User Manual

NR-70 Router
Preliminary version 2.8

Summary of Contents for Niveo NR-70

  • Page 1: User Manual

    User Manual NR-70 Router Preliminary version 2.8...
  • Page 2: Copyright Notice

    Copyright Notice © 2017 Niveo International BV All rights reserved. The information of this publication is protected by copyright. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. The scope of delivery and other details are Other trademarks and registered trademarks of products mentioned in this publication may be the properties of their respective owners and are only used for identification purposes.
  • Page 3: Table Of Contents

    Table of Contents: About this Manual (1); Web UI Style (1); Documents Conventions (1); 0.2.1 Format (1); 0.2.2 Icons (1); Factory Default Settings (2); Chapter 1. Hardware Installation (3); Panel Description (3); Installation Guideline ...
  • Page 4: 4.2.4 Detection and Bandwidth (26); 4.2.5 Identity Binding (27); LAN (27); DHCP Server (29); 4.4.1 DHCP Server Settings (29); 4.4.2 Static DHCP (31); 4.4.3 DHCP Auto Binding (32); 4.4.4 DHCP Client List (33); 4.4.5 Example of DHCP ...
  • Page 5: MSN Whitelist (99); TradeManager (100); Notification (101); Application Audit (104); Policy Database (105); Chapter 8. QoS Menu (107); Fixed Rate Limiting (107); Flexible Bandwidth (108); P2P Rate Limit (109); Session Limiting (110); Chapter 9.
  • Page 6: About This Manual

    Niveo Professional NR-70 About this Manual Note: For a better user experience, it is strongly recommended to use Internet Explorer 8.0 or above, Google Chrome, or Firefox. Web UI Style: The Device’s Web User Interface (Web UI) follows the web standards, as follows: Radio Button: Allows you to choose only one of a predefined set of options.
  • Page 7: Factory Default Settings

    Niveo Professional NR-70 Factory Default Settings The factory default settings of interfaces are shown in the following table (Parameter / Default Value / Description): User Name: admin; Password: admin (both the User Name and Password are case sensitive); LAN IP Address: 192.168.1.1/255.255.255.0 (you can use this IP address to ...)
  • Page 8: Chapter 1. Hardware Installation

    Chapter 1. Hardware Installation This chapter describes the physical characteristics of the Device and explains how to install it. Panel Description 1) Front Panel: The LED indicators, the interfaces and the button are located on the front panel of the Device; please see the product.
  • Page 9: Installation Guideline

    Interface Description: LAN Port: These interfaces provide a LAN connection to network devices, such as PCs or switches. WAN Port: The WAN interface is connected to your Internet device, such as PCs or switches. The number of WAN ports depends on the device model. Connect a TF card for data sharing.
  • Page 10: Installation Requirements

    - Position the Device out of direct sunlight and away from sources of heat and ignition. - Please install the Device in a place far away from High Power Radio or Radar Stations. - Keep the Device far away from water! ...
  • Page 11: Connecting The Device

    Connecting the Device Before you install the Device, please make sure your PC can connect to the Internet through your broadband service successfully. If there is any problem, please contact your ISP for help. After that, please install the Device according to the following steps. Don’t forget to pull out the power plug and keep your hands dry.
  • Page 12: Chapter 2. The Device

    Chapter 2. The Device This chapter describes how to configure TCP/IP settings on your computer and how to log in to the Device. In addition, it briefly describes the layout of the Device’s Web interface. Configuring your computer To configure the Device via the Web UI, you need to properly configure TCP/IP settings on the computer that you use to manage the Device.
  • Page 13 Pinging 192.168.1.1 with 32 bytes of data: Reply from 192.168.1.1: bytes=32 time<1ms TTL=255 Reply from 192.168.1.1: bytes=32 time<1ms TTL=255 Reply from 192.168.1.1: bytes=32 time<1ms TTL=255 Reply from 192.168.1.1: bytes=32 time<1ms TTL=255 Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ...
  • Page 14: Logging In To The Device

    Logging In to the Device No matter what operating system is installed on your computer (MS Windows, Macintosh, UNIX, Linux, and so on), you can configure the Device through a Web browser (e.g., Internet Explorer, Firefox). Step 1: For local access to the Device’s web-based utility, launch your web browser and enter the Device’s default IP address, 192.168.1.1, in the URL field.
  • Page 15 Figure 2-3 Homepage Home page Description: (1) Niveo Logo: Click to go to the home page on the UTT website. (2) Model, Hardware Version and Software Version: Displays the model number, software version and firmware version of the Device. (3) Quick Link Icons: Provide quick links to the corresponding pages on the UTT website.
  • Page 16: Chapter 3. Start Menu

    Chapter 3. Start Menu The Start menu is located in the upper left of the Web interface and provides four commonly used functions: Setup Wizard, Interface Status, Interface Traffic, and Restart Device. In this chapter, you can configure the basic parameters to access the Internet, view each physical interface’s detailed information, and restart the Device.
  • Page 17: Setup Wizard - WAN1 Settings

    Next: Click to enter the next page of the Setup Wizard. Figure 3-2 System Information 3.1.2 Setup Wizard - WAN1 Settings There are three connection types you can configure for the WAN Internet connection: PPPoE, Static IP and DHCP. For detailed information, refer to the chapter: WAN.
  • Page 18: Interface Status

    Interface Status On the Start > Interface Status page, you can view the current status of all physical interfaces, including the type of interface, connection type, status, IP address, duration and so on. Figure 3-5 Interface Status Interface Traffic The interface rate chart dynamically displays the real-time RX/TX rate, average RX/TX rate, maximum RX/TX rate and total RX/TX traffic of each physical interface.
  • Page 19 Figure 3-6 Interface Status RX: Displays the real-time RX rate of the physical interface, which refreshes every two seconds. For the LAN interface, RX means uploading; for the WAN interface, it means downloading. TX: Displays the real-time TX rate of the physical interface, which refreshes every two seconds.
  • Page 20: Restart Device

    Restart Device On the Start > Restart Device page, you can restart the Device. When you click the Restart button, the system pops up a dialog. You can then click the OK button to restart the Device, or click the Cancel button to cancel the operation. Figure 3-7 Restart Device Note: Because restarting the Device will disconnect all sessions, please do it with caution.
  • Page 21: Chapter 4. Network Menu

    Chapter 4. Network Menu This section describes the Network > WAN page, where you can set up how to access the Internet. There are three connection types: PPPoE, Static IP and DHCP (Obtain an IP automatically). Depending on which connection type you select, you will see different settings.
  • Page 22 Figure 4-2 PPPoE Connection Setup ISP Policy: Select the ISP Policy (i.e., route policy database) for each Internet connection. Thus all traffic destined to an ISP’s servers will be forwarded through that ISP’s connection. User Name and Password: Enter the PPPoE login user name and password provided by your ISP.
  • Page 23: Static IP Connection

    - On Demand: If selected, the Device will establish a PPPoE session only when there are packets requesting to access the Internet (i.e., when a program on your computer attempts to access the Internet). - Manual: If selected, you can dial or hang up a PPPoE session manually. Dial Mode: If the PPPoE connection isn’t established successfully even with the correct user name and password, you may try the other modes.
  • Page 24: DHCP Connection

    ISP Policy: Select the ISP Policy (i.e., route policy database) for each Internet connection. Thus all traffic destined to an ISP’s servers will be forwarded through that ISP’s connection. IP Address: Enter the IP address for the Device’s WAN interface, which is provided by your ISP.
  • Page 25: Edit The Connection

