP/UDP Ports TCP Port 20/21 Firewall design rules There are two basic rules to firewall design: ■ “What is not explicitly allowed is denied.” ■ “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else.
  • Page 263: Implied Rules

    and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule.
  • Page 264: Filter Basics

    A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). The Netopia Firmware Version 5.4 has the ability to compare source and destination TCP or UDP ports. These options are as follows:...
  • Page 265: Example Filters

    Less Than or Equal: Any port less than or equal to the port defined. Equal: Matches only the port defined. Greater Than or Equal: Matches the port or any port greater. Greater Than: Matches anything greater than the port defined. Example network Input Packet Example filters Example 1 Filter Rule: Incoming packet has the source address of 200.1.1.28 IP Address 200.1.1.28 255.255.255.128...
  • Page 266 This incoming IP packet (10000000) has a source IP address that does not match the network address in the Source IP Address field (00000000) in the Netopia Firmware Version 5.4. This rule will forward this packet because the packet does not match.
  • Page 267 255.255.255.240 Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule does not match and this packet will be forwarded. Example 4 Filter Rule: Incoming packet has the source address of 200.1.1.104. IP Address 200.1.1.104 255.255.255.240...
  • Page 268: Configuration Management

    Configuration Management Netopia Firmware Version 5.4 offers a Configuration Management feature. Configuration Management provides a way to store several router configurations in a single device for use at different times. This feature is supported on all models that support the version 5.4 firmware except the 4752 IAD.
  • Page 269 Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Select Save Current Configuration as , and press Return. The Save Current Configuration screen appears. Configuration Name: SAVE Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes. Enter a descriptive name for your current configuration, select SAVE , and press Return.
  • Page 270 10-46 Firmware User Guide Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... A warning screen will ask you to confirm your choice. Configuration Management +-Configuration Name---Type---+ +-----------------------------+ | Backup Config | HappyInternet +-----------------------------+ Binary | Binary |...
  • Page 271: Tftp And X-Modem

    | Backup Config | HappyInternet | <Empty> Type Name +-----------------------+ X-Modem File Transfer Send Firmware to Netopia... Get Configuration Destination... Send Config to Netopia... Send Configuration... Receive Config from Netopia... Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
  • Page 272: Call Filtering

    10-48 Firmware User Guide Call Filtering Netopia Firmware Version 5.4 supports a call filtering mechanism that lets you control which packets cause connections to be established and which packets cause connections to be maintained (that is, to not time out due to inactivity).
  • Page 273 Enabled: Forward: Call Placement/Idle Reset: Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: Protocol Type: ADD THIS FILTER NOW This pop-up menu allows you to configure what action will be taken for packets that the filter rule specifies should be forwarded.
  • Page 274 10-50 Firmware User Guide...
  • Page 275: Chapter 11 - Utilities And Diagnostics

    Chapter 11 Utilities and Diagnostics A number of utilities and tests are available for system diagnostic and control purposes.
  • Page 276: Ping

    11-2 Firmware User Guide Ping The Netopia Firmware Version 5.4 Router includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender.
  • Page 277 Couldn’t proceed with Ping test; try again or reset system Couldn’t proceed with Ping test; try again or reset system send Ping packet 1 Netopia receive Ping packet 1 send return Ping packet 1 receive return Ping packet 1...
  • Page 278: Trace Route

    MIB-II ip group’s ipDefaultTTL object. Trace Route You can count the number of routers between your Netopia Router and a given destination with the Trace Route utility. In the Statistics & Diagnostics screen, select Trace Route and press Return. The Trace Route screen appears.
  • Page 279: Telnet Client

    Select Timeout (seconds) to set when the trace will timeout for each hop, up to 10 seconds. The default is 3 seconds. Select Use Reverse DNS to learn the names of the routers between the Netopia Router and the destination router. The default is Yes.
  • Page 280: Factory Defaults

    To use the Router as a TFTP client, a TFTP server must be available. Netopia, Inc., has a public access TFTP server on the Internet where you can obtain the latest firmware versions.
  • Page 281: Updating Firmware

    The sections below describe how to update the Router’s firmware and how to download and upload configuration files. Updating firmware Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s network administrator. The Router ships with an embedded operating system referred to as firmware. The firmware governs how the device communicates with your network and the WAN or remote site.
  • Page 282: Downloading Configuration Files

    Select GET CONFIG FROM SERVER and press Return. You will see the following dialog box: ■ +----------------------------------------------------------------------+ +----------------------------------------------------------------------+ | Are you sure you want to send a saved configuration to your Netopia? | +----------------------------------------------------------------------+ ■ Select CANCEL to exit without downloading the file, or select CONTINUE to download the file. The system will reset at the end of the file transfer to put the new configuration into effect.
  • Page 283: Uploading Configuration Files

