Billion BiGuard 50G User Manual

802.11g dual wan security gateway

BiGuard 50G
802.11g Dual WAN Security Gateway
User's Manual
Version Release 1.03 (FW:1.xx)

Summary of Contents for Billion BiGuard 50G

  • Page 1 BiGuard 50G 802.11g Gateway User’s Manual Version Release 1.03 (FW:1.xx) Dual Security...
  • Page 2 BiGuard 50G User’s Manual (Updated September, 2007) Copyright Information © 2007 Billion Electric Corporation, Ltd. The contents of this publication may not be reproduced in whole or in part, transcribed, stored, translated, or transmitted in any form or any means, without the prior written consent of Billion Electric Corporation.
  • Page 3: Safety Warnings

    • DO NOT use your BiGuard 50G and any accessories outdoors. • If you wall mount your BiGuard 50G, make sure that no electrical, water or gas pipes will be damaged during installation. • DO NOT install or use your BiGuard 50G during a thunderstorm.
  • Page 4: Table Of Contents

    Table of Contents Chapter 1: Introduction 1.1 Overview 1.2 Product Highlights 1.2.1 Increased Bandwidth, Scalability and Resilience 1.2.2 Virtual Private Network Support 1.2.3 Advanced Firewall Security 1.2.4 Intelligent Bandwidth Management 1.3 Package Contents 1.3.1 Front Panel 1.3.2 Rear Panel 1.3.3 Cabling Chapter 2: Router Applications 2.1 Overview 2.2 Bandwidth Management with QoS...
  • Page 5 2.6.2 VPN Planning - Fail Over 2.6.3 Concentrator Chapter 3: Getting Started 3.1 Overview 3.2 Before You Begin 3.3 Connecting Your Router 3.4 Configuring PCs for TCP/IP Networking 3.4.1 Overview 3.4.2 Windows XP 3.4.2.1 Configuring 3.4.2.2 Verifying Settings 3.4.3 Windows 2000 3.4.3.1 Configuring 3.4.3.2 Verifying Settings 3.4.4 Windows 98 / ME...
  • Page 6 4.2.3 Routing Table 4.2.4 Session Table 4.2.5 DHCP Table 4.2.6 IPSec Status 4.2.7 PPTP Status 4.2.8 Traffic Statistics 4.2.9 CPU Statistics 4.2.10 System Log 4.3 Quick Start 4.3.1 DHCP 4.3.2 Static IP 4.3.3 PPPoE 4.3.4 PPTP 4.3.5 Big Pond 4.4 Configuration 4.4.1 LAN 4.4.1.1 Ethernet 4.4.1.2 Wireless Security...
  • Page 7 4.4.4.3 Firmware Upgrade 4.4.4.4 Backup / Restore 4.4.4.5 Restart 4.4.4.6 Password 4.4.5 Firewall 4.4.5.1 Packet Filter 4.4.5.2 URL Filter 4.4.5.3 Ethernet MAC Filter 4.4.5.4 Wireless MAC Filter 4.4.5.5 Block WAN Request 4.4.5.6 Intrusion Detection 4.4.6 VPN 4.4.6.1 IPSec 4.4.6.1.1 IPSec Wizard 4.4.6.1.2 IPSec Policy 4.4.6.2 PPTP 4.4.7 QoS...
  • Page 8 5.1.1 Router Won’t Turn On 5.1.2 LEDs Never Turn Off 5.1.3 LAN or Internet Port Not On 5.1.4 Forgot My Password 5.2 LAN Interface 5.2.1 Can’t Access Router from the LAN 5.2.2 Can’t Ping Any PC on the LAN 5.2.3 Can’t Access Web Configuration Interface 5.2.3.1 Pop-up Windows 5.2.3.2 Javascripts 5.2.3.3 Java Permissions...
  • Page 9 Appendix D: Network, Routing, and Firewall Basics D.1 Network Basics D.1.1 IP Addresses D.1.1.1 Netmask D.1.1.2 Subnet Addressing D.1.1.3 Private IP Addresses D.1.2 Network Address Translation (NAT) D.1.3 Dynamic Host Configuration Protocol (DHCP) D.2 Router Basics D.2.1 Why use a Router? D.2.2 What is a Router? D.2.3 Routing Information Protocol (RIP) D.3 Firewall Basics...
  • Page 10 Appendix E: Virtual Private Networking E.1 What is a VPN? E.1.1 VPN Applications E.2 What is IPSec? E.2.1 IPSec Security Components E.2.1.1 Authentication Header (AH) E.2.1.2 Encapsulating Security Payload (ESP) E.2.1.3 Security Associations (SA)
  • Page 11 E.2.2 IPSec Mod E.2.3 Tunnel Mode AH E.2.4 Tunnel Mode ESP E.2.5 Internet Key Exchange (IKE) Appendix F: IPSec Logs and Events F.1 IPSec Log Event Categories F.2 IPSec Log Event Table Appendix G: Bandwidth Management with QoS G.1 Overview G.2 What is Quality of Service? G.3 How Does QoS Work? G.4 Who Needs QoS?
  • Page 12: Product Highlights

    IPSec VPN: up to 30 simultaneous IPSec VPN connections are possible on BiGuard 50G, with performance of up to 30Mbps. PPTP VPN: up to 4 simultaneous PPTP VPN...
  • Page 13: Advanced Firewall Security

    1.2.4 Intelligent Bandwidth Management BiGuard 50G utilizes Quality of Service (QoS) to give you full control over the priority of both incoming and outgoing data, ensuring that critical data such as customer information moves through your network, even while under a heavy load.
  • Page 14 Function Power A solid light indicates a steady connection to a power source. Status A blinking light indicates the device is writing to flash memory. Lit when connected to an Ethernet device. 1 – 4 10/100M : Not lit when connected at 10Mbps. Link/ACT: Blinking when data is transmitting/receiving.
  • Page 15: Rear Panel

    1.3.2 Rear Panel Port / Function. Wireless Antenna: One detachable 2.4GHz 5dbi SMA antenna. WAN2: WAN2 10/100M Ethernet port (with auto crossover support); connect xDSL/Cable modem here. WAN1: WAN1 10/100M Ethernet port (with auto crossover support); connect xDSL/Cable modem here. Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the eight LAN ports when 1 —...
  • Page 16: Cabling

    One of the most common causes of networking problems is bad cabling. Make sure that all connected devices are turned on. On the front panel of BiGuard 50G, verify that the LAN link and WAN line LEDs are lit. If they are not, check to see that you are...
  • Page 17: Chapter 2: Router Applications

    Chapter 2: Router Applications 2.1 Overview Your BiGuard 50G router is a versatile device that can be configured to not only protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS) and both Inbound and Outbound Load Balancing.
  • Page 18: Qos Policies For Different Applications

    2.2.2 QoS Policies for Different Applications By setting different QoS policies according to the applications you are running, you can use BiGuard 50G to optimize the bandwidth that is being used on your network. [Diagram: VoIP, Normal PCs, Restricted PC] As illustrated in the diagram above, applications such as Voice over IP (VoIP) require...
  • Page 19: Guaranteed / Maximum Bandwidth

    2.2.3 Guaranteed / Maximum Bandwidth Setting a Guaranteed Bandwidth ensures that a particular service receives a minimum percentage of bandwidth. For example, you can configure BiGuard 50G to reserve 10% of the available bandwidth for a particular computer on the network to transfer files.
  • Page 20: Priority Bandwidth Utilization

    2.2.5 Priority Bandwidth Utilization Assigning priority to a certain service allows BiGuard 50G to give either a higher or lower priority to traffic from this particular service. Assigning a higher priority to an application ensures that it is processed ahead of applications with a lower priority...
  • Page 21: Management By Ip Or Mac Address