    Internet Connection List. Click the Refresh button to view the current status of the connection. Figure 4-5 Internet Connection List Interface: Displays the name of the physical interface to which the connection is bound. Connection Type: Displays the type of the Internet connection. Status: Displays the current status of the Internet connection.
  • Page 26: Delete The Connection

    Step 2: Modify the connection settings. Step 3: Click the Save button to save the settings. 4.1.6 Delete the Connection If you want to delete the connection, do the following: Step 1: In the Internet Connection List, click the related WAN hyperlink; the related information will be displayed in the setup fields.
  • Page 27: Renew Or Release A DHCP Connection

    4.1.8 Renew or Release a DHCP Connection If the connection type is DHCP, when you click the WAN1 hyperlink, the Renew, Release and Refresh buttons will be shown in the Internet Connection List. Click the Renew button to re-acquire an IP address from the ISP’s DHCP server. Click the Release button to release the IP address obtained from the ISP’s DHCP server.
  • Page 28: Global Settings

    Internet connection, please set it to 0. ● Retry Times: The number of retries per detection period. For a normal Internet connection and a faulty Internet connection, the detection mechanisms are different. For a normal Internet connection, the detection mechanism is as follows: The Device periodically sends a detection packet at the specified time interval to the target IP address.
  • Page 29 3) Once the faulty connection is back to normal, the Device will enable it immediately, and the traffic will be redistributed automatically. If you choose to use Partial Load Balancing, some Internet connections are used as primary connections, and others are used as backup connections. The operation principle is as follows: 1) As long as one or more primary connections are normal, the LAN users will use the primary connection(s) to access the Internet.
  • Page 30: Load Balancing List

    Figure 4-9 Partial Load Balancing Mode: Specify the mode of load balancing. Here please select Partial Load Balancing. Primary: Specify the primary connection group. An Internet connection in the Primary list box is a primary connection. Backup: Specify the backup connection group. An Internet connection in the Backup list box is a backup connection.
  • Page 31: Detection And Bandwidth

    Figure 4-10 Load Balancing List 4.2.4 Detection and Bandwidth On the Network > Load Balancing > Detection and Bandwidth page, you can configure the connection detection parameters for each Internet connection separately. Figure 4-11 Detection and Bandwidth Settings Interface: Select the physical interface for which you want to set load balancing. Detection Interval: Specify the time interval at which the Device periodically sends detection packets, one packet at a time.
  • Page 32: Identity Binding

    Detection Target: The IP address of a detection target device. The Device will monitor an Internet connection by sending the detection packets to the detection target IP address. If you select Gateway IP Address from the drop-down list, the Device will send the detection packets to the selected Internet connection’s default gateway;...
  • Page 33 Figure 4-13 LAN Settings IP Address: Specify the IP address of the LAN interface. The default value is 192.168.1.1. Subnet Mask: Specify the subnet mask that defines the range of the LAN. The default value is 255.255.255.0. MAC Address: The MAC address of the LAN interface. We recommend that you do not change the default value unless absolutely necessary.
  • Page 34: DHCP Server

    DHCP Server The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP allows a host to be configured automatically, eliminating the need for intervention by a network administrator. The Device can act as a DHCP server to assign network addresses and deliver other TCP/IP configuration parameters (such as gateway IP address, DNS server IP address, etc.) to the LAN hosts.
  • Page 35 Enable DHCP Server: Select to enable DHCP server. Start and End IP Address: Specify the range of IP addresses assigned to DHCP clients. The range of IP addresses must be on the same subnet as the LAN interface of the Device, and cannot include the IP address of the LAN interface. Subnet Mask: The subnet mask address assigned by the DHCP server to the intranet computers automatically.
  • Page 36: Static DHCP

    DNS server provided by your ISP on the Device. You can also specify the secondary DNS server provided by your ISP. 4) The Device can act as a DNS proxy server for all LAN users; this greatly simplifies the setup of the LAN hosts.
  • Page 37: DHCP Auto Binding

    4.4.2.2 Static DHCP Settings Click the Add button on the page shown in Figure 4-15 to enter the Static DHCP Settings page shown below, and then configure it. Figure 4-16 Static DHCP settings User Name: Specify a unique name for the static DHCP entry. IP Address: Specify the reserved IP address, which must be a valid IP address within the range of IP addresses assigned by the DHCP server.
  • Page 38: DHCP Client List

    Figure 4-17 DHCP Auto Binding Enable DHCP Auto Binding: If selected, once a LAN host obtains an IP address from the Device acting as a DHCP server, the Device will immediately bind the host’s IP and MAC address as a static DHCP entry. Enable DHCP Auto Deleting: If selected, the Device will automatically delete the static DHCP entry when the corresponding host actively releases the IP address or its lease time expires.
  • Page 39: Example Of DHCP

    4.4.5 Example of DHCP 1) Requirements In this case, the DHCP function must be enabled on the Device, with the start IP address 192.168.1.10 and a total of 50 assignable addresses; in addition, the host with the MAC address 00:21:85:9B:45:46 is assigned the fixed IP address 192.168.1.15, and the host with the MAC address 00:1F:3C:0F:07:F4 is assigned the fixed IP address 192.168.1.10.
  • Page 40: DDNS

    Figure 4-21 Static DHCP Settings_Example B At this point, the configuration is complete, and you can view the information about the 2 static DHCP entries in the Static DHCP List, as shown in the following figure. Figure 4-22 Static DHCP List_Example DDNS Dynamic Domain Name Service (DDNS) is a service used to map a domain name, which never changes, to a dynamic IP address, which may change quite often.
  • Page 41: DDNS Service Provided By dyndns.org

    no-ip.com. 2) DDNS Settings – no-ip.com Figure 4-23 DDNS_no-ip.com Service Provider: Select the DDNS service provider who offers services to the Device. Here please select no-ip.com. Host Name: Specify the host name of the Device. User Name: Enter the user name of the account. It should be the same as the user name that you entered when registering the DDNS account.
  • Page 42: DDNS Verification

    Figure 4-24 DDNS_dyndns.org Service Provider: Select the DDNS service provider who offers services to the Device. Here please select dyndns.org. Host Name: Specify the host name of the Device. User Name: Enter the user name of the account. It should be the same as the user name that you entered when registering the DDNS account.
  • Page 43: UPnP

    1) If your ISP assigns a private IP address (192.168.x.x, 10.x.x.x, or 172.16.x.x) instead of a public IP address to the Device, DDNS will not work. 2) The DDNS feature can help you implement VPN tunnels using dynamic IP addresses on the Device. UPnP Universal Plug and Play (UPnP) is an architecture that implements zero-configuration networking, that is, it provides automatic IP configuration and dynamic...
  • Page 44: Number Of WAN

    Number of WAN On the Network > Number of WAN page, you can set the number of WAN interfaces. Select the number of WAN interfaces and click the Save button to save the settings. Figure 4-26 Number of WAN Settings Note: 1) After the number of WAN interfaces is changed, you need to restart the Device for the setting to take effect.
  • Page 45: Chapter 5. Advanced Menu

    Chapter 5. Advanced Menu NAT&DMZ This chapter describes how to configure and use NAT features, including port forwarding, DMZ hosts, and NAT rule. 5.1.1.1 Port Forwarding Port forwarding can be used to set up public services on your network. When users from the Internet make certain requests on your network, the Device can forward those requests to computers equipped to handle the requests.
  • Page 46  Edit a Port Forwarding Rule: Click the Name or Edit hyperlink of this rule entry, the related information will display in the setup fields. Then modify it, and click the Save button.  Delete Port Forwarding Rule(s): Select the leftmost check boxes of entries, and then click the Delete button.
  • Page 47 Bind to: Select the NAT rule to which this port forwarding rule is bound. The port forwarding rule will use the WAN interface’s IP address as the external IP address. Note: The system will automatically create some port forwarding rules. You cannot modify or delete them.
  • Page 48 Figure 5-4 Port Forwarding Settings - Example Two 5.1.1.4.3 Example Three An organization obtains eight public IP addresses (from 218.1.21.0/29 to 218.1.21.7/29) from the ISP. Therein, 218.1.21.1/29 is used as the Internet connection’s gateway IP address, 218.1.21.2/29 is used as the Device’s WAN1 interface’s IP address.
  • Page 49: NAT Rule

