Grandstream Networks GWN7000 User Manual

Enterprise multi-wan gigabit vpn router
Grandstream Networks, Inc.
GWN7000
Enterprise Multi-WAN Gigabit VPN Router
User Manual

Summary of Contents for Grandstream Networks GWN7000

  • Page 1 Grandstream Networks, Inc. GWN7000 Enterprise Multi-WAN Gigabit VPN Router User Manual...
  • Page 2 Grandstream Networks, Inc. is not permitted. The latest electronic version of this guide is available for download here: http://www.grandstream.com/support Grandstream is a registered trademark and Grandstream logo is trademark of Grandstream Networks, Inc. in the United States, Europe and other countries. OPEN SOURCE LICENSES GWN7000 firmware contains third-party open source software.
  • Page 3: Table Of Contents

    WELCOME (p. 16); PRODUCT OVERVIEW (p. 17); Technical Specifications (p. 17); INSTALLATION (p. 19); Equipment Packaging (p. 19); Connect your GWN7000 (p. 19); Safety Compliances (p. 20); Warranty (p. 20); GETTING STARTED (p. 21); LED Indicators (p. 21); Use the WEB GUI (p. 21); Access WEB GUI ...
  • Page 4 Client Bridge (p. 57); Transfer AP (p. 58); SSIDs (p. 58); Mesh Network (p. 63); Upgrading Access Points (p. 66); Single Access Point upgrade (p. 66); Sequential Upgrade (p. 66); CLIENTS CONFIGURATION (p. 68) P a g e GWN7000 User Manual Version 1.0.6.28...
  • Page 5 Generate Server/Client Certificates (p. 77); Create OpenVPN® Server (p. 84); OpenVPN® Client configuration (p. 88); L2TP/IPSEC Configuration (p. 92); GWN7000 L2TP/IPSec Client Configuration (p. 92); PPTP CONFIGURATION (p. 95); GWN7000 Client Configuration (p. 95); GWN7000 PPTP Server Configuration (p. 97); IPSec VPN Tunnel ...
  • Page 6 Assign Blackhole Policy to Network Groups (p. 132); Assign Blackhole Policy to Clients (p. 133); MAINTENANCE AND TROUBLESHOOTING (p. 136); Maintenance (p. 136); Basic (p. 136); Upgrade (p. 136); Access (p. 137); Syslog (p. 137)
  • Page 7 Upgrading via WEB GUI (p. 153); Provisioning and backup (p. 154); Download Configuration (p. 154); Configuration Server (p. 154); Reset and Reboot (p. 154); EXPERIENCING THE GWN7000 ENTERPRISE ROUTER (p. 155)
  • Page 8 Table 2: GWN7000 Equipment Packaging (p. 19); Table 3: LED Indicators (p. 21); Table 4: Overview (p. 26); Table 5: GWN7000 WEB GUI→Router→WAN→WAN Port (1,2) (p. 29); Table 6: NET Port (p. 31); Table 7: 6In4 Tunnels (p. 31); Table 8: 6rd Tunnels (p. 31); Table 9: AICCU Tunnels ...
  • Page 9 Table 53: Add a New File to Share (p. 149); Table 54: SNMP Basic Page (p. 150); Table 55: SNMP Advanced Page (p. 151); Table 56: VPN User Parameters (p. 152); Table 57: Network Upgrade Configuration (p. 153)
  • Page 10 Table of Figures: Figure 1: GWN7000 Front View (p. 19); Figure 2: GWN7000 Back View (p. 20); Figure 3: GWN7000 Web GUI Login Page (p. 22); Figure 4: Change Password on first boot (p. 23); Figure 5: Setup Wizard (p. 23); Figure 6: GWN7000 Web GUI Language ...
  • Page 11 Figure 77: Vouchers List (p. 126); Figure 78: Captive Portal with Voucher authentication (p. 128); Figure 79: MAC Address Bandwidth Rule (p. 130); Figure 80: Bandwidth Rules (p. 130); Figure 81: Create Blackhole Policy (p. 131)
  • Page 12 Figure 94: LED Scheduling Sample (p. 148); Figure 95: Add a New File to Share (p. 149); Figure 96: File Share Actions (p. 149); Figure 97: Access File Share (p. 150)
  • Page 13: Document Purpose

    DOCUMENT PURPOSE This document describes how to configure the GWN7000 to manage wired and wireless networks via an intuitive WebGUI. The intended audiences of this document are network administrators. Please visit http://www.grandstream.com/support to download the latest “GWN7000 User Manual”. This guide covers following topics: •...
  • Page 14: Change Log

    CHANGE LOG This section documents significant changes from previous versions of the GWN7000 user manuals. Only major new features or major document updates are listed here. Minor updates for corrections or editing are not documented here. Firmware Version 1.0.6.28 •...
  • Page 15: Firmware Version 1.0.4.23

    Added support for Wi-Fi schedule [SSIDs] • Added option to enable/disable DHCP option 66 & 43 override [Allow DHCP options 66 and 43 override] Firmware Version 1.0.2.71 • This is the initial version.
  • Page 16: Welcome