    TFTP server. You may need to enter a file path along with the file name (for example, Mypc/Netopia/myfile). Select SEND CONFIG TO SERVER and press Return. Netopia will begin to transfer the file. The TFTP Transfer State item will change from Idle to Writing Config. The TFTP Current Transfer Bytes item will reflect the number of bytes transferred.
  • Page 284: Updating Firmware

    Send Configuration... Receive Config from Netopia... Updating firmware Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s network administration. Follow these steps to update the Router’s firmware: Make sure you have the firmware file on disk and know the path to its location.
  • Page 285: Downloading Configuration Files

    +----------------------------------------------------------------------+ +----------------------------------------------------------------------+ | Are you sure you want to send a saved configuration to your Netopia? | | If so, when you hit Return/Enter on the CONTINUE button, you will | have 10 seconds to begin the transfer from your terminal program.
  • Page 286: Restarting The System

    11-12 Firmware User Guide +--------------------------------------------------------------------+ +--------------------------------------------------------------------+ | Are you sure you want to save your current Netopia configuration? | If so, when you hit Return/Enter on the CONTINUE button, you will | have 10 seconds to begin the transfer from your terminal program.
  • Page 287 Ping... Trace Route... Telnet... Trivial File Transfer Protocol (TFTP)... X-Modem File Transfer... Restart System... T1 Line Statistics / Diagnostics... Select T1 Line Statistics / Diagnostics and press Return. The T1 Line Statistics / Diagnostics screen appears. --Condition------------------00:16---00:27---00:12----1:57----1:42---24 hours- Errored Seconds Unavailable Seconds Severely Errored Seconds Bursty Errored Seconds...
  • Page 288 Normal - Clear Loopback clears any local loopbacks and sends an ANSI PLB clear to the remote CSU. This returns the Netopia Router to its normal state if any testing has been done and the router has been put into a looped state. Select this option after running tests to return the router to a normal state so that it is capable of passing traffic as it should.
  • Page 289: Appendix A - Troubleshooting

    This appendix is intended to help you troubleshoot problems you may encounter while setting up and using the Netopia Firmware Version 5.4. It also includes information on how to contact Netopia Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics &...
  • Page 290: Console Connection Problems

    ■ Verify the accuracy of the default gateway’s IP address (entered in the IP Setup or Easy Setup screen). ■ Use the Netopia Firmware Version 5.4’s Ping utility, in the Utilities & Diagnostics screen, and try to Ping local and remote hosts. See successfully Ping hosts using their IP addresses but not their domain names (198.34.7.1 but not...
  • Page 291: How To Reset The Router To Factory Defaults

    How to Reset the Router to Factory Defaults Lose your password? This section shows how to reset the router so that you can access the console screens once again. Keep in mind that all of your connection profiles and settings will need to be reconfigured. If you don't have a password, the only way to get back into the Router is the following: Turn the router upside down.
  • Page 292: Technical Support

    We can help you with your problem more effectively if you have completed the environment profile in the previous section. If you contact us by telephone, please be ready to supply Netopia Technical Support with the information you used to configure the Router. Also, please be at the site of the problem and prepared to reproduce it and to try some troubleshooting steps.
  • Page 293: Appendix B - Understanding Ip Addressing

    Understanding IP Addressing This appendix is a brief general introduction to IP addressing. A basic understanding of IP will help you in configuring the Netopia Firmware Version 5.4 and using some of its powerful features, such as static routes and packet filtering.
  • Page 294: Subnets And Subnet Masks

    B-2 Firmware User Guide IP addresses indicate both the identity of the network and the identity of the individual host on the network. The number of bits used for the network number and the number of bits used for the host number can vary, as long as certain rules are followed.
  • Page 295: Example: Using Subnets On A Class C Ip Internet

    When setting up IP routing with a Class A address, or even with multiple Class C addresses, subnetting is fairly straightforward. Subnetting a single Class C address between two networks, however, is more complex. This section describes the general procedures for subnetting a single Class C network between two Netopia routers so that each can have Internet access.
  • Page 296 B-4 Firmware User Guide Network configuration Below is a diagram of a simple network configuration. The ISP is providing a Class C address to the customer site, and both networks A and B want to gain Internet access through this address. Router B connects to Router A and is provided Internet access through Routers A and B.
  • Page 297: Example: Working With A Class C Subnet

    Understanding IP Addressing B-5 Background The IP addresses and routing configurations for the devices shown in the diagram are outlined below. In addition, each individual field and its meaning are described. The IP Address and Subnet Mask fields define the IP address and subnet mask of the device's Ethernet connection to the network while the Remote IP and Remote Sub fields describe the IP address and subnet mask of the remote router.
  • Page 298: Technical Note On Subnet Masking

    B-6 Firmware User Guide There are two schemes for distributing the remaining IP addresses: ■ Manually give each computer an address ■ Let the Router automatically distribute the addresses These two methods are not mutually exclusive; you can manually issue some of the addresses while the rest are distributed by the Router.
  • Page 299: Configuration