    Figure 5-5 Port Forwarding Settings - Example Three 5.1.1.5 NAT Rule 5.1.1.6 Introduction to NAT The NAT (Network Address Translation) is an Internet standard that is used to map one IP address space (i.e., Intranet) to another IP address space (i.e., Internet). The NAT is designed to alleviate the shortage of IP addresses, that is, it allows all the LAN hosts to share a single or a small group of IP addresses: On the Internet, there is only a single device using a single or a small group of public IP addresses;...
  • Page 50 One2One (One to One): Indicates static network address translation. It is often referred to as Basic NAT, which provides a one-to-one mapping between an internal and an external IP address. In this type of NAT, the IP address needs to be changed, but the port does not.
  • Page 51 Edit a NAT Rule: Click its Edit button; the related information will be displayed on the setup page. Then modify it, and click the Save button. Delete NAT Rule(s): Select the leftmost check boxes of the entries, and then click the Delete button.
  • Page 52 5.1.1.10.2 EasyIP settings Figure 5-8 EasyIP settings Rule Name: Specify the name of this NAT rule entry. NAT Type: Specify the type of the NAT rule. Here please select EasyIP. External IP: Specify the external IP address to which the LAN hosts’ IP addresses are mapped.
  • Page 53 Figure 5-9 Network Topology for One2One NAT Rule Configuration Example The business employees will share a single public IP address, 202.1.1.130/29, to access the Internet. The LAN’s subnet number is 192.168.16.0 and the subnet mask is 255.255.255.0. The business wants to use the remaining four public IP addresses (from 202.1.1.131/29 to 202.1.1.134/29) to create a One2One rule for the four local servers, so that outside users can use these public addresses to access the local servers through the Device.
  • Page 54 Figure 5-10 One2One NAT Rule Settings - Example Step 3: Enter 202.1.1.131 in the Start External IP text box, enter 192.168.16.200 in the Start Internal IP text box, and enter 192.168.16.203 in the End Internal IP text box. Select WAN1 from the Bind to drop-down list. Step 4: Click the Save button to save the settings.
  • Page 55 Figure 5-11 EasyIP NAT Rule Settings - Example Step 3: Enter 218.1.21.3 in the External IP text box, enter 192.168.16.10 in the Start Internal IP text box, and enter 192.168.16.100 in the End Internal IP text box. Step 4: Select WAN1 from the Bind to drop-down list. Click the Save button to save the settings.
  • Page 56: Static Route

    DMZ Host IP Address: Specify the private IP address of the DMZ host. Note: The computer designated as the DMZ host will lose firewall protection provided by the Device. As the DMZ host is exposed to many exploits from the Internet, it may be used to attack your network.
  • Page 57: Static Route Settings

    Figure 5-13 Static Route List - Add Static Route: Click the Add button, then set it up, and lastly click the Save button. - Edit Static Route: Click its Edit hyperlink; the related information will be displayed on the setup page. Then modify it, and click the Save button. ...
  • Page 58: Policy Routing

    Destination IP: Specify the IP address of the destination network or host. Subnet Mask: Specify the subnet mask of the destination network or host. Gateway IP Address: Specify the IP address of the next hop router to which to forward the packets. Priority: Specify the priority of the static route.
  • Page 59 5.3.1.1 Policy Routing List Figure 5-15 Policy Routing List Enable policy routing: Select to enable Policy Routing. Add a Policy Routing Entry: Click the Add button, then set it up, and lastly click the Save button. Allow a PBR Entry: Select the Allow check box to enable the corresponding Policy Routing entry.
  • Page 60: Policy Routing Settings

    5.3.1.2 Policy Routing settings Figure 5-16 Policy Routing settings Enable: Select to enable the Policy Routing entry. The entry takes effect only if this check box is selected. Policy routing name: Specify the name of this Policy Routing entry. Interface: Specify the outbound interface through which packets matching the Policy Routing entry are forwarded.
  • Page 61: Anti-Netsniper

    Figure 5-17 Anti-NetSniper Plug and Play Plug and Play is a new feature of Niveo series security firewalls. If you enable plug and play feature on the Device, the LAN users can access the Internet through the Device without changing any network parameters, no matter what IP address, subnet mask, default gateway and DNS server they might have.
  • Page 62: Port Mirroring

    Figure 5-18 Plug and Play Note: 1) The LAN hosts’ basic TCP/IP parameters (including IP address, subnet mask, gateway IP address, and DNS server IP address) should be set properly; otherwise, the plug and play feature cannot act on those hosts. 2) Once plug and play is enabled, the Device will automatically enable proxy ARP, enable DNS proxy, and disable IP spoofing defense.
  • Page 63: Syslog

    Figure 5-19 Port Mirroring Enable Port Mirroring: Select to enable port mirroring. Mirroring Port: Specify the capture port that will mirror the traffic of the mirrored port(s). Syslog This section describes the Advanced > Syslog page. Syslog is a standard protocol used to collect a large amount of runtime information about network activity.
  • Page 64: Network Sharing Menu

    Syslog Message Facility: Specify the facility level used for logging. The facilities are used to distinguish different classes of syslog messages. Note: So far, only the Xport HiPER Manager software of UTT Technologies Co., Ltd. can identify the heartbeat message. Network Sharing Menu This section describes the function on the Network Sharing menu.
  • Page 65: FTP Server

    1) Before you eject the USB/SD card from the Device, please click the Eject Device button first, to avoid unexpected errors or irreparable hardware damage. 2) It is recommended to use the NTFS file system. 5.10 FTP Server On the Network Sharing > FTP Server page, you can set up an FTP server to share data with local area users.
  • Page 66 the setting of the current folders. Figure 5-23 FTP Server Settings Name: Specify the name of the folder, which will be displayed in the Shared Directory List. Folder: Select to share all folders. Select Folder: Select one of the paths to share. Notes: 1) All the changes you have made will take effect after a restart.
  • Page 67: Shared Account

    5.11 Shared Account You need to add accounts for users to access the FTP server before enabling network sharing. Figure 5-24 Shared Account Please set up the username and password for the user account before enabling network sharing. The two default accounts are admin and guest. The admin account has the right to read and write data, and can also upload changes on the volume to the server through IE.
  • Page 68 Access: Grant this account the right to read, or to read and write. Enable FTP Access: Select Yes to allow this account to access the FTP server, or select No to forbid this account from accessing the FTP server.
  • Page 69: Chapter 6. User Management Menu