    User Manual, could void your manufacturer warranty. Warning: Please do not use a different power adaptor with the GWN7000 as it may cause damage to the products and void the manufacturer warranty.
  • Page 17: Product Overview

    PRODUCT OVERVIEW Technical Specifications Table 1: GWN7000 Technical Specifications Network Interfaces: • 2 x autosensing 10/100/1000 WAN Ports • 1 x autosensing 10/100/1000 NET port configurable as LAN, WAN or VoIP port • 4 x autosensing 10/100/1000 LAN Ports •...
  • Page 18 Physical: • Unit Dimensions: 200 x 136 x 37mm; Unit Weight: 570g • Entire Package Dimensions: 324 x 163.5 x 54mm, Entire Package Weight: 930g Package Content: • GWN7000 Enterprise Router • 12V/2A Power Adapter • Quick Installation Guide •...
  • Page 19: Installation

    INSTALLATION Before deploying and configuring the GWN7000, the device needs to be properly powered up and connected to the network. This section describes detailed information on installation, connection and warranty policy of the GWN7000. Equipment Packaging Table 2: GWN7000 Equipment Packaging...
  • Page 20: Safety Compliances

    2. Connect the other end of the Ethernet cable(s) into a DSL modem or router(s) as an uplink to ISP. 3. Connect the 12V DC power adapter into the power jack on the back of the GWN7000. Insert the main plug of the power adapter into a surge-protected power outlet.
  • Page 21: Getting Started

    This section provides step-by-step instructions on how to read LED indicators and use Web GUI interface of the GWN7000. LED Indicators The front panel of the GWN7000 has LED indicators for power and interfaces activities, the table below describes the LED indicators status. Table 3: LED Indicators...
  • Page 22: Figure 3: Gwn7000 Web Gui Login Page

    Figure 3: GWN7000 Web GUI Login Page To access the Web GUI: Connect a computer to a LAN Port of the GWN7000. Ensure the device is properly powered up, and the Power, LAN port LEDs light up in green. Open a Web browser on the computer and enter the web GUI URL in the following format: https://192.168.1.1...
  • Page 23: Figure 4: Change Password On First Boot

    At first login, a Setup Wizard tool will pop up to help going through the configuration setup, or exit to configure manually. Setup Wizard can be accessed anytime by clicking on while on the web interface. Figure 5: Setup Wizard
  • Page 24: Web Gui Languages

    Figure 6: GWN7000 Web GUI Language Figure 7: GWN7000 Web GUI Language WEB GUI Configuration GWN7000 web GUI includes 8 main sections to configure and manage the router and check connection status. • Overview: Provides an overall view of the GWN7000’s information presented in a Dashboard style for easy monitoring.
  • Page 25: Overview Page

    • Clients: Shows and manages the list of the clients connected to LAN ports of the GWN7000 and wireless clients connected via GWN76xx access points. • VPN: Configures OpenVPN® Client/Server, PPTP, IPSec and L2TP/IPSec client tunnels. • Firewall: Basic and advanced Firewall configuration to securely manage router’s incoming/outgoing traffic.
  • Page 26: Table 4: Overview

    It is used to show the status of the GWN7000 for different items, please refer to the following table for each item: Table 4: Overview Shows the number of Access Points that are Discovered, Paired (Online) and Offline. Click on to go to Access Points’...
  • Page 27: Save And Apply Changes

    Figure 9: Apply Changes Click on button to apply changes, or to undo the changes. The router will reload all necessary services in order for the changes to take effect.
  • Page 28: Router Configuration

    Status page displays Device Status to check MAC address, Part Number, Firmware related information and Uptime for the GWN7000; and WAN Status showing general information about WAN Ports such as uptime, current throughput, aggregate usage, and IP address and also the application traffic.
  • Page 29: Router Configuration

    Router Configuration Connect to GWN7000’s Web GUI from a computer connected to a LAN port and go to Router→WAN page for Port configuration. WAN Ports Settings The GWN7000 has 2 WAN ports configured as DHCP clients by default. Each port can be connected with DSL modem or routers.
  • Page 30: Additional Wan Port

    Native IPv6: Used to enable assigning IPv6 address to GWN7000. Once checked users will be able to configure following fields: “IPv6 Address Assignment”, “Preferred IPv6 DNS”, “Alternate IPv6 DNS” and “IPv6 Relay to LAN”. This option is appearing when enabling “Native IPv6” option.
  • Page 31: Net Port

    Enable WAN (Net Port): Enable the NET port as a WAN port, and set the required configuration as WAN1 and 2. See Table 5: GWN7000 WEB GUI→Router→WAN→WAN Port (1,2). Tunnel: Tunnel page is used to set IPv6 tunnels on WAN ports via IPv6 tunnel brokers service providers, this serves the purpose of transferring IPv6 packets over IPv4 Network.
  • Page 32: Table 9: Aiccu Tunnels

    “General” tab of Firewall → Advanced as well. Tunnel Input Key: Specifies the key that would be added to the incoming packets. Tunnel Output Key: Specifies the key that would be added to the outgoing packets.
  • Page 33: Global Settings