    2.2.6 Management by IP or MAC address BiGuard 50G can also be configured to apply traffic policies based on a particular IP or MAC address. This allows you to quickly assign different traffic policies to a specific computer on the network.
  • Page 22: Dscp (Matching)

    IP header matches the criteria selected. These markings can be used to identify traffic within the network. 2.3 Outbound Traffic This section outlines some of the ways you can use BiGuard 50G to manage outbound traffic. 2.3.1 Outbound Fail Over Configuring BiGuard 50G for Outbound Fail Over allows you to ensure that outgoing traffic is uninterrupted by having BiGuard 50G default to WAN2 should WAN1 fail.
  • Page 23: Outbound Load Balancing

    In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are connected to the Internet via WAN1 (IP_230.100.100.1) on BiGuard 50G. Should WAN1 fail, Outbound Fail Over tells BiGuard 50G to reroute outgoing traffic to WAN2 (IP_213.10.10.2). Configuring your BiGuard 50G for Outbound Fail Over provides a more reliable connection for your outgoing traffic.
  • Page 24: Inbound Traffic

    IP address of the client. By balancing the load between WAN1 and WAN2, your BiGuard 50G can ensure that outbound traffic is efficiently handled by making sure that both ports are equally sharing the load, preventing situations where one port is completely saturated by outbound traffic.
  • Page 25: Inbound Fail Over

    In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are connected to the Internet via WAN1 (ftp.billion.dyndns.org) on BiGuard 50G. A remote computer is trying to access these servers via the Internet. Under normal circumstances, the remote computer will gain access to the network via WAN1.
  • Page 26: Inbound Load Balancing

    For example, a sales force can be directed to www.billion2.dyndns.org, while the R&D group can access www.billion3.dyndns.org. By balancing the load between WAN1 and WAN2, your BiGuard 50G can ensure that inbound traffic is efficiently handled with both ports equally sharing the load, preventing situations where service is slow because one port is completely saturated by inbound traffic.
  • Page 27: Dns Inbound

    DNS Inbound is a three-step process. First, a DNS request is made to the router by a remote PC. BiGuard 50G, based on settings specified by the user, will direct the requesting PC to the correct WAN port by replying with the selected WAN IP address through the built-in DNS server.
  • Page 28: Dns Inbound Fail Over

    2.5.1 DNS Inbound Fail Over BiGuard 50G can be configured to reply with the WAN2 IP address to the DNS domain name request should WAN1 fail. In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are connected to the Internet via WAN1 (IP_200.200.200.1) on BiGuard 50G.
  • Page 29: Dns Inbound Load Balancing

    If WAN2 is experiencing a heavy load, BiGuard 50G responds to incoming DNS requests with WAN1. By balancing the load between WAN1 and WAN2, your BiGuard 50G can ensure that inbound traffic is efficiently handled, making sure that both ports are equally sharing the load and preventing situations where service is slow because one port is completely saturated by inbound traffic.
  • Page 30 HTTP request to the WAN1 IP address (6). The HTTP request will be sent to BiGuard 50G’s URL Host Map (7). The Host Map will then redirect the HTTP request to the HTTP server (8). The HTTP server will reply (9). The URL Host Map will route the packet through WAN1 to the user (10).
  • Page 31: Virtual Private Networking

    As such, it is perfect for connecting branch offices to headquarters across the Internet in a secure fashion. The following section discusses Virtual Private Networking with BiGuard 50G. 2.6.1 General VPN Setup There are typically three different VPN scenarios. The first is a Gateway to Gateway setup, where two remote gateways communicate over the Internet via a secure tunnel.
  • Page 32: Vpn Planning - Fail Over

    The following sections demonstrate the various ways of using BiGuard 50G to set up your VPN. 2.6.2 VPN Planning - Fail Over Configuring your VPN with Fail Over allows BiGuard 50G to automatically default to WAN2 should WAN1 fail. Because the dynamic domain name biguard.billion.com is configured for both WAN1 and WAN2, the active WAN port will announce the domain name through the WAN IP address.
  • Page 33 WAN1 through a secure VPN tunnel. Should WAN1 fail, outbound traffic from BiGuard 50G will automatically be redirected to WAN2. This process is completely transparent to the remote gateway, as BiGuard 50G will automatically update the domain name (biguard.billion.com) with the WAN2 IP address.
  • Page 34: Concentrator

    VPN tunnel to headquarters with the exception of LAN-side traffic. This way, all branch offices can connect to each other through headquarters via the headquarters’ firewall management. You can also configure BiGuard 50G to function as a VPN Concentrator: Please refer to appendix H for example settings.
  • Page 35: Chapter 3: Getting Started

    Linux, Mac OS, and Windows 98/Me/NT/2000/XP operating systems. The following chapter takes you through the very first steps to configuring your network for BiGuard 50G. Take a look and see how easy it is to get your network up and running. 3.2 Before You Begin BiGuard 50G is a flexible and powerful networking device.
  • Page 36: Connecting Your Router

    4. Prepare to physically connect BiGuard 50G to Cable or DSL modems and a computer. Be sure to also review the Safety Warnings located in the preface of this manual before working with your BiGuard 50G.
  • Page 37: Configuring Pcs For Tcp/Ip Networking

    DHCP server. If using a fixed IP address, it is important to remember that it must be in the same subnet as the router. The default IP address of BiGuard 50G is 192.168.1.254 with a subnet mask of 255.255.255.0. Using the default configuration, networked PCs must reside in the same subnet, and have an IP address in the range of 192.168.1.1 to 192.168.1.253.
  • Page 38: Windows Xp

    If you are using Windows 3.1, you must purchase a third-party TCP/IP application package. Any TCP/IP capable workstation can be used to communicate with or through BiGuard 50G. To configure other types of workstations, please consult the manufacturer’s documentation. 3.4.2 Windows XP 3.4.2.1 Configuring...
  • Page 39 3. Select Internet Protocol (TCP/IP) and click Properties. 4a. To have your PC obtain an IP address automatically, select the Obtain an IP...
  • Page 40 address automatically and Obtain DNS server address automatically radio buttons. 4b. To manually assign your PC a fixed IP address, select the Use the following IP address radio button and enter your desired IP address, subnet mask, and default gateway in the blanks provided. Remember that your PC must reside in the same subnet as the router.
  • Page 41: Verifying Settings

    To verify your settings using a command prompt: 1. Click Start > Programs > Accessories > Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER. If you are using BiGuard 50G’s default settings, your PC should have:...
  • Page 42 - An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.0 To verify your settings using the Windows XP GUI: 1. Click Start > Settings > Network Connections.
  • Page 43 2. Right click one of the network connections listed and select Status from the pop-up menu. 3. Click the Support tab.
  • Page 44: Windows 2000

    If you are using BiGuard 50G’s default settings, your PC should: - Have an IP address between 192.168.1.1 and 192.168.1.253 - Have a subnet mask of 255.255.255.0 3.4.3 Windows 2000 3.4.3.1 Configuring 1. Select Start > Settings > Control Panel.
  • Page 45 2. In the Control Panel window, double-click Network and Dial-up Connections. 3. In Network and Dial-up Connections, double-click Local Area Connection.
  • Page 46 4. In the Local Area Connection window, click Properties. 5. Select Internet Protocol (TCP/IP) and click Properties.
  • Page 47 6a. To have your PC obtain an IP address automatically, select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons. 6b. To manually assign your PC a fixed IP address, select the Use the following IP address radio button and enter your desired IP address, subnet mask, and default gateway in the blanks provided.
  • Page 48 7. Click OK to finish the configuration.
  • Page 49: Verifying Settings

    1. Click Start > Programs > Accessories > Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER. If you are using BiGuard 50G’s default settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.253...
  • Page 50: Windows 98 / Me