    Chapter 6. User Management Menu User Status This section describes User Management > User Status page, where you can monitor and analyze network traffic, online behaviors of the LAN users, and current status information of each user, including Rx/Tx rate, Rx/Tx total traffic, Internet behavior, online time, etc.
  • Page 70 Clear Statistics: The system provides network traffic and Internet behavior statistics for the current day. To reset the current statistics, click the Clear Statistics button. Enable Recognition: Click to enable application recognition. If enabled, the Internet application management feature (set on the App Control > Application Control page) will take effect.
  • Page 71: IP/MAC Binding

    for serious, Yellow stands for slight, and Green stands for normal. For a user, if the percentage of network traffic made up of accessing shopping sites, social networking sites, using stock software, and playing online/web games is equal to or above 70%, his/her online activities seriously affect work.
  • Page 72 the Internet behaviors of the LAN users. In this section, we describe how to implement user identification. The Device provides the IP/MAC binding feature to implement user identification. Using the IP/MAC address pair as a unique user identity, you can protect the Device and your network against IP spoofing attacks.
  • Page 73 allowed to pass, and then be further processed by the firewall access control function module. (2) Else, the packet will be dropped immediately. For example, if the IP/MAC address pair IP 192.168.16.65 and 00:15:c5:67:41:0f is added to the IP/MAC Binding List, and its Allow check box is selected, see the following figure.
  • Page 74 (1) If the Allow Undefined LAN PCs check box is selected, the packet is allowed to pass, and then it will be further processed by the firewall access control function module. (2) Else, the packet is dropped. If you want to block the user who matches the IP/MAC binding from accessing the Device and Internet, you need unselect Allow check box, see the following figure.
  • Page 75 you change a LAN host’s IP address or MAC address, this LAN host will be unable to access the Device or access the Internet through the Device, but it can still communicate with the other LAN hosts; for example, it can browse Network Neighborhood, use Windows file and printer sharing services within the LAN, and so on.
  • Page 76: Binding Settings

    Export: Click to download the IP/MAC binding (that is, static ARP binding) script file to the local host. Then run the file and restart the host to add all the static ARP entries to the host to prevent ARP spoofing. Note: If you want to unselect the Allow Undefined LAN PCs check box to block the undefined LAN hosts from accessing or passing through the Device, you should make sure that you have added the IP/MAC address pair of the host that...
  • Page 77: Internet Whitelist And Blacklist

    6.2.1.4 Internet Whitelist and Blacklist By utilizing IP/MAC binding feature, you can flexibly configure an Internet whitelist or blacklist for the LAN users. If you want to allow only a small number of LAN users to access the Internet, you can configure an Internet whitelist for these users.
  • Page 78 Figure 6-8 IP/MAC Binding List - Example Three 6.2.1.6 Configure an Internet Blacklist If you want to configure an Internet blacklist, do the following: Step 1: Go to the User Management > IP/MAC Binding page, and then click the Add button or select the Binding Settings tab to go to the setup page. Specify the illegal users by creating the IP/MAC bindings.
  • Page 79: PPPoE Server

    binding’s Allow check box to block the user’s access to the Device and Internet, see the following figure. Figure 6-9 IP/MAC Binding List - Example Four PPPoE Server 6.3.1.1 Introduction to PPPoE PPPoE stands for Point-to-Point Protocol over Ethernet, which uses a client/server model.
  • Page 80 6.3.1.3 PPPoE Discovery Stage In the PPPoE discovery stage, a PPPoE client finds a proper server and then builds the connection. When a client initiates a PPPoE session, it performs discovery to identify the PPPoE server’s Ethernet MAC address and establish a PPPoE session ID.
  • Page 81 6.3.1.4 PPP Session Stage In the PPP session stage, the server and client perform standard PPP negotiation to establish a PPP connection. After the PPP connection is established successfully, the original datagrams are encapsulated in PPP frames, and the PPP frames are encapsulated in PPPoE session frames, which have the Ethernet type 0x8864.
  • Page 82 Mandatory PPPoE Authentication: Select the Enable check box so that users can access the Internet only after they pass PPPoE authentication. Exception Group: Select the user group whose members can access the Internet without passing PPPoE authentication. You can configure the user group on User Management >...
  • Page 83: PPPoE Account List

    6.3.1.8 Account Settings 6.3.1.8.1 PPPoE Account List When you have configured some PPPoE accounts, you can view their configuration in the PPPoE Account List, including User Name, Enable, Static IP Address, User Status and so on. Add a PPPoE Account: Click the Add button to go to the setup page, then configure it, and lastly click the Save button.
  • Page 84 Figure 6-13 PPPoE Account Settings User Name: Specify a unique user name of the PPPoE account. It should be between 1 and 31 characters long. The PPPoE server will use User Name and Password to identify the PPPoE client. Password: Specify the password of the PPPoE account. MAC Binding: Specify the type of PPPoE account and MAC address binding.
  • Page 85 Select Account Group: Add the account to the selected account group. The account group should be set on the User Management > User Group page. Accounting Mode: The Device supports Account Billing for the PPPoE Server. It offers account billing based on time. You can configure the account expiration notice on the APP Control >...
  • Page 86 Figure 6-14 PPPoE User Status List User Name: Displays the PPPoE user name. The PPPoE dial-in user uses it to dial-up and establish the PPPoE session to the Device. IP Address: Displays the PPPoE dial-in user’s IP address that is assigned by the PPPoE server.
  • Page 87 Figure 6-16 Export PPPoE accounts 6.3.1.11 Import Accounts The PPPoE > Import Accounts page provides a PPPoE account import function to simplify operation. When you want to create a great many PPPoE accounts, you can import them all at once on this page. You can edit them in Notepad, and then copy them to the Import Accounts list box;...
  • Page 88 6.3.1.12 Example for PPPoE 1) Requirements In this example, an organization's administrator wants the LAN users to act as PPPoE clients that dial up to the Device, and only the PPPoE dial-in users are allowed to access the Internet through the Device. The exception is the CEO, with IP address 192.168.16.2.
  • Page 89 Step 1 Go to the PPPoE > PPPoE Account > PPPoE Account Settings page. Step 2 Create the universal PPPoE account whose user name is All. See the following figure: enter All in the User Name, enter test in the Password, enter universalaccount in the Remarks, enter 512 in the Tx Bandwidth and Rx Bandwidth, and enter 90 in the Max.
  • Page 90: Web Authentication

    Figure 6-20 Configuring the Advanced PPPoE Account - Example Web Authentication The Device provides a Web authentication feature. This new feature enhances network security. If you enable Web authentication on the Device, non-PPPoE dial-in users cannot access the Internet through the Device unless they are authenticated successfully through a Web browser.
  • Page 91 6.4.1.1 Global Settings Figure 6-21 Global Settings Enable Web Authentication: If selected, non-PPPoE dial-in users cannot access the Internet through the Device unless they are authenticated successfully. Enable the Background Picture: Select to enable setting a background picture on the web authentication page. Allow Users to Change Password: Select to allow users to change their password themselves.
  • Page 92 Figure 6-22 Web Authentication Account List Click the Add button in Figure 9-22 to go to the setup page, configure it, and finally click the Save button. Figure 6-23 Web Authentication Account Settings User Name: Specify a unique user name for the web authentication account. It should be between 1 and 31 characters long.
  • Page 93: Client Status

    End Date: Select the day on which the account expires. Total Time: Enter the total time for which this account takes effect. Description: Specify the description of the web authentication account. 6.4.1.3 Client Status On the Web Authentication > Client Status page, you can view the current status of the web authentication accounts that have been used.
  • Page 94: User Group

    an authentication login page, see the following figure. Figure 6-25 Web Authentication Login Page Step 4 Enter the correct user name and password in the text boxes, and then click the Save button; the system will pop up a prompt page. Figure 6-26 Web Authentication Prompt Page User Group This section describes User Management >...
  • Page 95 Figure 6-27 User Group List User Group Settings To add a new user group, go to the User Management > User Group page, click Add to go to the User Group Settings page, configure it, and finally click Save. Figure 6-28 User Group Settings Group Name: Specify a unique name for the user group.
  • Page 96: Chapter 7. App Control Menu