    Note: Reboot the router to take effect. Switch Configuration GWN7000 supports creating up to 16 different LAN groups separated as VLANs with the possibility to add and pair GWN76xx Access Points to each LAN which is mapped to an SSID by VLAN tagging.
  • Page 34: Table 12: Lan Group Options

    LAN Membership: Configure the LAN port membership. If choose lan1 (NET Port), please make sure you have enabled lan1 under Router→ WAN→ NET port Tab.
  • Page 35 Set the preferred DNS Servers via DHCP. DHCP Alternate DNS: Set the alternate DNS Servers via DHCP. DHCPv4 Relay Enabled: Enable this option if you want the GWN7000 to relay the DHCP requests from clients to another DHCP server(s). Once checked, click...
  • Page 36: Static Dhcp

    Figure 14: Static DHCP Devices List Switch Under switch configuration menu, admin users can enable port mirroring and the GWN7000 will send a copy of all network packets seen on one LAN port to another port, where the packet can be analyzed. Refer to the below table for the available fields to configure.
  • Page 37: Table 13: Port Mirroring

    Untagged: The port will participate on the VLAN but will not tag outgoing frames. • Off: The port will not participate on the VLAN. Figure 15: Custom Port VLAN Mapping
  • Page 38: Qos

    The GWN7000 offers the possibility to enable and configure QoS on WAN interfaces, this will help to manage in more depth the network traffic to define priority and classify different services and protocols in an efficient manner. Also, the GWN provides the capabilities to configure advanced QoS features such as Active Congestion Control (ACC) in order to avoid bottleneck on the network, especially when using VoIP.
  • Page 39: Table 14: General Settings

    • Legacy: Select this option in order to use legacy classifying and filter QoS mode, users need to configure the related DSCP marking and bandwidth limitations under the menu “Router→QoS→Legacy QoS”.
  • Page 40 ECN Status on Inbound packets: Select whether to set or not ECN status on inbound packets. ECN Status on outbound packets: Select whether to set or not ECN status on outbound packets.
  • Page 41: Table 15: Legacy Qos Settings

    Specify the TCP Source port from which the traffic filter rule will be applied. TCP Destination Port: Specify the TCP Destination port to which the traffic filter rule will be applied.
  • Page 42: Table 16: Qos Policy Manager (Acc)

    Bandwidth share %: Configure the bandwidth share percentage for this class of traffic, the ACC mechanism will dynamically borrow bandwidth from other classes if one class needs more, thus using efficiently the available bandwidth.
  • Page 43: Ddns

    Class: Select from the drop-down list the class where this traffic will be put, thus making all necessary bandwidth reservations for this traffic in respect of the configurations set under the class settings. DDNS: DDNS allows accessing GWN7000 via domain name instead of IP address, the GWN7000 supports following DDNS providers: • Dyndns.org •...
  • Page 44: Dpi

    IP address. DPI stands for Deep Packet Inspection which is an option that allows the GWN7000 to analyze the core of the packet to collect and report information at the Application-layer, such as traffic volume of an application used by the host.
  • Page 45: Table 17: Dpi Settings

    Interface: Select the interface on which the application tracking will be performed. By default, it’s WAN Port 1. Note: A reboot is required after enabling Deep packet inspection in order for the feature to take effect.
  • Page 46: Routing

    ROUTING Static Routes GWN7000 supports setting manually static IPv4 and IPv6 routes as well as displaying routing table entries. Static routes configuration page can be accessed from GWN7000 WebGUI→Router→Static Routes: Three tabs are available: Routes to view routing table entries.
  • Page 47: Table 19: Ipv6 Static Routes

    Set the metric value. The valid range is 0-255. Default value is 1. To check the routing table of the router, go under the Routes tab which displays all routes learned by the router. Figure 18: Routes
  • Page 48: Policy Routing

    Global Settings” in order to dictate to the router either to use failover or load-balancing for locally generated packets. Creating/Configuring Routing Policies The basic flow for traffic handled by policy-based routing in GWN7000 is as follows: • Traffic matched with a specific iptables rule is marked to be used with a Policy.
  • Page 49: Table 20: Create Policy Members

    Default value is 1. Note: By default, GWN7000 router will generate automatically members for each created/configured WAN interface and VPN client tunnel interface.
  • Page 50: Using Routing Policies

    Using Routing Policies In order to illustrate how policy-based routing can be used, let’s imagine an SMB who has a GWN7000 router running their network with two WAN (WAN1 and WAN2) ports for normal data traffic and a third WAN port (NET port used as wan) for VoIP service since this link has QoS support.
  • Page 51: Figure 21: Members List

    We consider that the administrator has already configured the three wan ports and their IP and running which can be under the “Router → Status” page. As explained above, the GWN7000 router will automatically generate members for the three wan ports under “Routing → Policy Routing → Members”...
  • Page 52: Figure 23: Lan Routing Policy

    For the VoIP traffic and in order to route it via the WAN3, users need to go under “Firewall → Traffic Rules → Forward” and add a new rule as follows.
  • Page 53: Figure 24: Configuring Firewall Rule Using Route Policy