    - A subnet mask of 255.255.255.0 3.4.4 Windows 98 / Me 3.4.4.1 Installing Components To prepare Windows 98/Me PCs for TCP/IP networking, you may need to manually install TCP/IP on each PC. To do this, follow the steps below. Be sure to have your Windows CD handy, as you may need to insert it during the installation process.
  • Page 51 You must have the following installed:...
  • Page 52 - An Ethernet adapter - TCP/IP protocol - Client for Microsoft Networks If you need to install a new Ethernet adapter, follow these steps: a. Click Add. b. Select Adapter, then Add. c. Select the manufacturer and model of your Ethernet adapter, then click OK.
  • Page 53 If you need TCP/IP: a. Click Add.
  • Page 54 b. Select Protocol, then click Add. c. Select Microsoft. TCP/IP, then OK. If you need Client for Microsoft Networks: a. Click Add.
  • Page 55: Configuring

    b. Select Client, then click Add. c. Select Microsoft. Client for Microsoft Networks, and then click OK. 3. Restart your PC to apply your changes. 3.4.4.2 Configuring 1. Select Start > Settings > Control Panel.
  • Page 56 2. In the Control Panel, double-click Network and choose the Configuration tab.
  • Page 57 3. Select TCP / IP > ASUSTek or the name of any Network Interface Card (NIC) in your PC and click Properties. 4. Select the IP Address tab and click the Obtain an IP address automatically radio button.
  • Page 58 5. Select the DNS Configuration tab and select the Disable DNS radio button. 6. Click OK to apply the configuration.
  • Page 59: Verifying Settings

    3.4.4.3 Verifying Settings To check the TCP/IP configuration, use the winipcfg.exe utility: 1. Select Start > Run. 2. Type winipcfg, and then click OK. 3. From the drop-down box, select your Ethernet adapter.
  • Page 60: Factory Default Settings

    The window is updated to show your settings. Using the default BiGuard 50G settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.0 - A default gateway of 192.168.1.254 3.5 Factory Default Settings...
  • Page 61: Username And Password

    The Status LED will remain solid as the device boots. Once the boot sequence is complete, the LED will shut off, indicating that BiGuard 50G is ready. 3.5.2 LAN and WAN Port Addresses...
  • Page 62: Information From Your Isp

    If your account uses PPP over Ethernet (PPPoE), you will need to enter your login name and password when configuring your BiGuard 50G. After the network and firewall are configured, BiGuard 50G will log in automatically, and you will no longer need to run the login program from your PC.
  • Page 63: Configuration Information

    - One or more domain name server (DNS) IP addresses Depending on your ISP, a host name and domain suffix may also be provided. If any of these items are dynamically supplied by the ISP, your BiGuard 50G will automatically acquire them.
  • Page 64 2. Double-click the Network icon. 3. In the Network Connections window, right-click Local Area Connection and select Properties.
  • Page 65 4. Select Internet Protocol (TCP/IP) and click Properties. 5. If an IP address, subnet mask and a Default gateway are shown, write down the information. If no address is present, your account’s IP address is dynamically...
  • Page 66 assigned. Click the Obtain an IP address automatically radio button. 6. If any DNS server addresses are shown, write them down. Click the Obtain DNS server address automatically radio button. 7. Click OK to save your changes.
  • Page 67: Web Configuration Interface

    3.7 Web Configuration Interface BiGuard 50G includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click Go.
  • Page 68 If the Web Configuration Interface appears, congratulations! You are now ready to configure your BiGuard 50G. If you are having trouble accessing the interface, please refer to Chapter 5: Troubleshooting for possible resolutions.
  • Page 69: Chapter 4: Router Configuration

    Chapter 4: Router Configuration 4.1 Overview The Web Configuration Interface makes it easy for you to manage your network via any PC connected to it. On the Web Configuration homepage, you will see the navigation pane located on the left hand side. From it, you will be able to select various options used to configure your router.
  • Page 70: Status

    (5 minutes by default). The following sections will show you how to configure your router using the Web Configuration Interface. 4.2 Status The Status menu displays the various options that have been selected and a number of statistics about your BiGuard 50G.
  • Page 71 Registration: Click on the Register button to open a web page on Billion’s website to register the BiGuard 50G. Registration enables users to access new firmware, a user’s manual, latest product news, quick customer support, and FAQ. Failover Status: Displays the current Failover port and shows whether it is active or inactive.
  • Page 72 In this menu, you will find the following sections: - ARP Table - Wireless Association - Routing Table - Session Table - DHCP Table - IPSec Status - PPTP Status - Traffic Statistics - CPU Status - System Log...
  • Page 73: Arp Table

    4.2.1 ARP Table The Address Resolution Protocol (ARP) Table shows the mapping of Internet (IP) addresses to Ethernet (MAC) addresses. This is a quick way to determine the MAC address of your PC’s network interface to use with the router’s Firewall – MAC Address Filter function.
  • Page 74: Routing Table

    4.2.3 Routing Table The Routing Table displays the current path for transmitted packets. Both static and dynamic routes are displayed. No.: Number of the list. Destination: The IP address of the destination network. Netmask: The destination netmask address. Gateway/Interface: The IP address of the gateway or existing interface that this route will use.
  • Page 75: Dhcp Table

    Device Name: The host name (computer name) of the client. MAC Address: The MAC address of client. Lease Time: The connection time to the DHCP server. 4.2.6 IPSec Status The IPSec Status window displays the status of the IPSec Tunnels that are currently configured on your BiGuard 50G.
  • Page 76: Pptp Status

    4.2.7 PPTP Status The PPTP Status window displays the status of the PPTP Tunnels that are currently configured on your BiGuard 50G. Name: The name you assigned to the particular PPTP entry. Enable: Whether the PPTP connection is currently Enable or Disable.
  • Page 77: Cpu Statistics

    WAN1: Transmitted (Tx) and Received (Rx) bytes and packets for WAN1. WAN2: Transmitted (Tx) and Received (Rx) bytes and packets for WAN2. Display: Allows you to change the units of measurement for the traffic graph. 4.2.9 CPU Statistics This page displays the router’s system information. Processor: The router’s processor type and model.
  • Page 78: System Log

    When the CPU percentage in use is lower than 80% the line will turn blue. 4.2.10 System Log This window displays BiGuard 50G’s System Log entries. Major events are logged on this window. Display: There are several options in display, All logs allows the system to show all types of system logs, and there are also specific event logs such as;...
  • Page 79: Quick Start

    First goes to the first page of the table, Previous goes to the page before the current page, the dropdown menu allows the user to select a specific page number to view, Next goes to the page after the current page, and Last goes to the last page of the table.
  • Page 80: Static Ip

    4.3.2 Static IP IP assigned by your ISP: Enter the assigned IP address from your ISP. IP Subnet Mask: Enter your IP subnet mask. ISP Gateway Address: Enter your ISP gateway address. Primary DNS: Enter your primary DNS. Secondary DNS: Enter your secondary DNS. Click Apply to save your changes.
  • Page 81: Pptp

    is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet), select Trigger on Demand. Idle Time: Auto-disconnect the router when there is no activity on the line for a predetermined period of time. Select the idle time from the drop down menu. Active if Trigger on Demand is selected.
  • Page 82: Big Pond

    For detailed instructions on configuring WAN settings, please refer to the WAN section of this chapter. 4.4 Configuration The Configuration menu allows you to set many of the operating parameters of BiGuard 50G. In this menu, you will find the following sections: - LAN - WAN - Dual WAN...
  • Page 83: Lan