    Chapter 7. App Control Menu This chapter describes how to configure schedules, application control, the QQ whitelist, the MSN whitelist, TradeManager, notification, application audit, and the policy database. Schedule This section describes the APP Control > Schedule page, where you can configure and view schedules. A schedule consists of a start date, an end date, and optional time periods. Schedule List In the Schedule List, you can add, view, modify and delete schedules.
  • Page 97: Application Control

    Figure 7-2 Schedule Settings Schedule Name: Specify a unique name for the schedule. Effective Date Range: Specify the effective date range for the schedule. Time Period 1 ~ Time Period 3: Specify further constraints on the active time within the specified date range. Application Control This section describes APP Control >...
  • Page 98 Figure 7-3 Application Management List Figure 7-4 Application Management List (continued) Enable Internet Application Management: Select the check box to enable Internet application management. Notes: To use this feature, you need to enable application recognition in User Management > User Status page.
  • Page 99 Internet Application Management Settings To add a new application management policy, go to the App Control > Application Control page, click Add to go to the Internet Application Management Settings page, configure it, and finally click Save. Figure 7-5 Internet Application Management Settings Group Name: Enter a unique name for the group to which the Internet application management policy applies.
  • Page 100 Network Object: Select the members of the group. You can select the IP Range button to specify a range of IP addresses, or select the User Group button to select a user group. The members in the group are subject to the Internet application management policy.
  • Page 101 • Policy 1: It is used to allow the Customer Service and Sales Departments' employees to use IM applications, and block all other applications during working hours. • Policy 2: It is used to block the Technology and Financial Departments' employees from accessing all the Internet applications during working hours.
  • Page 102 • Select the first Select All check box in the page. • In the Schedule Settings section, do the same as for policy 1. Step 5 Click the Save button to add this policy to the Application Management List. Enabling Internet Application Management Lastly, you need to enable Internet application management to make the policies take effect.
  • Page 103: QQ Whitelist

    Figure 7-7 Internet Application Management List – Example (continued) QQ Whitelist This section describes App Control > QQ Whitelist page. This feature allows you to add a list of QQ numbers that are exempt from the Internet application management policies (set in App Control > Application Control page). Figure 7-8 QQ Whitelist...
  • Page 104: MSN Whitelist

    Allow 400/800 Enterprise QQ: Select to allow 400/800 enterprise QQ. If selected, 400/800 enterprise QQ numbers are exempt from the Internet application management policies. Enable QQ Whitelist: Select to enable the QQ whitelist. If enabled, the QQ numbers in the QQ Whitelist are exempt from the Internet application management policies. Add: To add a new QQ number, click Add to go to the QQ Whitelist Settings page, configure it, and finally click Save.
  • Page 105: TradeManager

    Figure 7-10 MSN Whitelist Enable MSN Whitelist: Select the check box to enable the MSN whitelist. If enabled, the MSN accounts in the MSN Whitelist are exempt from the Internet application management policies. Add: To add a new MSN account, click Add to go to the MSN Whitelist Settings page, configure it, and finally click Save.
  • Page 106: Notification

    Figure 7-11 TradeManager Enable TradeManager Whitelist: Select the check box to enable the TradeManager whitelist. If enabled, the accounts in the TradeManager list are exempt from the Internet application management policies. Add: To add a new TradeManager account, click Add New Items to go to the TradeManager Account page, configure it, and finally click Save.
  • Page 107 7.6.1.1 Daily Routine Notification When daily routine notification is used, the Device automatically pushes the notice message to the LAN users that belong to the specified address group at the specified time. Figure 7-12 Daily Routine Notification Enable: Select the check box to enable Daily Routine Notification. IP Address Range: Specify the range of IP addresses to which the notification will be sent.
  • Page 108: Account Expiration Notification

    Notification Content: Specify the content of the notice message. Effective Date Range: Specify the effective date range of the notification. Recurring Time Range: Specify the days and times during which the notification will be sent. Note: Modifying only the notification title and notification content and then clicking the Save button will not take effect.
  • Page 109: Application Audit

    Application Audit This section describes App Control > Application Audit page. On the Device, auditing is the process of tracking user online activities. When an audited event occurs, the Device stores a record of the event to the audit log. 1) View Audit Log Figure 7-14 Internet Application Audit Note: The Device can record the last 400 audit log messages.
  • Page 110: Policy Database

    Figure 7-15 Log Management Enable Web Log: Select the check box to enable web log. If enabled, you can view the records of website visits in Application Audit page. E.g., "2012-07-09 09:36:41 srcip=200.200.202.127;url=www.paipai.com" means that the user with IP address 200.200.202.127 accessed www.paipai.com on July 09, 2012 at 09:36:41.
  • Page 111 Figure 7-16 Policy Database Name: Displays the name of the policy. Type: Displays the type of the policy. Description: Displays the description of the policy. It is usually used to describe the purpose of the policy. Update: Click to update the policy over the Internet. Update All: Click to update all policies in the list over the Internet.
  • Page 112: Chapter 8. QoS Menu

    Chapter 8. QoS Menu This chapter mainly describes fixed rate limiting, flexible bandwidth, P2P rate limit, and session limiting. Fixed Rate Limiting On the QoS > Fixed Rate Limiting page, you can specify the upload/download limiting value for each LAN host, in order to allocate bandwidth equally and prevent a few hosts from occupying too much bandwidth.
  • Page 113: Flexible Bandwidth

    Figure 8-2 Fixed Rate Limiting Setup Group Name: Specify the group name. Src Group: Specify the range of IP addresses in the local network to which the fixed rate limiting rule applies. Dest Group: Specify the range of destination IP addresses to which the fixed rate limiting rule applies.
  • Page 114: P2P Rate Limit

    Figure 8-3 Flexible Bandwidth Enable Game Boost: Select to enable game boost. Uplink Bandwidth: Specify the upload speed of the Internet connection. 0 means unlimited rate. Downlink Bandwidth: Specify the download speed of the Internet connection. 0 means unlimited rate. Game Settings: Select the game you want to boost. P2P Rate Limit P2P software usually occupies too much bandwidth, which makes the network very busy.
  • Page 115: Session Limiting

    Figure 8-4 P2P Rate Limit Enable P2P Rate-Limiting: Select to enable P2P Rate-Limiting. Rate-Limiting Policy: The options are Exclusive and Share. • Exclusive: The specified Max. Tx/Rx Rate is assigned to each member in the group. • Share: The specified Max. Tx/Rx Rate is shared by all members in the group.
  • Page 116 Figure 8-5 Session Limiting Enable Session Limit: Select to enable session limiting. Max. Sessions: Specify the maximum number of concurrent sessions per restricted host. 0 means no restriction. Max. TCP Sessions: Specify the maximum number of concurrent TCP sessions per restricted host. 0 means no restriction. Max.
  • Page 117: Chapter 9. Firewall Menu

    Chapter 9. Firewall Menu This chapter mainly describes attack prevention, access control, domain filtering, and MAC address filtering. Attack Prevention This section describes the Firewall > Attack Prevention page, which includes internal attack prevention and external attack prevention. 9.1.1.1 Internal Attack Prevention In this page, you can make basic internal attack defense settings to enhance network security.
  • Page 118 Enable DDoS Prevention: If selected, the Device will be effectively protected against popular DoS/DDoS attacks. Enable IP Spoofing Prevention: If selected, the Device will be effectively protected against IP spoofing attack. The Device will only forward the packets whose source IP address is in the same subnet as the Device LAN IP address. Enable UDP Flood Prevention: If selected, the Device will be effectively protected against UDP flood attack.
  • Page 119: Access Control