    Figure 24: Configuring Firewall Rule using Route Policy This way the VoIP traffic which uses the TCP or UDP ports 5060 through 5068 will be routed over WAN3.
  • Page 54: Setting Up A Wireless Network

    Once a GWN76xx is successfully connected and has an IP from the GWN7000 router, user can then pair it to the GWN7000 and associate it with an SSID.
  • Page 55: Table 21: Device Configuration

    Figure 26: Discovered Devices 3. Click on Pair under Actions, to pair the discovered Access Point with the GWN7000. 4. The paired GWN76xx will appear Online, Click on to unpair it. Figure 27: GWN7610 online 5. Click on next to paired access point to check device configuration for its status, users...
  • Page 56 “Auto”, “1 stream”, “2 streams” and “3 streams” (For GWN7610). • Radio Power: Set the Radio Power depending on desired cell size to be broadcasted, three options are available: “Low”, “Medium” or “High”. Default is “High”.
  • Page 57: Access Point Location

    Access Point Location GWN7000 router has an interesting feature to help users to locate different access points using blinking LED, to do so go under the access points page then click on button as shown on the below figure and the corresponding LED will start blinking its LEDs.
  • Page 58: Transfer Ap

    GWN.Cloud User Guide. SSIDs When using GWN7000 as Master Access Point, users have the ability to create different SSIDs and adding GWN7610/GWN7600/GWN7600LR Slave Access Points to each SSID depending on the needs of the customer. Log in as Master to the GWN7000 WebGUI and go to SSIDs.
  • Page 59: Table 22: Wi-Fi

    SSID Hidden: Select to hide SSID. SSID will not be visible when scanning for Wi-Fi, to connect a device to hidden SSID, users need to specify SSID name and authentication password manually.
  • Page 60 Advanced Encryption Standard for encryption, this provides the most reliable security. WPA Pre-Shared Key: Set the access key for the clients, and the input range should be: 8-63 ASCII characters or 8-64 hex characters.
  • Page 61 GWN7600/GWN7600LR access points. • Radio Mode: Wireless clients can access to the internet services, GWN7xxx router and the access points GWN7600/GWN7600LR but they cannot communicate with each other.
  • Page 62 Enable 11R: Check to enable 802.11r. Enable 11K: Check to enable 802.11k. Enable 11V: Check to enable 802.11v. Upstream Rate: Set the maximum upstream rate. Downstream Rate: Set the maximum downstream rate.
  • Page 63: Mesh Network

    In order to deploy mesh access points (RE), users/installers can follow below steps: 1. Make sure to have the master and CAP access points already deployed (sometimes the CAP access points can be the master controller of the network).
  • Page 64: Figure 33: Access Points Status

    CAP. The APs showing “Online” state are either a wired master or CAP. Figure 33: Access Points Status For Global mesh network settings, navigate to the menu “System Settings → Mesh” for setting up the following parameters described below:
  • Page 65: Table 23: Wi-Fi

    Wireless cascades minimum value is 1 and maximum value is 4. For more detailed information about GWN Mesh network feature, you may refer to the following technical document: Mesh Network Guide.
  • Page 66: Upgrading Access Points

    “Sequential” upgrade method, the slaves will upgrade their firmware one by one in order to: • Avoid entire Wi-Fi service interruption by full system firmware upgrade. • Reduce network bandwidth consumption caused by firmware downloading. Figure 35: Sequential Upgrade - Choosing Multiple Devices
  • Page 67: Figure 36: All-At-Once And Sequential Upgrade

    Figure 36: All-at-Once and Sequential Upgrade Once you choose sequential upgrade, the following icon will update you about the number of upgraded slaves out of the selected slaves.
  • Page 68: Clients Configuration

    Clients Connected clients to different LAN subnets can be shown and managed from a single interface. Clients list can be accessed from GWN7000’s Web GUI→Clients to perform different actions to wired and wireless clients. GWN7000 Enterprise Router with its DHCP server enabled on LAN ports level, will assign automatically an IP address to the devices connected to its LAN ports like a computer or GWN76xx access points and to wireless clients connected to paired GWN76xx access points.
  • Page 69: Status

    Throughput and Aggregate usage. Figure 38: Client's Status Edit IP and Name Configuration tab allowing to set a name for a client and set a static IP. Figure 39: Client's Configuration
  • Page 70: Bandwidth Rules

    To unban a client, go to Router→Clients→Client Access. The banned client will be to “Global Blacklist”; you will need to click on “Edit” then Click on to remove it from the banned list.
  • Page 71: Clients Access

    MAC addresses to be matched and assign to it a schedule. Once this is done, this access list can be used under SSID WiFi settings to filter clients either using whitelist or blacklist mode.
  • Page 72: Time Policy

    In order to create a new policy, go under Clients→Time Policy and add a new one, then the following parameters:
  • Page 73: Banned Clients

    Figure 47: Ban/Unban Client
  • Page 74: Vpn (Virtual Private Network)