    - QoS - Virtual Server - Advanced These items are described below in the following sections. 4.4.1 LAN There are three items within this section: Ethernet, Wireless, Wireless Security, DHCP Server and LAN Address Mapping. 4.4.1.1 Ethernet...
  • Page 84 IP Address: Enter the internal LAN IP address for BiGuard 50G (192.168.1.254 by default). Subnet Mask: Enter the subnet mask (255.255.255.0 by default). RIP: RIP v2 Broadcast and RIP v2 Multicast. Check to enable RIP. Wireless WLAN Service: Default setting is set to Disable. If you have any wireless devices (both 802.11g and 802.11b) in your network, you can select Enable.
  • Page 85 Hide ESSID: This function controls whether the router transmits its ESSID over the air so that, when a wireless client searches for a network, the router can be discovered and recognized. Default setting is Disable. Enable: Select Enable if you do not want to broadcast your ESSID. When Enable is selected, no one will be able to locate the Access Point (AP) of your router.
  • Page 86: Wireless Security

    of the connected AP. WDS offers cost savings and flexibility, since no extra wireless client device is required to bridge between two access points and extend an existing wired or wireless infrastructure network to create a larger network. In addition, WDS enhances its link connection security in WEP mode; the WEP key encryption must be the same for both access points.
  • Page 87 Encryption Standard) utilizes a stronger encryption method and incorporates Message Integrity Code (MIC) to provide protection against hackers. WPA Shared Key: The key for network authentication. The input format is in character style and key size should be in the range between 8 and 63 characters. Group Key Renewal: The period of renewal time for changing the security key (AP).
  • Page 88: Wep

    In this menu, you can disable or enable the Dynamic Host Configuration Protocol (DHCP) server. The DHCP protocol allows your BiGuard 50G to dynamically assign IP addresses to PCs on your network if they are configured to automatically obtain IP...
  • Page 89 To disable the router’s DHCP Server, select the Disable radio button, and then click Apply. When the DHCP Server is disabled, you will need to manually assign a fixed IP address to each PC on your network, and set the default gateway for each PC to the IP address of the router (192.168.1.254 by default).
  • Page 90 Name: Enter the name you want to give for the IP+Mac Address Fixed Host account. Active: Select whether you want to Enable or Disable this particular Fixed Host account. IP Address: Enter the IP address that you want to reserve for the above MAC address.
  • Page 91: Lan Address Mapping

    4.4.1.5 LAN Address Mapping LAN Address Mapping is a function that supports multiple subnets and multiple NAT. You can specify a subnet and LAN Gateway IP Address and select the associated WAN IP Address specified in WAN IP Alias in Configuration -> WAN -> WAN IP Alias.
  • Page 92: Wan

    The WAN menu contains two items: ISP Settings, Bandwidth Settings and WAN IP Alias. 4.4.2.1 ISP Settings This ISP Settings Table displays the different WAN connections that are configured on BiGuard 50G. To edit any of these connections, click Edit. You will be taken to the following menu.
  • Page 93: Dhcp

    Connection Method: Select how your router will connect to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. For each WAN port, the factory default is DHCP. If your ISP does not use DHCP, select the correct connection method and configure the connection accordingly.
  • Page 94: Static Ip

    MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. Candidates: You can also select the MAC address from the list in the Candidates. DNS: If your ISP requires you to manually setup DNS settings, check the checkbox and enter your primary and secondary DNS.
  • Page 95 Primary DNS: Enter the primary DNS provided by your ISP. Secondary DNS: Enter the secondary DNS provided by your ISP. RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To disable RIP, select Disable from the drop down menu. MTU: Enter the Maximum Transmission Unit (MTU) for your network.
  • Page 96 select Always Connect. If you want to establish a PPPoE session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet), select Trigger on Demand. Idle Time: Auto-disconnect the router when there is no activity on the line for a predetermined period of time.
  • Page 97: Pptp Settings

    4.4.2.1.4 PPTP Settings Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
  • Page 98: Big Pond

    button. This will take you to another page for inputting the IP address information. MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. Candidates: You can also select the MAC address from the list in the Candidates. DNS: If your ISP requires you to manually setup DNS settings, check the checkbox and enter your primary and secondary DNS.
  • Page 99: Bandwidth Settings

    MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. Candidates: You can also select the MAC address from the list in the Candidates. DNS: If your ISP requires you to manually setup DNS settings, check the checkbox and enter your primary and secondary DNS.
  • Page 100: Wan Ip Alias

    WAN IP Alias WAN IP Alias allows you to input additional WAN IP addresses. WAN IP Alias can be used for Multiple NAT settings, including LAN Address Mapping settings and Virtual Server settings. Please click Create to create a LAN Address Mapping rule. Name: Please input the name of the rule.
  • Page 101: General Settings

    specific WAN port. In this menu are the following sections: General Settings, Outbound Load Balance, Inbound Load Balance, and Protocol Binding. 4.4.3.1 General Settings Mode: You can select Load Balance or Fail Over. Service Detection: Enables or disables the service detection feature. For fail over, the service detection function is enabled.
  • Page 102: Outbound Load Balance

    4.4.3.2 Outbound Load Balance Outbound Load Balancing on BiGuard 50G can be based on one of two methods: 1. By session mechanism 2. By IP address hash mechanism Choose one by clicking the corresponding radio button. Based on Session Mechanism: The source IP address and destination IP address can go through WAN1 or WAN2 depending on the policies set in this mechanism.
  • Page 103: Inbound Load Balance

    to authenticate the source IP address. Balance by weight of link capacity: Uses an IP hash to balance traffic based on weight of link bandwidth capacity. Balance by weight: Uses an IP hash to balance traffic based on a ratio. Enter the desired ratio into the blanks provided.
  • Page 104 SOA: Domain Name: The domain name of DNS Server 1. you register on DNS organization. You have to fill out the Fully Qualified Domain Name (FQDN) with field (ex: abc.com.). When you enter the following domain name, you can only input different characters without an ending dot; the name is then appended with the domain name, and it becomes an FQDN.
  • Page 105 MX Record Mail Exchanger: The name of the mail server. IP Address: The mail server IP address. Click Apply to save your changes. To edit the Host Mapping URL list, click Edit. This will open the Host Mapping URL table, which lists the current Host Mapping URLs. To add a host mapping URL to the list, click Create.
  • Page 106: Protocol Binding

    Name1: The Alias Host URL Name2: The Alias Host URL Click Apply to save your changes. 4.4.3.4 Protocol Binding Protocol Binding lets you direct specific traffic to go out from a specific WAN port. Click the Create button to create a new policy entry. Policies entered would tell specific types of Internet traffic from a particular range of IPs to go to a particular range of IPs with ONE WAN port, rather than using both of the WAN ports with load balancing.
  • Page 107: System

    Source IP Range: All Source IP: Click it to specify all source IPs. Specified Source IP: Click to specify a specific source IP address and source IP netmask. Source IP Address: If Specified Source IP was chosen, here’s where the IP can be entered.
  • Page 108: Time Zone

    Simply choose your local time zone, enter NTP Server IP Address, and click Apply. After connecting to the Internet, BiGuard 50G will retrieve the correct local time from the NTP server you have specified. Your ISP may provide an NTP server for you to use.
  • Page 109: Firmware Upgrade

    NOTE: When enabling remote access, please make sure to change the default administration password for security reasons. Action: Select Enable or Disable to turn the remote access function on or off. HTTPS Port: Please input the remote access HTTPS port you would like to use (default is 443). Click Apply to apply your settings.
  • Page 110: Backup / Restore

    Upgrading your BiGuard 50G’s firmware is a quick and easy way to enjoy increased functionality, better reliability, and ensure trouble-free operation. To upgrade your firmware, simply visit Billion’s website (http://www.billion.com) and download the latest firmware image file for BiGuard 50G. Next, click Browse and select the newly downloaded firmware file.
  • Page 111: Restart

    4.4.4.5 Restart The Restart feature allows you to easily restart BiGuard 50G. To restart with your last saved configuration, select the Current Settings radio button and click Restart. If you wish to restart the router using the factory default settings, select Factory Default Settings and click Restart to reboot BiGuard 50G with factory default settings.
  • Page 112: Password