    Enable Port Scanning Prevention: If selected, the Device will be effectively protected against port scanning attacks. After you enable this feature, if a LAN host continuously sends SYN packets to different ports on a remote host, and the number of ports exceeds 10 within the specified time interval (set by the Threshold), the Device will consider that the LAN host is performing a port scanning attack, and then randomly discard further SYN packets from it to that destination host.
  • Page 120 9.2.1.1 The Operation Principle of Access Control By default, as no access control rule exists on the Device, the Device will forward all the valid packets received by the LAN interface. After you have enabled access control, the Device will examine each packet received by the LAN interface to determine whether to forward or drop the packet, based on the criteria you specified in the access control rules.
  • Page 121 9.2.1.3 Access Control Rule List Figure 9-3 Access Control List Add an Access Control Rule: Click the Add button to go to the setup page, configure it, and finally click the Save button. Edit an Access Control Rule: Click its Edit hyperlink; the related information will be displayed in the setup page.
  • Page 122 9.2.1.4.1 IP Filtering Figure 9-4 Access Control Rule Settings_IP Filtering Rule Name: Specify the name of this rule. Enable: Select to enable Access Control. Src IP: Specify the source IP addresses of the packets to which the access control rule applies. There are two options: ...
  • Page 123: URL Filtering

    • Allow: If selected, the Device will allow the packets that match the rule to pass, that is, the Device will forward these packets. • Deny: If selected, the Device will not allow the packets that match the rule to pass, that is, the Device will drop these packets. Filtering Type: Here, select IP Filtering.
  • Page 124 The settings of Rule Name, Enable, Src IP, Action, and Schedule Settings are the same as for IP Filtering; please refer to the section 12.2.1.4.1 IP Filtering. Filtering Type: Here, select URL Filtering. Filtering Content: Enter the URL address to which you want the access control rule to apply.
  • Page 125: DNS Filtering

    Filtering Type: Here, select Keyword Filtering. Filtering Content: Specify the keywords to which you want the access control rule to apply. Note: 1) For Keyword Filtering, Deny is the only action you can choose. 2) The filtering content cannot contain < > , % ' \ " & ; or blank space. 9.2.1.4.4 DNS Filtering Figure 9-7 Access Control Rule Settings_DNS Filtering The settings of Rule Name, Enable, Src IP, Action, and Schedule Settings are the same as...
  • Page 126 9.2.1.5 Examples for Access Control 9.2.1.5.1 Example One Requirements In this example, a business allows the hosts with IP addresses from 192.168.1.9 to 192.168.1.20 to access the Internet during working time (Monday to Friday, 9:00~18:00). Analysis We need to use three user-defined access control rules to meet the requirements: (1) User-defined rule 1: Allow them to access DNS during working time.
  • Page 127 Figure 9-8 Access Control _Example 1_step 1 Step 2 Configuring Access Control Rule 2 Go to the Firewall > Access Control page. Set the Src IP from 192.168.1.9 to 192.168.1.20, select Allow from the Action, select IP Filtering from Filtering Type, select 6(TCP) from Protocol, select 80(web) from Common Service, select Mon to Fri from the Days, select 9:00 to 18:00 from Time, and finally click the Save button to save the settings.
  • Page 128 Figure 9-9 Access Control _Example 1_step 2 Step 3 Configuring Access Control Rule 3 Go to the Firewall > Access Control page. Set the Src IP from 192.168.1.9 to 192.168.1.20, select Deny from the Action, select IP Filtering from Filtering Type, select all(All) from Protocol, select Mon to Fri from the Days, select 9:00 to 18:00 from Time, and finally click the Save button to save the settings.
  • Page 129 Figure 9-10 Access Control _Example 1_step 3 9.2.1.5.2 Example Two Requirements A company uses the Device as a network access device. The requirements are as follows: Block the users with IP addresses from 192.168.1.80 to 192.168.1.90 from accessing http://www.bbc.com (IP address 29.58.246.93) and http://www.cnn.com (IP address 157.166.255.18).
  • Page 130 Enter www.bbc.com in the Filtering Content text box, and finally click the Save button to save the settings. Figure 9-11 Access Control _Example 2_step 1 Step 2 Configuring Access Control Rule 2 Go to the Firewall > Access Control page. Set the Src IP from 192.168.1.80 to 192.168.1.90, select Deny from the Action, select URL Filtering from Filtering Type, enter www.cnn.com in the Filtering Content text box, and finally click the Save button to save the settings.
  • Page 131: Domain Filtering

    Figure 9-12 Access Control _Example 2_step 2 Domain Filtering This section describes the steps and notes to set up Domain Filtering on the Firewall > Domain Filtering page.
  • Page 132: Domain Filtering Settings

    9.3.1 Domain Filtering Settings Figure 9-13 Domain Filtering Settings Enable Domain Filtering: Select to enable the domain filtering entries. Filtering Mode: Specify the mode of domain filtering. There are two available options: • Only Block Domain Names in Domain Name List: If selected, the Device will block the LAN users from accessing the domain names in the Domain Name list, but allow the users to access any other domain names.
  • Page 133: Domain Block Notification

    Domain Name: Specify the domain names that will be blocked or allowed according to the Filtering Mode. You can create up to 90 domain names in the list. Domain Name List: Displays the domain names that will be blocked or allowed.
  • Page 134: MAC Address Filtering

    Enable Domain Block Notification: If selected, when a LAN user accesses a domain name that is blocked by the Device, the Device will pop up a notice message to remind the user, and the requested web page will automatically jump to the specified web page (set in Redirecting URL) after the specified time interval (set in Redirecting Time).
  • Page 135 Figure 9-15 MAC Address Filtering List Enable MAC Filter: Select to enable MAC address filtering. Filtering Mode: Select the mode of MAC address filtering. • Only allow MAC address in the list to access the Internet: Choose to allow the wireless clients with MAC addresses listed in the MAC Address Filtering List to connect to the Device, but block all other wireless clients.
  • Page 136 Figure 9-16 MAC Address Filtering Settings...
  • Page 137: Chapter 10. VPN Menu

    Chapter 10. VPN Menu 10.1 Introduction to VPN Technologies PPTP and IPSec are the two most popular VPN tunneling protocols. Tunneling protocols are at the heart of all VPN implementations. VPN tunneling involves establishing and maintaining a logical network connection, on which the encapsulated packets are transmitted securely.
  • Page 138: PPTP

    10.2 PPTP PPTP is a VPN tunneling protocol which encapsulates PPP frames in IP packets for transmission over a public IP network such as the Internet. PPTP is based on a client/server model. The PPTP client initiates a PPTP connection to the server, while the PPTP server accepts the incoming PPTP connection from the client.
  • Page 139: PPTP Server Settings