    VPN (VIRTUAL PRIVATE NETWORK) Overview VPN allows the GWN7000 to be connected to a remote VPN server using PPTP, IPSec, L2TP/IPSec and OpenVPN® protocols, or configure an OpenVPN® server and generate certificates and keys for clients, VPN page can be accessed from the GWN7000 Web GUI→VPN.
  • Page 75: Table 25: Ca Certificate

    Key Length: Choose the key length for generating the CA certificate. Following values are available: • 1024: 1024-bit keys are no longer sufficient to protect against attacks. • 2048: 2048-bit keys are a good minimum. (Recommended).
  • Page 76 Example: “grandstream@gmail.com” 4. Click on button after completing all the fields for the CA certificate. 5. Click on button to export the CA to local computer. The CA file has extension “.crt”.
  • Page 77: Generate Server/Client Certificates

    Figure 49: CA Certificate Generate Server/Client Certificates Create both server and client certificates for encrypted communication between clients and GWN7000 acting as an OpenVPN® server. Creating Server Certificate To create server certificate, follow below steps: 1. Navigate to “System Settings→Cert. Manager→Certificates”.
  • Page 78: Table 26: Server Certificate

    Common Name: Enter the common name for the server certificate. It could be any name to identify this certificate. Example: “ServerCertificate”. CA Certificate: Select CA certificate previously generated from the drop-down list. Example: “CATest”.
  • Page 79 City Example: “Casablanca”. Organization: Enter the organization name. Example: “GS”. Email Address: Enter an email address. Example: “Cert@grandstream.com”. 3. Click on button after completing all the fields for the server certificate.
  • Page 80: Figure 51: User Management

    Notes: • The server certificates (.crt and .key) will be used by the GWN7000 when acting as a server. • The server certificates (.crt and .key) can be exported and used on another OpenVPN® server.
  • Page 81 Repeat above steps for each user. 2- Create Client Certificate a. Navigate under “System Settings→Cert. Manager→Certificates”. b. Click on button. The following window will pop up. c. Enter client certificate information based on below descriptions.
  • Page 82: Table 27: Client Certificate

    Select the generated CA certificate from the drop-down list. Certificate Type: Choose the certificate type from the drop-down list. It can be either a client or server certificate. Username: Select created user to generate his certificate.
  • Page 83 Click on to export the client certificate file in “.crt” format. Click on to export the client key file in “.key” format.
  • Page 84: Create Openvpn® Server

    Click on to revoke the client certificate if no longer needed. The client certificates (“.crt” and “.key”) will be used by clients connected to the GWN7000 in order to establish TLS handshake. Notes: • Client certificates generated from the GWN7000 need to be uploaded to the clients.
  • Page 85: Table 28: Openvpn® Server

    Enable: Click on the checkbox in order to enable the OpenVPN® server feature. VPN Name: Enter a name for the OpenVPN® server. Server Mode: Choose the server mode the OpenVPN® server will operate with. 4 modes are available:
  • Page 86 Protocol: Choose the Transport protocol from the dropdown list, either TCP or UDP. The default protocol is UDP. Interface: Select the interface used to connect the GWN7000 to the uplink, either WAN1, WAN2 or All. Configure the listening port for OpenVPN® server....
  • Page 87 Select a generated CA from the drop-down list. Server Certificate: Select a generated Server Certificate from the drop-down list. IPv4 Tunnel Network: Enter the network range that the GWN7000 will be serving from to the OpenVPN® client. Note: The network format should be the following 10.0.10.0/16....
  • Page 88: Openvpn® Client Configuration

    Figure 54: OpenVPN® OpenVPN® Client configuration The GWN7000 acts as both an OpenVPN® client and server. Once users and client certificates are created, navigate under “VPN → OpenVPN®→ Client” and follow the steps below: 1. Click on and the following window will pop up.
  • Page 89: Figure 55: Openvpn® Client

    Figure 55: OpenVPN® Client
  • Page 90: Table 29: Openvpn® Client

    Enter a name for the OpenVPN® client. Protocol: Choose the Transport protocol from the dropdown list, either TCP or UDP. The default protocol is UDP. Interface: Select the interface used to connect the GWN7000 to the uplink, either WAN1, WAN2. Local Port: Configure the listening port for OpenVPN®...
  • Page 91 IP address changes frequently. CA Certificate: Click on “Upload” and select the “CA” certificate generated previously on this guide. Client Certificate: Click on “Upload” and select the “Client Certificate” generated previously on this guide.
  • Page 92: L2Tp/Ipsec Configuration

    Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy. GWN7000 L2TP/IPSec Client Configuration To configure L2TP client on the GWN7000, navigate under “VPN→L2TP/IPSec” and set the following: 1- Click on and the following window will pop up.
  • Page 93: Table 30: L2Tp Configuration

    Enter a name for the L2TP client. WAN Port: Select which WAN port is connected to the uplink, either WAN1 or WAN2. Remote L2TP Server: Enter the IP/Domain of the remote L2TP Server.
  • Page 94 L2TP/IP Server. Use Built-in IPv6 management: Enable the IPv6 management for the VPN. 2- Click after completing all the fields. 3- Click on top of the web GUI to apply changes.
  • Page 95: Pptp Configuration