    Click Reset to reset to the default administration password (admin). 4.4.5 Firewall BiGuard 50G includes a full Stateful Packet Inspection (SPI) firewall for controlling Internet access from your LAN, and preventing attacks from hackers. Your router also acts as a "natural" Internet firewall when using Network Address Translation (NAT), as all PCs on your LAN will use private IP addresses that cannot be directly accessed from the Internet.
  • Page 113: Packet Filter

    4.4.5.1 Packet Filter The Packet Filter function is used to limit user access to certain sites on the Internet or LAN. The Filter Table displays all current filter rules. If there is an entry in the Filter Table, you can click Edit to modify the setting of this entry, click Delete to remove this entry, or click Move to change this entry’s priority.
  • Page 114 ID: This is an identifier that allows you to move the rule before or after another ID. Rule: Enable or Disable this entry. Action When Matched: Select to Drop or Forward the packet specified in this filter entry. Direction: Incoming Packet Filter rules prevent unauthorized computers or applications accessing your local network from the Internet.
  • Page 115: Url Filter

    Destination Port Range: Enter the destination port number range. If you only want to specify one service port, then enter the same port number in both boxes. Helper: You could also select the application type you would like to apply for automatic input.
  • Page 116 URL Filtering: You can choose to Enable or Disable this feature. Keyword Filtering: Click the checkbox to enable this feature. To edit the list of filtered keywords, click Details. Domain Filtering: Click the "enable" checkbox to enable filtering by Domain Name. Click the "Disable all WEB traffic except for trusted domains"...
  • Page 117 Enter a domain and select whether this domain is trusted or forbidden with the pull-down menu. Next, click Apply. Your new domain will be added to either the Trusted Domain or Forbidden Domain listing, depending on which you selected previously. You may also designate which IP addresses are to be excluded from these filters by adding them to the Exception List.
  • Page 118: Ethernet Mac Filter

    4.4.5.3 Ethernet MAC Filter The Ethernet MAC Filter lets BiGuard filter devices on the LAN side by MAC address and determine whether they can connect to the Internet. Default Rule: Forward or Drop all LAN requests. (Forward by default) Create: You can also input a specific MAC address to be dropped or forwarded regardless of the default rule.
  • Page 119: Wireless Mac Filter

    4.4.5.4 Wireless MAC Filter Prevents unauthorized computers from using the Internet through the router. Wireless MAC Filter can Default Rule: Forward or Drop all wireless requests. (Forward by default) Click on Create to create a new rule. You can input a specific MAC address to be dropped or forwarded.
  • Page 120: Block Wan Request

    4.4.5.5 Block WAN Request Blocking WAN requests is one way to prevent DDoS attacks by preventing ping requests from the Internet. Use this menu to enable or disable this function. 4.4.5.6 Intrusion Detection Intrusion Detection can prevent most common DoS attacks from the Internet or from LAN users.
  • Page 121: Vpn

    connections on a per-user basis. This is useful for controlling users who run applications that create a large number of connections (such as P2P software). No Limit: No restriction on the number of sessions allowed to connect to BiGuard30. Limit Maximum sessions per IP to: Sets an upper limit on the number of sessions allowed to connect to BiGuard30; additional sessions beyond the maximum limit will not be allowed to connect.
  • Page 122: Ipsec

    4.4.6.1 IPSec IPSec is a set of protocols that enable Virtual Private Networks (VPN). You can find two items under the IPSec section: IPSec Wizard and IPSec Policy. 4.4.6.1.1 IPSec Wizard Connection Name: A user-defined name for the connection. Interface: Select the interface the IPSec tunnel will apply to. WAN1: Select interface WAN1 WAN2: Select interface WAN2 Auto: The device will automatically apply the tunnel to WAN1 or WAN2...
  • Page 123 pre-shared key into both sides (router or hosts). Connection Type: There are 5 connection types: (1)LAN to LAN: BiGuard would like to establish an IPSec VPN tunnel with remote router using Fixed Internet IP or domain name by using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN gateway.
  • Page 124 (3)LAN to Host: BiGuard would like to establish an IPSec VPN tunnel with remote client software using Fixed Internet IP or domain name by using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel.
  • Page 125 Remote Identifier: The Identifier of the remote gateway. According to the input value, the ID type will be auto-defined as IP Address, FQDN(DNS) or FQUN(E-mail). Back: Back to the Previous page. Next: Go to the next page. (5)LAN to Host (for BiGuard VPN Client only): BiGuard would like to establish an IPSec VPN tunnel with BiGuard VPN Client software C01 by using aggressive mode.
  • Page 126: Ipsec Policy

    After your configuration is done, you will see a Configuration Summary. Back: Back to the Previous page. Done: Click Done to apply the rule. 4.4.6.1.2 IPSec Policy Click Create to create a new IPSec VPN connection account. Configuring a New VPN Connection...
  • Page 127 Connection Name: A user-defined name for the connection. Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel. Interface: Select the interface the IPSec tunnel will apply to. WAN1: Select interface WAN1 WAN2: Select interface WAN2 Auto: The device will automatically apply the tunnel to WAN1 or WAN2 depending on which WAN interface is active when the IPSec tunnel is being established.
  • Page 128 interface if Auto is selected. Local: This section configures the local host. ID: This is the identity type of the local router or host. Choose from the following four options: WAN IP Address: Automatically use the current WAN Address as ID. IP Address: Use an IP address format.
  • Page 129 Any Local Address: Will enable any local address on the network. Subnet: The subnet of the remote network. Selecting this option allows you to enter an IP address and netmask. IP Range: The IP Range of the remote network. Single Address: The IP address of the remote host. Gateway Address: The gateway address of the remote host.
  • Page 130 negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over the Internet. Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key.
  • Page 131: Pptp

    IP Addresses Assigned to Peer Start from: 192.168.1.x: please input the IP assigned range from 1 ~ 254 (except BiGuard 50G’s LAN IP address with 192.168.1.254 as BiGuard 50G’s default LAN IP address and IP pool range of DHCP server settings with 100~199 as BiGuard 50G’s default DHCP IP pool range.)
  • Page 132: Qos

    PPTP Tunnel, please select Enable or Disable. 4.4.7 QoS BiGuard 50G can optimize your bandwidth by assigning priority to both inbound and outbound data with QoS. This menu allows you to configure QoS for both inbound and outbound traffic.
  • Page 133 The first menu screen gives you an overview of which WAN ports currently have QoS active, and the bandwidth settings for each. WAN1 Outbound: QoS Function: QoS status for WAN1 outbound. Select Enable to activate QoS for WAN1’s outgoing traffic. Select Disable to deactivate. Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN1’s outbound traffic.
  • Page 134 Creating a New QoS Rule To get started using QoS, you will need to establish QoS rules. These rules tell BiGuard 50G how to handle both incoming and outgoing traffic. The following example shows you how to configure WAN1 Outbound QoS. Configuring the other traffic types follows the same process.
  • Page 135 Interface: The current traffic type. This can be WAN1 (outbound, inbound) and WAN2 (outbound, inbound). Application: User defined application name for the current rule. Guaranteed: The guaranteed amount of bandwidth for this rule as a percentage. Maximum: The maximum amount of bandwidth for this rule as a percentage. Priority: The priority assigned to this service.
  • Page 136: Virtual Server

    For MAC Address: Source MAC Address: The source MAC Address of the device this rule applies to. Candidates: You can also select the Candidates which are referred from the ARP table for automatic input. Source Port Range: The range of source ports this rule applies to. Destination Port Range: The range of destination ports this rule applies to.
  • Page 137: Dmz

    PCs. Please see the WAN Configuration section of this manual for more information on NAT. BiGuard 50G can also be configured as a virtual server so that remote users accessing services such as Web or FTP services via the public (WAN) IP address can be automatically redirected to local servers in the LAN network.
  • Page 138: Port Forwarding Table