    Device that functions as a PPTP server at the head office; and at the same time, it also functions as a PPTP server to receive the packets from the mobile users, and transmit those packets destined for the head office internal network to the Device at the head office, thus the mobile users can access both the branch office and head office internal networks.
  • Page 140 10.2.1.3 Global Settings Figure 10-3 PPTP Server_Global Settings Enable PPTP Server: Select to enable PPTP Server. PPP Authentication: Specify the PPP authentication mode of the PPTP tunnel. The available options are PAP, CHAP, MS-CHAPV2 and ANY. • PAP: Password Authentication Protocol. ...
  • Page 141 Server IP: Specify the IP address of the VPN server. This address should be on the same network segment as the VPN address pool, but not within the pool. Primary / Secondary DNS Server: When the Device is set up as the PPTP server, it can assign DNS server addresses to the client for Internet access.
  • Page 142 User Name: Specify a unique user name of the PPTP client. It should be between 1 and 31 characters long. The PPTP server will use the User Name and Password to identify the remote PPTP client. Password: Specify the password of the PPTP client. Static IP Address: Specify the IP address the PPTP server assigns to PPTP client.
  • Page 143 Tunnel Name: Specify a unique name for the PPTP tunnel. User Name: Specify the user name of the PPTP client. Password: Specify the password of the PPTP client. PPP Authentication: Specify the PPP authentication mode of the PPTP tunnel. The available options are PAP, CHAP, MS-CHAPV2 and ANY. ...
  • Page 144 Figure 10-6 PPTP List 10.2.1.7 Example of PPTP In this scenario, a company’s head office is located in Washington, and its branch office is located in New York. Now the company wants the head office and branch office to securely communicate with each other over the Internet. In addition, some mobile users (traveling employees, telecommuters, etc.) want to securely access the head office’s internal network over the Internet.
  • Page 145 as a PPTP server at the head office, and another VPN appliance acting as a PPTP client at the branch office. And the mobile users will use the Windows XP built-in PPTP client. The IP addresses are as follows: The Device (PPTP Server) at the head office: ...
  • Page 146 Figure 10-8 PPTP Server Settings (1) Creating a LAN-to-LAN PPTP Server Account for the Branch Office Click the Account Settings tab and make settings as the following figure, lastly click the Save button. Figure 10-9 PPTP Server Settings_LAN-to-LAN (2) Creating a Mobile User Server Account for Mobile Users...
  • Page 147 Figure 10-10 PPTP Server Settings_Mobile User 2) Configuring Branch office’s Device as a PPTP Client Go to VPN > PPTP page, click the Add Client button and then make settings as the following figure, lastly click the Save button. Figure 10-11 PPTP Client settings 3) Configuring a Windows XP-based Computer as a PPTP Client (Mobile User) Do the following steps on a Windows XP-based computer to configure it as a PPTP client.
  • Page 148 (1) Creating the PPTP Dial-up Connection Go to Start > Settings > Control Panel, and select Switch to Category View. Select Network and Internet Connections. Select Create a connection to the network at my workplace. Select the Virtual Private Network connection option, and then click the Next button. Enter a name for the connection (PPTP in this example) in the Company Name text box, and then click the Next button.
  • Page 149: IPSec

    10.3 IPSec With the development of network security standards and protocols, various VPN technologies have emerged. IPSec VPN is one of the most widely used VPN security technologies today. IPSec is a set of open standards and protocols for implementing secure network communication, which provides two security mechanisms: encryption and authentication.
  • Page 150 consists of a set of security parameters like security protocol (ESP or AH), encryption and/or authentication algorithms and keys, SA lifetime, and so on. SPI (Security Parameter Index): SPI is a 32-bit number that is used to identify an SA. The receiver uses the SPI, along with the destination IP address and security protocol type (AH or ESP) to uniquely identify an SA.
  • Page 151 like security protocol (ESP or AH), encryption and/or authentication algorithms, session keys, SA lifetime, and so on. Because an IPSec SA is simplex (unidirectional) in nature, a bidirectional communication requires at least two SAs, one in each direction. The basic operation of IKE can be broken down into two phases: ...
  • Page 152 • Second exchange (message 3 and 4): A Diffie-Hellman exchange is performed. Each endpoint exchanges a nonce (i.e., random number). • Third exchange (message 5 and 6): Identities of both endpoints are exchanged and verified. In the third exchange, identities are not transmitted in clear text. The identities are protected by the encryption algorithm agreed upon in the first two exchanges.
  • Page 153 2) IKE Phase 2 Once an IKE SA is established successfully in phase 1, the two IPSec endpoints use it to negotiate IPsec SAs in phase 2. The IPSec SAs are used to secure the user data to be transmitted through the IPSec tunnel. During IKE Phase 2, the two IPSec endpoints also exchange security proposals to determine which security parameters are to be used in the IPSec SAs.
  • Page 154: IPSec List

    messages, the endpoint will renegotiate the SAs with the peer. 10.3.1.4 IPSec NAT Traversal Network Address Translation (NAT) is a technology that allows multiple hosts on a private network to share a single or a small group of public IP addresses. Undoubtedly, NAT can help conserve the remaining IP address space and provide the benefit of network security assurance;...
  • Page 155: IPSec Settings

    Figure 10-12 IPSec List 10.3.1.6 IPSec settings There are three connection types to choose from: Bidirectional, Originate-Only, and Answer-Only. For each connection type, the configuration parameters are divided into two categories: basic and advanced parameters. The basic parameters differ for each type, but the advanced parameters are the same. The following describes the basic parameters for each connection type respectively, and then describes the advanced parameters common to them.
  • Page 156 Figure 10-13 IPSec Settings_Bidirectional Connection Type: Specify the role of the Device in the IPSec tunnel establishment. The available options are Bidirectional, Originate-Only and Answer-Only. Here please select Bidirectional. Gateway IP/Domain Name (Remote): Specify the IP address or domain name of the Device at the other end of the IPSec tunnel.
  • Page 157 P2 Encrypt/Auth Algorithms 1: It refers to the preferred phase 2 proposal that specifies a set of security protocols and algorithms for phase 2 negotiation. (2) Originate-Only If the local Device has a dynamically assigned IP address, and the remote endpoint (another enterprise wireless router or compatible VPN appliance) has a static IP address, you can choose Originate-Only as the connection type.
  • Page 158 but the identity authentication for the remote IPSec endpoint is optional. ID Type (Remote): Specify the type of remote ID. The available options are Domain Name, Email Address, IP Address and Other. In this connection type, it is an optional parameter. If you want remote IPSec device to be authenticated, please select one type and then specify ID Value (Remote).
  • Page 159 The parameters Gateway IP/Domain Name (Remote), Subnet IP (Remote), Subnet Mask (Remote), Bind to (Local), Subnet IP (Local), Subnet Mask (Local), Preshared Key, and P2 Encrypt/Auth Algorithms 1 are the same as those in the Bidirectional connection type, please refer to the detailed descriptions of them. The difference is that this connection type requires identity authentication.
  • Page 160 Figure 10-16 IPSec Advanced settings Exchange Mode: Specify the exchange mode used for IKE phase 1 negotiation. The available options are Main and Aggressive. If the Connection Type is Bidirectional, you should choose Main mode; otherwise, you should choose Aggressive mode. SA Lifetime: It refers to the IKE SA lifetime, which specifies the number of seconds (at least 600 seconds) an IKE SA will exist before expiring.
  • Page 161 Enable Anti-replay: If selected, the Device can detect and reject replayed packets (i.e., old or duplicate packets) to protect itself against replay attacks. Enable DPD: If selected, the Device will periodically send DPD heartbeat messages at the specified time interval (set by the Heartbeat Interval) to the remote IPSec device to verify its availability.
  • Page 162 the preshared key is testing, and the IP addresses are as follows: The Device at the head office: • WAN Interface IP Address: 200.200.202.123/24 • Default Gateway IP Address: 200.200.202.254/24 • LAN Interface IP Address: 192.168.123.1/24 The Device at the branch office: ...
  • Page 163 Connection Type: Bidirectional
    Gateway IP/Domain Name (Remote): 200.200.202.123
    Subnet IP (Remote): 192.168.123.1
    Subnet Mask (Remote): 255.255.255.0
    Bind to (Local): WAN1
    Subnet IP (Local): 192.168.16.1
    Subnet Mask (Local): 255.255.255.0
    Preshared Key: testing
    P2 Encrypt/Auth Algorithms 1: esp-aes256-md5
    3) Viewing the IPSec tunnel status After you have configured IPSec parameters on both Devices, the IPSec tunnel establishment can be triggered manually.
  • Page 164 10.3.1.9 Answer-Only and Originate-Only If the local gateway has a dynamically assigned IP address (PPPoE or DHCP), and the remote endpoint has a static IP address, you can choose Originate-Only as the connection type and Answer-Only as the connection type on the other side. In this case, both IPSec endpoints should use aggressive mode for phase 1 IKE negotiation.
  • Page 165 Connection Type: Answer-Only
    Gateway IP/Domain Name (Remote): 0.0.0.0
    Subnet IP (Remote): 192.168.16.1
    Subnet Mask (Remote): 255.255.255.0
    ID Type (Remote): Email Address
    ID Value (Remote): hiper@utt.com.cn
    Bind to (Local): WAN1
    Subnet IP (Local): 192.168.123.1
    Subnet Mask (Local): 255.255.255.0
    Preshared Key: testing
    P2 Encrypt/Auth Algorithms 1: esp-aes192
    Advanced Options...
  • Page 166 3) Viewing the IPSec tunnel status After you have configured IPSec parameters on both Devices, the IPSec tunnel establishment can be triggered manually. On the Device, you can go to the VPN > IPSec > IPSec List page to view the configuration of the IPSec tunnel, including the Key Mode, Remote Gateway, Remote Subnet IP, Bind to and Local Subnet IP.
  • Page 167 Figure 10-21 Initiator’s IPSec List...
  • Page 168: Chapter 11. System Menu