    Internet. Point-to-Point Tunneling Protocol (PPTP) allows the creation of virtual private networks (VPNs), which tunnel TCP/IP traffic through the Internet. GWN7000 Client Configuration To configure PPTP client on the GWN7000, navigate under “VPN→PPTP” and set the following: 1- Click on and the following window will pop up.
  • Page 96: Table 31: Pptp Configuration

    Remote PPTP Server: Enter the IP/Domain of the remote PPTP Server. Username: Enter the Username for authentication against the VPN Server. Password: Enter the Password for authentication against the VPN Server.
  • Page 97: Gwn7000 Pptp Server Configuration

    UI to apply changes. Figure 60: PPTP Client GWN7000 PPTP Server Configuration To configure PPTP server on the GWN7000, go to “VPN→PPTP→Server” and set the following: 1- Click on and the following window will pop up.
  • Page 98: Table 32: Pptp Server Configuration Parameters

    PPTP server address. Client End Address: Configure the remote client IP end address. Note: this address should be in the same subnet as the start address and PPTP server address.
  • Page 99 GUI to apply changes. After this step, you need to create user accounts under web GUI → System Settings → User Manager in order to connect to the configured PPTP server.
  • Page 100: Ipsec Vpn Tunnel

    IPsec security services and to generate newly keyed material. They are always encrypted under the secure channel and use the hash payload that is used to authenticate the rest of the packet.
  • Page 101: Configuring Gwn7000 Ipsec Tunnel

    Branch office router needs to connect to Headquarters office via an IPSec tunnel, on each side we have a GWN7000 router. Users can configure the two devices as following: The branch office router runs a LAN subnet 192.168.1.0/24 and the HQ router runs a LAN subnet 192.168.3.0, the public IP of the branch office router is 1.1.1.1 and the IP of the HQ router is 2.2.2.2.
  • Page 102
  • Page 103: Table 33: Ipsec Phase 1 Parameters

    Default: 3600 seconds. Key Exchange mode: Select which mode to use for key exchange during the stage of channel establishment: Main mode or Aggressive mode. Pre-Shared key: Enter the PSK password for authentication.
  • Page 104 By default, it is set to 10 and if set to 0 the router will keep trying forever. Dead Peer Detection: Check the option to enable/disable DPD.
  • Page 105: Figure 63:Branch Router Ipsec Phase 2 Configuration

    After this is done, press save and apply the settings, then configure the same settings for phase 1 on the HQ router. The phase 2 configuration parameters should be as follows:
  • Page 106: Table 34: Ipsec Phase 2 Parameters

    Configure the local subnet that will be included on the connection. Local Source IP: Configures the source IP to be used when transmitting a packet to the other end of the connection.
  • Page 107 PFS group • MODP6144 • MODP8192 • DH23 • DH24 The default value is disabled, which indicates that the router will use the option configured on DH group under phase 1.
  • Page 108: Firewall

    SYN Flood Protection is used to avoid DoS attacks. SYN Flood Protection is enabled by default on the GWN7000; you can edit the “SYN Flood Rate Limit”, “SYN Flood Burst Limit” and whether or not to drop invalid packets, as shown in the below screenshot Figure 65: Basic →...
  • Page 109: Port Forwarding

    Select the WAN Interface. Source Port: Set the Source Port number. Destination Group: Select the LAN group. Destination IP: Set the destination IP address. Destination Port: Set the Destination Port number.
  • Page 110: Dmz

    GWN7000 supports DMZ, where it is possible to specify a LAN client to be put on the DMZ. • To add an IP into the DMZ, click on • To edit a DMZ entry, click on • To delete a DMZ entry, click on...
  • Page 111: Traffic Rules Settings

    To edit a rule, click on • To delete a rule, click on Input The GWN7000 allows filtering of incoming traffic to network groups or port WAN1 or WAN2 and applying rules such as: • Accept: To allow the traffic to go through.
  • Page 112: Figure 68: Input Rule Sample

    The following actions are available to configure Input rules on the GWN7000 under “Firewall > Traffic Rules > Input” for configured protocols. • To add new rule, click on • To edit a rule, click on • To delete a rule, click on...
  • Page 113: Output

    Output The GWN7000 allows filtering of outgoing traffic from the local LAN networks to outside networks and applying rules such as: • Accept: To allow the traffic to go through. • Reject: A reply will be sent to the remote side stating that the packet is rejected.
  • Page 114: Figure 69: Output Rules Sample

    Figure 69: Output Rules Sample GWN7000 offers the possibility to allow traffic between different groups and interfaces. Users can select to edit a source group and add to it other network groups and WAN interfaces to allow inter-group traffic between the selected members.
  • Page 115: Table 38: Firewall Traffic Rules

    Set the destination IP address, it can be an IPv4 or IPv6 address. Destination Port(s): Set the destination’s port(s). Firewall Action: Select which action to perform for the given traffic rule, 3 options are available: Accept, Reject or Drop.
  • Page 116: Firewall Advanced Settings