    Candidates: You can also select the Candidates which are referred from the ARP table for automatic input. Select the Apply button to apply your changes. 4.4.8.2 Port Forwarding Table Because NAT can act as a "natural" Internet firewall, your router protects your network from being accessed by outside users, as all incoming connection attempts will point to your router unless you specifically create Virtual Server entries to forward those ports to a PC on your network.
  • Page 139 Application: User defined application name for the current rule. Helper: You could also select the application type you would like to apply for automatic input. Protocol type: please select protocol type External Port: Enter the port number of the service that will be sent to the Internal IP address.
  • Page 140: Advanced

    4.4.9 Advanced Configuration options within the Advanced section are for users who wish to take advantage of the more advanced features of BiGuard 50G. Users who do not understand the features should not attempt to reconfigure their router, unless advised to do so by support staff.
  • Page 141: Dynamic Dns

    You will first need to register and establish an account with the Dynamic DNS provider using their website. Example: DYNDNS http://www.dyndns.org/ (BiGuard 50G supports several Dynamic DNS providers, such as www.dyndns.org, www.orgdns.org, www.dhs.org, www.dyns.cx, www.3domain.hk, and www.3322.org.) Click Edit on either WAN1 or WAN2 to edit the Dynamic DNS Server.
  • Page 142: Device Management

    please fill it in the blank space below. Dynamic DNS: Disable: Check to disable the Dynamic DNS function. Enable: Check to enable the Dynamic DNS function. The following fields will be activated and required: Dynamic DNS Server: Select the DDNS service you have established an account with.
  • Page 143 Device Name Name: Enter a name for this device. Web Server Settings HTTP Port: This is the port number the router’s embedded web server (for web-based configuration) will use. The default value is the standard HTTP port, 80. Users may specify an alternative if, for example, they are running a web server on a PC within their LAN.
  • Page 144 SNMP Function: Select Enable to activate this function, Disable to deactivate this function. SNMP V1 and V2 Read Community: Input the string for Read community to match your SNMP software. Write Community: Input the string for Write community to match your SNMP software.
  • Page 145: Log & Email Alert

    System Log Server, and E-Mail Alert. 5.1 Log Configuration The BiGuard 50G incorporates industry-standard alert protocols for capturing network activity information. The information can then be written to a log, sent to an external server, or to a selected E-mail address.
  • Page 146: System Log Server

    Select Email Alert to send information log to a pre-specified E-mail account. 5.2 System Log Server This function allows BiGuard 50G to send system logs to an external Syslog Server. Syslog is an industry-standard protocol used to capture information about network activity.
  • Page 147: E-Mail Alert

    5.3 E-mail Alert The Email Alert function allows a log of security-related events (such as System Log and IPSec Log) to be sent to a specified email address. Email Alert: You may enable or disable this function by selecting the appropriate radio button.
  • Page 148: Language

    Weekly: The router will send an alert once a week. When log is full: The router will send an alert only when the log is full. 6 Language Language provides 3 different languages for the interface display (currently supporting English, Simplified Chinese and Traditional Chinese).
  • Page 149: Simplified Chinese

    6.2 Simplified Chinese Clicking on the Simplified Chinese link will change all the text into Simplified Chinese. 6.3 Traditional Chinese Clicking on the Traditional Chinese link will change all the text into Traditional Chinese. 7 Save Configuration To Flash After changing the router’s configuration settings, you must save all of the configuration parameters to flash memory to avoid them being lost after turning off or resetting your router.
  • Page 150: Logout

    8 Logout To exit the router’s web interface, click Logout. Please ensure that you have saved your configuration settings before you log out. Be aware that the router allows only one PC to access the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out.
  • Page 151: Chapter 5: Troubleshooting

    This section deals with issues regarding your BiGuard 50G’s basic functions. 5.1.1 Router Won’t Turn On If the Power and other LEDs fail to light when your BiGuard 50G is turned on: - Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet.
  • Page 152: Forgot My Password

    Please note that both the User Name and Password are case-sensitive. If this fails, you can restore your BiGuard 50G to its factory default settings by holding the Reset button on the back of your router until the Status LED begins to blink.
  • Page 153: Can't Ping Any Pc On The Lan

    If PCs connected to the LAN cannot be pinged: - Check the 10/100 LAN LEDs on BiGuard 50G’s front panel. One of these LEDs should be on. If they are both off, check the cables between BiGuard 50G and the hub or PC.
  • Page 154 3. Make sure that the Delete All Offline Content checkbox is checked, and click 4. Click OK under Internet Options to close the dialogue. - In Windows, type arp -d at the command prompt to clear your computer’s ARP table.
  • Page 155: Pop-Up Windows

    To use the Web Configuration Interface, you need to disable pop-up blocking. You can either disable pop-up blocking, which is enabled by default in Windows XP Service Pack 2, or create an exception for your BiGuard 50G’s IP address. Disabling All Pop-ups In Internet Explorer, select Tools >...
  • Page 156: Java Permissions

    3. Under Scripting, check to see if Active scripting is set to Enable. 4. Ensure that Scripting of Java applets is set to Enabled. 5. Click OK to close the dialogue. 5.2.3.3 Java Permissions The following Java Permissions should also be given for the Web Configuration Interface to display properly: 1.
  • Page 157: Wan Interface

    BiGuard 50G’s system name. 5.4 ISP Connection Unless you have been assigned a static IP address by your ISP, your BiGuard 50G will need to request an IP address from the ISP in order to access the Internet. If your BiGuard 50G is unable to access the Internet, first determine if your router is able to obtain a WAN IP address from the ISP.
  • Page 158 If an IP address cannot be obtained: 1. Turn off the power to your cable or DSL modem. 2. Turn off the power to your BiGuard 50G. 3. Wait five minutes and power on your cable or DSL modem. 4. When the modem has finished synchronizing with the ISP (generally shown by LEDs on the modem), turn on the power to your router.
  • Page 159: Problems With Date And Time

    Configuration > System > Time Zone. 5.6 Restoring Factory Defaults You can restore your BiGuard 50G to its factory settings by holding the Reset button on the back of your router until the Status LED begins to blink. This will reset your...
  • Page 160: Appendix A: Product Specifications

    Appendix A: Product Specifications Availability and Resilience - Dual-WAN ports - Load balancing for increased bandwidth of inbound and outbound traffic - Automatic failover to redirect the packet when one broadband connection is broken. It will keep your Internet connection always online whenever one connection should fail.
  • Page 161: Content Filtering

    - Netbios over VPN Firewall - Stateful Packet Inspection (SPI) and Denial of Service (DoS) prevention - Packet filter un-permitted inbound (WAN)/Inbound (LAN) Internet access by IP address, port number and packet type - Email alert and logs of attack - MAC Address Filtering - Intrusion detection Content Filtering...
  • Page 162: Physical Interface

    Physical Interface Ethernet WAN 2 ports (10/100 Base-T), support Auto- Crossover (MDI/MDIX) Ethernet LAN 8 ports (10/100 Base-T) switch support Auto- Crossover (MDI/MDIX) Physical Specifications Dimensions: 18.98" x 6.54" x 1.77" (482mm x 166 mm x 45mm, with Bracket) 9.84" x 6.54" x 1.38" (250mm x 166 mm x 35mm, non Bracket) Power Requirement Input: 12VDC, 1A Operating Environment...
  • Page 163: Appendix B: Customer Support

    Appendix B: Customer Support Most problems can be solved by referring to the Troubleshooting section in the User’s Manual. If you cannot resolve the problem with the Troubleshooting chapter, please contact the dealer where you purchased this product. Contact Billion Worldwide http://www.billion.com/...
  • Page 164: Appendix C: Fcc Interference Statement

    Appendix C: FCC Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: - This device may not cause harmful interference. - This device must accept any interference received, including interference that may cause undesired operations.
  • Page 165: Appendix D: Network, Routing, And Firewall Basics