    Chapter 11. System Menu 11.1 Administrator The default administrator's user name and password are admin (case sensitive). To ensure the Device's security, you should change the default password and remember it. If the password has been changed, you must use the new user name and password to log into the Device.
  • Page 169: Time

    Figure 11-2 Language settings 11.3 Time To guarantee that the time-related functions of the Device work normally, the Device's time must be set accurately so that it is synchronized with the local standard time. The Device provides two ways of setting the system time: Setup Time Manually and Synchronize with SNTP Server.
  • Page 170: Configuration

    Set Time Manually: Manually enter the current date and time (format: Y-M-D, H:M:S). Synchronize with SNTP Server: After you set up the correct NTP server for network time synchronization, and when the Device is connected to the Internet, it will automatically synchronize its time with that NTP server. The two NTP server addresses preset by the system by default are 192.43.244.18 and 216.45.57.38, which generally require no change.
  • Page 171: Firmware Upgrade

    11.5 Firmware Upgrade On the Application > Firmware page, you can view the current firmware version information, download the latest firmware from the Niveo Professional website, and upgrade the firmware. Figure 11-5 Firmware Upgrade Firmware Version: Shows the current firmware version of the Device.
  • Page 172: Remote Management

    2) Choose the firmware Click the Choose File button to locate and select the firmware you want to upgrade to. 3) Upgrade the firmware Click the Upgrade button. In the pop-up window that appears, click OK to start the upgrade. Note: 1) As new versions of the Device's firmware become available, you can upgrade the firmware on your Device to take advantage of new features and improved performance.
  • Page 173: Scheduled Task

Enable HTTP: Select this check box to allow HTTP remote management. When accessing the Device from the Internet, enter http:// followed by the Device's WAN IP address, a colon (:) and the port number. For example, if the WAN IP address is 218.21.31.3 and the port number is 8081, enter in your browser: http://218.21.31.3:8081. Because HTTP is unencrypted, the administrator's user name, password and session travel in cleartext across the Internet when this option is used; leave it disabled unless it is needed, and disable it again when the remote work is done.
  • Page 174 Figure 11-8 Scheduled Task Settings Task Name: Name of the custom task. Repeat: Specify how often the Device performs the task. The available options are Weekly, Daily, Hourly and Minutely. Start time: Specify the time at which the Device starts to perform the task. The fields offered here change according to the value of Repeat.
  • Page 175: Chapter 12. Status Menu

Chapter 12. Status Menu In the Status menu, you can view the running state and the system information of the device. 12.1 Interface Status The Interface Status page described in this section is the same as the Start > Interface Status page; refer to the section Interface Status.
  • Page 176: System Log

Memory: Displays the percentage of memory currently in use. SN: Displays the internal serial number of the product (which may differ from the serial number printed on the case). Model: Displays the product model of the device. Hardware: Displays the hardware version number of the device. When the device hardware version is V1.0.
  • Page 177 Figure 12-2 System Logs On the Status > System Log > Log Management Settings page, you can select which types of system log are recorded and displayed. Figure 12-3 System Log Settings Select All: If selected, all the available system log types are enabled. Enable DHCP Log: If selected, the Device stores and displays DHCP-related entries in the System Log.
  • Page 178: Appendix A Faq

Appendix A FAQ Question 1: How do I configure TCP/IP? There are two ways to configure TCP/IP properties: manually, or automatically via DHCP. The following describes the procedure for each method. ...
  • Page 179 Figure Appendix- 1 Manually configuring TCP/IP Step 5 Click OK in the Internet Protocol Version 4 (TCP/IPv4) dialogue; this returns you to the Local Area Connection Properties dialogue. Click OK again. You have now finished configuring the TCP/IP properties. ...
  • Page 180 server address automatically radio button. Figure Appendix- 2 Automatically Configuring TCP/IP with DHCP Step 4 Click OK in the Internet Protocol Version 4 (TCP/IPv4) dialogue; this returns you to the Local Area Connection Properties dialogue. Click OK again. You have now finished configuring the TCP/IP properties. Question 2: How do I reset the Device to factory default settings? Case I: You know the administrator password Under normal circumstances, you can directly go to the System >...
  • Page 181 Notes: The reset operation will clear all custom settings on the Device, so do it with caution.
  • Page 182: Appendix B Common Ip Protocols

UTT Technologies Appendix B Common IP Protocols Protocol Name Protocol Number Full Name Internet Protocol ICMP Internet Control Message Protocol IGMP Internet Group Management Gateway-Gateway Protocol IPINIP...
  • Page 183: Appendix C Common Service Ports

    Appendix C Common Service Ports Service Name Port Protocol Description echo echo discard discard systat Active users systat Active users daytime daytime qotd Quote of the day qotd Quote of the day chargen Character generator chargen Character generator ftp-data FTP, data FTP.
  • Page 184 bootpc Bootstrap Protocol Client tftp Trivial File Transfer gopher finger http World Wide Web kerberos Kerberos kerberos Kerberos hostname NIC Host Name Server iso-tsap ISO-TSAP Class 0 rtelnet Remote Telnet Service pop2 Post Office Protocol - Version 2 pop3 Post Office Protocol - Version 3 sunrpc SUN Remote Procedure Call sunrpc...
  • Page 185 Internet Relay Chat Protocol IPX over IP ldap Lightweight Directory Access Protocol https MCom https MCom microsoft-ds microsoft-ds kpasswd Kerberos (v5) kpasswd Kerberos (v5) isakmp Internet Key Exchange exec Remote Process Execution biff login Remote Login syslog printer talk ntalk Extended File Name Server router route routed...
  • Page 186 new-rwho remotefs rmonitor monitor ldaps LDAP over TLS/SSL doom Doom Id Software doom Doom Id Software kerberos-adm Kerberos administration kerberos-adm Kerberos administration kerberos-iv Kerberos version IV kpop 1109 Kerberos POP phone 1167 Conference calling ms-sql-s 1433 Microsoft-SQL-Server ms-sql-s 1433 Microsoft-SQL-Server ms-sql-m 1434 Microsoft-SQL-Monitor...