    To delete a SNAT rule, click on Refer to below table when creating or editing an SNAT entry: Table 40: SNAT. Name: Specify a name for the SNAT entry. Enabled: Check to enable this SNAT entry.
  • Page 117: Dnat

    Treat Time Values as UTC Instead of Local Time: Check to use UTC as time zone for the specified times, instead of using GWN7000’s local time. DNAT Following actions are available for DNAT: • To add new DNAT entry, click on •...
  • Page 118: Table 41: Dnat

    Treat Time Values as UTC Instead of Local Time: Check to use UTC as time zone for the specified times, instead of using GWN7000’s local time. Enable NAT Reflection: Check to enable NAT Reflection for this DNAT entry to allow the access of a service via the public IP address from inside the local network.
  • Page 119: Captive Portal

    GWN7610/GWN7600/GWN7600LR AP, Wi-Fi clients will be forced to view and interact with that landing page before Internet access is granted. The Captive Portal feature can be configured from the GWN7000 Web page under “Captive Portal”. The page contains three tabs: Policy, Files and Clients.
  • Page 120: Table 42: Policy Parameters

    Authentication Type: No Authentication. When choosing this option, the landing page feature will not provide any type of authentication, instead it will prompt users to accept the license agreement to gain access to internet.
  • Page 121 Page to the GWN. Portal Page Customization: Select the customized portal page. Landing Page: Choose the landing page, 2 options are available: redirect to the origin and redirect to external page.
  • Page 122: Pre-Authentication Rules

    SSH connections.
  • Page 123: Files

    Captive Portal folder. Click on to edit the corresponding file, in other words, to replace the file with a new one. Click on to delete the file.
  • Page 124: Clients

    Clients This section lists the clients connected or trying to connect to Wi-Fi. Figure 75: Captive Portal Clients
  • Page 125: Voucher

    • The admin can verify the status of each voucher on the list (In use, not used, expired …etc). • Press to print the voucher, and to delete it.
  • Page 126: Figure 76: Add Voucher Sample

    The below figure shows the status of the vouchers after GWN randomly generates the code for each one. Figure 77: Vouchers List Users can click on buttons to delete and print multiple vouchers.
  • Page 127: Using Voucher With Gwn Captive Portal

    1. Go under “Captive Portal → Captive portal” menu. 2. Press in order to add new captive portal policy. 3. Set the following parameters as shown on the screenshot for basic setup then save and apply.
  • Page 128: Figure 78: Captive Portal With Voucher Authentication

    Figure 78: Captive Portal with Voucher authentication Then go under your SSID configuration page and enable the generated captive portal under Wi-Fi settings tab.
  • Page 129: Bandwidth Rules

    BANDWIDTH RULES The bandwidth rule is a GWN7000 feature that allows users to limit bandwidth utilization per SSID or client (MAC address or IP address). This option can be configured from the GWN7000 router web UI under “Bandwidth Rules”. Click to add a new rule, the following table provides an explanation about different options for bandwidth rules.
  • Page 130: Figure 79: Mac Address Bandwidth Rule

    Navigate on the web GUI under “SSID→Add /Edit→WiFi” and you can set the Upstream and Downstream rate in Mbps. Per-Client Navigate on the web GUI under “Clients→Edit→Bandwidth Rules” where you can set the Upstream and Downstream rate in Mbps.
  • Page 131: Website Blocking

    URL from which to download the full list of unwanted bad domains such as malware domains. To do so go under “System Settings → Website Blocking → Blackhole policy” and press to create a new policy. Figure 81: Create Blackhole Policy
  • Page 132: Assign Blackhole Policy To Network Groups

    Now that we have created a policy, it’s time to assign it to a network group or client. To assign a blocking policy to a network group go under “System Settings → Website Blocking → Network Group Blackhole” and press add
  • Page 133: Assign Blackhole Policy To Clients

    For example, with the configuration above and while maintaining the blocking of malware websites on group0, we want to block Facebook access from some specific clients defined on access list 1.
  • Page 134: Figure 84: Clients Acl

    Next, go under “Clients → Client Access” to define the list of clients to whom the policy will apply. Figure 84: Clients ACL Finally, in order to realize the scenario above, go under “System Settings → Website Blocking → Client Blackhole” and click on
  • Page 135: Figure 85: Client Blackhole Configuration

    In this case, we can either force the network group policy that was created for the full group0 along with the new blackhole policy (Facebook) or ignore it and assign only the Facebook blocking policy to the clients specified on list1.
  • Page 136: Maintenance And Troubleshooting

    MAINTENANCE AND TROUBLESHOOTING GWN7000 offers multiple tools and options for maintenance and debugging to help with further troubleshooting and monitoring of the GWN7000 resources. Maintenance The Maintenance page can be accessed from GWN7000 WebGUI→System Settings→Maintenance. The Maintenance page includes different tabs: Basic, Upgrade, Access, Syslog and Logserver.
  • Page 137: Access

    Upgrade Now: Click on Upgrade, to launch firmware/config file provisioning. Please make sure to Save and Apply changes before clicking on Upgrade. Factory Reset: Click on Reset to restore the GWN7000 as well as all online GWN76xx units to factory default settings...
  • Page 138: Logserver