    Appendix D: Network, Routing, and Firewall Basics D.1 Network Basics D.1.1 IP Addresses With the number of TCP/IP networks interconnected across the globe, ensuring that transmitted data reaches the correct destination requires that each computer on the Internet have a unique identifier. This identifier is known as the IP address. The Internet Protocol (IP) uses a 32-bit address structure, and the address is usually written in dot notation.
  • Page 166: Subnet Addressing

    forward slash (/). For example, a typical Class C address could be written as 192.168.234.245/24, which means that the net mask is 24 ones followed by 8 zeros (11111111 11111111 11111111 00000000). D.1.1.2 Subnet Addressing Subnet addressing enables the split of one IP network address into multiple physical networks.
  • Page 167: Network Address Translation (Nat)

    If a particular PC on your LAN requires access from outside PCs, you can use port forwarding to accomplish this. For information on how to configure port forwarding on BiGuard 50G, refer to the Virtual Server section of Chapter 4: Router Configuration.
  • Page 168: Router Basics

    Routers can vary in performance and scale, the types of physical WAN connection they support, and the number of routing protocols supported. BiGuard 50G offers a convenient and powerful way for small-to-medium businesses to connect their networks.
  • Page 169: Firewall Basics

    D.3.1.1 Stateful Packet Inspection BiGuard 50G uses Stateful Packet Inspection (SPI) to protect your network from intrusions and attacks. Unlike less sophisticated Internet sharing routers, SPI ensures secure firewall filtering by intercepting incoming packets at the network layer, and analyzing them for state-related information that is associated with all network connections.
  • Page 170: Why Use A Firewall

    Internet. Still, there are ways for more dedicated hackers to either obtain information about your network or disrupt your network’s Internet access. Your BiGuard 50G provides an extra level of protection from such attacks with its built-in firewall.
  • Page 171: Appendix E: Virtual Private Networking

    Appendix E: Virtual Private Networking E.1 What is a VPN? A Virtual Private Network (VPN) is a shared network where private data is segmented from other traffic so that only the intended recipient has access. It allows organizations to securely transmit data over a public medium like the Internet.
  • Page 172: Ipsec Security Components

    data authentication, integrity, and confidentiality as data is transferred across IP networks. IPSec provides data security at the IP packet level, and protects against possible security risks by protecting data. IPSec is widely used to establish VPNs. There are three major functions of IPSec: - Confidentiality: Conceals data through encryption.
  • Page 173: Encapsulating Security Payload (Esp)

    Next Payload Reserved Header Length Sequence Number Authentication Data E.2.1.2 Encapsulating Security Payload (ESP) Encapsulating Security Payload (ESP) provides privacy for data through encryption. An encryption algorithm combines the data with a key to encrypt it. It then repackages the data using a special format, and transmits it to the destination. The receiver then decrypts the data using the same algorithm.
  • Page 174: Security Associations (Sa)

    Sequence Number Data Next Authentication Data E.2.1.3 Security Associations (SA) Security Associations are one-way relationships between sender and receiver that specify IPSec-related parameters. They provide data protection by using the defined IPSec protocols, and allow organizations to control, according to the security policy in effect, which resources may communicate securely.
  • Page 175: Tunnel Mode Ah

    AH/E Transport Mode - This mode is used to provide data security between two networks. It provides protection for the entire IP packet and is sent by adding an outer IP header corresponding to the two tunnel end-points. Since tunnel mode hides the original IP header, it provides security of the networks with private IP address space.
  • Page 176: Tunnel Mode Esp

    E.2.4 Tunnel Mode ESP Here is an example of a packet with ESP applied: Original Packet IP Header Data Packet with IPSec Encapsulation Security Payload New IP Header ESP Header Org IP Header Data ESP Trailer Authentication encrypted Authenticated E.2.5 Internet Key Exchange (IKE) Before either AH or ESP can be used, it is necessary for the two communication devices to exchange a secret key that the security protocols themselves will use.
  • Page 177 addresses. Aggressive mode reduces this process to three messages, but parameter negotiation is limited, identity protection is lacking except when using public key encryption, and is more vulnerable to Denial of Service attacks. Phase II, known as Quick Mode, establishes symmetrical IPSec Security Associations for both AH and ESP.
  • Page 178: Appendix F: Ipsec Logs And Events

    Appendix F: IPSec Logs and Events F.1 IPSec Log Event Categories There are three major categories of IPSec Log Events for your BiGuard 50G. These include: 1. IKE Negotiate Packet Messages 2. Rejected IKE Messages 3. IKE Negotiated Status Messages The table in the following section lists the different events of each category, and provides a detailed explanation of each.
  • Page 179 Received Main mode Received the second message of main mode. Done to second message exchange key values. ISAKMP Send Main mode second Sending the main mode second response message. response message Done to exchange key values. ISAKMP Received Main mode Received the main mode second response message.
  • Page 180 Received Aggressive Received the second message of aggressive mode. mode second ISAKP Done to exchange proposal and key values. Message Send Quick mode initial Sending the first message of quick mode (Phase II). message Done to exchange proposal and key values (IPSec). Received Quick mode...
  • Page 181 NO PROPOSAL CHOSEN: Initial Main Mode message received on [IP:Port #] but no connection has been authorized INVALID ID: Require peer to have ID [ID], but peer declares [ID] INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from [ID] on [IP] but no connection has been authorized INVALID ID: Require peer to have ID [ID], but peer declares [ID] INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from [ID]...
  • Page 182: Appendix G: Bandwidth Management With Qos

    Internet. When too many are accessing the Internet at the same time, service can slow to a crawl, causing service interruptions and general frustration. Quality of Service (QoS) is one of the ways BiGuard 50G can optimize the use of bandwidth, ensuring a smooth and responsive Internet connection for all users.
  • Page 183: Who Needs Qos

    -Prioritization: Assigns different priority levels for different applications, prioritizing traffic. High, Normal and Low priority settings. -Outbound and Inbound IP Throttling: Controls network traffic and allows you to limit the speed of each application. -DiffServ Technology: Manages priority queues and DSCP tagging through the Internet backbone.
  • Page 184: Office Users

    Application Data Ratio (%) On-line games Skype Email Other G.4.2 Office Users QoS is also ideal for small businesses using an office server as a web server. With QoS control, web pages served to your customers can be given top priority and delivered first so that it will not be impeded by email and office web browsing.
  • Page 185: Appendix H: Router Setup Examples

    Appendix H: Router Setup Examples H.1 Outbound Fail Over Step 1: Go to Configuration > WAN > ISP Settings. Select WAN1 and WAN2 and click Edit. Step 2: Configure WAN1 and WAN2 according to the information given by your ISP.
  • Page 186 Next, input the duration of the probe cycle (30 sec. by default) and choose the way WAN ports are probed. Please ensure the WAN ports are functioning by performing a ping operation on each before proceeding. Finally, choose whether or not BiGuard 50G should fail back to...
  • Page 187: Outbound Load Balancing

    WAN1. Step 4: Click Save Config to save all changes to flash memory. H.2 Outbound Load Balancing 192.168.2.2 192.168.2.3 With Outbound Load Balancing, you can improve upload performance by optimizing your connection via Dual WAN. To do this, follow these steps: Step 1: Go to Configuration >...
  • Page 188 Step 3: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button. Step 4: Go to Configuration > Dual WAN > Outbound Load Balance. Choose the Load Balance mechanism you want and click Apply.
  • Page 189 Step 5: Complete. To check traffic statistics, go to Status > Traffic Statistics. Step 6: Click Save Config to save all changes to flash memory.
  • Page 190: Inbound Fail Over