    Netopia Firmware Version 5.4 DHCP server characteristics ■ The Netopia Firmware Version 5.4 ignores any lease-time associated with a DHCP request and automatically issues the DHCP address lease for one hour. ■ The number of devices a Router can serve DHCP to is 512. This is imposed by global limits on the size of...
  • Page 300: Manually Distributing Ip Addresses

    PPP suite called IPCP. Originally, this would apply only to switched WAN interface routers, and not to leased line routers. However, a new feature can give you Asynchronous PPP dial-in support on the Auxiliary port on any router including leased line Netopia routers.
  • Page 301: Tips And Rules For Distributing Ip Addresses

    In any situation where a device is dialing into a Netopia router, the router may need to be configured to serve IP via the WAN interface. This is only a requirement if the calling device has not been configured locally to know what its address(es) are.
  • Page 302 B-10 Firmware User Guide Block of IP host addresses (derived from network IP address + mask issued by ISP) The figure above shows an example of a block of IP addresses being distributed correctly. The example follows these rules: ■ An IP address must not be used as a static address if it is also in a range of addresses being distributed by DHCP or MacIP.
  • Page 303: Nested Ip Subnets

    Understanding IP Addressing B-11 Nested IP Subnets Under certain circumstances, you may want to create remote subnets from the limited number of IP addresses issued by your ISP or other authority. You can do this using connection profiles. These subnets can be nested within the range of IP addresses available to your network.
  • Page 304 B-12 Firmware User Guide Routers B and C (which could also be Routers) serve the two remote networks that are subnets of a.b.c.0. The subnetting is accomplished by configuring the Router with connection profiles for Routers B and C (see the following table).
  • Page 305 Network Address-Subnet Mask-----via Router------Port------------------Type---- ----------------------------------SCROLL UP----------------------------------- 0.0.0.0 0.0.0.0 127.0.0.1 255.255.255.255 127.0.0.1 a.b.c.128 255.255.255.192 a.b.c.128 a.b.c.248 255.255.255.248 a.b.c.248 ---------------------------------SCROLL DOWN---------------------------------- UPDATE Let’s see how a packet from the Internet gets routed to the host with IP address a.b.c.249, which is served by Router C.
  • Page 306: Broadcasts

    B-14 Firmware User Guide The following diagram illustrates the IP address space taken up by the two remote IP subnets. You can see from the diagram why the term nested is appropriate for describing these subnets. valid addresses used by a.b.c.128 valid addresses used by a.b.c.248 Broadcasts...
  • Page 307 Appendix C Binary Conversion Table This table is provided to help you choose subnet numbers and host numbers for IP and MacIP networks that use subnetting for IP addresses.
  • Page 308 C-2 Firmware User Guide Decimal Binary 10000000 10000001 10000010 10000011 10000100 10000101 10000110 10000111 10001000 10001001 10001010 10001011 10001100 10001101 10001110 10001111 10010000 10010001 10010010 10010011 10010100 10010101 10010110 10010111 10011000 10011001 10011010 10011011 10011100 10011101 10011110 10011111 Decimal Binary Decimal 10100000 10100001...
  • Page 309 Index add static route 6-8 ADSL Line Configuration 2-2 advanced configuration features 2-35 ATMP 4-10 tunnel options 4-8 backup default gateway 7-13 backup, line 7-1 basic firewall 10-32 BootP 6-17...
  • Page 310 with TFTP 11-8 with XMODEM 11-11 Dynamic Host Configuration Protocol (DHCP) 6-17 Dynamic Host Configuration Protocol, see DHCP Dynamic WAN 6-17 Easy Setup navigating 1-7 encryption 4-3, 4-7, 4-10, 5-1 event history device 9-5 WAN 9-5 Exposed Addresses 2-40 filter parts 10-21 parts of 10-21 filter priority 10-19...
  • Page 311 3-8 navigating Easy Setup 1-7 NCSA Telnet 1-4 nested IP subnets B-11 NetBIOS 6-22 NetBIOS scope 6-23 Netopia distributing IP addresses 6-17, B-5 models 1-3 monitoring 9-1 security 10-1 system utilities and diagnostics 11-1 Network Address Translation see NAT 6-1...
  • Page 312 port number comparisons 10-22 port numbers 10-21 PPTP 4-10 tunnel options 4-4 PVC 2-16 quality of service 10-35 Quick View 9-1 restarting the system 11-12 restricting telnet access 10-17 RFC-1483 Transparent Bridging 2-44 RIP-2 MD5 Authentication 6-10 router to serve IP addresses to hosts 6- routing tables IP 6-6, 9-7 scheduled connections 2-29...
  • Page 313 4-2 Universal Plug and Play (UPnP™) 10-2 Unspecified Bit Rate (UBR) 2-18 updating firmware with TFTP 11-7 with XMODEM 11-10 updating Netopia’s firmware 11-7 upgrade 1-3 uploading configuration files 11-9 with TFTP 11-9 with XMODEM 11-11 user accounts 10-15...
  • Page 314 Index-6...

This manual is also suitable for:

4000 series
