Summary of Contents for SMC Networks Barricade BR14VPN
Copyright Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
Compliances FCC - Class B This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with instructions, may cause harmful interference to radio communications.
Page 4
EC Conformance Declaration – Class B SMC contact for these products in Europe is: SMC Networks Europe, Edificio Conata II Calle Fructuos Gelabert 6-8, 2o, 4a 08970 – Sant Joan Despi Barcelona, Spain This equipment complies with the requirements relating to electromagnetic compatibility, EN 55022/A1 Class B, and EN 50082-1.
1 | System Requirements • Internet access from your local telephone company or Internet Service Provider (ISP) using a DSL modem, cable modem, Dial-Up modem, or ISDN modem • A PC using a fixed IP address or dynamic IP address assigned via DHCP, as well as a Gateway server address and DNS server address from your service provider •...
4 | Panel Layout The following figure shows the front panel layout, which is followed by a table describing in detail the status and function of each LED. [Figures: SMCBR14VPN Front Panel; SMCBR18VPN Front Panel] LED table (partial), Function / Color: Power indicator, Green; System status, Orange...
SMCBR18VPN Front Panel: 8 LAN, 1 WAN, and 1 COM port. Port table (partial), Port / Type: power input, 5 VDC; Port 1–4/8 (the LAN ports: 1–4 on the BR14VPN, 1–8 on the BR18VPN). 5 | Hardware Installation The router can be placed anywhere in your office or home. No special wiring or cooling requirements are necessary. However, you should comply with the following guidelines: •...
You must first verify that the TCP/IP communication protocol is properly installed and the computer is configured to get its IP address via the DHCP Server that is built into this router. If you have not previously installed TCP/IP protocols on your client PCs, refer to the following section.
into your CDROM drive and check the correct file location, e.g., D:\win98, D:\win9x (if D is the letter of your CD-ROM drive). 9. Windows may prompt you to restart the PC. If so, click the Yes button. If Windows does not prompt you to restart your computer, do so to ensure your settings take effect. Windows NT From the Windows desktop click Start/Settings/Control Panel.
6.4 | Configuring a Macintosh Computer You may find that the instructions here do not exactly match your screen. This is because these steps and screen shots were created using Mac OS 10.2. Mac OS 7.x and above are all very similar, but may not be identical to Mac OS 10.2.
7 | Configuring Your Broadband VPN Router Before you attempt to log into the web-based Administration, please verify the following. 1. Your browser is configured properly (see below). 2. Disable any firewall or security software that may be running (only for the initial login, and only while the PC is on the LAN side of the router; re-enable it as soon as you can reach the administration pages). 3. Confirm that you have a good link LED where your computer is plugged into the Router.
Note that there are two different Web user interfaces, one for general users and one for the system administrator. To log on as an administrator, enter the system password (default password is smcadmin) and click the LOGIN button. This default is the same on every unit and is printed in this manual, so change it under Password Settings before the router is connected to the Internet. If you typed the password correctly, the left panel of the Web user interface changes to the administrator configuration mode as shown in the following figures.
Cable Modem The cable modem option allows you to configure a host name and MAC Address. The Host Name is optional, but may be required by some ISPs. The default MAC address is set to the WAN’s physical interface on the Router. Use this address when registering for Internet service, and do not change it unless required by your ISP.
Fixed-IP xDSL Some xDSL Internet Service Providers may assign a fixed (static) IP address. If you have been provided with this information, choose this option and enter the assigned IP address, gateway IP address, DNS IP addresses, and subnet mask. PPPoE xDSL Enter the PPPoE User Name and Password assigned by your Service Provider.
PPTP Point-to-Point Tunneling Protocol is a common connection method used for xDSL connections in Europe. It can be used to join different physical networks using the Internet as an intermediary. If you have been provided with the information as shown on the screen, enter the assigned IP address, subnet mask, default gateway IP address, user ID and password, and PPTP Gateway.
BigPond If you use the BigPond Internet Service which is available in Australia, enter your username and password and apply the changes. L2TP Layer 2 Tunneling Protocol is a common connection method used for xDSL connections in Europe. It can be used to join different physical networks using the Internet as an intermediary.
will be dropped and will automatically re-establish the connection as soon as you attempt to access the Internet again. Dial-Up Most Dial-up users will select this option to connect to their ISP through an analog dial-up modem. This feature can be used as a back-up when your broadband connectivity is unavailable.
7.4 | Advanced Setup – SYSTEM Time Zone Use the section below to configure the Barricade's system time. Select your timezone and configure the daylight savings option based on your location. This information is used for the time/date parental rules you can configure with the Barricade's Advanced Firewall. This information is also used for your network logging.
Password Settings Use this section to configure the 2 password accounts and the idle time-out setting for your Barricade Router. There are 2 levels of admin access for this VPN Router: The Administrator account has Read/Write permission to view and change any settings. The default password for this account is "smcadmin". Set a short idle time-out so that an administrator session left open in a browser expires on its own rather than staying usable to whoever next sits at that PC.
Syslog Server The Syslog Server tool will automatically send the Barricade log to the server IP address specified by the user. Enter the Server LAN IP Address and select the Enable radio button to enable this function. Syslog messages are sent in clear text and without authentication, so keep the collector on the LAN, as the setting name implies, rather than pointing it at a host across the Internet. The broadband router is also able to send the log files to a specific email address.
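The router only ships the log; something on the LAN has to receive and read it. The following is an added example, not code from SMC or from this manual, of a small RFC 3164 syslog parser with a UDP receiver and a summary that counts severities and the source addresses in "dropped" messages. The sample lines are constructed for the demonstration; the Barricade's actual message wording is not shown on this page, so the "dropped"/"login failed" texts are assumptions.

```python
import re
import socket
from collections import Counter
from typing import Dict, List, Optional

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MESSAGE, e.g. "<30>Jan  5 10:12:01 barricade kernel: WAN link up"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one RFC 3164 line into its fields; return None for malformed input."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count parsed/malformed lines, severities, and the source IP of each 'dropped' message."""
    severities: Counter = Counter()
    dropped_by_src: Counter = Counter()
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        severities[rec["severity"]] += 1
        if "dropped" in rec["msg"]:
            ips = IPV4_RE.findall(rec["msg"])
            if ips:
                dropped_by_src[ips[0]] += 1   # first address is the source in these messages
    return {
        "parsed": len(lines) - malformed,
        "malformed": malformed,
        "severities": dict(severities),
        "dropped_by_src": dict(dropped_by_src),
    }


def receive(bind_ip: str = "0.0.0.0", port: int = 514, count: int = 10) -> List[str]:
    """Collect `count` UDP syslog datagrams (binding port 514 needs root on most systems)."""
    lines: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        while len(lines) < count:
            data, _ = s.recvfrom(2048)
            lines.append(data.decode("utf-8", errors="replace"))
    return lines


# Constructed sample lines in RFC 3164 shape (not real Barricade output).
SAMPLE_LINES = [
    "<30>Jan  5 10:12:01 barricade kernel: WAN link up",
    "<12>Jan  5 10:13:44 barricade firewall: dropped inbound tcp 203.0.113.7:4444 -> 198.51.100.2:23",
    "<12>Jan  5 10:13:45 barricade firewall: dropped inbound tcp 203.0.113.7:4445 -> 198.51.100.2:22",
    "<36>Jan  5 10:15:09 barricade admin: login failed from 192.168.123.55",
    "this is not a syslog line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Run it as-is to see the summary of the constructed lines; replace `SAMPLE_LINES` with `receive()` output to read a live feed. Lines that do not parse are counted rather than discarded silently, which is the behaviour you want when a device's format turns out to differ from what you expected.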
7.5 | Advanced Setup - WAN Dynamic IP The cable modem option allows you to configure a host name and MAC Address. The Host Name is optional, but may be required by some ISPs. The default MAC address is set to the WAN’s physical interface on the Router.
PPPoE Enter the PPPoE User Name and Password assigned by your Service Provider. The Service Name is normally optional, but may be required by some service providers. Leave the Maximum Transmission Unit (MTU) at the default value unless you have a particular reason to change it.
PPTP Point-to-Point Tunneling Protocol is a common connection method used for xDSL connections in Europe. It can be used to join different physical networks using the Internet as an intermediary. If you have been provided with the information as shown on the screen, enter the assigned IP address, subnet mask, default gateway IP address, user ID and password, and PPTP Gateway.
BigPond If you use the BigPond Internet Service which is available in Australia, enter your username and password and apply the changes. L2TP Layer 2 Tunneling Protocol is a common connection method used for xDSL connections in Europe. It can be used to join different physical networks using the Internet as an intermediary.
Dial Up Most Dial-up users will select this option to connect to their ISP through an analog dial-up modem. This feature can be used as a back-up when your broadband connectivity is unavailable. Enter the phone number, account name and password assigned to you by your ISP.
7.6 | Advanced Setup - LAN This is the local IP address of the router. All networked computers must use the LAN IP address of the router as their default Gateway. However, if necessary, it can be changed. Here you can configure the LAN IP address for the router and enable/disable the DHCP server for dynamic client address allocation.
You also have the option to configure more advanced settings by clicking the “More” button. You can configure the router’s DHCP server to give out specific Primary and Secondary DNS, Primary and Secondary WINS, and an alternate Gateway (in the event that the router is not the Internet gateway).
7.7 | Advanced Setup - NAT 7.7.1 | Virtual Server The firewall of the router filters out unrecognized packets to protect your intranet. This means that all network hosts are invisible to the outside world. However, some of the hosts can be made accessible by enabling the Virtual Server mapping. Each mapping exposes that host's service directly to the Internet, so forward only the ports you intend to be reachable and keep those hosts patched.
For example, if you have an FTP server (port 21) at 192.168.123.1, a Web server (port 80) at 192.168.123.2, and a VPN server at 192.168.123.6, you need to specify the following virtual server mapping as shown in the table below:

Service Port    Server IP
21              192.168.123.1
80              192.168.123.2
1723            192.168.123.6

The “IP Address”...
For a full list of ports and the services that run on them, see http://www.iana.org/assignments/port-numbers 7.7.3 | Virtual Computer Use the “Virtual Computer” option to maintain the privacy and security of the local network. Virtual Computer enables you to use the original NAT feature, and allows you to set up one-to-one mappings between multiple global IP addresses and local IP addresses. A host mapped one-to-one receives all inbound traffic for its global address, not just one port, so apply Packet Filter rules to it as you would to a host connected directly to the Internet.
You can select one of the two filtering policies: • Allow all to pass except those that match the specified rules • Deny all to pass except those that match the specified rules You can apply up to 8 rules for each direction, inbound or outbound. "Deny all except" is the safer choice: anything you did not think to write a rule for is dropped instead of let through. For each rule you can define the following: •...
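To see what the two policies do with the same traffic, here is an added example (not code from SMC or from this manual) that evaluates a small rule set under "allow all except" and under "deny all except", with the 8-rules-per-direction limit enforced. The rule fields used here (source network, destination network, protocol, destination port range) are this example's own representation, since the manual's field list is cut off above; the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

MAX_RULES_PER_DIRECTION = 8   # limit stated in the manual


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # destination port; 0 for icmp


@dataclass(frozen=True)
class Rule:
    src_net: str                 # e.g. "192.168.123.0/24" or "0.0.0.0/0"
    dst_net: str
    proto: str                   # "tcp", "udp", "icmp" or "any"
    port_lo: int = 0             # inclusive destination port range
    port_hi: int = 65535

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        return self.port_lo <= pkt.dport <= self.port_hi


class PacketFilter:
    """One direction of the router's filter: a policy plus up to 8 rules."""

    def __init__(self, policy: str, rules: List[Rule]):
        if policy not in ("allow_except", "deny_except"):
            raise ValueError("policy must be 'allow_except' or 'deny_except'")
        if len(rules) > MAX_RULES_PER_DIRECTION:
            raise ValueError(f"at most {MAX_RULES_PER_DIRECTION} rules per direction")
        self.policy = policy
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        matched = any(r.matches(pkt) for r in self.rules)
        if self.policy == "allow_except":
            return "deny" if matched else "allow"   # rules list what to block
        return "allow" if matched else "deny"       # rules list what to permit


ANY = "0.0.0.0/0"
LAN = "192.168.123.0/24"   # LAN used in the manual's virtual server example

# Constructed inbound packets: two expected services and one probe nobody planned for.
SAMPLE_INBOUND = [
    Packet("203.0.113.7", "192.168.123.2", "tcp", 80),    # web server
    Packet("203.0.113.7", "192.168.123.2", "tcp", 22),    # SSH probe against the same host
    Packet("198.51.100.9", "192.168.123.1", "tcp", 21),   # ftp server
]


def compare_policies() -> Dict[str, List[str]]:
    """Same traffic, both policies. The administrator remembered to block telnet
    under allow_except, but never wrote a rule for SSH; deny_except needs no such foresight."""
    allow_except = PacketFilter("allow_except", [Rule(ANY, LAN, "tcp", 23, 23)])
    deny_except = PacketFilter("deny_except", [Rule(ANY, LAN, "tcp", 80, 80),
                                               Rule(ANY, LAN, "tcp", 21, 21)])
    return {
        "allow_except": [allow_except.decide(p) for p in SAMPLE_INBOUND],
        "deny_except": [deny_except.decide(p) for p in SAMPLE_INBOUND],
    }


if __name__ == "__main__":
    print(compare_policies())
```

The second packet is the one to look at: under the default-allow policy the SSH probe reaches the web server because no rule mentions port 22, while under default-deny it is dropped without anyone having anticipated it.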
7.8.3 | MAC Filter MAC Address Filtering allows you to assign different access rights to various users, and you can also assign a specific IP address to a certain MAC address. Select the Enable radio button to enable the MAC Address Control. All of the settings on this screen take effect when Enable is checked. A MAC address is visible to everyone on the segment and can be changed in software on most adapters, so treat this as a convenience for managing known devices, not as authentication of who is on the network.
7.8.4 | Schedule Rule Set scheduled times to be used to control what time of day a service or set of services is enabled. Use this section to configure up to 10 Schedule Rules to limit network access based on time and day. To create a schedule rule click the [Add Schedule Rule...] link below. Enter a rule name into the text field next to “Name of Rule 1”.
The Schedule Rule screen appears. It now shows your setting for Rule 1. If you need to make changes to your setting, click the Edit button. If you want to delete Rule 1, click the Delete button. 7.8.5 | Advanced In this section you can enable/disable Stateful Packet Inspection (SPI), Discard Ping from WAN, and PPTP and IPSec VPN Passthrough types. Leave SPI enabled unless you are troubleshooting; discarding WAN pings makes the router less visible to casual scans but is not a substitute for the filter rules.
7.8.6 | DMZ If you have a local client PC that cannot run an Internet application properly from behind the NAT firewall, then you can open the client up to unrestricted two-way Internet access by defining a Virtual DMZ Host. The DMZ host receives every inbound packet that no Virtual Server mapping claims, so treat it as if it were plugged directly into the Internet and keep nothing on it that you are not prepared to lose. 7.9 | Advanced Setup - VPN 7.9.1 | IPSec Tunnel VPN settings are used to create virtual private tunnels to remote VPN gateways.
• VPN: VPN protects network information from intruders on the path between the two gateways. However, encrypting and authenticating every packet costs a great deal of throughput on a router of this class, so enable it only when a security tunnel is actually necessary. This feature is disabled by default. • Max. Number of Tunnels: Set the number of tunnels that are allowed to be in operation simultaneously.
Options • Select IKE proposal: Click this button to setup a set of frequently used IKE proposals for the dedicated tunnel. • Select IPSec proposal: Click this button to setup a set of frequently used IPSec proposals for the dedicated tunnel. The tunnel name is equal to the name you configured on the previous page of VPN settings.
• Life Time: The unit of Life time is based on the value of the life time unit, which can be seconds or KB. If the value of the unit is seconds, the value of life time represents the life time of the dedicated VPN tunnel between both end gateways. Its value can range from 300 to 172,800 seconds.
• Proposal Name: The proposal name indicates which IPSec proposal will be monitored. A name whose first character is 0x00 (an empty name) means that no IPSec proposal is configured. • DH Group - Three groups can be selected: Group 1 (MODP768), Group 2 (MODP1024), Group 5 (MODP1536). Choose the largest group both ends support; 768-bit MODP (Group 1) is too small to resist a well-resourced attacker today.
7.9.4 | Dynamic VPN When using the VPN Dynamic IP Setting, the router functions as a Dynamic VPN server. The Dynamic VPN server does not check the VPN client IP information - this means that you can build a VPN tunnel with a VPN gateway from any remote host, regardless of the IP information. Because the peer's address is not checked, the preshared key is the only thing authenticating a dynamic client: use a long random key and change it if a client device is lost.
7.9.5 | PPTP/L2TP Server Point-to-Point and Layer 2 Tunneling Protocols (PPTP / L2TP) allow secure remote access over the Internet by dialing into a local point of presence provided by an ISP. The following screen displays the management interface where you enter username and passwords for authorized remote users, the authentication protocol, and the IP address range to assign to those users: The VPN Broadband Router supports PAP, CHAP and MS-CHAP authentication protocols. PAP sends the password in clear text, and CHAP sends an MD5 response that can be brute-forced offline from a single captured exchange, so use long passwords and avoid PAP; PPTP with MS-CHAP also has well-documented weaknesses, so where both ends support it an IPSec tunnel is the stronger choice.
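The difference between PAP and CHAP above is easiest to see in code. This is an added example, not code from SMC or from this manual: it builds a PAP Authenticate-Request (RFC 1334), computes and verifies an MD5 CHAP response (RFC 1994), and then shows what an eavesdropper who captured the CHAP identifier, challenge and response can do with a word list. MS-CHAP uses a different construction and is not implemented here; the challenge, secret and word list are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """RFC 1334 PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    Nothing is hashed or encrypted; anyone on the path reads the password."""
    p, w = peer_id.encode(), password.encode()
    return bytes([len(p)]) + p + bytes([len(w)]) + w


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              candidates: Iterable[str]) -> Optional[str]:
    """What a passive eavesdropper does with one captured CHAP exchange: the secret
    never crosses the wire, but each guess can be checked locally at MD5 speed."""
    for cand in candidates:
        if chap_response(identifier, cand.encode(), challenge) == response:
            return cand
    return None


# Constructed values for the demonstration (not captured from a real device).
CHALLENGE = bytes.fromhex("5a3c9f1e7b2d4c6a8e0f1a2b3c4d5e6f")
IDENTIFIER = 0x07
SECRET = b"letmein1"
WORDLIST = ["password", "123456", "smcadmin", "letmein1", "qwerty"]


def demo() -> Dict[str, object]:
    response = chap_response(IDENTIFIER, SECRET, CHALLENGE)
    return {
        "chap_ok": chap_verify(IDENTIFIER, SECRET, CHALLENGE, response),
        "chap_wrong_secret": chap_verify(IDENTIFIER, b"other", CHALLENGE, response),
        "password_visible_in_pap": SECRET in pap_authenticate_request("alice", "letmein1"),
        "recovered_from_capture": offline_dictionary_attack(IDENTIFIER, CHALLENGE, response, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

CHAP is better than PAP only in that the password itself is not transmitted; a weak password falls to the offline search in milliseconds, which is why password length matters more here than the choice between CHAP and MS-CHAP.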
7.10 | Advanced Setup - SNMP The Simple Network Management Protocol (SNMP) lets you manage a computer network remotely by polling and setting terminal values and monitoring network events. • Enable SNMP: You can check Local, Remote, or both options to enable the SNMP function. Leave Remote unchecked unless a management station on the Internet genuinely needs it, and set non-default community strings: anyone who knows the community string can read, and with write access change, the router's configuration.
7.11 | Advanced Setup - ROUTING The Routing Table lets you determine which physical interface address to use for outgoing IP datagrams. If you have more than one router and subnet, you will have to enable the routing table to allow packets to find the routing path. This allows different subnets to communicate with each other.
7.12 | Advanced Setup - MISCELLANEOUS If you experience difficulties accessing an FTP server that is running on a port other than 21, you can enter that port in the “Non-standard FTP port” and apply the changes. Wake-on-LAN is a technology that lets you power up a networked computer remotely. To use this feature, the target network adapter must be Wake-on-LAN enabled and you have to know the MAC address of the adapter. The wake-up packet carries no authentication, so anyone who can send to the LAN broadcast address can wake a host.
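The Wake-on-LAN packet the router sends is a fixed format: six bytes of 0xFF followed by the target MAC address repeated sixteen times. The following is an added example, not code from SMC or from this manual, that builds such a packet from a MAC in any of the usual notations, checks whether a received payload is a valid magic packet for a given MAC, and optionally broadcasts it. UDP port 9 is the conventional destination and is an assumption here; the format itself requires no particular port.

```python
import re
import socket

MAGIC_SYNC = b"\xff" * 6          # synchronization stream that opens every magic packet
MAC_REPEATS = 16                  # the target MAC follows, repeated 16 times


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455."""
    cleaned = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(cleaned)


def build_magic_packet(mac: str) -> bytes:
    """6 x 0xFF + 16 x MAC = 102 bytes."""
    return MAGIC_SYNC + parse_mac(mac) * MAC_REPEATS


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """True if `payload` contains a well-formed magic packet addressed to `mac`.
    The sync stream may be preceded by other bytes, so it is searched for rather than
    required at offset 0."""
    target = parse_mac(mac)
    start = payload.find(MAGIC_SYNC)
    if start < 0:
        return False
    body = payload[start + len(MAGIC_SYNC): start + len(MAGIC_SYNC) + 6 * MAC_REPEATS]
    return len(body) == 6 * MAC_REPEATS and body == target * MAC_REPEATS


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(packet, (broadcast, port))
    return len(packet)


if __name__ == "__main__":
    # Constructed MAC address for the demonstration.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), is_magic_packet_for(pkt, "0011.2233.4455"))
```

Because the packet is nothing but the MAC address, which is already visible to every host on the segment, the validation function is useful for diagnosing why a host did not wake, not for deciding whether a wake request is legitimate.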
7.13 | Advanced Setup – DISPLAY STATUS Enable the Display Status option to view the WAN connectivity settings on the login page. When this is enabled, the login page appears as follows: 7.14 | DDNS (Dynamic DNS) Dynamic DNS provides users on the Internet a method to tie their domain name(s) to computers or servers.
7.15 | UPnP (Universal Plug-and-Play) The Universal Plug and Play architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPnP enables seamless proximity networking in addition to control and data transfer among networked devices in the home, office and everywhere in between. It also lets any program on a LAN computer ask the router to open inbound ports without authentication, so leave it disabled unless an application you trust needs it.
7.17 | Status You can use the Status screen to see the connection status for Barricade's WAN/LAN interfaces, firmware and hardware version numbers, any illegal attempts to access your network, as well as information on all DHCP client PCs currently connected to your network.
8 | IPSec Settings Guide (For Reference/Example Only) 8.1 | Tunnel between two SMCBR14VPN The easiest way to construct a VPN tunnel between two sites is to use two SMCBR14VPNs, which are connected to the internet. The steps to follow to create an IP tunnel between them are the following: •...
Set the VPN settings as follows: VPN: Enable Max. number of tunnels: Tunnel Name: Method: When finished, click “More”. VPN Settings – Tunnel 1 – IKE...
Set the Tunnel 1 IKE settings as follows: Tunnel 1: Local Subnet: 192.168.1.0 Local Netmask: 255.255.255.0 Remote Subnet: 192.168.2.0 Remote Netmask: 255.255.255.0 Remote Gateway: ip2.smc.com Preshare Key: mypresharedkey (router 2's LAN is 192.168.2.x, so that is the remote subnet on router 1; the two routers' local and remote subnets must mirror each other, and the same preshared key, ideally a long random one rather than this placeholder, is entered on both) When finished, save your settings. 8.1.2 | Settings for router 2 VPN Router WAN IP Address: ip2.smc.com LAN IP Address: 192.168.2.1 192.168.2.xxx...
Set the VPN settings as follows: VPN: Enable Max. number of tunnels: Tunnel Name: Method: When finished, click “More”. VPN Settings – Tunnel 1 – IKE...
Set the Tunnel 1 IKE settings as follows: Tunnel 1: Local Subnet: 192.168.2.0 Local Netmask: 255.255.255.0 Remote Subnet: 192.168.1.0 Remote Netmask: 255.255.255.0 Remote Gateway: ip1.smc.com Preshare Key: mypresharedkey When finished, save your settings.
8.1.3 | Common Settings for both routers VPN Settings – Tunnel 1 – Set IKE Proposal Set the Tunnel 1 IKE Proposal settings as follows: Proposal Name: DH Group: Group2 Encrypt. algorithm: 3DES Auth. algorithm: SHA1 Life Time: 10000 Life Time Unit: Sec.
VPN Settings – Tunnel 1 – Set IPSec Proposal Set the Tunnel 1 IPSec Proposal settings as follows: Proposal Name: DH Group: Group2 Encap. protocol: Encrypt. algorithm: Auth. Algorithm: Life Time: 10000 Life Time Unit: Sec. When finished, save the settings. Now to view the VPN connection process, go to the STATUS page and view the System Log.
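Most failures with this two-router setup are configuration mismatches rather than protocol problems: a remote subnet copied from the local one, a preshared key typed differently on one side, a lifetime outside the 300 to 172,800 second range given in 7.9, or a DH group the other end does not offer. The following is an added example, not code from SMC or from this manual, that checks a pair of router configurations for the mirror-image relationship the guide describes and for the constraints stated in 7.9. The configuration dictionaries are this example's own representation of the settings shown above; the 20-character minimum for the preshared key is an assumption, not a figure from the manual.

```python
from ipaddress import ip_network
from typing import Dict, List

# Values from the manual: the DH groups offered and the IKE lifetime range in seconds.
DH_GROUP_BITS = {"Group1": 768, "Group2": 1024, "Group5": 1536}
LIFETIME_SEC_RANGE = (300, 172_800)
MIN_PSK_CHARS = 20     # assumption for this example, not a figure from the manual


def _net(addr: str, mask: str):
    return ip_network(f"{addr}/{mask}", strict=False)


def check_pair(r1: Dict, r2: Dict) -> Dict[str, List[str]]:
    """Check a two-router IKE/IPSec configuration for consistency.

    Returns {"errors": [...], "warnings": [...]}. Errors stop the tunnel from
    coming up or carrying traffic; warnings are choices that work but are weak.
    """
    errors: List[str] = []
    warnings: List[str] = []

    # Per-router checks
    for name, cfg in (("router1", r1), ("router2", r2)):
        local = _net(cfg["local_subnet"], cfg["local_netmask"])
        remote = _net(cfg["remote_subnet"], cfg["remote_netmask"])
        if local.overlaps(remote):
            errors.append(f"{name}: local subnet {local} overlaps remote subnet {remote}")
        lo, hi = LIFETIME_SEC_RANGE
        lifetime = cfg["ike"]["lifetime_sec"]
        if not lo <= lifetime <= hi:
            errors.append(f"{name}: IKE lifetime {lifetime}s outside {lo}-{hi}")
        group = cfg["ike"]["dh_group"]
        if group not in DH_GROUP_BITS:
            errors.append(f"{name}: unknown DH group {group}")
        elif DH_GROUP_BITS[group] < 1024:
            warnings.append(f"{name}: DH {group} ({DH_GROUP_BITS[group]}-bit MODP) is too small")
        if cfg["ike"]["encrypt"] == "DES":
            warnings.append(f"{name}: single DES is brute-forceable; prefer 3DES")
        if len(cfg["psk"]) < MIN_PSK_CHARS:
            warnings.append(f"{name}: preshared key shorter than {MIN_PSK_CHARS} characters")

    # Mirror-image checks: each side's remote must be the other side's local,
    # the gateways must point at each other, and the guide sets identical
    # proposals and keys on both routers.
    if _net(r1["remote_subnet"], r1["remote_netmask"]) != _net(r2["local_subnet"], r2["local_netmask"]):
        errors.append("router1 remote subnet does not match router2 local subnet")
    if _net(r2["remote_subnet"], r2["remote_netmask"]) != _net(r1["local_subnet"], r1["local_netmask"]):
        errors.append("router2 remote subnet does not match router1 local subnet")
    if r1["remote_gateway"] != r2["wan"] or r2["remote_gateway"] != r1["wan"]:
        errors.append("remote gateway addresses do not point at each other's WAN address")
    if r1["psk"] != r2["psk"]:
        errors.append("preshared keys differ")
    if r1["ike"] != r2["ike"]:
        errors.append("IKE proposals differ (DH group, algorithms or lifetime)")
    return {"errors": errors, "warnings": warnings}


# The two routers as configured in the guide above (hostnames are the guide's placeholders).
IKE_PROPOSAL = {"dh_group": "Group2", "encrypt": "3DES", "auth": "SHA1", "lifetime_sec": 10000}
ROUTER1 = {
    "wan": "ip1.smc.com", "remote_gateway": "ip2.smc.com",
    "local_subnet": "192.168.1.0", "local_netmask": "255.255.255.0",
    "remote_subnet": "192.168.2.0", "remote_netmask": "255.255.255.0",
    "psk": "mypresharedkey", "ike": IKE_PROPOSAL,
}
ROUTER2 = {
    "wan": "ip2.smc.com", "remote_gateway": "ip1.smc.com",
    "local_subnet": "192.168.2.0", "local_netmask": "255.255.255.0",
    "remote_subnet": "192.168.1.0", "remote_netmask": "255.255.255.0",
    "psk": "mypresharedkey", "ike": IKE_PROPOSAL,
}


def check_guide_example() -> Dict[str, List[str]]:
    return check_pair(ROUTER1, ROUTER2)


def check_copy_paste_mistake() -> Dict[str, List[str]]:
    """Router 1 with its remote subnet accidentally copied from its local subnet."""
    bad_router1 = dict(ROUTER1, remote_subnet="192.168.1.0")
    return check_pair(bad_router1, ROUTER2)


if __name__ == "__main__":
    print(check_guide_example())
    print(check_copy_paste_mistake())
```

The guide's own configuration passes with only the short-key warnings; the copied-subnet mistake produces both an overlap error on router 1 and a mirror mismatch against router 2, which is the pair of messages to expect when a tunnel negotiates but no traffic flows.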
8.3 | PPTP/ L2TP configuration example Please note that the virtual addresses of the L2TP and PPTP servers have to be different. PPTP • Step 1: Go to the PPTP Server section and select the Enable radio button • Step 2: Change the virtual IP value if necessary (this is the IP network that your PPTP clients will automatically be connected to) •...
9 | Troubleshooting A. Verifying your connection to the router If you are unable to access the Router’s web-based administration pages, then you may not be properly connected or configured. To determine your TCP/IP configuration status please follow the steps below: 1.
F. I am having problems establishing a PPPoE xDSL WAN connection Some ISP’s require you to enter the domain name in addition to your username and password. For instance, for SBC Global, enter username@sbcglobal.net. For Ameritech users, enter username@ameritech.net. BellSouth users may need to enter username@bellsouth.net and Mindspring subscribers enter username@mindspring.com.
J. I forgot my password and can no longer log into the router. You should restore your router to factory defaults via its hardware reset button. Locate the reset button (to the right of the power input). While the device is powered on, use a paper clip to depress this button for about 5-7 seconds and then release. The reset returns every setting to factory defaults, including the administrator password (smcadmin), the VPN preshared keys and the PPTP/L2TP user accounts, so set a new administrator password immediately and re-enter the VPN configuration before reconnecting the WAN.
Microsoft uses an embedded L2TP/IPSEC VPN implementation. In order to use the Microsoft standard VPN client with the router's L2TP server, one has to disable the IPSEC requirement for L2TP on the PC. Please refer to Microsoft help to perform this operation. L2TP by itself provides no encryption; without IPSEC, the confidentiality of the session rests on whatever the PPP layer negotiates. 9.1 | Questions and Answers What is the difference between SMCBR14VPN and SMCBR18VPN? The SMCBR14VPN has 4 LAN ports and the SMCBR18VPN has 8 LAN ports.
10 | Technical Specifications Standards: IEEE 802.3 10Base-T Ethernet IEEE 802.3u 100Base-TX Fast Ethernet Hardware / Ports: LAN Port 4x RJ45, 10/100 Mbps with Auto-MDI/MDIX (BR14VPN) 8x RJ45, 10/100 Mbps with Auto-MDI/MDIX (BR18VPN) WAN Port 1x RJ45, 10/100 Mbps with Auto-MDI/MDIX COM Port 1x DB9 (male), Up to 115200bps Input Power...
11 | Terminology 10BaseT - Physical Layer Specification for Twisted-Pair Ethernet using Unshielded Twisted Pair wire at 10Mbps. This is the most popular type of LAN cable used today because it is very cheap and easy to install. It uses RJ-45 connectors and has a cable length span of up to 100 meters.
DES - Data Encryption Standard. A cryptographic encryption algorithm that is part of many standards. Its 56-bit key is small enough to be recovered by exhaustive search on modest hardware, so choose 3DES wherever the router offers it. DHCP - Dynamic Host Configuration Protocol. This protocol automatically configures the TCP/IP settings of every computer on your home network. DMZ - Allows a networked computer to be fully exposed to the Internet. This function is used when the special application sensing tunnel feature is insufficient to allow an application to function correctly.
ISAKMP - Internet Security Association and Key Management Protocol. The basis for IKE. ISP - Internet Service Provider. An ISP is a business that provides connectivity to the Internet for individuals and other businesses or organizations. JPEG – Joint Photographic Experts Group. JPEG is a standard for compressing still images and it provides compression with ratios up to 100:1.
NAT – (Network Address Translation) This process allows all of the computers on your home network to use one IP address. The NAT capability of the Barricade, allows you to access the Internet from any computer on your home network without having to purchase more IP addresses from your ISP.
TCP/IP - Transmission Control Protocol/Internet Protocol. This is the standard protocol for data transmission over the Internet. TCP - Transmission Control Protocol - TCP and UDP (User Datagram Protocol) are the two transport protocols in TCP/IP. TCP ensures that a message is sent accurately and in its entirety.