    H.3 Inbound Fail Over Configuring your BiGuard 50G for Inbound Fail Over is a great way to ensure a more reliable connection for incoming requests. To do so, follow these steps: NOTE: Before you begin, ensure that both WAN1 and WAN2 have been properly configured.
  • Page 191 Step 3: Go to Configuration > Advanced > Dynamic DNS. Set the WAN1 DDNS settings. Step 4: From the same menu, set the WAN2 DDNS settings. Step 5: Click Save Config to save all changes to flash memory.
  • Page 192: Dns Inbound Fail Over

    H.4 DNS Inbound Fail Over NOTE: Before proceeding, please ensure that both WAN1 and WAN2 are properly configured according to the settings provided by your ISP. If not, please refer to Chapter 4.2.2.1 ISP Settings for details on how to configure your WAN ports. Step 1: Go to Configuration >...
  • Page 193 Step 2: Go to Configuration > Dual WAN > Inbound Load Balance. Select the Enable radio button and configure DNS Server 1 by clicking Edit. Step 3: Input DNS Server 1 settings and click Apply.
  • Page 194: Dns Inbound Load Balancing

    Step 4: Configure your Host URL Mapping for DNS Server 1 by clicking Edit to enter the Host URL Mappings List. Click Create and input the settings for Host URL Mappings and click New. Step 5: Click Save Config to save all changes to flash memory. H.5 DNS Inbound Load Balancing...
  • Page 195 Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button. Step 2: Go to Configuration > Dual WAN > Inbound Load Balance > Server Settings and configure DNS Server 1.
  • Page 196 Step 3: Go to Configuration > Dual WAN > Inbound Load Balance > Host URL Mapping and configure your FTP mapping. Step 4: Next configure your HTTP mapping.
  • Page 197: Dynamic Dns Inbound Load Balancing

    Step 5: Click Save Config to save all changes to flash memory. H.6 Dynamic DNS Inbound Load Balancing Step 1: Go to Configuration > WAN > Bandwidth Settings. Configure your WAN inbound and outbound bandwidth.
  • Page 198 Step 2: Go to Configuration > Dual WAN > General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not. Step 3: Go to Configuration > Dual WAN > Outbound Load Balance. Choose your load balance policy and click Apply to apply your changes.
  • Page 199 Step 4: Go to Configuration > Advanced > Dynamic DNS and input the dynamic DNS settings for WAN1 and WAN2. WAN1: WAN 2:...
  • Page 200: VPN Configuration

    Step 5: Go to Configuration > Virtual Server and set up a virtual server for both FTP and HTTP. Step 6: Click Save Config to save all changes to flash memory. H.7 VPN Configuration This section outlines some concrete examples of how you can configure BiGuard 50G for your VPN.
  • Page 201 Branch Office Local IP Address Data 69.121.1.30 Network Any Local Address IP Address 192.168.0.0 Netmask 255.255.255.0 Remote Secure Gateway 69.121.1.3 Address(or Hostname) IP Address Data 69.121.1.3 Network Subnet IP Address 192.168.1.0 Netmask 255.255.255.0 Head Office IP Address 69.121.1.3 Any Local Address 192.168.1.0 255.255.255.0 69.121.1.30...
  • Page 202: Host to LAN

    Proposal IKE Pre-shared Key 12345678 Security Algorithm Main Mode; ESP: 3DES H.7.2 Host to LAN Single client Local IP Address Data 69.121.1.30 Network Any Local Address 12345678 Main 3DES Head Office IP Address 69.121.1.3 Any Local Address...
  • Page 203: IPSec Fail Over (Gateway to Gateway)

    IP Address 0.0.0.0 Netmask 0.0.0.0 Remote Secure Gateway 69.121.1.3 Address (or Hostname) IP Address Data 69.121.1.3 Network Subnet IP Address 192.168.1.0 Netmask 255.255.255.0 Proposal IKE Pre-shared Key 12345678 Security Algorithm Main Mode; ESP: 3DES H.8 IPSec Fail Over (Gateway to Gateway) biguard.billion.com 192.168.1.0 255.255.255.0...
  • Page 204 Step 1: Go to Configuration > Dual WAN > General Settings. Enable Fail Over by selecting the Fail Over radio button. Then, configure your Fail Over policy. Step 2: Go to Configuration > Advanced > Dynamic DNS and configure your dynamic DNS settings (Both WAN1 and WAN2).
  • Page 205 Step 3: Go to Configuration > VPN > IPSec > IPSec Policy. Click Create to configure VPN settings. Step 4: Click Save Config to save all changes to flash memory. To configure the BiGuard 10 gateway, refer to the screenshot below.
  • Page 206: VPN Concentrator

    H.9 VPN Concentrator...
  • Page 207 Remote subnet: 192.168.4.0 Remote mask: 255.255.255.0 Step 1: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from BiGuard 50G to BiGuard 10 Branch A. Local ID Type: Subnet Local subnet: 192.168.3.0 Local mask: 255.255.255.0 Remote ID Type: Subnet Remote subnet: 0.0.0.0...
  • Page 208 Step 2: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from BiGuard 50G to BiGuard 10 Branch B.
  • Page 209 Step 3: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from BiGuard 10 Branch A to BiGuard 50G.
  • Page 210 Step 4: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from BiGuard 10 Branch B to BiGuard 50G.
  • Page 211: Protocol Binding

    Step 5: Click Save Config to save all changes to flash memory. H.10 Protocol Binding Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balancing radio button.
  • Page 212 Step 2: Go to Configuration > Dual WAN > Protocol Binding and configure settings for WAN1. Step 3: Go to Configuration > Dual WAN > Protocol Binding and configure settings for WAN2.
  • Page 213: Intrusion Detection

    Step 4: Click Save Config to save all changes to flash memory. H.11 Intrusion Detection (Diagram labels: BiGuard Safe, Server Safe, Intrusion Detection on, Detected, DoS Attack.) Step 1: Go to Configuration > Firewall > Intrusion Detection and Enable the settings. Step 2: Click Apply and then Save Config to save all changes to flash memory.
  • Page 214: PPTP Remote Access by Windows XP

    H.12 PPTP Remote Access by Windows XP Internet Headquarter 100.100.100.1 BiGuard & PPTP Server Local subnet: 192.168.30.0 Local mask: 255.255.255.0 Step 1: Go to Configuration > VPN > PPTP and Enable the PPTP function, then click Apply. Step 2: Click Create to create a PPTP Account. Business Trip Windows XP PPTP Client...
  • Page 215 Step 3: Click Apply; you can see that the account has been created successfully. Step 4: Click Save Config to save all changes to flash memory. Step 5: In Windows XP, go to Start > Settings > Network Connections.
  • Page 216 Step 6: In Network Tasks, click Create a new connection, and press Next.
  • Page 217 Step 7: Select Connect to the network at my workplace and press Next. Step 8: Select Virtual Private Network connection and press Next.
  • Page 218 Step 9: Input the user-defined name for this connection and press Next. Step 10: Input the PPTP Server Address and press Next.
  • Page 219 Step 11: Press Finish. Step 12: Double-click the connection, and input the Username and Password that are defined in BiGuard PPTP Account Settings.
  • Page 220 PS. You can also refer to the Properties > Security page as shown below, with its default settings.
  • Page 221: PPTP Remote Access by BiGuard

    H.13 PPTP Remote Access by BiGuard Internet Headquarter 100.100.100.1 BiGuard & PPTP Server Local subnet: 192.168.30.0 Local mask: 255.255.255.0 Step 1: Go to Configuration > VPN > PPTP and Enable the PPTP function, Disable the Encryption, then click Apply. Step 2: Click Create to create a PPTP Account. Branch Office 200.200.200.1 Internet...
  • Page 222 Step 3: Click Apply; you can see that the account has been created successfully. Step 4: Click Save Config to save all changes to flash memory. Step 5: On another BiGuard acting as the client, go to Configuration > WAN > ISP Settings.
  • Page 223 Step 6: Click Apply, and then Save Config.