    Logserver The logserver page allows the user to configure syslog server on GWN7000 in order to save log messages on connected external USB drive. First connect a USB drive to the Access point, then configure the parameters and make sure to start the server in order to collect messages from devices sending syslog to GWN.
  • Page 139: Debug

    This section is used to capture packet traces from the GWN7000 interfaces (WAN ports and network groups) for troubleshooting purposes or monitoring... A USB storage device must be plugged into one of the USB ports on the back of the GWN7000. •...
  • Page 140: Table 49: Debug-Capture

    Destination IP: Set the Destination IP to filter capture traffic coming from the defined destination. Protocol: Choose ALL or a specific protocol to capture (IP, ARP, RARP, TCP, UDP, ICMP, IPv6)
  • Page 141: Ping/Traceroute

    Ping and Traceroute are useful debugging tools to verify reachability with other clients across the network (WAN or LAN). The GWN7000 offers both Ping and Traceroute tools for IPv4 and IPv6 protocols. To use these tools, go to GWN7000 WebGUI→System Settings→Debug and click on Ping/Traceroute.
  • Page 142: Syslog

    Figure 89: Traceroute Syslog GWN7000 supports dumping the syslog information to a remote server under Web GUI→System Settings→Maintenance→Syslog. Enter the syslog server hostname or IP address and select the level for the syslog information. Five levels of syslog are available: None, Debug, Info, Warning, and Error.
  • Page 143: Connection Table

    Figure 90: Syslog Connection Table NAT table is updated dynamically on GWN7000’s WebGUI, to check the NAT table go to System Settings→Debug→Connection Table. Users could press button to clear all entries.
  • Page 144: Email/Notification

    Specifies sender’s User ID or account ID in the email system used. Password: Specifies sender’s password of the email account. Email Address: Specifies the email address of the administrator where to receive notifications.
  • Page 145: Schedule

    The Schedule can be used for setting up specific times for Wi-Fi where the service will be active or for LED schedule or bandwidth rules …etc. In order to configure a new schedule, follow the steps below: Go under “Schedule” and click on Create New Schedule.
  • Page 146: Figure 92: Create New Schedule

    Once the schedule periods are selected, click on Save to save the schedule. The list of created schedules will be displayed as shown on the figure below, with the possibility to edit or delete each schedule:
  • Page 147: Led

    Table 52: LEDs. LEDs Always Off: Configure whether to disable the AP LED indicator. Schedule: Please choose a schedule to assign to LEDs, users can configure schedules under the menu Schedule.
  • Page 148: File Sharing

    Figure 94: LED Scheduling Sample File Sharing The GWN7000 has 2 USB ports that can be also used for file sharing, to enable file sharing on devices plugged on the USB ports, go to System Settings→File Sharing. Click on to share a directory and its contents on a device connected to one of the USB ports of the GWN7000, the following figure will pop up.
  • Page 149: Table 53: Add A New File To Share

    Choose whether to allow All LANs to access the shared path, restrict access by selecting only some groups or None. Edit a Shared Folder by clicking on or delete it by clicking on Figure 96: File Share Actions
  • Page 150: Snmp

    GWN7000 supports SNMP (Simple Network Management Protocol) which is widely used in network management for network monitoring for collecting information about monitored devices. To configure SNMP settings, go to GWN7000 Web GUI→System Settings→SNMP, this page has two tabs: Basic and Advanced, refer to the below tables for each tab.
  • Page 151: Table 55: Snmp Advanced Page

    Set the Transport Type: UDPv4, UDPv6, TCPv4 or TCPv6. • Listening on Choose the IP Address from drop-down menu list. • Set the Port number on which the GWN7000 will listen on. Click on to add an SNMPv3 User: • Set the Username for authentication.
  • Page 152: User Manager

    Check this option when using PPTP, and enter the client subnet. Subnet Client Subnet: Configures which subnet this client belongs to (ex: 192.168.1.0/24). OpenVPN Subnet: Configures OpenVPN user subnet (ex: 192.168.1.0/24).
  • Page 153: Upgrading And Provisioning

    UPGRADING AND PROVISIONING Upgrading Firmware The GWN7000 can be upgraded to a new firmware version remotely or locally. This section describes how to upgrade your GWN7000. Upgrading via WEB GUI The GWN7000 can be upgraded via TFTP/HTTP/HTTPS by configuring the URL/IP Address for the TFTP/HTTP/HTTPS server and selecting a download method.
  • Page 154: Provisioning And Backup

    Microsoft IIS web server. Provisioning and backup The GWN7000 configuration can be backed up locally or via network. The backup file will be used to restore the configuration on GWN7000 when necessary. Download Configuration Download the GWN7000 configurations for restore purpose under Web GUI → Router → Maintenance →...
  • Page 155: Experiencing The Gwn7000 Enterprise Router

    Thank you again for purchasing Grandstream GWN7000 Enterprise Multi-WAN Gigabit VPN Router, it will be sure to bring convenience and color to both your business and personal life © 2002-2018 OpenVPN Technologies, Inc.
